Slide 1

Slide 1 text

Reverse Engineering Applications
Presented By: Joe Kuemerle
www.kuemerle.com
@jkuemerle

Slide 2

Slide 2 text

Joe Kuemerle
• Developer at BookingBuilder Technologies
• Over 15 years of development experience with a broad range of technologies
• Focused on application and data security, coding best practices and regulatory compliance
• Presenter at community, regional and national events


Slide 4

Slide 4 text

Why Reverse Engineer?
Random fact: A 2007 FBI study notes 70% of network abuse is due to insiders


Slide 6

Slide 6 text

Ease of Reverse Engineering Managed Code (.NET and Java)
• Why is it easy to reverse engineer Managed Code
  ◦ .NET
    ▪ All high level source is compiled to MSIL
    ▪ IL is verbose (compared to assembly) / IL is well documented (CLI specification)
    ▪ Open source compiler to reference
    ▪ Shared Source CLI compiler
    ▪ Rich metadata included in assembly
    ▪ Support for reflection means code using reflection must be self describing; by default all that information is embedded in assemblies
  ◦ Java
    ▪ High level source is compiled to bytecode
    ▪ Bytecode is stored in a well defined structure / Bytecode to Opcode
    ▪ Open Source compiler
    ▪ Classes are self describing

Slide 7

Slide 7 text

What Can Be Reverse Engineered

.NET: Any Managed Portable Executable (PE)
• Windows Forms
• Silverlight
• WPF
• SharePoint WebParts
• Compact Framework Applications
• Office Business Applications
• Windows Workflow
• Micro Framework Applications
• ASP.NET (with server access)
• Windows Phone

Java: Class, JAR, WAR, APK
• AWT/Swing Applications
• Applets
• Servlets
• EJBs
• Android APKs

* Flash assemblies are also similar to a managed language assembly (consist of opcodes) and can be reverse engineered to resources and ActionScript source via similar methods

Slide 8

Slide 8 text

Native Tools
• IDA Pro: $515 and up
• Syser debugger: $198 and up
• DevPartner: $2,400

Slide 9

Slide 9 text

Managed Code Tools

Slide 10

Slide 10 text

So what, it’s free and easy. Big deal!
Once you (or someone else) has this knowledge what can they do?
◦ Look to see exactly how things *really* work
◦ Find out things they might not need to know
  ▪ Passwords
  ▪ Encryption Keys
  ▪ Secret data
◦ Alter functionality
  ▪ Bypass authentication checks
  ▪ Unlock functionality
  ▪ Alter the user interface
  ▪ Add malicious code

Slide 11

Slide 11 text

Demo Time

Slide 12

Slide 12 text

Now What?

Slide 13

Slide 13 text

Raising Defenses
◦ Do not ship debug versions
◦ Strong Name assemblies to prevent alteration
◦ Authenticode signing
◦ JAR signing
◦ Do not embed secrets in the binaries
  ▪ Use DPAPI to encrypt secrets
  ▪ Public key signature validation
◦ Obfuscation

Slide 14

Slide 14 text

More Demos

Slide 15

Slide 15 text

Photo Attributes
• http://flickr.com/photos/calavera/65098350/
• http://flickr.com/photos/epitti/199843720/
• http://flickr.com/photos/moriza/77481889/
• http://flickr.com/photos/dannyboyster/60371673/
• http://flickr.com/photos/20406121@N04/2632344166/
• http://flickr.com/photos/rogersmith/126697530/
• http://flickr.com/photos/docman/36125185/
• http://flickr.com/photos/frozen-in-time/3858611/
• http://flickr.com/photos/chubbybat/62206640/
• http://www.flickr.com/photos/citrixonline/5447248934

Slide 16

Slide 16 text

Tools
• Reflector: http://www.red-gate.com/products/reflector/index.htm
• Reflector Plug In Page: http://www.codeplex.com/reflectoraddins
• ILSpy: http://ilspy.net/
• JustDecompile: http://www.telerik.com/products/decompiler.aspx
• Cecil Decompiler: http://evain.net/blog/articles/2008/12/15/cecil-decompiler
• Dile: http://sourceforge.net/projects/dile
• Snoop: http://snoopwpf.codeplex.com/
• XAML Spy: http://xamlspy.com/
• Crack.NET: http://cracknetproject.codeplex.com/
• DJ Decompiler: http://members.fortunecity.com/neshkov/dj.html
• JAD: http://www.kpdus.com/jad.html
• Open Source Flash Decompiler: http://osflash.org/swf9tools
• Java Decompiler: http://java.decompiler.free.fr/
• APK Tool: http://code.google.com/p/android-apktool/
• Smali: http://code.google.com/p/smali/
• Dex2Jar: http://code.google.com/p/dex2jar/

Slide 17

Slide 17 text

References
• Exploiting Software – Hoglund & McGraw – Addison Wesley
• Brian Long: Reverse Engineering To Learn .NET Better
  ◦ http://www.blong.com/Conferences/DCon2003/ReverseEngineering/ReverseEngineering.htm
• David Cumps: Reverse Engineering with Reflector and Reflexil
  ◦ http://blog.cumps.be/reverse-engineering-with-reflector-and-reflexil
• Jason Haley: http://jasonhaley.com
• Jason Bock: http://www.jasonbock.net/JB
• Decompiling Java – Godfrey Nolan – Apress
• Java Virtual Machine – Meyer & Downing – O’Reilly
