 

Reverse Engineering Web Applications [closed]

Aloha, Stackoverflow.

I frequently come across web applications, and wonder to myself, "How could I write a script/application which would interface with that?" (purely academic, not for spamming purposes!).

For example, the website Omegle; people have written Python scripts to interface with the website and run a chat without opening the browser... how? I will admit that WEB programming is not my strongest area, but I would really like to know how one could extract the protocol being used from such applications, and use this knowledge to create custom apps and tinker with the service.

So basically, how can I figure out the inner workings of a web app (i.e. imeetzu.com) such that I can write code to interface with it from my desktop?

Thank you in advance!

araisbec asked Apr 05 '13 14:04




1 Answer

You'll need a set of tools to start with:

  • A browser with a debugging window (Chrome is particularly good for this). This will allow you in particular to access the network calls that your browser directly makes (there's a caveat coming), and to see:

    • their content
    • their parameters
    • their target
  • A network packet sniffer to trace down anything that goes through Flash (or WebSockets). I'm quite fond of Ethereal (now called Wireshark), though if you're in the US, you could be breaking the law by using it (depends on the use you make of it). This will allow you to see every TCP frame that enters and leaves your network interface.

The knowledge you will need:

  • Ability to identify and isolate a network stream. This comes through practice
  • Knowledge of the language the app you are trying to reverse-engineer is written in. If JavaScript isn't your cup of tea, avoid JS-based stuff
  • Maths and cryptography. Data may very well be encrypted/obfuscated/stegg-ed from time to time. Be aware and look out for it.

In this particular case, looks like you might have to deal with Flash. There are additional resources to help on this, although all of them are non-free. There is one particularly good Flash decompiler called SoThink SWF decompiler, which allows you to turn a SWF into a FLA or a collection of AS sources.

That's all for the tools. The method is easy - look at what data comes in/out and figure out by elimination what is what. If it's encrypted, you'll need IVs and samples to hope to break it (or just decompile the code and find how the key/handshake is done). This is a very, very extensive field and I haven't even touched the tip of the iceberg with this - feel free to ask for more info.

(How do I know all this? I was a contributor to the eAthena project, which reverse-engineered a game protocol)

Sébastien Renauld answered Sep 20 '22 02:09
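
The "figure out by elimination" step from the answer above, as an added example that is not part of the original answer: given a HAR export of the browser's Network tab, it groups requests by endpoint and separates parameters that stay fixed from those that change between calls. The host `chat.example.test`, its paths and its parameter names are constructed sample data, and `_req`, `request_params` and `summarize` are names chosen for this sketch.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

FORM = "application/x-www-form-urlencoded"

def _req(path, mime="", text=""):  # builds one constructed HAR entry
    return {"request": {"method": "POST", "url": "https://chat.example.test" + path,
                        "postData": {"mimeType": mime, "text": text}}}

# Constructed sample in HAR 1.2 layout; host, paths and parameters are made up.
SAMPLE_HAR = {"log": {"entries": [
    _req("/start?rcs=1"),
    _req("/send", FORM, "id=abc123&msg=hello"),
    _req("/send", FORM, "id=abc123&msg=how+are+you"),
    _req("/events", "application/json", '{"id": "abc123", "seq": 1}'),
    _req("/events", "application/json", '{"id": "abc123", "seq": 2}'),
]}}

def request_params(req):
    """Return (name, value) pairs from the query string and the request body."""
    pairs = parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True)
    body = req.get("postData") or {}
    mime, text = body.get("mimeType", ""), body.get("text", "")
    if FORM in mime:
        pairs += parse_qsl(text, keep_blank_values=True)
    elif "json" in mime:
        try:
            data = json.loads(text)
        except ValueError:
            data = None  # labelled JSON but not parseable; skip the body
        if isinstance(data, dict):
            pairs += [(k, str(v)) for k, v in data.items()]
    return pairs

def summarize(har):
    """Group calls by (method, host, path); split parameters by whether they change."""
    seen = defaultdict(lambda: {"calls": 0, "values": defaultdict(set)})
    for req in (entry["request"] for entry in har["log"]["entries"]):
        url = urlsplit(req["url"])
        endpoint = seen[(req["method"], url.netloc, url.path)]
        endpoint["calls"] += 1
        for name, value in request_params(req):
            endpoint["values"][name].add(value)
    return {key: {
        "calls": ep["calls"],
        "constant": {n: min(v) for n, v in ep["values"].items() if len(v) == 1},
        "varying": sorted(n for n, v in ep["values"].items() if len(v) > 1),
    } for key, ep in seen.items()}
```

To run it on a real capture, load the exported `.har` file with `json.load` and pass the result to `summarize`; a parameter listed as constant after a single call is only weak evidence.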