How does it work? let's find out. live reversing thread, let's go
downloaded torrent is a split rar. lol
in 2024
okay so extracting it, we have the legit installer
all the files are signed by Ableton AG. also lmao overpriced code signing cert that's a pain in the ass to get
the actual crack is cute
it's a keygen with a vcruntime dll
the keygen, we can run it in a VM later, so no need to reverse this for now. the msvcrt runtime dll is too small to be a real one. it's probably just a shim
for reference, here's also what the size of real ones looks like
how does a dll shim work?
great tool for patching, cracking, game hacking etc.
you make a dll that pretends to be another dll that's referenced by the thing you're trying to patch
put the dll earlier in the search path so yours gets loaded instead
in your shim, provide all the same exports, but just delegate all the calls to the real dll's implementation (i.e. via LoadLibraryA and GetProcAddress)
use the DllMain hooks to get code execution at load time. then use GetModuleHandleA to get pointers to various shit you wanna patch
anyways, enough background info. let's stop fucking around and actually look at the dll.
pretty standard pe header, not very fucked up (this is a good sign)
text section looks like normal x86_64 (starts with "H" = push. normal function epilogue. This is what we want to see!). code is low entropy from visual inspection
...wait, that's it? that's a tiny text section. also a good sign. not much shit to reverse, so not a lot of places you can hide bad shit.
ok lets look at the data section ig
rofl
i bet this is like an RSA public key or some shit.
they're probably just patching the license signing key
okay it's 376h long which is 886 bytes in decimal. but this is ascii hex so this is really 443 bytes encoded.
DSA1024 keys are 443 bytes long (thx stackoverflow)
also lol if u read the NFO it tells u that this is in fact the protection used
1024 bit RSA is weak (~80 bits of security iirc), i feel like it may become factorable in this decade(?) with $$$ and some cloud compute?
lol some strings but yeah these make sense. some random cxx exception handling bullshit
!!!wowiee!! it's the imports table. and it imports exactly all the shit a shim should import
GetSystemDirectoryW is probably for finding the real vcruntime140.dll
VirtualProtect is probably for patching ableton. also i guess they're patching the main exe based on the string earlier
ok let's actually reverse the fucking thing in ida instead of fucking around in a hex editor
😋🤤
this will be a piece of cake
enums/names added by me
wow, guess what, it does the thing i described
quick n dirty annotation
to make more obvious what is going on, here is the cff explorer of the real binary and the shim
it's basically just going thru its own exports table and re-resolving the exports to the real functions
i guess they chose this dll because it only has 3 exports so it's easy and tiny. doesn't really matter tho, u could shim whatever dll in theory
ok how does the patching work?
looks like they are basically doing some hardcoded sig scanning lol
that looks like ascii to me.
ok i guess they are parsing the pe header and finding where the rdata section starts? lol that is pretty gamer
alright let's fuck around and add some structs
did u know e_lfanew means logical file address for the New Executable header? me neither.
it's some shit like this, there's some incorrect shit like &ntHeader[1] because the struct doesn't include the section headers
waow
waoow
did u know ida pro has three types of comments
anterior, posterior and inline?
insert, shift-insert, and / are the hotkeys
i don't give mac hotkeys because mac users aren't real. mac users have a real ida license and that's just not real to me.
did u know that if u press \ u can make all of the problems magically disappear??
ok so it does the virtualprotect
did you know you can unfuck the flags in VirtualProtect in ida using bitfield enums?? no one does this tho and that makes me sad.
btw the VirtualProtect is to make the page writeable so u can patch the code. sorry, i forgot to mention that. VirtualProtect is windows mmap by the way, for all u losers who learned C in college 👎👎👎👎
alr lezz fuck
i fw this heavy
alright, that's the whole thing. normally i wouldn't go into so much detail or rename all the shit. i figured i would do it here to show how something like this is done, for educational purposes
ok that about wraps it up, i'm going to install ableton now bye
if you enjoyed this thread fun fact you can support me on of (there is a link to it in my youtube bio)
Overall I give this crack a 9/10 rating
- NFO file explains what protections were bypassed
- Public key patch, only patching rdata. No code is written, which makes it very easy to audit
- Sideloaded patcher in shim DLL makes it resilient to software updates
- Good NFO art
bonus points for only scanning .rdata and parsing the PE header. some truly above and beyond shit
This is why RE is a based skill: it lets me sleep like this while running pirated shit
SO!!!! is this dll safe?? probably! you can't be quite sure only looking at decompilation because sometimes there is bad shit like code execution hidden in exception handlers or imports or relocations or some bullshit.
this MF right here: -->👅👢
if you liked this thread, I do live reverse engineering streams on youtube!
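to make the "parse the PE header, find .rdata, sig scan, swap the key" part concrete, here is an added example of my own in python. it is not the crack's code and not the thread author's annotations: it does on a file image what the shim does on the mapped module from DllMain. the sample PE, the key blobs, and every function name below are constructed for illustration; the VirtualProtect step is only described in a comment because it only applies to a live module.

```python
"""Added example (my own code, not the crack's or the thread author's): a PE
parser plus .rdata-only signature patch that mirrors the steps the thread
reverses out of the shim. The sample PE, the key strings and the function
names are all constructed for illustration."""
import struct

# Offsets/formats from the PE/COFF spec.
E_LFANEW_OFF = 0x3C            # IMAGE_DOS_HEADER.e_lfanew
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_FMT = "<HHIIIHH"   # IMAGE_FILE_HEADER
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)   # 20
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER
SECTION_SIZE = struct.calcsize(SECTION_FMT)           # 40


def section_table(image):
    """Walk e_lfanew -> NT headers -> section headers and yield
    (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
    The section headers start right after the optional header, i.e. at
    SizeOfOptionalHeader past the file header (what IMAGE_FIRST_SECTION computes)."""
    nt_off = struct.unpack_from("<I", image, E_LFANEW_OFF)[0]
    if image[:2] != b"MZ" or image[nt_off:nt_off + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image")
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = \
        struct.unpack_from(FILE_HEADER_FMT, image, nt_off + 4)
    sec_off = nt_off + 4 + FILE_HEADER_SIZE + opt_size
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = \
            struct.unpack_from(SECTION_FMT, image, sec_off + i * SECTION_SIZE)[:5]
        yield name.rstrip(b"\0"), vsize, vaddr, rsize, rptr


def section_range(image, name, mapped=False):
    """(start, size) of a named section. On disk use PointerToRawData; inside a
    module the loader has mapped (what the shim patches, relative to the base
    from GetModuleHandleA) use the RVA and VirtualSize instead."""
    for sname, vsize, vaddr, rsize, rptr in section_table(image):
        if sname == name:
            return (vaddr, vsize) if mapped else (rptr, rsize)
    raise KeyError("section %r not found" % name)


def sig_scan(buf, start, size, pattern):
    """Hardcoded signature scan limited to [start, start+size). `pattern` is a
    list of byte values, with None as a wildcard ('??' in sig-scanner notation).
    Returns the offset of the first hit or -1."""
    n = len(pattern)
    end = min(start + size, len(buf)) - n + 1
    for off in range(start, end):
        if all(p is None or buf[off + k] == p for k, p in enumerate(pattern)):
            return off
    return -1


def patch_key(image, old_key, new_key):
    """Swap the ASCII-hex public key for one whose private half we hold.
    Only .rdata is searched, and the blob must keep its size so nothing
    else in the image moves."""
    if len(new_key) != len(old_key):
        raise ValueError("replacement key must be the same length")
    start, size = section_range(image, b".rdata")
    off = sig_scan(image, start, size, list(old_key))
    if off < 0:
        raise ValueError("key signature not found in .rdata")
    patched = bytearray(image)
    # On a live module this is where VirtualProtect(PAGE_READWRITE) is needed
    # first, because .rdata is mapped read-only; restore the old protection after.
    patched[off:off + len(new_key)] = new_key
    return bytes(patched)


# Constructed sample PE: .text at file offset 0x200, .rdata at 0x400.
# OLD_KEY is a made-up ASCII-hex blob, nothing real. A decoy copy sits in
# .text to show the .rdata-only scan leaves it alone.
OLD_KEY = b"30819f300d06092a864886f70d010101050003818d00308189028181"
NEW_KEY = b"deadbeef" * (len(OLD_KEY) // 8)


def build_sample_pe():
    nt_off, opt_size = 0x40, 0xF0
    dos = b"MZ" + b"\0" * (E_LFANEW_OFF - 2) + struct.pack("<I", nt_off)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x8664, 2, 0, 0, 0, opt_size, 0x2022)
    opt_hdr = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic only
    secs = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (dos + PE_SIGNATURE + file_hdr + opt_hdr + secs).ljust(0x200, b"\0")
    text = (b"\xC3" * 0x40 + OLD_KEY).ljust(0x200, b"\xCC")   # decoy copy at 0x240
    rdata = (b"\0" * 0x20 + OLD_KEY).ljust(0x200, b"\0")      # real target at 0x420
    return headers + text + rdata


if __name__ == "__main__":
    img = build_sample_pe()
    print([s[0] for s in section_table(img)],
          hex(patch_key(img, OLD_KEY, NEW_KEY).find(NEW_KEY)))
```

the two things worth noticing: the scan is bounded to the .rdata range from the section table instead of the whole module (so a key-looking blob anywhere else is never touched), and the replacement has to be exactly the same length, since the shim is patching bytes in place and cannot move anything.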
99% of YouTube videos lately are clickbait and stretch out ~1 paragraph of Wikipedia into 30+ minutes of content. Many videos are just questions with simple answers.
So I built : put in the URL and save your time! tldw.tube
Code:
This was a fun way to practice my full-stack skills and try out how much Claude speeds up my work. It's great. github.com/stong/tldw
Funny enough, when deploying to prod, the backend stopped working as Youtube blocks datacenter IPs.
Solution: use residential proxy. Problem solved LOL
In 2008, the Danish government used cutting-edge cryptography to auction 25,000 tons of beets.
The auction was needed to set the price of sugar beets. However, the farmers didn't want to show their hand. Rather than hire expensive consultants, they used MPC to implement this private auction.
But what's MPC, and how does it work? Let's build an MPC implementation from scratch. Here's how:
MPC, or multi-party computation, is about how multiple parties can do shared computations on private inputs without revealing those private inputs.
Suppose you and your friend want to compare who's richer, but without revealing your net worths.
MPC allows us to accomplish this, by computing the function (x > y), where x and y are private inputs.
In general, MPC can be used to build all kinds of useful protocols, like threshold cryptography, dark pools, and private auctions (for sugar beets)!
For example, MPC can be used to jointly encrypt a message with AES, with the key split up among many different parties.
But what's the difference versus key splitting, like Shamir's Secret Sharing?
In secret sharing, the key has to get reassembled. At some point, some trusted party is going to have the entire key available to them. That trusted party could get compromised.
With MPC, the whole operation is done in MPC, meaning there's no point where the combined key could be extracted.
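As an added example (my own code, not from the thread), here is the arithmetic core of a two-party MPC built from scratch: additive secret sharing plus Beaver-triple multiplication. The field prime, the dealer that hands out triples, and the function names are my own assumptions. It shows the point made above: the two inputs are shared, added and multiplied, and the result is opened, but neither party ever holds the other's input, and nothing is reassembled except the final output.

```python
"""Added example: additive secret sharing with Beaver-triple multiplication,
the arithmetic core of two-party MPC. The field modulus, the trusted dealer
for triples, and all names here are my own illustration, not the thread's."""
import secrets

P = (1 << 61) - 1   # prime field modulus (assumption: any large prime works)


def share(x, n=2):
    """Split x into n additive shares mod P. Any n-1 of them are uniformly
    random, so a party holding its share learns nothing about x."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Opening a value: the only step where shares are combined."""
    return sum(shares) % P


def add_shares(xs, ys):
    """Addition is local: each party adds its own two shares, no communication."""
    return [(x + y) % P for x, y in zip(xs, ys)]


def beaver_triple(n=2):
    """Correlated randomness (a, b, c = a*b) shared out by a dealer in a setup
    phase. The dealer sees only random values, never the parties' inputs."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a, n), share(b, n), share(a * b % P, n)


def mul_shares(xs, ys, triple):
    """One round of communication: the parties open d = x - a and e = y - b
    (masked by the random a, b, so they leak nothing about x or y), then
    compute z = c + d*b + e*a + d*e locally on shares. Check:
    x*y = (a+d)(b+e) = ab + ae + bd + de."""
    as_, bs, cs = triple
    d = reconstruct([(x - a) % P for x, a in zip(xs, as_)])   # everyone broadcasts x_i - a_i
    e = reconstruct([(y - b) % P for y, b in zip(ys, bs)])    # everyone broadcasts y_i - b_i
    zs = [(c + d * b + e * a) % P for a, b, c in zip(as_, bs, cs)]
    zs[0] = (zs[0] + d * e) % P   # the public constant d*e is added by one party only
    return zs


def private_poly(x, y):
    """Party 0 holds x, party 1 holds y. They jointly compute x*y + x + y
    without either one ever seeing the other's input. Returns the opened
    result and each party's view: only its own shares of everything."""
    xs, ys = share(x), share(y)      # each party shares its own input with the other
    prod = mul_shares(xs, ys, beaver_triple())
    out = add_shares(add_shares(prod, xs), ys)
    views = {i: {"x_share": xs[i], "y_share": ys[i], "out_share": out[i]} for i in range(2)}
    return reconstruct(out), views


if __name__ == "__main__":
    result, views = private_poly(12345, 678)
    print(result, (12345 * 678 + 12345 + 678) % P)
```

The richer-than-me comparison (x > y) from the thread needs a comparison gadget built on top of these two operations (typically bit decomposition of the shared values); the sharing and multiplication above are the primitives everything else composes from, and any circuit expressed as additions and multiplications over the field runs the same way.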
An open-source, high-quality dataset of over 175M lines of Ethereum smart contract source code! It has about 150k unique contract sources across 30M smart contracts.
@chompie1337 CTFs = math competitions
Problem solving ability yes; but ruthlessly heavy on “guess the trick” and “get into the chal author’s brain” and “know chal fashion meta”.
I like to tell people to hack video games. More free form, less on rails, many possible solutions, more creative.
@chompie1337 CTFs should not be the ONLY answer for “how to get into security” because it’s on rails. It is good at teaching SPECIFIC tricks and skills. But chals often have ONE intended solution. Whereas security in general is all about finding the alternative and unintended paths.
@chompie1337 Problem: chals are designed so as to test a VERY SPECIFIC piece of knowledge. So all unintended solns are anticipated and blocked. But my experience IRL is that if you are willing to dig hard enough, there is ALWAYS a path. For example:
Common misconception: Idle memory usage is bloat. "I have 32GB of RAM, why is 16GB used when nothing is open?"
No, this is fine. If the memory is installed, the OS should make full use of it. Caching and prefetching are crucial for performance. Do you want everything to be slow?
"In use" != "Unavailable memory"
Private bytes (non-shared, non-cached) is unavailable memory.
And that is not even considering swapping/paged vs non-paged.