Is it possible to build an equivalent function just looking at the input and output of the original function?
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function
. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function
how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function
:
int secret_function(int a, int b) {
if (a == 234) {
return b*2 - a;
}
return a*b;
}
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
add a comment |
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function
. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function
how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function
:
int secret_function(int a, int b) {
if (a == 234) {
return b*2 - a;
}
return a*b;
}
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
2
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
8 hours ago
add a comment |
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function
. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function
how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function
:
int secret_function(int a, int b) {
if (a == 234) {
return b*2 - a;
}
return a*b;
}
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function
. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function
how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function
:
int secret_function(int a, int b) {
if (a == 234) {
return b*2 - a;
}
return a*b;
}
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
functions hash-functions
edited 2 hours ago
Rocco Mancin
asked 10 hours ago
Rocco MancinRocco Mancin
6113
6113
2
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
8 hours ago
add a comment |
2
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
8 hours ago
2
2
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
8 hours ago
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
8 hours ago
add a comment |
3 Answers
3
active
oldest
votes
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
New contributor
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
New contributor
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
3 hours ago
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
1 hour ago
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
1 hour ago
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
New contributor
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "489"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f21089%2fis-it-possible-to-build-an-equivalent-function-just-looking-at-the-input-and-out%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
New contributor
add a comment |
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
New contributor
add a comment |
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
New contributor
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
New contributor
New contributor
answered 9 hours ago
CarolineCaroline
511
511
New contributor
New contributor
add a comment |
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
New contributor
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
3 hours ago
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
1 hour ago
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
1 hour ago
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
New contributor
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
3 hours ago
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
1 hour ago
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
1 hour ago
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
New contributor
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
New contributor
New contributor
answered 7 hours ago
LuaanLuaan
1313
1313
New contributor
New contributor
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
3 hours ago
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
1 hour ago
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
1 hour ago
add a comment |
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
3 hours ago
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
1 hour ago
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
1 hour ago
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
3 hours ago
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
3 hours ago
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
1 hour ago
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
1 hour ago
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
1 hour ago
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
1 hour ago
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
New contributor
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
New contributor
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
New contributor
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
New contributor
New contributor
answered 5 hours ago
frollofrollo
1311
1311
New contributor
New contributor
add a comment |
add a comment |
Thanks for contributing an answer to Reverse Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f21089%2fis-it-possible-to-build-an-equivalent-function-just-looking-at-the-input-and-out%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
8 hours ago