Researchers Reverse-Engineer Dropbox, Cracking Heavily Obfuscated Python App

rjmarvin writes "Two developers were able to successfully reverse-engineer Dropbox to intercept SSL traffic, bypass two-factor authentication and create open-source clients. They presented their paper, 'Looking inside the (Drop) box' (PDF) at USENIX 2013, explaining step-by-step how they were able to succeed where others failed in reverse-engineering a heavily obfuscated application written in Python. They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen python applications: OpenStack, NASA, and a host of Google apps, just to name a few..."

Where is your god now?

[Anonymous Coward]

/popcorn

Re:Where is your god now?

[Anonymous Coward]

Better delete your dropbox-hosted /copporn

Wow, amazing.

[RightSaidFred99]

They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen python applications: OpenStack...

Wow, they can reverse engineer OpenStack? That's amazing - what do they use, an obscure set of commands called "wget", "git", and "tar"?

Trying to obfuscate python was never going to work

[Anonymous Coward]

They should have written it in perl.

Re:Waste of resources

[Anonymous Coward]

To lock the crazy people inside.

Re:Well, there goes Eve Online

[MBGMorden]

And yes, it is possible to decompile the code, and it has been done in the past.

Awesome. With any luck they'll get an alternative client working. Shouldn't be too hard to set it up as a plugin to Microsoft Excel.

Re:Trying to obfuscate python was never going to w

[Anonymous Coward]

They should have written it in perl.

They would have missed the fun of seeing how obfuscation made the code harder to read.

Re:Well, there goes Eve Online

[Anonymous Coward]

Awesome. With any luck they'll get an alternative client working. Shouldn't be too hard to set it up as a plugin to Microsoft Excel.

You've already got a flight simulator, what more do you want??

Re:Well, there goes Eve Online

[Anonymous Coward]

A spreadsheet simulat.... wait...

Re:Trying to obfuscate python was never going to w

[Buchenskjoll]

Yes, only with Perl would they be able to implement security through obscurity and open-source it at the same time.

Re:NANDputer

[ColdWetDog]

How do you know the machine building your CPU will not inject a backdoor in it?

Because Kevin Horton's NANDputer was built by hand out of a pile of 74HC00 (quad 2-input NAND gate) ICs on a breadboard [hackaday.com]. There isn't enough room in any single 7400 to insert a backdoor.

Hell, a breadboard full of 7400's is big enough to put in a real back door, complete with hinges.