Exetools

Thread: Exetools and exe-scene (https://forum.exetools.com/showthread.php?t=12500), General Discussion

SkY[vN] 10-08-2009 15:20

Exetools and exe-scene
 
Hi All!

I see the exe-scene and exe-software releases are dying; counting the new posts on the forum, it's been so small for months.

Or has the exe-scene just gone underground (private)?

Or have Windows Vista/7 etc. killed the interest of all PE/exe-addicted people?

Remember, for example, 1998 till 2006: so many kewl releases there were.

People are losing interest in the exe-scene.... so pity...

Just my IMHO:)

rd 10-15-2009 01:18

the same for many other scenes .. people in the last few years either go corporate or underground.

quosego 10-15-2009 03:50

And I suppose due to the fact that lately attacks on protectors etc. have been highly successful and updates of these quite lame, people are losing interest..
Sadly enough it seems the crackers have the edge right now..

After they switched to VM the crackers were lagging behind a bit, but that has changed and now it seems the protector developers aren't thinking of new stuff.. Which perhaps makes everything somewhat less interesting..

Even Oreans is doing a sucky job at updating. And the new armadillo is dreadful. VMprotect perhaps is still interesting.
But well there's always new ground somewhere you just have to look harder. :)

Av0id 10-15-2009 11:28

IMHO, it's dying because there are many boards with closed registration or with hard-to-join requirements, and many things you can't get for free (like unpack.cn), and you must prove something to someone to become a cool guy, etc.

jonwil 10-17-2009 21:15

One thing I notice is that there is almost no information in public about reverse engineering the protection systems commonly used for current commercial products (those that aren't simply product-specific custom jobs).
For example, there is basically NO information around about the modern versions of Securom (either the dvd-based check or the newer "product activation tied to the hardware" check).

LaBBa 10-18-2009 03:03

the scene is not dead.
it's still alive but much smaller than it used to be.
this is due to ppl that are much older and stopped cracking because they
are not seeing the need to do it anymore. the persons that are still active in the scene are trying to save the scene by removing the need for any leech ratio that once was there to keep talented ppl in the scene.

about the protections:
there is a simple rule about any protection:
"If it can run fully once, it can run like this all the time"
it doesn't matter how much they will invest in developing new complex protections, there is still this rule and they know it.
the only protections whose cracking is still private are the CD protections.
all other protections are usually public or just not that updated, but you can still learn from them to continue on your own.

Regards,
LaBBa.

quosego 10-18-2009 04:29

Quote:

One thing I notice is that there is almost no information in public about reverse engineering the protection systems commonly used for current commercial products (those that aren't simply product-specific custom jobs).
Pretty much all is documented including securom, read the paper from ARteam then fill in the blanks.. (Since there are a few.) There are automatic unpackers and papers for almost all protectors; if there are not, then well, the protector is rare or niche..

There are no simple guides to securom due to the simple fact that it is unlikely newbie reversers will succeed with any length of tutorial. There's too much of a "gimme tut to learn because else it's impossible" mentality. Tuts are to help you a bit on the way; you must connect the dots yourself. That's how you become a good cracker. You can't follow one tut and expect to be able to crack all programs protected with that tut.. You must adapt yourself.

Deathway 10-18-2009 09:33

My guess: the attraction is the innovations. When Virtual Machines appeared in exe protectors they were nice stuff to study, but that emotion doesn't last forever; some people wait until another kind of innovation.

what 10-20-2009 13:40

I am going to say open source is killing reversing. There are hardly any products that do not have a legitimate open source competitor. There is no need to reverse if you have the source code and it's free. Aside from this fact, it is definitely true that reversers are just getting bored. There is a lack of new protection schemes. How many times can you unpack TMD or Armadillo before you get bored? (About 5-ish?)

progopis 10-20-2009 15:05

>I am going to say open source is killing reversing.

I suppose cracking is killing shareware. All products for users should be open source. There are many other pretty ways to get money from developing programs: technical support, documentation, etc. The model of free open source apps works fine. The developer doesn't spend a lot of time on protection, and others can help him with bugs.

For example, my friend is a developer of small games. Early on, all his games were shareware. He got tired of deleting cracks from file shares. Now all products are freeware with a donate system. He works more on improving the soft. He gets much more money via the donate model than via shareware.

Maybe that's an objective of the crack scene? Free, non-bugged, good open source applications.

remal 10-20-2009 16:59

Quote:

Originally Posted by progopis (Post 65544)
The model of free open source apps works fine. The developer doesn't spend a lot of time on protection, and others can help him with bugs.

This is technically true. But financially?

Quote:

Originally Posted by progopis (Post 65544)
For example, my friend is a developer of small games. Early on, all his games were shareware. He got tired of deleting cracks from file shares. Now all products are freeware with a donate system. He works more on improving the soft. He gets much more money via the donate model than via shareware.

I am interested in the numbers if you can (and are willing to) share, and maybe the market segment that he is targeting.

Sorry if I go off-topic, but this discussion about marketability is really interesting.

PS: I thought I had a query about what you think could be the next big thing in exe-scene. Well, maybe it was deleted due to inappropriate discussion.

quosego 10-20-2009 17:56

Quote:

I thought I had a query about what you think could be the next big thing in exe-scene. Well, maybe it was deleted due to inappropriate discussion.
Yeah, saw that question as well, found it quite appropriate and interesting.
But honestly it's hard to say.. Imho, to up the ante they have to go hardware.
There's not much left in x86..

There are less people into hardware hacking than RE, so there's some gain there.. But well if they go hardware RE goes hardware as well.. So it should be a nice new round in the battle between DRM and crackers.

However I doubt it's feasible, no sane person would give up the free computer model and turn them into restrictive consoles.

Git 10-20-2009 18:33

I see Intel have incorporated AES encryption and key hardware into Core i7 and later.

Git

Av0id 10-20-2009 22:41

Quote:

Originally Posted by Git (Post 65550)
I see Intel have incorporated AES encryption and key hardware into Core i7 and later.

Git


so, this will be the new protection schemes in the near future

tofu-sensei 10-20-2009 23:36

Quote:

Originally Posted by Av0id (Post 65551)
so, this will be the new protection schemes in the near future

As far as I can tell they're simply adding new instructions to the CPU in order to speed up AES en-/decryption...

Git 10-20-2009 23:46

And key generation tied to individual CPU.

Git

remal 10-21-2009 09:49

Quote:

Originally Posted by quosego (Post 65548)
However I doubt it's feasible, no sane person would give up the free computer model and turn them into restrictive consoles.

Quite true.

At the moment, our computing model is still more or less a static model. Code is compiled into static instructions. Packers have static signatures. Data is treated as data, code is treated as code. So in a sense, it is still a (albeit less) restrictive console.

Maybe the future is in dynamism. Code and data are mixed up, stirred well, so one cannot tell if it's code or data. Code is generated on-the-fly, morphing from time to time.

Git 10-21-2009 20:14

> Code is generated on-the-fly, morphing from time to time.

Rather negates the huge speedup gained by the multi tiered large caches we enjoy today.

Git

remal 10-21-2009 23:12

Yea, that's the sad part. Whether it is a fair trade off remains to be seen. We also make this trade off when we decide to use VM code.

But at the moment, we still do not have good instrumentation tools for PE files. There are very useful tools for the Java VM (ObjectWeb ASM), and probably the .NET CLR too. This is probably what holds us back from seeing realizations of such dynamism.

Maybe the next step in evolution is a morphing VM. Let us wait and see.

quosego 10-21-2009 23:45

As for a morphing VM, well, themida has got all that already..

Bytes -> handler = dynamic (if 00 equals mov in the first instruction, it will be different in the second, and also different between programs.)
handler sequence = dynamic/random
byte encryption = carrying, modified by each byte(s), and each next byte(s) is encrypted with it.
+ Handler obfuscation
+ VM_code obfuscation

Not much more they could've done..
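A toy stack VM that illustrates the three properties listed in the post above (per-build opcode-to-handler mapping, shuffled handler order, and carrying byte encryption where each byte's key depends on the previous plaintext byte). This is an added, constructed example, not Themida's implementation or any code from this thread; the key-update rule, the seed-based build and the sample program are assumptions made for illustration.

```python
import random

# Handlers of a minimal stack machine: (stack, immediate argument or None).
def h_push(st, arg): st.append(arg)
def h_add(st, arg): b = st.pop(); a = st.pop(); st.append((a + b) & 0xFF)
def h_mul(st, arg): b = st.pop(); a = st.pop(); st.append((a * b) & 0xFF)
def h_halt(st, arg): return True          # signals the dispatch loop to stop

# mnemonic -> (handler, number of immediate bytes)
MNEMONICS = {"push": (h_push, 1), "add": (h_add, 0),
             "mul": (h_mul, 0), "halt": (h_halt, 0)}

def build_vm(seed):
    """One 'build' of the protector: random opcode bytes, shuffled handler
    order and a random initial carry key (assumed scheme, seeded for tests)."""
    rng = random.Random(seed)
    names = list(MNEMONICS)
    rng.shuffle(names)                          # random handler sequence
    opcodes = rng.sample(range(256), len(names))  # 00 is not 'mov' in every build
    enc = {n: op for n, op in zip(names, opcodes)}
    table = {op: MNEMONICS[n] for n, op in enc.items()}
    return enc, table, rng.randrange(1, 256)

def assemble(src, enc, key0):
    """Encode mnemonics with this build's opcodes, then carry-encrypt them:
    each byte is XORed with a key updated by the previous plaintext byte."""
    plain = []
    for ins in src:
        plain.append(enc[ins[0]])
        plain.extend(ins[1:])
    out, key = [], key0
    for b in plain:
        out.append(b ^ key)
        key = (key + b) & 0xFF      # carry: a byte cannot be decoded in isolation
    return bytes(out)

def run(code, table, key0):
    """Decrypt one byte at a time while dispatching through the build's table."""
    st, key, pc = [], key0, 0
    def nxt():
        nonlocal key, pc
        b = code[pc] ^ key
        key = (key + b) & 0xFF
        pc += 1
        return b
    while pc < len(code):
        handler, nargs = table[nxt()]
        args = [nxt() for _ in range(nargs)]
        if handler(st, args[0] if args else None):
            break
    return st

# Constructed sample program: 6 * 7 + 1 = 43
PROGRAM = [("push", 6), ("push", 7), ("mul",), ("push", 1), ("add",), ("halt",)]

def demo(seed):
    """Return (bytecode, final stack) for one build; bytes differ per seed."""
    enc, table, key0 = build_vm(seed)
    code = assemble(PROGRAM, enc, key0)
    return code, run(code, table, key0)
```

Two builds execute the same program to the same result while producing different bytecode and different opcode numbering, which is the per-program variation the post describes.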

kittmaster 10-22-2009 05:13

sometimes life just gets in the way, or goals about things change......not much you can do, but enjoy the ride

Git 10-22-2009 05:19

> We also make this trade off when we decide to use VM code

But we don't make that choice, it is thrust upon us by software manufacturers thinking they are protecting their product. Nobody would choose to have VM'd apps rather than plain 386, would they?

Git

remal 10-22-2009 10:18

Quote:

Originally Posted by quosego (Post 65568)
As for morphing VM, well themida has got all already..

I've really no clue on how Themida works, so I'm just guessing blindly here.

To me, morphing means the code is changed in each __run__, not in each __application__. Or even better if the code is changed after some condition, even in one run.

quosego 10-22-2009 14:33

Well, doable, but that won't change it much.. If you'd make the handler -> bytes mapping changeable and the accompanying handler location as well, it would however open a massive security problem.. I can force the VM to become static by shutting down its randomization; this way I get an identical VM on all apps.. making it a lot weaker than it is now.

If you'd morph VM_code however, you can attack the morpher which can interpret VM_code to morph it and very likely extract usable info from it. (If not pure asm.)

davo007 01-23-2010 10:55

Could it be that the scene is smaller because the scene is getting older?? The younger generation are too lazy to spend the time cracking software protection...and that combined with the fact that there is not too much teaching going on out there (imho) so the tricks of the trade are dying with those that know them. And the older scene "is getting too old for this sh%$" to mess with the newer stuff...

my two cents.

quosego 01-23-2010 17:31

Quote:

The younger generation are too lazy
Hehe, well, thank you. :) But you've got a point; how I see it, all the 15, 16, 17 year olds are used to internet spoon feeding. It seems that group is around at the RE sites but not quite cracker material.

metr0 01-23-2010 21:49

The scene's getting smaller for sure. I'm not in the scene for a long time yet but it wasn't hard to notice that trend.

Internet spoon feeding describes the whole attitude perfectly fine (thanks quo :P). But that's also why I don't wonder that the amount of teaching decreases if there's no one left interested in how to solve a RCE problem but rather having the problem solved at all.

what 01-26-2010 14:09

Quote:

The younger generation are too lazy
This, combined with the move to obfuscated code, is causing less and less people to get involved with rce. Earlier in the decade, the code from protectors was easy to read and there were only anti-debugging techniques, but now you have to search for the right code (sift through thousands of commands). It's much harder to jump right into reversing, so people quit before they even get started. And the scene is getting smaller because (well, the reason why I retired) it's the same old crap. There was a shift toward vm and obfuscated code, then no changes since. The protections haven't changed, so people just get bored. And those who do stay in the scene and do know how to deal with new protections do not want to share the information, because it takes so long to perfect an attack, which is another reason why the new generation is not getting involved (lack of information on new protections).

netseeker 02-28-2010 02:52

perhaps open-source solutions are working well,
that's why the scene is not as effective as it used to be.
for instance, for the FTP client it's been a long time that I'm using filezilla instead of cuteFTP or any other 3rd party commercial software.
don't you think?

cybercoder 03-09-2010 23:20

I think quite simply it's all about time now... it is a very time consuming process now and many have grown out of it / got bored.. Girlfriends / kids don't help either.. lol Although I tend to disagree about a lot of the tutorials out there that rely on things such as scripts or other tools that pretty much do it all and you learn nothing.. also many ways of defeating anti-debug tricks are often not explained.. usually just "use this plugin, it does it for you".. I think a complete understanding of why the debugger is being caught and the way to defeat it should be explained a lot more..

remal 03-10-2010 09:25

Quote:

Originally Posted by cybercoder (Post 67131)
I think a complete understanding of why the debugger is being caught and the way to defeat it should be explained a lot more..

Would you mind writing a detailed analysis on such subject? Perhaps a walkthrough of some existing plugin? I'll be your reviewing eye if you need one.

