The native compilation approaches used for .NET protection were discussed earlier.
We covered two native compilation methods: pseudo compilation and ngen compilation. Neither is true native compilation in the C++ sense.
Here we look at the NI (native image) file that ngen compilation generates.
In the earlier discussion of the Fetion framework we mentioned the fetionvm.srm file.
Note that it uses the ngen compilation protection mode.
Remotesoft confirmed in the comments that the fetionvm.srm file serves as the example for restoring the NI file.
First, open the SRM file directly in Reflector.
The file contains only one method:

    [STAThread]
    public static void Main(string[] argv)
    {
    }

and nothing else. Clearly this is just a shell, and its metadata must differ from the original.
Yet it runs normally together with the NI file, so somewhere the original metadata must still exist.
The SRM file is only 2 KB in size; it cannot possibly hide the original metadata.
So the original metadata is hidden in the NI file. In theory the NI file should have a place that records the RVA and size of the original metadata, but because the NI file format is not fully understood, the RVA of the original metadata is found by brute-force search instead.
Open the native image with a hex editor (such as UltraEdit):
C:\Windows\Assembly\NativeImages_v2.0.50727_32\fetionvm\logs\fetionvm.ni.exe
Search for the metadata root signature "BSJB".
There are two hits. One is the metadata pointed to by the CLI header; the other is presumably the original metadata, at file offset 0x3000.
Based on the metadata root structure, the size of the original metadata is calculated as 0x0970.
Extract it and inspect its structure:
    namespace fetionvm
    {
        internal static class Program
        {
            private static string GetTimeString(DateTime);
            private static void Log(string message);
            [STAThread]
            private static void Main(params string[] args);
        }
    }

The structure is essentially that of the original metadata.
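The BSJB search and the size calculation above, as an added worked example in Python (not code from the original post): it finds every metadata root signature in a file, parses the root header and stream table (ECMA-335 II.24.2.1) and computes the size to extract as the furthest stream end. The image it scans is constructed inside the script, with the root placed at 0x3000 and stream sizes chosen to total 0x970 so that it mirrors the figures above; it is not the real fetionvm.ni.exe.

```python
import struct

METADATA_SIG = b"BSJB"  # metadata root signature, ECMA-335 II.24.2.1 (0x424A5342 little-endian)

def pad4(n):
    return (n + 3) & ~3

def find_metadata_roots(data):
    """File offsets of every BSJB signature (the NI file on the page has two)."""
    hits, pos = [], data.find(METADATA_SIG)
    while pos != -1:
        hits.append(pos)
        pos = data.find(METADATA_SIG, pos + 1)
    return hits

def parse_metadata_root(data, root):
    """Parse the metadata root at file offset root: (version, [(name, offset, size)])."""
    if data[root:root + 4] != METADATA_SIG:
        raise ValueError("no BSJB signature at 0x%x" % root)
    _major, _minor, _reserved, ver_len = struct.unpack_from("<HHII", data, root + 4)
    pos = root + 16
    version = data[pos:pos + ver_len].split(b"\0", 1)[0].decode("ascii")
    pos += ver_len                      # the Length field is already 4-byte padded
    _flags, n_streams = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = []
    for _ in range(n_streams):
        off, size = struct.unpack_from("<II", data, pos)   # off is relative to the root
        end = data.index(b"\0", pos + 8)
        streams.append((data[pos + 8:end].decode("ascii"), off, size))
        pos = pos + 8 + pad4(end - (pos + 8) + 1)           # name is NUL-terminated, padded to 4
    return version, streams

def metadata_size(data, root):
    """Bytes to extract from the root: the furthest stream end, as done by hand on the page."""
    return max(off + size for _, off, size in parse_metadata_root(data, root)[1])

def build_sample_root(stream_sizes, prefix=b"\0" * 0x3000):
    """Constructed test image (not a real NI file): filler, then a BSJB root with five streams."""
    names = [b"#~", b"#Strings", b"#US", b"#GUID", b"#Blob"]
    version = b"v2.0.50727\0"
    hdr_len = 16 + pad4(len(version)) + 4 + sum(8 + pad4(len(n) + 1) for n in names)
    hdr = METADATA_SIG + struct.pack("<HHII", 1, 1, 0, pad4(len(version)))
    hdr += version.ljust(pad4(len(version)), b"\0") + struct.pack("<HH", 0, len(names))
    off, body = hdr_len, b""
    for name, size in zip(names, stream_sizes):
        hdr += struct.pack("<II", off, size) + name.ljust(pad4(len(name) + 1), b"\0")
        off, body = off + size, body + b"\xAA" * size
    return prefix + hdr + body
```

Running find_metadata_roots over a real native image would report both BSJB hits; the size parsed from the second root is what the manual calculation above arrived at.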
With only the metadata you can recover the program structure, but not the method bodies, i.e. the code.
I speculated that the NI file also contains the original IL code. To test this,
the native image was forcibly abandoned so that the assembly is JIT-compiled again, and the JIT layer was hooked to capture the desired IL code.
The simplest way to force JIT compilation is the profiling API.
This assembly is very simple. After manual restoration, the following is obtained:
    using System;
    using System.IO;

    internal static class Program
    {
        // Methods
        private static string GetTimeString(DateTime dateTime)
        {
            return (dateTime.ToLongTimeString() + ":" + dateTime.Millisecond);
        }

        // Appends a timestamped line to vmdotnet.log next to the host; failures are swallowed
        private static void Log(string message)
        {
            try
            {
                File.AppendAllText(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "vmdotnet.log"),
                    "[" + DateTime.Now.ToString() + "]" + message + "\r\n");
            }
            catch
            {
            }
        }

        [STAThread]
        private static void Main(params string[] args)
        {
            if (args.Length != 0)
            {
                string path = args[0];
                if (!File.Exists(path))
                {
                    Log("the program to be run is not found " + path);
                }
                else
                {
                    string assemblyFile = path;
                    if (path.IndexOf(@"\") > 0)
                    {
                        Environment.CurrentDirectory = Path.GetDirectoryName(path);
                        assemblyFile = Path.GetFileName(path);
                    }
                    // The target assembly runs in a second AppDomain with its own private bin path
                    AppDomainSetup info = new AppDomainSetup();
                    info.PrivateBinPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "system");
                    AppDomain domain = AppDomain.CreateDomain(Path.GetFileNameWithoutExtension(path),
                        AppDomain.CurrentDomain.Evidence, info);
                    try
                    {
                        // Remaining command-line arguments are forwarded to the hosted assembly
                        string[] destinationArray = new string[args.Length - 1];
                        Array.Copy(args, 1, destinationArray, 0, destinationArray.Length);
                        domain.ExecuteAssembly(assemblyFile, AppDomain.CurrentDomain.Evidence, destinationArray);
                    }
                    catch (Exception exception)
                    {
                        Log("running program " + path + " error! " + exception.Message);
                    }
                }
            }
        }
    }
This confirms that the NI file contains both the original metadata and the original IL code, so in theory the NI file can be restored.
I don't know whether reflection in .NET 2.0 can be used to get the method body code instead of capturing at the JIT layer.
If you are interested, try it yourself.
Note that these tests need to be performed inside the virtual framework. Also, as the Main function shows, the process contains at least two application domains.