Is it true? Can someone decompile code that I wrote in C# from MSIL? From the .exe file?
It's mostly true. A very clever programmer named Lutz Roeder wrote an excellent decompiler named Reflector (now owned by Redgate). It's quite good at translating IL back to either C# or VB.NET code. It isn't complete magic, it cannot:
- translate constants back to their constant identifier
- recover the names of local variables
- decompile anonymous methods except in their intermediate form
- decompile iterators, as above
- decompile lambdas, as above
- decompile the code that uses the promised C# 5 async and await keywords, as above
- recover the comments in your code.
And it has a few bugs that make it resort to goto statements or fall over. It is otherwise very useful as a debugging aid, helping you discover and diagnose bugs in code you didn't write. There are no documented cases of anyone using it to start a successful business from pirated source code obtained through decompilation. It works too well for that.
It has otherwise started a lively market segment for 'obfuscators', tools that rewrite the contents of an assembly to make it hard to decompile it. Typical strategies are to rewrite identifiers so they become very hard to interpret and/or to tinker with the structure of the assembly so a decompiler will crash but the CLR will not. Redgate, the current owner of Reflector, also sells an obfuscator. There is one included with Visual Studio paid licenses, called 'Dotfuscator Community Edition'. No idea how good it is, this never gets put to the test.
Just using lots of lambdas and iterators in your code is already an excellent way to obfuscate your code. Reverse-engineering it to the original code is very difficult. That Lutz gave up on Reflector at the exact same time he did is not a coincidence, that's when C# became too hard to decompile reliably.
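The "intermediate form" of iterators and lambdas mentioned in the answer above can be inspected with reflection alone. This is an added example, not code from any of the answers; `Sample`, `Evens` and `Scale` are hypothetical names, and the generated type and member names it prints are compiler implementation details that vary between compiler versions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;

public static class Sample // hypothetical class, constructed for this example
{
    // Iterator: the compiler rewrites the body into a nested state-machine class.
    public static IEnumerable<int> Evens(int limit)
    {
        for (int i = 0; i < limit; i += 2)
            yield return i;
    }

    // Lambda capturing 'factor': the compiler hoists it into a nested closure class.
    public static Func<int, int> Scale(int factor) => x => x * factor;
}

public static class Program
{
    public static void Main()
    {
        const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.Instance | BindingFlags.Static |
                                 BindingFlags.DeclaredOnly;

        // Nested types the author never wrote, marked [CompilerGenerated].
        // This is the shape a decompiler sees in the IL.
        var generated = typeof(Sample)
            .GetNestedTypes(BindingFlags.Public | BindingFlags.NonPublic)
            .Where(t => t.IsDefined(typeof(CompilerGeneratedAttribute), false));

        foreach (Type t in generated)
        {
            Console.WriteLine($"generated type: {t.Name}");
            foreach (FieldInfo f in t.GetFields(all))
                Console.WriteLine($"  field  {f.FieldType.Name} {f.Name}");
            foreach (MethodInfo m in t.GetMethods(all))
                Console.WriteLine($"  method {m.Name}");
        }

        // The iterator method only records which class replaced its body.
        var attr = typeof(Sample).GetMethod(nameof(Sample.Evens))
            ?.GetCustomAttribute<IteratorStateMachineAttribute>();
        Console.WriteLine($"Evens -> {attr?.StateMachineType.Name}");
    }
}
```

The output lists a state-machine class with a `MoveNext` method for `Evens` and a closure class holding `factor` for `Scale`; a decompiler has to recognise and fold these patterns back into `yield return` and `=>` to reproduce the original source.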
Open source alternative: ILSpy. I've tried it myself; it encapsulates about 99% of Reflector's functionality.
As @Anthony Pegram and @Saif al Harthi have noted, Reflector is one such example. It doesn't produce the exact same code that you wrote (mostly because the code that you wrote is optimized before becoming IL), but similar code.
There are ways to fight against it using a class of products known as Code Obfuscators. I don't know enough to compare the products, but a simple web search for "C# Obfuscator" brings up a plethora of both free and commercial tools.
As @Marc Gravell points out, the obfuscation doesn't happen on your source. The obfuscation is generally part of the build process from my understanding, so the IL that is produced is what is obfuscated.
There is a comprehensive list of decompilers available here: https://github.com/quozd/awesome-dotnet/blob/master/README.md#decompilation
- dnSpy - open-source .NET assembly browser, editor, decompiler and debugger
- ILSpy - ILSpy is the open-source .NET assembly browser and decompiler
- JustDecompile Engine - The decompilation engine of JustDecompile
- dotPeek - Free-of-charge standalone tool based on ReSharper's bundled decompiler. It can reliably decompile any .NET assembly into equivalent C# or IL code. It can create Visual Studio solutions based on the original binary files in a straight-forward way. [Proprietary] [Free]