undefined | Better HN

0 pointsPeterisP12y ago0 comments

Well then, what and why are the differences? I mean, if there's an arbitrary data block somewhere, then the "matching disassembly" can have wildly different behavior by simply copying & executing parts of that block.

0 comments

4 comments · 1 top-level

voltagex_12y ago· 3 in thread

It's explained in the article. Timestamps, file paths, certificates and oddities of the PE format.

hamburglar12y ago

I can't wait until the source audit uncovers a funny little subroutine that loads the certificate from the .EXE, decodes the public key into RAM, and then starts executing it. :)

edit: not that this seems like a realistic method of injecting malicious code. If you could get away with that in an open source project, you could probably get away with just hiding the malicious code in the app directly.

PeterisPOP12y ago

I got an impression from the article that disassembly was what he did to explain the binary differences that remained AFTER he corrected for timestamps/certificates/etc.

Dylan1680712y ago

Your impression was wrong. He showed all of the differences in the screenshots. That's how few there were. Not a single bit of the code portions was different. Only a handful of metadata bytes, plus appended certificate.

The disassembly was only there to be cute and emphasize the point.

j / k navigate · click thread line to collapse