Vulnerability Development mailing list archives
Re: reverse engineer c or java
From: 11a () GMX NET (Bluefish)
Date: Mon, 22 May 2000 17:08:54 +0200
Well, in some sense, I think that copy protection is valid to this mailing list as 'crackability' is a vulnerability itself, obviously, and the simple solution is good programming style and an advanced understanding
Agree, it is not entirely off-topic. But there are mailinglist entirely dedicated to such matters.
of how your code works. Heh, personally, though, I don't believe that there is such a thing as 'uncrackable' shareware. If it dumps hex it can be cracked. This is why it is necessary to understand advanced
'uncrackable' = something hard to crack (intended to be uncrackable). Obviously, nothing is impossible to crack.
standing of the program. For example, what about random number sequencing that is involved with challenge/response authentication programs/protocols?
It's may sound great on the surface, but I doubt it will be usefull in the end. Numerous 'inventive' approaches has failed before. It has to work on the computer, therefore it has to have a logic behind it. Once it is understood, it will be a five minute attack to crack it.
About 'backdoored variants'. If the end user isnt downloading the client (open source or not) from its home site there is a threat of a trojaned binary/source. Should I, as a programmer, worry about people using my source code to make trojaned variants? I shouldn't. Why? If
Agree. I commented upon this because the original author was unspecific about why he wanted to know about it. If he was thinking about such matters, there's no reason not to answer.
someone is downloading my program from a site that is not my own and is not authorized as a distributor it is not my liability when some warez kiddie gets Sub7'd with a backdoored windows version of 'veggie the encryption program'. lol! However, if I am notified of the unauthorized distributor I will send them an email telling the person to take my program off the site.
Actually, I was more thinking about people with access to the binaries in use (administrators or people who has gotten write-access to the binaries somehow) making changes. At a singel company, not at a distributor. Open source / java makes it easier for such attacks. Note that this is not a valid argument against java and/or open source, because the binaries could be backdoored by hexediting them, re-writing them (if it's a simple utility) or simply placing a backdoor frontend, like letting main.exe exectute main.ex_ or something like that...
A final note on what I exactly meant with my 'If you aren't secure about releasing your program to the public open source, you didnt secure your program' motto. That doesn't mean you have to release every program open source, it is just a good measurement tool when finalizing your program. I may not release a program open source, but I will sure make certain I know the code is safe via my motto before I release it.
Yes. This is true. But there *are* situations where it isn't possible to do this, like with distributed.net. How do you let the public aid work with your system (alas, you invite malicious users as well) and expect their responses to be reliable if you give them the entire source code? True, it would still be possible to duplicate the authentic client's responses by reverse-engineering the application, but at least it now is a task which requires more knowledge. And hopefully those who have the abilities to do this realises there's no reason to sabotage a public contest. But, if you except public projects like distributed.net, you are enitrely right.
A note on buffer over-runs in Java. A buffer overrun will stop the program execution as soon as the OutOfBounds Exception occurs in Strings, Arrays, etc. So there is no immediate threat of putting a 0x310xdb0xb80x170xcd0x80 on the stack, heh...
Great! One problem less to concider! ..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team
Current thread:
- Re: Infinite loop in LOTUS NOTE 5.0.3. SMTP SERVER, (continued)
- Re: Infinite loop in LOTUS NOTE 5.0.3. SMTP SERVER Blue Boar (May 20)
- Re: Infinite loop in LOTUS NOTE 5.0.3. SMTP SERVER Stuart Henderson (May 22)
- Re: reverse engineer c or java za () boo ma fu (May 20)
- Outlook, HTML & VBS Joerg Weber (May 21)
- Re: reverse engineer c or java Bluefish (May 21)
- Re: reverse engineer c or java Gordon Messmer (May 21)
- Re: reverse engineer c or java pantera () BALANCEPOINTGOLF COM (May 21)
- Re: reverse engineer c or java Crispin Cowan (May 21)
- Re: reverse engineer c or java Erik Debill (May 22)
- Re: reverse engineer c or java za () boo ma fu (May 21)
- Re: reverse engineer c or java Bluefish (May 22)
- Re: reverse engineer c or java za () boo ma fu (May 22)
- Re: reverse engineer c or java Bluefish (May 23)
- Re: reverse engineer c or java Mark Rafn (May 20)
- Re: reverse engineer c or java Pedro Hugo (May 20)
- Re: reverse engineer c or java phazer (May 20)
- Re: reverse engineer c or java Warner Losh (May 21)
- Re: reverse engineer c or java Liviu Daia (May 22)
- String checking with PHP Arturo Busleiman (May 24)
- Re: String checking with PHP Joe (May 24)
- Re: String checking with PHP Arturo Busleiman (May 24)