
I've been playing around with reversing some obfuscated code out there and I have stumbled upon one tricky DLL that had a "method body" (IL code) in a byte[] array and was later on invoking it with dynamic invoke. Is analyzing MSIL the only way here? How do you handle those?

I've spent hours researching online for tooling that would allow me to generate C# code (at least some basics) from IL in a byte array. Is there truly none?

```
ldarg.0
ldarg.1
add
```

It would be great if something existed out there that, given some basic MSIL like the above, would generate a + b.

MZ64

1 Answer

MZ64, hello and welcome to SO!

Unfortunately, what you're asking for is a decompiler service/API/tool and that is simply not built into the .NET Framework. You may want to check various third-party solutions for this.

Back in the day, .NET Reflector was the #1 tool used for that. Today there are various tools, notably dotPeek - and Reflector should still be around. You will have to pay some money for most of them, but you may find a good free tool (I tried and failed).

However, if you want to take the IL code as plain text and just try to run it, then you should use the built-in ILGenerator.Emit(). The easiest way I can think of should be to map your plain text to OpCode/variables, and emit your IL line by line. I don't know if it helps but in theory it should be possible.

Look here for an example:

https://docs.microsoft.com/en-us/dotnet/framework/reflection-and-codedom/how-to-define-and-execute-dynamic-methods

OzrenTkalcecKrznaric
  • Follow up - would this allow me to generate C# from MSIL that is a byte[] array? `byte[] arr = { ... 0x07, 0x08, 0x58 ... }; (...).DynamicInvoke(arr,....);` What I mean is - from the example above, can I just copy paste the bytes from the array and get them converted to C# by the tool? It should give me something like: var1 + var2 – MZ64 Jan 10 '19 at 10:44
  • Hm, it may work, never tried it though. Let me think about it a bit later, I'm busy now... – OzrenTkalcecKrznaric Jan 10 '19 at 17:21
  • Well, this was my question. I know that you can decompile MSIL to C#, dnSpy does it very well and it is free. I know what dynamic invoke does and how to execute code from a byte array - in fact the decompiled code does this. The question is more about the second level. You have decompiled a DLL that has MSIL in C# in byte[] and is calling dynamic invoke to execute it. -> how to decompile the code in byte[]? Is there a way? Basically I do not want to be doing manual analysis every time, I'm way quicker with C#. From the research that I did I could not find it anywhere. I thought maybe SO knows. – MZ64 Jan 11 '19 at 20:45
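
An added example, not part of the original thread or any tool named in it: a small Python sketch that decodes a raw IL byte string and symbolically replays the evaluation stack to print C#-like expressions. It covers only a subset of single-byte opcodes in straight-line code (no branches, calls or metadata tokens); the `arg0`/`loc0` names and both function names are assumptions made for illustration.

```python
# Subset of single-byte CIL opcodes (ECMA-335): value -> (mnemonic, operand size).
# Anything outside this table (calls, branches, 0xFE-prefixed opcodes) is rejected.
OPCODES = {0x00: ("nop", 0), 0x1F: ("ldc.i4.s", 1), 0x20: ("ldc.i4", 4), 0x2A: ("ret", 0),
           0x58: ("add", 0), 0x59: ("sub", 0), 0x5A: ("mul", 0), 0x5B: ("div", 0)}
for i in range(4):
    OPCODES[0x02 + i] = (f"ldarg.{i}", 0)
    OPCODES[0x06 + i] = (f"ldloc.{i}", 0)
    OPCODES[0x0A + i] = (f"stloc.{i}", 0)
for i in range(9):
    OPCODES[0x16 + i] = (f"ldc.i4.{i}", 0)
BINARY = {"add": "+", "sub": "-", "mul": "*", "div": "/"}

def disassemble(il):
    """Return [(offset, mnemonic, operand_bytes)] for a raw IL byte string."""
    out, pos = [], 0
    while pos < len(il):
        if il[pos] not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{il[pos]:02X} at offset {pos}")
        name, size = OPCODES[il[pos]]
        operand = il[pos + 1:pos + 1 + size]
        if len(operand) != size:
            raise ValueError(f"truncated operand for {name} at offset {pos}")
        out.append((pos, name, operand))
        pos += 1 + size
    return out

def to_expressions(il):
    """Replay straight-line IL on a symbolic stack; return C#-like statements."""
    stack, stmts = [], []
    for _, name, operand in disassemble(il):
        if name.startswith("ldarg."):      # assumed names; arg0 is `this` in instance methods
            stack.append(f"arg{name[-1]}")
        elif name.startswith("ldloc."):
            stack.append(f"loc{name[-1]}")
        elif name in ("ldc.i4.s", "ldc.i4"):  # inline little-endian signed constant
            stack.append(str(int.from_bytes(operand, "little", signed=True)))
        elif name.startswith("ldc.i4."):      # ldc.i4.0 .. ldc.i4.8
            stack.append(name[-1])
        elif name in BINARY:
            right, left = stack.pop(), stack.pop()
            stack.append(f"({left} {BINARY[name]} {right})")
        elif name.startswith("stloc."):
            stmts.append(f"loc{name[-1]} = {stack.pop()};")
        elif name == "ret":
            stmts.append(f"return {stack.pop()};" if stack else "return;")
    return stmts + stack  # values still on the stack are shown as bare expressions

print(to_expressions(bytes([0x07, 0x08, 0x58])))  # the three bytes visible in the comment
```

The three bytes visible in the comment, `0x07, 0x08, 0x58`, decode to `ldloc.1`, `ldloc.2`, `add`; the question's `ldarg.0`, `ldarg.1`, `add` would be `0x02, 0x03, 0x58`.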