Debugging an obfuscated .NET core application with DotPeek


I am hunting for a possible logic bomb in the code deployed to production by our vendor software factory.

For the sake of curiosity of the readers, here is a brief recap. The application stopped working with an infinite wait at some point. Decompiling the obfuscated code, I found an odd Thread.Sleep that should never be in an MVC API, where the amount is computed by the difference between the current ticks and a value computed somehow. I.e.

using System;
using System.Threading;

// Simplified reconstruction of the decompiled code, cleaned up so it compiles.
class Reconstructed {
    private long SomeFunction(long param) {
        if (param > 0)
            Thread.Sleep(TimeSpan.FromMilliseconds(param)); // Thread.Sleep has no long overload
        return param;
    }

    private long GetSomeLongValue() {
        // Simplified. There is a lot of long to string and back
        return SomeFunction(Manipulate(DateTime.Now.Ticks - GetMysteryNumber()));
    }

    private long Manipulate(long param) {
        if (param < 0)
            return param;
        // Compute a random number of days between 0 and param / 86400000,
        // and return its milliseconds value, always positive
        long maxDays = param / 86400000;
        long days = (long)(new Random().NextDouble() * (maxDays + 1));
        return days * 86400000;
    }

    // Heavily obfuscated; this is the function under investigation, body unknown.
    private long GetMysteryNumber() =>
        throw new NotImplementedException("obfuscated; body not recovered");
}

And by running experiments with system clock, I found that there is a magic DateTime.Now value when the application works (before) and stops (right after one second). The experiment was consistent and repeatable.

Back to the question

I have done all this work using JetBrains DotPeek. This was done by looking at the code: human static analysis.

The problem is that what I have called SomeMysteryFunction is so well obfuscated that I really can't get any clue about what it does. I have the full code, but I would like to take another approach.

I'd like to exercise that function and try to see if it returns consistent values that may be equal to the guilty timestamp. The function depends on the result of GetCallingAssembly method, so that will be a pain in the back.

I thought about running some sort of Program.cs or unit test that exploits the obfuscated function by reflection, but I'd like to debug using DotPeek. Why?

  • Disassembly can be a mess
  • I tried Telerik, but I had a lot more success with DotPeek decompiling async methods not in their StateMachine representation

I have never done this in my work experience. I just need to be sure about this being intentional or not.

How do I set up a test bed environment so that I can debug into a linked DLL decompiled by DotPeek?
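The reflection route mentioned above, as an added example that is not code from the question or the answer: a throwaway harness that loads the vendor DLL, invokes the private obfuscated method and prints its result next to the timestamp from the clock experiment. The DLL path, the type name and the guilty timestamp are placeholders to be taken from DotPeek's output.

```csharp
using System;
using System.Reflection;
using System.Runtime.CompilerServices;

// Added harness, not part of the original page. Placeholders: the DLL path,
// the type name and the guilty timestamp below must come from DotPeek.
class MysteryNumberHarness
{
    static void Main(string[] args)
    {
        string dllPath = args.Length > 0 ? args[0] : @"C:\placeholder\Vendor.dll";
        string typeName = "Vendor.Placeholder.ObfuscatedType";
        string methodName = "GetMysteryNumber"; // name used in the question's sketch
        long guiltyTicks = new DateTime(2020, 1, 1).Ticks; // placeholder from the clock experiment

        Assembly asm = Assembly.LoadFrom(dllPath);
        Type type = asm.GetType(typeName, throwOnError: true);
        MethodInfo method = type.GetMethod(methodName,
            BindingFlags.Public | BindingFlags.NonPublic |
            BindingFlags.Instance | BindingFlags.Static)
            ?? throw new MissingMethodException(typeName, methodName);

        // Skip the constructor: an obfuscated type may do unwanted work in it.
        object target = method.IsStatic
            ? null
            : RuntimeHelpers.GetUninitializedObject(type);

        // Call it several times. A value that stays fixed across calls is
        // consistent with a hard-coded trigger date; one that moves with the
        // clock is not. Caveat: the method reads Assembly.GetCallingAssembly(),
        // and through reflection the caller it sees is the reflection
        // machinery rather than the vendor's own code, so the result here may
        // differ from what the method returns in production.
        for (int i = 0; i < 5; i++)
        {
            long value = (long)method.Invoke(target, null);
            string asDate = value >= DateTime.MinValue.Ticks && value <= DateTime.MaxValue.Ticks
                ? new DateTime(value).ToString("o")
                : "not a valid tick count";
            Console.WriteLine($"call {i}: {value} ({asDate}), " +
                              $"delta to guilty timestamp: {value - guiltyTicks} ticks");
        }
    }
}
```

Run it with the real DLL path as the first argument; a delta of zero on every call is the strongest sign that the obfuscated function simply returns the trigger timestamp.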

1 answer

Patrick from NDepend team

This post, In the Jungle of .NET Decompilers, explains all .NET decompilers that are worth using.

Definitely the free and OSS tool dnSpy is the one you want to use for that sort of hacking scenario [I'd like to exercise that function].