Reverse engineering an obfuscated .Net application

Содержание

Слайд 2

Huge thanks Curtis Mechling http://twitter.com/#!/curtismechling

Huge thanks Curtis Mechling http://twitter.com/#!/curtismechling

Слайд 3

Outline This talk is for all audiences, no experience and seasoned

Outline

This talk is for all audiences, no experience and seasoned .Net

developers
I’ll be covering basic technology behind a .Net application
I’ll discuss simple and more complex ways to reverse an obfuscated .Net application
Demo reversing an obfuscated .Net app
Слайд 4

Steps to reverse .Net app Run the application to understand functionality

Steps to reverse .Net app

Run the application to understand functionality
Decompile the

application
Review source code and hone in on the functionality you’re trying to understand
If obfuscated look for key constructs to understand functionality
Optional: Modify app to achieve your desired functionality
Слайд 5

Topic not new Many others before me have discussed the insecurities

Topic not new

Many others before me have discussed the insecurities of

.Net applications
Mark Pearl
http://1dl.us/va3
Jon McCoy
http://digitalbodyguard.com/
Cory Foy
http://1dl.us/va4
Слайд 6

Reversing and obfuscation What exactly is reversing and obfuscation? Reversing example

Reversing and obfuscation

What exactly is reversing and obfuscation?
Reversing example
You’re given an

EXE and tasked with determining how it performs its functionality, aka secret sauce
Could also mean you’re trying to subvert functionality such as licensing
Obfuscation
Equivalent to hiding
Слайд 7

.Net basics .Net, it’s a framework, nuff said Blanket term for

.Net basics

.Net, it’s a framework, nuff said
Blanket term for microsoft family

of technologies
Most people think .Net web applications but that’s not the focus of this discussion
The focus of this talk are stand alone executables written in C sharp although the programming language doesn’t really matter
Слайд 8

.Net basics A stand alone executable built for .Net will run

.Net basics

A stand alone executable built for .Net will run inside

the application virtual machine, which sometimes may be referred to as the CLR (common language runtime)
The .Net application virtual machine is a requirement for all .Net executables
Слайд 9

Executables There are two main kinds of EXE’s Compiled and interpreted

Executables

There are two main kinds of EXE’s
Compiled and interpreted
Compiled applications usually

require an install, e.g Next > Next
Interpreted applications require an application virtual machine
So first you’ll have to install the application virtual machine before running the interpreted application
Слайд 10

Executables Compiled executables are often built with a higher programming language,

Executables

Compiled executables are often built with a higher programming language, such

as C++, which then gets translated to a lower level language known as assembly machine language
Due to the nature of compiled executables they are “harder” to reverse back to original source because of different compilers, architectures, and lack of information during compilation
Слайд 11

Executables Interpreted executables, such as java and .Net, are much easier

Executables

Interpreted executables, such as java and .Net, are much easier to

reverse
The interpreted compilation (JIT) process is more structured and retains more information about the executable
Because of this it’s trivial to get original source code from executable
I repeat, getting source code is trivial
Слайд 12

Obfuscation Because it’s trivial to get source code from a .Net

Obfuscation

Because it’s trivial to get source code from a .Net application

developers will use obfuscation to hide a majority of their source code
There are a number of tools that will obfuscate your .Net application
Most obfuscators will hide things such as variable and class names
Слайд 13

Determine type executable There are a number of ways to determine

Determine type executable

There are a number of ways to determine the

type of executable you’re dealing with
The tool I like the best is CFF explorer
http://www.ntcore.com/exsuite.php
Once installed you can simply right click on the executable to view the information via CFF explorer
Слайд 14

Firefox with CFF explorer

Firefox with CFF explorer

Слайд 15

Firefox with CFF explorer

Firefox with CFF explorer

Слайд 16

GuessPassword.exe in CFF explorer GuessPassword.exe is a simple .Net application I

GuessPassword.exe in CFF explorer

GuessPassword.exe is a simple .Net application I wrote

to check a password
We’ll continue to use GuessPassword.exe
Слайд 17

Next step > decompile Now you’ve identified the executable was built

Next step > decompile

Now you’ve identified the executable was built using

.Net
Next step is to decompile
There are two tools that I like to use to decompile
Reflector
www.reflector.net (paid)
ILSpy
http://wiki.sharpdevelop.net/ILSpy.ashx (free)
Слайд 18

ILSpy

ILSpy

Слайд 19

Reflector

Reflector

Слайд 20

Decompilation tips Only analyze your exe tree and ignore dependencies that get pulled in

Decompilation tips

Only analyze your exe tree and ignore dependencies that get

pulled in
Слайд 21

Decompilation tips Only focus on the “real” code Real code located in pink bricks

Decompilation tips

Only focus on the “real” code
Real code located in pink

bricks
Слайд 22

SafeAsHouses.exe Let’s take a look at a real life example SafeAsHouses.exe

SafeAsHouses.exe

Let’s take a look at a real life example
SafeAsHouses.exe can be

downloaded from from either download.com or softpedia.com
SafeAsHouses is a password keeper, it’s designed to keep all your passwords safe in one location
Слайд 23

SafeAsHouses in ILSpy

SafeAsHouses in ILSpy

Слайд 24

SafeAsHouses in ILSpy So soon as we open SafeAsHouses.exe in ILSpy

SafeAsHouses in ILSpy

So soon as we open SafeAsHouses.exe in ILSpy we

see signs of obfuscation
In the GuessPassword example we see the class names are clearly visible
SafeAsHouses masks this information to make it harder to understand the underlying functionality of the application
Слайд 25

GuessPassword vs SafeAsHouses Next let’s compare GuessPassword and SafeAsHouses in ILSpy First GuessPassword

GuessPassword vs SafeAsHouses

Next let’s compare GuessPassword and SafeAsHouses in ILSpy
First GuessPassword

Слайд 26

GuessPassword vs SafeAsHouses SafeAsHouses

GuessPassword vs SafeAsHouses

SafeAsHouses

Слайд 27

More obfuscation Here we see more signs of obfuscation In GuessPassword

More obfuscation

Here we see more signs of obfuscation
In GuessPassword we see

how things should look, we clearly get to see class names in the application
In SafeAsHouses however things are hidden
Instead of class names all we see are these grey boxes such as “STX”, “ETX”, etc
STX, ETX, etc
Слайд 28

Understanding the app Typically you would run the application first to

Understanding the app

Typically you would run the application first to get

an idea of the functionality but wanted to show the obfuscation first
Run the application
Слайд 29

Understanding the app If we authenticate with the correct password we

Understanding the app

If we authenticate with the correct password we are

granted access to the application
Incorrect password we get denied
Слайд 30

Items of interest The application asks for input Incorrect password presents

Items of interest

The application asks for input
Incorrect password presents a pop

up stating “Password incorrect”
The application exits after you click OK when your password is incorrect
Successful authentication brings up another window
Слайд 31

Items of interest The main idea is to take certain areas

Items of interest

The main idea is to take certain areas of

interest inside the application and find that functionality
Even if the application is obfuscated hopefully identifying an item of interest will lead us to the code we want to reverse
I’ve highlighted four items of interest but you could easily focus on other areas
Слайд 32

Searching for items of interest Now that we’ve done some recon

Searching for items of interest

Now that we’ve done some recon and

understand the type of functionality we want to go after we need to search for that
There are a number of ways to search for items of interest but I’ll highlight two
Decompile all code into one text file
Use the Reflector plugin “Code search”
Слайд 33

Decompile code into text file

Decompile code into text file

Слайд 34

Decompile code into text file Next choose File > Save Code

Decompile code into text file

Next choose File > Save Code

Слайд 35

Decompile code into text file Then save the file as a “C# single file”

Decompile code into text file

Then save the file as a “C#

single file”
Слайд 36

Decompile code into text file At this point you can use

Decompile code into text file

At this point you can use your

favorite text editor to search through the decompiled code
Disadvantage is that searching through a flat file doesn’t present a lot of context
On the other hand it’s always handy to have a raw dump and the ability to save for historical purposes
Слайд 37

Reflector code search plugin Reflector’s code search plugin is very convenient

Reflector code search plugin

Reflector’s code search plugin is very convenient in

that you don’t have to leave the reflector tool
With the code search plugin you also don’t loose the context with where code functionality is located
Using code search we’ll search for all four items of interest
http://reflectoraddins.codeplex.com/wikipage?title=CodeSearch&referringTitle=Home
Слайд 38

Items of interest The application asks for input Incorrect password presents

Items of interest

The application asks for input
Incorrect password presents a pop

up stating “Password incorrect”
The application exits after you click OK when your password is incorrect
Successful authentication brings up another window
Слайд 39

Application asks for input A popular way of taking form input

Application asks for input

A popular way of taking form input in

a .Net application is through the text box class where the convention is “this.textBox1.Text”
Here textBox1 is a variable name
Most obfuscators will hide the variable name with something like “this.STX.Text”
So better to search for “this.*.Text” inside the code search reflector plugin
Слайд 40

Application asks for input Searching for this.*.Text revealed numerous hits, probably

Application asks for input
Searching for this.*.Text revealed numerous hits, probably best

to keep searching for different terms, you might also want to search for just *.Text
Слайд 41

Pop up message A pop up box is typically done with

Pop up message

A pop up box is typically done with the

“MessageBox.Show” method
Two arguments can be given to this method, window title and window message
MessageBox.Show(“title”, “message”)
Use code search to see how many message boxes are in the application, the idea is to hopefully pinpoint this functionality
Слайд 42

Pop up message So quite a few hits on MessageBox.Show, let’s continue searching for other constructs

Pop up message
So quite a few hits on MessageBox.Show, let’s continue

searching for other constructs
Слайд 43

Pop up message The pop up message states “Password incorrect” We

Pop up message

The pop up message states “Password incorrect”
We should search

the code for strings like this
No dice, the phrase “Password incorrect” must be obfuscated
Слайд 44

Application closes If you enter an incorrect password you’ll get a

Application closes

If you enter an incorrect password you’ll get a pop

up, after clicking OK the application will close
.Net can handle this in a couple of ways, with Application.Exit and Environment.Exit
Let’s search for these terms as well
Слайд 45

Application closes Less results which means which means less manual reviewing of code

Application closes
Less results which means which means less manual reviewing of

code
Слайд 46

Successful authentication opens another window Probably the most popular way to

Successful authentication opens another window

Probably the most popular way to show

one window then hide another is to use the window.Show() and window.Hide() methods
They are used in tandom
Even though they are commonly used in tandom it’s a good idea to search for both terms
Слайд 47

Successful authentication opens another window Only three hits, we’re money

Successful authentication opens another window
Only three hits, we’re money

Слайд 48

Code search plugin Using this plugin we were able to narrow

Code search plugin

Using this plugin we were able to narrow down

to only three locations where our authentication functionality is most likely hiding
Click on each result to view the obfuscated code
Look for the other constructs, Environment.Exit, this.*.Text, etc
Code search is case sensitive
Слайд 49

First hit, found the functionality

First hit, found the functionality

Слайд 50

Same code in ILSpy

Same code in ILSpy

Слайд 51

Explanation of code Line 6: developer is assigning variable “a” to

Explanation of code

Line 6: developer is assigning variable “a” to whatever

you type into the text box
Line 7: if statement comparing password values
Line 17: if password is correct base.Hide will hide the login box
Line 18: will show the main window
Line 22: message box that tells you your password is incorrect
Line 23: closes the application
Слайд 52

Subverting authentication Now that we’ve found the code that performs the

Subverting authentication

Now that we’ve found the code that performs the authentication

we want to subvert that functionality to gain access without knowing the password
There are two tools that will allow us modify the executables
Graywolf
http://digitalbodyguard.com/GrayWolf.html
Reflexil
http://reflexil.net/
Слайд 53

Reflexil

Reflexil

Слайд 54

Reflexil The bottom half of the previous screen shot shows the

Reflexil

The bottom half of the previous screen shot shows the reflexil

plugin to reflector
With reflexil we can edit the executable
We’ll be editing content in the “Instructions” tab within reflexil
These instructions are referred to as CIL (common intermediate language)
Слайд 55

CIL Lower level language used by the .Net application virtual machine

CIL

Lower level language used by the .Net application virtual machine
So your

higher level programming, such as C#, gets converted to CIL (sometimes called IL)
The CIL instructions will then be JIT compiled into native machine code at run time
Opcodes are at the heart of CIL and tell the application what to do
Слайд 56

CIL Not that important to understand all the technical details behind

CIL

Not that important to understand all the technical details behind CIL
On

lines 01, 02, and 03 we can see these three lines are more than likely responsible for getting input from user via a text box
Слайд 57

Modifying CIL Looking through the code and CIL we see an

Modifying CIL

Looking through the code and CIL we see an interesting

instruction on line 07
The operand to the instruction is “op_Equality” that compares passwords
The next opcode instruction on line 08 is “brfalse”
Stands for branch if false, so it’s the if statement
Слайд 58

Modifying CIL You’ll also notice the operand for the opcode on

Modifying CIL

You’ll also notice the operand for the opcode on line

08 is “->(36)”
This means branch to line 36 if the password doesn’t match
This branches all the way down to the message box functionality
To break this functionality we can change the brfalse opcode to the opposite which is brtrue
Слайд 59

Modifying CIL Right click on opcode and choose edit

Modifying CIL

Right click on opcode and choose edit

Слайд 60

Modifying CIL Next change to brtrue then click update

Modifying CIL

Next change to brtrue then click update

Слайд 61

Modifying CIL Next right click on root tree and save

Modifying CIL

Next right click on root tree and save

Слайд 62

Patched executable Now you’ve successfully patched a .Net executable If we

Patched executable

Now you’ve successfully patched a .Net executable
If we run this

we can provide the incorrect password and successfully authenticate but if we provide the correct password the application will close
We don’t have to stop there we can delete chunks of code to remove that functionality as well
Слайд 63

Deleting code blocks

Deleting code blocks

Слайд 64

Delete code blocks Delete lines 1-28 Save the patched application Run

Delete code blocks

Delete lines 1-28
Save the patched application
Run it again and

now it won’t matter what password you type in because we’ve deleted that entire if statement that checks for the password
Next open the patched application in reflector to see if the code block was deleted
Слайд 65

Missing code block

Missing code block

Слайд 66

Great success We’ve successfully modified the application to subvert authentication If

Great success

We’ve successfully modified the application to subvert authentication
If we had

obtained this executable from another user then we would have all their passwords
Hopefully you see how easy it is to control and modify .Net applications to your heart’s content
Слайд 67

Easier reversing via deobfuscation There is a slightly easier way to

Easier reversing via deobfuscation

There is a slightly easier way to go

about reversing an obfuscated .Net application
If we can deobfuscate the obfuscated code then we’ll have a much easier time understanding the functionality of the application
Luckily reflexil can deobfuscate many obfuscation tools
Слайд 68

Reflexil deobfuscation Right click > Reflexil > Obfuscator search

Reflexil deobfuscation

Right click > Reflexil > Obfuscator search

Слайд 69

Reflexil deobfuscation Next reflexil will try to determine the type of

Reflexil deobfuscation

Next reflexil will try to determine the type of obfuscation

used
Here it successfully determined it was obfuscated with Eazfuscator.NET 3.2
Слайд 70

Reflexil deobfuscation Next you save the executable, you can stick with

Reflexil deobfuscation

Next you save the executable, you can stick with the

default *.Cleaned extension so you don’t accidentally write over the original exe
Next open your saved SafeAsHouses.Cleaned in reflector to view deobfuscated code
Слайд 71

Deobfuscated code

Deobfuscated code

Слайд 72

Deobfuscated code So reflexil actually does a nice job on getting

Deobfuscated code

So reflexil actually does a nice job on getting us

better source code
It may not retrieve original variables or class names but it will at least name them var1, var2, etc to give better meaning
In this case it actually revealed the pop up message of “Password incorrect” to whereas before that was obfuscated
Слайд 73

Steps to reverse .Net app Run the application to understand functionality

Steps to reverse .Net app

Run the application to understand functionality
Decompile the

application
Review source code and hone in on the functionality you’re trying to understand
If obfuscated look for key constructs to understand functionality
Optional: Modify app to achieve your desired functionality
Слайд 74

Wrapping up A standalone .Net executable will more than likely be

Wrapping up

A standalone .Net executable will more than likely be very

easy to decompile to get original source code
Obfuscation techniques only make it a little bit harder to figure out the original source code
If you want to save your intellectual property then don’t write the software that utilizes the .Net framework
- Предыдущая
Российский флаг - державы символ
Следующая -
Ремесло в средневековом городе

Похожие презентации

Структура книги
Устройства хранения информации
Файловая система
Презентация "Правила безопасной работы в сети Интернет" - скачать презентации по Информатике
Средства массовой информации
Метод координат. Способы кодирования информации
Новостной сайт
Структуированные переменные данные
Электронные таблицы. Формулы
Базы данных. Основные понятия и общие представления
Базовая настройка коммутаторов 3028, 3526, 1210-28P
Представление информации. Информация и информационные процессы
Защита информационных процессов в компьютерных системах. Тема 4
Теоретические методы исследования в технологическом образовании. Абстракция. Структурно-функциональные модели
Учебный курс Язык UML в анализе и проектировании программных систем и бизнес-процессов Лекция 1 Базовые принципы и понятия техн
Паттерн Singleton
Графики и диаграммы. Наглядное представление о соотношении величин
Базы данных
Графы. Состав графа
Обработка информации
ЭБС Лань
Простейшие конструкции языка Pascal
Особенности средств разработки информационной системы
Презентация Основы логики
Виды компьютерной графики. 8 класс
GIT : getting decentralized
Текст как форма представления информации
Разработка автоматизированной системы управления технологическими процессами ООО «Связьторг»
Вы можете прислать нам Вашу презентацию и мы опубликуем ее на сайте.
Обратная связь
Для правообладателей
Email: Нажмите что бы посмотреть