Disassembling With Reflector: Part 1

This article shows dissembling of the source code of an assembly using Reflector.

Abstract

This paper is intended to teach sophisticated Reverse Engineering tactics using Red Gate Reflector particularly. This rare utility demystifies dissembling and cracking of .NET binary in a step-by-step fashion to reveal the protected targets of protecterd information such as finding entry points, license keys, passwords, serial keys and extending trial duration. Although we have done much of reversing in earlier papers by employing other cracking tools such as CFF explorer and ILDASM, Reflector surely opens a new dimension by easing the task of dissembling or de-compilation of .NET binaries and is proven to be a truly Reverse Engineer's tool among security professionals.

Prerequisites

The security researcher is supposed to have a thorough knowledge of the .NET supported programming language because this time, we are directly confronted with hardcore C# or VB.Net source code rather than IL or hex code. However, playing with source code is relatively easy in comparison to byte codes or opcodes. So, it is expected that their machine must be configured with the following tools:

  • Red Gate Reflector
  • .NET Framework 2.x version
  • VC 2010 IDE
  • ILDASM.exe (optional)
The Reflector

Reflector, the amazing dissembling tool, is developed by Red Gate Inc. Although it was available free of cost earlier but nowadays the vendor has commercialized it. The Reflector is essentially used to decompile or dissemble .NET binaries. It can either be an executable or a dynamic linking library. This tool is limited to open binaries that are compiled or developed only under the CLR. We can't decompile any other native unmanaged assemblies. Conversely this limitation poses an advantage in a different fashion where we can easily anticipate the development framework of a DLL or EXE. If the binary is opened or decompiled in the reflector IDE then it is a .NET assembly otherwise not. The Reflector provides the following advantages to the Reverse Engineering professional:
  • It provides the IL code dissembling facility; we don't need to open ILDASM.EXE separately.

  • It can be integrated with the Visual Studio 2010 or 2012 IDE as add-ons.

  • We can convert the decompiled code in other .NET support languages such as VB.NET, Delphi for our convenience.

  • We can run Visual Studio Command Prompt directly from here.

  • We can execute or test the executable from Reflector after decompiling the assembly.

  • Finally, we can view the decompiled code under any framework from the latest .NET 4.5 to 1.0.

After downloading and installing this software, the IDE will display something such as in the following:

Reflector

NOTE

Apart from such terrific advantages and features, I would like to eliminate of a common misconception or myth that the Reflector is not able to edit the .NET source code or opcode in any manner. So, we can't save the assemblies like other dissemblers such as CFF explorer, IDA pro and Ollydbg. It is just decompiled .NET assemblies. In terms of editing the .NET binaries, we need to import sort of open source add-on in the Reflector IDE. Thereby, we are provided a couple of other substantial capabilities such as editing the hex code, opcode and reflect these modifications into another file with a different name.

Target Software

We are not relying on any ready-made software or on another third-party downloaded cracking file to show the dissembling tutorial of the corresponding assembly source code. Instead, we have developed a custom cracking software that surely fulfills the cracking exhibition.

We have created custom software called “Champu” for exhibiting the dissembling and cracking. Don't ponder over the name; it is in fact my son's pet's name. As an analogy, this software is launched for testing purposes by its vendor and works for 15 days. After completion of the 15 days trial duration, it is automatically expired. This software presents many security restrictions, such as a 15 day trial duration, authentication in the form of user name and password validation and License key code to prevent the misuse of the software. You get a glance of this software for a 10-day grace period as in the following:

champu trail version

In the meantime, the user can operate its evaluation version by clicking the Continue button. It poses another user validation barrier where we must enter the correct user name and password to proceed as in the following.

champu

Suppose the user is quite satisfied with this software operability and performance and finally, he decides to buy the full version of this software, then he must register himself on the vendor website from where he gets the License Key code to carry on the operations as in the following.

register

So, this software is well shielded by its vendor developer to stop impending trespass. We shall anticipate that it is nearly impossible to download the license key code from the internet or torrent sources. The user has no choice except buying its license keys to proceed.

Is there any other way or option in which we can spare himself from spending money to get its full version copy? Yes, Reverse Engineering with Reflector is the ultimate way to crack this software.

Dissembling the Target

As you can see in the following figure that the Continue button is disabled and the trial expired alert message is showing in the dialog box; we are not provided the source code of this software so we can modify the code and extend or eliminate this trial restriction. We have no other option to operate it except buying its product keys.

Dissembling the Target

Ok, now it is showtime, ready for Action. We have only the Champu.exe; it's quite enough. Just launch the Reflector IDE and open the Champu.exe over there. It is successfully opened up as you can see in the figure. Now one thing is proven, that it is definitely a .NET assembly because it is dissembling into the editor.

The executable is automatically decompiled or disintegrates into its corresponding source code as you can see in the figure. It is presenting all the rudimentary information associated of this .NET assembly such as Application type, Version, Cryptographic key, copyright, GUID and target framework as in the following:

resource

We can also obtain the extra information about the external .NET assembly reference into this executable software along with the image resources as in the following:

penguins

Amazingly, we obtain much of the information of the target quite easily. Next, just right-click over the champu.exe and the IDE will show you the other significant operation options such as Analyzer, ILDASM, Command prompt and Run as in the following:

Champu in the source code

You can optionally add or remove other .NET native assemblies such as System, System.Numerics and so on in the Reflector. Now, just expand the Champu from the left-pane and here you find the namespace definition referred to as Champu in the source code. Just select it and it will wrap-up everything inside the right-pane as in the following.

source code

It can be clearly seen from the previous figure that Champu.exe has a namespace referred to as Champu that contains C_Trail, Login and Register classes along with two static classes, Program and gData. We can virtually presume that these classes contain the actual functionality logic and are responsible for operating this software.

The assembly could contain numerous classes and all these contain 2 separate logics. So, it is very complicated to determine from where we start the tracing. We need to identify the entry point of this executable software. That is why right-clicking over the champu.exe and the Reflector provides an entry point option. In the right pane, it is displaying the Main() function of this assembly and the C Trial class is initially loading as in the following.

goto entry point

Up until now, we have determined the entry point C_Trail class where the Trial duration logic is actually implemented. So select this class from the left-pane after expanding the Champu namespace. This class shall provide us an overview of the control integrated into the Trial class user interface. It contains two methods, RegisteredUser() and TrailCheck(), as in the following:

C Trail class

Again, go to the TailCheck() method body by selecting it and we find the entire trial duration logic source as in the Visual Studio 2010 editor. We can easily determine that this software works for 15 days from the date 10/5/2013. Apart from that, we can locate the trial expired message in the source code.

trailCheck

We are here, just checking the source code of the TrailCheck() method. We are not sure of the calling or triggering condition of this method. So just select the TrailCheck() method from the left pane and click the Analyze option. It will display some useful information, such as who is using this method (the triggering condition is On_Load()) and to whom this method is dependent as in the following.

TrailCheck method

The .NET reflector exposed the source code in the C# language by default. Some programmers are not proficient or comfortable enough in the C# language. So we can instantly change the assembly source code into another .NET supported programming language such as VB.Net as in the following:

programming language

If we want the actual MSIL opcode instructions behind this source code, we can again change it into its corresponding IL code as in the following figure; here, we don't need to rely on the ILDASM tool separately.

ILDASM

Reflector also provides another amazing utility of importing and exporting the assembly source code into an XML file as in the following.

source code into an XML

Finally, sometimes we need to ponder over the Global assembly cache that is the repository of all .NET assemblies. We can directly open up the GAC from Reflector as in the following:

GAC from Reflector

Summary

This article shows the dissembling of the source code of an assembly using Reflector. As we explained earlier, it is not a tool to modify the instruction sets behinds the source code to achieve our objective; rather it just decompiles the entire source code to analyze the logic. This article explores numerous features of Reflector, such as importing/exporting an assembly, the GAC, Analyzer and code conversion that might be very advantageous during dissembling. We have just analyzed the C_Trail class implementation so far in terms of getting the substantial information. In the later article, we circumvent the remaining class implementations to crack this application software.