Re: reverse engineer c or java

[11a () GMX NET (Bluefish)]

>       Well, in some sense, I think that copy protection is valid to this
> mailing list as 'crackability' is a vulnerability itself, obviously, and
> the simple solution is good programming style and an advanced
> understanding

Agree, it is not entirely off-topic. But there are mailinglist entirely
dedicated to such matters.

> of how your code works. Heh, personally, though, I don't believe that
> there is such a thing as 'uncrackable' shareware. If it dumps hex it can
> be cracked. This is why it is necessary to understand advanced

'uncrackable' = something hard to crack (intended to be uncrackable).
Obviously, nothing is impossible to crack.

> standing of the program. For example, what about random number
> sequencing
> that is involved with challenge/response authentication
> programs/protocols?

It's may sound great on the surface, but I doubt it will be usefull in the
end. Numerous 'inventive' approaches has failed before. It has to work on
the computer, therefore it has to have a logic behind it. Once it is
understood, it will be a five minute attack to crack it.

>       About 'backdoored variants'. If the end user isnt downloading the
> client (open source or not) from its home site there is a threat of a
> trojaned binary/source. Should I, as a programmer, worry about people
> using my source code to make trojaned variants? I shouldn't. Why? If

Agree. I commented upon this because the original author was unspecific
about why he wanted to know about it. If he was thinking about such
matters, there's no reason not to answer.

> someone is downloading my program from a site that is not my own and is
> not authorized as a distributor it is not my liability when some warez
> kiddie gets Sub7'd with a backdoored windows version of 'veggie the
> encryption program'. lol! However, if I am notified of the unauthorized
> distributor I will send them an email telling the person to take my
> program
> off the site.

Actually, I was more thinking about people with access to the binaries in
use (administrators or people who has gotten write-access to the binaries
somehow) making changes. At a singel company, not at a distributor. Open
source / java makes it easier for such attacks.

Note that this is not a valid argument against java and/or open source,
because the binaries could be backdoored by hexediting them, re-writing
them (if it's a simple utility) or simply placing a backdoor frontend,
like letting main.exe exectute main.ex_ or something like that...

>       A final note on what I exactly meant with my 'If you aren't secure
> about releasing your program to the public open source, you didnt secure
> your program' motto. That doesn't mean you have to release every program
> open source, it is just a good measurement tool when finalizing your
> program.
> I may not release a program open source, but I will sure make certain I
> know the code is safe via my motto before I release it.

Yes. This is true. But there *are* situations where it isn't possible to
do this, like with distributed.net. How do you let the public aid work
with your system (alas, you invite malicious users as well) and expect
their responses to be reliable if you give them the entire source code?

True, it would still be possible to duplicate the authentic client's
responses by reverse-engineering the application, but at least it now is a
task which requires more knowledge. And hopefully those who have the
abilities to do this realises there's no reason to sabotage a public
contest.

But, if you except public projects like distributed.net, you are
enitrely right.

>       A note on buffer over-runs in Java. A buffer overrun will stop
> the program execution as soon as the OutOfBounds Exception occurs in
> Strings, Arrays, etc. So there is no immediate threat of putting a
> 0x310xdb0xb80x170xcd0x80 on the stack, heh...

Great! One problem less to concider!

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team