Tutorial: Is reflection reverse engineering?



Question:

You can find out a great deal about the internals of an application through reflection; it's exposed by the .NET BCL (base class library) and it makes it trivial to retrieve actual IL for any .NET method.

Reverse engineering on Wikipedia:

Reverse engineering is the process of discovering the technological principles of a device, object or system through analysis of its structure, function and operation.

Reflection would certainly satisfy as analysis of structure. But where do you draw the line between introspection and actual reverse engineering? And from a legal standpoint, is reflection reverse engineering?


Solution:1

The border between the two does seem blurred. Ethically I would draw the line in the programmer's motivation.

If he is using reflection to build a library, tool or similar software that is supposed to interact with any 3rd party code that satisfies certain criteria, I would not see it as reverse engineering.

For example, I was recently writing a generic base class for Linq2SQL data layers. The base class uses reflection to gain insight into the database layout and properly handle updates of nested business entities. If someone else uses my base class for his web application, I would not gain any knowledge about his source code. This usage of reflection is certainly no reverse engineering.

If, on the other hand, the programmer is trying to understand the inner workings of a competitor's software using reflection, he is reverse engineering it.


Solution:2

One must call into question the definition of Reverse Engineering when the ability to easily decompile the language is a part of the language, à la Reflection.

With a tool like .NET Reflector I feel like the lines really start to blur!

Using an example from SO itself, they recently de-obfuscated the source code for their WMD Editor. I would argue that this defines Reverse Engineering more so than Reflection does.


Solution:3

Reflection is just a tool to read information from an assembly, so that by itself is not reverse engineering.

If you then use this information to find out how the assembly was created, for example using .NET Reflector to produce readable source code that could generate the same IL code, that is reverse engineering.


Solution:4

I would say Reflection is merely a tool. The use of reflection doesn't necessarily mean reverse engineering.

For example, if you use reflection to discover the signatures of all the public and protected methods in an assembly, that wouldn't mean reverse engineering.

As for a legal standpoint, I suggest you have to look at the law you are worried about to find the definition of reverse engineering.


Solution:5

Reflection is a tool that can be used for many things, including reverse engineering of code. Reflection can be used for many other purposes too; implementing dynamic languages is much easier thanks to reflection, for example.

Reflection alone is also not enough for reverse engineering. You can find information on program structure that way but you still need to decompile the code. Tools like Reflector do add this functionality.


Solution:6

Actually, it's the direct opposite of reverse engineering.

Properly, "reverse engineering" is to look at the results of a process, and work backward, to determine how it got there. Generally, it's done without any knowledge of the original code and generally yields a very different process.

Despite scary threats by copyright holders, it's perfectly legal.

"Disassembly" (aka "Reflection") is just the action of reading bytes on your hard disk, and assigning meaning to them. This is precisely what the CPU does when it runs the code. Here, we are just making it human readable. Again, despite scary threats by copyright holders, it's perfectly legal.

Selling someone else's code (or using it yourself) in a way which prevents the copyright holder from profiting from his work is illegal, but we're not talking about that here.


Solution:7

I think you are talking about two different things here:

  • Reflection is a technique that can be used for reverse engineering (among other things).
  • Reverse engineering is an action that can, but not necessarily must, use reflection for achieving its goals.

From a legal point of view, it depends on your goal, if you are using reflection for the purpose of reverse engineering.

Of course IANAL, but I believe that reverse engineering is not illegal by itself. It can become an illegal activity by proxy, i.e. through violation of copyrights etc.


Solution:8

No. With reflection, you're typically just talking about a different way of invoking methods, or possibly looking at method attributes.

By way of contrast, I expect the product of reverse engineering to produce source code that I can look at to understand the author's algorithms and ideas, which is typically what they're trying to protect.


Solution:9

Legal questions must be asked of lawyers. Lawyers charge money. Not hiring lawyers can cost even more money if you get sued for not asking a lawyer.

Best bet: don't need to ask. Microsoft has already released source for a lot of .NET. See http://www.microsoft.com/resources/sharedsource/default.mspx.


Solution:10

It all depends on the extent you take reflection. If you use a tool like Reflector, or code up something like that yourself, then that would be reverse engineering as you are actually getting to the source code.

Reflection can be used to invoke methods or look at attributes as Don said, but it can also be used to analyze the structure of an assembly and even peek inside to the underlying MSIL code. So one use of reflection might be innocent, and one would be reverse engineering.
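The two levels of reflection that Solutions 4, 5 and 10 distinguish, as an added example that is not part of the original answers: listing public and protected method signatures from metadata, versus pulling the raw IL bytes of a method body with `MethodBase.GetMethodBody()`. The `LicenseChecker` type and the `ReflectionLevels` helper are hypothetical names constructed for this illustration.

```csharp
using System;
using System.Linq;
using System.Reflection;

// Constructed sample type standing in for third-party code (hypothetical).
public class LicenseChecker
{
    public bool IsValid(string key) { return Checksum(key) % 7 == 0; }

    protected virtual int Checksum(string key)
    {
        int sum = 0;
        foreach (char c in key) sum += c;
        return sum;
    }

    private void Audit() { }   // private: excluded from the signature listing
}

public static class ReflectionLevels
{
    // Metadata only: signatures of public and protected methods declared on the type.
    public static string[] Signatures(Type t)
    {
        const BindingFlags all = BindingFlags.Instance | BindingFlags.Static |
            BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
        return t.GetMethods(all)
            .Where(m => m.IsPublic || m.IsFamily || m.IsFamilyOrAssembly)
            .Select(m => m.ReturnType.Name + " " + m.Name + "(" +
                string.Join(", ", m.GetParameters()
                    .Select(p => p.ParameterType.Name + " " + p.Name)) + ")")
            .ToArray();
    }

    // Method body: the raw IL bytes. These are opcodes and metadata tokens,
    // not source; turning them into readable code still needs a decompiler.
    public static byte[] RawIl(MethodBase m)
    {
        MethodBody body = m.GetMethodBody();   // null for abstract/extern methods
        return body == null ? new byte[0] : body.GetILAsByteArray();
    }

    public static void Main()
    {
        foreach (string s in Signatures(typeof(LicenseChecker)))
            Console.WriteLine(s);
        MethodInfo isValid = typeof(LicenseChecker).GetMethod("IsValid");
        Console.WriteLine(BitConverter.ToString(RawIl(isValid)));
    }
}
```

The first call exposes only what a compiler needs to link against the type; the second returns the bytes an IL disassembler or decompiler takes as input, which is why obfuscation of shipped assemblies targets method bodies and names rather than the reflection API itself.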


Solution:11

Reflection is a general computer science term that was in use decades before the introduction of Microsoft .NET Framework (than SUN JVM). The idea was not aimed at reverse engineering applications. That in specific contexts it can be used for this purpose is just accidental. As others have written, reflection is a "tool".


Solution:12

Reflection in many languages like .NET and Java is a patch for poor syntaxes that don't allow you to interact freely with Objects.

In really Object Oriented languages like Smalltalk or Self, you hardly ever need reflection and, if needed, it's by far more powerful than those offered by .NET and Java.

Having said that, I do believe reflection is reverse engineering, considering RE is more like understanding code to do something with it rather than breaking others' protections.

I'm currently working a lot with Drupal (PHP-based), which uses ugly things like concatenating module's names to predefined hook names to find if that function exists, so it can be called later (e.g. module_hook_name).

It's very handy, but I believe in real OO languages that can be avoided by sub-classing an abstract class that can answer any message and subclasses could override that.

Reflection should not be used except for extreme circumstances, which is where you can see flaws of programming languages.

