-
Investigating a proprietary early-2000s abandonware ebook format
This article concerns a Windows software product which featured the ability to compile HTML websites and multimedia content into a standalone EXE file. The last release of this product was in 2003, and the product website has not operated since 2012. Content was stored… »
-
Spoofing Android device model via Smali patching
I recently came up against an Android application which gates certain functionality behind detecting a ‘compatible’ Android device – which mine was not. My usual approach, on a rooted device, would be to use XPrivacyLua to spoof the device information returned to the application, but… »
-
Reverse engineering software licensing from early-2000s abandonware – Part 3
In part 2, we reverse engineered the decrypted format of the licence file data for this particular software. In this part, we investigate how exactly that licence file is encrypted.
Into the fray
In part 2, we identified that the decrypted licence file… »
-
Reverse engineering software licensing from early-2000s abandonware – Part 2
In part 1, we reverse engineered the registration code licensing mechanism of this particular software. However, that mechanism was not the mechanism actually in use in 2004; rather, a different mechanism was used based on licence files named license.bin. In this part, we… »
-
Reverse engineering software licensing from early-2000s abandonware – Part 1
Background
This series concerns a software licensing system used in a proprietary software application from circa 2004. The software was available in an unregistered trial mode with limited functionality. A free licence could be obtained by registering online with the software vendor. The software became… »
-
Investigating and disabling hard-coded certificate pinning in an Android application
mitmproxy is an open source interactive HTTPS proxy, which makes it easy to intercept HTTPS for reverse engineering, including Android clients. It does this by installing its own CA certificate on the client device.
Recently, I was attempting to reverse engineer the HTTPS… »
-
Illegal numbers
Legal counsel for various companies, including AACS LA (Advanced Access Content System Licensing Administrator) LLC, DVD Copy Control Association Incorporated, Intel Corporation, Motion Picture Association of America Incorporated, Sony Computer Entertainment America Incorporated and Texas Instruments Incorporated, have determined that the possession or distribution of… »
-
Investigating Google Cast: Disabling device authentication on Android with Xposed
Background
Google Cast is a proprietary protocol by Google which enables controlling playback of Internet-streamed audiovisual content on the Chromecast, Android TV and other compatible devices.
From the consumer perspective, Google Cast connects two devices: a sender (such as a smartphone) and a receiver (such… »
-
Investigating a MIDI music DRM system (c. 1998)
Background
This post concerns a DRM system used in a proprietary JavaScript-based music player. The music is sequenced locally in the client based on instrument and note data, à la MIDI. The music player does not have any export capabilities, but like the previous instalment… »
-
Investigating a legacy document delivery DRM system – Part 2
Last time, we investigated the HTML5 viewer for a document delivery DRM system, rehosting the viewer to give us unlimited access to documents – but only through the standard print procedure, which inserts watermarks and copyright information. This time, we'll investigate how we can… »
-
Investigating a legacy document delivery DRM system – Part 1
Background
This post concerns a DRM system used in an online document delivery platform (think PDFs, but proprietary), established circa 2000 and still in popular operation. Documents purchased through the platform are delivered in a proprietary encrypted file format, which can be opened using a… »
-
Investigating a recent ebook DRM system (c. 2018)
Background
This post concerns a DRM system used in an online ebook platform, released circa 2018. Users of the platform can purchase ebooks and either view them online, or download them for offline viewing using a proprietary Android/iOS app.
As usual, the particular DRM system… »
-
Crypto failures in the wild
Sony PlayStation 3 ECDSA random number reuse
The Sony PlayStation 3 (2006) uses Elliptic Curve DSA (ECDSA) to sign executable binaries.
ECDSA takes a private key \(d_A\) and a random number \(k\) with public parameters \(G\), \(n\) and public key \(Q_A = d_A G\), and… »
-
Investigating an early-2010s gaming DRM system: Part 4
Last time, we investigated how an early-2010s gaming DRM system approached machine-based licensing. This time, we'll investigate exactly how the DRM system interacts with the game to accomplish its ends.
Structure of the DRM system
Looking at the game binary, FooBarBazX.exe, for the… »
-
Investigating an early-2010s gaming DRM system: Part 3
Last time, we investigated how an early-2010s gaming DRM system stored licences for games. This time, we'll investigate how those licences are tied to particular devices.
From last time, we know that the licence file contains an encrypted XML payload:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>… »
-
Investigating an early-2010s gaming DRM system: Part 2
Last time, we investigated part of a gaming DRM system from the early-2010s, looking at some of the configuration files. This time, we'll investigate how the licences for these games are stored.
It is known that the licence data for the games is stored… »
-
Investigating an early-2010s gaming DRM system: Part 1
Background
This post concerns a DRM system used in a PC gaming platform introduced in the early 2010s. The particular DRM system is not relevant and will not be identified, but will be familiar to many.
One function of the DRM system is to require… »
-
Hacking a cheap fitness tracker – Setting the time
The cast
The Mambo HR is a no-name $30 fitness tracker from Chinese manufacturer Lifesense, and I recently acquired one as a gift. Let's look this horse in the mouth, shall we?
Oof, it's not pretty. The Mambo HR has no buttons or touch functionality,… »