Is it possible to build an equivalent function just looking at the input and output of the original function? The 2019 Stack Overflow Developer Survey Results Are InExperiences from reverse engineers in detecting recursive callsHow is the first jmp skipped in plt entryCall DLL export in OllyDBGIs there a way to find out which hash standard by studying the source code?IDA ignoring register changes in pseudocodeRadare2 doesn't display the whole functionStruggling with an archive file format using “encryption”Tracing function calls in x64dbgIs it possible to get the formula out of a blackbox using neural networkDoes anyone recognise following (USB,HID?) encoding method?
Why is the maximum length of OpenWrt’s root password 8 characters?
What is the most effective way of iterating a std::vector and why?
Delete all lines which don't have n characters before delimiter
Apparent duplicates between Haynes service instructions and MOT
Why isn't the circumferential light around the M87 black hole's event horizon symmetric?
Why isn't airport relocation done gradually?
Multiply Two Integer Polynomials
Do these rules for Critical Successes and Critical Failures seem fair?
How to notate time signature switching consistently every measure
Resizing object distorts it (Illustrator CC 2018)
What is the meaning of the verb "bear" in this context?
Where to refill my bottle in India?
Why do we hear so much about the Trump administration deciding to impose and then remove tariffs?
Button changing it's text & action. Good or terrible?
Can one be advised by a professor who is very far away?
What is the closest word meaning "respect for time / mindful"
Is an up-to-date browser secure on an out-of-date OS?
Can we generate random numbers using irrational numbers like π and e?
Can a flute soloist sit?
For what reasons would an animal species NOT cross a *horizontal* land bridge?
Have you ever entered Singapore using a different passport or name?
Did Scotland spend $250,000 for the slogan "Welcome to Scotland"?
slides for 30min~1hr skype tenure track application interview
Are there any other methods to apply to solving simultaneous equations?
Is it possible to build an equivalent function just looking at the input and output of the original function?
The 2019 Stack Overflow Developer Survey Results Are InExperiences from reverse engineers in detecting recursive callsHow is the first jmp skipped in plt entryCall DLL export in OllyDBGIs there a way to find out which hash standard by studying the source code?IDA ignoring register changes in pseudocodeRadare2 doesn't display the whole functionStruggling with an archive file format using “encryption”Tracing function calls in x64dbgIs it possible to get the formula out of a blackbox using neural networkDoes anyone recognise following (USB,HID?) encoding method?
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function:
int secret_function(int a, int b)
if (a == 234)
return b*2 - a;
return a*b;
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
asked yesterday
Rocco MancinRocco Mancin
6114
add a comment |
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function:
int secret_function(int a, int b)
if (a == 234)
return b*2 - a;
return a*b;
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
asked yesterday
Rocco MancinRocco Mancin
6114
3
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
yesterday
add a comment |
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function:
int secret_function(int a, int b)
if (a == 234)
return b*2 - a;
return a*b;
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
asked yesterday
Rocco MancinRocco Mancin
6114
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function:
int secret_function(int a, int b)
if (a == 234)
return b*2 - a;
return a*b;
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
functions hash-functions
asked yesterday
Rocco MancinRocco Mancin
6114
asked yesterday
Rocco MancinRocco Mancin
6114
edited yesterday
Rocco Mancin
asked yesterday
Rocco MancinRocco Mancin
6114
asked yesterday
Rocco MancinRocco Mancin
6114
asked yesterday
Rocco MancinRocco Mancin
6114
6114
3
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
yesterday
add a comment |
3
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
yesterday
3
3
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
yesterday
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
yesterday
add a comment |
4 Answers
4
active
oldest
votes
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
answered yesterday
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
answered yesterday
LuaanLuaan
1413
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
yesterday
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
yesterday
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
yesterday
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
answered yesterday
frollofrollo
1311
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
This problem essentially describes the field of sequential analysis coupled with curve fitting.
If you are able to make some assumptions about the inputs to the secret function that your model needs to be good for, you can use this to guide your choice of algorithm for generating new values to try as inputs to the function.
If you are able to make some assumptions about the characteristics of the function, you can use this to guide your choice of function to fit to the outputs of the secret function, which will determine how the resulting function behaves when you subject it to inputs you haven't tried yet.
Even the "simple" example given might be interpreted many different ways in these fields. For instance:
- If you can't assume anything about the function and your model of it must reproduce exactly the correct value, you have no choice but to evaluate all 2^64 possibilities. You don't necessarily have to store them all as you go if you correctly guess a function that can reproduce every value with the right parameters.
- If you know that there is exactly one value of
athat changes the function, and that it is one of two linear functions ofaandbdepending on this value then you'll need on average 2^31 trials to find the magicavalue, significantly shrinking the problem. - If you don't require an exact reproduction then you can begin reasoning from a value judgement about what errors are acceptable. For instance, a function which is completely wrong 2^-32 of the time might be perfectly acceptable, so if you know that the special case is no bigger than this you can just pick a few random values (almost certainly not accidentally picking
a = 234) and solve the linear equations. - You might not reasonably know that the function has linear parts, but know that it's no more complex than some other function. The parameters to this more complex function, when fitted to outputs from the secret function, would produce a function which matches linear behaviour for the values obtained from the function, but wouldn't necessarily be guaranteed to behave linearly for untested values; the possible behaviours of any function you choose to fit must hence endeavour to match the range of behaviours that can be considered plausible under your assumptions.
These are big fields, and there are plenty of options that may be available to you with the benefit of the specifics of your problem.
answered 20 hours ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "489"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f21089%2fis-it-possible-to-build-an-equivalent-function-just-looking-at-the-input-and-out%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
answered yesterday
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
answered yesterday
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
answered yesterday
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
answered yesterday
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
CarolineCaroline
511
answered yesterday
CarolineCaroline
511
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
answered yesterday
LuaanLuaan
1413
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
yesterday
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
yesterday
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
yesterday
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
answered yesterday
LuaanLuaan
1413
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
yesterday
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
yesterday
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
yesterday
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
answered yesterday
LuaanLuaan
1413
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
answered yesterday
LuaanLuaan
1413
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
LuaanLuaan
1413
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
LuaanLuaan
1413
answered yesterday
LuaanLuaan
1413
1413
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
yesterday
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
yesterday
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
yesterday
add a comment |
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
yesterday
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
yesterday
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
yesterday
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
yesterday
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
yesterday
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
yesterday
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
yesterday
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
yesterday
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
yesterday
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
answered yesterday
frollofrollo
1311
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
answered yesterday
frollofrollo
1311
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
answered yesterday
frollofrollo
1311
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
answered yesterday
frollofrollo
1311
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
frollofrollo
1311
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
frollofrollo
1311
answered yesterday
frollofrollo
1311
1311
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
This problem essentially describes the field of sequential analysis coupled with curve fitting.
If you are able to make some assumptions about the inputs to the secret function that your model needs to be good for, you can use this to guide your choice of algorithm for generating new values to try as inputs to the function.
If you are able to make some assumptions about the characteristics of the function, you can use this to guide your choice of function to fit to the outputs of the secret function, which will determine how the resulting function behaves when you subject it to inputs you haven't tried yet.
Even the "simple" example given might be interpreted many different ways in these fields. For instance:
- If you can't assume anything about the function and your model of it must reproduce exactly the correct value, you have no choice but to evaluate all 2^64 possibilities. You don't necessarily have to store them all as you go if you correctly guess a function that can reproduce every value with the right parameters.
- If you know that there is exactly one value of
athat changes the function, and that it is one of two linear functions ofaandbdepending on this value then you'll need on average 2^31 trials to find the magicavalue, significantly shrinking the problem. - If you don't require an exact reproduction then you can begin reasoning from a value judgement about what errors are acceptable. For instance, a function which is completely wrong 2^-32 of the time might be perfectly acceptable, so if you know that the special case is no bigger than this you can just pick a few random values (almost certainly not accidentally picking
a = 234) and solve the linear equations. - You might not reasonably know that the function has linear parts, but know that it's no more complex than some other function. The parameters to this more complex function, when fitted to outputs from the secret function, would produce a function which matches linear behaviour for the values obtained from the function, but wouldn't necessarily be guaranteed to behave linearly for untested values; the possible behaviours of any function you choose to fit must hence endeavour to match the range of behaviours that can be considered plausible under your assumptions.
These are big fields, and there are plenty of options that may be available to you with the benefit of the specifics of your problem.
answered 20 hours ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
This problem essentially describes the field of sequential analysis coupled with curve fitting.
If you are able to make some assumptions about the inputs to the secret function that your model needs to be good for, you can use this to guide your choice of algorithm for generating new values to try as inputs to the function.
If you are able to make some assumptions about the characteristics of the function, you can use this to guide your choice of function to fit to the outputs of the secret function, which will determine how the resulting function behaves when you subject it to inputs you haven't tried yet.
Even the "simple" example given might be interpreted many different ways in these fields. For instance:
- If you can't assume anything about the function and your model of it must reproduce exactly the correct value, you have no choice but to evaluate all 2^64 possibilities. You don't necessarily have to store them all as you go if you correctly guess a function that can reproduce every value with the right parameters.
- If you know that there is exactly one value of
athat changes the function, and that it is one of two linear functions ofaandbdepending on this value then you'll need on average 2^31 trials to find the magicavalue, significantly shrinking the problem. - If you don't require an exact reproduction then you can begin reasoning from a value judgement about what errors are acceptable. For instance, a function which is completely wrong 2^-32 of the time might be perfectly acceptable, so if you know that the special case is no bigger than this you can just pick a few random values (almost certainly not accidentally picking
a = 234) and solve the linear equations. - You might not reasonably know that the function has linear parts, but know that it's no more complex than some other function. The parameters to this more complex function, when fitted to outputs from the secret function, would produce a function which matches linear behaviour for the values obtained from the function, but wouldn't necessarily be guaranteed to behave linearly for untested values; the possible behaviours of any function you choose to fit must hence endeavour to match the range of behaviours that can be considered plausible under your assumptions.
These are big fields, and there are plenty of options that may be available to you with the benefit of the specifics of your problem.
answered 20 hours ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
This problem essentially describes the field of sequential analysis coupled with curve fitting.
If you are able to make some assumptions about the inputs to the secret function that your model needs to be good for, you can use this to guide your choice of algorithm for generating new values to try as inputs to the function.
If you are able to make some assumptions about the characteristics of the function, you can use this to guide your choice of function to fit to the outputs of the secret function, which will determine how the resulting function behaves when you subject it to inputs you haven't tried yet.
Even the "simple" example given might be interpreted many different ways in these fields. For instance:
- If you can't assume anything about the function and your model of it must reproduce exactly the correct value, you have no choice but to evaluate all 2^64 possibilities. You don't necessarily have to store them all as you go if you correctly guess a function that can reproduce every value with the right parameters.
- If you know that there is exactly one value of
athat changes the function, and that it is one of two linear functions ofaandbdepending on this value then you'll need on average 2^31 trials to find the magicavalue, significantly shrinking the problem. - If you don't require an exact reproduction then you can begin reasoning from a value judgement about what errors are acceptable. For instance, a function which is completely wrong 2^-32 of the time might be perfectly acceptable, so if you know that the special case is no bigger than this you can just pick a few random values (almost certainly not accidentally picking
a = 234) and solve the linear equations. - You might not reasonably know that the function has linear parts, but know that it's no more complex than some other function. The parameters to this more complex function, when fitted to outputs from the secret function, would produce a function which matches linear behaviour for the values obtained from the function, but wouldn't necessarily be guaranteed to behave linearly for untested values; the possible behaviours of any function you choose to fit must hence endeavour to match the range of behaviours that can be considered plausible under your assumptions.
These are big fields, and there are plenty of options that may be available to you with the benefit of the specifics of your problem.
answered 20 hours ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
This problem essentially describes the field of sequential analysis coupled with curve fitting.
If you are able to make some assumptions about the inputs to the secret function that your model needs to be good for, you can use this to guide your choice of algorithm for generating new values to try as inputs to the function.
If you are able to make some assumptions about the characteristics of the function, you can use this to guide your choice of function to fit to the outputs of the secret function, which will determine how the resulting function behaves when you subject it to inputs you haven't tried yet.
Even the "simple" example given might be interpreted many different ways in these fields. For instance:
- If you can't assume anything about the function and your model of it must reproduce exactly the correct value, you have no choice but to evaluate all 2^64 possibilities. You don't necessarily have to store them all as you go if you correctly guess a function that can reproduce every value with the right parameters.
- If you know that there is exactly one value of
athat changes the function, and that it is one of two linear functions ofaandbdepending on this value then you'll need on average 2^31 trials to find the magicavalue, significantly shrinking the problem. - If you don't require an exact reproduction then you can begin reasoning from a value judgement about what errors are acceptable. For instance, a function which is completely wrong 2^-32 of the time might be perfectly acceptable, so if you know that the special case is no bigger than this you can just pick a few random values (almost certainly not accidentally picking
a = 234) and solve the linear equations. - You might not reasonably know that the function has linear parts, but know that it's no more complex than some other function. The parameters to this more complex function, when fitted to outputs from the secret function, would produce a function which matches linear behaviour for the values obtained from the function, but wouldn't necessarily be guaranteed to behave linearly for untested values; the possible behaviours of any function you choose to fit must hence endeavour to match the range of behaviours that can be considered plausible under your assumptions.
These are big fields, and there are plenty of options that may be available to you with the benefit of the specifics of your problem.
answered 20 hours ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 20 hours ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 20 hours ago
WillWill
1211
answered 20 hours ago
WillWill
1211
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Thanks for contributing an answer to Reverse Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f21089%2fis-it-possible-to-build-an-equivalent-function-just-looking-at-the-input-and-out%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
3
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
yesterday