Procyon/Luyten/goto_w - Exploiting Procyon 101

Discussion in 'BukkitDev Information and Feedback' started by korikisulda, Oct 27, 2014.

Thread Status:
Not open for further replies.
  1. Offline


  2. Offline


    Very nicely detailed, thanks for sharing. :D
    korikisulda likes this.
  3. Offline


    You do know, by posting this, loads of childish coders are going to try to use this as much as possible.
    My advise to everyone at this time is to only download plugins that have been popular for some time.
    Do NOT download magical 'new' plugins from people who have never made a decent plugin before.
  4. Offline


    This is not possible on BukkitDev. Worry about other places code needs to be audited.
  5. Offline


    Very nice tutorial. Did not know this. Learn something new everyday :)
  6. korikisulda I think it's been covered pretty well in IRC and such as to why this guide shouldn't exist, but regardless, it should at least not be in this section. This isn't really BukkitDev feedback/information, is it?
    Hoolean and mbaxter like this.
  7. Offline


    Shouldn't it? Since Curse posted the bugreport links, it was public anyway. That's not a choice I actually made. The choice I had to make was between relative obscurity, or disclosure. Perhaps I made a mistake, but I can't change what happened.
    Regardless, of that, you are correct. Problem is, where?
  8. korikisulda Security through obscurity isn't very reliable, I'll give you that. But it's certainly better than not only no security, but having an actual step-by-step guide showing anyone who happens across is how to exploit the bug. From what I understand, major security issues are usually reported in private, not in public. And the linked reports do not explain exactly how to perform the exploit. This does. Your whole approach is fundamentally wrong here.

    Where? I maintain nowhere on these forums. If I had to pick a section, off-topic would be the most fitting.
    TnT likes this.
  9. Offline


    Fair enough. Prefer the tutorial now? :s
  10. korikisulda Sadly I can't say no harm done, but it's definitely better than it being there. I appreciate you taking it down.
    klosjaarrr and korikisulda like this.
  11. Offline


    And yeah. I made a mistake. I can only apologise for it.

    At the moment, it's impossible to know if any harm was done. I hope not (obviously. I'm not evil or anything :s), but there's little I can do now. Heyho. I suppose the important thing is that I learn from the mistakes.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: Jun 14, 2016
  12. Offline


    Just so everyone knows Kori's work has made it possible for us to get a tool in place to audit files for the presence of these hidden code snippets. We're doing a retroactive scan currently before we start processing new files again.
    korikisulda likes this.
  13. Offline


    This post is worthless.
  14. Offline


    It was originally a tutorial on how to exploit the discussed vulnerability. It was later removed at the author's discretion, and that image was used as a placeholder.
    korikisulda likes this.
  15. Offline


    Absolutely. At least it's worthless instead of potentially harmful.
  16. Offline


    Wow. We have so much to learn; ORACLE HIRE KORI!
    korikisulda likes this.
  17. Offline

    Deleted user

    Are you kidding?

    Oracle did nothing wrong. The only person at any sort of fault is the developer of Procyon, and even then, he's doing it by himself, so it's been an excellent job so far (and even now).
  18. Offline


  19. Offline


    And I thought all along people were doing this to keep others from decompiling there plugins and stealing them :), Thanks for the Info.
  20. Offline


    Well... I mean, you could do that. I'm probably going to theta-level encrypt one of my plugins that way. :3
  21. Offline


    If a JVM can run it, someone can steal it ^.^ In the end, you've put them to more effort, but it's still possible.
  22. Offline


    That, or just go to the memory dump and find your constants lol. But it's more fun to make them do more work. :D
  23. Offline


    Don't be surprised if your plugins take weeks to be approved though....
  24. Offline


    I probably wouldn't put it on BukkitDev. :p
  25. Offline


    Then what's the point? Who can admire your obfuscation art form?
  26. Offline


    There are other places to put up plugins, you know.

    Just none as popular as BukkitDev.
  27. Offline


  28. Offline



    I don't know. Don't question my brilliance! :p
Thread Status:
Not open for further replies.

Share This Page