Reversing : The Hacker's Guide to Reverse Engineering


that inherit from ListItem, each with its own Dump method that is specifically
designed to dump the data for that particular type of item.


Decompilers


As you’ve just witnessed, reversing IL code is far easier than reversing native
assembly language such as IA-32. There are far fewer redundant details such as
flags and registers, and far more relevant details such as class definitions, local
variable declarations, and accurate data type information. This means that it
can be exceedingly easy to decompile IL code back into high-level language
code. In fact, there is rarely a reason to actually sit down and read IL code as
we did in the previous section, unless that code is so badly obfuscated that
decompilers can’t produce a reasonably readable high-level language repre-
sentation of it.
Let’s try to decompile an IL method and see what kind of output we end
up with. Remember the AddItem method from Listing 12.4? Let’s decompile
this method using Spices.Net (9Rays.Net, http://www.9rays.net) and see what it
looks like.


public virtual void AddItem(ListItem NewItem)
{
    NewItem.Next = ListHead;
    if (ListHead != null)
    {
        ListHead.Prev = NewItem;
    }
    ListHead = NewItem;
}

This listing is distinctly more readable than the IL code from Listing 12.4.
Objects and their fields are properly resolved, and the conditional statement is
properly represented. Additionally, references in the IL code to the this object
have been eliminated; they’re just not required for properly deciphering this
routine. The remarkable thing about .NET decompilation is that you don’t
even have to reconstruct the program back to the original language in which it
was written. In some cases, you don’t really know which language was used
for writing the program. Most decompilers, Spices.Net included, let you decom-
pile code into any language you choose; the choice has nothing to do with the
original language in which the program was written.
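To make concrete why the translation from IL back to C#-like code is so mechanical, here is a small symbolic evaluator, added as an example for this section and not code from the book or from Spices.Net. It walks a constructed IL sequence for AddItem (reconstructed here from the decompiled listing; real IL carries full type signatures on every ldfld/stfld operand, which are dropped for brevity), keeps a symbolic evaluation stack of expression strings instead of values, and emits a statement whenever a value is stored or a branch is taken. Argument 0 is the this reference and is omitted when rendering field accesses, which is exactly the simplification the decompiler output above shows. Only the opcodes AddItem needs are supported, and the structuring step handles forward brfalse branches (a plain if with no else); the assumed names ADD_ITEM_IL and decompile are this example's own.

```python
"""Symbolic evaluation of a straight-line IL method into C#-like statements."""

# Constructed IL for AddItem, reconstructed from the decompiled C# listing.
# Each entry is (opcode, operand); "label" is a pseudo-instruction marking a
# branch target. Field operands are bare names instead of full IL signatures.
ADD_ITEM_IL = [
    ("ldarg.1",),                 # push NewItem
    ("ldarg.0",),                 # push this
    ("ldfld", "ListHead"),        # pop this, push this.ListHead
    ("stfld", "Next"),            # NewItem.Next = this.ListHead
    ("ldarg.0",),
    ("ldfld", "ListHead"),
    ("brfalse.s", "L_done"),      # skip the block if ListHead is null
    ("ldarg.0",),
    ("ldfld", "ListHead"),
    ("ldarg.1",),
    ("stfld", "Prev"),            # this.ListHead.Prev = NewItem
    ("label", "L_done"),
    ("ldarg.0",),
    ("ldarg.1",),
    ("stfld", "ListHead"),        # this.ListHead = NewItem
    ("ret",),
]


def decompile(il, arg_names):
    """Return a list of C#-like statement lines for a simple IL method body.

    arg_names maps argument index to a name; index 0 is 'this' for instance
    methods. Unsupported opcodes raise so nothing is silently mistranslated.
    """
    stack = []        # symbolic evaluation stack of expression strings
    out = []
    open_blocks = []  # labels whose arrival closes an open "if" block
    indent = 0

    def emit(line):
        out.append("    " * indent + line)

    def member(obj, field):
        # The decompiler drops explicit "this." qualifiers; mirror that.
        return field if obj == "this" else f"{obj}.{field}"

    for ins in il:
        op = ins[0]
        if op == "label":
            if open_blocks and open_blocks[-1] == ins[1]:
                open_blocks.pop()
                indent -= 1
                emit("}")
        elif op.startswith("ldarg."):
            stack.append(arg_names[int(op.split(".")[1])])
        elif op == "ldfld":
            stack.append(member(stack.pop(), ins[1]))
        elif op == "stfld":
            # stfld pops the value first, then the object reference.
            value = stack.pop()
            obj = stack.pop()
            emit(f"{member(obj, ins[1])} = {value};")
        elif op in ("brfalse", "brfalse.s"):
            # Fall-through runs when the popped reference is non-null.
            cond = stack.pop()
            emit(f"if ({cond} != null)")
            emit("{")
            indent += 1
            open_blocks.append(ins[1])
        elif op == "ret":
            if stack:
                emit(f"return {stack.pop()};")
        else:
            raise ValueError(f"unsupported opcode: {op}")
    return out


def decompile_add_item():
    """Decompile the constructed AddItem body as one C#-like string."""
    return "\n".join(decompile(ADD_ITEM_IL, ["this", "NewItem"]))


if __name__ == "__main__":
    print(decompile_add_item())
```

Because every ldfld and stfld names its field and every ldarg names a typed parameter, no type or variable recovery is needed; that is the whole difference from native code, where the same routine would be pointer arithmetic on registers.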
The high quality of decompilation available for nonobfuscated programs
means that reverse engineering of such .NET programs basically boils down to
reading the high-level language code and trying to figure out what the program
does. This process is typically referred to as program comprehension, and ranges
from being trivial to being incredibly complex, depending on the size of the
program and the amount of information being extracted from it.


Reversing .NET 443