Vulnerability Development mailing list archives
Re: reverse engineer c or java
From: sebastion () IRELANDMAIL COM (Jeff Bachtel)
Date: Tue, 23 May 2000 10:51:14 -0500
The problem is that with optimizing compilers, a given output of the compiler has an infinite (or thereabouts ;) number of possible source programs. The fact is, that a decompiler can produce perfectly valid C code, that makes no sense to normal humans. This does not take into account self-modifying code, which would require a decompiler coupled with a simulation engine, and logic to detect flow between possible states of the program, and the algorythmns used. Now, for the guy who was blabbering incessantly (initd_ ?) about review of source code of say ssh/ssl. BlueBoar wasn't saying that they were vulnerable to a trivial exploit... he was saying that IF a protocol or piece of code is vulnerable to a trivial exploit, it can usually be found quickly by walking through the code (but obviously not too quickly, the source code for RSAREF had been out there HOW long before sshd exploits popped up?). It is interesting to note, however, that in contrast to initd_'s own example (ssh), there IS a vulnerability that was found in its protocol leading to possible session hijacking (which was fixed in the ssh2 protocol) jeff On Sat, May 20, 2000 at 02:13:51PM -0300, AnorEXia wrote:
Hm Writing a tool for decompiling C or C++ in my fool mind would be done by turning from hexadecimal code to assembly, then you should create a "interface" that reverse what most compilers do, that is, language->assemby, by so, it should be assembly->C I didn't see any of this tools yet, if someone did, appoint me ----- Original Message ----- From: phazer <phazer () TALOCAN DHS ORG> To: <VULN-DEV () SECURITYFOCUS COM> Sent: Sunday, May 21, 2000 1:47 AM Subject: Re: reverse engineer c or java : Check out this nice tool: : http://www.geocities.com/SiliconValley/Bridge/8617/jad.html : It will decompile java .class files into java source code.. I don't know : if there are similar programs for C, but i believe it's a lot : harder to decompile than java. : : -phazer : : On Fri, 19 May 2000, kj wrote: : : >> Hey KJ. I don't know if this sounds stupid or not, but this is : >> basically what I want to know. : >> Matthew : >> : >> Is there any difference in difficulty between reverse engineering : >> an executable file or a Java Class. If the C or Java program is : >> written with security in mind by an experienced programmer, how : >> long would it take to reverse engineer each version of a fairly : >> simple application? : > : > : >The desired effect is to have a program that a client downloads off : >the internet, and Matthew wants to know if it should be written in : >c or java. Though, I take it both can be reversed engineered by : >talented programmers; but I guess he wants to know which would be : >harder or more complex to "hack". : > : >I am not too sure, thus I am passing it on to you gurus. : > : >K.J. : > : >"Never argue with an idiot. He will take you down to his level, and : >beat you with experience." : > :
Current thread:
- Re: reverse engineer c or java AnorEXia (May 20)
- Re: reverse engineer c or java Jacek Lipkowski (May 21)
- Re: reverse engineer c or java Bluefish (May 22)
- Re: reverse engineer c or java Jeff Bachtel (May 23)
- Re: reverse engineer c or java Crispin Cowan (May 28)
- <Possible follow-ups>
- Re: reverse engineer c or java Miller, Timothy (May 21)
- Re: reverse engineer c or java Zoa_Chien (May 22)
- Re: reverse engineer c or java Michael Wojcik (May 22)
- Re: reverse engineer c or java Matt inAmsterdam (May 24)
- Re: reverse engineer c or java Matt inAmsterdam (May 25)
- Re: reverse engineer c or java Jacek Lipkowski (May 21)