Vulnerability Development mailing list archives

Re: reverse engineer c or java

From: 11a () GMX NET (Bluefish)
Date: Tue, 23 May 2000 16:16:27 +0200

This question is for clarity for not only myself but all other
subscribers
to this list. So, you are saying, that if you understand the source code
for great programs like SSH/SSL you can create in 5 min a working attack
against these protocols?


*NO, NO, NO*
I've must have missunderstood you somehow, I thought you were on the topic
of 'uncrackable' shareware. 'uncrackable' in the sense of that crackers
will fail to make keygenerators or similar things to overcome dateexpires
and similar things often perfomed by software pirates.

Sounds like there's a mayor missunderstanding of what you ment from my
side.

when I say 'show me the Proof Of Concept'. Not to mention your resoning
behind the nonchalant attitude of changing the meaning of the word
'uncrackable'... I may just be a 21 year old kid but when someone says


This thread was originally about reverse engineering, and how to stop
people from doing so. 'uncrackable' in the that sense. Not the best use of
term perhaps, but then again I don't often use the term "crack" together
with deciphering.

then this isnt an issue. Besides, if the attacker has admin access why
would he need to backdoor a client =/


That's obviously dependent upon situation and software. Perhaps the
attacker wishes to do his crime and get out fast to escape notice?

True, it would still be possible to duplicate the authentic client's
responses by reverse-engineering the application, but at least it now is a

...

This isn't as simple as you make it sound. You cant guess a correct
128bit
key generated at random under certain environmental conditions just by
reverse engineering a program's code. If that was actually possible the
entire SSH project would be compromised.


I was *not* talking about SSH. I was talking about distributed.net. SSH
relies upon securing communication between point A and B, and then let A
and B do old fashioned password authentication (or RSA authentication by
user's public keys in homedirectories). Distributed.net has the problem
that it offers public access, where as SSH only offers access to trusted
users.

Grab a book from your local library/University on random number
generation and advanced mathematics.


Although you seem to have gotten the impression that I'm a complete idiot,
I'm not (or so I hope ;) ... Most of your email is the result of
missunderstanding my previous post.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

Current thread:

Re: reverse engineer c or java, (continued)
- - - Re: reverse engineer c or java za () boo ma fu (May 20)
    - Outlook, HTML & VBS Joerg Weber (May 21)
    - Re: reverse engineer c or java Bluefish (May 21)
    - Re: reverse engineer c or java Gordon Messmer (May 21)
    - Re: reverse engineer c or java pantera () BALANCEPOINTGOLF COM (May 21)
    - Re: reverse engineer c or java Crispin Cowan (May 21)
    - Re: reverse engineer c or java Erik Debill (May 22)
    - Re: reverse engineer c or java za () boo ma fu (May 21)
    - Re: reverse engineer c or java Bluefish (May 22)
    - Re: reverse engineer c or java za () boo ma fu (May 22)
    - Re: reverse engineer c or java Bluefish (May 23)
    - Re: reverse engineer c or java Mark Rafn (May 20)
    - Re: reverse engineer c or java Pedro Hugo (May 20)
    - Re: reverse engineer c or java phazer (May 20)
    - Re: reverse engineer c or java Warner Losh (May 21)
    - Re: reverse engineer c or java Liviu Daia (May 22)
    - String checking with PHP Arturo Busleiman (May 24)
    - Re: String checking with PHP Joe (May 24)
    - Re: String checking with PHP Arturo Busleiman (May 24)
    - Why not a changeling? Daniel Petzen (May 20)
    - Re: Why not a changeling? Bluefish (May 20)

(Thread continues...)