Aller au contenu
1337skills 1337skills - Aide-mémoires

Commandes dnSpy

dnSpy est un débogueur et éditeur d’assemblages .NET open source. Il peut décompiler des applications .NET, déboguer du code managé et natif, et éditer des assemblages sans avoir besoin du code source original.

Installation

# Download from GitHub releases (Windows only)
# https://github.com/dnSpy/dnSpy/releases
# Extract and run dnSpy.exe (no installation required)

# Alternative: dnSpyEx (actively maintained fork)
# https://github.com/dnSpyEx/dnSpy/releases

# For .NET 6+ assemblies, use dnSpyEx which has updated support

Ouverture d’assemblages

# Open via File menu
File > Open (Ctrl+O)
# Select .exe, .dll, or .nupkg files

# Open from command line
dnSpy.exe C:\path\to\assembly.dll

# Open multiple assemblies
dnSpy.exe assembly1.dll assembly2.dll

# Drag and drop files onto the dnSpy window

# Open from GAC (Global Assembly Cache)
File > Open from GAC (Ctrl+Shift+O)

Décompilation

Décompilation C#

# Navigate the assembly tree in the left panel
Assembly > Namespace > Class > Method

# View decompiled C# code (default)
Right-click > Decompile to C#

# Example decompiled output:
# public class Program
# {
#     public static void Main(string[] args)
#     {
#         Console.WriteLine("Hello, World!");
#     }
# }

# Change decompiler version
View > Options > Decompiler > C# version

Vue IL

# Switch to IL (Intermediate Language) view
Right-click on method > Show IL Code

# Or toggle via menu
View > Show IL Code

# IL view shows raw opcodes:
# .method public hidebysig static void Main(string[] args)
# {
#     .maxstack 8
#     IL_0000: ldstr "Hello, World!"
#     IL_0005: call void [mscorlib]System.Console::WriteLine(string)
#     IL_000a: ret
# }

Débogage

Démarrer le débogage

# Debug a .NET executable
Debug > Start Debugging (F5)
# Select the executable to debug

# Attach to running process
Debug > Attach to Process (Ctrl+Alt+P)
# Select the .NET process from the list

# Debug a .NET Core application
Debug > Start Debugging > Select .NET Core
# Browse to the .dll or .exe

Points d’arrêt

# Set breakpoint on a line
Click the margin (left of line numbers)
# Or press F9 on the current line

# Conditional breakpoint
Right-click breakpoint > Edit Breakpoint
# Enter condition: args.Length > 0

# View all breakpoints
Debug > Windows > Breakpoints (Ctrl+Alt+B)

# Break on exceptions
Debug > Windows > Exception Settings
# Check specific exception types

Exécution pas à pas

F5          Continue execution
F10         Step Over (execute current line)
F11         Step Into (enter method calls)
Shift+F11   Step Out (exit current method)
F9          Toggle breakpoint
Ctrl+F5     Start without debugging

# View variables during debugging
Debug > Windows > Locals (Alt+4)
Debug > Windows > Watch (Alt+2)
Debug > Windows > Call Stack (Alt+7)

Édition d’assemblages

Éditer le corps de méthode (C#)

# Edit C# code directly
Right-click on method > Edit Method Body (C#)
# Modify the C# code in the editor
# Click Compile to apply changes

# Example: modify a check
# Original:  if (isLicensed) { ... }
# Modified:  if (true) { ... }

Éditer les instructions IL

# Edit raw IL code
Right-click on method > Edit IL Instructions
# Modify opcodes directly in the IL editor

# Common IL modifications:
# Change branch: brfalse -> brtrue (invert condition)
# Remove check: replace with nop
# Change constant: ldc.i4.0 -> ldc.i4.1

Éditer une classe

# Edit class properties and fields
Right-click on class > Edit Class (C#)
# Add, remove, or modify members

# Edit metadata
Right-click on member > Edit Metadata
# Change visibility, name, attributes

Sauvegarder l’assemblage modifié

# Save changes to disk
File > Save Module (Ctrl+Shift+S)

# Save with options
File > Save Module
# Choose: save to same file, new file, or directory
# Options: preserve tokens, keep old maxstack

Recherche et analyse

Recherche globale

# Search across all loaded assemblies
Edit > Search Assemblies (Ctrl+Shift+K)

# Search types:
# - Type (class, struct, enum)
# - Method
# - Field
# - Property
# - Event
# - String literal
# - Number literal

Analyseur

# Analyze usage of a type or member
Right-click > Analyze (Ctrl+R)

# Shows:
# - Used By: what references this member
# - Uses: what this member references
# - Instantiated By: where type is created
# - Exposed By: public API surface
# - Extended By: derived types

Éditeur hexadécimal

# View raw bytes
Right-click > Show in Hex Editor

# Edit bytes directly
# Click on a byte value and type new value

# Go to specific offset
Ctrl+G in hex editor > Enter offset

# Find byte pattern
Ctrl+F > Enter hex bytes: 48 65 6C 6C 6F

Tables de métadonnées

# View PE metadata
View > Metadata > Tables

# Important tables:
# TypeDef     - All types defined in the assembly
# MethodDef   - All methods
# Field       - All fields
# MemberRef   - External references
# AssemblyRef - Referenced assemblies
# CustomAttribute - Attributes and decorations

# View metadata headers
View > Metadata > Headers
# Shows PE headers, CLR headers, streams

Raccourcis clavier utiles

Ctrl+O          Open assembly
Ctrl+Shift+O    Open from GAC
Ctrl+G          Go to token/address
Ctrl+T          Go to type
Ctrl+Shift+K    Search assemblies
Ctrl+R          Analyze member
F5              Start/continue debugging
F9              Toggle breakpoint
F10             Step over
F11             Step into
Ctrl+Shift+S    Save module
Ctrl+Z          Undo edit
Ctrl+C          Copy selected text
Ctrl+F          Find in current document
F12             Go to definition

Conseils

# Decompile entire project to disk
File > Export to Project (Ctrl+Shift+E)
# Creates a Visual Studio solution with all decompiled source

# Load debug symbols
File > Open > Select .pdb file alongside assembly

# Handle obfuscated assemblies
# 1. Look for string decryption methods in Analyze view
# 2. Set breakpoints after decryption to read plaintext
# 3. Use Edit IL to bypass integrity checks

# Compare assemblies
# Open both assemblies side by side in separate tabs
# Use Analyze to track differences in method calls