THE ESSENTIAL TOOLS FOR REVERSE ENGINEERING .NET (PART 1)


Programs written in .NET have a different structure from native PE files, so ordinary debuggers and disassemblers cannot do much with them. If you want to decompile a .NET program and analyze its structure and source code, nothing beats the specialized tools dedicated to .NET that I will introduce in this article.
I will tentatively divide the major programs into the following two groups:
  • Group Editor / Decompiler / Disassembler / Utilities: a collection of tools that help us review, analyze and modify the structure and parameters of a .NET program, together with a few small utilities that make the decompilation process easier.

  • Group Unpacker / Deobfuscator / Detector: a set of tools that help us detect and remove the protective layers of a .NET program. There are currently many products for protecting .NET source code so that it cannot be decompiled, read and analyzed, so this group of tools is also quite important.

OK, now I will list the common programs in the two groups above, starting with the first group.
1. CFF Explorer
Information and download: http://www.ntcore.com/exsuite.php
This is a versatile program in the Explorer Suite developed by NTCore. Although it is a side project written by Daniel Pistelli, its features are highly regarded and useful. It is a true PE Editor with the following features:
  • Process Viewer
  • Drivers Viewer
  • Windows Viewer
  • PE and Memory Dumper
  • Full support for PE32/64
  • Special fields description and modification (.NET supported)
  • PE Utilities
  • PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
  • View and modification of .NET internal structures
  • Resource Editor (full support for Windows Vista icons)
  • Support in the Resource Editor for .NET resources (dumpable as well)
  • Hex Editor
  • Import Adder
  • PE integrity checks
  • Extension support
  • Visual Studio Extensions Wizard
  • Powerful scripting language
  • Dependency Walker
  • Quick Disassembler (x86, x64, MSIL)
  • Name Unmangler
  • Extension support
  • File Scanner
  • Directory Scanner
  • Deep Scan method
  • Recursive Scan method
  • Multiple results
  • Report generation
  • Signatures Manager
  • Signatures Updater
  • Signatures Collisions Checker
  • Signatures Retriever
(Since these are technical terms that cannot be translated literally into Vietnamese, I leave them in English.)
For reversing .NET, the following features are useful:
  • Special fields description and modification (.NET supported)
  • PE Rebuilder (with Realigner, IT Binder, Reloc Remover, Strong Name Signature Remover, Image Base Changer)
  • View and modification of .NET internal structures
  • Support in the Resource Editor for .NET resources (dumpable as well)
  • Hex Editor
  • Quick Disassembler (x86, x64, MSIL)
  • Dependency Walker

This is also the first program to support viewing and changing the structure and parameters of .NET PE files, which can be done even on a machine without the .NET Framework installed. We can also extend the program's capabilities by writing scripts that it runs automatically, which is another very valuable strength. So if you want to do .NET reverse engineering, this is a tool that needs to be in your "kit".

CFF Explorer

+ Pluses: Lightweight, free, very useful features, effective .NET support, good extensibility
+ Minuses: None
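As an added illustration (not code from the article, from CFF Explorer or from NTCore) of the .NET-specific structure these tools read: a managed image carries a CLR (COR20) header pointed to by PE data directory entry 14, which a native PE leaves empty. The parser below locates that header through the section table and reports the runtime version and flags without needing the .NET Framework; the sample PE image is constructed inline, and the offsets are assumptions taken from the PE/COFF and ECMA-335 specifications.

```python
import struct

# Layout constants from the PE/COFF and ECMA-335 specs (assumed here, not from the article).
CLR_DIR_INDEX = 14                  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_32BITREQUIRED = 0x2

def rva_to_offset(sections, rva):
    # sections: (VirtualAddress, SizeOfRawData, PointerToRawData) tuples
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def parse_clr_header(data):
    """Return None for a native PE, or a dict describing the CLR (COR20) header."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _machine, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, pe + 4)
    opt = pe + 24                                                    # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                     # PE32 vs PE32+ directories
    if struct.unpack_from("<I", data, dirs - 4)[0] <= CLR_DIR_INDEX:
        return None                                                  # too few directories: native
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR_INDEX)
    if clr_rva == 0 or clr_size == 0:
        return None                                                  # empty entry: native image
    sec_tbl = opt + opt_size
    sections = [struct.unpack_from("<III", data, sec_tbl + 40 * i + 12) for i in range(nsec)]
    off = rva_to_offset(sections, clr_rva)
    _cb, major, minor, md_rva, md_size, flags = struct.unpack_from("<IHHIII", data, off)
    return {"runtime": "%d.%d" % (major, minor), "metadata_rva": md_rva, "metadata_size": md_size,
            "il_only": bool(flags & COMIMAGE_FLAGS_ILONLY), "requires_32bit": bool(flags & COMIMAGE_FLAGS_32BITREQUIRED)}

def build_sample_pe(managed=True):
    """Constructed minimal PE32 image (not a real binary) with one section at RVA 0x2000."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header, 1 section
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * CLR_DIR_INDEX, 0x2000 if managed else 0, 72 if managed else 0)
    sec = opt + 0xE0                                                         # first section header
    struct.pack_into("<IIII", img, sec + 8, 0x100, 0x2000, 0x200, 0x200)     # VSize, VA, RawSize, RawPtr
    struct.pack_into("<IHHIII", img, 0x200, 72, 2, 5, 0x2100, 0x80, 0x1)     # COR20: runtime 2.5, ILONLY
    return bytes(img)
```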

2. .NET Reflector
.NET Reflector is not a strange name to anyone studying .NET. It is the most popular tool for .NET reversing. It has a quality decompilation engine, many supporting plugins/addins, useful features, an intuitive and easy-to-use interface, and can be integrated into Visual Studio; with a big "boss" like Red-Gate behind it, it is no surprise that .NET Reflector keeps getting more powerful and more popular. In my personal opinion, .NET Reflector's reversing capability is great: it can recover 90-95% of the original code, and the recovered code does not look much different from what we would read in Visual Studio. But I still prefer the old version of .NET Reflector, when Lutz Roeder developed it independently. At that time .NET Reflector ran very lightly and precisely, although it did not have as many interesting features as the current .NET Reflector, and most importantly, it was free. Red-Gate has acquired .NET Reflector and turned it into a proprietary tool sold at a high price. Of course crackers/reversers do not like this, and they have developed alternative tools with features similar to .NET Reflector that run much more lightly (I will introduce a few other prominent tools below).
.NET Reflector
+ Pluses: Powerful, popular, easy to use, many addins, good integration with Visual Studio, many useful features
+ Minuses: Heavy, paid, lacks specialized and advanced features
3. Simple Assembly Explorer
This is a tool whose popularity is on par with .NET Reflector. Commonly referred to as SAE, it is an open source project written by Wicky Hu. The program provides the following features:
  • Assembler: call ilasm to assemble files
  • Disassembler: call ildasm to disassemble assemblies
  • Deobfuscator: de-obfuscate obfuscated assemblies
  • Strong Name: remove the strong name signature from an assembly, add/remove an assembly to/from the GAC
  • PE Verify: call PEVerify to verify assemblies
  • Class Editor: browse/view assembly classes, edit method instructions
  • Run Method: run static methods
  • Profiler: trace function calls and parameters with SimpleProfiler
  • Reflector: plugin which calls Reflector to browse the selected assembly
  • ILMerge: plugin which calls ilmerge to merge selected assemblies
  • Edit File: plugin which calls your editor to view the selected assembly
  • Plugin Sample: plugin sample
  • Copy Info: copy information about selected assemblies to the clipboard
  • Open Folder: open the containing folder
  • Delete File: delete selected file(s)

These are very powerful, professional features that .NET Reflector practically does not have. Another strength of the program is that it can use the decompiler engine of ILSpy or .NET Reflector to output the decompiled code in a high-level language (C#, VB.NET, ...), because by default the program decompiles to IL. It can also reverse many .NET files that .NET Reflector cannot handle (a typical example being obfuscated/packed .NET files).
The weakness of the program is that it is somewhat difficult to use and better suited to those with more experience than to beginners. But if you understand and know how to use the program, then it is a great program for .NET reversing.
SAE
+ Pluses: Very powerful, open source, lightweight, free of charge, many professional features that other tools lack, extensibility, and integration with other tools
+ Minuses: Difficult to use, requires experience
4. Telerik JustDecompile
Telerik JustDecompile is a tool influenced by .NET Reflector and is considered the best alternative to it. Key features include the following:
  • 10 times faster than competitors.
  • Open API for everyone to create extensions.
  • Supports .NET 2, 3.5, 4, 4.5, 4.5.1, WinRT Metadata, C#5, APPX and WinMD.
  • Code becomes easily searchable with JustDecompile.
  • Create a Visual Studio project from a decompiled assembly.
  • JustDecompile integrates with JustCode and JustTrace.
  • Switch easily between different methods and assemblies in one JustDecompile instance.
  • Decompile referenced assemblies in a Visual Studio project.
  • Save resources from assemblies.
  • Bookmark usages in loaded assemblies.
  • Export code directly from the command prompt.
  • Decompile an assembly after browsing to it in Windows Explorer.
This is a pretty good decompiling tool for .NET; it is developed by a business, so the investment behind it is fairly good. It includes the basic features of .NET Reflector and has good extensibility. However, because it is newly developed, it does not yet have many prominent and distinctive features, so it still stands in the very large shadow of .NET Reflector. In the future this will definitely be a very powerful and useful tool. For now, it is still a good choice as a replacement for .NET Reflector, since the two tools have many features in common and are very easy to use. A few other points worth noting are command-line support and the great ability to export source code. At the time I used it, there were only 3 plugins.
JustDecompile
+ Pluses: Free, easy to use, many useful features like .NET Reflector, good extensibility, good decompilation, lightweight, well developed
+ Minuses: New, little plugin support, lacks dedicated advanced features
