Is it possible to build an equivalent function just looking at the input and output of the original function? The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Experiences from reverse engineers in detecting recursive callsHow is the first jmp skipped in plt entryCall DLL export in OllyDBGIs there a way to find out which hash standard by studying the source code?IDA ignoring register changes in pseudocodeRadare2 doesn't display the whole functionStruggling with an archive file format using “encryption”Tracing function calls in x64dbgIs it possible to get the formula out of a blackbox using neural networkDoes anyone recognise following (USB,HID?) encoding method?
Can each chord in a progression create its own key?
Is every episode of "Where are my Pants?" identical?
Working through the single responsibility principle (SRP) in Python when calls are expensive
Mortgage adviser recommends a longer term than necessary combined with overpayments
Can withdrawing asylum be illegal?
Could an empire control the whole planet with today's comunication methods?
Does Parliament need to approve the new Brexit delay to 31 October 2019?
Identify 80s or 90s comics with ripped creatures (not dwarves)
How to politely respond to generic emails requesting a PhD/job in my lab? Without wasting too much time
Is this wall load bearing? Blueprints and photos attached
Keeping a retro style to sci-fi spaceships?
Visa regaring travelling European country
How do spell lists change if the party levels up without taking a long rest?
Is there a writing software that you can sort scenes like slides in PowerPoint?
What do I do when my TA workload is more than expected?
US Healthcare consultation for visitors
What was the last x86 CPU that did not have the x87 floating-point unit built in?
Am I ethically obligated to go into work on an off day if the reason is sudden?
Huge performance difference of the command find with and without using %M option to show permissions
Why can't wing-mounted spoilers be used to steepen approaches?
Did the UK government pay "millions and millions of dollars" to try to snag Julian Assange?
How can a C program poll for user input while simultaneously performing other actions in a Linux environment?
Loose spokes after only a few rides
Does Parliament hold absolute power in the UK?
Is it possible to build an equivalent function just looking at the input and output of the original function?
The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)Experiences from reverse engineers in detecting recursive callsHow is the first jmp skipped in plt entryCall DLL export in OllyDBGIs there a way to find out which hash standard by studying the source code?IDA ignoring register changes in pseudocodeRadare2 doesn't display the whole functionStruggling with an archive file format using “encryption”Tracing function calls in x64dbgIs it possible to get the formula out of a blackbox using neural networkDoes anyone recognise following (USB,HID?) encoding method?
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function:
int secret_function(int a, int b)
if (a == 234)
return b*2 - a;
return a*b;
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
asked Apr 9 at 7:40
Rocco MancinRocco Mancin
6114
add a comment |
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function:
int secret_function(int a, int b)
if (a == 234)
return b*2 - a;
return a*b;
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
asked Apr 9 at 7:40
Rocco MancinRocco Mancin
6114
4
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
Apr 9 at 10:04
add a comment |
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function:
int secret_function(int a, int b)
if (a == 234)
return b*2 - a;
return a*b;
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
asked Apr 9 at 7:40
Rocco MancinRocco Mancin
6114
Imagine you are reverse engineering a software. This software uses a library, which is obfuscated and encrypted. The library contains a function, lets call it secret_function. This function is a pure function (i.e. it doesn't have any side effect and when called with the same arguments it returns always the same output).
Assuming i can call secret_function how may times i want, with whichever arguments i want, but i can't peek at the implementation, is it possible to build an equivalent function in another language (python for example), only analyzing the input and output values?
This is an example implementation of secret_function:
int secret_function(int a, int b)
if (a == 234)
return b*2 - a;
return a*b;
A way to archive this i thought of is to call the function with every possible argument, (in the example 2^32 * 2^32, assuming a 32 bit int) and store all of them, to return them based on the arguments, like a giant lookup table. But this doesn't seem very efficient, if at all possible.
UPDATE:
You can assume that the function is working with fixed size arguments. So no strings or variable length arrays.
functions hash-functions
functions hash-functions
asked Apr 9 at 7:40
Rocco MancinRocco Mancin
6114
asked Apr 9 at 7:40
Rocco MancinRocco Mancin
6114
edited Apr 9 at 15:55
Rocco Mancin
asked Apr 9 at 7:40
Rocco MancinRocco Mancin
6114
asked Apr 9 at 7:40
Rocco MancinRocco Mancin
6114
asked Apr 9 at 7:40
Rocco MancinRocco Mancin
6114
6114
4
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
Apr 9 at 10:04
add a comment |
4
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
Apr 9 at 10:04
4
4
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
Apr 9 at 10:04
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
Apr 9 at 10:04
add a comment |
4 Answers
4
active
oldest
votes
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
answered Apr 9 at 8:45
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
answered Apr 9 at 10:16
LuaanLuaan
1513
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
Apr 9 at 14:41
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
Apr 9 at 16:13
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
Apr 9 at 16:19
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
answered Apr 9 at 13:03
frollofrollo
1411
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
This problem essentially describes the field of sequential analysis coupled with curve fitting.
If you are able to make some assumptions about the inputs to the secret function that your model needs to be good for, you can use this to guide your choice of algorithm for generating new values to try as inputs to the function.
If you are able to make some assumptions about the characteristics of the function, you can use this to guide your choice of function to fit to the outputs of the secret function, which will determine how the resulting function behaves when you subject it to inputs you haven't tried yet.
Even the "simple" example given might be interpreted many different ways in these fields. For instance:
- If you can't assume anything about the function and your model of it must reproduce exactly the correct value, you have no choice but to evaluate all 2^64 possibilities. You don't necessarily have to store them all as you go if you correctly guess a function that can reproduce every value with the right parameters.
- If you know that there is exactly one value of
athat changes the function, and that it is one of two linear functions ofaandbdepending on this value then you'll need on average 2^31 trials to find the magicavalue, significantly shrinking the problem. - If you don't require an exact reproduction then you can begin reasoning from a value judgement about what errors are acceptable. For instance, a function which is completely wrong 2^-32 of the time might be perfectly acceptable, so if you know that the special case is no bigger than this you can just pick a few random values (almost certainly not accidentally picking
a = 234) and solve the linear equations. - You might not reasonably know that the function has linear parts, but know that it's no more complex than some other function. The parameters to this more complex function, when fitted to outputs from the secret function, would produce a function which matches linear behaviour for the values obtained from the function, but wouldn't necessarily be guaranteed to behave linearly for untested values; the possible behaviours of any function you choose to fit must hence endeavour to match the range of behaviours that can be considered plausible under your assumptions.
These are big fields, and there are plenty of options that may be available to you with the benefit of the specifics of your problem.
answered 2 days ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "489"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f21089%2fis-it-possible-to-build-an-equivalent-function-just-looking-at-the-input-and-out%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
answered Apr 9 at 8:45
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
answered Apr 9 at 8:45
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
answered Apr 9 at 8:45
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Your problem seems to be related to what Sibyl aim at doing (https://github.com/cea-sec/Sibyl).
It tries based on the side effects of the function (return value, memory writes, ...) to identify a known function.
Of course, you will need a kind of database to "learn" the function !
answered Apr 9 at 8:45
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Apr 9 at 8:45
CarolineCaroline
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Apr 9 at 8:45
CarolineCaroline
511
answered Apr 9 at 8:45
CarolineCaroline
511
511
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Caroline is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
answered Apr 9 at 10:16
LuaanLuaan
1513
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
Apr 9 at 14:41
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
Apr 9 at 16:13
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
Apr 9 at 16:19
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
answered Apr 9 at 10:16
LuaanLuaan
1513
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
Apr 9 at 14:41
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
Apr 9 at 16:13
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
Apr 9 at 16:19
add a comment |
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
answered Apr 9 at 10:16
LuaanLuaan
1513
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
If you have all the possible input and all the expected outputs, and they're not indistinguishable from encrypted/compressed data, you can find more efficient storage mechanisms than just having a large lookup table. Even a simple genetic algorithm can very quickly get you to "use a * b, unless a == 234" (I've actually made a solver specifically for this kind of problem, though in a more general mathematical formula case). In the end, it's a rather ordinary optimization problem, where you're balancing off the storage space, computation and preparation time needed to give the correct result. More complicated algorithms can take longer to solve, which is one of the reasons why encryption works - those algorithms are specifically designed to make it extremely labor intensive to go from a set of known inputs and outputs to the private key used for the encryption.
But in any case, to have certainty, you must try all possible inputs. That's easy enough (though certainly laborious) for a couple integers, but quickly gets untenable for something like a string.
answered Apr 9 at 10:16
LuaanLuaan
1513
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Apr 9 at 10:16
LuaanLuaan
1513
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Apr 9 at 10:16
LuaanLuaan
1513
answered Apr 9 at 10:16
LuaanLuaan
1513
1513
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Luaan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
Apr 9 at 14:41
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
Apr 9 at 16:13
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
Apr 9 at 16:19
add a comment |
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
Apr 9 at 14:41
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
Apr 9 at 16:13
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
Apr 9 at 16:19
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
Apr 9 at 14:41
The genetic algorithm you cited sounds interesting, have you got any example of that? Can genetic algorithms still be efficient if the number of possible inputs increases?
– Rocco Mancin
Apr 9 at 14:41
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
Apr 9 at 16:13
@RoccoMancin The number of inputs isn't really what makes the whole process slower (besides the verification); genetic algorithms will tend to take longer to find the solution as the problem becomes more complex (more branching, more complex operations). But of course, for any algorithm you choose, there will always be the step where you need to check all the possible inputs against all the expected outputs if you need 100% accuracy (and even then, only assuming the same inputs always produce the same output).
– Luaan
Apr 9 at 16:13
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
Apr 9 at 16:19
I have a simple genetic solver available on GitHub (github.com/Luaancz/SalemOptimizer); it's adapted from a more general solver I made some time ago. This particular one only has one "operation" (called branch; today I'd probably go with "expression" or "node"), but that's only because the problem only really needs one - the same approach can easily be used with multiple operations, though. For a math solver, those would be things like add, multiply etc.
– Luaan
Apr 9 at 16:19
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
answered Apr 9 at 13:03
frollofrollo
1411
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
answered Apr 9 at 13:03
frollofrollo
1411
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
answered Apr 9 at 13:03
frollofrollo
1411
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Unless you try all the input possibilities, as you suggested, you can only get an approximation of the function. This is basically one of the basic problems in the machine learning field, so I would look that way instead of trying to generate a lookup table for 2^32 * 2^32 values.
You should obviously be careful that you won't have 100% guarantee that the function is equivalent and also remember that in particular fields how the output is computed is as important as the output itself. Take encryption functions: having the same outputs but exposing informations (due to memory leaks, power usage spikes and so on) for side channel attacks means that the "equivalent" function is in fact far worse than the original (to the point it might not be a suitable replacement).
answered Apr 9 at 13:03
frollofrollo
1411
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Apr 9 at 13:03
frollofrollo
1411
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Apr 9 at 13:03
frollofrollo
1411
answered Apr 9 at 13:03
frollofrollo
1411
1411
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
frollo is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
This problem essentially describes the field of sequential analysis coupled with curve fitting.
If you are able to make some assumptions about the inputs to the secret function that your model needs to be good for, you can use this to guide your choice of algorithm for generating new values to try as inputs to the function.
If you are able to make some assumptions about the characteristics of the function, you can use this to guide your choice of function to fit to the outputs of the secret function, which will determine how the resulting function behaves when you subject it to inputs you haven't tried yet.
Even the "simple" example given might be interpreted many different ways in these fields. For instance:
- If you can't assume anything about the function and your model of it must reproduce exactly the correct value, you have no choice but to evaluate all 2^64 possibilities. You don't necessarily have to store them all as you go if you correctly guess a function that can reproduce every value with the right parameters.
- If you know that there is exactly one value of
athat changes the function, and that it is one of two linear functions ofaandbdepending on this value then you'll need on average 2^31 trials to find the magicavalue, significantly shrinking the problem. - If you don't require an exact reproduction then you can begin reasoning from a value judgement about what errors are acceptable. For instance, a function which is completely wrong 2^-32 of the time might be perfectly acceptable, so if you know that the special case is no bigger than this you can just pick a few random values (almost certainly not accidentally picking
a = 234) and solve the linear equations. - You might not reasonably know that the function has linear parts, but know that it's no more complex than some other function. The parameters to this more complex function, when fitted to outputs from the secret function, would produce a function which matches linear behaviour for the values obtained from the function, but wouldn't necessarily be guaranteed to behave linearly for untested values; the possible behaviours of any function you choose to fit must hence endeavour to match the range of behaviours that can be considered plausible under your assumptions.
These are big fields, and there are plenty of options that may be available to you with the benefit of the specifics of your problem.
answered 2 days ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
This problem essentially describes the field of sequential analysis coupled with curve fitting.
If you are able to make some assumptions about the inputs to the secret function that your model needs to be good for, you can use this to guide your choice of algorithm for generating new values to try as inputs to the function.
If you are able to make some assumptions about the characteristics of the function, you can use this to guide your choice of function to fit to the outputs of the secret function, which will determine how the resulting function behaves when you subject it to inputs you haven't tried yet.
Even the "simple" example given might be interpreted many different ways in these fields. For instance:
- If you can't assume anything about the function and your model of it must reproduce exactly the correct value, you have no choice but to evaluate all 2^64 possibilities. You don't necessarily have to store them all as you go if you correctly guess a function that can reproduce every value with the right parameters.
- If you know that there is exactly one value of
athat changes the function, and that it is one of two linear functions ofaandbdepending on this value then you'll need on average 2^31 trials to find the magicavalue, significantly shrinking the problem. - If you don't require an exact reproduction then you can begin reasoning from a value judgement about what errors are acceptable. For instance, a function which is completely wrong 2^-32 of the time might be perfectly acceptable, so if you know that the special case is no bigger than this you can just pick a few random values (almost certainly not accidentally picking
a = 234) and solve the linear equations. - You might not reasonably know that the function has linear parts, but know that it's no more complex than some other function. The parameters to this more complex function, when fitted to outputs from the secret function, would produce a function which matches linear behaviour for the values obtained from the function, but wouldn't necessarily be guaranteed to behave linearly for untested values; the possible behaviours of any function you choose to fit must hence endeavour to match the range of behaviours that can be considered plausible under your assumptions.
These are big fields, and there are plenty of options that may be available to you with the benefit of the specifics of your problem.
answered 2 days ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
This problem essentially describes the field of sequential analysis coupled with curve fitting.
If you are able to make some assumptions about the inputs to the secret function that your model needs to be good for, you can use this to guide your choice of algorithm for generating new values to try as inputs to the function.
If you are able to make some assumptions about the characteristics of the function, you can use this to guide your choice of function to fit to the outputs of the secret function, which will determine how the resulting function behaves when you subject it to inputs you haven't tried yet.
Even the "simple" example given might be interpreted many different ways in these fields. For instance:
- If you can't assume anything about the function and your model of it must reproduce exactly the correct value, you have no choice but to evaluate all 2^64 possibilities. You don't necessarily have to store them all as you go if you correctly guess a function that can reproduce every value with the right parameters.
- If you know that there is exactly one value of
athat changes the function, and that it is one of two linear functions ofaandbdepending on this value then you'll need on average 2^31 trials to find the magicavalue, significantly shrinking the problem. - If you don't require an exact reproduction then you can begin reasoning from a value judgement about what errors are acceptable. For instance, a function which is completely wrong 2^-32 of the time might be perfectly acceptable, so if you know that the special case is no bigger than this you can just pick a few random values (almost certainly not accidentally picking
a = 234) and solve the linear equations. - You might not reasonably know that the function has linear parts, but know that it's no more complex than some other function. The parameters to this more complex function, when fitted to outputs from the secret function, would produce a function which matches linear behaviour for the values obtained from the function, but wouldn't necessarily be guaranteed to behave linearly for untested values; the possible behaviours of any function you choose to fit must hence endeavour to match the range of behaviours that can be considered plausible under your assumptions.
These are big fields, and there are plenty of options that may be available to you with the benefit of the specifics of your problem.
answered 2 days ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
This problem essentially describes the field of sequential analysis coupled with curve fitting.
If you are able to make some assumptions about the inputs to the secret function that your model needs to be good for, you can use this to guide your choice of algorithm for generating new values to try as inputs to the function.
If you are able to make some assumptions about the characteristics of the function, you can use this to guide your choice of function to fit to the outputs of the secret function, which will determine how the resulting function behaves when you subject it to inputs you haven't tried yet.
Even the "simple" example given might be interpreted many different ways in these fields. For instance:
- If you can't assume anything about the function and your model of it must reproduce exactly the correct value, you have no choice but to evaluate all 2^64 possibilities. You don't necessarily have to store them all as you go if you correctly guess a function that can reproduce every value with the right parameters.
- If you know that there is exactly one value of
athat changes the function, and that it is one of two linear functions ofaandbdepending on this value then you'll need on average 2^31 trials to find the magicavalue, significantly shrinking the problem. - If you don't require an exact reproduction then you can begin reasoning from a value judgement about what errors are acceptable. For instance, a function which is completely wrong 2^-32 of the time might be perfectly acceptable, so if you know that the special case is no bigger than this you can just pick a few random values (almost certainly not accidentally picking
a = 234) and solve the linear equations. - You might not reasonably know that the function has linear parts, but know that it's no more complex than some other function. The parameters to this more complex function, when fitted to outputs from the secret function, would produce a function which matches linear behaviour for the values obtained from the function, but wouldn't necessarily be guaranteed to behave linearly for untested values; the possible behaviours of any function you choose to fit must hence endeavour to match the range of behaviours that can be considered plausible under your assumptions.
These are big fields, and there are plenty of options that may be available to you with the benefit of the specifics of your problem.
answered 2 days ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 2 days ago
WillWill
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 2 days ago
WillWill
1211
answered 2 days ago
WillWill
1211
1211
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Will is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Thanks for contributing an answer to Reverse Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f21089%2fis-it-possible-to-build-an-equivalent-function-just-looking-at-the-input-and-out%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
4
I think you already answered the question with your example. The special case (234) can't be detected without evaluating the function with exactly that input. A lookup-table also only works for inputs with a defined range, use strings and you will never be able to create a lookup-table.
– FooTheBar
Apr 9 at 10:04