Lost Source Code? No Problem for .NET

Author Note: I am a developer consultant who creates new software solutions and maintains existing solutions for my clients. I have been doing this for over 20 years. I primarily work with Microsoft technologies.

Recently, my client asked me to rewrite one of their .NET applications created years ago by a former consultant no longer on the team. My client did not have the source code – just the compiled PE (Portable Executable) .exe file originally written in C#. Not surprisingly, this is not the first time I have experienced this problem as a developer. Reversing to the rescue!

Reversing (reverse engineering) is the process of converting compiled binary code back to source code that “resembles” the original source code that was used to create it. This practice has been done for decades with most computer languages and platforms. Scoundrels have used reversing for nefarious reasons such as software piracy and hacking. Other times, like in my situation, developers can use it to recover source code that was lost or accidentally (wrongfully) never given to the project owner.

For me, my intentions include saving time for the client, effort, and lessening the learning curve by recreating the software solution. I also wanted to recover the source code and put it into a code repository where it belongs. There are books and tools dedicated to this science.

On a side note, developers can make it more difficult for others to reverse engineer an application by protecting the compiled code with an obfuscator (reversing horror). Software obfuscators are used by software vendors to protect against stolen applications, algorithms, and trade secrets. For .NET, the compiled Intermediate Language (IL) code can be reversed back to functional C# source code.

An obfuscator is platform specific. It provides “security through obscurity” by renaming most methods, properties, and other bits inside of a compiled application to make it more difficult to understand and convert the compiled code to source code. Years ago, I worked for a software security company that created security tools in Java. They used an obfuscator to protect their assets.

Advanced obfuscators can add confusing code bloat and more sneaky maneuvers to add to the mix. The intention is to make a potential hacker give up and move onto an easier target to hack. An obfuscated application is not worth the extra effort required to reverse it unless absolutely required. Many times, It is simply easier to rewrite an app from scratch than to reverse an obfuscated application. Thankfully for me, the applications I have had to reverse over the years have not been obfuscated.

Since 2002, when Microsoft initially released .NET, PreEmptive Software (now Idera, Inc.) has offered a free “Community Edition” of a .NET obfuscator (called Dotfuscator). A professional version is also available with a subscription. You can install it from the Visual Studio Installer. It is worth your time to play with this free tool if you have software obfuscation in your future!

Note: other vendors also offer obfuscators for different prices.

Installation

To install it, here are screenshots of the Visual Studio installer and Visual Studio 2022.

Tools

For reversing, I have used different tools for the past 20+ years. A popular .NET utility called .NET Reflector by Lutz Roeder was free for several years before he handed the project off to Red Gate Software (https://www.red-gate.com/products/reflector/). It now requires a subscription to use. They offer a Visual Studio extension you can use too (https://marketplace.visualstudio.com/items?itemName=vs-publisher-306627.NETReflectorVisualStudioExtension).

Progress Telerik used to offer a free desktop utility called JustDecompile that could reverse a .NET application back to code in the language of your choice (C#, VB, and more). Unfortunately, since it is free, Telerik has not been giving this desktop application any attention and has since removed links to download the tool. I searched the web looking for an old installer and found one that included a virus that Windows caught and cleaned up for me. That was embarrassing and frustrating. Currently, Telerik does still offer JustDecompile as a Visual Studio Extension (https://marketplace.visualstudio.com/items?itemName=vs-publisher-443.TelerikJustDecompile).  However, it requires another Telerik tool called JustCode, which has since been retired! JustDecompile is worthless to us today.

Jet Brains offers a free stand-alone tool called dotPeek that can reverse engineer an application back to IL or C# code (https://www.jetbrains.com/decompiler/). Besides recreating all the source code (.cs) files, it can also recreate the solution (.sln) file, the project (.csproj) file, and symbol (.pdb) files. This is a pretty useful tool! They also offer documentation and videos on using dotPeek.

For my last reversing project, I went with the free OSS (Open-Source Software) solution called ILSpy Fresh by iCSharpCode (https://github.com/icsharpcode/ILSpy). By the way, there are many other useful tools at their repo worth checking out, such as a tool that can convert VB to C# or vice-versa. Incidentally, ILSpy Fresh can also recreate the C# project (.csproj) and all the C# files from the .NET assembly (application/library). You can easily install ILSpy Fresh via the Microsoft Store.

 

Reversing Process

None of these tools perform a perfect job. Even after using a reversing tool, a developer will still have to clean up and prepare the project and source code files.

Important: I highly recommend you create a new Visual Studio project that you can work with side-by-side with the project created by the reversing tool. You can safely run two instances of Visual Studio in Windows. The initial goal is to capture the original source code, fix it so it can compile and execute correctly, and then put it into a repo. Do not start rewriting the app (code optimization, etc.) until this code is under source control. You do not want to lose the intentions of the original source code – no matter how badly it was written! If you start changing the code before it is put in a repo, you risk forever losing code that may only run a specific manner in its original compiled state.

Remember – all comments have been stripped away and lost forever with the original lost source code. You will have to add code comments, perform additional formatting, and add extra white space to help you and other developers read and understand how the code works.

For certain types of projects, such as desktop applications, it is often much easier to recreate forms and add positioned controls by copying/pasting controls from one project’s form to the other. Click the form in the original project, click <Ctrl>-A to select all form controls. Click <Ctrl>-C to copy them. Click the new form in the new project and then click <Ctrl>-V to paste them.

By doing this, you are also recreating the original partial classes for the forms, unlike the generated reversed project. For desktop applications or other project types that use partial classes, structs, or interfaces (these are code types that are split between two or more files), all the code will be recreated into one file when they are reversed, which is painful to separate or maintain.

You should copy regular source code files to the new project, one file at a time. As you add a source code file to the new project, try compiling it and repairing any broken code. Continue adding dependent source code files, one at a time, and fix those too.

Sometimes, you will find code files that the original project included but were never actually being used! You should still add those source code files to the new project but then comment them out. Remember, you are just trying to recreate the project and get it into a repo. There will be time for optimization afterwards. You may find those source code files useful later.

Some parts of the project will simply not be reversed correctly. For example, dynamic types are often not reversed correctly. Do your best to try and understand the original intentions of the source code. You can comment out code or rewrite code when necessary. This is not a perfect process! Do your best.

I hope this article helps you with your reversing project. Best wishes and good luck.

About Intertech

Intertech is a Software Development Consulting Firm that provides single and multiple turnkey software development teams, available on your schedule and configured to achieve success as defined by your requirements independently or in co-development with your team. Intertech teams combine proven full-stack, DevOps, Agile-experienced lead consultants with Delivery Management, User Experience, Software Development, and QA experts in Business Process Automation (BPA), Microservices, Client- and Server-Side Web Frameworks of multiple technologies, Custom Portal and Dashboard development, Cloud Integration and Migration (Azure and AWS), and so much more. Each Intertech employee leads with the soft skills necessary to explain complex concepts to stakeholders and team members alike and makes your business more efficient, your data more valuable, and your team better. In addition, Intertech is a trusted partner of more than 4000 satisfied customers and has a 99.70% “would recommend” rating.