
I was asked to crack a program in a job interview, part 2 - m00dy
http://erenyagdiran.github.io/I-was-just-asked-to-crack-a-program-Part-2/
======
pranayairan
It is sad to know that even after this much worked he did, he was asked to
switch and work on something he was not hired for !!

~~~
enraged_camel
Could be a great meme.

"Got the job as a security software engineer, ended up writing CSS"

~~~
wnevets
the inverse would be funnier in a scary kind of way.

~~~
bithush
The inverse is true in a lot of technology companies sadly. I once worked with
a "network security expert" who got the job after 2 years as a front end web
dev and zero real training in network security. He knew what SSL was so got
promoted...

~~~
antocv
I was a Java Web Gui developer, typical stuff, so the architect of the project
asked me to implement better security by reversing SHA512.

Specifically SHA512 he said, dont use SHA1 or SHA256 thats not good enough.
And he explained several times how the security solution work, it would be
based on reversing a hash function. As I shrugged it off, people say weird
things sometimes, and offered a real solution he kept pushing for his
solution. Weird but anyway maybe he just means what I mean but is using
different words, so I implement a real solution, and then days later he
questions my judgement and the solution because I didnt use his. Thats when I
said "you cant reverse a hash function, in fact thats the point of it" and
then point to the diagram he made see there, thats not mathematically
possible. His title was Security Architect.

------
scott_s
The "Computer Systems" course that was started at CMU has a similar project
commonly called the "bomb lab":
[http://csapp.cs.cmu.edu/public/labs.html](http://csapp.cs.cmu.edu/public/labs.html)

I TAed a Computer Systems course at a different university, and it was a great
exercise to get the students to really understand what was going on in their
programs - and to force them to use the powerful tools (disassembler,
debugger) available to them.

------
wging
Are there any positions in the industry where this is part of the average work
day? It seems awesome and I really want to get into it.

(the above is copied from a dead post on this thread, possibly by a hellbanned
user. i'm reposting it because it's a reasonable question)

~~~
nekitamo
I imagine this sort of reverse engineering is common for malware analysts and
people who work in the AV/security industry.

Personally I work at a software security shop, where we aim to prevent this
sort of reverse engineering. So we also end up doing a lot of this to be
familiar with attacks, test our own protection, debug issues etc...

If people want to learn more about this kind of stuff, tuts4you is great:
[https://tuts4you.com/](https://tuts4you.com/)

Specifically, the lena151 tutorials are great for beginners with 0 experience:
[https://tuts4you.com/download.php?list.17](https://tuts4you.com/download.php?list.17)

------
neom
Dropped you some digitalocean credit for being awesome.

Totally great read! :)

~~~
tjbiddle
"$5 plan - you know the company" "I can redeploy another droplet in seconds."

Well, I wonder what company that is? :p

------
diminish
> I'm not working for that company now , I moved to Barcelona. > i live in
> Barcelona and have a great life

In both cases living in Barcelona is positioned as the contrary of working
-for that company-, so I'm confused. Are you working? Is it a security-related
position?

~~~
jarek
J2EE+CSS company was in Turkey, he quit and got a different job in Barcelona

------
earlz
Stuff like this deeply fascinates me. However, I can't help but feel like a
lot of it could be improved with the help of some automation tooling.

Is there anything out there for like a "language" of sorts (or API, etc) that
can automate some of the debugging things required? Like I imagine very
"active" debugging and code modification like "When we are at this location,
and the past few instructions exected were X, Y, and Z at addresses A, B, and
C, pop this item off the stack and push this hard coded value on the stack"
Things that would take forever to do manually, especially when called in a
loop, but would be fairly trivial to formalize into a programming language

~~~
rjzzleep
It all went downhill, when compuware bought numega and killed softice. yes,
ollydbg and windbg work fine, but still...

~~~
DEinspanjer
Hehe.. I worked for Numega back then. I did tech support and I still remember
how often we got tech support requests from people and companies wanting a way
to prevent SoftIce from being used to crack their software. So many times I
tried to explain to people that there just wasn't really a good way to detect
that it was happening that couldn't just be circumvented by the debugger.

------
shijie
> My English is not that bad.

I'd say it's quite good. However, I'd quit it with the space after the comma
thing, and the no space after the period thing you're doing:

>But I'm sorry , i would like to correct some misunderstandings.

Should look like

But I'm sorry, I would like to correct some misunderstandings.

> And finally , please read the end of the post.I'm sure you will like it.

Should look like

And finally, please read the end of the post. I'm sure you will like it.

Great article though! Really enjoyed reading it.

Edit: formatting

~~~
dllthomas
You mean space _before_ the comma. There should be a space after both commas
and periods and no space before either.

~~~
shijie
Bah, yes. That's what I meant. Thanks for catching that.

------
nobotty
Really wish baby-level software analysis posts would stop hitting the top.

