How to Decompile .NET Applications
In this post, you will learn the basics of how .NET applications are decompiled
Decompiling is essentially the reverse of compiling. That is, given a binary, recover the source of it.
While it may sound like a complicated task, it's straightforward and requires very little knowledge.
Please note that the following lecture will focus in decompilers that target the .NET platform, although the concept is the same for all languages, the tools that we will use only work with applications coded in .NET.
Ideally, before we jumped into the practice, it would be good for us to understand how the file structure works; however, we will not extend this post that much and jump directly into the practice.
Overall, when you decompile a .NET application, you will have two possible outputs: the IL code or generated C#/VB.NET. At first glance, the "pseudo-code" produced by the decompiler is more readable; nonetheless, as you get more experienced, you will find out that IL gives you more information.
We have two favorite tools when it comes to decompiling .NET applications:
dotPeek from JetBrains, which is extremely good for decompiling and debugging your application.
DnSpy from a GitHub user (0xd4d), which not just allows you to debug or decompile the app but also modify the app code and behavior. The downside of this app is that compared to dotPeek, the decompiled code may not be as easy to read.
First, download one of the two tools mentioned and open it.
You should see the following window:
(As for DnSpy, although it may be slightly different the concept is the same).
Second, drag and drop on the Assembly Explorer the Application you wish to decompile.
After this step, you must click the arrow that is right before the application dropped into the Assembly Explorer.
Finally, double click on the class you want to inspect, and the decompiled will translate the IL into decompiled code.
As you can see, the results in our case are 1:1; the decompiled code is the same as the one we wrote.
The reason why this happens is the structure of the .NET applications; the compiled applications store a lot of metadata (local names, type names, method names...).
All this data allows the decompiler to recreate code that most of the time is identical to the one we wrote if not equal.
After knowing this, a question may pop up. Is it possible to stop this process and hide my code?
The answer is yes; our .net obfuscator achieves this very purpose. While the app may still be decompilable in some scenarios, the generated code will be impossible for a human to understand (and in many situations for machines too).
Hopefully this post has helped you out, we will be posting more information which will become more advanced progressively.