In our last work we overlooked one protection (a rather complicated one). Once
triggered, this extra protection kills essential functions such as preset
recall. Mostly it is another anti-R2R trick to detect RSA key modification, but
there are some hidden checks against non-keygen bypass cracks too.
To detect RSA key modification, the SS (Spectrasonics) app carries RSA-encrypted
content inside. It is decrypted after a while, then some calculation is done on
the result. If the content comes out corrupted (because the RSA key was tampered
with by R2R), it bombs.
- Encrypted Content + Legit RSA Key = Valid Decrypted Content
- Encrypted Content + R2R RSA Key = Decryption Failed, bombs!
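The mechanism above, as an added illustration written for this note (not code from the NFO and not Spectrasonics' implementation): the vendor transforms a content blob with its private key, and the app undoes that with the public key it embeds. A length and SHA-256 tag inside the blob tell the app whether the key it holds is the one the content was sealed for. The key pairs, the framing, the function names and the sample payload are all constructed here; the moduli are built from small Mersenne primes, so this is a demo of the binding idea, not real-strength RSA.

```python
import hashlib


def _keypair(p, q, e=65537):
    """Constructed toy RSA key pair from two primes (illustration only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)  # (public, private)


# Key the app is meant to embed, and a different key someone might patch in instead.
VENDOR_PUB, VENDOR_PRIV = _keypair(2**61 - 1, 2**89 - 1)
FOREIGN_PUB, _ = _keypair(2**31 - 1, 2**127 - 1)

BLOCK_IN = 16   # plaintext bytes per block; 2**128 is below both moduli
BLOCK_OUT = 20  # ciphertext bytes per block; both moduli are under 160 bits


def _blocks(data, exponent, n, in_size, out_size):
    """Apply m -> m**exponent mod n to fixed-size big-endian blocks."""
    out = bytearray()
    for i in range(0, len(data), in_size):
        m = int.from_bytes(data[i:i + in_size], "big")
        out += pow(m, exponent, n).to_bytes(out_size, "big")
    return bytes(out)


def seal_content(content, priv):
    """Vendor side: frame content as len || sha256(content) || content,
    zero-pad to a block boundary, then transform with the private exponent."""
    d, n = priv
    blob = len(content).to_bytes(2, "big") + hashlib.sha256(content).digest() + content
    blob += b"\x00" * (-len(blob) % BLOCK_IN)
    return _blocks(blob, d, n, BLOCK_IN, BLOCK_OUT)


def open_content(sealed, pub):
    """App side: transform with whatever public key is embedded, then verify
    the framing. Returns the content, or None when the key does not match."""
    e, n = pub
    try:
        blob = _blocks(sealed, e, n, BLOCK_OUT, BLOCK_IN)
    except OverflowError:  # a block came back wider than 16 bytes: key mismatch
        return None
    length = int.from_bytes(blob[:2], "big")
    tag, content = blob[2:34], blob[34:34 + length]
    if len(content) != length or hashlib.sha256(content).digest() != tag:
        return None
    return content


def key_binding_ok(sealed, pub):
    """The verdict the note describes: True with the legitimate key, False otherwise."""
    return open_content(sealed, pub) is not None


if __name__ == "__main__":
    # Constructed sample payload standing in for one month's content.
    payload = b"preset-bank-2024-07: constructed sample payload"
    sealed = seal_content(payload, VENDOR_PRIV)
    print("legit key   :", key_binding_ok(sealed, VENDOR_PUB))
    print("foreign key :", key_binding_ok(sealed, FOREIGN_PUB))
```

The point for a defender is that the check never compares keys directly: the embedded public key is only ever used to open data, and any substitute key turns the framing into noise. The same framing also catches a corrupted ciphertext, so a byte flipped in the sealed blob fails the tag check even with the right key.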
Theoretically, it can be defeated like this:
- Encrypted Content ---[Decrypt by Legit RSA Key]---> Valid Decrypted Content
---[Re-Encrypt by R2R RSA Private Key]---> Encrypted Content for R2R Key
- Then swap the original encrypted content for the re-encrypted one. Done!
However, there is a lot of content, and it changes every month (1 content
per month = 12 variants). While it is still possible to swap all of it, the
testing phase would be complicated. To avoid that, we injected some nice code
to decrypt the content instead of swapping it :)
We would like to explain all the magic tricks SS used, but that would make the
NFO too long. If you are a cracker who is interested:
- Check our injected code and how we decrypt the original content :)
- Find their month-magic. SS changes the routine they use every month.
- Search for the value 0x54B1B. There you can find the delayed RSA content
decryption.
- Search for the value 0x673948DE. It does something like this:
    hiddenState = hiddenState XOR decryptedContentVal
                              XOR hiddenXorVal
                              XOR 0x673948DE;
    if (!isTimebombed) {
        if (hiddenState != validValue) {
            isTimebombed = true;
        }
    }
* "hiddenState" is also used in other places. We missed that part
last time!
* "decryptedContentVal" changes every month.
* "hiddenXorVal" is a static value, but it changes every month.
* "validValue" is not a fixed value :)
* "isTimebombed" is a bool value in static memory.
- As stated in the first paragraph, there are some hidden extra checks
to disable license-check-bypass cracks. At the very least you need to know
the license data structure to trace some of the bombs.
Happy Reversing!