Hacker News new | ask | show | jobs
by wladimir 4671 days ago
How could there have been any doubts that the heavily obfuscated Python could be reverse engineered? Me, and some others, did it quite a while ago. It wasn't a lot of work to find the opcode mapping using frequency analysis and a bit of reasoning (ie, mapping against known libraries). Anyone remember dropship? https://en.wikipedia.org/wiki/Dropship_(software) I wonder if they're going to send a takedown request this time too.

Oh I see dropship is mentioned in the paper, great :)

In any case, interesting that they found some previously unknown security holes this way. This again proves that security through obscurity, at least for client software, doesn't work. When will people learn. You can't hide anything on the client for the user, at least not for long.
2 comments
quasque 4671 days ago
It does raise the bar slightly though, so is still worth doing. Instead of simply running the pyc files through a decompiler as would be the case without obfuscation, one has to reverse engineer their modified Python binary to figure out the altered format of the code blocks. This is not a very common set of skills.
link
randuser 4671 days ago
Obfuscated code is surely harder to understand and work with than original code with descriptive variable names, comments, formatting, etc. Wouldn't this make it more difficult to find vulnerabilities?
link
jacquesm 4671 days ago
It makes it just as easy for the whitehats and for the blackhats so it makes no difference. It may give some people a false sense of security that they would have not had if they were able to look at the code.

Presumably dropbox is through its enormous distribution a very fat target and I find it hard to believe that this published effort would be the first instance of such an undertaking. You're average blackhat isn't going to publish his hack but will market it for all it is worth.

Then you get pages like these:

http://1337day.com/exploit/description/19604

(click 'ok')

I don't think the dropbox team obfuscates their code as a security measure, they more likely do it to increase the depth of their moat by a little bit and to make it a bit harder to write third party clients against their non-published api's.

link
cLeEOGPw 4671 days ago
Then the question becomes, is it more beneficial to make it difficult to find vulnerabilities, or make it easier and fix it when found.
link