gluon / AbletonLive9_RemoteScripts

Unofficial repository for Ableton Live 9 MIDI Remote Scripts by Julien Bayle
http://julienbayle.net/ableton-live-9-midi-remote-scripts/

Cracking Live.Application.encrypt_challenge2 #36

Open Reiszecke opened 8 years ago

Reiszecke commented 8 years ago

Hey guys, has anyone touched the encrypt_challenge2 yet? The Launchpad Pro script requires it. What's basically happening is the following

[Launchpad_Pro.py]
def _is_response_valid(self, midi_bytes):
    # low byte of the reply, then the next byte shifted left by 8
    response = long(midi_bytes[7])
    response += long(midi_bytes[8] << 8)
    return response == Live.Application.encrypt_challenge2(self._challenge)

So it's taking the note that you send and then adds the next note but shifts it so you end up with a pretty big number. This then runs through the challenge so the response can be compared in order to find out whether or not the connected controller is legit.

My first try would be to run this script for every number there is in order to obtain a lookup table. But it would end up pretty big and might not be the finest solution of them all. Maybe it makes some calculations obvious (e.g. the first byte just gets multiplied by 3 or stuff like that) but I'm pretty sure they won't make it that simple.

Another way would be to try getting the challenge decompiled but Ableton isn't just a simple Java app with 2 classes - it's pretty much the most advanced DAW I've ever gotten my hands on so I bet there is tons of native code and such in there, probably obfuscated and optimized like nothing else. Idk how long it took to decompile these Python scripts here but I don't think it won't take longer for parts of the Ableton.app.

I do have one or two working handshakes for the old launchpad script and its "encryption" is pretty similar to the one for the Pro BUT the handshakes that I use might have been taken from the very first Launchpad when they maybe hadn't implemented the challenge yet. (I really don't know)

[Launchpad.py]
def handle_sysex(self, midi_bytes):
    # only an 8-byte message carrying the Novation/Launchpad header is considered
    if len(midi_bytes) == 8:
        if midi_bytes[1:5] == (0, 32, 41, 6):
            # low byte of the reply, then the next byte shifted left by 8
            response = long(midi_bytes[5])
            response += long(midi_bytes[6]) << 8
            if response == Live.Application.encrypt_challenge2(self._challenge):
                self._on_handshake_successful()

The only difference is that for the Pro it's bytes[7:8] and for the older one it's bytes[5:6]

Any ideas?
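To make the byte-layout difference between the two scripts concrete, here is an added example (not code from this repository or from Ableton's scripts) that parses a controller's handshake reply the way the two snippets above do and checks it against an expected value supplied by the caller. Live.Application.encrypt_challenge2 is opaque, so the example does not reproduce it; the sample replies below are constructed, and the Launchpad Pro header bytes in them are placeholders because the page does not show the Pro's real header.

```python
# Added example, not part of the AbletonLive9_RemoteScripts repository.
# Mirrors how Launchpad.py and Launchpad_Pro.py pull the handshake response
# out of a sysex message; the expected value comes from the caller because
# Live.Application.encrypt_challenge2 is not reproduced here.

LAUNCHPAD_OFFSET = 5       # Launchpad.py reads bytes[5] and bytes[6]
LAUNCHPAD_PRO_OFFSET = 7   # Launchpad_Pro.py reads bytes[7] and bytes[8]
NOVATION_HEADER = (0, 32, 41, 6)  # header Launchpad.py insists on at bytes[1:5]


def response_from_sysex(midi_bytes, offset):
    """Assemble the reply exactly as the scripts do: low byte at `offset`,
    the following byte shifted left by 8. Both are 7-bit MIDI data bytes,
    so the result is at most 127 + (127 << 8) = 32639."""
    if len(midi_bytes) < offset + 2:
        raise ValueError("sysex message too short for offset %d" % offset)
    lo, hi = midi_bytes[offset], midi_bytes[offset + 1]
    if lo > 127 or hi > 127:
        raise ValueError("MIDI data bytes must be 7-bit")
    return lo | (hi << 8)


def is_launchpad_response_valid(midi_bytes, expected):
    """Launchpad.py: 8-byte message with the Novation header, reply at 5/6."""
    if len(midi_bytes) != 8 or tuple(midi_bytes[1:5]) != NOVATION_HEADER:
        return False
    return response_from_sysex(midi_bytes, LAUNCHPAD_OFFSET) == expected


def is_launchpad_pro_response_valid(midi_bytes, expected):
    """Launchpad_Pro.py: reply at 7/8, no header check in the snippet shown."""
    return response_from_sysex(midi_bytes, LAUNCHPAD_PRO_OFFSET) == expected


# Constructed sample replies carrying low byte 0x12 and high byte 0x03,
# i.e. 0x12 + (0x03 << 8) = 786.
LAUNCHPAD_REPLY = [0xF0, 0, 32, 41, 6, 0x12, 0x03, 0xF7]
# Bytes 1..6 of the Pro reply are placeholders; the real Pro header is not on the page.
LAUNCHPAD_PRO_REPLY = [0xF0, 0, 0, 0, 0, 0, 0, 0x12, 0x03, 0xF7]


if __name__ == "__main__":
    print(response_from_sysex(LAUNCHPAD_REPLY, LAUNCHPAD_OFFSET))
    print(is_launchpad_response_valid(LAUNCHPAD_REPLY, 786))
    print(is_launchpad_pro_response_valid(LAUNCHPAD_PRO_REPLY, 786))
```

Feeding the 8-byte Launchpad reply through the Pro offsets raises ValueError, since bytes[8] does not exist; that is the whole difference the original poster points out between the two scripts.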

mat1jaczyyy commented 4 years ago

Disassembled and decompiled from the Launchpad Pro's bootloader. Compared against the MK2's bootloader, functions match. About to hack some firmware onto my Pro to confirm.

Reiszecke commented 4 years ago

What the fuck

I did NOT expect a reply, let alone more than 3 years later. Incredible job

mat1jaczyyy commented 4 years ago

@Reiszecke come talk to us on discord if you'd like, i think we could have an interesting chat https://discord.gg/upSFBwy

rpgaleksy commented 4 years ago

[image]

Reiszecke commented 4 years ago

> @Reiszecke come talk to us on discord if you'd like, i think we could have an interesting chat https://discord.gg/E9bvjW

Unfortunately I'm not into all that anymore, I don't even own a push as I am busy covering another field at the moment but I got a few things in mind to get back into it hopefully, let's see what 2020 is gonna look like :)

I might join at some point to see how you guys are doing

mat1jaczyyy commented 4 years ago

All good mate, I'm also on and off working on other stuff, we're sitting in voice right now so uh yeah