
Reverse Engineering Application - Louisville, KY .NET Meetup - October 2012

Learn the various techniques bad guys can use to extract information from your .NET or Java applications, or at least how you can recover the source code that your predecessor deleted before he quit. A demo-filled session on how easy it is to extract information from virtually any .NET or Java application.

Joe Kuemerle

October 18, 2012

Transcript

  1. @jkuemerle / www.kuemerle.com
     Joe Kuemerle, Developer at BookingBuilder Technologies
     - Over 15 years of development experience with a broad range of technologies
     - Focused on application and data security, coding best practices and regulatory compliance
     - Presenter at community, regional and national events
  2. Why Reverse Engineer?
     Random fact: A 2007 FBI study notes 70% of network abuse is due to insiders
  3. Ease of Reverse Engineering Managed Code (.NET and Java)
     Why is it easy to reverse engineer managed code?
     - .NET
       - All high-level source is compiled to MSIL
       - IL is verbose (compared to assembly) and well documented (CLI specification)
       - Open source compiler to reference: the Shared Source CLI compiler
       - Rich metadata included in the assembly
       - Support for reflection means code using reflection must be self-describing; by default all that information is embedded in assemblies
     - Java
       - High-level source is compiled to bytecode
       - Bytecode is stored in a well-defined structure, and bytecode maps directly to opcodes
       - Open source compiler
       - Classes are self-describing
  4. What Can Be Reverse Engineered
     .NET: Any Managed Portable Executable (PE)
     - Windows Forms
     - Silverlight
     - WPF
     - SharePoint WebParts
     - Compact Framework Applications
     - Office Business Applications
     - Windows Workflow
     - Micro Framework Applications
     - ASP.NET (with server access)
     - Windows Phone
     Java: Class, JAR, WAR, etc. files
     - AWT/Swing Applications
     - Applets
     - Servlets
     - EJBs
     - Android APKs
     * Flash assemblies are also similar to a managed language assembly (they consist of opcodes) and can be reverse engineered to resources and ActionScript source via similar methods
  5. Native Tools
     - IDA Pro: $515 and up
     - Syser debugger: $198 and up
     - DevPartner: $2,400
  6. Managed Code Tools
     - ILDASM/ILASM: $0
     - ILSpy/JustDecompile: $0
     - Dile: $0
     - WPF Snoop: $0
     - Cecil Decompiler: $0
     - Reflector: $0 / $35
     - Java Decompiler: $0
  7. So what, it's free and easy. Big deal!
     Once you (or someone else) has this knowledge, what can they do?
     - Look to see exactly how things *really* work
     - Find out things they might not need to know
       - Passwords
       - Encryption keys
       - Secret data
     - Alter functionality
       - Bypass authentication checks
       - Unlock functionality
       - Alter the user interface
       - Add malicious code
  8. Raising Defenses
     There are some steps you can take to make life more difficult and to deter the casual attacker:
     - Do not ship debug versions
     - Strong Name assemblies to prevent alteration
     - Authenticode signing for commercial applications
     - JAR signing
     - Do not embed secrets in the binaries
       - Use DPAPI to encrypt secrets
       - Public key signature validation
     - Obfuscation
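Slide 3 says Java bytecode lives in a well-defined, self-describing structure, and slide 8 says not to embed secrets in the binaries. The script below is an added example that ties the two together; it is not code from this talk or from any of the listed tools. It walks the constant pool of a `.class` file straight from the JVM specification's layout (no javac or javap involved), lists every compiled-in string literal, and flags names or literals that look like credentials, so it can serve as a pre-release check on build output before a decompiler user finds the same strings. The `Config` class it scans is constructed by `build_sample_class`, and `SECRET_HINT` is an assumed heuristic, not a complete detector.

```python
import re
import struct
import sys
from typing import Dict, Tuple

# Constant-pool tags from the JVM specification (section 4.4).
TAG_UTF8, TAG_CLASS, TAG_STRING = 1, 7, 8
# Payload width in bytes for every fixed-size constant-pool entry.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed heuristic: identifier or literal text that hints at an embedded secret.
SECRET_HINT = re.compile(r"passw(or)?d|secret|api[_-]?key|token|private[_-]?key",
                         re.IGNORECASE)

Pool = Dict[int, Tuple[int, object]]


def parse_constant_pool(data: bytes) -> Tuple[Pool, int, int]:
    """Walk the constant pool; return (pool, offset after pool, major version)."""
    magic, _minor, major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool: Pool = {}
    off, idx = 10, 1
    while idx < count:
        tag = data[off]
        off += 1
        if tag == TAG_UTF8:
            (length,) = struct.unpack_from(">H", data, off)
            off += 2
            # The JVM stores "modified UTF-8"; plain UTF-8 is fine for ASCII text.
            pool[idx] = (tag, data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in FIXED_SIZE:
            pool[idx] = (tag, data[off:off + FIXED_SIZE[tag]])
            off += FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {off - 1}")
        idx += 2 if tag in (5, 6) else 1   # Long and Double occupy two slots
    return pool, off, major


def scan_class(data: bytes) -> dict:
    """Report class names, every string literal, and secret-looking entries."""
    pool, end, major = parse_constant_pool(data)
    _flags, this_idx, super_idx = struct.unpack_from(">HHH", data, end)

    def utf8_at(ref: bytes) -> str:  # follow a u2 pool index to its Utf8 text
        return pool[struct.unpack(">H", ref)[0]][1]

    literals = [utf8_at(v) for t, v in pool.values() if t == TAG_STRING]
    names = [v for t, v in pool.values() if t == TAG_UTF8]
    return {
        "class": utf8_at(pool[this_idx][1]),
        "super": utf8_at(pool[super_idx][1]),
        "major": major,
        "literals": literals,
        "flagged": [s for s in names if SECRET_HINT.search(s)],
    }


# --- CONSTRUCTED sample class file (hand-built, not compiled from real source) ---
def _utf8(s: str) -> bytes:
    return bytes([TAG_UTF8]) + struct.pack(">H", len(s)) + s.encode()


def _ref(tag: int, index: int) -> bytes:
    return bytes([tag]) + struct.pack(">H", index)


def build_sample_class() -> bytes:
    """A 'Config' class carrying a hard-coded credential; no fields or methods."""
    pool = [
        _utf8("Config"),                       # 1
        _ref(TAG_CLASS, 1),                    # 2  this_class
        _utf8("java/lang/Object"),             # 3
        _ref(TAG_CLASS, 3),                    # 4  super_class
        _utf8("DB_PASSWORD"),                  # 5  a field name
        _utf8("hunter2-example-not-real"),     # 6
        _ref(TAG_STRING, 6),                   # 7  string literal
        _utf8("https://example.invalid/api"),  # 8
        _ref(TAG_STRING, 8),                   # 9  string literal
        bytes([3]) + struct.pack(">i", 42),    # 10 Integer constant
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(pool) + 1)  # Java 6 class
    # ACC_PUBLIC|ACC_SUPER, this=#2, super=#4, then zero interfaces/fields/methods/attributes
    trailer = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)
    return header + b"".join(pool) + trailer


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_class()
    report = scan_class(blob)
    print(f"{report['class']} extends {report['super']} (major {report['major']})")
    for lit in report["literals"]:
        print("  literal:", lit)
    for hit in report["flagged"]:
        print("  FLAGGED:", hit)
```

Run it with no arguments to scan the constructed sample, or pass a path to a real `.class` file from your build output. The point of the check is the one slide 8 makes: anything that reaches the constant pool is recoverable by anyone with the binary, so the fix is to keep the value out of the artifact (DPAPI-protected storage or configuration supplied at deploy time), not to rely on obfuscation alone.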
  9. Photo Attributions
     - http://flickr.com/photos/calavera/65098350/
     - http://flickr.com/photos/epitti/199843720/
     - http://flickr.com/photos/moriza/77481889/
     - http://flickr.com/photos/dannyboyster/60371673/
     - http://flickr.com/photos/20406121@N04/2632344166/
     - http://flickr.com/photos/rogersmith/126697530/
     - http://flickr.com/photos/docman/36125185/
     - http://flickr.com/photos/frozen-in-time/3858611/
     - http://flickr.com/photos/chubbybat/62206640/
  10. Tools
      - Reflector: http://www.red-gate.com/products/reflector/index.htm
      - Reflector Plug In Page: http://www.codeplex.com/reflectoraddins
      - ILSpy: http://ilspy.net/
      - JustDecompile: http://www.telerik.com/products/decompiler.aspx
      - Cecil Decompiler: http://evain.net/blog/articles/2008/12/15/cecil-decompiler
      - Dile: http://sourceforge.net/projects/dile
      - Snoop: http://snoopwpf.codeplex.com/
      - Silverlight Spy: http://firstfloorsoftware.com/silverlightspy
      - Crack.NET: http://cracknetproject.codeplex.com/
      - DJ Decompiler: http://members.fortunecity.com/neshkov/dj.html
      - JAD: http://www.kpdus.com/jad.html
      - Open Source Flash Decompiler: http://osflash.org/swf9tools
      - Java Decompiler: http://java.decompiler.free.fr/
  11. References
      - Exploiting Software – Hoglund & McGraw – Addison Wesley
      - Brian Long: Reverse Engineering To Learn .NET Better
        - http://www.blong.com/Conferences/DCon2003/ReverseEngineering/ReverseEngineering.htm
      - David Cumps: Reverse Engineering with Reflector and Reflexil
        - http://blog.cumps.be/reverse-engineering-with-reflector-and-reflexil
      - Jason Haley: http://jasonhaley.com
      - Jason Bock: http://www.jasonbock.net/JB
      - Decompiling Java – Godfrey Nolan – Apress
      - Java Virtual Machine – Meyer & Downing – O'Reilly