
Thread: Script kiddies or would-be crackers?

  1. #1

    Script kiddies or would-be crackers?

    Hello everyone,

    I'm posting this in Off Topic because it is not directly related to software reverse engineering. Well, kind of...

    I hope the admins and moderators won't mind me posting this here, but
    I think we are going to see posts about it around here soon, and I want to clarify
    the situation.

    In the past, we (at siliconrealms) have seen working attacks on Armadillo.
    Skamer made a lot of keygens because of vulnerabilities in our algo, then TMG found a weakness in one of our PRNGs after the source leak we had.

    We respect that, because this is real work.

    Now, a few days ago, a group called FFF released a keygen for two of our customers, and they were using the highest level of security in terms of licensing. We use elliptic curve cryptography, and it isn't a secret to anyone anymore. I was impressed and respectful at first, until I figured it all out.

    If you want to read it:

    h**p://www.siliconrealms.com/fff-keygens.htm

    Don't flame me for this, I'm just pissed off by stupidity.

    I know most of you don't care about protection authors and like to dish us, but
    I want to point out that we respect reverse engineers' work... We don't respect lamers.

    Have a good day.

    Nico
    Real ones don't need source

  2. #2
    Just a thought here,

    I guess this just goes to show that there's more to a secure system than a strong exe guard module...

    Crackers rarely go the hard way when there's an easier route.

    As a protection author, you add features thinking a reverser will have to do X->Y->Z in order to counter it (Y being extremely long). A determined reverser will indeed go through X->Y->Z, but a better one might find another route and directly apply X->Z.

    These people found a weakness in the system. Is that why they are lamers? What about that website that had the certificates available to anyone who could hijack the web server?

  3. #3
    As I see it, that's an issue you need to take up with your client. "Resource" companies (such as Havok for example, who lost all their source when HL2 was leaked) often have penalty clauses for this type of thing.

    But yes, you/they/someone got rooted, and they found the pot of gold. I'd question the back-end infrastructure and security practices of the organisation in question - by virtue of the fact that they use your protection they must be selling a software product. And one which is no longer generally protected by your protection.

    Just because a company is full of coders doesn't mean they have the technical skills for security.
    Still here...

  4. #4
    I totally agree with you. Security is a global process.

    That's not the point of my post. I'm starting to get complaints about Armadillo itself; people think the problem is in the guard module because the keygen
    brags about ECDSA-113, like they really did it. The GFX says: breaking the limits. C'mon, they think they are doing what TMG did.

    I just want to clarify that their keygen has nothing to do with reverse engineering. Of course they brag and call it real work; people on various forums thought they did it the hard way. That's what I call lame.

    I can't stand behind every customer checking whether they apply security patches on their web sites. I have of course contacted them all by now.

    To answer Doug, the certificates are on their web sites because, as with most protection systems, you can use CGI to generate keys and provide them to your customers. This isn't specific to Armadillo; it's every protection offering such options to its customers.

    I just want to avoid the false claims about the algo itself, when they just copy-pasted the certificate they stole.

    As I said, I have respect for people doing real reverse engineering.
    On this, I enjoyed your paper about RPC a long time ago; that was reverse engineering.

    Don't get me wrong in my post. I'm just tired of kids bragging about things they didn't do.

    Cheers.
    Real ones don't need source

  5. #5
    Hiya Nico ;-).

    I'm not so sure I'd be _quite_ so critical about these guys, especially if people here have read the paper 'Why Cryptosystems Fail', and I'm sure you must have ;-). That's not to say that I advocate exploiting customers' websites, though.

    The basic analogy as I see it (though given to me by someone else) is that copy protection is kind of like fence building. Not everyone wants to, or is capable of, scaling the heights required to get over the wall; when someone does, you respect them because of the effort they've put in. However, eventually you build an insurmountable wall (or in the Armadillo case you heal all your weak PRNGs, increase your Blowfish key length and choose ECDSA-113 ;-) ). So the attackers decide that rather than climb your wall they'll simply tunnel underneath, and the end result is exactly the same, except it's ruthlessly more time efficient than poring over your source code and finding weaknesses.

    Each time you got 'bruteforced' or 'keygenned' because of your weak PRNGs you healed the hole and advised your customers to upgrade; the only difference now is that you're educating your customers on 'securing their websites'..... I totally accept your point that the technical competence required to produce a 5-line key generator is insignificant and that anyone capable of breaking ECDSA-113 ought to have better things in the universe to attack than a few lousy shareware apps ;-).

    My point is a wider one: with the best system and will in the world, everything is subject to the _human_ _element_ of failure. I see today a scene where a plethora of people simply choose to hack websites or steal credit card numbers rather than play the reverse engineering game..... You can bitch about it as much as you like, as I do on a regular basis ;-), but you just won't stop it.....

    Take it easy mate ;-).

    CrackZ.

  6. #6
    Heya CrackZ

    I agree with you too.
    On the other hand, I wanted to clarify how they did it to avoid any rumors.

    I still have no respect for those lame practices.

    Cheers!

    Nico
    Real ones don't need source

  7. #7
    Howdy,

    I think it would be a bit naive to think that someone/crew put in the time to reverse it the old-fashioned way. They just want to be the first to say "Hey, I did it". We all know it's about getting "proper cred".

    There have been more than a few of these instances when someone gets hold of something with a big value. Everyone survives the initial onslaught, things change. Lamers will always be around, they just can't help themselves.

    -CBO-

  8. #8
    ran
    Guest
    I agree, that's no different than putting out a stolen registration key on the net.

    UCF have also been releasing Armadillo keygens lately, and I wonder if they chose this route too.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    UCF releases keygens of applications using the old registration systems
    kept for backward compatibility only. The algo is different and has weaknesses.
    Skamer proved it in the past, and UCF is doing the exact same thing nowadays.

    Many customers can't change their registration key easily because they don't have the manpower to issue new ones to each of their customers.

    I doubt UCF would go the hacking / ready-made exploit way anyway, because it isn't cracking at all.

    Cheers.
    Real ones don't need source

  10. #10
    disavowed
    Nicolas, just out of curiosity, do you have an alias that you usually go by in the reversing scene? Or do you stay out of it entirely?

    I only ask because I (and many other reversers, I'm sure) go by both my alias and my real name, depending on the context.

  11. #11
    I have no official alias. I usually use 0x90 or null byte because of the first letters. I don't need to explain what 0x90 means ;-)

    I'm out of the "scene", but I have to stay around and see what's going on, for obvious reasons. I chose to come here to talk a little and clarify a few things.

    Off the top of my head, you had an alias *many* years ago. Stormer or something like that, am I right? :-)

    I'm not the only one coming here; protection authors visit these forums regularly, as well as people from various government agencies :-) They just read, though.

    Edit: st0rmer even
    Last edited by Nico; December 4th, 2004 at 22:59.
    Real ones don't need source

  12. #12
    jB_
    Guest
    Nico,

    I understand your reaction, and here is my point of view.
    First, we never claimed to have broken the Armadillo reg. scheme. I said to *all* (but one, and I had a reason) the people who asked me about these keygens that:
    - It was easy
    - We used a lame method

    I knew you would look at the keygen. We left the encryption template in because of that. I'm not dumb; I know it is impossible to recover such a long passphrase (I studied the algo, and you can guess I've understood it). We deliberately used codegen.dll and the encryption template.

    We could have used the stolen KeyMaker.c and easily replaced the encryption template with the private key parameters. The point is that we didn't want to make others believe that we broke the scheme.

    I agree with you about the text in the gfx. The text doesn't represent what we've done. For the About text, there's a reason for it, and it is not to look like skilled guys, as you may think.

    I can PM you if you want more information.

    jB
    Last edited by jB_; December 5th, 2004 at 08:48.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #13
    disavowed
    Quote Originally Posted by Nico
    Off the top of my head, you had an alias *many* years ago. Stormer or something like that, am I right? :-)
    yes, google is a wonderful thing

    and if you're wondering why the name switch: http://sunsite.berkeley.edu/Web4Lib/archive/9906/0332.html, namely "hope this poor gal (guy?) st0rmer doesn't suffer an fbi raid from all the attention web4lib is sending them" (you can find the rest of the thread on the site if you're interested)... yes, guy (not gal), and no, i never heard from the fbi regarding this

    it was actually my own fault though. i wasn't following the industry-accepted approach to submitting security vulnerabilities. this was five years ago, and ironically, i've met and have had intelligent conversations with some of the people in that thread since (although they only knew me by my real-life name)

  14. #14
    Quote Originally Posted by disavowed
    yes, google is a wonderful thing
    No, no Google.
    I have been around for seven years, and I remember a Pcode crackme of yours that was tutorialised on Fravia's site. I have a good memory when it comes to nicknames ;-)

    Quote Originally Posted by disavowed
    and if you're wondering why the name-switch: http://sunsite.berkeley.edu/Web4Lib/archive/9906/0332.html, namely "hope this poor gal (guy?) st0rmer doesn't suffer an fbi raid from all the attention web4lib is sending them" (you can find the rest of the thread on the site if you're interested)... yes, guy (not gal), and no, i never heard from the fbi regarding this
    I will check it out.

    Quote Originally Posted by disavowed
    it was actually my own fault though. i wasn't following the industry-accepted approach to submitting security vulnerabilities. this was five years ago, and ironically, i've met and have had intelligent conversations with some of the people in that thread since (although they only knew me by my real-life name)
    I will definitely look at this thread.
    Congrats on the 5-year-old full disclosure mess ;-)
    Real ones don't need source

  15. #15
    Quote Originally Posted by jB_
    Nico,

    I understand your reaction, and here is my point of view.
    First, we never claimed to have broken the Armadillo reg. scheme. I said to *all* (but one, and I had a reason) the people who asked me about these keygens that:
    - It was easy
    - We used a lame method
    Well, it doesn't look that evident with your keygens. You make sure to write
    about the Level 10 (ECDSA 113), you put comments about *real* work, and
    the GFX above it, which definitely sounds like you did something good.

    I was impressed and respectful when I saw those keygens, until I figured it out. If it had been a real keygen, you can be sure that I wouldn't have written this half-assed HTML page. Now you have every lamer spreading rumors, and customers thinking there are problems.

    Quote Originally Posted by jB_
    I knew you would look at the keygen. We left the encryption template in because of that. I'm not dumb; I know it is impossible to recover such a long passphrase (I studied the algo, and you can guess I've understood it). We deliberately used codegen.dll and the encryption template.
    Understanding it is one thing; breaking it is another story.
    Well, you stole those encryption templates from those web servers, so of course you used them.

    Quote Originally Posted by jB_
    We could have used the stolen KeyMaker.c and easily replaced the encryption template with the private key parameters. The point is that we didn't want to make others believe that we broke the scheme.
    I would still recognize the KeyMaker.c code, and those two customers had
    a lot in common. Actually, I looked at 3 web sites to get it; you know which one is the third one.

    Quote Originally Posted by jB_
    I agree with you about the text in the gfx. The text doesn't represent what we've done. For the About text, there's a reason for it, and it is not to look like skilled guys, as you may think.
    I don't see anything related to *real* work in what you have done, and when you talk about stolen releases, I know that you refer to lamers stealing keygens. My comment, on the other hand, was an analogy between this and your practice, because you did steal too.

    Quote Originally Posted by jB_
    I can PM you if you want more information.
    I don't need any more information.

    Thank you, but I have everything I need.
    Last edited by Nico; December 5th, 2004 at 19:46.
    Real ones don't need source
