▶ No.873408>>873415 >>873423 >>873455 >>874724
How do you reverse engineer custom file formats such as archives?
Are there any resources on doing this?
▶ No.873415>>873416 >>874127
>>873408 (OP)
Oh it's pretty simple. You craft a file that's supposed to go into the decoder. You make small changes and see what happens. If compression is involved, it's most likely deflate or generic lossy file compressors, so bypassing it should be trivial. If not, you're shit out of luck. Reverse-engineering a compression format is like reverse-engineering an encryption algorithm.
▶ No.873416>>873418 >>874127
>>873415
Wait, disregard that. You use a disassembler to produce assembly of the decoder. Then you study the assembly and try to figure out what it does, and craft a file to confirm your theories.
▶ No.873418>>873422
>>873416
what if the decoder binary is unavailable?
▶ No.873422
>>873418
Then you use the previously described approach. Needless to say it's much harder.
▶ No.873423
>>873408 (OP)
>How do you reverse engineer custom file formats such as archives?
Mostly drunk.
▶ No.873433>>873439 >>874097
Depends if you are allowed to study the source or disasm of another implementation.
If you can't for legal reasons you essentially will do small changes to the input and try to find what it changed in the output. It is also very useful to know what you should expect to be stored and you gain this knowledge with familiarity with other formats. Eventually you map out everything and then try to work backwards by changing fields to unseen values or change bytes which haven't been mapped out yet.
▶ No.873439>>873782
>>873433
>If you can't for legal reasons
The only country that I know of that authorizes reverse engineering is Germany.
▶ No.873455>>873754 >>873761 >>873771
>>873408 (OP)
IDA Pro and a decompiler. You don't do that shit by hand anymore, sonny.
▶ No.873754
>>873455
Can I hook IDA Pro up to mednafen and use it to disassemble PSX games?
▶ No.873761>>874127
>>873455
Or simply use Terry's disassembler.
▶ No.873771>>873778
>>873455
>EULA
>"(...) you may NOT disassemble, reverse-engineer (...)"
▶ No.873778
>>873771
>EULA
nobody cares
▶ No.873780>>873796 >>873800 >>876390
>>873441
>>873442
>"hey kid, wanna some free h4x0r pdfs...?"
>*gets infected by opening pdf*
https://security.stackexchange.com/questions/64052/can-a-pdf-file-contain-a-virus
Anyone know good methods to check if a pdf is safe? Preferably one which focuses on pdfs, as general antimalware seems not to be very effective in finding malicious elements in pdfs.
▶ No.873782
>>873439
But only so that government agencies can always reverse anything without ever needing any warrants. You didn't think this was with the average citizen in mind, did you.
▶ No.873796
>>873780
Don't pdf exploits depend on the viewer that is being used?
▶ No.873800>>873839
>>873780
According to Tor and Whonix devs, the PDF reader security ranking goes like this:
Airgapped machine, online viewers that render it on server side, Tor Browser's built-in PDF viewer, local viewers without scripts support, local PDF viewers with scripts support (probably proprietary).
▶ No.873810
pdftotext
pdftohtml
pdftops
pdftopng
Those should do everything you need. They come with xpdf and/or poppler-utils.
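A static triage pass for the question in >>873780, as an added example that is not from any poster in this thread and separate from the poppler tools above: it counts the PDF name keys tied to scripts, auto-run actions and embedded payloads (the pdfid approach), decoding #xx name escapes first so a key written as /J#61vaScript is not missed. The sample PDF bytes are constructed. Keys inside compressed object streams (/ObjStm) are invisible to a plain byte scan, so a hit on /ObjStm only means the scan is blind there.

```python
import re

# Name keys a pdfid-style triage counts: active content, auto-run actions, embedded
# payloads, and object streams that can hide the other keys from a plain byte scan.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/ObjStm")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript reads as /JavaScript before matching.
    Applied to the whole file, so a stray '#' inside binary stream data may also be
    rewritten; for key counting that is an acceptable heuristic."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Return {key: count} for risky name keys found as whole tokens (/JS must not match /JSX)."""
    norm = normalize_names(data)
    counts = {}
    for key in RISKY_KEYS:
        # a name token ends at whitespace or a PDF delimiter character
        pattern = re.escape(key) + rb"(?![^\s/\[\]<>(){}%])"
        n = len(re.findall(pattern, norm))
        if n:
            counts[key.decode()] = n
    return counts

def needs_a_closer_look(counts: dict) -> bool:
    """Script or auto-run keys are the signal worth acting on; /ObjStm alone only
    means the byte scan could not see inside part of the file."""
    return any(k in counts for k in
               ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/RichMedia", "/XFA"))

# Constructed sample: a catalog whose OpenAction points at a JavaScript action with a
# hex-escaped /S name. Not a real document.
SAMPLE_SUSPICIOUS = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n%%EOF\n")
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_SUSPICIOUS), needs_a_closer_look(triage_pdf(SAMPLE_SUSPICIOUS)))
```

A clean count is not a verdict either: rendering the file in a sandboxed or script-free viewer, as the replies above suggest, is still the safer path for anything untrusted.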
▶ No.873823
https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/
https://bugzilla.gnome.org/show_bug.cgi?id=777991
An interesting read too. Not a PDF viewer vulnerability, but rather a vulnerability of RedHat/GNOME Nautilus, a file manager that is notorious for lacking image preview in the year of Our Lord and Savior 2018, that leads to executing privileged scripts when a user thinks he's opening a PDF.
▶ No.873839
>>873800
so, if we don't put on too much tinfoil, Tor Browser's PDF viewer is perfect, right?
▶ No.874063>>874093
>>874000
>with the recent requirements for Qubes it will become impossible to run it on non-backdoored CPUs (Intel ME, and AMD's PSP)
Why and how? Qubes will explicitly *require* ME/PSP, or how is that to be understood? What sense would that make given that it would be in direct opposition to its goals?
▶ No.874093>>874146
>>874063
It will require CPU features that are only available on CPUs that have botnet controllers.
▶ No.874097
>>873433
Can't you do the "clean room" reverse engineering, where one person disassembles and figures out how it works and then tells a second person how it works, who rewrites an implementation?
▶ No.874127>>874129 >>874156 >>874231 >>876228
>>873416
Unless the encoding is really complex, understanding compiler-produced assembly will take ages. >>873415 works better, but only if they don't try to obfuscate it.
>>873761
No disassembler comes even close to IDA. If it didn't cost a fortune I'd buy it for Linux, can't even find a pirate version for x64.
▶ No.874129>>874144
>>874127
>IDA probably gets cracked with IDA
▶ No.874144>>874174
>>874129
it should be hardcoded not to be able to reverse itself.
▶ No.874146>>874150
>>874093
https://www.youtube.com/watch?v=_Aex9RwgHHQ
>chick who makes Qubes worried much about botnet coprocessors (understandably so) because it's botnet
>chick who makes Qubes somehow makes Qubes require botnet coprocessors
What sense does that make
▶ No.874150>>874164
>>874146
From what I remember her justification was that Intel CPUs are the only ones that are viable so you might as well make use of their "security features" since you are trusting them anyway (she pretty much ignores AMD). To her ME is not that different from some academic vulnerability at the transistor level.
▶ No.874156
>>874127
>No disassembler comes even close to IDA. If it didn't cost a fortune I'd buy it for Linux, can't even find a pirate version for x64.
Binary Ninja is pretty good, but it supports fewer architectures and has weaker subroutine / cross referencing detection. Be warned as it is proprietary software like IDA.
I should eventually take some time to find a good free software alternative for my use cases.
▶ No.874160>>874163
>>873442
>>873441
i hate to agree because technology and hacking is all about curiosity and it's good to ask questions, but seriously there are so many sources of information. it seems strange that you wouldn't read a pdf before asking
▶ No.874163
>>874160
>read pdf
>get infected
lol
▶ No.874164>>874167
>>874150
>since you are trusting them anyway
Did she imply this before or after Spectre hit the news?
▶ No.874167
▶ No.874174
>>874144
...and then cracked with a competing disassembler.
▶ No.874235
>>874231
>Zhou Tao, Jiangsu Australia
Jesus, I thought Aussies were meming when they said China was buying them all out
▶ No.874241>>876332
>>874231
>The file you are trying to download is no longer available.
Did you test the link? It doesn't say it's for Linux either. For Windows and Mac there's a leak of the 7.0.
▶ No.874724
>>873408 (OP)
Back in the '80s I used to use a sector editor to modify my game's save files and achieve maximum damage. Here's how I did it with Bard's Tale:
>go into town
>save
>buy an item
>go back to spot I saved at and save again
>look at save file with sector editor
>find item
>wheeee
It's probably harder now though.
▶ No.876228
>>874127
This nigga hasn't even touched radare2
▶ No.876332>>876363 >>876864
>>874241
They offer a free version of 7.0 with less features
▶ No.876363>>876523
>>876332
It's not free, but rather gratis.
▶ No.876390
>>873780
This is stupid, you need to either have JS enabled or click on some stupid dialogue box.
▶ No.876417
▶ No.876523>>876528
>>876363
Those mean the same thing in English.
▶ No.876525
<in the free market all goods are gratis
▶ No.876528>>876548
>>876523
>freedom and at no cost mean the same in english
▶ No.876548
>>876528
Freedom isn't free, Anon. You're no American or you'd know that.
▶ No.876864
>>876332
>less features
Yeah like no fucking debugger.
▶ No.877118