Greg, Depending on the target app there are various tools. Given that this list is about .Net I'd assume everyone would code around .Net so the most obvious one would be Reflector (or any of the preferred competitors). Second try would be ILDasm. Then someone will try to apply an "obfuscator" but frankly, from a security perspective that's just a bit of sand in the eyes of the attacker. If attacking that fails (doubt you have time to write/try more protections) you can try to attack directly at runtime either via a debugger (WinDbg is a simple enough tool to work in 5-10 mins) or a dll injection to actually hook your code and using reflection to navigate the object hierarchy until if finds the right info. If you really want to go hardcore you get into SoftIce but I doubt anyone would attempt that on a .Net app ... it's just such an overkill ...
You should ALWAYS assume the attacker has indefinite time and resources (because frankly they do) so your protection should not be based around "how can I hide xxx". And always assume a .Net app can be attacked in under 10 minutes :) Regards, Corneliu. On Fri, Mar 22, 2013 at 5:56 PM, Greg Keogh <g...@mira.net> wrote: > Unfortunately that raised the question of "Ok, so now where do we store >> our key in the app, so that no one can pull it out and use it, except for >> the app." >> > > No hope! If you distribute secret keys with the apps they can be found > easily and you declare yourself an amateur. A friend of mine is a security > consultant and he was asked/challenged by a company to "crack" their > product if he could. He owned some powerful Intel disassembler product (I > forget the name, it cost about $US800), ran it over the code, stepped over > the C code that "unscrambled" the secret password and found it was a block > of 64 0x65 bytes. He could even watch the C code XOR back and forth over > the buffer and found it was even wasting its own time due to a bug which > caused it to process bytes multiple redundant times. > > Corneliu, you told me years ago up at Wagga that you were doing this sort > of thing, but I can't remember what tools or techniques you used. If it's > not a state secret and you don't have to kill anyone you tell, what are > your tricks? > > Cheers, > Greg >
