dnSpyEx/dnSpy

Empty Method Bodies

fereydoon031 opened this issue · 9 comments

dnSpyEx version

6.4.1

Describe the Bug

I am encountering an issue while decompiling C# code from a set of exe and dll files in a Portable .NET environment. I am using dnSpy for decompilation, but the methods I see appear to be empty, with attributes like the following:

How To Reproduce

To reproduce the issue, follow these steps: Load Portable .NET executable and dll files into dnSpy, attempt to decompile, and observe methods with empty bodies, noting the specific discrepancies.

Expected Behavior

When decompiling C# code using dnSpy on a set of exe and dll files in a Portable .NET environment, I expect to view the decompiled methods with their actual code and contents, including the method body and any associated logic or statements. The decompiled code should accurately represent the original code and be readable and editable for further analysis or modification.

Actual Behavior

	[MethodImpl(MethodImplOptions.NoInlining)]
	public Activation(double value1, double value2)
	{
	}

	[MethodImpl(MethodImplOptions.NoInlining)]
	public static Point FromString(string string)
	{
		return null;
	}

Additional Context

I have come across the following Stack Overflow link which appears to address a similar issue of empty methods during C# decompilation.

However, the solutions provided in that thread have not resolved my specific problem when attempting to decompile C# code using dnSpy.

Is it your application that you're trying to analyse in dnSpy? I guess those methods are intended to be empty, and for most obfuscators no inlining means don't make any obfuscation here (i.e. method body and method signature), but I think it will load a method body at runtime or it's just a dummy method.

Would be great if you provide the file

@sunnamed434 Thank you for your answer. It's not my application. In another version, when I use dnSpy for analysis, I can see the method implementation. However, in the new version of the exe file that I'm trying to view, I cannot see the method implementation. I apologize, but I am unable to share the exe file.

The file you are analyzing is probably obfuscated with some sort of method body encryption protection which causes the original bodies to become invisible since the protection will only decrypt them at runtime. This is most likely not a bug in dnSpy but rather protection applied on the file, which must be removed first to decompile the code. This is the only hypothesis I can create for the cause of this issue without being able to view the file in question. If you do not feel comfortable placing this file on github, you can send it to me directly via email at elektrokilldev@protonmail.com with the issue number in the title of the email.

If the file cannot be provided I will have to close the issue as there is not enough information to determine whether this is an actual bug in dnSpy (unlikely) or whether it is just a clever protection scheme applied on the method bodies to make decompilation harder.

Thank you, @ElektroKill, for your detailed explanation. I'll send the file to you via email with the issue number in the title as suggested.

Also, I'm interested in learning more about removing protection from files. Could you recommend a book or course that could help me gain a better understanding of this topic? Thanks in advance!

@fereydoon031 Some protectors are "eating" the original method bodies and they bring them back during the JIT process.
As an example, the Agile.net protector does it this way, and so do some others.

You won't be able to debug those empty methods until you recover / deprotect your binary.

> Thank you, @ElektroKill, for your detailed explanation. I'll send the file to you via email with the issue number in the title as suggested.
>
> Also, I'm interested in learning more about removing protection from files. Could you recommend a book or course that could help me gain a better understanding of this topic? Thanks in advance!

This topic is very complex; there are no books, no information, only the solution. To learn this you need to have as much complex knowledge as possible: you know how a computer works, how Windows works, what the CLR is, how dotnet works, what a file is, what a file structure consists of (PE for example). By learning all these things you can understand how to implement this, why it works like that, etc.

It's unnecessary to know in full detail how everything works, but knowledge of each thing, at least basic knowledge, is enough; all the next things come to your mind automatically because you have complex knowledge.

I can't say that I'm a pro, more a newbie who had the same questions as you. It's not advice but an answer to the questions which I had a lot of at the beginning.

Thanks, @greenozon. Can you suggest some software to download and use to debug those empty methods to recover/deprotect my binary?

I could suggest some keywords that would lead you to the desired paradise: jit, jitDumper, clrjit.
This is a complex subject, as different .net are using different dlls/approaches/etc.
There is no one magic silver bullet...

But first things first: you have to identify what kind of protector you have hit.
Use tools like exeinfope 0081 or DIE 308 or whatever you like.

good luck!

@fereydoon031 Sorry for the late response. I took a look at your file and, as I expected, the file is obfuscated with .NET Reactor, an obfuscator which encrypts method bodies in the on-disk file and only decrypts them at runtime to counter decompilation. In order to view the method bodies you would need to remove this protection scheme first, after which you will be able to decompile the code. This falls outside of the scope of dnSpy issues, so I'm going to close the issue now.
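
A triage heuristic for the symptom discussed in this thread, as an added example that is not part of the original issue or of dnSpy: it scans decompiled C# text for methods whose bodies are only stubs and that carry `MethodImplOptions.NoInlining`, which helps tell a protected assembly from a decompiler fault before filing a bug. The function names, the regular expressions and the 0.5 threshold are assumptions made for this sketch; the sample is the two snippets from the issue plus one constructed method with a real body.

```python
import re

# Constructed sample: the two stub methods shown in the issue, followed by
# one constructed method that still has a real body.
SAMPLE = '''
    [MethodImpl(MethodImplOptions.NoInlining)]
    public Activation(double value1, double value2)
    {
    }

    [MethodImpl(MethodImplOptions.NoInlining)]
    public static Point FromString(string string)
    {
        return null;
    }

    public int Add(int a, int b)
    {
        return a + b;
    }
'''

# Optional attribute lines, a signature line, then a body without nested braces.
METHOD_RE = re.compile(
    r'(?P<attrs>(?:^[ \t]*\[[^\]\n]*\][ \t]*\n)*)'
    r'^[ \t]*(?P<sig>(?:public|private|protected|internal)[^\n;{}]*\([^\n)]*\))[ \t]*\n'
    r'[ \t]*\{(?P<body>[^{}]*)\}',
    re.MULTILINE)

# What a decompiler shows for a stubbed-out body: nothing, or a default return.
STUB_RE = re.compile(r'^(?:return(?:\s+(?:null|0|false|default(?:\([^)]*\))?))?\s*;)?$')

def triage(source):
    """Return (stub_signatures, total_methods, stubs_with_noinlining)."""
    stubs, total, flagged = [], 0, 0
    for m in METHOD_RE.finditer(source):
        total += 1
        if STUB_RE.match(m.group('body').strip()):
            stubs.append(m.group('sig').strip())
            if 'MethodImplOptions.NoInlining' in m.group('attrs'):
                flagged += 1
    return stubs, total, flagged

def looks_protected(source, threshold=0.5):
    """Heuristic (assumed threshold): most methods are stubs and some carry NoInlining."""
    # Clean code also has a few empty methods, so require a high stub ratio.
    stubs, total, flagged = triage(source)
    return total > 0 and flagged > 0 and len(stubs) / total >= threshold
```

A positive result only says the on-disk bodies are stubs; identifying which protector produced them is a separate step, as the comments above point out.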