[HN Gopher] Reverse engineering a software crack
___________________________________________________________________
Reverse engineering a software crack
Author : nharada
Score : 102 points
Date : 2024-04-23 14:58 UTC (8 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| skilled wrote:
| https://nitter.poast.org/gf_256/status/1782656618015904103
| _aavaa_ wrote:
| Thank you! This really should be the link, the twitter link is
| unusable
| dewey wrote:
| This says "Tweet not found" now.
| skilled wrote:
| It works fine but does lag sometimes. It's the only public
| Nitter instance that is reliably up since nitter.net was shut
| down or whatever else happened to it.
|
| Your error has happened to me also but it does eventually
| work.
| littlestymaar wrote:
| Oh, a Nitter instance that still works?
|
| I guess it's going to die soon like the others as they run out
| of guest accounts from scraping...
| doix wrote:
| This was a pretty long read and I didn't really get much from it.
| The format of a million tweets is awful.
|
| tl;dr it patches the executable by having a shim dll that does
| the patch when it gets loaded. Pretty common in the game modding
| community. It finds where it needs to patch by scanning for a
| byte pattern.
|
| What does the actual patch do? No idea, that's what I was waiting
| for and I never got it. I was expecting a disassembly comparison
| of the before and after.
|
| Someone please correct me if I'm wrong.
| fullspectrumdev wrote:
| As far as I can tell - and I could be wrong having spent about
| five minutes reading the thread - the shim DLL basically swaps
| out a public key used by the application's key verification
| system for a different one so the keygen can create a valid
| licence key.
|
| Without affecting any integrity checks in the target binary.
| doix wrote:
| Ah, that makes sense, thanks! I was pretty confused about the
| string copy and what that was doing. Normally I'd expect it
| to be writing a byte array. Now it all makes more sense.
| Agingcoder wrote:
| Same here - I was interested in the mechanics of the crack,
| having spent a fair amount of time reverse engineering binaries
| back in the days.
|
| This is just a bunch of screenshots with 'lol' interspersed.
| carom wrote:
| Agree, this was just a really long thread of someone creating
| structs in IDA.
| fullspectrumdev wrote:
| That's about 75% of reverse engineering work in IDA or
| Ghidra, to be fair: labelling/annotating shit, adding types
| to shit, and making sense of structs and other data types.
|
| There are extensions to both which automatically try to detect
| such things from common libraries/known calls/etc which
| massively cuts down on the timesink.
| mrguyorama wrote:
| I feel like this person is trying to copy Foone's voice but
| just doesn't get it.
| RockRobotRock wrote:
| Cybersec twitter is just awful. Everything has to be a call
| out or a dunk on someone/some company. It's all so negative.
| kaladin-jasnah wrote:
| Is this akin to using LD_PRELOAD on Linux to hook something
| like __libc_start_main and modifying specific data in one of
| the data sections of the ELF binary or something?
| rumdz wrote:
| Yes
| tamimio wrote:
| Because the whole article can be written in 2 tweets but you
| need that social media "interaction", so the author goes on
| talking about non-essential things. The crack itself is simple
| and smart to bypass the check by changing the public key; the
| only issue from what I have seen is there's a lot of hardcoded
| stuff like the key and the function numbers, so most likely it
| won't work in future updates.
| hruzgar wrote:
| this is really interesting!
| msla wrote:
| Threadreader:
|
| https://threadreaderapp.com/thread/1782656618015904103.html?...
|
| Archives:
|
| https://archive.ph/rpFft
|
| https://web.archive.org/web/20240423175847/https://threadrea...
| WirelessGigabit wrote:
| What is interesting here is that a signed piece of software can
| pick up an unsigned dll, execute it, and that execution causes a
| compromise of the system.
| speps wrote:
| Raymond Chen has a ton of "being on the other side of the
| airtight hatchway" articles.
|
| Most relevant I found:
| https://devblogs.microsoft.com/oldnewthing/20200420-00/?p=10...
|
| Probably in this case the installation of the crack requires
| admin privileges to modify files in the "Program Files" folder.
| Boom, you've broken the rules ;)
| Nextgrid wrote:
| This also raises a vulnerability. The author seems convinced
| this pirated copy is safe because the main binary is signed by
| Ableton, but there's no guarantee that there's a signature check
| on any of its dependent files.
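As an added, defender-side example (not code from the thread, from Ableton, or from any project mentioned here): a PowerShell check for the gap described above. It walks the modules loaded into a running process and reports any that are unsigned, invalidly signed, or signed by a different publisher than the main executable, which is how a shim DLL dropped next to a signed EXE would show up. The process id in the usage line is an assumption.

```powershell
# Added example: flag loaded modules that are unsigned, invalidly signed,
# or signed by someone other than the main executable's publisher.
# Modules under the Windows directory are skipped: they are Microsoft-signed
# (often via catalogs) and are not where an app-local shim DLL would live.
function Get-UntrustedLoadedModule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$ProcessId
    )

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    if (-not $proc.Path) {
        throw "Cannot read the main executable path for PID $ProcessId (access denied or protected process)."
    }

    $mainSig = Get-AuthenticodeSignature -FilePath $proc.Path
    if ($mainSig.Status -ne 'Valid') {
        Write-Warning "Main executable itself is not validly signed: $($mainSig.Status)"
    }
    $mainSigner = $mainSig.SignerCertificate.Subject

    # Reading .Modules fails across a 32-bit/64-bit mismatch between this
    # PowerShell host and the target; run the matching architecture then.
    foreach ($m in $proc.Modules) {
        if ($m.FileName -like "$env:SystemRoot\*") { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

        $reason = $null
        if ($sig.Status -ne 'Valid') {
            $reason = "signature status is $($sig.Status)"
        } elseif ($signer -ne $mainSigner) {
            # Catches both unsigned shims and shims re-signed with a cracker's own certificate.
            $reason = 'signer differs from main executable'
        }

        if ($reason) {
            [pscustomobject]@{
                Module = $m.FileName
                Signer = $signer
                Reason = $reason
            }
        }
    }
}

# Usage (the process id is an assumption; take it from Get-Process):
# Get-UntrustedLoadedModule -ProcessId 1234 | Format-Table -AutoSize
```

An empty result means every app-local module carries a valid signature from the same subject as the main executable; a row with Signer '<none>' is the unsigned-DLL case discussed above.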
| mhh__ wrote:
| Shared libraries are a scam
| can16358p wrote:
| Why can't I see the rest but only the first title tweet?
|
| Is that the case or is it a bug?
| mimischi wrote:
| Twitter requires an account for anything more than a single
| tweet nowadays. There's a link with an unrolled thread in the
| comments here.
| lcnPylGDnU4H9OF wrote:
| It's been that way for a little while. I presume it's a
| compromise between requiring a log-in and full "guest" access.
| amatecha wrote:
| "as designed", due to the gradual decrease in Twitter's
| functionality due to unknown reasons (probably trying to
| manipulate people into signing up to boost user count and ad
| revenue)
| hermitcrab wrote:
| If anyone is interested in crackers and their motivation, you
| might find this interview interesting:
| https://successfulsoftware.net/2011/04/07/interview-with-a-c...
| tamimio wrote:
| The first software I cracked was in 2004 (some video converter
| software), the motivation was simply that I can't afford it,
| but the "feeling" you get after is like a drug, then it's more
| of a challenge knowing that it's doable no matter what, just
| like lock picking, then that spark just dies and you stop
| cracking them.
| RetroTechie wrote:
| Cracked plenty of software back in the day but mostly for
| personal use.
|
| For the challenge, and because I disliked software being tied
| to a specific storage medium.
|
| It was a sport to minimize changes. Like pad out a single
| assembly instruction with NOPs, change a conditional jump
| into an unconditional one, etc.
| 3abiton wrote:
| In the android space, most app cracking is rather easy.
| Surprisingly.
| stong1 wrote:
| Oh hey, this is my thread. Thanks for reading, y'all! <3
|
| I also do reverse engineering streams on YouTube:
| https://www.youtube.com/basteg0d69
| ptsneves wrote:
| A nice topic and insight if not for the way it is written. I
| could not finish it. It feels like the author is unable to
| articulate his thoughts without interjecting curses and
| writing incoherently. Is this how people communicate
| technically in the newer generations?
| m0zzie wrote:
| > Is this how people communicate technically in the newer
| generations?
|
| I suspect this question is in bad faith but I'll answer anyway:
| this live tweeted thread is more like someone's thought stream,
| it is not a technical report.
|
| Many humans are capable of both technical writing, free of
| cursing, and also of dumping a swear-filled thought stream
| right into their favourite medium - especially when excitedly
| reverse engineering, or doing anything they're passionate
| about.
|
| This has been happening for a long time and is not about "the
| newer generation". You could've found me writing in a similar
| way on IRC in the late 90s, also talking about reversing.
|
| FWIW your comment feels valid enough up until your final
| sentence, you just didn't need to attack "the newer
| generations".
| axoltl wrote:
| Having worked with stong before, I can assure you they're
| perfectly capable of articulating their thoughts when they want
| to. This is quite a bit more off-the-cuff.
| alin23 wrote:
| It's done in a similar way on macOS: a dylib is added to the
| bundle and an LC_LOAD command is added to the app binary. The
| dylib is the first thing that runs because of using the
| constructor attribute, like this:
| https://notes.alinpanaitiu.com/Injecting%20a%20DYLIB%20into%...
|
| The nice thing is that a signed app will refuse to load a dylib
| that does not have the same signature. So crackers will be forced
| to change the whole app signature which can be easily detected in
| app code.
|
| I have that kind of protection in Lunar (https://lunar.fyi/) and
| Clop (https://lowtechguys.com/clop) and it seems to be good
| enough as they have no recent cracks.
| reactordev wrote:
| While code signing and verification is the way, you should also
| include a step on your own and not rely on the OS to do that
| for you. Apple's code signing has been bypassed a few times.
| Granted, they patch it; however, one can include a script that
| enables developer mode in a terminal process that can then
| disable code signing (enable insecure apps via developer-mode
| AppleScript).
|
| It's impossible to get past inspection on the Apple Store due
| to that extra script in the app bundle but a downloaded dmg off
| the web...
| alin23 wrote:
| Yes, I was referring to the fact that I do a manual code sign
| check in my own code. Otherwise, Gatekeeper will be happy to
| run any cracker-signed app, they even found ways to staple
| forged notarization tickets.
|
| Manual code sign checks can only be cracked by patching the
| binary, which requires a lot more effort than swizzling some
| methods in a dylib. Or by process injection with Frida, but
| that requires disabling SIP which most people won't do just
| for a cracked app.
| int3 wrote:
| seems like crackers could just patch the app code that detects
| this, no?
| alin23 wrote:
| For sure, it's just a bit more effort to reverse the app
| binary and find that part of the code. Enough effort to deter
| most crackers apparently.
___________________________________________________________________
(page generated 2024-04-23 23:00 UTC)