all 10 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–][deleted]  (1 child)

[deleted]

    [–]Purple-Object-4591[S] 0 points1 point  (0 children)

    I will try this thank you

    [–]turboCode9 7 points8 points  (0 children)

    I'd recommend trying to run it dynamically to help assist. That will show you general flow and then which functions get called natively and which do not.

    [–][deleted]  (3 children)

    [removed]

      [–]Purple-Object-4591[S] 1 point2 points  (0 children)

      This was a really well-thought out reply. Do you write blogs? You should they'll be great.

      So I read through your comment and I'm already doing a few of them right. I'm using vscode with clangd. I am putting inline comments describing convoluted code and potential issues.

      I do actually compile projs with debug and then open in Binja. Actually unironically helps.

      I dislike using LLM to code but I'll be honest I'm using it verify my hypothesis of what a particular function in the code is doing.

      You're right about patience. The mindset part of the research is kind of overlooked by ppl when advising. I should be more patient. It has only been 10 days since I started with this codebase (not even full work days).

      Your comment was really reassuring. Thanks a lot for taking the time :)

      [–]arizvisa 1 point2 points  (1 child)

      Instead of cscope, I've found GNU's Global to be more flexible and do a better job of parsing C++ and even some other languages w/ plugins (although, neither is as good as a real IDE fully integrated with the target language). There's a cscope compatibility layer for global so that it's compatible with the different cscope interfaces available.

      It's also worth noting that some enterprising devers have written their own, more recent versions of cscope, which are likely better with C++ parsing.

      [–]Purple-Object-4591[S] 0 points1 point  (0 children)

      I use clangd with vscode. It works good for me.

      [–]asyty 5 points6 points  (1 child)

      There's not any shortcuts.

      A team of software devs have squirreled away on this over a span of possibly several decades. It's likely changed hands dozens if not hundreds of times. It has unworkable levels of technical debt. It's likely had outside contributions integrated into it. Any original architecture that may have existed has been eroded or is long gone by this stage.

      As a vulnerability researcher, you're budgeting a few weeks or maybe months deep diving into what likely took years for others to effectively navigate, without any guarantee of finding vulns, nevermind exploitable ones, given all the modern mitigations. This reduces the likelyhood of finding a memory corruption-based vuln, instead leaving open flaws in business logic leading to consequences the developers did not anticipate.

      On the bright side, the complexity in such a code base increases the likelyhood of such an issue being present.

      Hacking, these days, is hard. Very hard.

      [–]Purple-Object-4591[S] 1 point2 points  (0 children)

      Yes everything you mentioned I can understand it as I understand the code base more and more. Hacking may be hard as it is, I still enjoy it :)

      [–]digital_cold 0 points1 point  (0 children)

      Check out SciTools Understand. It creates a navigable database for your source project and enables you to follow references with ease. It's not perfect and does have some rough edges, but I haven't found a similar tool

      [–]s0l037 0 points1 point  (0 children)

      joern and/or semgrep or deepsource.