Good morning,
I have a stripped binary, and I have to bypass ASLR and NX. I have been fighting for three days to find a solution but I cannot find one. I cannot find the libraries linked to the binary, as it is stripped ("not a dynamic object"), to build my ROP chain against. Would someone know about it?
Thanks.
https://security.stackexchange.com/questions/20497/stack-overflows-defeating-canaries-aslr-dep-nx
Maybe this? Also, I think this question is more suitable for the Reverse Engineering or Security Stack Exchange.
Possible Duplicate:
iPhone/iPad App Code Obfuscation - Is it Possible? Worth it?
I have spent a lot of time on this and I couldn't find a perfect answer. That's why I decided to put my question here. I have an iPhone application and want to encrypt the code to prevent it from being dumped by the class-dump or otool utilities (tools used to dump the headers from an executable). I would like to know whether there is any way to encrypt the source code or obfuscate the source code?
It's a lot more complicated than it might seem initially. Any tool that mangles method names has the potential to fudge up:
KVC compliance
The use of dynamically generated selectors
Nib file compatibility
Protocol conformance
Method inheritance
Obfuscation is just another layer to deal with; often obfuscation is easily reversed. It is not really possible to “encrypt” your classes because the Objective-C runtime and Cocoa framework won't know how to decrypt it. Anyone determined enough will eventually figure out how your program works.
Actually, you can provide some obfuscation and tamper protection with specialist third-party tools. There are two companies I know of that provide tools or services to do this: Arxan and irDato.
Neither is cheap or accessible to small developers, but if you are developing for a large corporation, then you should consider them.
Obfuscation is done by mangling code paths and adding redundant instructions so as to confuse anybody trying to reverse engineer the code. Tamper protection is done by adding checksums to the code and embedding checksum checks within functions. You can create a network of interdependent checksums that makes it extremely difficult to bypass them. There are a few other things that can be done but you really need to talk to specialists in this area.
Further to the earlier answer, Apple does not encrypt the binaries but just signs them. It is fairly easy to reverse engineer and modify app binaries on a jailbroken device.
Apparently, according to this answer, Apple encrypts iPhone binaries as a matter of course for all iPhone apps.
I'd stop worrying about it.
Looking for a fast, simple and stable RPC library, I stumbled upon the MessagePack project, which seems to be very good. It is also under active development.
If you used it in any way, could you please share your experience?
P.S. I think this question should be community wiki
Well, after some time I found that MessagePack is not well documented (there was even a non-working tutorial in the wiki for Java), and there are something like 7 outstanding bugs, several months old, without any replies. The code isn't even JavaDoc'ed so that you could pick it up and learn it quickly...
But it seems developer activity there is quite high, despite some outstanding pull requests from the community that are several months old.
So, well, if GPL suits you, go for ICE. If not... don't know yet. Still looking.
I'm also looking into a fast, cross-platform, cross-language, non-GPL-licensed RPC library.
From looking at the C++ source of MessagePack, it seems that it doesn't work on Win32 though, which is a requirement for myself.
Except for that single item, it is on top of my list of serialization/RPC libraries.
http://msgpack.org/ - Win32 missing
http://avro.apache.org/
http://thrift.apache.org/ - Win32 missing
http://bert-rpc.org/
http://www.xmlrpc.com/
http://json-rpc.org/ - GPL license
http://code.google.com/p/protobuf/ - RPC missing
In Lua scripting I found the wxWidgets (wxLua) library very useful, so I wanted to find a binding for Ada and GNAT Programming Studio 2010 (4.4.1). Does it exist at all, and does somebody maybe know how to link it with GNAT?
The only one I found is wxAda, which is about 5 years old and has no hyperlinks to download it.
I'm the author of wxAda and, to be honest, it's a dead duck as it currently stands. At the moment I am looking at a revival by generating the source automatically.
Luke.
Well, the URL you are probably looking for is wxada.tigris.org, but it says right there it is incomplete. Most likely that's the best you are going to get without doing the work yourself.
From the discussion of his problems here it looks like he had solvable issues.
I'm using GNUstep to begin learning Objective-C.
I could find the header files for all of them, but I don't know where to find their implementation files.
I was thinking that with those I could understand the whole programming style and much more.
I am working without a Mac, so does somebody know about any good tutorials that I can use to identify the structure of every class?
For instance, I have to parse an XML file, just to learn,
but I don't know where to start.
Without an IDE it's hard to find out the sequence, and I don't have access to any tutorials that explain this well (all that I get is for iPhone and Cocoa).
I'm concentrating on console programs, so that I can be thorough with the syntax and language.
Please help me.
http://gnustep.org/ is the best resource for GNUstep related information, including source and documentation.
GNUstep has some tutorials and definitely the source code available.
You will find that there are small bits and pieces where Cocoa has moved on, so GNUstep will not recognize new methods and things like properties or any new Objective-C 2.0 stuff and so on.
Wherever you have the source installed, you can find NSString.m here:
/path_to_my_src/gnustep/modules/core/base/Source/NSString.m
What are the programming features that are missing in C++ and Java?
For example, you can't do recursive programming in QBasic, and you can't dynamically allocate memory in QBasic.
What would be the good-to-have features in C++ and Java?
I think Lisp Programmers will be able to add a few.
I miss lambda expressions.
This answer deals only with C++.
Things I miss from the syntax, or the standard library:
RegExp as part of the standard library
Threads as part of the standard library
Pointer to member methods (not objects!)
Properties would be nice (I have seen code that emulates this via the C++ preprocessor... not nice-looking code).
Some lower-level networking API (sockets!), and a higher-level API (give me this file from this FTP server, submit "this" to this site via POST).
This is the list of things I would like to see, but I assume other people will disagree with me.
Memory garbage collector is nice.
An interface for a GUI toolkit - let MSVC map it to Win32, and on Linux... (good question!)
A stable ABI. In C it's a standard - but in C++ we are still missing a few decades. I also want a stable ABI between compilers - I want to compile one library in MinGW, the other with CL, and all should work.
This is the list of things I want to see, but I know they will not go away:
Compatibility with C. Really, it's a myth right now. using namespace std killed it.
Include headers. Most of the information is already available in the DLL/so/a/"library"; do we really need to keep this bad decision from 30 years ago? If needed, the compilers should keep information in the binaries.
The need for Makefiles - the compiler should be smart enough to know what to do with this code, from the code itself. Pascal does this quite well. I think D does too.
(I might be wrong, please correct me) The official standard openly and freely available for viewing. Why should I pay for the official papers? Do I need to do it for HTTP? UTF-8? Unicode?
I think this is a very subjective question. From a theoretical point of view there's nothing "missing" in Java because you can do everything you want to from the perspective of the outcome as an application.
As with QBasic - recursion may not be possible, but that doesn't prevent you from changing your recursive algorithm to an iterative algorithm. Programming language theory tells us that you can do this with every recursive problem. So there's also nothing missing here.
I think what you mean are features that are "nice to have" - and here everyone has to decide for himself. I'd even say there are features in the language which would have been "nice not to have" such as static imports - but again this is my subjective opinion...