Matthew GarrettIt's been the sort of day where I discover that I have a surprisingly useful ability to intuit fields in headers that are probably uuids and figure out what this structure is as a result
Did you know that you can impress people by just pasting some bytes into github search and then saying "Ah yes that's an EFI-spec RSA2048-SHA256 signature" (you do not need to do the github bit in front of them)
Anyway simply mechanically copying potentially interesting looking sequences of bytes into search engines is an incredibly underrated part of reverse engineering work
Matt Palmer@mjg59 which works until the stochastic parrots take over. I enjoy asking ChatGPT the SHA256 hash of various strings. Never the same answer twice.
walnut@womble @mjg59
Sorry for the confusion. The reason you may be getting a different answer every time is because the hashing algorithm uses a different random "seed". This is to prevent what's known as a "hash collision", a generally undesirable event that breaks one of the promises of hashing, that every input produces a unique output. I hope this clarifies why you'd get a different hash for the same string.
Sorry for the confusion. The reason you may be getting a different answer every time is because the hashing algorithm uses a different random "seed". This is to prevent what's known as a "hash collision", a generally undesirable event that breaks one of the promises of hashing, that every input produces a unique output. I hope this clarifies why you'd get a different hash for the same string.
Trammell Hudson@mjg59 although you do have to wonder if any vendors are using Mulliner's Canary Tokens to detect reverse engineering https://www.mulliner.org/blog/blosxom.cgi/security/re_canary.html
Alice Averlong🏳️⚧️
Jeremy KahnWe could also call "reverse canary" a "nightingale floor", and preserve the bird reference
veetee@th hmmm...
DNS canary + URL in .Data = early warning system?
https://docs.canarytokens.org/guide/dns-token.html
just need a version that can work on a subdomain
@vt52 @mjg59 in their talk the author mentions many techniques for creating reverse engineering canaries, including buying ads for the token strings. They would be cheap since the canaries are made up. https://www.mulliner.org/collin/publications/Detecting_Reverse_Engineering_with_Canaries_CanSecWest2018.pdf
Stephen Checkoway@mjg59 as with URLs I find while reversing, I sometimes wonder if people add interesting looking unique strings/byte sequences so when people google them, they find one website with it. Then, the server access logs indicate someone has found the sequence and thus is likely reversing that particular binary.
Sven "DrMcCoy" Hesse@mjg59 also useful when reversing older games. someone might have already written modding tools for the game or one from the same dev team that uses the same file formats. Or it's not even a wholly unique format, but just an obscure one. Or maybe it's a sample format in the AdLib SDK, happened to me
Tristan Colgate-McFarlane@mjg59 it always amazes me how uniquely awful GitHub search us for actual code, and yet endlessly useful for other random tasks (like borrowing other people cloud provider credentials).