Disassembling for Fun
Jason Haley

Who is this guy?
- Certifiable (MCSD.Net certified, that is)
- Blog: http://jasonhaley.com/blog
- Co-leader of Beantown.Net User Group
- Member of Boston Area Code Brew
- A nerd dinner organizer for the Boston area
- TA for Programming .Net at Harvard
- Sr. Software Engineer, Cheshire Software

Disassembling is useful
- See how efficient a compiler is
- Translate IL to a higher-level language
- View all pieces of an assembly
- Extract resources
- Edit source code to recompile

Example of disassembling
- What is round-tripping?
- Demos: ILDasm, Reflector

Agenda
- Define disassembling
- Applied disassembling
- Writing a disassembler

What is disassembling?
- Disassembling is not reflection (Demos: WinCV, Asmex)
- Disassemble or decompile (Demos: ILDasm, Reflector)

Agenda
- Define disassembling
- Applied disassembling
- Writing a disassembler

What is in an assembly file?
- PE/COFF File
- CLR Header
- Metadata
- IL code

PE File
- Portable Executable File Format
  - PE/COFF headers
  - Data directories
  - Sections
- Demos: Dumpbin, .Net Explorer

CLR Header
- Contains CLR-specific information
  - "Required runtime" version
  - Metadata location
  - Managed resources location
  - Strong name signature location
- Demo: .Net Explorer

Metadata
- Assembly metadata
  - Metadata header
  - Metadata streams (tables and heaps)
- Demos: Monodis, Asmex, Spices.Net

IL Code
- Recognizing the pieces
  - Metadata table contents
  - Metadata heap contents
  - IL code
- Demos: Metadata diagram, ILDasm, Dis#

Disassemblers/Decompilers
- ILDasm
- Monodis
- DILE (Dotnet IL Editor)
- Reflector for .Net
- Asmex (free-source .Net Assembly Examiner)
- Dis# (.Net decompiler)
- .Net Explorer
- Spices.Net

DILE (Dotnet IL Editor)
- Open source (Zsolt Petreny): http://sourceforge.net/projects/dile
- Disassembles to IL
- Quick search for names and tokens
- Debugger functionality: can debug IL!
- Demo: Debugging IL vs. Assembler

Reflector for .Net
- Lutz Roeder: http://www.aisto.com/roeder/dotnet
- Great code browsing tool
- Add-ins created by the community: http://csharp21.tripod.com/Reflector.Add.Ins
- Demo: Reflector and its add-ins

Asmex (Assembly Examiner)
- Free source (Ben Peterson): http://www.jbrowse.com/products/asmex/
- Graphical representation
- Most pieces of an assembly
- Demo: Look at the code

Agenda
- Define disassembling
- Applied disassembling
- Writing a disassembler

Writing a disassembler
- PE/COFF File
- CLR Header
- Metadata
- IL Code

PE File
- Finding the PE header
  - Signatures (MS-DOS, PE)
  - Necessary structures
- Demos: Vijay

CLR Header
- Finding the CLR header
  - Needs information from the PE header
  - Calculate the offset in the file
- Demos: Vijay

Metadata
- Tables are a "normalized database"
- Heaps
  - String: zero-terminated characters
  - GUID: 16-byte binary objects
  - Blob: binary object, preceded by its length
- Manifest
- Demos: metainfo, Vijay

IL Code
- Getting to the IL code
  - Signatures
  - RVA
  - Method format (tiny or fat)
  - Method data section
  - Exception handling clause (small or fat)
- Demos: DILE, Vijay
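The slide above lists what a disassembler must decode once it has reached a method body. As an added example, not code from the talk or from the Vijay demo, the Python below parses a CLI method header in both the tiny and fat formats and, when the MoreSects flag is set, the exception-handling section that follows the IL in small or fat form; the two method bodies and the TypeRef token in the catch clause are constructed inputs.

```python
import struct
# Format/flag constants from ECMA-335 II.25.4 (method header) and II.25.4.5 (method data sections).
TINY_FORMAT, FAT_FORMAT, FLAG_MORE_SECTS, FLAG_INIT_LOCALS = 0x2, 0x3, 0x8, 0x10
SECT_EHTABLE, SECT_FATFORMAT = 0x01, 0x40
CLAUSE_FIELDS = ("flags", "try_offset", "try_length", "handler_offset", "handler_length", "class_token_or_filter")

def parse_method(data, offset=0):
    """Decode one method body at `offset`: header fields, raw IL bytes and EH clauses."""
    kind = data[offset] & 0x3
    if kind == TINY_FORMAT:       # 1-byte header, code size in the upper 6 bits, no locals, max stack 8
        hdr, code_size = 1, data[offset] >> 2
        m = {"format": "tiny", "flags": 0, "max_stack": 8, "local_var_sig_tok": 0}
    elif kind == FAT_FORMAT:      # 12-byte header; bits 12-15 give its size in dwords
        flags_size, max_stack, code_size, sig = struct.unpack_from("<HHII", data, offset)
        hdr = (flags_size >> 12) * 4
        if hdr != 12:
            raise ValueError("fat header size must be 3 dwords")
        m = {"format": "fat", "flags": flags_size & 0xFFF, "max_stack": max_stack, "local_var_sig_tok": sig}
    else:
        raise ValueError(f"unrecognised method header kind {kind:#x}")
    code_start = offset + hdr
    m["code"] = bytes(data[code_start:code_start + code_size])
    if len(m["code"]) != code_size:
        raise ValueError("method body runs past the end of the data")
    m["eh_clauses"] = []
    if m["flags"] & FLAG_MORE_SECTS:          # data sections start on the next 4-byte boundary
        m["eh_clauses"] = parse_eh_section(data, (code_start + code_size + 3) & ~3)
    return m

def parse_eh_section(data, pos):
    """Decode a small (12-byte clauses) or fat (24-byte clauses) exception-handling section."""
    if pos + 4 > len(data) or not data[pos] & SECT_EHTABLE:
        raise ValueError("missing or non-EH method data section")
    if data[pos] & SECT_FATFORMAT:
        size, fmt = int.from_bytes(data[pos + 1:pos + 4], "little"), "<IIIIII"
    else:
        size, fmt = data[pos + 1], "<HHBHBI"
    body = data[pos + 4:pos + size]           # DataSize includes the 4-byte section header
    if len(body) != size - 4 or len(body) % struct.calcsize(fmt):
        raise ValueError("malformed exception-handling section")
    return [dict(zip(CLAUSE_FIELDS, struct.unpack_from(fmt, body, i))) for i in range(0, len(body), struct.calcsize(fmt))]

# Constructed inputs, not bytes taken from a real assembly.
TINY_METHOD = bytes.fromhex("0e" "1f2a" "2a")  # header: tiny, 3 bytes of IL; ldc.i4.s 42; ret
FAT_METHOD = bytes.fromhex(
    "1b30" "0100" "07000000" "00000000"  # fat|moresects|initlocals, 3 dwords; maxstack 1; 7 IL bytes; no locals
    "00" "de03" "26" "de00" "2a"         # nop; leave.s +3; pop; leave.s +0; ret
    "00"                                 # pad to a 4-byte boundary
    "01" "10" "0000"                     # EH section: kind=EHTable (small), DataSize=16, reserved
    "0000" "0000" "03" "0300" "03" "01000001")  # catch clause: try [0,3), handler [3,6), placeholder TypeRef token
```

Feeding a truncated body to parse_method raises ValueError instead of reading past the buffer, which is the check a disassembler needs before trusting a MethodDef RVA.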
Summary
- What is disassembling?
- What is a disassembler and what can it do for you?
- Where can I find a disassembler?
- What are some of the things you need to know to write your own disassembler?
- Why do you care?

Resources
- Inside Microsoft .Net IL Assembler, Serge Lidin
- Standard ECMA-335 (CLI): http://ecma-international.org/publications/standards/Ecma-335.htm
- Metadata diagram, Chris King
- .Net SDK (especially ILDasm)

Questions?