KVR Audio

JCJR · Post by **JCJR** » Mon Jul 10, 2017 5:53 pm

Automated internet sales requiring minimal human labor per order can be a great expense cutter compared to the past.

Long ago when I wanted to make and sell hardware and software, always wanted to sell it real affordable. This might be easier today if you can mostly sell web-direct. Maybe what I report is no longer applicable, but back then when I'd talk to some marketing experts about hawking low-price gear thru dealers or big pre-www catalog-sales companies. I was told that it is easier to sell high-price product to dealers or big sales companies, and harder to sell low-price product to dealers and big sales companies.

It was explained that a salesman in a store often needs to spend just as much time hard-selling a $20 box as the time he spends hawking a $200 box. If the salesman can often-enough turn over $200 boxes then he has no motivation to even stock the $20 boxes. Stocking the $20 boxes would be an annoyance taking up valuable time he could better use trying to sell $200 boxes.

Same deal with catalog companies. If the company spends a zillion dollars per month mass-mailing 50 page color catalogs then it is more important to allocate page space to the expensive gear with higher profit margin.

Dunno if that mentality has applicability to a modern huge web music store. The cost of fulfilling the $20 orders is perhaps so low that it makes no sense to boycott the cheap products. OTOH even for the cheap products, a giant web music store has to pay somebody to format a web page for each item offered. And even though the price of server storage and bandwidth might be low, there is still a per-product internet cost overhead for each item offered fer sail, and a per-product warehousing cost, etc.

Finally, a "captain obvious" nugget for any newbs who might have not learned it-- If the marketing plan is to sell wholesale to dealers while also selling direct-- NEVER offer discounts on direct sales. Some dealers sell barely above their cost and others might charge retail, but if you start price-competing with the dealers then the dealers will get pissed-off and eventually you won't have any dealers and direct-sales will be your only revenue stream.

You can wiggle around this by "indirectly competing" with dealers-- Emails to previous customers offering upgrades, cross-grades, special bundles to registered customers, etc. But if you direct-sell to new customers at lower than your list price then it probably won't turn out so good if you also want to sell wholesale to dealers.

Chaotikmind · Post by **Chaotikmind** » Mon Jul 10, 2017 11:01 pm

Urs wrote:
Chaotikmind wrote:It will really depends if you're lucky or not, if a really good reverser does it, then you're mostly f**ked, no matter what.
I guess I'm lucky because I don't do operating systems, banking stuff or anything else that is an interesting target for anyone but a beginner.

We actually know a lot about the way they work, and they're totally at "let's try to make this jz a jnz". There is no indication in the cracks which show any knowledge of larger context.
because the knowledge gap between crack users, and cracks makers is insane, they logically end up being perceived as "gods".

If you think most of the reverser think that they just have to replace a jz by jnz , then i would think you miss the point, it's actually true and false at the same time.
It always boil down to a jump or no jump issue (philosophically ofc), in that regards you're right.
But i hope you don't imagine they're (for most of them) not just replacing jumps ? (i know i abuse your sentence here)
i just have a decent level, and reversing is a lot of work, and it involves knowledge in a lot of programming/computing fields.
Maybe there are "reversers" than just have a naive view of the thing (script kiddies), but in that case they're not reversers any more, i think it's utterly incompatible.
Reversing involve reading assembly like your native language, high speed pattern matching, good to very good programming skills, understanding the internals of compilers, good understanding of system api, and the system itself as well, inner structure of executable files, grammar and semantics, etc etc.
it's by no means an activity for "uneducated" people.
That said i can perfectly understand it gets people angry !

Yes, but what gets me is the total disregard for the people who wrote the software in the first place

I can only agree with that.
But i'm not sure fighting human nature is a good answer, not that i know the good answer either...

As a purely philosophical point of view (and being a libertarian) i would say that the real value is in the human doing the work , not in the work, but that won't help you eating everyday

(at least in our time)

aciddose · Post by **aciddose** » Tue Jul 11, 2017 4:46 am

The argument that crackers are equivalent to "reversers" with "very good programming skills" is just flat out wrong and requires that cognitive dissonance I pointed out earlier.

If it were true those individuals would simply create original works the same way we programmers do. If they are so skilled they could even chop out the portions of our code that work best and use those in order to save time. I've never seen such a thing; I wonder why?

My own free software is preschooler level work. Any actual retard could accomplish far better work in far less time. (Core portions were written when I was 13.) Yet these crackers prefer to spend a lot of time and effort breaking locks ... ? Perhaps it is because such a task requires far less skill and knowledge and is over-all much easier for them.

If the cracker had nothing to "unlock" are you saying they would have written the software themselves? The truth is that if there were no "locks" almost all the skills of the cracker would be useless skills and they would achieve nothing at all.

... that is the definition of cognitive dissonance.

Urs · Post by **Urs** » Tue Jul 11, 2017 5:37 am

Chaotikmind wrote:the reverser

I'm not talking about reverse engineers. I'm talking about the poor lads who crack audio software. They understand simple branch logic and integer math, but once you move parts of your protection to floating point arithmetic (read: DSP) they just gaze at the screen with an empty stare.

That said, I'm sure there are skilled reverse engineers out there doing a touch job. And I dearly hope they have a paid job in a kick ass field, far away from audio plug-ins.

Richard_Synapse · Post by **Richard_Synapse** » Tue Jul 11, 2017 10:34 am

Chaotikmind wrote:The specific case your talking about seems to relate well to the way Themida VM used to work
which was defeated by automatic(mostly) analysis and recompilation.
Basically Themida was taking part of the original code, replacing it with a call to the VM and emulating it's execution , obviously a bitch to reverse, but it was finally reversed like anything else.

They constantly update their software, it's very easy for them to change VMs or add new VMs as they please and thus break any automatic attempt at recompilation. The way I see it, the crackers will always trail behind when it comes to this type of obfuscation technology (or any decent obfuscation, for that matter). That said, obfuscation does not necessarily make anything safe, just impossible to understand.

Richard

Chaotikmind · Post by **Chaotikmind** » Tue Jul 11, 2017 8:24 pm

aciddose wrote:The argument that crackers are equivalent to "reversers" with "very good programming skills" is just flat out wrong and requires that cognitive dissonance I pointed out earlier.

If you want to say that not all cracker are reversers, and not all reverser are doing cracks, then i can probably agree.

If it were true those individuals would simply create original works the same way we programmers do. If they are so skilled they could even chop out the portions of our code that work best and use those in order to save time. I've never seen such a thing; I wonder why?

I strongly disagree with that, they are creating original work, but only in the reversing domain, there are some marvelous tools created by some of those guys.
Some people are only interested in programming stuff in a specific domain, some other people are "only" interested in reversing software.

To me, what you're saying is more or less equal to something like , "why the very good system programmer don't use their skills to do DSP stuff"
sorry if i misunderstood you, but it sounds like a stupid argument. reductio ad absurdum.

My own free software is preschooler level work. Any actual retard could accomplish far better work in far less time. (Core portions were written when I was 13.) Yet these crackers prefer to spend a lot of time and effort breaking locks ... ? Perhaps it is because such a task requires far less skill and knowledge and is over-all much easier for them.

Yes i indeed believe they like to break locks, i used to like it, and i still do....
It's just not the same skill set that is needed to make DSP software for example.

If the cracker had nothing to "unlock" are you saying they would have written the software themselves? The truth is that if there were no "locks" almost all the skills of the cracker would be useless skills and they would achieve nothing at all.
... that is the definition of cognitive dissonance.

They would very probably not write the program themselves , ok with that.
But i disagree that the corresponding set of skills would be useless, having a good understanding of the system and assembly, etc, is useful in a lot of domains.
i don't see any cognitive dissonance here.

For the record, i play music live, and i use my own live software (modest one), which is specifically tailored for my use. (and which sadly don't support VST yet, so i only use my FX)

Urs wrote:I'm not talking about reverse engineers. I'm talking about the poor lads who crack audio software. They understand simple branch logic and integer math, but once you move parts of your protection to floating point arithmetic (read: DSP) they just gaze at the screen with an empty stare.

Frankly i'm not sure what you describe exists at all, but i guess i could be surprised by the truth.

Richard_Synapse wrote: They constantly update their software, it's very easy for them to change VMs or add new VMs as they please and thus break any automatic attempt at recompilation. The way I see it, the crackers will always trail behind when it comes to this type of obfuscation technology (or any decent obfuscation, for that matter). That said, obfuscation does not necessarily make anything safe, just impossible to understand.

Richard

Huhu, that why all those protection are cracked one day/week after they're updated?
So yes they're trailing behind, but by a so short time it's ridiculous most of time.
the only one that broke a record is Denuvo, but we start to see proper crack appearing too.

aciddose · Post by **aciddose** » Tue Jul 11, 2017 8:45 pm

It's cognitive dissonance. Your arguments are all due to it.

I do not agree any cracker focused only on cracking skills is also an expert at reverse engineering. This is due to the fact that reverse engineering in any domain requires extensive knowledge specific to that domain in order to facilitate the reverse engineering.

If those "reversing" crackers had any skills or interest in anything other than breaking software "locks" I could at least agree that you are partially correct. Their skills could be applied to creating better locks, or they could work as a locksmith does by testing, repairing and opening locks for which the key has been lost. Unfortunately that just doesn't happen in real life.

So the motivation of the cracker does not come purely from an interest in engineering specific to one field. Their interest in that particular subset of engineering fields is rather rooted in their desire to break locks!

If that were untrue the majority of them would be investing their time and skills into more productive areas. Specialists in the security field can make some of the highest incomes of all fields of engineering. They work for government agencies and the military and deal with protection of classified data. They work for banks and other firms where protection of confidential data is absolutely essential to their business.

Your problem is that you are conflating two separate groups. I admit there may be some very small overlap between them but it is tiny at best. A highly specialized contractor with military clearance is likely not spending a week to crack some lame audio plug-in protection. How would they find that interesting in the least compared to their day-to-day work?

This is where your argument falls apart. Reduction to absurdity indeed.

You'll even find they've cracked free software to remove nag screens "if you use this software regularly please consider making a donation: (not right now) (don't ask me again) (take me to the donate page)." What is the point of that exactly?

While highly skilled reverse engineers specializing solely in the field of software protections certainly do exist I believe they are extremely rare. You are vastly, vastly overestimating the capability of the majority of crackers out there.

resynthesis · Post by **resynthesis** » Tue Jul 11, 2017 9:55 pm

In EVERY university I've worked at there have been students (both UG and PG) who have been known to crack software. These have often been some of the brightest and most competent and have used cracking as a challenge akin to a crossword puzzle. I don't know if any of these students were the sources of cracks on the web but I don't think that was their main aim. And, yes, a number do work in security and in compiler design these days.

Chaotikmind · Post by **Chaotikmind** » Tue Jul 11, 2017 11:37 pm

aciddose wrote:It's cognitive dissonance. Your arguments are all due to it.

I do not agree any cracker focused only on cracking skills is also an expert at reverse engineering. This is due to the fact that reverse engineering in any domain requires extensive knowledge specific to that domain in order to facilitate the reverse engineering.

If those "reversing" crackers had any skills or interest in anything other than breaking software "locks" I could at least agree that you are partially correct. Their skills could be applied to creating better locks, or they could work as a locksmith does by testing, repairing and opening locks for which the key has been lost. Unfortunately that just doesn't happen in real life.

So the motivation of the cracker does not come purely from an interest in engineering specific to one field. Their interest in that particular subset of engineering fields is rather rooted in their desire to break locks!

If that were untrue the majority of them would be investing their time and skills into more productive areas. Specialists in the security field can make some of the highest incomes of all fields of engineering. They work for government agencies and the military and deal with protection of classified data. They work for banks and other firms where protection of confidential data is absolutely essential to their business.

Your problem is that you are conflating two separate groups. I admit there may be some very small overlap between them but it is tiny at best. A highly specialized contractor with military clearance is likely not spending a week to crack some lame audio plug-in protection. How would they find that interesting in the least compared to their day-to-day work?

This is where your argument falls apart. Reduction to absurdity indeed.

You'll even find they've cracked free software to remove nag screens "if you use this software regularly please consider making a donation: (not right now) (don't ask me again) (take me to the donate page)." What is the point of that exactly?

While highly skilled reverse engineers specializing solely in the field of software protections certainly do exist I believe they are extremely rare. You are vastly, vastly overestimating the capability of the majority of crackers out there.

Maybe i'm overestimating the overlap between both groups, but i also think your underestimating it, i can't prove it ofc, so i guess it's pointless to argue more.

And i still disagree with you on one point, when i get a reversing contract, it's often more of less interesting stuff, but i still time to time help people with a stupid protection (recently i removed the protection from a software that was piloting a CNC , the dongle was poorly implemented, and its hardware was failing from time to time, hence the poor guy working on it was periodically loosing his work, i guess it can count as a legit crack , since it did more good than harm to anyone (and anyway the software need a 150k€ machine to work....) , but believe it or not, it was deceptively simple to do, and i still took pleasure doing it, and was not paid for it, it was just for helping)

Anyway , i don't get why people are protecting their software knowing it's so easy to defeat 99% of the time, they're loosing time that could be used in a more useful way, eventually it creates problems for the end user, and it doesn't prevent cracked version to be everywhere.

aciddose · Post by **aciddose** » Wed Jul 12, 2017 12:20 am

For the point about students: I've only ever known students to produce cracks. There are probably some number of oldschool crackers out there but I've never known any of them. I'm not sure how they would have enough time to focus on the same kind of pointless stuff.

I've been invited into a number of groups myself but despite the number of "cracks" or reverse engineering jobs I've done for my own benefit I just never found the idea of doing it without any specific personal motivation to be interesting in the least. I don't see any "benefit" or "common good" coming out of the public release of cracks.

Maybe I'm just a totally selfish asshole; but then aren't most crackers inconsiderate sociopaths?

I just don't believe the majority of cracks are done by a highly skilled group. These sorts of low-grade cracks applied to VST plug-ins are mostly coming from the lowest levels of amateurs and newbies. Yes, cracking certain types of security features may be interesting to the highly skilled but I do not believe most VST plug-ins are except in the rare cases where the cracker does it out of personal interest in using the software themselves.

That's all part of the cognitive dissonance though: it requires an us vs. them mentality placing the authors of the software in the "enemy" category and excusing the release of cracks with "try before buy!" and similar nonsense. (Not to mention the common use of stolen credit card numbers and similar schemes; We're really discussing a group comprised significantly of low-grade criminal scum here.)

That said I believe while it is genuinely possible to justify from the perspective of a sociopath; the lack of awareness as to the scope of harm done is astounding. It is certainly nowhere near a reasonable trade-off once you consider all of the consequences; not just to the cracked commercial products or authors themselves but to the whole ecosystem.

aciddose · Post by **aciddose** » Wed Jul 12, 2017 12:33 am

Chaotikmind wrote:Anyway , i don't get why people are protecting their software knowing it's so easy to defeat 99% of the time, they're loosing time that could be used in a more useful way, eventually it creates problems for the end user, and it doesn't prevent cracked version to be everywhere.

The important thing is to provide an interface to the user that appears secure. It isn't trivial for a user without experience to simply plug in a random number and have the product function.

It is easier for them to plug in a valid signature/key that they purchased than to go hunting for cracks loaded with malware and unintended side-effects due to poor and incomplete reverse engineering.

That is all that matters. It isn't a waste of time at all. What do you propose? The honor system? I think we already have plenty of evidence that system doesn't work. See your own comment (quoted here.)

Chaotikmind · Post by **Chaotikmind** » Wed Jul 12, 2017 7:45 am

aciddose wrote:
That is all that matters. It isn't a waste of time at all. What do you propose? The honor system? I think we already have plenty of evidence that system doesn't work. See your own comment (quoted here.)

i don't have the answer here.

aciddose wrote: I just don't believe the majority of cracks are done by a highly skilled group. These sorts of low-grade cracks applied to VST plug-ins are mostly coming from the lowest levels of amateurs and newbies. Yes, cracking certain types of security features may be interesting to the highly skilled but I do not believe most VST plug-ins are except in the rare cases where the cracker does it out of personal interest in using the software themselves.

I don't know if there are some specifics depending of the type of software that are cracked, you could very well be right for VST.
But i don't think that holds for everything, do you really think the guy that cracked denuvo is not skilled?

Also i don't know if you ever read Fravia site, he was clearly a good reverser, and he also did cracks, he probably considered it as a good way to learn.

Richard_Synapse · Post by **Richard_Synapse** » Wed Jul 12, 2017 8:53 am

Chaotikmind wrote:Huhu, that why all those protection are cracked one day/week after they're updated?

Because in order to break into a house, you don't need to understand the lock - you take a crowbar and go in

My point is that it is easy to write code that is incomprehensible. This can be done in an automated way (which is vulnerable to automated tools reversing this process, as you pointed out earlier) but there is many other ways. For instance code could be based on complex mathematical principles not published anywhere, or one could write a script adding an arbitrary amount of nonsense code on a source code level. Another way is a data-driven protection like Urs suggested earlier. Any of this, or a combination thereof, is sufficient to prevent keygens from ever appearing.

Like aciddose pointed out earlier, if someone were really able to fully understand any code on an assembly level, they could just create products themselves (and way better ones that anyone has ever come up with).

Chaotikmind wrote:So yes they're trailing behind, but by a so short time it's ridiculous most of time

For audio-related stuff it can easily take a couple of years and that is not short in my book. Of course developers can always make a mistake somewhere and post an update that is not properly protected so it gets spread immediately. We're all humans and make mistakes.

Richard

SLiC · Post by **SLiC** » Wed Jul 12, 2017 9:05 am

I am sure there are some people who will used 'old' hacked versions of software and risk viruses, bugs (and potentially prosecution) but anyone who cares about their craft or is remotely professional will know the benefits of buying there tools- regular free updates (low cost major updates), support etc...we invest in our tools/instruments with our money and our time, people who use pirated software tend to do neither.

I wonder what the legalities would be if you could write software that if it was hacked/pirated contained some sort of Trojan that would lock the host computer until they paid for the software!

AnX · Post by **AnX** » Wed Jul 12, 2017 9:12 am

That would be illegal

More copy protection...