From: bill@twwells.com (T. William Wells)
Date: Fri, 27 Aug 93 20:08:29 PDT
To: cypherpunks@toad.com
Subject: Re: .Comparing ViaCrypt and freeware.
In-Reply-To: <9308272102.AA17377@toad.com>
Message-ID: <CCFvDw.4pL@twwells.com>
MIME-Version: 1.0
Content-Type: text/plain


: > If you're worried about backdoors, reverse engineer it and verify
: > that it works as advertised. Given that the program has to largely
: > duplicate an existing set of source, this should be trivial.
:
: do you mean decompile it, or reverse engineer it based on the

Decompile.

: neither is "trivial" in my mind.

I have a program that (mostly) automatically turns 386 code into
ugly C code. It's not maintainable but, for the purpose of
determining that the commercial product is essentially the same
as the version that you have source to, that's not necessary. You
compile the two versions, decompile them, diff the results,
pattern match to eliminate the artifactual differences, re-diff
and then examine the diff with the proverbial fine-tooth comb.
This would make it quite easy to determine what the commercial
code is actually doing, with a minimum of work. And remember: it
only has to be done once per version.

(No, before anyone asks, the decompiler isn't available. It's not
documented. It's hackery. And the code is gross. You'd be much
better off writing your own; it isn't hard.)