Good Debugger or Hacker?

Given enough time working in the software industry, and before proper source control discipline has been instilled, a developer will no doubt encounter a problem in a program that they no longer have the ability to attach a debugger to, or, if the developer is really junior, no longer have the ability to sprinkle log statements into. Once forced into this position, the skill of examining a running program without access to its source code is basically the unsexy definition of hacking. Rely on these skills to make troubleshooting easier.

Skill 1 – Watch the Console 

The console is a wealth of information. Whether because of a platform limitation (the only way to debug is to use console statements) or because the developer has not developed proper debugging discipline, the developer will have left a lot of “notes” on the console. Just attach the device and watch its console. 99% of the time you will find keys, or the notes expose the sequence of actions. Even better are the crashes: if it’s a null pointer or an overflow, it becomes a good candidate for attack. I mean troubleshooting.
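The kind of thing that turns up when you watch the console, and what a log sink should do about it, as an added example that is not part of the original article. The console lines, key formats and crash strings below are constructed for the example; the patterns are illustrative shapes of common secrets, not a complete list.

```python
import re

# Constructed sample console output for this example (not from any real device or app).
SAMPLE_CONSOLE = """\
[12:01:03] app: starting session for user 42
[12:01:03] net: POST /api/login token=sk_live_4f9a1c2b8e7d6f5a
[12:01:04] auth: step 1 ok -> step 2 ok -> step 3 granted
[12:01:09] cfg: api_key=AKIAEXAMPLEKEY000000
[12:01:10] FATAL: NullPointerException at Session.load(Session.java:88)
[12:01:11] ERROR: buffer overflow detected in parse_packet
"""

# Material that should never reach a console. The shapes are illustrative
# guesses at common key formats, not an exhaustive catalogue.
SECRET_PATTERNS = {
    "stripe-style secret key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}"),
    "aws-style access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "key/token assignment": re.compile(r"\b(?:api_key|token|secret|password)\s*[=:]\s*\S+", re.I),
}
# Crash signatures the article singles out as worth a second look.
CRASH_PATTERNS = {
    "null pointer": re.compile(r"NullPointerException|null pointer|SIGSEGV", re.I),
    "overflow": re.compile(r"overflow", re.I),
}


def scan_console(text: str) -> list:
    """Return one finding per (line, kind): a leaked secret or a crash."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                findings.append({"line": lineno, "kind": "secret", "label": label})
                break  # one secret finding per line is enough
        for label, pat in CRASH_PATTERNS.items():
            if pat.search(line):
                findings.append({"line": lineno, "kind": "crash", "label": label})
                break
    return findings


def redact(line: str) -> str:
    """What the logging layer should apply before anything leaves the device."""
    for pat in SECRET_PATTERNS.values():
        line = pat.sub("[REDACTED]", line)
    return line


if __name__ == "__main__":
    for f in scan_console(SAMPLE_CONSOLE):
        print(f"line {f['line']:>2}: {f['kind']:<6} {f['label']}")
```

Running the scanner over the sample flags two leaked keys and two crash lines; the same patterns wired into `redact` are the fix, so the "notes" never carry anything worth reading in the first place.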

Skill 2 – Watch the Traffic 

A misbehaving program is sometimes just acting on bad data. By learning how to sit in the middle of a communication, you can examine the data that could be the cause of the problem. Once the problem is found, the developer might need to prove the cause, and this is when the developer will actually change the traffic before it gets to the program. Once this skill is learned, why stop at your own program? You can now do this with any program. The apt name for this skill is man in the middle (MITM), if you want to Google the good stuff.
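The receiving side of the exchange described above, as an added example that is not part of the original article. It shows the naive receiver that trusts whatever arrives beside a receiver that authenticates each message with an HMAC, and a stand-in for the party in the middle that rewrites one field so the difference can be demonstrated. The shared key, message format and payload are constructed for the example; a real deployment would use TLS and a provisioned key rather than a literal in source.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example only.
SHARED_KEY = b"example-key-not-real"


def encode_body(payload: dict) -> bytes:
    # Canonical encoding so sender and receiver authenticate identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_message(payload: dict, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: body|hex(HMAC-SHA256(key, body))."""
    body = encode_body(payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def split_message(wire: bytes):
    body, sep, tag = wire.rpartition(b"|")
    if not sep:
        raise ValueError("message has no tag")
    return body, tag


def is_authentic(wire: bytes, key: bytes = SHARED_KEY) -> bool:
    """Receiver check: recompute the tag and compare in constant time."""
    body, tag = split_message(wire)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag)


def parse_unauthenticated(wire: bytes) -> dict:
    """The naive receiver: acts on whatever body arrives."""
    body, _ = split_message(wire)
    return json.loads(body)


def parse_authenticated(wire: bytes, key: bytes = SHARED_KEY) -> dict:
    """The hardened receiver: refuses anything whose tag does not verify."""
    if not is_authentic(wire, key):
        raise ValueError("message altered in transit or wrong key")
    return json.loads(split_message(wire)[0])


def alter_in_transit(wire: bytes, field: str, new_value) -> bytes:
    """Stand-in for the middle box the article describes: rewrites one field
    and forwards the message with the original tag untouched."""
    body, tag = split_message(wire)
    payload = json.loads(body)
    payload[field] = new_value
    return encode_body(payload) + b"|" + tag


if __name__ == "__main__":
    original = build_message({"user": "alice", "role": "user"})
    altered = alter_in_transit(original, "role", "admin")
    print("naive receiver sees role:", parse_unauthenticated(altered)["role"])
    print("authenticated receiver accepts altered message:", is_authentic(altered))
```

The altered message parses cleanly for the naive receiver and is rejected by the authenticated one, which is exactly the evidence a developer wants when proving that bad data on the wire, rather than the program, is the cause.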

Skill 3 – Attach a Hex Debugger 

A Turing machine is nothing more than a fancy way of saying that a program is pretty dumb. To trivialize the process: at its core, a computer only acts on a series of numbers. The program is told where to look for the first number, and depending on what that number is, it will add or subtract the following numbers. If you can find the location of the number that basically says “ok, let this guy through,” then by changing this number to whatever the program expects, you have the basic skill to bypass any section of code and … troubleshoot problem areas. On Windows the program is called Cheat Engine; it even has a handy script generator that can automate this action, or, as they call it online, generate a "trainer".
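The paragraph's picture of a program as a list of numbers, made concrete as an added example that is not part of the original article and not anything Cheat Engine produces. The toy machine, its opcodes and the cell numbers are all invented for the example. It lays out an "is this user allowed?" check, runs it, and lists the cells that conditional jumps read, which is what the paragraph calls the "let this guy through" number. The point a defender takes from it is that when the decision lives in one cell, a single write to that cell flips it.

```python
# Toy machine for this example only: program and data share one list of integers.
HALT, ADD, SUB, JZ, JMP = 0, 1, 2, 3, 4
OPERANDS = {HALT: 0, ADD: 2, SUB: 2, JZ: 2, JMP: 1}   # operand count per opcode

GATE, RESULT, ONE = 30, 31, 32   # data cells, chosen arbitrarily
PROGRAM_LEN = 11


def load_program(gate_value: int) -> list:
    """Lay out the allow/deny check as plain numbers in memory."""
    mem = [0] * 40
    mem[0:PROGRAM_LEN] = [
        JZ, GATE, 7,        # cell 0: if mem[GATE] == 0, jump to the deny path at cell 7
        ADD, RESULT, ONE,   # cell 3: allow: result += 1
        HALT,               # cell 6
        SUB, RESULT, ONE,   # cell 7: deny: result -= 1
        HALT,               # cell 10
    ]
    mem[GATE] = gate_value
    mem[ONE] = 1
    return mem


def run(mem: list, max_steps: int = 1000) -> int:
    """Execute from cell 0; return the decision in RESULT (+1 allow, -1 deny)."""
    pc = 0
    for _ in range(max_steps):
        op = mem[pc]
        if op == HALT:
            return mem[RESULT]
        if op == ADD:
            mem[mem[pc + 1]] += mem[mem[pc + 2]]
            pc += 3
        elif op == SUB:
            mem[mem[pc + 1]] -= mem[mem[pc + 2]]
            pc += 3
        elif op == JZ:
            pc = mem[pc + 2] if mem[mem[pc + 1]] == 0 else pc + 3
        elif op == JMP:
            pc = mem[pc + 1]
        else:
            raise ValueError(f"bad opcode {op} at cell {pc}")
    raise RuntimeError("no HALT reached")


def decision_cells(mem: list, length: int = PROGRAM_LEN) -> list:
    """Walk the instruction stream and list the cells conditional jumps read.
    Each is a single number that chooses a path through the program."""
    cells, pc = [], 0
    while pc < length:
        op = mem[pc]
        if op == JZ:
            cells.append(mem[pc + 1])
        pc += 1 + OPERANDS[op]
    return cells


if __name__ == "__main__":
    print("licensed run:", run(load_program(1)))
    print("unlicensed run:", run(load_program(0)))
    print("cells that decide the outcome:", decision_cells(load_program(0)))
```

With the gate cell at 0 the program takes the deny path; with it at 1 it allows. `decision_cells` reports cell 30 as the only number the branch depends on, so anyone who can write that one cell controls the outcome, which is why a check that matters should not be a single plain value sitting in memory.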

If the developer proceeds down this rabbit hole, what emerges at the other end is a white hat security analyst who can start countering these techniques. If the developer desires, they can always decompile a program, but that tends not to be very useful, since it is not always possible to recompile the program, and if it were possible, it would have changed the nature of the bug that the developer is looking for. However, a decompiled program can expose hard coded keys or show the protections that are in place. Hackers are just really good debuggers.

Bonus: Save yourself some time: modify an open source JS interpreter and run any web app through it. Even minified and obfuscated JS can't hide from that.
