
I wouldn't venture to say this doesn't belong on HN since it really is interesting (if it was actually done correctly), but the files available for download are most likely illegal, were most likely created with pirated tools (IDA Pro/Hex-Rays, and yes, as a customer of theirs for over a dozen years I've reported it), and of course, the usual vilification of reverse engineering.

If you're reading this on a desktop or laptop system (rather than a phone), then you are most likely using an "IBM PC Compatible" even if you're using an Intel based Apple, and hence, you're using the fruits of completely legal reverse engineering.

The way to do reverse engineering legally is to have one team reverse engineer the target and completely document how it works. Once it's documented, another disconnected team writes a new implementation from the documentation. This process is how you're using an IBM PC Compatible today, so yes, reverse engineering for compatibility is perfectly legal.

If there is a patented algorithm required, it's not a sure thing. There are most likely compatible ways around the patent, but there's also the fact that the patent is only valid in the US. With open source hosted in some other country, who are you going to sue? The users in the US? --Nope, users are the ones paying for skype.

You might say, "But we forbid reverse engineering in our license!!!"

Contract clauses forbidding reverse engineering are invalid in many countries and jurisdictions, and of course, you also have to prove the other party agreed to the contract/license. With this said, it's very easy to create an international jurisdictional nightmare to render any such contract clause tactically impossible to enforce.

The easiest way to think about this is security research. The folks finding and reporting exploitable flaws in software are obviously reverse engineering it. Occasionally companies have tried to legally go after people who have published security research on their products, but usually this ends very badly for the company. Additionally, doing security research is protected use in some countries and jurisdictions.

In short, competition is good for markets, and competing by studying and mimicking the competition is both normal and legal.

For the "rights" advocates out there, there are legal problems with the three file downloads available:

1.) According to the first file name, the original binaries are being redistributed which may be (and usually is) against the license terms and default rights granted by copyrights.

2.) The IDA Pro database (most likely) contains the entire target binary, so you do have (illegal) redistribution of a copyrighted work. You can load only parts of a target binary into IDA, but that doesn't matter since it is still a portion of the original work. As for whether or not said portion could fall under fair use is debatable (i.e. lawsuit). In general usage, the entire binary is loaded, since without it, you're limited to static analysis (i.e. no debugging).

3.) Decompilation, and to a lesser degree disassembly, are equivalent to "machine translation" in the sense of copyright. Creating a translation is considered creating a "derivative work" and unless you have been given rights to create derivative works, then you're in trouble. One of the comments here on HN claims the "source code" file is the output of the Hex-Rays Decompiler.

I've never used skype and I've never read their license so I don't know if they specifically allow redistribution.

I have no love for skype or microsoft, but if this had been done CORRECTLY by releasing written documentation so an entirely new implementation could be written, then I'd have no problem with it. There are right ways and wrong ways to legally create compatible (open source) software through reverse engineering, and this is a perfect example of the wrong way.

HN is an internationally read site. Things that are illegal in some countries are not illegal in others. As responsible citizens, it is up to the individual to not engage in illegal activities in the region said individual is in.

I think you misread my statement. I should have been more clear, but if you read it again, you'll see I agree with you. It is interesting and belongs here.

I don't have to not admit it, but your failure to not use double negatives caused me to not be unconfused.

Just a bit.

I agree that your comment should have been more clear.

"The way to do reverse engineering legally is to have one team reverse engineer the target and completely document how it works. Once it's documented, another disconnected team writes a new implementation from the documentation."

Yes, it is a common silly practice that stems from the real madness that copyright laws are. Considering that the documentation passed between the two teams contains all the information needed to make the software work correctly, I wonder what makes it different from source code. I could easily write a code generator that would be fed a "documentation" file and generate the C code that creates the final program. Hell, a C program is a specification on how to generate a given binary code. I wonder how often this really happens behind the doors at these "clean room implementation" teams.

Why do you assume the tools are pirated?

I think you actually want two answers, the question you asked and "why report it?"

The IDA Pro disassembler and the Hex-Rays decompiler are not only very expensive tools, but they are very difficult to purchase. Due to constant problems with piracy, these days they will only sell their products to three areas: (1) governments/law enforcement, (2) very well established corporations (typically well known security research people), (3) very well established university researchers.

Typically, they refuse to sell to individuals, but there is a fourth class of customers who are individuals; very old customers like me who have a perfect track record of maintaining possession of their copy of the software.

Every copy of the software is custom compiled and watermarked so it is traceable to a particular person. Every database created by the software is also watermarked, so when someone who is not a licensed customer publishes a database (.idb), the software can be traced and the account will be terminated (i.e. no further purchases allowed).

When someone does something blatantly stupid like disassembling and decompiling skype then publicly making all of the files available, it is fairly certain that they are using an illegal copy of the software. They do not understand what they're doing. They do not understand the tool they are using. And they don't have any respect for either the tool or the work of others. --All of this loudly screams PIRATE!

The pirates either don't know about or don't care about the watermarks in the databases they create. They don't realize that publishing a database is discouraged. I've never heard of a case where a database watermark was successfully forged (i.e. pin the blame on someone else), but a cracker named "Quine" once successfully removed the watermarking in IDA back in the late 90's.

The "correct" method to publicly share the research work done in IDA is to dump the database to an IDC script (an internal language), then provide the IDC script and the target binary. Customers know this, or at least they should. With that said, friends do toss databases back and forth on occasion, but that's a matter of trust between friends where both of them are customers. Some people in the InfoSec and AntiVirus crowds exchange databases, even across competing corporate lines since they're all working together towards the same goal and they've known each other for years.

What? This isn't true at all. Anyone can buy IDA.

This copy of IDA was probably pirated for the same reason Photoshop is usually pirated: because it's expensive. But you don't know it was pirated.

Also: by editing your comments to account for the responses, you make the thread incoherent. I'd appreciate it if you wouldn't do that, or, at least, if you must do it, to do so in corrections at the end of your comment. It's fine to be wrong. I'm wrong all the time.

That is simply incorrect. I do not "know" Ilfak. I just emailed him, discussed the cost of a student license, provided proof of being a student, and filed an order form for IDA Pro Standard 6.0. The only thing that at all fits with your story is that a bank transfer was required, instead of paying by credit card, but I believe that is only for students.

Even so, Hex-Rays does sell to individuals. It's not even necessary to ask Ilfak: if copies are being sold to individuals, then they sell to individuals. And those copies are being sold. Here's a picture of my CD, purchased this year, as an individual: http://dl.dropbox.com/u/3177211/idaomg.png

That is incorrect. I purchased IDA Pro as an individual this year, and I am simply a student interested in reverse engineering. (I believe what you are saying may be true for the "advanced" version, but from what I can tell anyone can purchase IDA Pro Standard.)

It's not true of "Advanced" either (all "Advanced" does is give you x86-64 and a bunch of exotic architectures; "Advanced" is a price segregation scheme, not a community safeguard).

No, it is true for Advanced; they will only sell it to entities they've dealt with before.

I mean you would know, I know, and we've been customers for a while so maybe they just don't bat an eye, but I just assumed everyone bought Advanced now. How do you not have x64?

You really think this is because they want to safeguard the public or something?

Assuming that the deleted parent is about the difficulty of purchasing IDA, as you know, it's only somewhat incorrect. I have wanted to buy IDA for almost a year now, but Hex-Rays is very picky about how they receive their money; I could probably arrange for it somehow but it is a completely inordinate amount of hassle. (And no, bank transfers are not only required with a student discount; I was willing to pay twice as much to avoid the requirement but it wasn't possible.)

I think bank transfer is a requirement only for first-time private users, probably because credit cards are too easy to steal/fake and chargeback.

Improving our tools is part of our birthright and responsibility; being able to modify and learn from software is a natural outgrowth of that. We of all people should not respect work intended to discourage collaboration by anyone who isn't "established" (granted the privilege of relating to software as a human being, not just a consumer).

Thank you for the insight into your field. Now I'm sorely tempted to try my hand at decompilation.

I've purchased IDA Pro for years for legitimate reversing work, but on the rare occasion that I need to do some more dodgy work for clients, where I don't want to reveal any identity (previously name, now license number) via the watermarks in the database, I will use a pirated version of the software.

My point is that it is not possible to know for sure if the user of pirated software is indeed a pirate, as there are reasons of privacy to use these editions of IDA (as well as the most common one of just not paying for it in the first place.)

As to the question of whether Bushmanov has used a pirated edition of IDA for his work, it's interesting to note that the distributed .idb files are in two different formats - as far as I can tell versions 5.2 and 5.5, but the license key is the same for both: A2-86E4-B9BB-D3. It's not one I recognise from any of the common pirated versions but I suppose only Ilfak could tell for sure.

Igor Skochinsky at Hex-Rays has verified it is a pirated version, but at least it is an old leak instead of a new one.

Ah, then I guess Bushmanov must have originally created all three databases in that pirated version 5.2, then only re-edited two of them in pirated version 5.5.

Thanks for your insight. The spelling errors in the blog posts aren't the hallmark of professionalism either, but what about the information in the comment header?

    |*| Skype 4142 Decompression v1.002 by Sean O'Neil.
    |*| Copyright (c) 2004-2009 by VEST Corporation.
    |*| All rights reserved. Strictly Confidential!
    |*| Date: 29.10.2009
Is this just a special brand of stupid?

edit: some info about this corporation and Sean O'Neil: http://en.wikipedia.org/wiki/VEST

The official web page points to a beach resort?!?

edit2: same guy: http://cryptolib.com/ciphers/skype/

Don't pick on the spelling. Have you considered users who don't have English as their first language? I hear there are a few, is all ;)

Yeah, the author of the blog post said the stuff he has came from VEST. So it's basically a POC based on the code released 2 years ago. If you google it there's a blog post by some other random guy who made a python plugin and some POC code from that stuff too.

You are completely right. But why so serious? These are just tools to make people happy.

Is that true, that they won't sell to everybody? I've been playing with the idea of buying an IDA Pro license recently.

Does someone have more information about that?

The older IDA Pro 5.0 is licensed as freeware, free for non-commercial use.

Yes, but the Hex-Rays decompiler is not. I can't touch the files, so I can't tell you what version was used, but in the comments here, there is a claim that the supposed source code is Hex-Rays output.

You are mentioning Compaq BIOS. Think Samba though.

Even OOo/LO .doc support is based on 1-2 FTE revEngs (which btw is dumped mfc/w32 memory on a FAT, but read Sun/IBM anyway).

The team will write a public spec, print it out on paper, and another team Down and Under will scan it and create new code (think RSA patent export). The skype protocol has long been reverse engineered and is available to several parties.

I'm not a US citizen or a lawyer but is the separation of implementation and exploration really required by the copyright laws (ignoring patent issues)?

I can understand that exploration/implementation division as a preemptive "don't sue us" move, but does US copyright really provide such strong protection that someone who has looked at a decompilation can't write an independent implementation? It seems to me that writing an implementation with a different structure or in another language ought to be different enough for copyright reasons.

>If you're reading this on a desktop or laptop system (rather than a phone), then you are most likely using an "IBM PC Compatible" even if you're using an Intel based Apple, and hence, you're using the fruits of completely legal reverse engineering.

Not if you are booting via EFI, for example if you are booting Mac OS X on an Apple.

Also, for 1), these are not the original binaries. These have the obfuscation and anti-debug features removed.

This does not change the legal status much. It is derived work (at best.)

The way to do reverse engineering legally is to have one team reverse engineer the target and completely document how it works. Once it's documented, another disconnected team writes a new implementation from the documentation.

So you'd need Skype's co-operation to do this? They are able to prevent reverse engineering by not writing the documents?

Not at all.

Suppose you and I work for the same company. I bust open Skype through decompilation, reading memory, the network, whatever trick I want. With that, I write documentation for how Skype's protocols work.

You read my documentation, and implement it in a new program. Since we haven't talked, and you've never seen a line of Skype's code, you haven't infringed on any copyrights.

It is important to note, though, that this does not necessarily protect us against a patent suit.

If it is done correctly, co-operation from skype is not required. The team that does the reverse engineering will write the specs and documentation from what they learn by examining and analyzing the executable binaries.

They are writing spec documents...

It would be nice to see linphone be able to talk to skype people...

Who cares? It's done now. Time continues on; use it or don't use it.

While you are correct about this particular instance of RE, I want to just take this opportunity to remind you that hands-on black-box RE is the technique used to create many of the drivers you see in Linux and BSD. Prior to AMD and Intel releasing video card documentation, every video card supported through community drivers was usually best-understood through RE experiments.
