Reverse Engineering Applications
Presenter: Joe Kuemerle / @jkuemerle
Session Number: 505
Code PaLOUsa 2011 Sponsors
Background of Joe Kuemerle
  • Lead Developer at PreEmptive Solutions
  • Over 15 years of development experience with a broad range of technologies
  • Focused on application and data security, coding best practices and regulatory compliance
  • Presenter at community, regional and national events
Why Reverse Engineer?
Reasons To Reverse Engineer
  • Curiosity – see how things work
  • Risk Management – see what the bad guys see
  • Recovery – recover lost / damaged source
  • Illegal Activity – be the bad guy
Random fact: Between 26% and 48% of security events are caused by insiders. http://blog.zeltser.com/post/3497622496/touchy-security-topics-insider-threat
Ease of Reverse Engineering Managed Code (.NET and Java)
Why is it easy to reverse engineer Managed Code?
.NET
  • All high level source is compiled to MSIL
  • IL is verbose (compared to assembly) / IL is well documented (CLI specification)
  • Open source compiler to reference
  • Shared Source CLI compiler
  • Rich metadata included in assembly
  • Support for reflection means code using reflection must be self describing; by default all that information is embedded in assemblies
Java
  • High level source is compiled to bytecode
  • Bytecode is stored in a well defined structure / Bytecode to Opcode Compiler will be open sourced (Java 1.7)
  • Classes are self describing
Availability of Tools
Native reverse engineering tools tend to cost money
  • $515 and up
  • Syser debugger: $198 and up
  • DevPartner: $2,400
So what, it’s free and easy. Big deal!
Once you (or someone else) has this knowledge what can they do?
  • Look to see exactly how things *really* work
  • Find out things they might not need to know
      - Passwords
      - Encryption Keys
      - Secret data
  • Alter functionality
      - Bypass authentication checks
      - Unlock functionality
      - Alter the user interface
      - Add malicious code
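The points above about bytecode being stored in a well defined structure, classes being self describing, and passwords and keys being recoverable can be checked against your own build output. The following is an added example, not code from the presentation: a Python reader for the Java class-file constant pool that lists the class names, method signatures and string literals any decompiler would see. The sample bytes, the class name com/example/LicenseCheck and the literal values are constructed for illustration.

```python
import struct

# Payload sizes of the fixed-size constant-pool entries in the Java
# class-file format (tag -> bytes following the tag).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(data):
    """Return {index: (tag, value)} for the constant pool of a class file."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)  # after magic, minor, major
    pool, off, idx = {}, 10, 1

    def take(n):
        nonlocal off
        chunk = data[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated constant pool")
        off += n
        return chunk

    while idx < count:
        tag = take(1)[0]
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            (n,) = struct.unpack(">H", take(2))
            # Class files use "modified UTF-8"; plain decoding is enough
            # for the ASCII names and literals an audit looks at.
            pool[idx] = (tag, take(n).decode("utf-8", "replace"))
        elif tag in FIXED_SIZE:
            pool[idx] = (tag, take(FIXED_SIZE[tag]))
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return pool

def u2s(raw):
    """Split a payload into its big-endian 16-bit index fields."""
    return struct.unpack(">" + "H" * (len(raw) // 2), raw)

def describe(data):
    """List what the constant pool alone reveals about a compiled class."""
    pool = parse_constant_pool(data)
    text = lambda i: pool[i][1]
    report = {"classes": [], "strings": [], "methods": []}
    for _, (tag, val) in sorted(pool.items()):
        if tag == 7:     # CONSTANT_Class -> Utf8 name
            report["classes"].append(text(u2s(val)[0]))
        elif tag == 8:   # CONSTANT_String -> Utf8 literal from the source
            report["strings"].append(text(u2s(val)[0]))
        elif tag == 10:  # CONSTANT_Methodref -> Class + NameAndType
            cls_i, nat_i = u2s(val)
            name_i, desc_i = u2s(pool[nat_i][1])
            owner = text(u2s(pool[cls_i][1])[0])
            report["methods"].append(f"{owner}.{text(name_i)}{text(desc_i)}")
    return report

def utf8(s):
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b

def build_sample():
    """Constructed input: class-file header plus a 12-slot constant pool."""
    entries = [
        utf8("com/example/LicenseCheck"),      # 1
        b"\x07" + struct.pack(">H", 1),        # 2  Class -> 1
        utf8("hardcoded-api-key-EXAMPLE"),     # 3
        b"\x08" + struct.pack(">H", 3),        # 4  String -> 3
        utf8("isLicensed"),                    # 5
        utf8("(Ljava/lang/String;)Z"),         # 6
        b"\x0c" + struct.pack(">HH", 5, 6),    # 7  NameAndType
        b"\x0a" + struct.pack(">HH", 2, 7),    # 8  Methodref
        b"\x05" + struct.pack(">q", 42),       # 9  Long (uses slots 9, 10)
        utf8("after-long"),                    # 11
        b"\x08" + struct.pack(">H", 11),       # 12 String -> 11
    ]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 13)
    return header + b"".join(entries)

if __name__ == "__main__":
    for kind, items in describe(build_sample()).items():
        print(kind, items)
```

Run against the .class files in a release artifact, the "strings" list is exactly where a hardcoded password or key would show up before the build ships.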
Demo Time
Now What?
So, how do I stop all this monkeying around with my code?
More Demos
Tools
  • Reflector: http://www.red-gate.com/products/reflector/index.htm
  • Reflector Plug In Page: http://www.codeplex.com/reflectoraddins
  • Reflexil: http://sourceforge.net/projects/reflexil
  • ILSpy: https://github.com/icsharpcode/ILSpy
  • Cecil Decompiler: http://evain.net/blog/articles/2008/12/15/cecil-decompiler
  • Dile: http://sourceforge.net/projects/dile
  • Snoop: http://snoopwpf.codeplex.com
  • Silverlight Spy: http://firstfloorsoftware.com/silverlightspy
  • Crack.NET: http://www.codeplex.com/cracknetproject
  • DJ Decompiler: http://members.fortunecity.com/neshkov/dj.html
  • JAD: http://www.kpdus.com/jad.html
  • FernFlower (online Java decompiler): http://www.reversed-java.com/fernflower
  • Javasnoop: http://code.google.com/p/javasnoop
  • Open Source Flash Decompiler: http://osflash.org/swf9tools
References
  • Exploiting Software – Hoglund & McGraw – Addison Wesley
  • Brian Long: Reverse Engineering To Learn .NET Better http://www.blong.com/Conferences/DCon2003/ReverseEngineering/ReverseEngineering.htm
  • David Cumps: Reverse Engineering with Reflector and Reflexil http://blog.cumps.be/reverse-engineering-with-reflector-and-reflexil
  • Jason Haley http://jasonhaley.com
  • Jason Bock http://www.jasonbock.net/JB
  • Decompiling Java – Godfrey Nolan – Apress
  • Java Virtual Machine – Meyer & Downing – O’Reilly
Questions and Answers
@jkuemerle / joe at kuemerle.com
http://www.speakerrate.com/jkuemerle

Reverse Engineering .NET and Java

Photo Attributes
  • http://flickr.com/photos/calavera/65098350/
  • http://flickr.com/photos/epitti/199843720/
  • http://flickr.com/photos/moriza/77481889/
  • http://flickr.com/photos/dannyboyster/60371673/
  • http://flickr.com/photos/20406121@N04/2632344166/
  • http://flickr.com/photos/rogersmith/126697530/
  • http://flickr.com/photos/docman/36125185/
  • http://flickr.com/photos/frozen-in-time/3858611/
  • http://flickr.com/photos/chubbybat/62206640/