On 14/06/18 08:21, DigitalDesigns wrote:
On Thursday, 14 June 2018 at 02:13:58 UTC, Shachar Shemesh wrote:
With that said, what you're trying to achieve is probably not a good idea anyways. With very few exceptions(1), reverse-engineering code to figure out what it does is not considerably more difficult than using the source, even when none of the identifiers leak at all. Certain aspects of creating attacks are even easier with good rev-eng tools than in source form.

Shachar


Just one question! Are you kidding me?

First of all, run your program under strace. For a surprising percentage of programs, that should give you a fairly good idea of what the program is doing. ltrace goes further, but it can be easily defeated by statically linking, so it is probably irrelevant for our current discussion.

Next, try loading your program in Ida Pro (https://www.hex-rays.com/products/ida/index.shtml). You will notice that program flow practically jumps out at you with no further work on your part.

Other tricks require a little more knowledge, but are still exceedingly effective.

In a demonstration I saw in 2002, Halvar Flake showed how he used Ida to graph the branches, and then used a tool he built to place breakpoints on the branch points. Next he started feeding inputs to the program, and colored the graph where the input sent the code. He used that to find the correct input that would bring the code path to the line he thought might be vulnerable.

If I had to do this trick today for *my own* programs, I'd still use Ida and the compiled code.

So, no, I was not kidding. Not even close.

Shachar
