Recent “leak” of IDA pro 7.2 — a brief timeline

asynchronous collaboration FTW

Jerry Ho
Jun 28, 2019

The whole “leaking” in chronological order is kind of cool.

It’s a worldwide effort, and everyone in the process is crucial. One missing link, and a fully functional “leak” cannot be achieved. That impressed me a lot.

I have to say — piracy is not cool, and we already have Ghidra.
But sometimes people like me (dirt poor + a student without work) still need IDA pro, as most of the tutorials / convenient steps are conducted via IDA pro.

Thank you for developing such a powerful tool; and sorry, Hex-Rays.
(To be honest, by using a pirated copy, I got my IP banned from their website. Sweet sweet karma for me.)

You may wonder: the earliest IDA pro 7.2 installation package can be found in 2019.01, but why does it take 5 months+ to have a working copy?

Well, multiple hurdles had to be conquered before anything feasible went out.

Otherwise, you’ll end up having a non-decryptable installation package, a partial installation without the x86 decompiler, or even an invalid license file with an outdated license structure.

Three hurdles are waiting to be solved before we have a working copy:
1. installation package password (SHA1 hashed as encryption key),
2. license generation algorithm, and
3. incompatible distros (leak) with different configurations (steganography-equipped).

And this took people 7 months. At least on visible internet surfaces.

Disclaimer: I learned all of these on public, non-membership websites and forums. You can correct the details if you want to, though…

In order:

  1. 2018.08, somebody called CZC wrote a program called IDA-Pro-KeyGen for IDA pro 7.1. Here are his words.
    Unfortunately, no installation decryption key was reversed and leaked at the time.
    Also, the RSA license checking algorithms changed in IDA pro 7.2 later this year. Efforts by CZC did pave a way for people in the future, though.
  2. 2018.11, IDA pro 7.2 released.
  3. 2019.01, IDA pro 7.2 leaked.
    SHA1 for the executable: 17f4e6a959f92fcb9a58da53e5215a3f9df573cd
    However, no valid license was available — the ESET one, said to be accidentally uploaded to VirusTotal, was not suitable for this leaked distro.
  4. Somebody who’s responsible for the leak hid the license file paired for this distro. It belongs to “Octavian Dima”, and was not found on the internet until ~2019.06.24. Even if the license file’s there, the installation package was yet to be decrypted.
  5. 2019.01~2019.06.21, Taiwanese people from devcore tried their best to solve the install package decryption, and they succeeded, in a very creative way. Although the algorithm changed in IDA pro 7.3 (2019.06.14), this is still a very educational reverse write-up.
  6. 2019.06.23~24, people on Reddit followed this path, and sorted out all the keyphrases used in IDA installation packages. The seeds and PRNG used can be seen here: https://removeddit.com/r/ReverseEngineering/comments/c3myjd/operation_crack_hacking_ida_pro_installer_prng/
    The crucial hint was provided by hishe, and we found out that devcore’s post intentionally omitted a few details. Very ethical of them!
  7. 2019.06.24, the license belonging to Octavian Dima was released online. People can now install his distro on Windows with only the x64 decompiler available. A functionality-limited license is not useful to many people, though.
  8. 2019.06.23~24, people from PEDIY(看雪) worked their asses off and reversed a new version of the RSA(?) license generation algorithms and license checking procedures.
    Now with a sufficiently useful license generated, and a patched license checking mechanism (ida.dll, ida64.dll), IDA pro 7.2 is fully compromised.
    You’d still have to provide the decompiler plugins hexrays.dll (x86), hexarm.dll and hexarm64.dll and put them into IDA pro’s plugin folder (not included in Octavian Dima’s license, hence no dll files installed).

I did not provide any files, but I hope that this information could help people in need like 8-hours-ago-me.

To be honest, I am a bad person for taking advantage of Hex-Rays’ masterpiece. But, at the same time, I’m truly impressed by the worldwide collaborative efforts on “cracking a puzzle”.

The articles produced in the process are truly educational to me.
As an MS cryptography student who’s only going to graduate this year, I have little to no idea how the cryptographic primitives can be assembled for real-world usage.

Personally, I learned a lot in this event, from everyone in the community.

Thank you, Hex-Rays, devcore, PEDIY, and many anonymous people who participated in this event!

Hope that I can earn enough to purchase a legal copy of IDA pro in the near future.

Jerry Ho

A cryptographer, rigorous defender of civil liberties on blockchain. Trilingual in Mandarin, Japanese and English, I firmly believe in self-sovereign identity.