Reverse Engineering .NET and Java
DESCRIPTION
PowerPoint from Code PaLOUsa 2011. Learn the various techniques bad guys can use to extract information from your .NET or Java applications, or at least how you can recover the source code that your predecessor deleted before he quit. A demo-filled session on how easy it is to extract information from virtually any .NET or Java application (yes, including Silverlight).
TRANSCRIPT
Reverse Engineering Applications
Presenter: Joe Kuemerle / @jkuemerle
Session Number: 505
Code PaLOUsa 2011 Sponsors
Background of Joe Kuemerle
• Lead Developer at PreEmptive Solutions
• Over 15 years of development experience with a
broad range of technologies
• Focused on application and data security, coding
best practices and regulatory compliance
• Presenter at community, regional and national
events.
Why Reverse Engineer?
Reasons To Reverse Engineer
• Curiosity – see how things work
• Risk Management – see what the bad guys see
• Recovery – recover lost / damaged source
• Illegal Activity – be the bad guy
Random fact: Between 26% and 48% of security events are caused by insiders.
http://blog.zeltser.com/post/3497622496/touchy-security-topics-insider-threat
Ease of Reverse Engineering Managed Code (.NET and Java)
• Why is it easy to reverse engineer Managed Code
– .NET
  • All high level source is compiled to MSIL
    – IL is verbose (compared to assembly) / IL is well documented (CLI specification)
  • Open source compiler to reference
    – Shared Source CLI compiler
  • Rich metadata included in assembly
    – Support for reflection means code using reflection must be self describing, by default all that information is embedded in assemblies
– Java
  • High level source is compiled to bytecode
  • Bytecode is stored in a well defined structure / Bytecode to Opcode
  • Compiler will be open sourced (Java 1.7)
  • Classes are self describing
Availability of Tools
• Native reverse engineering tools tend to cost money
– IDA Pro - $515 and up
– Syser debugger - $198 and up
– DevPartner - $2,400
• Managed tools tend to cost less
– ILDASM/ILASM - $0
– Reflector - $0 ($35 after May 30, 2011)
– Dile - $0
– WPF Snoop - $0
– Silverlight Spy - $0 ($100 full)
– JAD - $0
– Javasnoop - $0
– Cecil Decompiler - $0
– ILSpy - $0
– (Future) JetBrains Decompiler - $0
– (Future) Telerik Decompiler - $0
So what, it’s free and easy. Big deal!
• Once you (or someone else) has this knowledge what can they do?
– Look to see exactly how things *really* work
– Find out things they might not need to know
  • Passwords
  • Encryption Keys
  • Secret data
– Alter functionality
  • Bypass authentication checks
  • Unlock functionality
  • Alter the user interface
  • Add malicious code
Demo Time
Now What?
• So, how do I stop all this monkeying around with my code?
You don’t stop it. All you can do is raise the bar.
Raising Defenses
• There are some steps you can take to make life more difficult and to deter the casual attacker
– Do not ship debug versions
– Strong Name assemblies to prevent alteration
– Authenticode signing for commercial applications
– JAR signing
– Do not embed secrets in the binaries
  • Use DPAPI to encrypt secrets
  • Public key signature validation
– Obfuscation
– Tamper notification
More Demos
Tools
• Reflector : http://www.red-gate.com/products/reflector/index.htm
• Reflector Plug In Page : http://www.codeplex.com/reflectoraddins
• Reflexil : http://sourceforge.net/projects/reflexil
• ILSpy : https://github.com/icsharpcode/ILSpy
• Cecil Decompiler : http://evain.net/blog/articles/2008/12/15/cecil-decompiler
• Dile : http://sourceforge.net/projects/dile
• Snoop : http://snoopwpf.codeplex.com
• Silverlight Spy : http://firstfloorsoftware.com/silverlightspy
• Crack.NET : http://www.codeplex.com/cracknetproject
• DJ Decompiler : http://members.fortunecity.com/neshkov/dj.html
• JAD : http://www.kpdus.com/jad.html
• FernFlower (online Java decompiler) : http://www.reversed-java.com/fernflower
• Javasnoop : http://code.google.com/p/javasnoop
• Open Source Flash Decompiler : http://osflash.org/swf9tools
References
• Exploiting Software – Hoglund & McGraw – Addison Wesley
• Brian Long : Reverse Engineering To Learn .NET Better
– http://www.blong.com/Conferences/DCon2003/ReverseEngineering/ReverseEngineering.htm
• David Cumps : Reverse Engineering with Reflector and Reflexil
– http://blog.cumps.be/reverse-engineering-with-reflector-and-reflexil
• Jason Haley http://jasonhaley.com
• Jason Bock http://www.jasonbock.net/JB
• Decompiling Java – Godfrey Nolan – Apress
• Java Virtual Machine – Meyer & Downing – O’Reilly
Questions and Answers
@jkuemerle / joe at kuemerle.com
http://www.speakerrate.com/jkuemerle
Photo Attributes
• http://flickr.com/photos/calavera/65098350/
• http://flickr.com/photos/epitti/199843720/
• http://flickr.com/photos/moriza/77481889/
• http://flickr.com/photos/dannyboyster/60371673/
• http://flickr.com/photos/20406121@N04/2632344166/
• http://flickr.com/photos/rogersmith/126697530/
• http://flickr.com/photos/docman/36125185/
• http://flickr.com/photos/frozen-in-time/3858611/
• http://flickr.com/photos/chubbybat/62206640/