6

A client has burned bridges with their previous dev and I'm trying to extract source code from what's left of their payroll executable. Unfortunately, as a web dev, I do not have much experience with the .NET framework.

EDIT: Our client legally owns the software but did not ask for source code; the developers aren't responding to our communications. My intention in asking this question on SO was not to get legal advice (we've got people handling that) but to find any options available for decompilation.

I have decompiled executables with JetBrains dotPeek successfully before, however they all ran the .Net Framework v2.0/v4.5 frameworks. The client's payroll executable I'm working with at the moment runs .Net Core v4.5 which is not recognised by dotPeek, ILSpy or other C# decompilation software I've run as a .NET assembly file.

After a little research, I believe .Net Core was recently open sourced... however I'm not sure how I can proceed through the decompilation process, or if it is even possible at this point. Any recommendations?

Note: I will accept an answer along the lines of "it is impossible to decompile, but have you tried X, Y, Z first?". I need to let the client know if it can be done or not since we're running a tight schedule.

Some clarification of what I did: Opened program.exe in dotPeek, right-click properties is giving me this:


It claims "Not .NET assembly file", but I can run the executable fine.

EDIT: Is it possible to extract more information from the executable so I can narrow down another method to decompile?

I suspect .NET decompilers aren't going to help here.

Helen Che
  • do you have .NET 4.5 installed on your machine ? – Antonio Bakula Jan 03 '15 at 12:33
  • Yes, I am able to run the executable. – Helen Che Jan 03 '15 at 12:34
  • @AntonioBakula have you decompiled an executable with `.Net Core v4.5` platform before? – Helen Che Jan 03 '15 at 12:58
  • Are you sure the executable contains any managed code? The tools you're looking at only help in decompiling managed code, not unmanaged code. –  Jan 03 '15 at 12:59
  • A strongly worded letter from an attorney might make the developer deliver the source code of the application that the client paid for. If the client didn't pay for the development but merely rented the software or some such, what you are doing may or may not be legal. – Peter Jan 03 '15 at 13:03
  • I think you have a misunderstanding. .NET Core is the framework edition for the currently RC ASP.NET vNext. Are you positive the client is using that as his framework? – Yuval Itzchakov Jan 03 '15 at 13:24
  • @YuvalItzchakov I'm unsure but when I open the assembly in dotPeek and check the properties, it's telling me that the platform is ".Net Core v4.5". – Helen Che Jan 03 '15 at 13:40
  • @Peter My manager is working on that but from what I've heard the developers aren't responding and have simply vanished. – Helen Che Jan 03 '15 at 13:43
  • .NET Core is not just for ASP.NET; you can compile native desktop apps with it. -- I'd expect it to still be able to decompile back to C#, but it seems like the decompilers haven't caught up yet. – BrainSlugs83 Jan 13 '17 at 20:09

2 Answers

7

The developer asked a legitimate programming question on a development website and deserves an educated response. Not unwanted legal advice. There are many legitimate reasons for decompiling a dll.

When dotPeek suggests that a file was developed using ".Net Core v4.5" and has no MVID, it would suggest that the file is missing a CLR header.

If you decompile the file back to assembly you will probably find identifying markers that the file was developed in VB6.

Find a good VB6 de-compiler and you'll probably be able to de-compile the program without much of an issue. Unfortunately you can't fully de-compile vb6 back to source-code, but you can get a pretty good understanding of how the application was constructed.

Jamie Pearcey
  • Thanks for the helpful response @Jamie. We're currently working with our clients to piece back together their data and if this works we could save a lot of money. I have tried http://www.vb-decompiler.org/download.htm however it states that "This program is compiled with unknown compiler". I'm going to try and decompile it back to assembly via Hex Rays IDA. Do you have more information about the identifying markers? – Helen Che Jan 24 '15 at 09:47
  • Just look for the names of its runtime files. Then look up the type of language that uses those references. If it was compiled in VB6 you will find a reference to MSVBVM60.dll. I'd recommend downloading a trial of PE Explorer and checking the import viewer to see what it references. If nothing appears, make use of PE Explorer's Disassembler. – Jamie Pearcey Jan 27 '15 at 17:46
  • Thanks, unfortunately it isn't VB6, C# on .NET 4.5 rather. – Helen Che Jan 28 '15 at 04:24
  • Then the CLR header has been obfuscated. You might be able to unobfuscate the assembly by replacing the CLR header with legitimate identifiers in some form of process editor so it can be decompiled; but I wouldn't know where to start and there would be no guarantee that the intermediate language hasn't been further obfuscated, which would make the result very difficult to read. – Jamie Pearcey Jan 28 '15 at 11:53
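
The two checks discussed in this answer and its comments (is a CLR header present, and which runtime DLLs are imported) can be scripted without a GUI tool. This is an added example, not code from any of the posters; `triage_pe`, `rva_to_offset` and `build_sample` are hypothetical names, and `build_sample` only constructs a header skeleton so the parser can be exercised offline.

```python
import struct
def rva_to_offset(rva, sections):  # RVA -> file offset, None if unmapped
    for vsize, vaddr, rsize, rptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    return None

def triage_pe(data):
    """Report whether a PE file has a CLR header and which DLLs it imports."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                   # optional header
    pe32_plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dirs = opt + (112 if pe32_plus else 96)         # data directory array
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    def directory(i):
        return struct.unpack_from("<II", data, dirs + 8 * i) if i < ndirs else (0, 0)
    sections = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    imports, imp_rva = [], directory(1)[0]          # directory 1: import table
    off = rva_to_offset(imp_rva, sections) if imp_rva else None
    while off is not None and off + 20 <= len(data) and data[off:off + 20] != bytes(20):
        name = rva_to_offset(struct.unpack_from("<I", data, off + 12)[0], sections)
        end = data.find(b"\0", name) if name is not None else -1
        if end < 0:
            break
        imports.append(data[name:end].decode("ascii", "replace"))
        off += 20
    clr_rva, clr_size = directory(14)               # directory 14: CLR header
    return {"clr_header": bool(clr_rva and clr_size), "imports": imports,
            "vb6_runtime": any(n.upper() == "MSVBVM60.DLL" for n in imports)}

def build_sample(dll_name, clr_rva=0):
    """Constructed PE32 header skeleton for the demo; not a runnable program."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 1, 224)       # COFF header
    struct.pack_into("<H", img, 0x58, 0x10B)                    # PE32 magic
    struct.pack_into("<I", img, 0xB4, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0xC0, 0x1000, 40)              # import directory
    struct.pack_into("<II", img, 0x128, clr_rva, 72 if clr_rva else 0)
    struct.pack_into("<4I", img, 0x140, 0x200, 0x1000, 0x200, 0x200)  # section
    struct.pack_into("<I", img, 0x20C, 0x1028)                  # descriptor Name RVA
    img[0x228:0x228 + len(dll_name)] = dll_name
    return bytes(img)
```

For a real file, pass `open(path, "rb").read()` to `triage_pe`. A result with `clr_header` false means the file as it sits on disk carries no managed header, which is consistent with dotPeek's "Not .NET assembly file" message.
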
0

.NET Core is an open-sourced version of .NET, currently a work in progress. You can see the progress day by day on Microsoft's public GitHub page, corefx.

I am a bit confused by what .NET Core means in the question, but from my understanding there is not a final .NET Core 4.5 yet, and even though it certainly is usable yet incomplete, why would someone use it in production code?

For more info read this blog post

Mr Balanikas