Search code examples
c#.netreverse-engineeringdecompilingdotpeek

DotPeek not proper deserialize dll

I have decompiled DLL by dotPeek 1.4 to see what is happen inside, but there is something strage c# code (please look at attachments). There are

  • Var declaretion without var name
  • I think some var are numbers, they don't have name

Why that code was generated? Does dll could be protected from decompilation or dll was publish as realease?

enter image description here

The same problem exists when I decompile by trial version of Reflector

enter image description here

Solution

  • Firstly you're breaking the licence agreement by trying to reverse engineer their code.

    f. Disassembly. You may not reverse engineer, decompile, disassemble or in any other way try to gain access to information regarding the construction of THE PRODUCT.

    This is because .NET allows for a whole lot more than a-z in variable names. You can read about it in the MSDN section on Identifiers (C#). Visual Studio won't like the variables though and will complain, but they're perfectly valid in IL (while not being valid in C#).

    Having a look with other tools or dumping to hex, you can see the variables have been obscured and are things like which is actually the ACK character ^F followed by the 'START OF TEXT' character that looks like the space character but is not the space character. Other characters used include the backspace character.

    The IL for the above code is going to be something like

    .field private static initonly string '\u0001'
.field private static initonly string '\u0002'
.field private static initonly string '\u0003'
.field private static initonly string '\u0004'
.field private static initonly string '\u0005'
.field private static initonly string '\b'
.field private static initonly string '\u0002\u2000'
.field private static initonly string '\u0003\u2000'
.field private static initonly string '\u0005\u2000'
.field private static initonly string '\b\u2000'

    You get the idea.

    I would like to actually know what they specifically used to obfuscate this code (because looks fun!). The code was clearly generated with something like http://reflexil.net/ which allows the compiled dll to retain hints about the variable name (but changes them to nonsense) which is why the decompiler shows up all strange names (the decompiler thinks it's being cleaver by retaining the variable names mentioned in the dll).