Tuesday, April 21, 2020

Piracy: My Thoughts and Opinions

In the world of reverse engineering, piracy and copyright law have always been a subject of debate, often filled with a wild variety of opinions. Being a hobbyist reverse engineer, one inescapable fact that I have come to realize while interacting with professional reverse engineers around the world is that the majority of us became drawn to this field by software piracy.

In my teenage years, I was the child of a single mother. I grew up in a small mountain town of less than 3,000 people, 40 miles from the nearest city. Money was always scarce in our household. For me to have $20 in my possession was something I considered a substantial amount of money. I was fascinated by chess in my youth and wanted to further my expertise so that I might one day become a famous chess player. While these dreams eventually faded years down the line, they led me to the underground chess scene, where many rather expensive chess programs were being shared free of charge. These were programs which I had dreamed of having, but knew I could likely never afford. Many of these programs had protections on them that prevented me, as well as the rest of the chess forum, from accessing them. There were several community-famed software doctors, as they were called, who were breaking these protections in their leisure. They were using their carefully honed skills to make these programs available free for all the underprivileged chess prodigies to enjoy. To me they were heroes. They represented a sense of selflessness by giving these programs to the community without any desire to be rewarded or praised for their efforts. To me, this deed is what I considered to be the true beauty of the world.

As time went on, I became fascinated by the methodologies they were using to reverse engineer these applications, and began researching what went into this endeavor. Within a few months, I managed to crack my first chess software. It was such a rush at that time to feel like an entire community of like-minded people benefited from this mere act of selflessness. I felt like a comic book hero who had defeated an arch-nemesis. From this point onward, I spent countless hours reading tutorials. What started as a simple patching endeavor evolved into the more advanced skills of keygenning, unpacking complicated protections, and ultimately releasing what is probably over 1000 doctored applications. What started as a mere fascination grew into an obsession.

Fast-forward 10 years, and having had the short-lived experience of running a software company of my own, I began to understand the other side of the spectrum. For over a decade, I viewed software developers as wealthy, greedy people who were making millions off of a single piece of code. I didn't realize that most of them were simple people, just like me, who were trying to earn enough money to support their families and buy more time where they could be home to raise their children without having to work 2-3 jobs just to support them. From a market perspective, $100 for what at the time was "the strongest chess program ever created" was not an unreasonable price, but to my youthful, student mind, it seemed greedy.

While I look back on these aforementioned memories with guilt, I still feel that there are some instances where software piracy could be morally justified. These are instances where software developers are charging exorbitant amounts of money for a niche software, priced primarily for wealthy corporations, while offering no reasonably priced avenue for hobbyist users or new startup companies to obtain a legal copy of equal functionality. These are programs that cost in excess of $1,000. Not only does this create unrealistic barriers to entry for startup companies who can't compete financially with wealthier corporate entities, it ultimately increases the cost of educational programs built around them. These programs are often equipped with further anti-piracy measures: they require you to plug in a USB "dongle", a security device that is used for software license validation, every time you run the software, in order to unlock it. If for some reason you misplace this tiny device, or it becomes stolen or destroyed in a fire, you will no longer have access to this software. Many developers refuse to replace this device in these circumstances, forcing you to pay the full price of the software again in order to restore your access. Imagine being a startup company, who went through all of the legal hurdles to get your business up and running, only to have a disgruntled or negligent employee, or even a dirty competitor, steal or destroy your software dongle. While this is a negligible loss to a wealthy company, this could cause a startup company to close their doors.

While I know this is not a legally justifiable argument, nor am I directly promoting piracy, I feel that piracy of these programs protests these corporately geared prices, and what I feel are greed-based protections. However, a true, legal solution to this dilemma would be to collectively work together to create free, open source alternatives to these programs. When the NSA released its free reverse engineering software Ghidra in March of 2019, it became the first free and open source competitor to the popular IDA Pro software, which, with all of its decompiler plugins, costs nearly $10,000 a license. Since Ghidra's release, IDA Pro's developer Hex-Rays has begun development of a home edition of their program, which, on its May 2020 debut, will cost a justifiable $365.

Friday, April 10, 2020

Gilisoft USB Encryption 10.0.0: Lies About Encryption

Gilisoft USB Encryption v10.0.0 is a popular product that is marketed as a USB/flash drive encryption solution. It appears to be a continuation of the now discontinued Wondershare USB Drive Encryption product. According to Gilisoft's product description, it claims to be using AES-256 on-the-fly encryption to secure your files. However, after diving into the methodologies employed by this application, as well as the former Wondershare USB Drive Encryption product, I came to discover that no actual file encryption occurs, making the aforementioned statement a blatant lie. Furthermore, your password is stored as plain text alongside your unencrypted files in the application's hidden data store (an NTFS Alternate Data Stream) on the NTFS file system.

In this short article, I'm going to show you not only how to recover your password, but how this application stores your files. To begin, I have prepared an 8 GB flash drive and have created a 65 MB secure section to store files. I used the provided agent.exe, which was placed on the drive, to access the secure section with my specified password. I placed a simple text file named SecretStuff.txt in this section to be encrypted.

Afterwards, I followed the manufacturer's guidelines to correctly close this "secure area".

After this, most consumers would be under the belief that their files have been securely encrypted. Let's dive a little deeper and take a look at how this is simply not the case.

NTFS Alternate Data Streams

Alternate Data Streams (ADS for short) are a file attribute in the NTFS file system that was originally created for compatibility with the Macintosh file system. It allows a file to carry more than one stream of data, which essentially lets you store multiple files in a single record. This is a feature not commonly needed today. Because of this, most file viewers, including Windows Explorer, do not include a method for reading these streams. This tool, as well as many strains of malware, exploits that blind spot to effectively hide files on a particular drive or partition, completely unbeknownst to the user. With this knowledge, we can use a special tool from Nirsoft called AlternateStreamView to view these streams/files. Let's take a look at our flash drive and see.

It appears to have located several files with this attribute. While most of the files appear to be libraries used by the Agent.exe program, the most interesting file appears to be the data.img file, which is approximately the 65 MB size that I specified for secure storage. Let's use this tool to extract this file and take a closer look at it in a hex editor.

After opening the extracted file in HxD, I immediately saw my chosen password stored in plain text near the beginning of the file:

After scrolling down a bit, I noticed the start of an NTFS file system at offset 0x800. The file system appears to run the full remaining length of the file.

Knowing this, we can simply delete the first 0x800 bytes and save the output so that it can be opened in an appropriate viewer.

My viewer of choice for this is 7-zip. After opening this, I immediately see my file "SecretStuff.txt". Upon extraction and opening, it becomes clear that this file is not encrypted.
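The three manual steps above (read the plaintext password out of the header, find the NTFS boot sector at 0x800, strip everything before it) can be scripted so the same check is repeatable against any container a vendor claims is encrypted. The following is an added example, not code from the article or from Gilisoft. The `data.img` it analyses is a constructed stand-in (password `hunter2`, a minimal fake NTFS boot sector at 0x800, a cleartext file body), not the real file. It goes slightly beyond the article in two ways: instead of hard-coding 0x800 it scans sector-aligned offsets for the NTFS OEM ID and 0x55AA boot signature, and it adds a byte-entropy measurement as an independent "is this actually encrypted" test, since AES output should sit near 8 bits per byte while an unencrypted file system will not.

```python
import math
import string

SECTOR = 512
NTFS_OFFSET = 0x800          # where the article found the boot sector; used only to build the sample


def build_sample_container(password: bytes, secret: bytes) -> bytes:
    """Constructed data.img look-alike (assumption: the real layout differs in detail,
    only the coarse shape described in the article is reproduced)."""
    header = (b"CONTAINER-HDR\x00" + b"password=" + password + b"\x00").ljust(NTFS_OFFSET, b"\x00")
    boot = bytearray(SECTOR)                      # minimal NTFS boot sector
    boot[0:3] = b"\xEB\x52\x90"                   # jump instruction
    boot[3:11] = b"NTFS    "                      # OEM ID
    boot[11:13] = (512).to_bytes(2, "little")     # bytes per sector
    boot[13] = 8                                  # sectors per cluster
    boot[510:512] = b"\x55\xAA"                   # boot signature
    payload = (b"SecretStuff.txt\x00" + secret).ljust(4 * SECTOR, b"\x00")  # cleartext file data
    return header + bytes(boot) + payload


def find_ntfs_boot_sector(img: bytes, sector: int = SECTOR):
    """Offset of the first sector-aligned NTFS boot sector, or None if there is none."""
    for off in range(0, len(img) - sector + 1, sector):
        if img[off + 3:off + 11] == b"NTFS    " and img[off + 510:off + 512] == b"\x55\xAA":
            return off
    return None


def carve_volume(img: bytes, offset: int) -> bytes:
    """Drop the vendor prefix; the remainder opens as a plain NTFS image (e.g. in 7-Zip)."""
    return img[offset:]


PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def printable_strings(data: bytes, min_len: int = 6):
    """strings(1)-style scan for runs of printable ASCII, used on the header region."""
    out, run = [], bytearray()
    for b in data + b"\x00":                      # trailing NUL flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or compressed data, far lower for plaintext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_container(img: bytes) -> dict:
    """Summarise what a supposedly encrypted container actually holds."""
    off = find_ntfs_boot_sector(img)
    header = img[:off] if off is not None else img
    volume = carve_volume(img, off) if off is not None else b""
    return {
        "ntfs_offset": off,
        "header_strings": printable_strings(header),
        "volume_entropy": round(shannon_entropy(volume), 2),
        # an unencrypted file system is recognisable (boot sector found) and low-entropy
        "plaintext_volume": off is not None and shannon_entropy(volume) < 6.0,
    }


if __name__ == "__main__":
    sample = build_sample_container(b"hunter2", b"constructed secret file body")
    print(assess_container(sample))
```

Against a real extracted stream you would read the file into `img`, call `assess_container`, and write `carve_volume(img, offset)` to disk for 7-Zip. A genuine AES-256 container would yield no recognisable boot sector, no readable strings in the header, and an entropy close to 8.0; a result like the one reported here (boot sector found, `password=` string visible, entropy far below 6) is the signature of cleartext storage.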

This is proof that all the claims by Wondershare and Gilisoft that this product employs encryption are completely false. This is false advertising and completely deceitful to their customers who have chosen this product because they believed it was secure. I hope that this article has helped to expose these fraudulent claims and helps you make a more enlightened decision when choosing your security products. Until next time, happy reversing.

Saturday, July 7, 2018

Inline Empty Byte Finder

Inline Empty Byte Finder is a tool designed to help you find a location inside an executable or DLL file to create an inline patch or code cave. It can check for specific section flags to meet the requirements for your inline. Inline Finder searches for areas that meet the size that you specify, but also lists how many extra bytes are available at that offset.

  • Drag and Drop Support
  • Command line Support
  • Define Empty Byte Value
  • Define needed Section Flags
1.0 Download:

1.3 Update:

New Features:
  • Follow Offset or RVA in Hiew
  • Added Column Sorting
1.3 Download:

Tuesday, September 19, 2017

PE Appended Data Viewer 1.02

PE Appended Data Viewer is a tool designed to view and save the overlay of a PE file.

  • x86 and x64 support
  • Save Data or Data Selection
  • Xor Decryption
  • Begin and End Selection
  • Data Interpreter

New in 1.02:
  • Added Entropy Testing
  • Added Hashing/CRC-32
  • Added Ability to Register Shell Extension
  • Added Hex Values to Data Interpreter
  • Added Select Range Form
  • Added Ability to Load Appended Data Using Virtual Size
  • Fixed Memory Leak on Drag and Drop of New File

Monday, July 31, 2017

JexePack Unpacker

JexePack Unpacker is a freeware utility that unpacks JexePack-wrapped Java applications.


Download Version 2:

exe4j Unpacker

exe4j Unpacker is a freeware utility that unpacks exe4j-wrapped Java applications.

Please consider making a donation if used within a commercial environment.

Thursday, July 13, 2017

Launch4J Unpacker: Updated 07/26/2017

Launch4J Unpacker is a free utility to extract the embedded jar archive from a Launch4J-wrapped Java program.

07/26/2017: Version 1.01 Released:
  • Added Support for Launch4j applications signed with sign4j.
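The PE Appended Data Viewer entry above (overlay extraction, CRC-32, XOR decoding) and this Launch4J Unpacker entry rest on the same idea: whatever follows the last section's raw data in a PE file is the overlay, and launcher stubs carry their payload there. The following is an added example, not code from either tool. It assumes, as a labelled assumption, that a Launch4j-style launcher carries the jar as appended data; the wrapped executable it analyses is a constructed stand-in (a minimal PE32 with one `.text` section followed by an in-memory jar), not a real Launch4j stub. It also handles the case this 1.01 release mentions, a signed launcher: trailing bytes after the ZIP end-of-central-directory record are reported rather than fed to the ZIP parser.

```python
import io
import struct
import zipfile
import zlib


def build_sample_jar() -> bytes:
    """Constructed two-entry jar built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Demo\n")
        zf.writestr("Demo.class", b"\xCA\xFE\xBA\xBE" + b"\x00" * 28)
    return buf.getvalue()


def build_sample_wrapped_exe(payload: bytes, trailer: bytes = b"") -> bytes:
    """Constructed launcher stand-in: minimal PE32, one section, then appended payload.
    (Assumption: a real launcher's code differs; only the header geometry matters here.)"""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    section_data = b"\xC3" * 0x200                       # 'code': a page of RET bytes
    num_sections, size_opt = 1, 0xE0                     # PE32 optional header size
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * num_sections
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF             # file-align the section to 0x200
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\x00")  # PE32 magic, rest zeroed
    sect = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = (dos + b"PE\x00\x00" + coff + opt + sect).ljust(raw_ptr, b"\x00") + section_data
    return image + payload + trailer


def overlay_offset(pe: bytes) -> int:
    """Start of the overlay = end of the section with the highest PointerToRawData + SizeOfRawData."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    first_section = coff + 20 + size_opt
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, first_section + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def extract_overlay(pe: bytes) -> bytes:
    return pe[overlay_offset(pe):]


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the light obfuscation some stubs apply to appended payloads."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def describe_overlay(overlay: bytes) -> dict:
    """Report size, CRC-32, whether the data is a ZIP/jar, its entries, and any trailing bytes."""
    info = {
        "size": len(overlay),
        "crc32": zlib.crc32(overlay) & 0xFFFFFFFF,
        "is_zip": overlay[:4] == b"PK\x03\x04",
        "jar_entries": [],
        "trailing_bytes": 0,
    }
    eocd = overlay.rfind(b"PK\x05\x06")                  # end-of-central-directory record
    if info["is_zip"] and eocd != -1:
        comment_len = struct.unpack_from("<H", overlay, eocd + 20)[0]
        zip_end = eocd + 22 + comment_len
        info["trailing_bytes"] = len(overlay) - zip_end  # e.g. a signature appended after the jar
        with zipfile.ZipFile(io.BytesIO(overlay[:zip_end])) as zf:
            info["jar_entries"] = zf.namelist()
    return info


if __name__ == "__main__":
    exe = build_sample_wrapped_exe(build_sample_jar(), trailer=b"SIGN" * 8)
    print(hex(overlay_offset(exe)), describe_overlay(extract_overlay(exe)))
```

For a real file, replace the constructed `exe` with the bytes read from disk; if `is_zip` is true, `overlay[:zip_end]` is the jar to save. When `trailing_bytes` is non-zero on a signed launcher, those bytes are not part of the archive and must be cut before the jar is written out.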

Version 1.01:

Version: 1.0: