Script kiddies or would-be crackers?
Nico
December 4th, 2004, 12:07
Hello everyone,
I'm posting this in Off Topic because it is not directly related to Software Reverse Engineering. Well, kind of..
I hope the admins and moderators won't mind me posting this here, but I think we are going to see posts about it soon, and I want to clarify the situation.
In the past, we (at siliconrealms) have seen working attacks on Armadillo.
Skamer made a lot of keygens because of vulnerabilities in our algo, then TMG did find a weakness in one of our PRNGs after the source leak we had..
We respect that, because this is real work.
Now, a few days ago, a group called FFF released a keygen for two of our customers, and they were using the highest level of security in terms of licensing. We use Elliptic Curve Cryptography, and it isn't a secret to anyone anymore. I was impressed and respectful at first, until I figured it all out.
If you want to read it:
h**p://www.siliconrealms.com/fff-keygens.htm
Don't flame for this, I'm just pissed off by stupidity.
I know most of you don't care about protection authors and like to dish us, but I want to point out that we respect reverse engineers' work... We don't respect lamers.
Have a good day.
Nico
doug
December 4th, 2004, 13:11
Just a thought here,
I guess this just goes to show that there's more to a secure system than a strong exe guard module...
Crackers rarely go the hard way when there's an easier route.
As a protection author, you add features thinking a reverser will have to do X->Y->Z in order to counter it.. (Y being extremely long). A determined reverser will indeed go through X->Y->Z.. but a better one might find another route and directly apply X->Z.
These people found a weakness in the system.. is that why they are lamers? What about that website that had the certificates available to anyone who could hijack the webserver?
Silver
December 4th, 2004, 13:13
As I see it, that's an issue you need to take up with your client. "Resource" companies (such as Havok for example, who lost all their source when HL2 was leaked) often have penalty clauses for this type of thing.
But yes, you/they/someone got rooted, and they found the pot of gold. I'd question the back-end infrastructure and security practices of the organisation in question - by virtue of the fact that they use your protection they must be selling a software product. And one which is no longer generally protected by your protection.
Just because a company is full of coders doesn't mean they have the technical skills for security.
Nico
December 4th, 2004, 13:28
I totally agree with you. Security is a global process.
That's not the point of my post.. I'm starting to get complaints about Armadillo itself; people think the problem is in the guard module because the keygen brags about ECDSA-113, like they really did it.. The GFX says: breaking the limits.. C'mon, they think they are doing like TMG..
I just want to clarify that their keygen has nothing to do with reverse engineering. Of course they brag and call it real work; people on various forums thought they did it the hard way.. that's what I call lame.
I can't be behind every customer checking whether they apply security patches on their web sites. I have of course contacted them all by now.
To answer Doug: the certificates are on their web sites because, like most protection systems, you can use CGI to generate keys and provide them to your customers. This isn't related to Armadillo; it's every protection offering such options to their customers.
I just want to avoid the false claims about the algo itself, when they just copy-pasted the certificate they stole.
As I said, I have respect for people doing real reverse engineering.
On this, I enjoyed your paper about RPC a long time ago; that was reverse engineering..
Don't get me wrong in my post.. I'm just tired of kids bragging about things they didn't do.
Cheers.
CrackZ
December 4th, 2004, 14:11
Hiya Nico ;-).
I'm not so sure I'd be _quite_so_critical about these guys, especially if people here have read the paper 'Why CryptoSystems Fail?', I'm sure you must have ;-) - that's not to say that I advocate exploiting customers' websites though.
The basic analogy as I see it (though given to me by someone else) is that copy protection is kind of like fence building. Not everyone wants to / or is capable of scaling the heights required to get over the wall; when someone does, you respect them because of the effort they've put in. However, eventually you build an insurmountable wall (or in the Armadillo case you heal all your weak PRNGs, increase your Blowfish key length and choose ECDSA-113 ;-) ). So the attackers decide that rather than climb your wall they'll simply tunnel underneath, and the end result is exactly the same, except it's ruthlessly more time efficient than poring over your source code and finding weaknesses.
Each time you got 'bruteforced' or 'keygenned' because of your weak PRNGs you healed the hole and advised your customers to upgrade - the only difference now is that you're educating your customers on 'securing their websites' ..... I totally accept your point that the technical competence required to produce a 5-line key generator is insignificant and that anyone capable of breaking ECDSA-113 ought to have better things in the universe to attack than a few lousy shareware apps ;-).
My point is a wider one: with the best system and will in the world, everything is subject to the _human_element_ of failure. I see today a scene where a plethora of people simply choose to hack websites or steal credit card numbers rather than play the reverse engineering game ..... you can bitch about it as much as you like, as I do on a regular basis ;-) but you just won't stop it .....
Take it easy mate ;-).
CrackZ.
Nico
December 4th, 2004, 14:25
Heya CrackZ
I agree with you too.
On the other hand, I wanted to clarify how they did it to avoid any rumors.
I still have no respect for those lame practices.
Cheers!
Nico
Woodmann
December 4th, 2004, 17:33
Howdy,
I think it would be a bit naive to think that someone/crew put in the time to reverse it the old-fashioned way. They just want to be the first to say "Hey I did it". We all know it's about getting "proper cred".
There have been more than a few of these instances when someone gets a hold of something with a big value. Everyone survives the initial onslaught, things change. Lamers will always be around, they just can't help themselves.
-CBO-
ran
December 4th, 2004, 22:17
I agree, that's no different than putting out a stolen registration key on the net.
UCF have also been releasing Armadillo keygens lately, and I wonder if they chose this route too.
Nico
December 4th, 2004, 22:27
UCF releases keygens of applications using the old registration systems
kept for backward compatibility only. The algo is different and has weaknesses.
Skamer proved it in the past, and UCF is doing the exact same thing nowadays.
Many customers can't change their registration key easily because they don't have the manpower to issue new ones to each of their customers.
I doubt UCF would go the hacking / ready-made exploit way anyway.. because it isn't cracking at all..
Cheers.
disavowed
December 4th, 2004, 22:42
Nicolas, just out of curiosity, do you have an alias that you usually go by in the reversing scene? Or do you stay out of it entirely?
I only ask because I (and many other reversers, I'm sure) go by both my alias and my real name, depending on the context.
Nico
December 4th, 2004, 22:50
I have no official alias.. I usually use 0x90 or null byte because of the first letters. I don't need to explain what this 0x90 means ;-)
I'm out of the "scene", but I have to stay around and see what's going on for obvious reasons. I chose to come here to talk a little and clarify a few things.
From the top of my head, you had an alias *many* years ago.. Stormer or something like that. Am I right? :-)
I'm not the only one coming here; protection authors visit those forums regularly, as well as people from various government agencies :-) They just read though.
Edit: st0rmer even
jB_
December 5th, 2004, 08:44
Nico,
I understand your reaction, and here is my point of view.
First we never claimed to have broken the Armadillo reg. scheme. I said to *all* -but one, and I had a reason- the people who asked me about these keygens that:
- It was easy
- We used a lame method
I knew you would look at the keygen. We left the encryption template in because of that. I'm not dumb, I know it is impossible to recover such a long passphrase... (I studied the algo, and you can guess I've understood it). We deliberately used codegen.dll and the encryption template.
We could have used the stolen KeyMaker.c, and easily replaced the encryption template with the private key parameters. The point is that we didn't want to make others believe that we broke the scheme.
I agree with you about the text in the gfx. The text doesn't represent what we've done. For the About text, there's a reason for it, and it is not to look like skilled guys as you may think.
I can PM you if you want more information.
jB
disavowed
December 5th, 2004, 14:53
Quote:
[Originally Posted by Nico]
From the top of my head, you had an alias *many* years ago.. Stormer or something like that. Am I right? :-)
yes, google is a wonderful thing
and if you're wondering why the name-switch: http://sunsite.berkeley.edu/Web4Lib/archive/9906/0332.html, namely "hope this poor gal (guy?) st0rmer doesn't suffer an fbi raid from all the attention web4lib is sending them" (you can find the rest of the thread on the site if you're interested)... yes, guy (not gal), and no, i never heard from the fbi regarding this
it was actually my own fault though. i wasn't following the industry-accepted approach to submitting security vulnerabilities. this was five years ago, and ironically, i've met and have had intelligent conversations with some of the people in that thread since (although they only knew me by my real-life name)
Nico
December 5th, 2004, 19:09
Quote:
[Originally Posted by disavowed]yes, google is a wonderful thing
No, no google.
I have been around for seven years, and I remember a Pcode crackme of yours that was tutorialised on Fravia's site. I have a good memory when it comes to nick names ;-)
Quote:
and if you're wondering why the name-switch: http://sunsite.berkeley.edu/Web4Lib/archive/9906/0332.html, namely "hope this poor gal (guy?) st0rmer doesn't suffer an fbi raid from all the attention web4lib is sending them" (you can find the rest of the thread on the site if you're interested)... yes, guy (not gal), and no, i never heard from the fbi regarding this
I will check it out.
Quote:
it was actually my own fault though. i wasn't following the industry-accepted approach to submitting security vulnerabilities. this was five years ago, and ironically, i've met and have had intelligent conversations with some of the people in that thread since (although they only knew me by my real-life name)
I will definitely look at this thread.
Congrats on the 5-year-old full disclosure mess ;-)
Nico
December 5th, 2004, 19:21
Quote:
[Originally Posted by jB_]Nico,
I understand your reaction, and here is my point of view.
First we never claimed to have broken the Armadillo reg. scheme. I said to *all* -but one, and I had a reason- the people who asked me about these keygens that:
- It was easy
- We used a lame method
Well, it doesn't look that evident with your keygens. You make sure to write about the Level 10 (ECDSA 113), you put comments about *real* work, and the GFX above it, which definitely sounds like you did something good.
I was impressed and respectful when I saw those keygens.. until I figured it out. If it had been a real keygen, you can be sure that I wouldn't have written this half-assed html page. Now you have every lamer spreading rumors, and customers thinking there are problems..
Quote:
I knew you would look at the keygen. We let the encryption template because of that. I'm not dumb, I know it is impossible to recover such a long passphrase... -I studied the algo, and you can guess I've understood it-. We deliberately used codegen.dll and the encryption template.
Understanding it is one thing, breaking it, is another story.
Well, you stole those encryption templates on those web servers, of course you used them.
Quote:
We could have used the stolen KeyMaker.c, and easily replaced the encryption template by the private key parameters. The point is that we didn't want to make others believe that we broke the scheme.
I would still recognize the KeyMaker.c code, and those two customers had very common things.. actually, I looked at 3 web sites to get it.. you know which one is the third one.
Quote:
I agree with you for the text in the gfx. The text doesn't represent what we've done. For the About text, there's a reason about it, and it is not to look like skilled guys as you may think.
I don't see anything related to *real* work in what you have done, and when you talk about stolen releases, i know that you refer to lamers stealing keygens. My comment on the other hand, was an analogy to this, and your practice.. because you did steal too.
Quote:
I can PM you if you want more information.
I don't need any more information.
Thank you, but I have everything I need.
cRk
December 6th, 2004, 00:02
NICO = Nelson ..... sorry to hear bad news again.. but obviously you're mad about the new hole found... Asprotect hasn't been keygenned for a while ...
Remember TMG got help to keygen what they had. Maybe those from FFF are lamers.. you shouldn't care too much then.
Nico
December 6th, 2004, 05:19
Here we go.
Nico and Chad are two different guys.
I read your comments on exetools, no need to post twice
You don't seem to understand what happened (and for some reason, it doesn't surprise me...) but the same could have happened to the protector you are talking about.. actually, it did. And it's not related to their protector either.
Oh well..
CrackZ
December 6th, 2004, 14:16
Just to add ; and kill ANY conspiracy theories right here and now.
I can guarantee that Nico != Chad ;-). In fact Nico bears more resemblance to the Silicon Realms cat than Chad, but that's another story yet again.....
Regards
CrackZ
neur0n
December 6th, 2004, 14:20
It seems that everyone thinks Skamer made a lot of arm. keygens. Point is he only released them, actual work was done by another cracker who didn't want to be known.
Nico
December 6th, 2004, 14:44
Quote:
[Originally Posted by neur0n]It seems that everyone thinks Skamer made a lot of arm. keygens. Point is he only released them, actual work was done by another cracker who didn't want to be known.
I have heard a lot of rumors about that too.
One of them saying the author of those keygens is P.C..
neur0n
December 6th, 2004, 16:40
The author of those keygens is not P.C., but both live in the same country.
P.C. retired a long time ago and doesn't crack anymore.
Nico
December 6th, 2004, 16:43
I'm just repeating the rumors I heard.
Whoever the real guy was, I respect his work, because he broke the registration system.
QuickeneR
December 7th, 2004, 01:46
Speaking of "script kiddie way" vs. the "hardcore reverse engineering way", I have a question for Nico.
Why didn't Silicon Realms do it "properly"? You could have underestimated the time required to fake a key (a quote from Armadillo 2.61: "A level-1 signed key is at least 28 digits long. On a 450MHz Pentium-II class system, it would take roughly 71 days to learn to forge it."), but after the first keygens it was clear that the key system was insecure. The obvious solution was to adequately increase the key length and probably switch to another crypto scheme. But until recently this was not done.
I'm really curious what caused this. Did you consider key length to be more important than security? Or were there some marketing reasons involved?
neur0n
December 7th, 2004, 03:29
Quote:
[Originally Posted by Nico]Im just repeating the rumors i heard.
This rumor is not true. It doesn't matter who the real guy was, but I have to say it because P.C. wouldn't want his name to be connected with it. I knew Skamer, P.C. and the real guy. P.C. and the real guy were awesome crackers, but Skamer, well, he shouldn't get respect for making those keygens.
And for those who know P.C., yes, he is a damn good table tennis player.
Nico
December 7th, 2004, 07:38
Hi,
First, I have nothing to do with the registration system. I didn't work on it a single time.
Anyway, the registration proved to be insecure. I told SR to change the key system, or at least to use a bigger key, and to review it etc.
The problem is: backward compatibility. When you have a lot of customers, you can't change the key system all of a sudden, especially when you don't have the manpower to issue new keys.
Even if it's a security problem.. SR tried to introduce a new level thinking it would fix the problem while still keeping backward compatibility.
Oh well..
You can't change everything you want in a protection system, when you have a lot of customers.. it needs testing etc.
Quote:
[Originally Posted by QuickeneR]Speaking of "script kiddie way" vs. the "hardcore reverse engineering way", I have a question for Nico.
Why did not Silicon Realms do it "properly"? You could have underestimated the time required to fake a key (a quote from Armadillo 2.61 "A level-1 signed key is at least 28 digits long. On a 450MHz Pentium-II class system, it would take roughly 71 days to learn to forge it.") but after the first keygens it was clear that the keysystem was insecure. The obvious solution was to adequately increase the key length and probably switch to another crypto scheme. But until recently this was not done.
I'm really curious what caused this. Did you consider key length to be more important than security? Or were there some marketing reasons involved?
Nico
December 7th, 2004, 14:27
The page has been removed from our web site.
I wanted to clarify this issue, and my point has been made.
Thank you to the board members who didn't flame right away and sorry about this fuss.
I'm glad protection authors can have mature discussions with reversers here.
You can remove the thread if you like too.
Take care,
Nico