cts🌸🏳️‍⚧️ Profile picture
Apr 23 43 tweets 13 min read Read on X
im pirating Ableton Live suite 12

the .NFO has an interesting tidbit:

"does not modify any original binaries".

How does it work? lets find out. live reversing thread lets go Image
downloaded torrent is a split rar. lol

in 2024
Image
Image
okay so extracting it we have the legit installer

all the files are signed by Ableton AG. also lmao overpriced code signing cert thats a pain in the ass to get
Image
Image
the actual crack is cute

it's a keygen with a vcruntime dll

the keygen, we can run it in a VM later, so no need to reverse this for now. the msvcrt runtime dll is too small to be a real one. its probably just a shim

for reference here's also what size of real ones look like
Image
Image
how does a dll shim work?

great tool for patching, cracking, game hacking etc.

you make a dll that pretends to be another dll thats referenced by the thing you're trying to patch

put the dll earlier in the search path so yours get loaded instead Image
in your shim, provide all the same exports, but just delegate all the calls to the real dll's implementation (ie LoadLibraryA and GetProcAddress)

use the DllMain hooks to get code execution at load time. then use GetModuleHandleA to get pointers to various shit you wanna patch
anyways enough background info. lets stop fucking around and actually look at the dll.

pretty standard pe header, not very fucked up (this is a good sign) Image
text section looks like normal x86_64 (starts with "H" = push. normal function epilogue. This is what we want to see!) code is low entropy from visual inspection Image
...wait, that's it? that's a tiny text section. also a good sign. not much shit to reverse. so not a lot of places you can hide bad shit. Image
ok lets look at the data section ig

rofl

i bet this is like a RSA public key or some shit.

theyre probably just patching the license signing key Image
okay its 376h long which is 886 bytes in decimal. but this is ascii hex so this is really 443 bytes encoded.

DSA1024 keys are 443 bytes long(thx stackoverflow)
Image
Image
also lol if u read the NFO it tells u that this is in fact the protection used

1024 bit RSA is weak (~80 bits of security iirc), i feel like it may become factorable in this decade(?) with $$$ and some cloud compute? Image
lol some strings but yeah these make sense. some random cxx exception handling bullshit
Image
Image
!!!wowiee!! its the imports table. and it imports exactly all the shit a shim should import

GetsystemdirectoryW is probably for finding the real vcruntime140.dll

virtualprotect is probably for patching ableton. also i guess they're patching the main exe based on string earlier Image
ok lets acutally reverse the fucking thing in ida instead of fucking around in a hex editor
😋🤤 Image
this will be a piece of cake

enums/names added by me Image
wow guess what it does the thing i described Image
quick n dirty annotation Image
to make more obvious what is going on, here is the cff explorer of the real binary and the shim

its basically just going thru its own exports table and re-resolving the exports to the real functions
Image
Image
i guess they chose this dll because it only has 3 exports so its easy and tiny. doesnt really matter tho u could shim whatever dll in theory
ok how does the patching work?

looks like they are basically doing some hardcoded sig scanning lol Image
that look like ascii to me.

ok i guess they are parsing the pe header and finding where the rdata section starts? lol that is pretty gamer Image
alright lets fuck around and add some structs

did u know l_efanew means logical file address for the New Executable header ? me neither.

its some shit like this, theres some incorrect shit like &ntHeader[1] because the struct doesnt include the section headers Image
waow Image
Image
waoow Image
did u know ida pro has three types of comments

anterior posterior and inline?

insert, shift-insert, and / are the hotkeys

i dont give mac hotkeys because mac users arent real. mac users have a real ida license and thats just not real to me. Image
did u know that if u press \ u can make all of the problems magically disappear??
Image
Image
problem Solver.png Image
ok so it does the virtualprotect

did you know you can unfuck the flags in virtualprotect in ida using bitfield enums?? no one does this tho and that makes me sad. Image
btw the virtualprotect is to make the page writeable so u can patch the code. sorry i forgot to mention that. virtualprotect is windows mmap by the way for all u losers who learned C in college 👎👎👎👎
alr lezz fuck Image
i fw this heavy


Image
Image
Image
Image
alright thats the whole thing. normally i wouldnt go so in detailed or rename all the shit. i figured i would do it here to show how something like this is done for educational purpose Image
ok that about wraps it up im going to install ableton now bye
if you enjoyed this thread fun fact you can support me on of (there is a link to it in my youtube bio) Image
Overall I give this crack a 9/10 rating

- NFO file explains what protections was bypassed
- Public key patch, only patching rdata. No code is written which makes it very easy to audit
- Sideloaded patcher in shim DLL makes it resilient to software updates
- Good NFO art
bonus points for only scanning .rdata and parsing the PE header. some truly above and beyond shit
This is why RE is a based skill it lets me sleep like this while running a pirated shit Image
SO!!!! is this dll safe?? probably! you cant be quite sure only looking at decompilation because sometimes there is bad shit like code execution hidden in exception handlers or imports or relocations or some bullshit.
this MF right here: -->👅👢 Image
if you liked this thread, I do live reverse engineering streams on youtube!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with cts🌸🏳️‍⚧️

cts🌸🏳️‍⚧️ Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @gf_256

Sep 26
The entire disclosure seems to have been leaked online



Here is the report and POC gist.github.com/stong/c8847ef2…
Not surprisingly, it's in cups-browsed.

Thankfully, the mitigation seems to be simple: uninstall or firewall off cups. And most servers and containers should not have cups installed
All the credit goes to @evilsocket
Read 4 tweets
Feb 7
In 2008, the Danish government used cutting-edge cryptography to auction 25,000 tons of beets.

The auction was needed to set the price of sugar beets. However, the farmers didn't want to show their hand. Rather than hire expensive consultants, they used MPC to implement this private auction.

But what's MPC, and how does it work? Let's build a MPC implementation from scratch. Here's how:
MPC, or multi-party computation, is about how multiple parties can do shared computations on private inputs without revealing those private inputs.

Suppose you and your friend want to compare who's richer, but without revealing your net worths.

MPC allows us to accomplish this, by computing the function (x > y), where x and y are private inputs.

In general, MPC can be used to build all kinds of useful protocols, like threshold cryptography, dark pools, and private auctions (for sugar beets)!Image
For example, MPC can be used to jointly encrypt a message with AES, with the key split up among many different parties.

But what's the difference versus key splitting, like Shamir's Secret Sharing?

In secret sharing, the key has to get reassembled. At some point, some trusted party is going to have the entire key available to them. Trusted party could get compromised.

With MPC, the whole operation is done in MPC, meaning there's no point where the combined key could be extracted.Image
Read 7 tweets
Apr 24, 2023
Announcing Smart Contract Fiesta:🎉

An open-source, high-quality dataset of over over 175M lines of Ethereum smart contract source code! It has about ~150k unique contract sources across 30M smart contracts.

huggingface.co/datasets/Zelli…

Read more: 👇🧵
Dataset statistics:

Total contracts: 30,586,657
Contracts with code available: 3,897,319 (>10%!)
Contracts with code + unique bytecode: 149,386

Total LoC: 177,552,050 Image
Of the total 177M lines of code, we also measured blank vs comment vs code lines:

Code LoC: 90,562,628
Comments LoC: 62,503,873
Blank: 24,485,549 Image
Read 11 tweets
Dec 18, 2022
@chompie1337 CTFs = math competitions
Problem solving ability yes; but ruthlessly heavy on “guess the trick” and “get into the chal author’s brain” and “know chal fashion meta”.

I like to tell people to hack video games. More free form, less on rails, many possible solutions, more creative.
@chompie1337 CTFs should not be the ONLY answer for “how to get into security” because it’s on rails. It is good at teaching SPECIFIC tricks and skills. But chals often have ONE intended solution. Whereas security in general is all about finding the alternative and unintended paths.
@chompie1337 Problem: chals are designed so as to test a VERY SPECIFIC piece of knowledge. So all unintended solns are anticipated and blocked. But my experience IRL is that if you are willing to dig hard enough, there is ALWAYS a path. For example:
Read 12 tweets
Dec 9, 2022
Common misconception: Idle memory usage is bloat. "I have 32GB of RAM, why is 16GB used when nothing is open?"

No, this is fine. If the memory is installed, the OS should make full use of it. Caching and prefetching are crucial for performance. Do you want everything to be slow?
"In use" != "Unavailable memory"
Private bytes (non-shared, non-cached) is unavailable memory.
And that is not even considering swapping/paged vs non-paged.
Read 4 tweets
Dec 1, 2022
OMG WTF
bro wtf...
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(