XenoCode Obfuscator
As a first test case, I have taken the linked-list sample you examined earlier
and ran it through the XenoCode 2005 (XenoCode Corporation, http://www.
xenocode.com) obfuscator, with the string renaming and control flow obfus-
cation features enabled. The “Suppress Microsoft IL Disassembler” feature
was enabled, which prevented ILDasm from disassembling the code, but it
was still possible to disassemble the code using other tools such as Decom-
piler.NET (Jungle Creatures Inc., http://www.junglecreature.com) or Spices.Net.
Note that both of these products support both IL disassembly and full-blown
decompilation into high-level languages. Listing 12.6 shows the Spices.Net IL
disassembly for the AddItemfunction from Listing 12.4.instance void x5921718e79c67372(class xcc70d25cd5aa3d56
xc1f1238cfa10db08) cil managed
{
// Code size: 46 bytes
.maxstack 8
IL_0000: ldarg.1
IL_0001: ldarg.0
IL_0002: ldfld class xcc70d25cd5aa3d56
x5fc7cea805f4af85::xb19b6eb1af8dda00
IL_0007: br.s IL_0017
IL_0009: ldarg.0
IL_000a: ldfld class xcc70d25cd5aa3d56
x5fc7cea805f4af85::xb19b6eb1af8dda00
IL_000f: ldarg.1
IL_0010: stfld class xcc70d25cd5aa3d56
xcc70d25cd5aa3d56::xd3669c4cce512327
IL_0015: br.s IL_0026
IL_0017: stfld class xcc70d25cd5aa3d56
xcc70d25cd5aa3d56::xbc13914359462815
IL_001c: ldarg.0
IL_001d: ldfld class xcc70d25cd5aa3d56
x5fc7cea805f4af85::xb19b6eb1af8dda00
IL_0022: brfalse.s IL_0026
IL_0024: br.s IL_0009
IL_0026: ldarg.0
IL_0027: ldarg.1
IL_0028: stfld class xcc70d25cd5aa3d56
x5fc7cea805f4af85::xb19b6eb1af8dda00
IL_002d: ret
}//end of method x5fc7cea805f4af85::x5921718e79c67372Listing 12.6 IL disassembly of an obfuscated version of the AddItem function from
Listing 12.4.446 Chapter 12