Disassembling for Fun - PowerPoint PPT Presentation

Slides: 26
Provided by: thomro

Transcript and Presenter's Notes

Title: Disassembling for Fun


1
Disassembling for Fun
  • Jason Haley

2
Who is this guy?
  • Certifiable (MCSD.net certified that is)
  • Blog: http://jasonhaley.com/blog
  • Co-leader of Beantown .Net User Group
  • Member of Boston Area Code Brew
  • A nerd dinner organizer for Boston area
  • TA for Programming .Net at Harvard
  • Sr. Software Engineer - Cheshire Software

3
Disassembling is useful
  • See how efficient a compiler is
  • Translate IL to a higher level language
  • View all pieces of an assembly
  • Extract resources
  • Edit source code to recompile

4
Example of disassembling
  • What is Round-tripping?
  • Demos: ILDasm, Reflector

5
Agenda
  • Define disassembling
  • Applied disassembling
  • Writing a disassembler

6
What is disassembling?
  • Disassembling is not reflection
  • Demos: WinCV, Asmex
  • Disassemble or decompile
  • Demos: ILDasm, Reflector

7
Agenda
  • Define disassembling
  • Applied disassembling
  • Writing a disassembler

8
What is in an assembly file?
  • PE/COFF File
  • CLR Header
  • Metadata
  • IL code

9
PE File
  • Portable Executable File Format
  • PE/COFF headers
  • Data directories
  • Sections
  • Demos: Dumpbin, .Net Explorer

10
CLR Header
  • Contains CLR specific information
  • Required runtime version
  • Metadata location
  • Managed resources location
  • Strong name signature location
  • Demo: .Net Explorer

11
Metadata
  • Assembly metadata
  • Metadata header
  • Metadata streams (tables and heaps)
  • Demos: Monodis, Asmex, Spices.Net

12
IL Code
  • Recognizing the pieces
  • Metadata table contents
  • Metadata heap contents
  • IL code
  • Demos: Metadata diagram, ILDasm, Dis

13
Disassemblers/Decompilers
  • ILDasm
  • Monodis
  • DILE: Dotnet IL Editor
  • Reflector for .Net
  • Asmex: Free source .Net Assembly Examiner
  • Dis - .Net decompiler
  • .Net Explorer
  • Spices.Net

14
DILE: Dotnet IL Editor
  • Open source (Zsolt Petreny) http://sourceforge.net/projects/dile
  • Disassembles to IL
  • Quick search for name and tokens
  • Debugger functionality can debug IL!
  • Demo: Debugging IL vs. Assembler

15
Reflector for .Net
  • Lutz Roeder http://www.aisto.com/roeder/dotnet
  • Great code browsing tool
  • Add-ins created by community - http://csharp21.tripod.com/ReflectorAddIns
  • Demo: Reflector and its add-ins

16
Asmex Assembly Examiner
  • Free source (Ben Peterson) - http://www.jbrowse.com/products/asmex/
  • Graphical representation
  • Most pieces of an assembly
  • Demo: Look at the code

17
Agenda
  • Define disassembling
  • Applied disassembling
  • Writing a disassembler

18
Writing a disassembler
  • PE/COFF File
  • CLR Header
  • Metadata
  • IL Code

19
PE File
  • Finding the PE header
  • Signatures (MS-DOS, PE)
  • Necessary structures
  • Demos: Vijay

20
CLR Header
  • Finding the CLR Header
  • Need information from PE Header
  • Calculate the offset in file
  • Demos: Vijay
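
The steps on slides 19 and 20, as an added Python example that is not code from the presentation or its demos: check the MS-DOS and PE signatures, read the CLR data directory entry from the PE optional header, and convert its RVA to a file offset through the section table. The function names and the image returned by `build_sample()` are constructed for illustration.

```python
import struct

CLR_DIR = 14  # data directory slot that holds the CLR header (ECMA-335 Partition II)

def rva_to_offset(data, sect_at, nsect, rva):
    """Translate an RVA to a file offset by walking the section table."""
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", data, sect_at + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is outside every section" % rva)

def find_clr_header(data):
    """Locate and decode the CLR header; ValueError if the file is not managed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MS-DOS signature")
    pe_at = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_at:pe_at + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections at +6 and SizeOfOptionalHeader at +20 from the PE signature
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_at + 6)
    opt_at = pe_at + 24
    magic = struct.unpack_from("<H", data, opt_at)[0]
    dirs_rel = {0x10B: 96, 0x20B: 112}.get(magic)             # PE32 / PE32+
    if dirs_rel is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt_at + dirs_rel - 4)[0]
    rva, _size = struct.unpack_from("<II", data, opt_at + dirs_rel + 8 * CLR_DIR)
    if ndirs <= CLR_DIR or rva == 0:
        raise ValueError("no CLR header: not a managed assembly")
    sect_at = opt_at + opt_size                               # section table follows
    off = rva_to_offset(data, sect_at, nsect, rva)
    cb, major, minor, md_rva, md_size = struct.unpack_from("<IHHII", data, off)
    return {"offset": off, "cb": cb, "runtime": (major, minor), "metadata_size": md_size,
            "metadata_offset": rva_to_offset(data, sect_at, nsect, md_rva)}

def build_sample():
    """Constructed PE32 image: one section, RVA 0x2000 stored at file offset 0x200."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)              # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x94, 224)                    # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)                  # magic: PE32
    struct.pack_into("<I", img, 0x98 + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x98 + 96 + 8 * CLR_DIR, 0x2008, 72)
    struct.pack_into("<8s4I", img, 0x178, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHHII", img, 0x208, 72, 2, 5, 0x2050, 0x100)  # CLR header
    return bytes(img)
```

The metadata offset it returns is where the metadata header of slide 21 begins; a truncated file surfaces as `struct.error` rather than `ValueError`.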

21
Metadata
  • Tables are a normalized database
  • Heaps
  • String: zero-terminated character
  • GUID: 16 byte binary objects
  • Blob: binary object, preceded by its length
  • Manifest
  • Demos: metainfo, Vijay

22
IL Code
  • Getting to the IL code
  • Signatures
  • RVA
  • Method format (tiny or fat)
  • Method data section
  • Exception handling clause (small or fat)
  • Demos: Dile, Vijay

23
Summary
  • What is disassembling?
  • What is a disassembler and what can it do for you?
  • Where can I find a disassembler?
  • What are some of the things you need to know to write your own disassembler?
  • Why do you care?

24
Resources
  • Inside Microsoft .Net IL Assembler - Serge Lidin
  • Standard ECMA-335 CLI http://ecma-international.org/publications/standards/Ecma-335.htm
  • Metadata diagram - Chris King
  • .Net SDK (especially ILDasm)

25
Questions
  • ?