科技回声

A tech news platform built on Next.js, carrying global tech news and discussion.

© 2025 科技回声. All rights reserved.
Reverse engineering a software crack

213 points, by nharada, about 1 year ago

17 comments

msla, about 1 year ago
Threadreader: https://threadreaderapp.com/thread/1782656618015904103.html?utm_campaign=topunroll

Archives:
https://archive.ph/rpFft
https://web.archive.org/web/20240423175847/https://threadreaderapp.com/thread/1782656618015904103.html
stong1, about 1 year ago
Oh hey, this is my thread. Thanks for reading, y'all! <3

I also do reverse engineering streams on YouTube: https://www.youtube.com/basteg0d69
redbell, about 1 year ago
Pretty interesting!

I believe being successful in reverse engineering, cracking, bypassing security layers (e.g., unlocking cars without keys), and other hacks comes down to understanding the basics of how these systems are designed to work in the first place. Add to this the possession of the right toolbox to do the job.

Back in 2010, I took on the challenge of cracking paid/licensed POS software. I am, in no way, a cracker or hacker, but once I understood how this app works, I followed a simple logic based on these rules:

a. The app had a trial version with a number of *runs* set, and with each launch of the app, the number will decrease by one. It was set to around 100, I believe.
b. The app runs on a LAN, on multiple computers, with one being the server. To my surprise, there were no IP configurations, and it turned out that it worked on LAN by setting the app directory as a *shared folder* in Windows!!
c. On each app launch, even from other computers (having access to the shared folder), the count will decrease.

So, I started my investigation:

1. Since you have a shared folder, based on (c) above, I assumed the location where the count number is stored *must be inside* this shared folder, not in the Windows registry or other places.
2. I launched the app, wrote down the current count, and closed it.
3. I searched inside this shared folder for *.* (all files), then sorted them by last edited.
4. I picked the first one from the search result as it was the only one with the same time as *now*; it was in a binary format.
5. I opened it using a hex editor, converted (using calc.exe) to HEX the count I wrote down in (2), searched for it, and found it. I identified its position.
6. I closed the hex editor, repeated (2), (3) and (4), and got the same results.
7. Now, I typed 999 in calc.exe and converted it to HEX, and in the open HEX editor, I edited the count at its current position with the new value, saved, and closed the binary file.
8. Restarted the POS app, went to About, and... booooom, it now thinks that you have 999 days remaining :)

Although I never used this Point of Sale software, it was an exciting achievement for me. I felt like a real *hacker*.
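The procedure in redbell's comment above, as an added example in C that is not part of the thread or of any software it mentions. It generalizes step 5: a single hex search for the current count turns up every byte sequence that happens to encode that number (a stray 'a' in a string encodes 97 just as well as a 16-bit counter does), so the example takes two snapshots of the file, before and after one more launch, keeps only the offsets that moved from the old count to the new one in the same encoding, and then patches that field. The two snapshots are constructed byte arrays standing in for the app's data file, not a real POS format; the counter width, the offsets and the decoy bytes are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One place where a value was found: byte offset, encoding width, byte order. */
typedef struct { size_t offset; int width; int big_endian; } hit_t;

static void encode(uint32_t v, int width, int big_endian, uint8_t out[4]) {
    for (int i = 0; i < width; i++) {
        int shift = big_endian ? 8 * (width - 1 - i) : 8 * i;
        out[i] = (uint8_t)(v >> shift);
    }
}

static uint32_t decode(const uint8_t *p, int width, int big_endian) {
    uint32_t v = 0;
    for (int i = 0; i < width; i++) {
        int shift = big_endian ? 8 * (width - 1 - i) : 8 * i;
        v |= (uint32_t)p[i] << shift;
    }
    return v;
}

/* Single-snapshot search: what "find this hex value" in a hex editor does.
 * Tries 1-, 2- and 4-byte widths in both byte orders. Returns the total number
 * of hits; the first max_hits of them are stored in hits[]. */
static size_t find_value(const uint8_t *buf, size_t len, uint32_t v,
                         hit_t *hits, size_t max_hits) {
    static const int widths[] = {1, 2, 4};
    size_t n = 0;
    for (int wi = 0; wi < 3; wi++) {
        int w = widths[wi];
        if (w < 4 && (v >> (8 * w)) != 0) continue;   /* value does not fit in w bytes */
        for (int be = 0; be <= (w > 1); be++) {       /* 1-byte values have no byte order */
            uint8_t enc[4];
            encode(v, w, be, enc);
            for (size_t off = 0; off + (size_t)w <= len; off++) {
                if (memcmp(buf + off, enc, (size_t)w) == 0) {
                    if (n < max_hits) hits[n] = (hit_t){off, w, be};
                    n++;
                }
            }
        }
    }
    return n;
}

/* Two-snapshot search: keep only the hits where snapshot A held va and snapshot B,
 * taken after the counter changed, holds vb in the same encoding. Strings and
 * unrelated fields that merely contain va drop out here. */
static size_t find_counter(const uint8_t *a, const uint8_t *b, size_t len,
                           uint32_t va, uint32_t vb, hit_t *hits, size_t max_hits) {
    hit_t cand[64];
    size_t nc = find_value(a, len, va, cand, 64), n = 0;
    if (nc > 64) nc = 64;
    for (size_t i = 0; i < nc; i++) {
        if (decode(b + cand[i].offset, cand[i].width, cand[i].big_endian) == vb) {
            if (n < max_hits) hits[n] = cand[i];
            n++;
        }
    }
    return n;
}

/* Overwrite the located field with nv. Refuses if nv does not fit the field width. */
static int patch_counter(uint8_t *buf, size_t len, const hit_t *h, uint32_t nv) {
    if (h->offset + (size_t)h->width > len) return 0;
    if (h->width < 4 && (nv >> (8 * h->width)) != 0) return 0;
    uint8_t enc[4];
    encode(nv, h->width, h->big_endian, enc);
    memcpy(buf + h->offset, enc, (size_t)h->width);
    return 1;
}

/* Constructed stand-in for the app's data file (assumption, not a real POS format).
 * The trial counter is 97, little-endian, at offset 12. Offsets 3 and 18 also hold
 * 0x61 ('a' == 97) as decoys. Snapshot B is the same file after one more launch:
 * counter 96, plus an unrelated byte at offset 20 that changed too. */
#define COUNTER_OFF 12
static const uint8_t snap_a[24] = {
    'P','O','S',0x61,0x01,0x00,0x00,0x00, 0x10,0x20,0x30,0x40,
    0x61,0x00,0x00,0x00, 0xff,0xff,0x61,0x00, 0xde,0xad,0xbe,0xef };
static const uint8_t snap_b[24] = {
    'P','O','S',0x61,0x01,0x00,0x00,0x00, 0x10,0x20,0x30,0x40,
    0x60,0x00,0x00,0x00, 0xff,0xff,0x61,0x00, 0xdf,0xad,0xbe,0xef };

size_t demo_single_hits(void) {          /* hits for 97 in snapshot A alone */
    hit_t h[16];
    return find_value(snap_a, sizeof snap_a, 97, h, 16);
}
size_t demo_counter_hits(void) {         /* hits that went 97 -> 96 between snapshots */
    hit_t h[16];
    return find_counter(snap_a, snap_b, sizeof snap_a, 97, 96, h, 16);
}
size_t demo_counter_offset(void) {       /* offset of the first surviving hit */
    hit_t h[16];
    return find_counter(snap_a, snap_b, sizeof snap_a, 97, 96, h, 16) ? h[0].offset : (size_t)-1;
}
/* Patch a copy of snapshot A at the counter, treating it as `width` bytes LE, and read
 * it back. Returns -1 if the patch was refused because nv does not fit the width. */
long demo_patch_and_read(int width, uint32_t nv) {
    uint8_t copy[sizeof snap_a];
    memcpy(copy, snap_a, sizeof copy);
    hit_t h = { COUNTER_OFF, width, 0 };
    if (!patch_counter(copy, sizeof copy, &h, nv)) return -1;
    return (long)decode(copy + h.offset, h.width, h.big_endian);
}

int main(void) {
    size_t n1 = demo_single_hits(), n2 = demo_counter_hits(), off = demo_counter_offset();
    printf("single-snapshot hits for 97: %zu\n", n1);
    printf("two-snapshot hits: %zu, first at offset %zu\n", n2, off);
    printf("patch 999 as 1 byte: %ld, as 2 bytes: %ld\n",
           demo_patch_and_read(1, 999), demo_patch_and_read(2, 999));
    return 0;
}
```

On the constructed snapshots the single search returns six hits, the two-snapshot search three, all at offset 12 and differing only in assumed width (1, 2 or 4 bytes), which is as far as the data can disambiguate. Writing 999 into the field as a 1-byte value is refused because it does not fit; as a 2-byte value it reads back as 999. A decremented trial counter is the easiest case; the same narrowing works on any field whose value you can change on purpose between snapshots.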
alin23, about 1 year ago
It's done in a similar way on macOS: a dylib is added to the bundle and an LC_LOAD command is added to the app binary. The dylib is the first thing that runs because of using the constructor attribute, like this: https://notes.alinpanaitiu.com/Injecting%20a%20DYLIB%20into%20a%20macOS%20app

The nice thing is that a signed app will refuse to load a dylib that does not have the same signature. So crackers will be forced to change the whole app signature, which can be easily detected in app code.

I have that kind of protection in Lunar (https://lunar.fyi/) and Clop (https://lowtechguys.com/clop) and it seems to be good enough, as they have no recent cracks.
WirelessGigabit, about 1 year ago
What is interesting here is that a signed piece of software can pick up an unsigned dll, execute it, and that execution causes a compromise of the system.
pests, about 1 year ago
All the swearing turned me off. I don't mind cussing and use it myself, but does every tweet need to drop the f bomb?
hermitcrab, about 1 year ago
If anyone is interested in crackers and their motivation, you might find this interview interesting: https://successfulsoftware.net/2011/04/07/interview-with-a-cracker/
smolsky, about 1 year ago
Nice!

P.S. Who remembers the legendary Phrozen Crew cracks? They were minimal byte patches that often toggled a conditional jump in an MS-DOS app/game...
lossolo, about 1 year ago
"downloaded torrent is a split rar. lol

in 2024"

That doesn't have anything to do with being old fashioned. It's about how racing works in scene FTPs. When you release something, the race begins, starting from so-called affil "sites" (the group releases to all their affil sites at the same time); from there it propagates to the whole scene by couriers. Because of how FTP works, you need to split the file into multiple files so it can be uploaded by multiple people from multiple sources, making distribution fast. And rar is used for that; there are scene rules for it, and it does not use the compression option.
cedws, about 1 year ago
Very interesting. I really should get back into RE.

Selfish question for a project of my own: is there any way to magically gain early code execution in a process on Windows other than a shim DLL? I'm too lazy to write one to pass through all the exports (reflective shim DLL possible...?)
lionkor, about 1 year ago
I found this pretty insufferable to read, and in good X fashion, the second comment from the top is "we should teach llama3 to do this stuff!".

Thanks for sharing, it was interesting, but wow, that's a bad format and bad writing.
hruzgar, about 1 year ago
This is really interesting!
ptsneves, about 1 year ago
A nice topic and insight, if not for the way it is written. I could not finish it. It feels like the author is unable to articulate his thoughts without interjecting curses and writes incoherently. Is this how people communicate technically in the newer generations?
skilled, about 1 year ago
https://nitter.poast.org/gf_256/status/1782656618015904103
can16358p, about 1 year ago
Why can't I see the rest but only the first title tweet?

Is that the case, or is it a bug?
doix, about 1 year ago
This was a pretty long read and I didn't really get much from it. The format of a million tweets is awful.

tl;dr: it patches the executable by having a shim DLL that does the patch when it gets loaded. Pretty common in the game modding community. It finds where it needs to patch by scanning for a byte pattern.

What does the actual patch do? No idea; that's what I was waiting for and I never got it. I was expecting a disassembly comparison of the before and after.

Someone please correct me if I'm wrong.
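The mechanism that alin23 (a constructor that runs as soon as the injected library loads), smolsky (flipping a single conditional jump) and doix (a shim DLL that finds its target by scanning for a byte pattern) describe, as one added example in C. It is not code from the thread, from the crack being discussed, or from any product named on this page. It builds with GCC or Clang, where `__attribute__((constructor))` plays the role of the shim DLL's entry point on Windows or the dylib constructor on macOS. The bytes it patches are a constructed array standing in for a stretch of a program's .text, not real code from any product; the pattern, the wildcard mask and the position of the jump relative to the pattern are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Wildcard pattern scan: pat[i] must match where mask[i] is 'x'; any byte is
 * accepted where mask[i] is '?'. Returns the first match offset or (size_t)-1. */
size_t find_pattern(const uint8_t *hay, size_t hay_len,
                    const uint8_t *pat, const char *mask, size_t pat_len) {
    if (pat_len == 0 || pat_len > hay_len) return (size_t)-1;
    for (size_t off = 0; off + pat_len <= hay_len; off++) {
        size_t i = 0;
        while (i < pat_len && (mask[i] == '?' || hay[off + i] == pat[i])) i++;
        if (i == pat_len) return off;
    }
    return (size_t)-1;
}

/* Flip a short conditional jump between JE (0x74) and JNE (0x75): the classic
 * one-byte "invert the check" patch. Returns 1 if the byte was a Jcc we handle. */
int toggle_jcc(uint8_t *code, size_t len, size_t off) {
    if (off >= len) return 0;
    if (code[off] == 0x74) { code[off] = 0x75; return 1; }
    if (code[off] == 0x75) { code[off] = 0x74; return 1; }
    return 0;
}

/* Constructed stand-in for a stretch of the target's .text (assumption, not real
 * code from any product). It models:  call <check> ; test eax,eax ; je <fail>.
 * The call's rel32 differs from build to build, so the pattern wildcards it. */
uint8_t fake_text[] = {
    0x55, 0x48, 0x89, 0xe5,          /* push rbp ; mov rbp, rsp          */
    0xe8, 0x11, 0x22, 0x33, 0x44,    /* call rel32 (build-specific)      */
    0x85, 0xc0,                      /* test eax, eax                    */
    0x74, 0x0a,                      /* je <fail>   <- the byte we flip  */
    0x31, 0xc0, 0x5d, 0xc3,          /* xor eax,eax ; pop rbp ; ret      */
};
/* A different build where the sequence is absent: the patcher must refuse. */
uint8_t other_build[] = { 0x90, 0x90, 0x90, 0xc3 };

static const uint8_t pat[]  = { 0xe8, 0, 0, 0, 0, 0x85, 0xc0 };
static const char    mask[] = "x????xx";

static int g_patch_result = -1;  /* -1: constructor not run, 0: pattern absent, 1: patched */

/* Locate the pattern and flip the Jcc that follows it. Returns 1 on success, 0 if
 * the pattern is not found, in which case nothing is modified. Note that running it
 * twice on the same bytes toggles the jump back, so a real shim must guard against
 * being loaded or applied more than once. */
int apply_patch(uint8_t *text, size_t len) {
    size_t off = find_pattern(text, len, pat, mask, sizeof pat);
    if (off == (size_t)-1) return 0;
    return toggle_jcc(text, len, off + sizeof pat);   /* jcc sits right after the pattern */
}

/* Runs when the object is loaded, before main(): this is where a shim DLL or an
 * injected dylib does its work. Patching a real .text page would first need
 * VirtualProtect / mprotect to make it writable; here the target is our own array. */
static void __attribute__((constructor)) shim_init(void) {
    g_patch_result = apply_patch(fake_text, sizeof fake_text);
}

int shim_result(void) { return g_patch_result; }

int main(void) {
    printf("constructor result: %d, byte at 11 is now 0x%02x\n", shim_result(), fake_text[11]);
    printf("other build: %d (untouched)\n", apply_patch(other_build, sizeof other_build));
    return 0;
}
```

By the time main() runs the constructor has already flipped the `je` at offset 11 to `jne`, which is the point alin23 makes about constructor ordering. The wildcard mask is what lets one patcher survive minor rebuilds of the target, and the explicit failure path for `other_build` is the check a careful shim needs: a pattern that does not match must leave the bytes alone rather than patch whatever happens to be at a hard-coded offset.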
brcmthrowaway, about 1 year ago
Stop this at once. Ableton folks are gonna go hungry