How to reverse obfuscation in .NET?

Question

Is obfuscation only about garbling the names of non-public variables/members? If so, would it not be possible to write an application that would at least change these names more readible ones like "variable1", etc, and then extract the whole code that can still be compiled?

Answer 1

There are 'deobfuscator' tools to undo several obfuscation techniques like Decrypt strings, Remove proxy methods, Devirtualize virtualized code, Remove anti-debug code, Remove junk classes, Restore the types of method parameters and fields and more...

One very powerful tool is de4dot.

But there are more.

Answer 2

It's depend upon the obfuscation technology used. Obsfucating variable name is only one part of the issue. A lot of obfuscation tools perform some kind of program flow obfuscation at the same time, which will complicate further code comprehension. At the end, the obfuscated IL won't be expressible easily (if at all) in most programming languages.

Renaming the variables and fields won't help you much either, as having a lot of variable1, variable2.. won't help you to understand what you read.

Answer 3

That is certainly the start of an obfuscator. Though some obfuscators will also encrypt strings and other such tricks to make it very difficult to reverse engineer the assembly.

Of course, since the runtime needs to run the assembly after all of this, it is possible for a determined hacker to reverse engineer it :)

Answer 4

No, it is about a lot more, especially with more sophisticated obfuscators. They can produce IL that cannot be expressed in most languages, and where the logic flow is horribly tangled to befuddle the best of tools. With lots of time you can do it (probably lots by hand), and there is certainly an arms race between the obfuscators and deobfuscators - but you vastly underestimate the technology here.

Also, note that many obfuscators look at an entire application (not just one assembly), so they can change the public API too.

Answer 5

Obfuscation is about changing meaningful names like accountBalance to meaningless ones like a1. The application will obviously still work, but it will be more difficult to understand the algorithms inside it.