Reverse Engineering .NET and Java - 1DevDay Detroit 2012

Joe Kuemerle
November 18, 2012

Learn the various techniques bad guys can use to extract information from your .NET or Java applications, or at least how you can recover the source code that your predecessor deleted before he quit. A demo-filled session on how easy it is to extract information from virtually any .NET or Java application.

Transcript

  1. Reverse Engineering Applications
    Presented By: Joe Kuemerle
    www.kuemerle.com
    @jkuemerle

  2. @jkuemerle / www.kuemerle.com
    Joe Kuemerle
    • Developer at BookingBuilder Technologies
    • Over 15 years of development experience with a broad range of technologies
    • Focused on application and data security, coding best practices and regulatory compliance
    • Presenter at community, regional and national events

  4. Why Reverse Engineer?
    Random fact:
    A 2007 FBI study notes 70% of network abuse is due to insiders

  6. Ease of Reverse Engineering
    Managed Code (.NET and Java)
    • Why is it easy to reverse engineer Managed Code
      ◦ .NET
        ▪ All high level source is compiled to MSIL
        ▪ IL is verbose (compared to assembly) / IL is well documented (CLI specification)
        ▪ Open source compiler to reference
        ▪ Shared Source CLI compiler
        ▪ Rich metadata included in assembly
        ▪ Support for reflection means code using reflection must be self describing; by default all that information is embedded in assemblies
      ◦ Java
        ▪ High level source is compiled to bytecode
        ▪ Bytecode is stored in a well defined structure / Bytecode to Opcode
        ▪ Open Source compiler
        ▪ Classes are self describing

  7. What Can Be Reverse Engineered
    .NET: Any Managed Portable Executable (PE)
    • Windows Forms
    • Silverlight
    • WPF
    • SharePoint WebParts
    • Compact Framework Applications
    • Office Business Applications
    • Windows Workflow
    • Micro Framework Applications
    • ASP.NET (with server access)
    • Windows Phone
    Java: Class, JAR, WAR, APK
    • AWT/Swing Applications
    • Applets
    • Servlets
    • EJBs
    • Android APKs
    * Flash assemblies are also similar to a managed language assembly (consist of opcodes) and can be reverse engineered to resources and ActionScript source via similar methods

  8. Native Tools
    • IDA Pro: $515 and up
    • Syser debugger: $198 and up
    • DevPartner: $2,400

  9. Managed Code Tools

  10. So what, it’s free and easy. Big deal!
    Once you (or someone else) have this knowledge, what can they do?
    ◦ Look to see exactly how things *really* work
    ◦ Find out things they might not need to know
      ▪ Passwords
      ▪ Encryption Keys
      ▪ Secret data
    ◦ Alter functionality
      ▪ Bypass authentication checks
      ▪ Unlock functionality
      ▪ Alter the user interface
      ▪ Add malicious code

  11. Demo Time

  12. Now What?

  13. Raising Defenses
    ◦ Do not ship debug versions
    ◦ Strong Name assemblies to prevent alteration
    ◦ Authenticode signing
    ◦ JAR signing
    ◦ Do not embed secrets in the binaries
      ▪ Use DPAPI to encrypt secrets
      ▪ Public key signature validation
    ◦ Obfuscation
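
Slide 6 notes that Java bytecode is stored in a well defined, self-describing structure, and the list above says not to embed secrets in the binaries. As an added example (not part of the original deck), this Python parser walks a class file's constant pool the way you would audit your own build output for hard-coded literals; the sample bytes, the class name `com/example/LicenseCheck` and the key literal are constructed for illustration.

```python
import struct

# Payload size in bytes for each fixed-size constant pool tag (JVM spec 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(data):
    """Return (major_version, utf8_by_index, string_refs, class_refs)."""
    magic, _minor, major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    utf8, strings, classes = {}, [], []
    pos, idx = 10, 1                      # pool starts after the 10-byte header
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                      # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, pos)
            # Java uses modified UTF-8; lenient decoding is enough for an audit.
            utf8[idx] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in FIXED:
            if tag in (7, 8):             # Class / String: u2 index of a Utf8 entry
                (ref,) = struct.unpack_from(">H", data, pos)
                (classes if tag == 7 else strings).append(ref)
            pos += FIXED[tag]
            if tag in (5, 6):             # Long / Double occupy two pool slots
                idx += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        idx += 1
    return major, utf8, strings, classes

def embedded_literals(data):
    """String literals and class names, read straight from the metadata."""
    _major, utf8, strings, classes = parse_constant_pool(data)
    return [utf8[i] for i in strings], [utf8[i] for i in classes]

def _utf8(text):
    raw = text.encode()
    return b"\x01" + struct.pack(">H", len(raw)) + raw

# Constructed sample: header + constant pool of a hypothetical Java 7 class (major 51).
SAMPLE = (struct.pack(">IHHH", 0xCAFEBABE, 0, 51, 7)
          + _utf8("com/example/LicenseCheck")     # #1 Utf8
          + b"\x07" + struct.pack(">H", 1)        # #2 Class  -> #1
          + _utf8("EXAMPLE-KEY-0000")             # #3 Utf8
          + b"\x08" + struct.pack(">H", 3)        # #4 String -> #3
          + b"\x05" + struct.pack(">q", 42))      # #5-#6 Long
```

`embedded_literals(SAMPLE)` returns the key literal and the class name without decompiling anything; on a real build, `javap -v` prints the same pool, so any literal listed there is readable by whoever holds the JAR.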

  14. More Demos

  15. Photo Attributes
    • http://flickr.com/photos/calavera/65098350/
    • http://flickr.com/photos/epitti/199843720/
    • http://flickr.com/photos/moriza/77481889/
    • http://flickr.com/photos/dannyboyster/60371673/
    • http://flickr.com/photos/20406121@N04/2632344166/
    • http://flickr.com/photos/rogersmith/126697530/
    • http://flickr.com/photos/docman/36125185/
    • http://flickr.com/photos/frozen-in-time/3858611/
    • http://flickr.com/photos/chubbybat/62206640/
    • http://www.flickr.com/photos/citrixonline/5447248934

  16. Tools
    • Reflector: http://www.red-gate.com/products/reflector/index.htm
    • Reflector Plug In Page: http://www.codeplex.com/reflectoraddins
    • ILSpy: http://ilspy.net/
    • JustDecompile: http://www.telerik.com/products/decompiler.aspx
    • Cecil Decompiler: http://evain.net/blog/articles/2008/12/15/cecil-decompiler
    • Dile: http://sourceforge.net/projects/dile
    • Snoop: http://snoopwpf.codeplex.com/
    • XAML Spy: http://xamlspy.com/
    • Crack.NET: http://cracknetproject.codeplex.com/
    • DJ Decompiler: http://members.fortunecity.com/neshkov/dj.html
    • JAD: http://www.kpdus.com/jad.html
    • Open Source Flash Decompiler: http://osflash.org/swf9tools
    • Java Decompiler: http://java.decompiler.free.fr/
    • APK Tool: http://code.google.com/p/android-apktool/
    • Smali: http://code.google.com/p/smali/
    • Dex2Jar: http://code.google.com/p/dex2jar/

  17. References
    • Exploiting Software – Hoglund & McGraw – Addison Wesley
    • Brian Long: Reverse Engineering To Learn .NET Better
      ◦ http://www.blong.com/Conferences/DCon2003/ReverseEngineering/ReverseEngineering.htm
    • David Cumps: Reverse Engineering with Reflector and Reflexil
      ◦ http://blog.cumps.be/reverse-engineering-with-reflector-and-reflexil
    • Jason Haley: http://jasonhaley.com
    • Jason Bock: http://www.jasonbock.net/JB
    • Decompiling Java – Godfrey Nolan – Apress
    • Java Virtual Machine – Meyer & Downing – O’Reilly
