flat assembler
Message board for the users of flat assembler.

Index > Heap > Scary...

vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7108
Location: Slovakia
vid
Post 26 Dec 2007, 18:59
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16997
Location: In your JS exploiting you and your system
revolution
Huh, what a waste of money. In fasm it can easily be done with a simple macro.

Scary? No, just somebody trying desperately to rip people off with a silly product.
Post 26 Dec 2007, 19:08
vid
In C/C++ too. In any real big project, you should always enclose every string in macro anyway (so it can be translated to other language)... how can people have such stupid ideas???
Post 26 Dec 2007, 19:16
revolution
vid wrote:
how can people have such stupid ideas???
Remember P.T. Barnum's famous line (that he never actually said BTW)?
Post 26 Dec 2007, 19:22
vid
just discovered it, never heard of it before :)
Post 26 Dec 2007, 19:27
gs0000



Joined: 26 Dec 2007
Posts: 5
gs0000
Quote:

Huh, what a waste of money. In fasm it can easily be done with a simple macro.


I am the author of Strcrypt and I don't understand the need for an attack on a product you have never seen or used.

And, FWIW, no, you can't do what it does with a macro. Each string gets a unique key that is randomly generated during each compile cycle. C certainly doesn't have a powerful enough preprocessor to do anything like this. And while MASM-style assemblers certainly have more powerful assemblers:

1) Quite a bit of the world uses other assemblers (like GAS) that have equally lame macro capabilities.

2) The tool is meant for people who want to add it to an existing product with as little changes to their environment as possible. For a company that makes money $300 for a support product is hardly excessive.

Quote:

Scary? No, just somebody trying desperately to rip people off with a silly product.


I created Strcrypt at the request of a customer we were doing work for. They wanted us to make it an official product so we would support it -- so we did. As far as what it is used for, it is used for preventing reverse engineering of automotive firmware. And what makes you think that I am ripping anybody off? Because I don't offer it for free? Because I don't offer it for $20 or whatever you think it's worth. You are free to write your own. But many companies don't have the time. And you know what, to them $300 is worth the time they will save having some guys write a tool to do this.

If you read the documentation I clearly state that it is not 100% foolproof and anybody knows that with enough effort you can get the data out. It is only meant to stop the casual disassembler (read: hobbyist) from seeing things they shouldn't see. And it does that.

Still, having done my fair share of reversing I can say that hiding strings can slow somebody down... especially when running in an ICE is not possible (the CPU's for high-volume stuff frequently have a special die with JTAG/BDM disabled)...

I still see absolutely no reason to just randomly pick on something that people asked us to create because you blindly assume it can be done with a macro in one particular assembler that you use.
Post 26 Dec 2007, 22:36
Plue



Joined: 15 Dec 2005
Posts: 151
Plue
If I own a car I don't see any good reason why you should stop me from disassembling parts of it...
Post 26 Dec 2007, 23:00
bitRAKE



Joined: 21 Jul 2003
Posts: 2818
Location: dank orb
bitRAKE
It'd be silly to brute force the encryption because the decryption code and keys are included. A general solution should be possible with IDA, but prolly more effort than a hobbyist is willing to invest. At $300 it might be cheaper to buy it from you and then reverse engineer your source code. It depends on the price difference between product A and B (that just have different firmware), and how many people are willing to pitch in a couple bucks.
Post 26 Dec 2007, 23:46
vid
Wow, man, you REALLY have quick response.

Okay, i hope you would like to discuss technical stuff, maybe you'll change our opinion:
- do you apply additional protection besides encrypting string?
- how are keys stored? Inside code, as argument to called function?
- is there single decryption routine, or multiple (per-string)?
- how about strings in resources? are they supported?
- position of strings in data is often very predictable. Do you somehow obfuscate length of string? (I mean changing ending-zero byte too, or really changing length of string)

I think you see where I aim: how hard is it to write generic "unpacker"?

My idea is that your code does simply something like this.

Before:
Code:
CallFunc(1, 2, "abcd");
    

after:
Code:
CallFunc(1, 2, DecryptString("\011\123\099\227", 0x1A7764FF));
    

Do I guess right?

If this is what your program does, then sorry, but i think your program isn't worth 300$. Using some free protector would do MUCH better (and yes, there are some for which you won't find unpackers with google), and company will save 300 bucks. Of course, if you wrote it on request, then it's fine to sell it, but 300$ is IMHO really off, if this is really the case.

BTW: Can you provide example of executable protected with this? I promise not to publish any unpacker in case i write one (which is pretty improbable) :)
Post 27 Dec 2007, 00:09
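The before/after rewrite guessed at in the post above, written out as an added C example; it is not part of the thread and is not Strcrypt's actual scheme. The xorshift32 keystream, the names `encrypt_literal` and `image_contains`, and the extra length and output-buffer parameters of `DecryptString` are assumptions made for illustration; the key 0x1A7764FF is the sample value from the post, where a build tool would draw a fresh random key per string.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical keystream generator (xorshift32), seeded by the per-string key. */
static uint32_t next_word(uint32_t *state) {
    *state ^= *state << 13;
    *state ^= *state >> 17;
    *state ^= *state << 5;
    return *state;
}

/* XOR is its own inverse, so one routine serves both the build-time
 * encryptor and the run-time DecryptString(). */
static void xor_stream(uint8_t *buf, size_t len, uint32_t key) {
    uint32_t state = key ? key : 1u; /* xorshift needs a non-zero state */
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)next_word(&state);
}

/* Build-time step: encrypt the literal INCLUDING its terminating NUL, so the
 * stored blob has no zero byte marking where the string ends.
 * Returns the blob length that the call site must carry. */
size_t encrypt_literal(const char *plain, uint32_t key, uint8_t *blob) {
    size_t len = strlen(plain) + 1;
    memcpy(blob, plain, len);
    xor_stream(blob, len, key);
    return len;
}

/* Run-time step: what the rewritten call site invokes. */
const char *DecryptString(const uint8_t *blob, size_t len, uint32_t key, char *out) {
    memcpy(out, blob, len);
    xor_stream((uint8_t *)out, len, key);
    return out;
}

/* What a `strings`-style scan of the image does: search for the raw bytes. */
int image_contains(const uint8_t *image, size_t image_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= image_len; i++)
        if (memcmp(image + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void) {
    uint8_t blob[16];
    char out[16];
    /* Constructed sample: the "abcd" literal and key from the post above. */
    size_t len = encrypt_literal("abcd", 0x1A7764FFu, blob);
    printf("plaintext visible in image: %d\n", image_contains(blob, len, "abcd"));
    /* The key sits at the call site, so the string is hidden from a static
     * byte scan only, not from anyone who follows the call. */
    printf("decrypted at call site: %s\n", DecryptString(blob, len, 0x1A7764FFu, out));
    return 0;
}
```
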
revolution
Didn't mean to offend you gs0000, but $300, come on. For the amount of effort it takes, i.e. not much really ... And how can you justify $300 for support, is it so lame that it needs constant support from your huge team of programmers to keep the customers happy? Do you have many other products you sell for this price? You must all be millionaires.

Here is what I think happened. 1) someone asks you to write a string obfuscator. 2) After about 4 hours work it's done. 3) You sell it to the customer for $300, (a fair price, $75/hr). 4) You decide to sell commercially for the same price.

Am I wrong?


Last edited by revolution on 27 Dec 2007, 01:08; edited 1 time in total
Post 27 Dec 2007, 01:03
gs0000
Quote:

- do you apply additional protection besides encrypting string?


No. While we have other tools that do, this is just meant as one more level of protection. And FWIW, I don't *agree* with preventing disassembly of something I own (e.g. a car), but people asked me to make it. In particular, the people that did ask me were a Slovakian company, so why don't you go ask them.

Quote:

- how are keys stored? Inside code, as argument to called function?


The key is obviously passed to the decryption function as another poster mentioned, it has to be in some way... But it isn't quite so straightforward as in your example.

Quote:

- is there single decryption routine, or multiple (per-string)?


There are multiple and I'll leave it for you to guess what differentiates them. ;)

Quote:

- how about strings in resources? are they supported?


I have no idea what you mean here. If you mean Windows string resources then no -- we have no interest in getting near PCs, Windows, Linux or x86.

I think you are missing the point and what we do. We don't do PC stuff. We do embedded stuff. So typically this means things like ARM and a smattering of other CPUs. Encrypting strings is just one thing. It isn't meant to be the only thing. Typically the products we deploy it in have all custom ASICs which means while we may have an ARM core in there typically you fiddle around with the layout of the IR to make up a unique encoding. Can you write an IDA plug-in to handle the new encoding? Sure. But it does depend on what it is worth to you. And guess what, companies are willing to come up with an actual dollar amount for that.

I understand your position, you are a reverse engineer. You bought something and damn it, you have every right to take it apart to see how it works. By the same token, a company that produces a product is free to make it tough on you. If they didn't, it wouldn't be much fun, would it? By extension, I am free to come along and sell something for what I believe is a fair price ($300 is pretty trivial after sinking $1M into R&D of an ASIC) that helps make it fun. About the only thing I do believe is that the government should keep laws out of this stuff.

I just don't see any reason to bash my product on a public forum because you don't agree with the price. That is just plain old being an asshat. Guess what. It's a free world, and I have no problems if you want to write up a better one and give it away for free.

Quote:

- position of strings in data is often very predictable. Do you somehow obfuscate length of string? (I mean changing ending-zero byte too, or really changing length of string)


Yes we avoid that as much as possible. Guess what, some CPUs are remarkably better at hiding addresses to global data than others. That is why you still need a clue stick. The $300 product is more there just so legally you "paid for it" and get some support from us. Further work on preventing reversing comes with a nice hefty consulting fee. The clue stick is considerably more expensive.

Quote:

I think you see where I aim: how hard is it to write generic "unpacker"?


Again, you are assuming an environment very different from mine. The reason I wrote strcrypt was: (1) A product with a custom instruction set is going to be very hard to reverse. (2) But constant strings within the binary image may give clues that a customer doesn't want. (3) A generic unpacker that just goes to town without guidance from somebody with a clue in the target assembly language is not too likely.

And I think you've looked over the difficulty in writing a parser for C/C++ .... that's much harder than actually encrypting the strings.

Quote:

BTW: Can you provide example of executable protected with this? I promise not to publish any unpacker in case i write one (which is pretty improbable)


I suppose I could if I was so inclined... What HW do you have available? I'm kind of feeling too lazy and pissed off right now though...

I'm more irritated at you guys for just being immature. It's a free world... Feel free to do something better. Heck, do something way better and charge way more for it. I suspect you'll find that the open source community would reject such a thing outright -- and I don't blame them, so offering the tool as open source makes no sense, but if you want, go for it!

But don't whine about something while sitting on your ass. That is just lame.
Post 27 Dec 2007, 01:05
revolution
hehe, gs0000, I hope you realise these posts are public. What will your customers think of you when they read that above?
Post 27 Dec 2007, 01:13
gs0000
Quote:

Didn't mean to offend you gs0000, but $300, come on. For the amount of effort it takes, i.e. not much really ... And how can you justify $300 for support, is it so lame that it needs constant support from your huge team of programmers to keep the customers happy? Do you have many other products you sell for this price? You must all be millionaires.


Well there "Revolution"... The $300 is a legality. Many large companies will not ship with a free product. It gives them no legal liability. The $300 is a *token* amount to bring in the product. You don't really think we make our money off that, do you? If so then you have no clue what running a business actually costs. I assure you, we make our money with consulting fees. Do we have more products than we offer on our website? Yes. Why are they not listed? Not all are as packaged as the two listed.

As far as how customers need support... They don't. Have you ever actually worked at an engineering house? You have to have the little "checkbox" that says "I used a commercially supported product." Some companies have actually complained when we throw code at them along with consulting (our bread & butter) and they didn't pay for it. I don't want to rape our customers -- so I made it a tiny amount.

If you think $300 is a lot of money... That is typically 1 hour of consulting. And that isn't even an outrageous fee for this industry. I'm not twisting your arm to pay it. Did I spam you? Did I send you annoying flyers in the mail? Did I point out how you suck? No. All I asked for in return is the same courtesy. I don't think I'm gonna get that here at all though.

Tell ya what. I promise to go out of business if our customers stop paying.... Which I guess they would if we sucked so hard.
Post 27 Dec 2007, 01:15
gs0000
Quote:

hehe, gs0000, I hope you realise these posts are public. What will your customers think of you when they read that above?


I already showed one customer. The customer was amused. My customers are free to leave us if they don't like anything I say. If the quality of our work does not keep them then there is no point to keeping the doors open.

What do your customers think?
Post 27 Dec 2007, 01:19
vid
Quote:
No. While we have other tools that do, this is just meant as one more level of protection. And FWIW, I don't *agree* with preventing disassembly of something I own (e.g. a car), but people asked me to make it.

Good answer :) If you would do anything extra, then it probably wouldn't be possible to apply any protection on top of it.

Quote:
In particular, the people that did ask me were a Slovakian company, so why don't you go ask them.

I'm seriously tempted to ask them, in case you tell me which company it was :)
At least, in which area does it specialize?

Quote:
The key is obviously passed to the decryption function as another poster mentioned, it has to be in some way... But it isn't quite so straightforward as in your example.

would love to see, think about that example.

Quote:
There are multiple and I'll leave it for you to guess what differentiates them.

ANSI and UTF-16? :lol:

Quote:
I have no idea what you mean here. If you mean Windows string resources then no -- we have no interest in getting near PCs, Windows, Linux or x86.

OK, good approach

Quote:
And I think you've looked over the difficulty in writing a parser for C/C++ .... that's much harder than actually encrypting the strings.

No, i realize this problem (that is the reason why i don't accept your challenge about writing better one and releasing it free ;) ). Aren't there some free usable tools for that?

Quote:
I suppose I could if I was so inclined... What HW do you have available? I'm kind of feeling too lazy and pissed off right now though...

x86 32bit and 64bit, with Windows and Linux. I can run WinCE/ARM code in emulator (I have actual device with WinCE in work, but i seldom go there). I'd prefer x86 32bit windows PE executable example, so i don't have to overcome "side problems" with testing.

Why not release something? You'd get a little "security audit" for free.

Quote:
I'm more irritated at you guys for just being immature. It's a free world... Feel free to do something better. Heck, do something way better and charge way more for it. I suspect you'll find that the open source community would reject such a thing outright -- and I don't blame them, so offering the tool as open source makes no sense, but if you want, go for it!

It's a free world, in which I saw your product, and thought price is too high. In fact, i thought price was ridiculously high (ASProtect, one of best known full-featured PROTECTORs today, sells for that price), and I found that funny enough to share with fellow members here. Note that it is posted in "offtopic" section of forum, where random things like this appear. You were free to defend it here.

What is immature in that?

It is fine for you to sell it at very high price, and if anyone buys it, it's better than fine. But in free world, if you set price too high, you must be prepared that someone will freely point it out somewhere.

Quote:
But don't whine about something while sitting on your ass. That is just lame.

Don't worry, i am doing much stuff, some free, some not. My free project isn't exactly something useful, i do it for fun (check WWW button under my post, and feel free to bash ;) ). Besides that I do lot of free helping / advising people on this board :D. My job is actual protector (maybe that's why i found string encryption for 300$ hilarious), and some virtualization playing around.

You may find market in embedded world, because there is little competitive companies (I know about one WinCE/ARM protector and that's all). It could make some rationale for high price, but that's from demand/supply point of view, not from price/value.
Post 27 Dec 2007, 01:31
revolution
Hmm, something don't add up here.
gs0000 wrote:
For a company that makes money $300 for a support product is hardly excessive.

gs0000 wrote:
As far as how customers need support... They don't.

So if there is no support required then why make people pay for it?

If one of my staff ever came to me and said they need $300 for something they could do in a few hours I would tell them to look for another job.
Post 27 Dec 2007, 01:47
gs0000
Quote:

So if there is no support required then why make people pay for it?


Because companies *want* to pay for support. They want that security blanket. I'm not willing to throw away free money. Oh, and Stringcrypt took more than a few hours to do. And that is what has angered me.... Vid, arguably made a statement about the value you get for the tool. Which I would be fine with if he *knew* what came in the tool.

But neither he nor you know what the value is... That's my gripe. Plus I would argue that embedded software is simply more expensive. Do you think that WindRiver is not ripping people off charging the amount they do for Tornado? Personally, I think it is overpriced. But I've used Tornado for many years...

What I am mad about is the assumption about what the tool does. Anyhow. I'm done feeding this troll for now.
Post 27 Dec 2007, 02:08
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
f0dder
Heh, gs0000... I think you're being a bit aggressive.

Face it, parsing enough C/C++ to do string handling isn't that bad, as long as you don't aim to handle things like macro-concatenated strings etc. $300 for a product like this.

I mean, sure thing, you could take more than that consulting for an individual firm, but pricetagging your string encrypter $300 is skimming the milk. Before you say "yeah well write one yourself, hot shot", be careful what you're wishing. You probably wouldn't like something like that on sourceforge :]
Post 27 Dec 2007, 08:37
0.1



Joined: 24 Jul 2007
Posts: 474
Location: India
0.1
hmmm ...
but why it is scary? :evil:
Post 27 Dec 2007, 09:17
pelaillo
Missing in inaction


Joined: 19 Jun 2003
Posts: 875
Location: Colombia
pelaillo
Wait a moment: $300 just for keeping the "hobbyists" in the dark? You are a wonderful seller!
Post 27 Dec 2007, 19:02

Copyright © 1999-2020, Tomasz Grysztar.