Thursday, 24 April 2008

.NET Reflector Bares It All

Filed under: Programming — Jan Goyvaerts @ 10:19

Last week I received a support inquiry from an EditPad Pro user asking how to make EditPad Pro run an XML Validation tool. This particular tool was a very simple .NET application that was designed to be invoked as a tool by another text editor. There was no such example tool on EditPad Pro’s web site.

Of course, I could have just created a tool configuration for the existing XML validator applet and linked to it. But I didn’t want to subject my customers to the integration stuff the other validator provided for the competing editor. It would flash an error message as it failed to create .ini files or registry entries.

Besides, the application was only a few kilobytes. How hard could it be to write something similar? It turned out to be all too easy.

What follows is certainly old news to experienced .NET developers. But it was new to me, and quite an eye-opener. My .NET experience was limited to creating test applications to test the System.Text.RegularExpressions package for RegexBuddy, and a sample application for using RegexBuddy’s COM integration.

I had previously heard about something called .NET Reflector. But I had never tried it. It’s a free download. It asks for an email, but you can enter a bogus address as you don’t need to receive any emails to get the .NET Reflector to run. Just unzip and run.

I pointed the reflector to the other XML validation utility that I had downloaded. I was presented with a class browser that not only showed the application’s complete class structure, but also the complete source code. Variable names etc. were still there. It was trivial to figure out what the application was doing, and write my own application to duplicate it. Though I didn’t copy/paste anything, I easily could have.

Obviously, digging into a real-world application is going to be far more involved than dissecting a little utility that, in my version, is only about 100 lines of code. But it’s not going to be any more complicated than reading the actual source code. Obfuscating the application will make the code harder to interpret. But it won’t really stop anyone from seeing your code. This effectively makes all .NET code open source, pretty much like all JavaScript code that runs in your browser is open source. It can be obfuscated, but not hidden.

Compare the screen shot below with the actual source code.

Examining my own XMLValidatorTool.exe with the .NET Reflector
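
The claim above that names and code survive compilation can be checked with .NET's own reflection API. The following C# program is an added example, not code from the original post or from .NET Reflector; the names `SampleValidator`, `Validate`, `lastError` and `MetadataDump` are hypothetical stand-ins.

```csharp
using System;
using System.Reflection;

// Hypothetical stand-in for a small utility class; not the validator from the post.
class SampleValidator
{
    private string lastError;

    public bool Validate(string xmlPath, bool strictMode)
    {
        lastError = strictMode ? "strict" : null;
        return xmlPath != null && lastError == null;
    }
}

static class MetadataDump
{
    const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic |
                             BindingFlags.Instance | BindingFlags.Static |
                             BindingFlags.DeclaredOnly;

    static void Main()
    {
        // Inspect the compiled assembly this program is running from.
        Assembly asm = Assembly.GetExecutingAssembly();
        foreach (Type type in asm.GetTypes())
        {
            Console.WriteLine("type " + type.FullName);
            foreach (FieldInfo field in type.GetFields(All))
                Console.WriteLine("  field " + field.FieldType.Name + " " + field.Name);
            foreach (MethodInfo method in type.GetMethods(All))
            {
                Console.Write("  method " + method.ReturnType.Name + " " + method.Name + "(");
                ParameterInfo[] ps = method.GetParameters();
                for (int i = 0; i < ps.Length; i++)
                    Console.Write((i > 0 ? ", " : "") + ps[i].ParameterType.Name + " " + ps[i].Name);
                // The IL bytes are what a decompiler turns back into C#.
                MethodBody body = method.GetMethodBody();
                int ilSize = body == null ? 0 : body.GetILAsByteArray().Length;
                Console.WriteLine(") -> " + ilSize + " bytes of IL");
            }
        }
    }
}
```

Private fields, method names and parameter names are all printed, because they are stored in the assembly's metadata alongside the IL.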
