Slides from a talk I gave at BSides Knoxville 2019.
Abstract:
My team loves working on legacy code projects. It's all that we do. That's why a friend of mine reached out to us for some help.
His startup was building out a universal API across a very fragmented industry with little to no interoperability or standards. Up until now, integrating with the systems in that industry had been pretty easy, because the companies that built them were willing to help.
But now he'd found one that wasn't willing to help. There was no obvious API for getting data out of the legacy application so that it could be exposed via his company's API. A big client for his company was riding on his ability to be able to pull this off. He remembered how much I loved a challenge and how much my team loved legacy code, so he figured we were his best shot.
The goal was to be able to read from the application's database.
In this talk, I'll cover:
* the different approaches that we took
* the one we really wanted to try because we thought it would be fun
* the approaches that we needed to try before we could attempt the fun one
* the excitement that we felt while working on it
* the grind toward completion once the big technical hurdle was crossed
* the sense of achievement when we got a read-only solution built
* the hope that we'd get the green light to start working on a read-write solution
* the disappointment when the plug got pulled and we weren't authorized to proceed any further
It was a fun journey, and I'd love to be able to share it.
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
Building a Bridge to a Legacy Application: How Hard Can That Be?
1. @mscottford
BUILDING A BRIDGE TO
@mscottford
BY M. SCOTT FORD
CO-FOUNDER & CHIEF CODE WHISPERER, CORGIBYTES
HOW HARD COULD THAT BE?
A LEGACY APPLICATION
8. @mscottford
WHAT DID WE KNOW?
TARGET SYSTEM
SERVICE
ON PREMISES
CLIENT UI
DATABASE
ADMIN UI
• Target system ran on Windows 7 desktop
• Data was stored in some form of database on the desktop
21. @mscottford
THE HUNT FOR AN SDK
•Visually skimmed installation directory looking for
anything obvious
@mscottford
22. @mscottford
THE HUNT FOR AN SDK
•Visually skimmed installation directory looking for
anything obvious
•Found evidence of very old tooling - some .EXEs had
default icon from old versions of Visual C++
@mscottford
23. @mscottford
THE HUNT FOR AN SDK
•Visually skimmed installation directory looking for
anything obvious
•Found evidence of very old tooling - some .EXEs had
default icon from old versions of Visual C++
•Ran dumpbin on all DLLs for any callable functions
@mscottford
24. @mscottford
THE HUNT FOR AN SDK
•Visually skimmed installation directory looking for
anything obvious
•Found evidence of very old tooling - some .EXEs had
default icon from old versions of Visual C++
•Ran dumpbin on all DLLs for any callable functions
•Nothing obvious found
@mscottford
27. @mscottford
FIND THE DB ACCESS DLL
•Looked for evidence of commercially available
database (you name it we looked) – found none
@mscottford
28. @mscottford
FIND THE DB ACCESS DLL
•Looked for evidence of commercially available
database (you name it we looked) – found none
•Looked though dumpbin output for data access
functions we could call
@mscottford
29. @mscottford
FIND THE DB ACCESS DLL
•Looked for evidence of commercially available
database (you name it we looked) – found none
•Looked though dumpbin output for data access
functions we could call
•Decompiled a few .NET DLLs
@mscottford
30. @mscottford
FIND THE DB ACCESS DLL
•Looked for evidence of commercially available
database (you name it we looked) – found none
•Looked though dumpbin output for data access
functions we could call
•Decompiled a few .NET DLLs
•Nothing obvious found
@mscottford
36. @mscottford
REVERSE ENGINEERING DB
•Find the files
–Made a small change in the admin UI
–Sorted files by date modified
–Got lucky! Only one file, a .BIN
@mscottford
37. @mscottford
REVERSE ENGINEERING DB
•Find the files
–Made a small change in the admin UI
–Sorted files by date modified
–Got lucky! Only one file, a .BIN
•Open our favorite hex editor Synalyze It!
@mscottford
46. @mscottford
THE GRIND
•Make a change in the UI (mostly via client UI)
•Diff before and after
•Mark location in Synalize It
@mscottford
47. @mscottford
THE GRIND
•Make a change in the UI (mostly via client UI)
•Diff before and after
•Mark location in Synalize It
•Repeat
@mscottford
48. @mscottford
THE GRIND
•Make a change in the UI (mostly via client UI)
•Diff before and after
•Mark location in Synalize It
•Repeat
•Only focus on data that we need
@mscottford
53. @mscottford
BUILDING THE CONNECTOR
•Only implement read commands
•Delay read/write until after demo
•Come up with some ideas about how to avoid conflicts
when write is implemented
@mscottford
58. @mscottford
THE DEMO
•CTO of vendor was present at the demo
•They were alarmed by the fact that it was working
@mscottford
59. @mscottford
THE DEMO
•CTO of vendor was present at the demo
•They were alarmed by the fact that it was working
•Turns out there was an SDK after all
@mscottford
60. @mscottford
THE DEMO
•CTO of vendor was present at the demo
•They were alarmed by the fact that it was working
•Turns out there was an SDK after all
•When they found out we had plans for read/write
support, their department handed it over
@mscottford
65. @mscottford
NOT SO FAST
•We learned a lot
•We had a ton of fun
•Our work led to the best possible solution being
uncovered
@mscottford
66. @mscottford
NOT SO FAST
•We learned a lot
•We had a ton of fun
•Our work led to the best possible solution being
uncovered
•A read/write implementation would have been risky
@mscottford