Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keep Calm, it's Reverse Engineering Time - Midwest.io

Keep Calm, it's Reverse Engineering Time - Midwest.io

As developers, sometimes we have to investigate a bug, or add a new feature in a codebase that is completely new to us. Sometimes it can be even developed in technology that we are unfamiliar with, often with no one available to ask anything about that code. How can we do this?
In this talk I would like to share some ideas, tips and tools related to reverse engineering of various code components (server side, frontend, etc) – that can help developers to successfully overcome this challenge.

4f477cfca5c1d10d09157c07cdfa3af4?s=128

Alissa Bonas

November 10, 2015
Tweet

Transcript

  1. Keep calm, it’s reverse engineering time Alissa Bonas @mikeyteva

  2. “Run Forrest, Run” Alissa Bonas @ Midwest.io 2015

  3. When is it needed? • Add a new feature •

    Fix a bug • Investigate an issue in a production environment • Maintaining legacy code • Integration with another system or component Alissa Bonas @ Midwest.io 2015
  4. A whole new world Alissa Bonas @ Midwest.io 2015

  5. “My momma always said, life was like a box of

    chocolates. You never know what you’re gonna get” Alissa Bonas @ Midwest.io 2015
  6. How can we succeed here? Alissa Bonas @ Midwest.io 2015

  7. The easiest way Ask the person who developed it Alissa

    Bonas @ Midwest.io 2015
  8. Alissa Bonas @ Midwest.io 2015

  9. However... Alissa Bonas @ Midwest.io 2015

  10. Alissa Bonas @ Midwest.io 2015 Is it an open source

    project? • Check the docs / wiki • Ask in the community ◦ mailing list ◦ forum ◦ irc ◦ open an issue / ticket with a question
  11. Alissa Bonas @ Midwest.io 2015

  12. Back to basics • Technology / Programming language • Source

    control • Running tests • Build / Run / Deploy Alissa Bonas @ Midwest.io 2015
  13. Detecting languages example

  14. Look for hints • File extensions • .gitignore • README.md

    Alissa Bonas @ Midwest.io 2015
  15. Look for more hints • pom.xml / build.xml • Gemfile

    / gemspec • Requirements.txt / setup.py • bower.json Alissa Bonas @ Midwest.io 2015
  16. Scope the task Alissa Bonas @ Midwest.io 2015

  17. Minor changes • Fix typos • Add more info to

    a log statement • Persist a field that already exists in an object Alissa Bonas @ Midwest.io 2015
  18. In search we trust • Search for strings in the

    code repository • Search existing logs for object names Alissa Bonas @ Midwest.io 2015
  19. Medium size changes • Add a new field to an

    object / model ◦ process and persist ◦ use it in all code layers • Upgrade the version of a third party library ◦ regression is your nemesis ◦ minor version upgrade != major version upgrade Alissa Bonas @ Midwest.io 2015
  20. Follow the trail • Follow existing fields to understand the

    flow • Follow the tests ◦ learn how to add new tests ◦ check if tests pass after code changes Alissa Bonas @ Midwest.io 2015
  21. Major changes • Refactor a module / component • Add

    a new functionality which requires a deep understanding of the system • Performance is key and must not be harmed Alissa Bonas @ Midwest.io 2015
  22. The need to distill • Architecture of the system •

    Understand the relevant flows and use cases Alissa Bonas @ Midwest.io 2015
  23. Number 1 factor is... Alissa Bonas @ Midwest.io 2015

  24. Time Alissa Bonas @ Midwest.io 2015

  25. Alissa Bonas @ Midwest.io 2015

  26. Goal: Identify entry points • UI / REST / Backend

    • Class hierarchy • Identify and learn frameworks Alissa Bonas @ Midwest.io 2015
  27. Get to know the code better • Is there a

    dependency injection mechanism? • How do the components communicate • Configuration keys to enable more info in the logs Alissa Bonas @ Midwest.io 2015
  28. Get to know the system better • Identify persistency ◦

    data store type ◦ how the data is stored • Know your container ◦ web server ◦ application server Alissa Bonas @ Midwest.io 2015
  29. Product configuration files • Search for static files location •

    Check how they are used and changed ◦ directly ◦ loaded into the database Alissa Bonas @ Midwest.io 2015
  30. Multi process system • Identify the processes • How do

    they communicate with each other • High availability / symmetric Alissa Bonas @ Midwest.io 2015
  31. Multithreaded considerations • Sync or async code flow • Usage

    of thread pools Alissa Bonas @ Midwest.io 2015
  32. After several iterations • Create a sequence diagram • UML

    • Understand ◦ the main path ◦ fallback, retries, etc. Alissa Bonas @ Midwest.io 2015
  33. Iterating over the code is like solving a puzzle Alissa

    Bonas @ Midwest.io 2015
  34. Alissa Bonas @ Midwest.io 2015

  35. Creating anchors “In climbing, a piton (/ˈpiːtɒn/; also called a

    pin or peg) is a metal spike (usually steel) that is driven into a crack or seam in the rock with a hammer, and which acts as an anchor to protect the climber against the consequences of a fall, or to assist progress in aid climbing” (wikipedia) Alissa Bonas @ Midwest.io 2015
  36. Creating anchors • Read the code • If we can

    debug - put breakpoints • Read existing logs • Understand through unitests Alissa Bonas @ Midwest.io 2015
  37. Creating anchors continued • Change the log level • Add

    more logging statements • Check history in source control - commits and comments Alissa Bonas @ Midwest.io 2015
  38. Creating anchors - IDE Bookmarks Alissa Bonas @ Midwest.io 2015

  39. Creating anchors - the analog way • Works too! Alissa

    Bonas @ Midwest.io 2015
  40. Backend Alissa Bonas @ Midwest.io 2015

  41. Example - utilities to explore the JVM • JConsole •

    VisualVM • (more tools exist) Alissa Bonas @ Midwest.io 2015
  42. Getting more hints • Explore threads names • Take a

    thread dump - explore thread source • Take a heap dump - explore classes • Check which objects a map/list/set contains Alissa Bonas @ Midwest.io 2015
  43. Hint on the database Hint on the scheduler Alissa Bonas

    @ Midwest.io 2015
  44. Network analyzer / packet sniffer • Software that intercepts and

    logs traffic ◦ decodes data ◦ shows packet fields • For example - Wireshark • Define filters for efficiency Alissa Bonas @ Midwest.io 2015
  45. Example Alissa Bonas @ Midwest.io 2015

  46. Goal • Send a SOA envelope to a service •

    Sender - Ruby code • Target - Java SOA service Alissa Bonas @ Midwest.io 2015
  47. Reports Engine 1 Reports Engine 2 Reports Engine 3 UI

    Reports Engine 4 http /engine1 http /engine2 http /engine3 http /engine4 SOA Tomcat SOA SOA SOA SOA Alissa Bonas @ Midwest.io 2015
  48. Steps • Basic understanding what SOA is • Intercept traffic

    of the existing Java code • Learn how a SOA envelope should look like • Write Ruby code to create a SOA envelope Alissa Bonas @ Midwest.io 2015
  49. Frontend Alissa Bonas @ Midwest.io 2015

  50. Frontend • Which libraries are used • Search for strings

    / translation files • Search for icon files location and usage • Learn how UI calls backend Alissa Bonas @ Midwest.io 2015
  51. Browser developer tools • FireBug • Chrome developer tools Alissa

    Bonas @ Midwest.io 2015
  52. Following the code • Which css and js are downloaded

    • Add watches in the script tab • Use ‘debugger;’ to set a breakpoint • Inspect elements Alissa Bonas @ Midwest.io 2015
  53. Inspect the logo 32px * 32px SVG info Alissa Bonas

    @ Midwest.io 2015
  54. Following network requests Alissa Bonas @ Midwest.io 2015

  55. Analyzing response Alissa Bonas @ Midwest.io 2015

  56. Analyzing response - zoom in JSON response Alissa Bonas @

    Midwest.io 2015
  57. Analyzing response - zoom in JSON response Alissa Bonas @

    Midwest.io 2015
  58. Useful options • Network tab • Copy as curl •

    Copy response • Copy link address Alissa Bonas @ Midwest.io 2015
  59. REST Client • Learn how REST API is designed Alissa

    Bonas @ Midwest.io 2015
  60. In short...

  61. Alissa Bonas @ Midwest.io 2015

  62. Thank you! @mikeyteva

  63. Graphics credits • Signpost by Lubos Volkov • Clock by

    Kid Mountain • Idea by Matt Wasser • Gauge by Joel Avery from the Noun Project • Tomcat-logo by The Apache Tomcat Project Team • Loop by useiconic.com from the Noun Project • Magnifying Glass by Musket from the Noun Project • Puzzle Piece by icon 54 from the Noun Project • Writing by Creative Stall from the Noun Project • Sherlock by James Keuning, the Noun Project • Twitter by Lubos Volkov, the Noun Project • Mug by Alex Getty from the Noun Project • Diamond by MarkieAnn Packer from the Noun Project • Questions by Rediffusion from the Noun Project • Movies posters - http://www.impawards.com/