Skip to content
master
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
src
 
 
 
 
 
 
 
 

README.rst

Looking inside the (Drop) box

Security Analysis of Dropbox.

Web-based Presentation

"Upstream" Resources

Status

We are able to handle Dropbox version 73.4.118 from 29-May-2019.

Reversing Dropbox

  1. Note: For handling modern (> late 2018) Dropbox versions use "dedrop-ng" which is included in this repository.

    https://github.com/kholia/dedrop/tree/master/src/dedrop-ng

  2. Download Dropbox and extract it.

    $ cd ~
    
    $ export DROPBOX_VERSION="dropbox-lnx.x86_64-23.4.19"
    
    $ wget -c "https://www.dropbox.com/download?plat=lnx.x86_64" -O $DROPBOX_VERSION.tar.gz
    
    $ tar -xzf $DROPBOX_VERSION.tar.gz
    
  3. Build "dedrop". Switch to this repository and do,

    $ cd src/dedrop
    
    $ make
    
    $ cp libdedrop.so ~
    
  4. Use LD_PRELOAD and inject libdedrop.so into Dropbox.

    $ cd ~
    
    $ export BLOB_PATH=.dropbox-dist/$DROPBOX_VERSION/dropbox
    
    $ LD_PRELOAD=`pwd`/libdedrop.so .dropbox-dist/dropboxd
    
  5. De-compile the "fixed" bytecode files.

    $ uncompyle6 pyc_decrypted/client_api/hashing.pyc
    ...
    
  6. Study the soure-code, find bugs and make Dropbox better!

  7. You might need to do xhost local:root to start Dropbox.

Dependencies (for paper)

  • texlive

  • texlive-minted

  • texlive-texments

  • python-pygments

    yum install texlive texlive-minted python-pygments texlive-texments \
        texlive-ifplatform texlive-endnotes
    

Credits

Resources

TODO

  • Find alternatives to "tray_login" method since it is going to be patched soon. This is now redundant since Dropbox client now uses 2FA properly.
  • "While your submission was interesting, there has been other research on similar topics. There is nothing wrong with talking about the same topic more than once, especially one that has a large impact but if you are expanding on a topic, make sure to highlight how you are taking the research to a new level. Be clear with the review board about how what you are doing is extending the research." <= (apply this feedback to the paper and presentation).
  • Looking deeper into the (Drop) box.
    • dump bytecode from memory (revive pyREtic).

About

Looking inside the (Drop) box. Security Analysis of Dropbox. Updated WOOT '13 paper and other goodies.

Resources

Releases

No releases published

Packages

No packages published
You can’t perform that action at this time.