PSA: Decompiler Vulnerability

Discussion in 'Community News and Announcements' started by Kaelten, Oct 26, 2014.

Thread Status:
Not open for further replies.
  1. Offline

    AdamQpzm

    Toyz That still doesn't demonstrate how it's run without indication that something fishy is going on in the code of the plugin, though.
     
  2. Offline

    SeniorCluckers

    But can't people obfuscate their code? It's legal and because lots of noobs like to copy plugins.
     
  3. Offline

    korikisulda

    Yes. And obfuscation is actually pretty terrible at hiding the intent of code. People still reverse-engineer something as massive as Minecraft. A plugin is nothing compared.
     
  4. Offline

    SeniorCluckers

    Unless you have so much junk code. You'll be screwed.
     
  5. Offline

    korikisulda

    Not really, no.
     
  6. Offline

    LokiChaos

    Obfuscation just alters the effort:reward ratio. You're never going to obfuscate something to the point that it can never be dissected. At best, you just make it take less effort to write an independent implementation.

    On topic, I find this an interesting little trick, reminded me of various exploits I played with about a decade ago in a C course. Though this is more a flaw in the tools rather than a potential weakness of the language.
     
    korikisulda likes this.
  7. Offline

    korikisulda

    Yup! I'd say the most important lesson to be taken from all this is to make sure your tools work for the specification they're written against. Especially if you're the one writing them.
     
  8. Offline

    Deathmarine Retired Staff


    If there is a will there is a way. If you were to load or even download a *.dll and call methods through Native Access, some level of obfuscation through multiple languages, reflection reflecting reflections, bytecode manipulation, etc. would make things just as difficult. The tools they use don't change how easy it would be to submit a hack or such. It is eyes-on examination to make a determination that "something doesn't look right". You wouldn't think too highly of Google if the Play Store just automatically approved apps; if you were the one to have your banking app injected into, you wouldn't feel so great. I'm not making an accusation, just thinking the pieces don't fit. To be honest this community is dwindling and the way things have been handled has been horrible. They exposed their hand in everything. So I don't quite think that "that" is the most important lesson. They still have a long way to go in a short time to do it.

    tl;dr check the highlights.
     
    slipcor likes this.
  9. Offline

    korikisulda


    I didn't say who the lesson is most important for. In this case, I simply meant anyone who is disassembling for auditing purposes.
    Sure, Curse has its problems, but as I wasn't referring to them...
     
  10. Offline

    Deathmarine Retired Staff


    However I do have to mention... There is a better way to expose security vulnerabilities.
    http://help.github.com/articles/responsible-disclosure-of-security-vulnerabilities/

    Might want to take a little read on
    http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html

    It's helpful to give people time to fix a problem before exposing it to the world (reddit). You don't know who else uses what tools... *Cough* other android markets *Cough*. Although you gave me something new to look for in apps I install and I even made my antivirus aware of this exploit, considering I'm not sure what binaries they are looking for.
     
  11. Offline

    korikisulda

    Yes. For me, the most important lesson was regarding disclosure ^.^ At some point, there are going to be patches for one or two additional problems. You probably won't ever know exactly what they are ;)

    Procyon has been patched. I imagine there will be a release relatively shortly.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 14, 2016
  12. Offline

    ak1rby

    Okay. I know I may not know much on this subject but wouldn't it be easier to hire (yes I said hire) a few hackers to fix this problem? It's been known to have others hire hackers to protect software and make it so everything is safe. A lot of companies do this.
    --------------------------------------------------------------------------------------------------
    DBO means -
    • The DBO is a user that has implied permissions to perform all activities in the database. Any member of the sysadmin fixed server role who uses a database is mapped to the special user inside each database called DBO. Also, any object created by any member of the sysadmin fixed server role belongs to DBO automatically
    ----------------------------------------------------------------------------------------------
    Problem is fixed. Thread is closing. -resba
    -sleaker \/
    Didn't quite fix the whole issue it seems, DBO is now intermittently inaccessible to me with the same error.

    It seems more like this issue was patched for a permanent fix, but there are still some underlying issues with the server, bukkit is probably aware of them, but just thought I'd mention it.
     
  13. Offline

    ColonelHedgehog

    Doesn't DBO stand for "Dev Bukkit Org?" o_o

    Have... have I been living a lie? D:
     
    korikisulda likes this.
  14. Offline

    korikisulda

    Yes. Let's hire some hackers to deal with the contained exploit which will shortly have a patch. Why not? Money? Money? Tonnes of it to waste.
    DBO as DataBase Owner. What? I don't even... How... Why... What does this have to do with this? This isn't even like a MySQL thing, it's MSSQL. I.. What. Um.
    K then?
    This being dev.bukkit.org or database owner? Have you been doing something you're not telling us about? *curls up in corner and hides face* Don't hurt me! D:
    Uh yeah. Yeah. If you read the post, my posts, and the bugreports, then you'd kind of ALREADY KNOW THAT AND WHY MEfpoiaepoiarefpaoirpeaofapkbs[oq[eifwpreoitq[poiq[p​
    May I humbly suggest that YOU HAVE NO IDEA WHAT YOU'RE TALKING ABOUT OR WHAT THIS IS ABOUPEtjpIFDPIJErpea9tupseritporesworeins​tantly transport a programmer's consciousness into a world of ceaseless screaming, he comes, the pestilent slithy regex-infection wil​l devour your HT​ML parser, application and existence for all time like Visual Basic only worse he comes he comes do not fi​ght he com̡e̶s, ̕h̵i​s un̨ho͞ly radiańcé destro҉ying all enli̍̈́̂̈́ghtenment, HTML tags lea͠ki̧n͘g fr̶ǫm ̡yo​͟ur eye͢s̸ ̛l̕ik͏e liq​uid pain, the song of re̸gular exp​ression parsing will exti​nguish the voices of mor​tal man from the sp​here I can see it can you see ̲͚̖͔̙î̩́t̲͎̩̱͔́̋̀ it is beautiful t​he final snuffing of the lie​s of Man ALL IS LOŚ͖̩͇̗̪̏̈́T ALL I​S LOST the pon̷y he comes he c̶̮omes he comes the ich​or permeates all MY FACE MY FACE ᵒh god no NO NOO̼O​O NΘ stop the an​*̶͑̾̾​̅ͫ͏̙̤g͇̫͛͆̾ͫ̑͆l͖͉̗̩̳̟̍ͫͥͨe̠̅s ͎a̧͈͖r̽̾̈́͒͑e n​ot rè̑ͧ̌aͨl̘̝̙̃ͤ͂̾̆ ZA̡͊͠͝LGΌ ISͮ̂҉̯͈͕̹̘̱ TO͇̹̺ͅƝ̴ȳ̳ TH̘Ë͖́̉ ͠P̯͍̭O̚​N̐Y̡ H̸̡̪̯ͨ͊̽̅̾̎Ȩ̬̩̾͛ͪ̈́̀́͘ ̶̧̨̱̹̭̯ͧ̾ͬC̷̙̲̝͖ͭ̏ͥͮ͟Oͮ͏̮̪̝͍M̲̖͊̒ͪͩͬ̚̚͜Ȇ̴̟̟͙̞ͩ͌͝S̨̥̫͎̭ͯ̿̔̀ͅpgkfdsmvpkfgpwoirpqriuoiuHOUOU&O¶ŋẃđŧýé¶ŧíħŋóé߶íúŋßó¶éíúŋẃéóíŧéoi
    Agreed.
     
    Gnat008 and AdamQpzm like this.
  15. Offline

    AdamQpzm

    Message was unclear, started communicating with symbols. :p

    Edit korikisulda Woah, it's even weirder now.
     
    korikisulda likes this.
  16. Offline

    Deathmarine Retired Staff

    You're funny. Let me know when you come down off your pedestal.
     
  17. Offline

    korikisulda

    ...

    I borrowed a little from here

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: Jun 14, 2016
  18. Offline

    Deathmarine Retired Staff

    I mistakenly took your comment as patronizing rather than genuine. Sorry, the context can go different ways.
     
  19. Offline

    korikisulda

    Oh, good. No, I did genuinely just mean that I had disclosed it responsibly. No patronising intent. Apologies if it seemed that way.
     
  20. Offline

    ak1rby

    korikisulda
    Well you did mention DBO and that's the real definition of it, sorry for my mistake. And it sounds like you just read the punishments for me in a HTML bible or something.
    Now I know how confused I really am. (I only work with JavaScript, sorry)
     
  21. Offline

    korikisulda

    Lol kinda. It's part of one of the answers on a question on stackexchange asking how to parse XHTML with regex. Needless to say, that's a bad idea.
     
  22. Offline

    ak1rby

    Now, it's confusing but. I have made many Bukkit servers and I can't make them anymore 'cause you guys are not allowed to supply the files, correct?
     
  23. Offline

    AdamQpzm

    ak1rby That's, like, completely irrelevant to this post but yet that is correct, yes.
     
    korikisulda likes this.
  24. Offline

    korikisulda

    Sort of. As the result of a copyright dispute, Bukkit's official API implementation (CraftBukkit) can now no longer be released. Bukkit (as in the non-functional API) is still distributable. For the moment, it looks like CraftBukkit is dead.
    However, there are other implementations. I have been led to believe that Spigot's 1.8 version will be released at the end of this month (although don't hold me to that), and if you can find a 1.7.2 Spigot build, they posted the hashes for verification (they were obliged to stop hosting their files too, as they are based on CraftBukkit).
    I hope this is of help, but please note that I can't help you obtain any of these files, and these forums do not support unofficial implementations.
     
  25. Offline

    AdamQpzm

    korikisulda What do you mean non-functional? I happen to use the Bukkit API to convert Strings to their coloured version as they would be on Minecraft in many programs outside of plugins and Minecraft because... erm... Okay, I don't do that, but the API isn't non-functional. It's just very limited functionality, which doesn't include running a server :p
     
  26. Offline

    korikisulda

    Lol. To a non-developer, it's useless though ;) Stop confusing everyone with your facts!
     
    AdamQpzm likes this.
  27. Offline

    ak1rby

    @korikisulda
    If it's not too much trouble I wanna increase my coding and I only know JavaScript.
    What kind of program do you use for coding?
    (www.code.org helps you with coding btw)
     
  28. Offline

    AdamQpzm

    ak1rby I have to say I admire the way you start off requesting advice, but by the end of the post, you're giving it :p
     
    korikisulda likes this.
  29. Offline

    ak1rby

    Yeah, but I mean what kind of program do you use to make plugins for Minecraft. My bad lol, that's what I meant to say. I know you use Eclipse but which Eclipse?
     
  30. Offline

    korikisulda

    korikisulda
     
    AdamQpzm likes this.