Reverse engineering software licensing from early-2000s abandonware – Part 3
In part 2, we reverse engineered the decrypted format of the licence file data for this particular software. In this part, we investigate exactly how that licence file is encrypted.
Into the fray
In part 2, we identified that the decrypted licence file… »
Reverse engineering software licensing from early-2000s abandonware – Part 2
In part 1, we reverse engineered the registration code licensing mechanism of this particular software. However, that mechanism was not the mechanism actually in use in 2004; rather, a different mechanism was used based on licence files named license.bin. In this part, we… »
Reverse engineering software licensing from early-2000s abandonware – Part 1
This series concerns a software licensing system used in a proprietary software application from circa 2004. The software was available in an unregistered trial mode with limited functionality. A free licence could be obtained by registering online with the software vendor. The software became… »
Investigating and disabling hard-coded certificate pinning in an Android application
mitmproxy is an open source interactive HTTPS proxy, which makes it easy to intercept HTTPS for reverse engineering, including Android clients. It does this by installing its own CA certificate on the client device.
Recently, I was attempting to reverse engineer the HTTPS… »
Legal counsel for various companies, including AACS LA (Advanced Access Content System Licensing Administrator) LLC, DVD Copy Control Association Incorporated, Intel Corporation, Motion Picture Association of America Incorporated, Sony Computer Entertainment America Incorporated and Texas Instruments Incorporated, have determined that the possession or distribution of… »
Investigating Google Cast: Disabling device authentication on Android with Xposed
Google Cast is a proprietary protocol by Google which enables controlling playback of Internet-streamed audiovisual content on the Chromecast, Android TV and other compatible devices.
From the consumer perspective, Google Cast connects two devices: a sender (such as a smartphone) and a receiver (such… »
Investigating a MIDI music DRM system (c. 1998)
Investigating a legacy document delivery DRM system – Part 2
Last time, we investigated the HTML5 viewer for a document delivery DRM system, rehosting the viewer to give us unlimited access to documents – but only through the standard print procedure, which inserts watermarks and copyright information. This time, we'll investigate how we can… »
Investigating a legacy document delivery DRM system – Part 1
This post concerns a DRM system used in an online document delivery platform (think PDFs, but proprietary), established circa 2000 and still in popular operation. Documents purchased through the platform are delivered in a proprietary encrypted file format, which can be opened using a… »
Investigating a recent ebook DRM system (c. 2018)
This post concerns a DRM system used in an online ebook platform, released circa 2018. Users of the platform can purchase ebooks and either view them online, or download them for offline viewing using a proprietary Android/iOS app.
As usual, the particular DRM system… »
Crypto failures in the wild
Sony PlayStation 3 ECDSA random number reuse
The Sony PlayStation 3 (2006) uses Elliptic Curve DSA (ECDSA) to sign executable binaries.
ECDSA takes a private key \(d_A\) and a random number \(k\) with public parameters \(G\), \(n\) and public key \(Q_A = d_A G\), and… »
Investigating an early-2010s gaming DRM system: Part 4
Last time, we investigated how an early-2010s gaming DRM system approached machine-based licensing. This time, we'll investigate exactly how the DRM system interacts with the game to accomplish its ends.
Structure of the DRM system
Looking at the game binary, FooBarBazX.exe, for the… »
Investigating an early-2010s gaming DRM system: Part 3
Last time, we investigated how an early-2010s gaming DRM system stored licences for games. This time, we'll investigate how those licences are tied to particular devices.
From last time, we know that the licence file contains an encrypted XML payload:… »
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
Investigating an early-2010s gaming DRM system: Part 2
Last time, we investigated part of a gaming DRM system from the early-2010s, looking at some of the configuration files. This time, we'll investigate how the licences for these games are stored.
It is known that the licence data for the games is stored… »
Investigating an early-2010s gaming DRM system: Part 1
This post concerns a DRM system used in a PC gaming platform introduced in the early 2010s. The particular DRM system is not relevant and will not be identified, but will be familiar to many.
One function of the DRM system is to require… »
Hacking a cheap fitness tracker – Setting the time
The Mambo HR is a no-name $30 fitness tracker from Chinese manufacturer Lifesense, and I recently acquired one as a gift. Let's look this horse in the mouth, shall we?
Oof, it's not pretty. The Mambo HR has no buttons or touch functionality,… »