Decompiling a .NET Framework v4.5 executable "not .NET assembly file" in dotPeek but executable runs fine
M

2

6

A client has burned bridges with their previous dev and I'm trying to extract source code from what's left of their payroll executable. Unfortunately, as a web dev I do not have much experience with the .NET Framework.

EDIT: Our client legally owns the software but did not ask for source code, and the developers aren't responding to our communications. My intention in asking this question on SO was not to get legal advice (we've got people handling that) but to find any options available for decompilation.

I have decompiled executables with JetBrains dotPeek successfully before, however they all ran the .NET Framework v2.0/v4.5 frameworks. The client's payroll executable I'm working with at the moment runs .NET Core v4.5 which is not recognised by dotPeek, ILSpy or other C# decompilation software I've run as a .NET assembly file.

After a little research, I believe .NET Core was recently open sourced... however I'm not sure how I can proceed through the decompilation process, or if it is even possible at this point. Any recommendations?

Note: I will accept an answer along the lines of "it is impossible to decompile, but have you tried X, Y, Z first?". I need to let the client know if it can be done or not since we're running a tight schedule.

Some clarification of what I did: Opened program.exe in dotPeek, right-click properties is giving me this:


It claims "Not .NET assembly file", but I can run the executable fine.

EDIT: Is it possible to extract more information from the executable so I can narrow down another method to decompile?

I suspect .NET decompilers aren't going to help here.

Mono answered 3/1, 2015 at 12:30 Comment(9)
Do you have .NET 4.5 installed on your machine? - Malinger
Yes, I am able to run the executable. - Mono
@AntonioBakula have you decompiled an executable with .Net Core v4.5 platform before? - Mono
Are you sure the executable contains any managed code? The tools you're looking at only help in decompiling managed code, not unmanaged code. - Neutrino
A strongly worded letter from an attorney might make the developer deliver the source code of the application that the client paid for. If the client didn't pay for the development but merely rented the software or some such, what you are doing may or may not be legal. - Porscheporsena
I think you have a misunderstanding. .NET Core is the framework edition for the currently RC ASP.NET vNext. Are you positive the client is using that as his framework? - Obviate
@YuvalItzchakov I'm unsure but when I open the assembly in dotPeek and check the properties, it's telling me that the platform is ".Net Core v4.5". - Mono
@Porscheporsena My manager is working on that but from what I've heard the developers aren't responding and have simply vanished. - Mono
.NET Core is not just for ASP.NET; you can compile native desktop apps with it. -- I'd expect it to still be able to decompile back to C#, but it seems like the decompilers haven't caught up yet. - Belldame
G
8

The developer asked a legitimate programming question on a development website and deserves an educated response. Not unwanted legal advice. There are many legitimate reasons for decompiling a dll.

When dotPeek suggests that a file was developed using ".Net Core v4.5" and has no MVID it would suggest that the file is missing a CLR header.

If you decompile the file back to assembly you will probably find identifying markers that the file was developed in VB6.

Find a good VB6 de-compiler and you'll probably be able to de-compile the program without much of an issue. Unfortunately you can't fully de-compile VB6 back to source code, but you can get a pretty good understanding of how the application was constructed.

Gladsome answered 23/1, 2015 at 11:8 Comment(4)
Thanks for the helpful response @Jamie. We're currently working with our clients to piece back together their data and if this works we could save a lot of money. I have tried vb-decompiler.org/download.htm, however it states that "This program is compiled with unknown compiler". I'm going to try and decompile it back to assembly via Hex Rays IDA. Do you have more information about the identifying markers? - Mono
Just look for the names of its runtime files. Then look up the type of language that uses those references. If it was compiled in VB6 you will find a reference to MSVBVM60.dll. I'd recommend downloading a trial of PE Explorer and checking the import viewer to see what it references. If nothing appears, make use of PE Explorer's disassembler. - Gladsome
Thanks, unfortunately it isn't VB6, C# on .NET 4.5 rather. - Mono
Then the CLR header has been obfuscated. You might be able to unobfuscate the assembly by replacing the CLR header with legitimate identifiers in some form of process editor so it can be decompiled; but I wouldn't know where to start and there would be no guarantee that the intermediate language hasn't been further obfuscated which would make the result very difficult to read. - Gladsome
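The CLR-header check this answer and its comments turn on, as an added example that is not part of the original posts: a managed assembly is located through PE data directory entry 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), so reading that entry shows whether the file on disk exposes a CLR header at all. The names `clr_directory` and `build_sample` are hypothetical, and the sample header bytes are constructed for the demonstration.

```python
import struct
import sys

CLR_DIR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)

def clr_directory(data: bytes):
    """Return (rva, size) of the CLR header directory, or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = pe_off + 4
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + 20                            # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:      # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic")
    count = struct.unpack_from("<I", data, opt_off + count_off)[0]
    entry = dirs_off + CLR_DIR_INDEX * 8               # each entry: RVA, size
    if count <= CLR_DIR_INDEX or entry + 8 > opt_size:
        return None         # directory table too short to hold entry 14
    rva, size = struct.unpack_from("<II", data, opt_off + entry)
    return (rva, size) if rva and size else None

def build_sample(clr_rva=0, clr_size=0):
    """Constructed minimal PE32 headers (not a runnable program) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # PE header follows DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                               # 96 bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + CLR_DIR_INDEX * 8, clr_rva, clr_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = clr_directory(fh.read(4096))
        print(path, "CLR header at RVA 0x%X" % found[0] if found else "no CLR header")
```

A `None` result only describes the file as stored on disk; it does not distinguish a native executable from one whose managed code is wrapped or altered, which is the case raised in the last comment above.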
S
0

.NET Core is an open-sourced version of .NET, currently a work in progress. You can see the progress day by day on Microsoft's public GitHub page, corefx.

I am a bit confused by what .NET Core means in the question, but from my understanding there is not a final .NET Core 4.5 yet, and even though it certainly is usable yet incomplete, why would someone use it in production code?

For more info read this blog post

Slop answered 3/1, 2015 at 14:7 Comment(2)
It wasn't me that downvoted (I don't have privileges to do it anyways). To clear up the .NET Core question, I will upload a screenshot. - Mono
I didn't, but your answer doesn't make sense at all. - Cornwell
