This document contains the notes from a presentation titled "Hacking .NET Applications: The Black Arts" given by Jon McCoy at AppSec USA 2014 in Denver, Colorado. The presentation covered attacking .NET applications by decompiling code, injecting code at runtime, exploiting weaknesses in validation checks, replaying registration codes, and cracking hardcoded crypto keys. It also discussed protections like obfuscation and discussed the risks of data leaks, weak crypto, and clear text password storage.

1. AppSec USA 2014
Denver, Colorado
Hacking .NET Applications:
The Black Arts
AppSec – USA – 2014
Jon McCoy

2. 2
DenHac - DenHac.ORG
Monday 8:00
700 Kalamath St. Denver CO

3. 3
WHAT IS .NET?
NOT Microsoft
Cross Platform
Next Step From C++/JAVA
FUTURE COMPATIBLE
PLATFORM INDEPENDENT

4. 4
HACKER VS ATTACKER

5. 5

6. 6
NOT AMS LEVEL

7. 7
IDA PRO
WHY NOT IDA?

8. 8
IDA PRO

9. 9
BACK WHEN

10. 10
BACK WHEN

11. 11
BUT….

12. 12
NOT IDA PRO

13. 13

14. 14

15. 15
NOT IDA PRO

16. 16
IL – Intermediate Language
Code of the Matrix |||| NEW ASM

17. 17
DECOMPILE
C# - 13 LINES
LINES
C# - 15
IL - 34
ASM - 77

18. 18
C# -IL1 5- 34
ASM - 77
HOW MUCH CODE DO YOU
NEED TO READ`

19. Attacking/Cracking
IN MEM |||| ON DISK
19

20. 20
ATTACKING .NET
ATTACK
THE CODE ON DISK

21. 21
ATTACKING ON DISK

22. 22
ASM Attacking
Basics of ASM in .NET
Demo

23. 23

24. 24 AMS

25. 25
GRAYWOLF
ON DISK EDIT

26. 26
ATTACKING .NET
APPLICATIONS: AT RUNTIME

27. 27
GRAYDRAGON
INJECTION

28. 28
ATTACKING .NET
ATTACK WHILE
THE APP IS RUNNING

29. 29
Run and Inject
SECURITY
SYSTEMS

30. 30

31. 31
BAD IDEA
Some Things Are Just A Bad Idea!!!

32. 32
101 - ATTACK ON DISK
Connect/Open - Access Code
Decompile - Get code/tech
Infect - Change the target's code
Exploit - Take advantage
Remold/Recompile - WIN

33. 33
THE WEAK SPOTS
Flip The Check
Set Value is “True”
Cut The Logic
Return True
Access Value

34. 34
SET F VLAIPL U TEH ET OC H “TERCUKE”
bool Registered = ftfraullssee;;;
IIff((aa!=====bbb)))

35. 35
RETURN TRUE
bool IsRegistered()
{
Return TRUE;
........................
}

36. 36
CUT THE LOGIC
string sqlClean(string x)
{
Return x;
}

37. 37
CRACK THE KEY
Public/Private
3/B==Name*ID*7
Call Server
Demo = True;
Complex Math
==
==
==
==
== Complex Math
Change Key
ASK what is /B?
Hack the Call
Set Value
1% of the time the KeyGen is given

38. 38
PUBLIC/PRIVATE KEY
If you can beat them
Why join them
Key = “F5PA11JS32DA”
Key = “123456ABCDE”

39. Reg Code = f3V541
39
SERVER CALL
1. Fake the Call
2. Fake the Request
3. Fake the Reply
4. Win
“Send”
SystemID = 123456789
*Registered = True*

40. 40
REG CODE REPLAY
Name:
JON DOE
Code: ==
98qf3uy
!=
5G*C9P3
FAIL

41. 41
REG CODE REPLAY
Name:
Code:
*C
5G9P3

42. 42
REG CODE REPLAY
Name:
JON DOE
Code: ==
5G9P3
5G*C9P3
WIN

43. 43
COMPLEX MATH
1. Chop up the Math
2. Attack the Weak
3. ??????????
4. Profit

44. 44
WHAT STOPS THIS?
What is the security?

45. PROTECTION ON DISK
Protection - Security by 0b$cur17y
45
Code Obfuscation
Logic Obfuscation
Unmanaged calls…to C/C++/ASM
Shells / Packers / Encrypted(code)
Try to SHUTDOWN
Decompilation

46. 46

47. 47

48. 48
PROTECTION ON DISK
0bfu$ca7ed
DEMO
FAIL

49. 49

50. 50
UNPROTECTED / PROTECTED

51. 51
PROTECTION ON DISK
Shells
Pack/Encrypt the EXE

52. 52
IT CAN BE THAT EZ
‘’TT
What is the security?

53. 53

54. 54
ATTACK VECTOR
VISUAL STUDIO
Exploit – Run arbitrary code
First noted in 2004
Get developer Keys
Attack the SVN & DB
www.pretentiousname.com/misc/
win7_uac_whitelist2.html

55. 55
LOOK INSIDE

56. 56
DON’T LOOK

57. 57
SECURITY
The Login security check is
Does A == B
Does MD5%5 == X
Is the Pass the Crypto Key

58. 58
DATA LEAK
The Data sent home is
Application Info
User / Registartion Info
Security / System Info

59. 59
KEY
The Crypto Key is
A Hard Coded Key
The Licence Number
A MD5 Hash of the Pass
6Salt 6MD5 Hash of the Pass

60. 60
CRYPTO
The Crypto is
DES 64
Tripple DES 192
Rijndael AES 256
Home MIX (secure/unsecure)

61. 61
FIN

62. 62
MORE INFORMATION @:
www.DigitalBodyGuard.com
JonM@DigitalBodyGuard.com
Jon McCoy

63. 63
HACK THE LOGIN
DEMO
PASS THE KEY
SHOW THE KEY

64. 64
HACK THE KEY
DEMO
APPSEC-USA 2011
999ca10a050f4bdb31f7e1f39d9a0dda

65. 65
Encrypted Data
Static Crypto Key
Vector init = 0
Clear TXT Password Storage