1. Disassembling for Fun Jason Haley

2. Who is this guy?  Certifiable (MCSD.net certified that is)  Blog – http://jasonhaley.com/blog http://jasonhaley.com/blog  Co-leader of Beantown.Net User Group  Member of Boston Area Code Brew  A nerd dinner organizer for Boston area  TA for Programming.Net at Harvard  Sr. Software Engineer - Cheshire Software

3. Disassembling is useful  See how efficient a compiler is  Translate IL to a higher level language  View all pieces of an assembly  Extract resources  Edit source code to recompile

4. Example of disassembling  What is Round-tripping?  Demos: ILDasm, Reflector

5. Agenda  Define disassembling  Applied disassembling  Writing a disassembler

6. What is disassembling?  Disassembling is not reflection Demos: WinCV, Asmex  Disassemble or decompile Demos: ILDasm, Reflector

7. Agenda  Define disassembling  Applied disassembling  Writing a disassembler

8. What is in an assembly file?  PE/COFF File  CLR Header  Metadata  IL code

9. PE File  Portable Executable File Format PE/COFF headers Data directories Sections  Demos: Dumpbin,.Net Explorer

10. CLR Header  Contains CLR specific information “Required runtime” version Metadata location Managed resources location Strong name signature location  Demo:.Net Explorer

11. Metadata  Assembly metadata Metadata header Metadata streams (tables and heaps)  Demos: Monodis, Asmex, Spices.Net

12. IL Code  Recognizing the pieces Metadata table contents Metadata heap contents IL code  Demos: Metadata diagram, ILDasm, Dis#

13. Disassemblers/Decompilers  ILDasm  Monodis  DILE – Dotnet IL Editor  Reflector for.Net  Asmex – Free source.Net Assembly Examiner  Dis# -.Net decompiler .Net Explorer  Spices.Net

14. DILE – Dotnet IL Editor  Open source (Zsolt Petreny) – http://sourceforge.net/projects/dile http://sourceforge.net/projects/dile  Disassembles to IL  Quick search for name and tokens  Debugger functionality – can debug IL!  Demo: Debugging IL vs. Assembler

15. Reflector for.Net  Lutz Roeder – http://www.aisto.com/roeder/dotnet http://www.aisto.com/roeder/dotnet  Great code browsing tool  Add-ins created by community - http://csharp21.tripod.com/ReflectorAddIns http://csharp21.tripod.com/ReflectorAddIns  Demo: Reflector and its add-ins

16. Asmex – Assembly Examiner  Free source (Ben Peterson) - http://www.jbrowse.com/products/asmex/ http://www.jbrowse.com/products/asmex/  Graphical representation  Most pieces of an assembly  Demo: Look at the code

17. Agenda  Define disassembling  Applied disassembling  Writing a disassembler

18. Writing a disassembler  PE/COFF File  CLR Header  Metadata  IL Code

19. PE File  Finding the PE header Signatures (MS-DOS, PE) Necessary structures  Demos: Vijay

20. CLR Header  Finding the CLR Header Need information from PE Header Calculate the offset in file  Demos: Vijay

21. Metadata  Tables are a “normalized database”  Heaps String – zero-terminated character GUID – 16 byte binary objects Blob – binary object, preceded by its length  Manifest  Demos: metainfo, Vijay

22. IL Code  Getting to the IL code SignaturesRVA Method format (tiny or fat) Method data section Exception handling clause (small or fat)  Demos: Dile, Vijay

23. Summary  What is disassembling?  What is a disassembler and what can it do for you?  Where can I find a disassembler?  What are some of the things you need to know to write your own disassembler?  Why do you care?

24. Resources  Inside Microsoft.Net IL Assembler – Serge Lidin  Standard ECMA-335 – CLI – http://ecma- international.org/publications/standards/Ec ma-335.htm http://ecma- international.org/publications/standards/Ec ma-335.htmhttp://ecma- international.org/publications/standards/Ec ma-335.htm  Metadata diagram - Chris King .Net SDK (especially ILDasm)

25. Questions ?