Researchers Reverse-Engineer Dropbox, Cracking Heavily Obfuscated Python App 242
rjmarvin writes "Two developers were able to successfully reverse-engineer Dropbox to intercept SSL traffic, bypass two-factor authentication and create open-source clients. They presented their paper, 'Looking inside the (Drop) box' (PDF) at USENIX 2013, explaining step-by-step how they were able to succeed where others failed in reverse-engineering a heavily obfuscated application written in Python. They also claimed the generic techniques they used could be applied to reverse-engineer other Frozen python applications: OpenStack, NASA, and a host of Google apps, just to name a few..."
Re:Python? Really? (Score:5, Informative)
even then, all it takes is someone versed in the assembly language of the platform your application runs on, a copy of IDA pro or something similar, and a few hours of his time. I know this is a bit of a lost art in today's world of python and javascript, but it's still valid.
Re:Obfuscated python code? (Score:5, Informative)
http://archive.hack.lu/2012/Dropbox%20security.pptx
"A critical analysis of Dropbox software security", Florian LEDOUX
Re:Python? Really? (Score:4, Informative)
However, there's an interesting twist to the pcode vs. native code dichotomy, from reverse engineering standpoint, as anyone who's well versed in the brain-mangling line noise that calls itself the IOCCC will know. One of the best obfuscations is to embed an interpreter into your code, and then do all the hard work in the bytecode.
Re:Well, there goes Eve Online (Score:5, Informative)
EVE doesn't use IronPython. It uses Stackless Python. And yes, it is possible to decompile the code, and it has been done in the past.
http://evesupernerf.blogspot.co.uk/2012/05/decompiling-eve-client.html [blogspot.co.uk]
https://github.com/wibiti/evedec/blob/master/evedec.py [github.com]
Re:Python? Really? (Score:4, Informative)
Been there. Done that.
I believe it was EA that was doing that way back as part of their DRM for their Commodore 64 disk-based games. It would load the interpreter and a script, then execute the script [drawing it's fancy startup screens, checking for various bad sectors on their disk, over-writing parts of the script and interpreter, loading the game from various parts of the disk].
Re:Waste of resources (Score:5, Informative)
Re:Python? Really? (Score:4, Informative)
Use a non-compiled language, get what you deserve...
Python is compiled, if you distribute *.pyc files only.
Re:Insecure by design (Score:5, Informative)
http://en.wikipedia.org/wiki/Cryptographic_nonce
It is a crypto term.
Re:Wow, amazing. (Score:2, Informative)
Andrew Tridgell was accused of "hacking" BitKeeper because he telnetted in and typed "HELP".
Trusting trust is busted (Score:4, Informative)
ecryptfs+Dropbox is a nice solution (Score:5, Informative)
chinook: ~orp df
Filesystem 1K-blocks Used Available Use% Mounted on
/home/orp/Dropbox/e 491451392 129077764 361240528 27%
chinook: ~orp ls Dropbox/e
./
../
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkw6-7kc4NR3-58yIKIxSsrgk--
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkw9VkRKmwOO95LV0W1qwwNHk--/
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwKsqUWInaV2aVwzvhw6CcW---
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwOggoYf2PUQpQQmgJLHwIaU--/
ECRYPTFS_FNEK_ENCRYPTED.FWZS4gY2TLKRZUavoct.ewyb3LhUsTmtMCkwQEdvushvgMYZ2uRpeRJ9EU--
[etc]
This works with the same partition mounted across multiple machines. Save a file to
The main disadvantage to this approach is that if you are trying to access files on a non-linux machine you are hosed; Lastpass and other password managers that have file encryption functionality can give you cross-platform encryption but not with the nice filesystem access that Dropbox provides.