Slides from a talk I gave at BSides Knoxville 2019. Abstract: My team loves working on legacy code projects. It's all that we do. That's why a friend of mine reached out to us for some help. His startup was building out a universal API across a very fragmented industry with little to no interoperability or standards. Up until now, integrating with the systems in that industry had been pretty easy, because the companies that built them were willing to help. But now he'd found one that wasn't willing to help. There was no obvious API for getting data out of the legacy application so that it could be exposed via his company's API. A big client for his company was riding on his ability to be able to pull this off. He remembered how much I loved a challenge and how much my team loved legacy code, so he figured we were his best shot. The goal was to be able to read from the application's database. In this talk, I'll cover: * the different approaches that we took * the one we really wanted to try because we thought it would be fun * the approaches that we needed to try before we could attempt the fun one * the excitement that we felt while working on it * the grind toward completion once the big technical hurdle was crossed * the sense of achievement when we got a read-only solution built * the hope that we'd get the green light to start working on a read-write solution * the disappointment when the plug got pulled and we weren't authorized to proceed any further It was a fun journey, and I'd love to be able to share it.

1. @mscottford
BUILDING A BRIDGE TO
@mscottford
BY M. SCOTT FORD
CO-FOUNDER & CHIEF CODE WHISPERER, CORGIBYTES
HOW HARD COULD THAT BE?
A LEGACY APPLICATION

2. @mscottford
ABOUT ME
@mscottford

3. @mscottford@mscottford
CHIEF CODE WHISPERER
CO-FOUNDER AND

4. @mscottford
THIS IS A STORY

5. @mscottford
VENDORS
APICLIENTS
GAMMA
DELTA
BETA
ALPHA
THE ARCHITECTURE

6. @mscottford
VENDORS
API
ALPHA
TYPICAL INTEGRATION
CONNECTOR
VENDOR
SDK
VENDOR
SYSTEM

7. @mscottford
VENDORS
API
TARGET
TARGET INTEGRATION
CONNECTOR
TARGET
SYSTEM
??
NO SDK

8. @mscottford
WHAT DID WE KNOW?
TARGET SYSTEM
SERVICE
ON PREMISES
CLIENT UI
DATABASE
ADMIN UI
• Target system ran on Windows 7 desktop
• Data was stored in some form of database on the desktop

9. @mscottford
OPTIONS
TARGET SYSTEM
SERVICE
ON PREMISES
CLIENT UI
DATABASE
ADMIN UI

10. @mscottford
OPTIONS
TARGET SYSTEM
SERVICE
ON PREMISES
CLIENT UI
DATABASE
ADMIN UI
• Find an undocumented SDK

11. @mscottford
OPTIONS
TARGET SYSTEM
SERVICE
ON PREMISES
CLIENT UI
DATABASE
ADMIN UI
• Find an undocumented SDK
• Find libraries for
communicating with DB

12. @mscottford
OPTIONS
TARGET SYSTEM
SERVICE
ON PREMISES
CLIENT UI
DATABASE
ADMIN UI
• Find an undocumented SDK
• Find libraries for
communicating with DB
• Screen scrape the UI

13. @mscottford
OPTIONS
TARGET SYSTEM
SERVICE
ON PREMISES
CLIENT UI
DATABASE
ADMIN UI
• Find an undocumented SDK
• Find libraries for
communicating with DB
• Screen scrape the UI
• Reverse engineer DB file format

14. @mscottford
OPTIONS
TARGET SYSTEM
SERVICE
ON PREMISES
CLIENT UI
DATABASE
ADMIN UI
• Find an undocumented SDK
• Find libraries for
communicating with DB
• Screen scrape the UI
• Reverse engineer DB file format

15. @mscottford
PLAN OF ATTACK
Reverse engineer DB file format
Find libraries for communicating with DB
@mscottford

16. @mscottford
PLAN OF ATTACK
Reverse engineer DB file format
Find libraries for communicating with DB
Find an undocumented SDK
@mscottford

17. @mscottford
PLAN OF ATTACK
Reverse engineer DB file format
Find libraries for communicating with DB
Find an undocumented SDK
@mscottford

18. @mscottford
PLAN OF ATTACK
Reverse engineer DB file format
Find libraries for communicating with DB
Find an undocumented SDK
@mscottford

19. @mscottford
MAYBE THERE’S AN SDK

20. @mscottford
THE HUNT FOR AN SDK
@mscottford

21. @mscottford
THE HUNT FOR AN SDK
•Visually skimmed installation directory looking for
anything obvious
@mscottford

22. @mscottford
THE HUNT FOR AN SDK
•Visually skimmed installation directory looking for
anything obvious
•Found evidence of very old tooling - some .EXEs had
default icon from old versions of Visual C++
@mscottford

23. @mscottford
THE HUNT FOR AN SDK
•Visually skimmed installation directory looking for
anything obvious
•Found evidence of very old tooling - some .EXEs had
default icon from old versions of Visual C++
•Ran dumpbin on all DLLs for any callable functions
@mscottford

24. @mscottford
THE HUNT FOR AN SDK
•Visually skimmed installation directory looking for
anything obvious
•Found evidence of very old tooling - some .EXEs had
default icon from old versions of Visual C++
•Ran dumpbin on all DLLs for any callable functions
•Nothing obvious found
@mscottford

25. @mscottford
MAYBE THE DB IS OFF THE SHELF

26. @mscottford
FIND THE DB ACCESS DLL
@mscottford

27. @mscottford
FIND THE DB ACCESS DLL
•Looked for evidence of commercially available
database (you name it we looked) – found none
@mscottford

28. @mscottford
FIND THE DB ACCESS DLL
•Looked for evidence of commercially available
database (you name it we looked) – found none
•Looked though dumpbin output for data access
functions we could call
@mscottford

29. @mscottford
FIND THE DB ACCESS DLL
•Looked for evidence of commercially available
database (you name it we looked) – found none
•Looked though dumpbin output for data access
functions we could call
•Decompiled a few .NET DLLs
@mscottford

30. @mscottford
FIND THE DB ACCESS DLL
•Looked for evidence of commercially available
database (you name it we looked) – found none
•Looked though dumpbin output for data access
functions we could call
•Decompiled a few .NET DLLs
•Nothing obvious found
@mscottford

31. @mscottford
YAY! REVERSE ENGINEERING TIME!

32. @mscottford
REVERSE ENGINEERING DB
@mscottford

33. @mscottford
REVERSE ENGINEERING DB
•Find the files
@mscottford

34. @mscottford
REVERSE ENGINEERING DB
•Find the files
–Made a small change in the admin UI
@mscottford

35. @mscottford
REVERSE ENGINEERING DB
•Find the files
–Made a small change in the admin UI
–Sorted files by date modified
@mscottford

36. @mscottford
REVERSE ENGINEERING DB
•Find the files
–Made a small change in the admin UI
–Sorted files by date modified
–Got lucky! Only one file, a .BIN
@mscottford

37. @mscottford
REVERSE ENGINEERING DB
•Find the files
–Made a small change in the admin UI
–Sorted files by date modified
–Got lucky! Only one file, a .BIN
•Open our favorite hex editor Synalyze It!
@mscottford

38. @mscottford
SYNALYZE IT!
@mscottford

39. @mscottford
REVERSE ENGINEERING DB
@mscottford

40. @mscottford
REVERSE ENGINEERING DB
•Search for strings
–Found tables names – including “btree”
@mscottford

41. @mscottford
REVERSE ENGINEERING DB
•Search for strings
–Found tables names – including “btree”
•Look for patterns in the file
–Map them out in Synalyze It!
@mscottford

42. @mscottford
TIME FOR THE GRIND
@mscottford

43. @mscottford
THE GRIND
@mscottford

44. @mscottford
THE GRIND
•Make a change in the UI (mostly via client UI)
@mscottford

45. @mscottford
THE GRIND
•Make a change in the UI (mostly via client UI)
•Diff before and after
@mscottford

46. @mscottford
THE GRIND
•Make a change in the UI (mostly via client UI)
•Diff before and after
•Mark location in Synalize It
@mscottford

47. @mscottford
THE GRIND
•Make a change in the UI (mostly via client UI)
•Diff before and after
•Mark location in Synalize It
•Repeat
@mscottford

48. @mscottford
THE GRIND
•Make a change in the UI (mostly via client UI)
•Diff before and after
•Mark location in Synalize It
•Repeat
•Only focus on data that we need
@mscottford

49. @mscottford
BUILD THE CONNECTOR
@mscottford

50. @mscottford
BUILDING THE CONNECTOR
@mscottford

51. @mscottford
BUILDING THE CONNECTOR
•Only implement read commands
@mscottford

52. @mscottford
BUILDING THE CONNECTOR
•Only implement read commands
•Delay read/write until after demo
@mscottford

53. @mscottford
BUILDING THE CONNECTOR
•Only implement read commands
•Delay read/write until after demo
•Come up with some ideas about how to avoid conflicts
when write is implemented
@mscottford

54. @mscottford
VENDORS
API
TARGET
TARGET INTEGRATION
CONNECTOR
TARGET
SYSTEM
CUSTOM
SDK

55. @mscottford
TIME TO DEMO TO THE CLIENT
@mscottford

56. @mscottford
THE DEMO
@mscottford

57. @mscottford
THE DEMO
•CTO of vendor was present at the demo
@mscottford

58. @mscottford
THE DEMO
•CTO of vendor was present at the demo
•They were alarmed by the fact that it was working
@mscottford

59. @mscottford
THE DEMO
•CTO of vendor was present at the demo
•They were alarmed by the fact that it was working
•Turns out there was an SDK after all
@mscottford

60. @mscottford
THE DEMO
•CTO of vendor was present at the demo
•They were alarmed by the fact that it was working
•Turns out there was an SDK after all
•When they found out we had plans for read/write
support, their department handed it over
@mscottford

61. @mscottford
BUMMER
@mscottford

62. @mscottford
NOT SO FAST
@mscottford

63. @mscottford
NOT SO FAST
•We learned a lot
@mscottford

64. @mscottford
NOT SO FAST
•We learned a lot
•We had a ton of fun
@mscottford

65. @mscottford
NOT SO FAST
•We learned a lot
•We had a ton of fun
•Our work led to the best possible solution being
uncovered
@mscottford

66. @mscottford
NOT SO FAST
•We learned a lot
•We had a ton of fun
•Our work led to the best possible solution being
uncovered
•A read/write implementation would have been risky
@mscottford

67. @mscottford
CONTACT INFO
@mscottford
@corgibytes
corgibytes.com
LegacyCode.Rocks

68. @mscottford
QUESTIONS?

69. @mscottford
CONTACT INFO
@mscottford
@corgibytes
corgibytes.com
LegacyCode.Rocks