0

My professor wants me to tell him if I can get the code of an assembly binary file. For me it is not possible. The file can be call with : https://learn.microsoft.com/en-us/dotnet/api/system.reflection.methodbase.invoke?view=net-5.0#System_Reflection_MethodBase_Invoke_System_Object_System_Object___

((Assembly)obj).EntryPoint.Invoke((object)null, (object[])null);
//object was defined before

Thanxs !

[EDIT]

Thanks all for your answers, i have already tried dotpeek, ildasm.. -> not working

The file is not a dll.

file_read = Path.Combine(Application.StartupPath, "testfile");
bytes = File.ReadAllBytes(string.Concat(file_read));
bytes2 = Memrestore((byte[])bytes);
objAssembly = Assembly.Load((byte[])bytes2);
((Assembly)objAssembly).EntryPoint.Invoke(null, null);

My professor help me a little bit, bytes2 contain all the byte in the testfile.

On visual studio if i watch this variable and right click->Go to disassembly I get this :

0000000012E5F082  mov         edx,9B4000Eh  
0000000012E5F087  int         21h  
0000000012E5F089  mov         eax,21CD4C01h  
0000000012E5F08E  push        rsp  
0000000012E5F08F  push        70207369h  
0000000012E5F094  jb          0000000012E5F105  
0000000012E5F096  jb          0000000012E5F0FA  
0000000012E5F099  ins         dword ptr [rdi],dx  
0000000012E5F09A  and         byte ptr [rbx+61h],ah  
0000000012E5F09D  outs        dx,byte ptr [rsi]  
0000000012E5F09E  outs        dx,byte ptr [rsi]  
0000000012E5F09F  outs        dx,dword ptr [rsi]  
0000000012E5F0A0  je          0000000012E5F0C2  
0000000012E5F0A2  ?? ?????? 
0000000012E5F0A3  and         byte ptr gs:[rdx+75h],dh  
0000000012E5F0A7  outs        dx,byte ptr [rsi]  
0000000012E5F0A8  and         byte ptr [rcx+6Eh],ch  
0000000012E5F0AB  and         byte ptr [rdi+rcx*2+53h],al  
0000000012E5F0AF  and         byte ptr [rbp+6Fh],ch  
0000000012E5F0B2  ?? ?????? 
0000000012E5F0B3  ?? ?????? 
0000000012E5F0B4  or          eax,240A0Dh  
0000000012E5F0BA  add         byte ptr [rax],al  
0000000012E5F0BC  add         byte ptr [rax],al  
0000000012E5F0BE  add         byte ptr [rax],al  
0000000012E5F0C0  push        rax  
0000000012E5F0C1  add         byte ptr [r8],r8b  
0000000012E5F0C4  add         qword ptr [rbx],r8  
0000000012E5F0C7  add         byte ptr [rsi],dl  
0000000012E5F0C9  cmp         dl,dh

(It is an extract of the file)

My question is : it is possible to revert this assembler code to c# ?

Peter Cordes
  • 328,167
  • 45
  • 605
  • 847
Arthur
  • 9
  • 1
  • 1
    Run `ildasm` on the file? – Lasse V. Karlsen Jan 04 '21 at 12:47
  • 1
    You want to decompile an assambly file? That is certanly possible (if not 100% perfect)... Take a look (for example) at [Ilspy](https://github.com/icsharpcode/ILSpy)... 100% written in C#. If it is enough to see the IL code then [mono.cecil](https://github.com/jbevain/cecil) is a very good library to do it. – xanatos Jan 04 '21 at 12:47
  • And if you want to see the IL assembly of a single method, the you could begin with [GetMethodBody](https://learn.microsoft.com/en-us/dotnet/api/system.reflection.methodbase.getmethodbody?view=net-5.0) . See https://stackoverflow.com/q/2693881/613130 – xanatos Jan 04 '21 at 12:50
  • To decompile in C# & IL you can use [ILSpy](https://github.com/icsharpcode/ILSpy) (open-source), [RedGate Reflector](https://www.red-gate.com/products/dotnet-development/reflector/) (commercial), [JetBrains dotPeek](https://www.jetbrains.com/fr-fr/decompiler/) (libre)... To take a look at the real targetted platform assembly code you can use the [Visual Studio Machine Code Window](https://docs.microsoft.com/visualstudio/debugger/how-to-use-the-disassembly-window) in the débugging menu while running. If you want to decompile a .exe or a .dll into this machine assembly code, I don't know. –  Jan 04 '21 at 12:57
  • I have edited the post – Arthur Jan 04 '21 at 14:37
  • @Arthur Want to get C# code from such machine dependent code (Intel/AMD/ARM...) and not from the virtual assembly IL code ? This is not possible, as I know... I would even say more that it is not possible unless you generate some very ugly IL code, therefore some very horrible C # code without any comprehensible names for types, methods and variables. But I think it is impossible: the processor's machine code is not .NET and if .NET knows the CPU, the CPU does not know .NET types and classes... It's like trying to recreate a table from atoms without the plan. –  Jan 04 '21 at 15:20
  • @Arthur "The file is not a dll."... If it isn't something written in .NET, you can't `Assembly.Load((byte[])bytes2);` it. – xanatos Jan 04 '21 at 15:47

1 Answers1

1

An assembly does not contain your source code - so no, you can't get exactly that, however; a .NET assembly contains the compiled IL - and the IL can often be reverse engineered to get back code very similar to what your original code would have been. How accurate it is depends on a lot of factors - for example, async code is massively re-written, as are "iterator blocks", and obfuscator tools exist to deliberately make the IL harder to decipher.

Marc Gravell
  • 1,026,079
  • 266
  • 2,566
  • 2,900