Reverse engineering tools for .NET applications

Bartosz Wójcik
7 min readJul 16, 2020

--

The set of tools for .NET reverse engineering is very different from classic tools used for the reversing of native x86 / x64 applications in PE (Windows EXE/DLL Portable Executable) or ELF (Linux Executable and Linkable Format) formats.

Different code architecture forced to create a whole range of dedicated tools for .NET executable files, I will try to present some of them that may be useful in software reversing.

Decompilers

What’s the purpose of a decompiler? .NET applications are compiled to a pseudo-code in CIL (Common Intermediate Language) format. When run, it’s interpreted, jitted, and executed by the .NET runtime library. With a decompiler, you can transform this pseudo-code back to high-level code in your chosen or favorite language, e.g. C#, VB#, etc.

dnSpy

The new king on the .NET reverse engineering playground. An all-around tool that supports decompilation, simple deobfuscation, modification and debugging of .NET applications.

It has it all. You can even edit any .NET compiled code in its high-level C# form, it will recompile it and replace the patched method. You can recompile entire projects into Visual Studio compatible source code solutions.

dnSpy debugger in action

What’s most important, it’s frequently updated and it’s free to use.

Homepage — https://github.com/0xd4d/dnSpy

.NET Reflector

For years it was the first and basic tool that most reverse engineers used for .NET applications reversing, the famous .NET Reflector.

.NET Reflector

It was the best-known decompiler and not only because thanks to the whole number of plugins it allows e.g. to modify binary files (Reflexil plugin), debug applications (Deblector plugin) and many other activities related to code analysis.

Recently .NET Reflector lost its popularity because the project was free from the beginning, but after it was taken over by Red Gate Software (by the way, the creators of the SmartAssembly obfuscator, from which one can come up with a conspiracy theory that they wanted to restrict access to one of the most popular application analysis tools) and initial assurances about maintaining its free status, after some time it was transformed into a commercial version, with the cheapest license for $35 (now it’s, even more, $100 to be exact).

Homepage —https://www.red-gate.com/products/dotnet-development/reflector/

Add-ins — https://www.red-gate.com/simple-talk/dotnet/net-tools/using-net-reflector-add-ins/

Telerik JustDecompile

Free decompiler from Telerik, rather for undemanding users, because the number of available options (or lack of them) will not knock you on your knees, you cannot even look through the code in the form of IL, not to mention other things, there are only decompiler and reference search engine.

Telerik JustDecompile

Homepage— www.telerik.com/products/decompiler.aspx

IL DASM

It’s also worth mentioning about this tool, although my experience shows that it’s rather little used, it’s a Microsoft .NET binaries disassembler included in the .NET SDK and delivered with Visual Studio.

It allows viewing the file structure and disassembling to the transition code, so it is not as handy for analysis as dnSpy or .NET Reflector.

Simple Assembly Explorer

This is another disassembler and editor, but more advanced than the IL DASM, with a lot of options to easily modify the IL code, copy instructions, cut out, all very handy, it’s been my favorite when it comes to modifying .NET binary files for some time.

SAE has a plug-in system and a built-in deobfuscator, which can be useful for analyzing protected applications.

If you want to learn the basics of programming in IL, modify binaries quickly, and efficiently this is the ideal tool.

Homepage — https://github.com/wickyhu/simple-assembly-explorer/releases

Dis#

Dis# is a relatively unknown decompiler, perhaps due to the fact that it is a commercial tool, the project hasn’t been updated for a long time, but it can be treated as a curiosity as it has some interesting features like a built-in deobfuscator, code editor allowing to easily rename functions, variables, etc.

Homepage — http://netdecompiler.com

Debuggers

My observations and experience show that most of the analysis related to .NET can be solved statically (as opposed to native applications), but also here it may be useful to debug the code being executed.

Dotnet IL Editor (DILE)

Dile is an easy to use debugger for .NET applications, a bit like the Visual Studio debugger.

Homepage — http://sourceforge.net/projects/dile/

Protection identifiers

For native applications, the basic identifier is PEiD and a more frequently updated Protection ID (and several others).

DNiD

For .NET there is an equivalent PEiD called DNiD.

It now detects most of the protections used for .NET applications.

Download — DNiD.v0.11-Rue.rar (384 kB)

Process & memory dumpers

.NET applications are nowadays rarely distributed in a pure form after compilation because thanks to tools such as dnSpy it is practically equivalent to open source distribution and in most cases, obfuscators are used for protection purposes.

Some of the obfuscators, in addition to modifying the IL code, “wraps” the whole application into a native x86/x64 code loader, which usually decrypts the entire .NET assembly and only loads it into memory in decrypted form.

This form of protection does not allow the use of .NET tools and requires that the loaded .NET assemblies are first dumped from memory for further analysis.

.NET Generic Unpacker

The project was developed by Daniel Pistelli (he worked for some time on the famous IDA disassembler at HexRays), a generic as the name suggests a dumper that can detect an image of the .NET executable file in memory despite an external native loader.

Homepage — https://ntcore.com/?page_id=353

DotNetDumper

The easy-to-use dumper, which also has support for dumping several types of security features from file memory, can generally handle most native security features.

Download — DotnetDumper.zip (66 kB)

Apart from dedicated dumpers, classic memory search methods work equally well, e.g. in OllyDbg for .NET signatures of applications (e.g. “_CorExeMain” strings).

Memory dump fixers

After the .NET file has been dumped from the memory, it is often unusable for analysis in tools such as the .NET Reflector, this is due to changes most often made by obfuscators to make analysis even more difficult. The images of files that have been dumped in this way should be fixed.

Universal Fixer

Download — Universal_Fixer.zip (31 kB)

Project site — http://forum.tuts4you.com/topic/25376-universal-fixer/

Deobfuscators

The number of obfuscators available on the market is huge, I can safely say that it outstrips the number of security tools available for native applications. Due to such a massive attack, deobfuscators were created for many tools, often integrated and supporting many types of security.

de4dot

de4dot is the most known .NET deobfuscator for many types of protections. Its development has been abandoned, but since it’s open-source and a solid base for future developments of any .NET deobfuscator, it has been modified and improved by independent developers and you find many new flavors supporting new protections.

You can download the original version from — https://github.com/0xd4d/de4dot/downloads

Summary

The current state of the .NET protections may initially be frightening and discourage further analysis (with many advanced obfuscators using virtualization), but as you can see there are many tools that can make our lives easier.

I deliberately didn’t describe here ready-made unpackers, which can be easily found by yourself, because they don’t always work, and then it’s worth knowing how to cope without their help.

If I come across any interesting tool I will add it to the article, and if you know something interesting to analyze the .NET application — describe it in the comments and I will be happy to add a description to the article.

Many more reversing tools, some rare ones

More complete list of reverse engineering tools, also for native x86/x64 binaries, with many alternative versions and some rare gems available in my article:

🔥 Reverse Engineering Tools Review

--

--

Bartosz Wójcik
Bartosz Wójcik

Written by Bartosz Wójcik

Developer behind PELock software protection system, author of reverse engineering articles.

Responses (3)