Reverse Engineering Applications

Presenter: Joe Kuemerle / @jkuemerle

Session Number: 505

Code PaLOUsa 2011 Sponsors

Code PaLOUsa 2011 Sponsors

Background of Joe Kuemerle

• Lead Developer at PreEmptive Solutions

• Over 15 years of development experience with a

broad range of technologies

• Focused on application and data security, coding

best practices and regulatory compliance

• Presenter at community, regional and national

events.

Why Reverse Engineer?

Reasons To Reverse Engineer

• Curiosity – see how things work• Risk Management – see what the bad

guys see• Recovery – recover lost / damaged

source• Illegal Activity – be the bad guy

Random fact:Between 26% and 48% of security events are caused by

insiders.http://

blog.zeltser.com/post/3497622496/touchy-security-topics-insider-threat

Ease of Reverse Engineering Managed Code (.NET and Java)

• Why is it easy to reverse engineer Managed Code – NET

• All high level source is compiled to MSIL– IL is verbose (compared to assembly) / IL is well documented (CLI

specification)

• Open source compiler to reference– Shared Source CLI compiler

• Rich metadata included in assembly– Support for reflection means code using reflection must be self describing,

by default all that information is embedded in assemblies

– Java • High level source is compiled to bytecode• Bytecode is stored in a well defined structure / Bytecode to

Opcode • Compiler will be open sourced (Java 1.7)• Classes are self describing

Availability of ToolsNative reverse engineering tools tend to cost money

• IDA Pro • $515 and up

• Syser debugger $198 and up• DevPartner $2,400

Availability of Tools• Managed tools tend to cost less– ILDASM/ILASM - $0– Reflector - $0 ($35 after May 30, 2011)– Dile - $0– WPF Snoop - $0– Silverlight Spy - $0 ($100 full)– JAD - $0– Javasnoop - $0 – Cecil Decompiler - $0– ILSpy - $0– (Future) JetBrains Decompiler - $0– (Future) Telerik Decompiler - $0

So what, it’s free and easy. Big deal!

• Once you (or someone else) has this knowledge what can they do?– Look to see exactly how things *really* work– Find out things they might not need to know

• Passwords• Encryption Keys• Secret data

– Alter functionality• Bypass authentication checks• Unlock functionality• Alter the user interface• Add malicious code

Demo Time

Now What?• So, how do I

stop all this monkeying around with my code? You don’t stop

it. All you can do is raise the bar

Raising Defenses• There are some steps you can take to make life more difficult and to deter the casual attacker

– Do not ship debug versions– Strong Name assemblies to prevent alteration– Authenticode signing for commercial applications– JAR signing– Do not embed secrets in the binaries

• Use DPAPI to encrypt secrets• Public key signature validation

– Obfuscation– Tamper notification

More Demos

Tools• Reflector : http://www.red-gate.com/products/reflector/index.htm• Reflector Plug In Page : http://www.codeplex.com/reflectoraddins• Reflixil: http://sourceforge.net/projects/reflexil• ILSpy: https://github.com/icsharpcode/ILSpy• Cecil Decompiler :

http://evain.net/blog/articles/2008/12/15/cecil-decompiler• Dile : http://sourceforge.net/projects/dile• Snoop : http://snoopwpf.codeplex.com• Silverlight Spy : http://firstfloorsoftware.com/silverlightspy• Crack.NET : http://www.codeplex.com/cracknetproject• DJ Decompiler : http://members.fortunecity.com/neshkov/dj.html• JAD: http://www.kpdus.com/jad.html• FernFlower (online Java decompiler): http://

www.reversed-java.com/fernflower• Javasnoop: http://code.google.com/p/javasnoop• Open Source Flash Decompiler : http://osflash.org/swf9tools

References

• Exploiting Software – Hoglund & McGraw – Addison Wesley

• Brian Long : Reverse Engineering To Learn .NET Better– http://www.blong.com/Conferences/DCon2003/Rev

erseEngineering/ReverseEngineering.htm• David Cumps : Reverse Engineering with Reflector

and Reflexil– http://blog.cumps.be/reverse-engineering-with-refl

ector-and-reflexil• Jason Haley http://jasonhaley.com• Jason Bock http://www.jasonbock.net/JB• Decompiling Java – Godfrey Nolan – Apress• Java Virtual Machine – Meyer & Downing – O’Reilly

Questions and Answers

@jkuemerle / joe at kuemerle.comhttp://www.speakerrate.com/jkuemerle

Photo Attributes

• http://flickr.com/photos/calavera/65098350/

• http://flickr.com/photos/epitti/199843720/

• http://flickr.com/photos/moriza/77481889/

• http://flickr.com/photos/dannyboyster/60371673/

• http://flickr.com/photos/20406121@N04/2632344166/

• http://flickr.com/photos/rogersmith/126697530/

• http://flickr.com/photos/docman/36125185/

• http://flickr.com/photos/frozen-in-time/3858611/

• http://flickr.com/photos/chubbybat/62206640/