Vulnerability Development mailing list archives

Re: reverse engineer c or java


From: za () boo ma fu (za () boo ma fu)
Date: Sat, 20 May 2000 21:29:39 -0400


Sup,
        I'd like to respond to this question by saying that I don't
believe worrying how reversible your program is is the answer. There
are many java class decompilers, such as my personal favorite 'jad',
that do an excellent job of translating compiled java to actual working
code. In the case of c/c++, there is always a 'ThreatCon Alpha' of
decompilation and disassembly. Any good hacker worth his weight in
code will be able to read the asm statements from a compiled program
or hex from a stripped binary.
        So what would be your most valuable tool to maintain proper
security in any program you write? Write well thought out code.
Learn about common bugs such as bad 'system()' placement or
buffer overruns. If you are dealing with encryption make sure your
code is strong enough so that it isn't easily brute forced. Don't
rely on advanced programming skills as a way to keep code secure
and obfuscated as there will always be someone talented enough to
understand it.
        What I really think good code comes down to is the following.
If you aren't secure enough to release the program to the public
open sourced you didn't secure the program.

Best of luck,
        initd_

initd_ () digital net
http://digital.net/~initd_

Hey KJ. I don't know if this sounds stupid or not, but this is
basically what I want to know.
Matthew

Is there any difference in difficulty between reverse engineering
an executable file or a Java Class? If the C or Java program is
written with security in mind by an experienced programmer, how
long would it take to reverse engineer each version of a fairly
simple application?

The desired effect is to have a program that a client downloads off
the internet, and Matthew wants to know if it should be written in
c or java. Though, I take it both can be reverse engineered by
talented programmers; but I guess he wants to know which would be
harder or more complex to "hack".

I am not too sure, thus I am passing it on to you gurus.

K.J.

"Never argue with an idiot. He will take you down to his level, and
beat you with experience."
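
The two bug classes named in the reply above (bad system() placement and buffer overruns), each shown next to a checked form. This is an added example in C, not code from the original post; the function names, the use of test(1) and the sample inputs are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* strcpy(dst, src) overruns dst when src is longer; refuse such input instead. */
int copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;              /* reject; never truncate silently */
    memcpy(dst, src, n + 1);    /* n + 1 copies the terminator too */
    return 0;
}

/* Bad system() placement, contrast only: the shell parses `path` (';', '|'). */
int exists_unsafe(const char *path)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "test -e %s", path);
    return system(cmd);
}

/* Hardened: no shell; `path` is exactly one argv element of test(1). */
int exists_safe(const char *path)
{
    char *const argv[] = { "test", "-e", (char *)path, NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status); /* 0 = exists, 1 = does not exist */
}

int main(void)
{
    char name[8];               /* constructed sample inputs below */
    printf("fits=%d too_long=%d\n", copy_checked(name, sizeof name, "initd_"),
           copy_checked(name, sizeof name, "constructed-long-input"));
    printf("root=%d injected=%d\n", exists_safe("/"), exists_safe("/ ; id"));
    return 0;
}
```

With the hardened form the input "/ ; id" is looked up as a single (nonexistent) file name, so nothing after the semicolon is ever executed.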

