Reverse Engineering .NET

1
Reverse Engineering .NET

• Presented By Joe Kuemerle
• _at_jkuemerle
• www.speakerrate.com/jkuemerle

2
Background of Joe Kuemerle

• Lead Developer at PreEmptive Solutions
• Over 14 years of development experience with a
  broad range of technologies
• Focused on application and data security, coding
  best practices and regulatory compliance
• Presenter at user groups, code camps, CodeMash
  2009 and MSDN Developer Conference 2009

3
Why Reverse Engineer?
4
Reasons To Reverse Engineer

• Curiosity see how things work
• Risk Management see what the bad guys see
• Recovery recover lost / damaged source
• Illegal Activity be the bad guy
• Random fact
• According to a 2007 FBI study 70 of network
  abuse is due to insiders.

5
Ease of Reverse Engineering .NET

• Why is it easy to reverse engineer .NET?
• All high level source is compiled to MSIL
• IL is verbose (compared to assembly)
• IL is well documented (CLI specification)
• Open source compiler to reference
• Shared Source CLI compiler
• Rich metadata included in assembly
• Support for reflection means code using
  reflection must be self describing, by default
  all that information is embedded in assemblies

6
What Can Be Reverse Engineered

• Any Managed Portable Executable (PE)

7
Availability of Tools

• Native reverse engineering tools tend to actually
  cost money

• IDA Pro
• 515 and up
• Syser debugger 198 and up
• DevPartner 2,400

8
Availability of Tools

• Managed tools tend to cost less
• ILDASM/ILASM - 0
• Reflector - 0
• Dile - 0
• WPF Snoop - 0
• Silverlight Spy - 0
• Mono Cecil Decompiler - 0

9
So what, its free and easy. Big deal!

• Once you (or someone else) has this knowledge
  what can they do?
• Look to see exactly how things really work
• Find out things they might not need to know
• Passwords
• Encryption Keys
• Secret data
• Alter functionality
• Bypass authentication checks
• Unlock functionality
• Alter the user interface
• Add malicious code

10
Demo Time
11
Now What?

• So, how do I stop all this monkeying around with
  my code?

• You dont stop it. All you can do is raise the
  bar

12
Raising Defenses

• There are some steps
• you can take to make
• life more difficult to
• deter the casual attacker
• Strong Name assemblies to prevent alteration
• Authenticode signing for commercial applications
• Do not embed secrets in the binaries
• Use DPAPI to encrypt secrets
• Public key signature validation
• Obfuscation

13
Questions and Answers
14
References (Tools)

• Reflector http//www.red-gate.com/products/reflec
  tor/index.htm
• Reflector Plug In Page http//www.codeplex.com/r
  eflectoraddins
• Dile http//sourceforge.net/projects/dile
• Snoop http//blois.us/Snoop/
• Silverlight Spy http//firstfloorsoftware.com/si
  lverlightspy

15
References (Articles)

• Brian Long Reverse Engineering To Learn .NET
  Better
• http//www.blong.com/Conferences/DCon2003/ReverseE
  ngineering/ReverseEngineering.htm
• David Cumps Reverse Engineering with Reflector
  and Reflexil
• http//blog.cumps.be/reverse-engineering-with-refl
  ector-and-reflexil
• Jason Haley
• http//jasonhaley.com
• Jason Bock
• http//www.jasonbock.net/JB

16
Photo Attributes

• http//flickr.com/photos/calavera/65098350/
• http//flickr.com/photos/epitti/199843720/
• http//flickr.com/photos/moriza/77481889/
• http//flickr.com/photos/dannyboyster/60371673/
• http//flickr.com/photos/20406121_at_N04/2632344166/
• http//flickr.com/photos/rogersmith/126697530/
• http//flickr.com/photos/docman/36125185/
• http//flickr.com/photos/frozen-in-time/3858611/
• http//flickr.com/photos/chubbybat/62206640/