Re: reverse engineer c or java

[sebastion () IRELANDMAIL COM (Jeff Bachtel)]

The problem is that with optimizing compilers, a given output of the
compiler has an infinite (or thereabouts ;) number of possible source
programs. The fact is, that a decompiler can produce perfectly valid C
code, that makes no sense to normal humans.

This does not take into account self-modifying code, which would
require a decompiler coupled with a simulation engine, and logic to
detect flow between possible states of the program, and the
algorythmns used.

Now, for the guy who was blabbering incessantly (initd_ ?) about
review of source code of say ssh/ssl. BlueBoar wasn't saying that they
were vulnerable to a trivial exploit... he was saying that IF a
protocol or piece of code is vulnerable to a trivial exploit, it can
usually be found quickly by walking through the code (but obviously
not too quickly, the source code for RSAREF had been out there HOW
long before sshd exploits popped up?).

It is interesting to note, however, that in contrast to initd_'s own
example (ssh), there IS a vulnerability that was found in its protocol
leading to possible session hijacking (which was fixed in the ssh2
protocol)

jeff

On Sat, May 20, 2000 at 02:13:51PM -0300, AnorEXia wrote:
> Hm
> Writing a tool for decompiling C or C++ in my fool mind would be done
> by turning from hexadecimal code to assembly, then you should create a
> "interface" that reverse what most compilers do, that is,
> language->assemby, by so, it should be assembly->C
>
> I didn't see any of this tools yet, if someone did, appoint me
> ----- Original Message -----
> From: phazer <phazer () TALOCAN DHS ORG>
> To: <VULN-DEV () SECURITYFOCUS COM>
> Sent: Sunday, May 21, 2000 1:47 AM
> Subject: Re: reverse engineer c or java
>
>
> : Check out this nice tool:
> : http://www.geocities.com/SiliconValley/Bridge/8617/jad.html
> : It will decompile java .class files into java source code.. I don't
> know
> : if there are similar programs for C, but i believe it's a lot
> : harder to decompile than java.
> :
> : -phazer
> :
> : On Fri, 19 May 2000, kj wrote:
> :
> : >> Hey KJ. I don't know if this sounds stupid or not, but this is
> : >> basically what I want to know.
> : >> Matthew
> : >>
> : >> Is there any difference in difficulty between reverse engineering
> : >> an executable file or a Java Class. If the C or Java program is
> : >> written with security in mind by an experienced programmer, how
> : >> long would it take to reverse engineer each version of a fairly
> : >> simple application?
> : >
> : >
> : >The desired effect is to have a program that a client downloads off
> : >the internet, and Matthew wants to know if it should be written in
> : >c or java. Though, I take it both can be reversed engineered by
> : >talented programmers; but I guess he wants to know which would be
> : >harder or more complex to "hack".
> : >
> : >I am not too sure, thus I am passing it on to you gurus.
> : >
> : >K.J.
> : >
> : >"Never argue with an idiot. He will take you down to his level, and
> : >beat you with experience."
> : >
> :