PSA: Decompiler Vulnerability

Discussion in 'Community News and Announcements' started by Kaelten, Oct 26, 2014.

Thread Status:
Not open for further replies.
  1. Toyz That still doesn't demonstrate how it's run without indication that something fishy is going on in the code of the plugin, though.
  2. Offline


    But can't people obfuscate there code. It's legal and because lots of noobs like to copy plugins.
  3. Yes. And obfuscation is actually pretty terrible at hiding the intent of code. People still reverse-engineer something as massive as Minecraft. A plugin is nothing compared.
  4. Offline


    Unless you have so many junk code. You'll be screwed.
  5. Not really, no.
  6. Offline


    Obfuscation just alters the effort:reward ratio. You're never going to obfuscate something to the point that it can never be dissected. At best, you just make it take less effort to write an independent implementation.

    On topic, I find this an interesting little trick, reminded me of various exploits I played with about a decade ago in a C course. Though this is more a flaw in the tools rather than a potential weakness of the language.
    korikisulda likes this.
  7. Yup! I'd say the most important lesson to be taken from all this is to make sure your tools work for the specification they're written against. Especially if you're the one writing them.

  8. If there is a will there is a way, if you were to load or even download a *.dll and call methods through Native Access, some level of obfuscation through multiple languages, reflection reflecting reflections, bytecode manipulation, ect. would make things just as difficult. The tools they use doesn't change how easy it would be to submit a hack or such. It is eyes on examination to make a determination that "something doesn't look right". You wouldn't think to highly of google if the play store just automatically approved apps, if you were the one to have your banking app injected into, you wouldn't feel so great. I'm not making an accusation, just thinking the pieces don't fit. To be honest this community is dwindling and the way things have been handled have been horrible. They exposed there hand in everything. So I don't quite think that "that" is the most important lesson. They still have a long way to go in a short time to do it.

    tl;dr check the highlights.
    slipcor likes this.

  9. I didn't say who the lesson is most important for. In this case, I simply meant anyone who is disassembling for auditing purposes.
    Sure, Curse has its problems, but as I wasn't referring to them...

  10. However I do have to mention... There is a better way to expose security vulnerabilities.

    Might want to take a little read on

    It's helpful to give people time to fix a problem before exposing it to the world (reddit). You don't know who else uses what tools... *Cough* other android markets *Cough*. Although you gave me something new to look for in apps I install and I even made my antivirus aware of this exploit, considering I'm not sure what binaries they are looking for.
  11. Yes. For me, the most important lesson was regarding disclosure ^.^ At some point, there are going to be patches for one or two additional problems. You probably won't ever know exactly what they are ;)

    Procyon has been patched. I imagine there will be a release relatively shortly.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: Jun 14, 2016
  12. Offline


    okay. I know I may not know much on this subject but wouldnt it be easier to hire. (yes I said hire) a few hackers to fix this problem. its been know to have others hire hackers to protect software and make it so everything is safe. alot of company's do this.
    DBO means -
    • The DBO is a user that has implied permissions to perform all activities in the database. Any member of the sysadmin fixed server role who uses a database is mapped to the special user inside each database called DBO. Also, any object created by any member of the sysadmin fixed server role belongs to DBO automatically
    Problem is fixed. Thread is closing. -resba
    -sleaker \/
    Didn't quite fix the whole issue it seems, DBO is now intermittently inaccessible to me with the same error.

    It seems more like this issue was patched for a permanent fix, but there are still some underlying issues with the server, bukkit is probably aware of them, but just thought I'd mention it.
  13. Doesn't DBO stand for "Dev Bukkit Org?" o_o

    Have... have I been living a lie? D:
    korikisulda likes this.
  14. Yes. Let's hire some hackers to deal with the contained exploit which will shortly have a patch. Why not? Money? Money? Tonnes of it to waste.
    DBO as DataBase Owner. What? I don't even... How... Why... What does this have to do with this? This isn't even like a MySQL thing, it's MSSQL. I.. What. Um.
    K then?
    This being or database owner? Have you been doing something you're not telling us about? *curls up in corner and hides face* Don't hurt me! D:
    Uh yeah. Yeah. If you read the post, my posts, and the bugreports, then you'd kind of ALREADY KNOW THAT AND WHY MEfpoiaepoiarefpaoirpeaofapkbs[oq[eifwpreoitq[poiq[p​
    May I humbly suggest that YOU HAVE NO IDEA WHAT YOU'RE TALKING ABOUT OR WHAT THIS IS ABOUPEtjpIFDPIJErpea9tupseritporesworeins​tantly transport a programmer's consciousness into a world of ceaseless screaming, he comes, the pestilent slithy regex-infection wil​l devour your HT​ML parser, application and existence for all time like Visual Basic only worse he comes he comes do not fi​ght he com̡e̶s, ̕h̵i​s un̨ho͞ly radiańcé destro҉ying all enli̍̈́̂̈́ghtenment, HTML tags lea͠ki̧n͘g fr̶ǫm ̡yo​͟ur eye͢s̸ ̛l̕ik͏e liq​uid pain, the song of re̸gular exp​ression parsing will exti​nguish the voices of mor​tal man from the sp​here I can see it can you see ̲͚̖͔̙î̩́t̲͎̩̱͔́̋̀ it is beautiful t​he final snuffing of the lie​s of Man ALL IS LOŚ͖̩͇̗̪̏̈́T ALL I​S LOST the pon̷y he comes he c̶̮omes he comes the ich​or permeates all MY FACE MY FACE ᵒh god no NO NOO̼O​O NΘ stop the an​*̶͑̾̾​̅ͫ͏̙̤g͇̫͛͆̾ͫ̑͆l͖͉̗̩̳̟̍ͫͥͨe̠̅s ͎a̧͈͖r̽̾̈́͒͑e n​ot rè̑ͧ̌aͨl̘̝̙̃ͤ͂̾̆ ZA̡͊͠͝LGΌ ISͮ̂҉̯͈͕̹̘̱ TO͇̹̺ͅƝ̴ȳ̳ TH̘Ë͖́̉ ͠P̯͍̭O̚​N̐Y̡ H̸̡̪̯ͨ͊̽̅̾̎Ȩ̬̩̾͛ͪ̈́̀́͘ ̶̧̨̱̹̭̯ͧ̾ͬC̷̙̲̝͖ͭ̏ͥͮ͟Oͮ͏̮̪̝͍M̲̖͊̒ͪͩͬ̚̚͜Ȇ̴̟̟͙̞ͩ͌͝S̨̥̫͎̭ͯ̿̔̀ͅpgkfdsmvpkfgpwoirpqriuoiuHOUOU&O¶ŋẃđŧýé¶ŧíħŋóé߶íúŋßó¶éíúŋẃéóíŧéoi
    Gnat008 and AdamQpzm like this.
  15. Message was unclear, started communicating with symbols. :p

    Edit korikisulda Woah, it's even weirder now.
    korikisulda likes this.
  16. You're funny. Let me know when you come down off your pedestal.
  17. ...

    I borrowed a little from here

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: Jun 14, 2016
  18. I mistakenly took your comment as patronizing than genuine. Sorry the context can go different ways.
  19. Oh, good. No, I did genuinely just mean that I had disclosed it responsibly. No patronising intent. Apologies if it seemed that way.
  20. Offline


    Well you did mention DBO and thats the real definition of it sorry for my mistake. and it sounds like you just read the punishments for me in a HTML bible or something.
    Now I know how confused I really am. (I only work with java script sorry)
  21. Lol kinda. It's part of one of the answers on a question on stackexchange asking how to parse XHTML with regex. Needless to say, that's a bad idea.
  22. Offline


    Now, its confusing but. I have made many bukkit servers and I cant make them anymore cause you guys are not allowed to supply the files correct?
  23. ak1rby That's, like, completely irrelevant to this post but yet that is correct, yes.
    korikisulda likes this.
  24. Sort of. As the result of a copyright dispute, Bukkit's official API implementation (CraftBukkit) can now no longer be released. Bukkit (as in the non-functional API) is still distributable. For the moment, it looks like CraftBukkit is dead.
    However, there are other implementations. I have been led to believe that Spigot's 1.8 version will be released at the end of this month (although don't hold me to that), and if you can find a 1.7.2 Spigot build, they posted the hashes for verification (they were obliged to stop hosting their files too, as they are based on CraftBukkit).
    I hope this is of help, but please note that I can't help you obtain any of these files, and these forums do not support unofficial implementations.
  25. korikisulda What do you mean non-functional? I happen to use the Bukkit API to convert Strings to their coloured version as they would be on Minecraft in many programs outside of plugins and Minecraft because... erm... Okay, I don't do that, but the API isn't non-functional. It's just very limited functionality, which doesn't include running a server :p
  26. Lol. To a non-developer, it's useless though ;) Stop confusing everyone with your facts!
    AdamQpzm likes this.
  27. Offline


    If its not to much trouble I wanna increase my coding and I only know java script.
    What kind of program do you use for coding?
    ( helps you with coding btw)
  28. ak1rby I have to say I admire the way you start of request advice, but by the end of the post, you're giving it :p
    korikisulda likes this.
  29. Offline


    yeah but I mean what kind of program do you use to make plugins for minecraft. my bad lol thats what I ment to say I know you use eclipse but which eclipse?
  30. korikisulda
    AdamQpzm likes this.
Thread Status:
Not open for further replies.

Share This Page