Who is this guy? Certifiable (MCSD.net certified that is) Blog
http://jasonhaley.com/blog Co-leader of
Beantown.Net User Group Member of Boston Area Code Brew A nerd
dinner organizer for Boston area TA for Programming.Net at Harvard
Sr. Software Engineer - Cheshire Software
Slide 3
Disassembling is useful See how efficient a compiler is
Translate IL to a higher level language View all pieces of an
assembly Extract resources Edit source code to recompile
Slide 4
Example of disassembling What is Round-tripping? Demos: ILDasm,
Reflector
Slide 5
Agenda Define disassembling Applied disassembling Writing a
disassembler
Slide 6
What is disassembling? Disassembling is not reflection Demos:
WinCV, Asmex Disassemble or decompile Demos: ILDasm, Reflector
Slide 7
Agenda Define disassembling Applied disassembling Writing a
disassembler
Slide 8
What is in an assembly file? PE/COFF File CLR Header Metadata
IL code
Slide 9
PE File Portable Executable File Format PE/COFF headers Data
directories Sections Demos: Dumpbin, .Net Explorer
Slide 10
CLR Header Contains CLR specific information Required runtime
version Metadata location Managed resources location Strong name
signature location Demo: .Net Explorer
IL Code Recognizing the pieces Metadata table contents Metadata
heap contents IL code Demos: Metadata diagram, ILDasm, Dis#
Slide 13
Disassemblers/Decompilers: ILDasm; Monodis; DILE - Dotnet IL Editor;
Reflector for .Net; Asmex - free source .Net Assembly Examiner;
Dis# - .Net decompiler; .Net Explorer; Spices.Net
Slide 14
DILE Dotnet IL Editor Open source (Zsolt Petreny)
http://sourceforge.net/projects/dile Disassembles to IL Quick
search for name and tokens Debugger functionality can debug IL!
Demo: Debugging IL vs. Assembler
Slide 15
Reflector for .Net Lutz Roeder
http://www.aisto.com/roeder/dotnet Great code browsing tool Add-ins
created by community - http://csharp21.tripod.com/ReflectorAddIns
Demo: Reflector and its add-ins
Slide 16
Asmex Assembly Examiner Free source (Ben Peterson) -
http://www.jbrowse.com/products/asmex/ Graphical representation
Most pieces of an assembly Demo: Look at the code
Slide 17
Agenda Define disassembling Applied disassembling Writing a
disassembler
Slide 18
Writing a disassembler PE/COFF File CLR Header Metadata IL
Code
Slide 19
PE File Finding the PE header Signatures (MS-DOS, PE) Necessary
structures Demos: Vijay
Slide 20
CLR Header Finding the CLR Header Need information from PE
Header Calculate the offset in file Demos: Vijay
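Added example (not from the original slides): the steps of slides 19 and 20 in Python, checking the MS-DOS and PE signatures, reading the CLR data directory from the PE header, and converting its RVA to a file offset through the section table. The function names and the image returned by build_sample are constructed for this illustration.

```python
import struct

CLR_DIR = 14  # data directory slot of the CLR runtime header

def rva_to_offset(data, sect_off, nsects, rva):
    """Translate an RVA to a file offset through the section table."""
    for i in range(nsects):
        # Skip the 8-byte name: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", data, sect_off + 40 * i + 8)
        if vaddr <= rva < vaddr + rsize:  # only bytes that are backed by the file
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def find_clr_header(data):
    """Locate the CLR header of a PE image; truncated input raises struct.error."""
    if data[:2] != b"MZ":
        raise ValueError("missing MS-DOS signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections and SizeOfOptionalHeader from the COFF header
    nsects, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs_off = opt_off + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (ndirs,) = struct.unpack_from("<I", data, dirs_off - 4)  # NumberOfRvaAndSizes
    clr_rva = struct.unpack_from("<I", data, dirs_off + 8 * CLR_DIR)[0] if ndirs > CLR_DIR else 0
    if clr_rva == 0:
        raise ValueError("no CLR header: not a managed assembly")
    sect_off = opt_off + opt_size  # section table follows the optional header
    clr_off = rva_to_offset(data, sect_off, nsects, clr_rva)
    _cb, major, minor, md_rva, md_size = struct.unpack_from("<IHHII", data, clr_off)
    return {"clr_offset": clr_off, "runtime": (major, minor), "metadata_size": md_size,
            "metadata_offset": rva_to_offset(data, sect_off, nsects, md_rva)}

def build_sample():
    """Constructed minimal image: only the fields read above are filled in."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H12xH", img, 0x86, 1, 224)            # 1 section, PE32 optional header size
    struct.pack_into("<H", img, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, 0x98 + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x98 + 96 + 8 * CLR_DIR, 0x2008, 72)  # CLR directory
    struct.pack_into("<8s4I", img, 0x178, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHHII", img, 0x208, 72, 2, 5, 0x2050, 0x100)    # CLR header
    return bytes(img)
```

Calling find_clr_header(build_sample()) returns the file offsets of the CLR header and of the metadata it points to, which is where a disassembler would start reading the tables and heaps.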
Slide 21
Metadata Tables are a normalized database Heaps: String
(zero-terminated character), GUID (16 byte binary objects), Blob
(binary object, preceded by its length) Manifest Demos: metainfo, Vijay
Slide 22
IL Code Getting to the IL code Signatures RVA Method format
(tiny or fat) Method data section Exception handling clause (small
or fat) Demos: Dile, Vijay
Slide 23
Summary What is disassembling? What is a disassembler and what
can it do for you? Where can I find a disassembler? What are some
of the things you need to know to write your own disassembler? Why
do you care?
Slide 24
Resources Inside Microsoft .Net IL Assembler - Serge Lidin
Standard ECMA-335 CLI
http://ecma-international.org/publications/standards/Ecma-335.htm
Metadata diagram - Chris King .Net SDK (especially ILDasm)