
Dreaming in Reverse Engineering - sylvainkalache
https://sweetcode.io/dreaming-reverse-engineering/
======
minipci1321
That routinely happens to me too -- finding solutions in the morning of the
next day (revelation typically comes while I am in the shower), after having
banged my head at the problem for several days before.

Putting the subconscious to work... I read somewhere that his is how it has to
be done -- "stimulate" it hard enough first, then "disconnect" and let it run
free-wheeled.

Does anyone have any particular tricks and hints to improve this process?

~~~
namaemuta
Not for sleeping hours but I've discovered that going for a run is a boost of
creativity. And related to this, I would say that any automated task that you
can do almost with your eyes closed, without paying attention, free your mind
enough to see things from totally different perspectives.

~~~
minipci1321
Totally agree (swimming and running in my case), but this leads us to the next
very controversial question -- how much our free time off the job during the
day, impacts our results on the job (so shouldn't we have more of it)? I know
I am not creative past 6-7 hours a day at work.

This question is of course applicable only to people in positions where
creativity is heavily involved in producing the value.

------
wazari972
I played the game another way, without reverse engineering but with execution
tricks:

>
> [https://gist.github.com/kpouget/d13b6328dd6ad8489affb3d24ad8...](https://gist.github.com/kpouget/d13b6328dd6ad8489affb3d24ad8a81a)

1/ a simple GDB.py trick: `make debug` (passme.py ) 2/ a not-so-easy-in-the-
end LD_PRELOAD trick: `make run` (passme.c)

~~~
invalid_name
Mind asking a few things? What's the purpose of this line

    
    
      void *call_addr = (void *)CHECKSUM_CALL_ADDR;

to then casting the rvalue to a double void pointer here:

    
    
      void **target = (void **)CHECKSUM_CALL_ADDR; 
    

(why not just void*) ? Also, even though mprotect() succeeds, I got a
segfault.

~~~
wazari972
> Mind asking a few things?

sure! nothing and nothing ;-) they were just leads I was trying. `target` was
for:

    
    
        void **target; *target = *mov_addr; // move sizeof((void *) bits
    

I've updated the gist.

> Also, even though mprotect() succeeds, I got a segfault.

try in GDB something like:

    
    
        (gdb) disassemble main
        ...
        0x00000000004005dd <+64>:	mov    %rax,%rdi
        0x00000000004005e0 <+67>:	callq  0x400566 <checksum>
        0x00000000004005e5 <+72>:	mov    %rax,-0x8(%rbp)
        0x00000000004005e9 <+76>:	cmpq   $0xad4,-0x8(%rbp)
        ....
        (gdb) break passme.c:62
        (gdb) continue # should ends up *after* the memcpy
        (gdb) disassemble main
        ...
        0x00000000004005dd <+64>:	mov    %rax,%rdi
        0x00000000004005e0 <+67>:	movl   $0xad4,-0x8(%rbp)
        0x00000000004005e7 <+74>:	nop
        0x00000000004005e8 <+75>:	nop
        0x00000000004005e9 <+76>:	cmpq   $0xad4,-0x8(%rbp)
    

and in both disassemblies, look around 0x4005e0 (<main+67>) to see how
instructions have been overwritten. In the second disassembly, if you see
strange-looking instructions (eg clc), there was a problem with the copy / the
instruction copied. Let me know !

------
veli_joza
Ray Kurzweil also talks about routinely using sleep and dreams to gain new
perspective to difficult problems:

[http://www.afb.org/info/living-with-vision-loss/using-
techno...](http://www.afb.org/info/living-with-vision-loss/using-
technology/ray-kurzweil/part-2-of-4/1245)

------
messel
This was a fun puzzle and learning challenge. Glad to see the next generation
is still suffering with null terminators :)

------
Cafey
That happenned to me aswell all through university!

I found that sometimes while debugging something, we go very deep into the
problem and trying to understand every little details. Sleep helps get your
mind back on the original issue and look at it from another perspective, in a
more relaxed way.

