SUBSCRIBE
ABOUT

Why is decompilation possible?

There are a lot of decompilers available in the .NET ecosystem and this has always been the case. I mean always. However, I sometimes forget that not everyone knows or appreciates this and that my perspective is born from the fact that I was a professional developer during the formative years of .NET. So it was a bit of a shock to see some of the responses to Decompilation being available in Visual Studio.

We do not talk about ILASM and the ILDASM very much these days, but these tools have been shipped with Visual Studio for years and allow you to manually assemble and disassemble modules at will.

I wrote about this orthogonally but it is important to repeat some fundamental Intermediate Language and Just in Time compilation are important concepts. Lets define them again here:

IL (Intermediate Language) - All .NET compilers generate Intermediate Language (IL) no matter what the underlying language used to develop the application. The CLR actually has no idea about the language used to develop a given application. All .NET compilers will generate a standard, common language we refer to as IL (aka, MSIL and CIL).

So you have executable or assembly replete with IL, now what? We have to execute it right? That is where JIT comes in:

JIT (Just in Time) - Before Intermediate Language (IL) can be executed, it must converted by the .NET Framework's JIT compiler to native code, which is CPU specific code that run on some computer architecture as the JIT compiler. Rather than using time and memory to convert all the MSIL in portable executable (PE) file to native code, it converts the MSIL as it is needed during execution and stored in resulting native code so it is accessible for subsequent calls.

There are some real advantages to this IL/JIT strategy:

  • You can potentially run your code on any platform because you are not stuck with native code (or specific version of native you built). You will, however, need to an JIT compiler for those platforms.
  • Further you can add run-time optimizations that are not possible had you created native code. So if a new CPU feature is created your IL can potentially take advantage of it (assuming an updated JIT compiler).

Given this pattern it is relatively straight for to create tools that exceed ILDASM, I have written about Lutz Roeder’s Reflector or ILSpy and a couple of others in the past. Decompilers exist and have always existed, so what can you do to protect your code?

Since .NETs inception folks that have sought out additional protection against decompilation have normally turned to obfuscation. There at least a dozen to select from that are free (such as ConfuserEx) to professional grade (such as PreEmptive). I do not have any endorsements to make here only that a quick Bing search can give you much to choose from.

Roslyn Compiler ILSpy integration

One other point of interest is that decompilation with ILSpy has existed in Visual Studio for a few years now but it is still under a preview flag. If you navigate to Options->Text Editor->C#->Advanced the Analysis section allows you to enable navigation to decompiled sources.

decompilation-rosalyn

Once enabled this permits you to F12 (go to definition) into 3rd party software and see what’s going, I think it is a really helpful feature for understanding how code may be helping or hurting you.

But lets say your a software creator who is not keen on Visual Studio users being able to casually browse through your code, you can actually use the SuppressIldasmAttribute class to stop decompilation from occurring on your module. Of course this will not protect you from the plethora of other decompilers on the market.

Visual Studio Debugger ILSpy integration

My team has also done a lot of work with integrating the ILSpy decompilation with the Visual Studio Debugger and you now have the option of decompiling during debugging or when you are analyzing a memory dump. Now if you are confronted with a No Symbols Loaded page? Or maybe experienced an exception occurring in a 3rd party .NET assembly but had no source code to figure out why? You can use Visual Studio to decompile managed code even if you don’t have the symbols, allowing you to look at code, inspect variables and set breakpoints. I love this new feature!

decompilation-visualstudio-debugger
Tagged in: .NET .NET Core Debugging Visual Studio
Comment on this post [7]
February 26, 2020 19:40
Share on: Twitter

Comment Section

Michael Balloni
February 28, 2020 21:16
What are your thoughts on .NET obfuscators, like 9rays.NET? These rename symbols, encrypt strings, etc.
Mark Downie
March 02, 2020 1:09
Hi Michael, I have not tried 9rays.NET myself but its feature set is very impressive.
Hotels San Cassiano
March 08, 2020 8:38
Pretty nice post. I just stumbled upon your weblog and wished to say that I have really enjoyed browsing your blog posts. After all I'll be subscribing to your rss feed and I hope you write again very soon!
hgf
March 26, 2020 16:47
Excellent goods from you, man. I've understand your stuff previous to and you're just too excellent. I actually like what you've acquired here, certainly like what you are stating and the way in which you say it. You make it enjoyable and you still care for to keep it sensible. I cant wait to read much more from you. This is really a great site.
coin master free spins link today
March 27, 2020 18:36
Heya exceptional blog! Does running a blog similar to this require a large amount of work? I've no knowledge of coding however I was hoping to start my own blog in the near future. Anyhow, should you have any suggestions or techniques for new blog owners please share. I know this is off subject however I simply needed to ask. Appreciate it!
infowiesci.com.pl
March 28, 2020 2:26
http://likeplus.waw.pl http://datasolutions.com.pl http://wmkiw.pl http://amtm.pl http://magicflvacation.com http://gosciniecmurckowski.pl In some methods, it has restored the thought of the newspaper, since we once again read information tales. http://stolpo.pl http://fine-scale.org http://nopix.pl http://imerp.pl http://totalwedding.co.uk http://planetaski.pl
http://dajplus.pl
March 28, 2020 2:55
http://unspoken.pl http://signwise.pl http://034548.org http://amtm.pl http://auroratennis.org http://mebledosypialni.info.pl http://hellheaven.pl http://meblenaogrod.com.pl http://navisafe.pl http://safetynett-uk.co.uk http://eltying.com.pl http://texturekick.com.pl http://abweb.com.pl http://mastermedia.info.pl http://my-place.pl The top quality experience provided by the Information School has been identified in an exceptional result from the National Student Study (NSS) 2016.