Exetools - The installation package for IDA Pro 9.0 beta leaked

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - The installation package for IDA Pro 9.0 beta leaked (https://forum.exetools.com/showthread.php?t=21066)

The installation package for IDA Pro 9.0 beta leaked

it install ??
source:

Code:

https://x.com/gmhzxy/status/1821962897888780446

download:

Code:

https://we.tl/t-uzO2qS3lwo

yes, it is installer withour password.

'ida64.exe' File Version Information :

Quote:

CompanyName : Hex-Rays SA
FileDescription : The Interactive Disassembler
FileVersion : 9.0.24.0807
InternalName : idat64
LegalCopyright : Hex-Rays SA
OriginalFilename : idat64.exe
ProductName : The Interactive Disassembler
ProductVersion : 9.0.24.0807

with the cloud licensing?

Seems no need password to install. It's cloud licensing maybe.
Asking for "ida*.hexlic" local license or floating license server.
Also is BETA VERSION that expires on 2024-09-01.

The full beta program

Code:

https://out5.hex-rays.com/beta90_6ba923/

Crack for leaked IDA 9.0 Beta (windows only, since I only care about windows)

Code:

https://gofile.io/d/gBif62

Patch address is RVA or File Offset, TOM_RUS ?

Tks you very much !

Quote:

Originally Posted by TQN (Post 131454)

Patch address is RVA or File Offset, TOM_RUS ?

Tks you very much !

File offset.

Fully working Keygen ^_^

https://pastebin.com/ScRRt9R8

Quote:

Originally Posted by TQN (Post 131458)

Python keygen not work :(

Run the script in the same dir as the IDA installation where the dynamic lib is.
And make sure you renamed the ".patched" files to the original names ^_^

Don't miss the part below the main links that says "The extra signatures are initially available as separate download" and are found here:

Quote:

https://dl.hex-rays.io/goodies/signatures-bundles-9.0-beta.zip

Pretty strange "leak" as they have been pretty careful with security for some years now, but they do tend to blunder a pretty amateurish mistake every few years, like the PRNG seed vulnerability a while back. That site is getting hammered it seems, very slow all the sudden. I imagine it will be gone within hours.

Could not unzip signatures-bundles-9.0-beta.zip. It is password protected !!!???

Did anyone manage to fix

Quote:

Oops! internal error 30016 occurred.

for maOS?

Does he pay for bug? :) :) :)

https://prnt.sc/kS0kdSkJT-gn

what about expiration of beta on 1-9-2024?

Does anyone know what kind of passwords are used on zip files on their site usually? Might we recover by dictionary or other methods using a tool like hashcat? Would be nice to have a hint. If it is 14 characters and random then impossible.

But it should leak. There is no watermark issue in this case... though if the password was shared with too limited amount of people would be risky.

More versions found:

Code:

https://out5.hex-rays.com/beta90_6ba923/idademo_90_x64win.exe

https://out5.hex-rays.com/beta90_6ba923/idademo_90_x64linux.run

https://out5.hex-rays.com/beta90_6ba923/idademo_90_armmac.app.zip

https://out5.hex-rays.com/beta90_6ba923/idademo_90_x64mac.app.zip



https://out5.hex-rays.com/beta90_6ba923/idaedu_90_x64win.exe

https://out5.hex-rays.com/beta90_6ba923/idaedu_90_x64linux.run

https://out5.hex-rays.com/beta90_6ba923/idaedu_90_armmac.app.zip

https://out5.hex-rays.com/beta90_6ba923/idaedu_90_x64mac.app.zip



https://out5.hex-rays.com/beta90_6ba923/idafree_90_x64win.exe

https://out5.hex-rays.com/beta90_6ba923/idafree_90_x64linux.run

https://out5.hex-rays.com/beta90_6ba923/idafree_90_armmac.app.zip

https://out5.hex-rays.com/beta90_6ba923/idafree_90_x64mac.app.zip



https://out5.hex-rays.com/beta90_6ba923/idaarm_90_x64win.exe

https://out5.hex-rays.com/beta90_6ba923/idaarm_90_x64linux.run

https://out5.hex-rays.com/beta90_6ba923/idaarm_90_armmac.app.zip

https://out5.hex-rays.com/beta90_6ba923/idaarm_90_x64mac.app.zip



https://out5.hex-rays.com/beta90_6ba923/idam68k_90_x64win.exe

https://out5.hex-rays.com/beta90_6ba923/idam68k_90_x64linux.run

https://out5.hex-rays.com/beta90_6ba923/idam68k_90_armmac.app.zip

https://out5.hex-rays.com/beta90_6ba923/idam68k_90_x64mac.app.zip



https://out5.hex-rays.com/beta90_6ba923/idamips_90_x64win.exe

https://out5.hex-rays.com/beta90_6ba923/idamips_90_x64linux.run

https://out5.hex-rays.com/beta90_6ba923/idamips_90_armmac.app.zip

https://out5.hex-rays.com/beta90_6ba923/idamips_90_x64mac.app.zip



https://out5.hex-rays.com/beta90_6ba923/idapc_90_x64win.exe

https://out5.hex-rays.com/beta90_6ba923/idapc_90_x64linux.run

https://out5.hex-rays.com/beta90_6ba923/idapc_90_armmac.app.zip

https://out5.hex-rays.com/beta90_6ba923/idapc_90_x64mac.app.zip



https://out5.hex-rays.com/beta90_6ba923/idappc_90_x64win.exe

https://out5.hex-rays.com/beta90_6ba923/idappc_90_x64linux.run

https://out5.hex-rays.com/beta90_6ba923/idappc_90_armmac.app.zip

https://out5.hex-rays.com/beta90_6ba923/idappc_90_x64mac.app.zip



https://out5.hex-rays.com/beta90_6ba923/idapro_90_x64win.exe

https://out5.hex-rays.com/beta90_6ba923/idapro_90_x64linux.run

https://out5.hex-rays.com/beta90_6ba923/idapro_90_armmac.app.zip

https://out5.hex-rays.com/beta90_6ba923/idapro_90_x64mac.app.zip

hexvault+hv+hvui cracked

Code:

https://gofile.io/d/E1oCvH

hexvault server requires Linux to run, you can run it in WSL on Windows, in Linux VM or on dedicated Linux server.

source:
[

Code:

https://x.com/gmhzxy/status/1822871063795315135

translation:

This is a common .DS_Store path leak flaw @HexRaysSA

1. Subdomain enumeration to get the second-level domain name http://out5.hex-rays.com
2. Download http://out5.hex-rays.com/.DS_Store file
3. Decrypt .DS_Store and get the relative path beta90_6ba923

You can still download the infamous .DS_Strore file
But you cannot download files :/

After dowloading the .DS_Store file from this url:

Code:

http://out5.hex-rays.com/.DS_Store

You can extract the path by using the python script below:

Code:

'''SCT'''

import ds_store



def extract_paths(ds_store_path):

    paths = []

    with ds_store.DSStore.open(ds_store_path, 'r') as ds:

        for record in ds:

            paths.append(record.filename)

    return paths



# Usage

ds_store_path = './Untitled.DS_Store'

extracted_paths = extract_paths(ds_store_path)

for path in extracted_paths:

    print(path)

You need 2 python packages to install in you environment

Code:

mac-alias

ds-store

https://out5.hex-rays.com/.DS_Store
Forbidden
You don't have permission to access this resource.

https://out5.hex-rays.com/beta90_6ba923

Not Found
The requested URL was not found on this server.

but works https://out7.hex-rays.com/files/idafree84_windows.exe

some subdomains:

Code:

partners.hex-rays.com

docs.hex-rays.com

api.hex-rays.com

my.hex-rays.com

hub.hex-rays.com

assets.hex-rays.com

dist5.hex-rays.com

dist7.hex-rays.com

public-lumina.hex-rays.com

plugins.hex-rays.com

mx200.hex-rays.com

mail.hex-rays.com

lumina.hex-rays.com

mx100.hex-rays.com

forum.hex-rays.com

out5.hex-rays.com

out7.hex-rays.com

None of the links work anymore by the look of it.

Quote:

Originally Posted by jonwil (Post 131512)

None of the links work anymore by the look of it.

forum.hex-rays.com works for me

damn thats crazy, thanks to all involved!

Quote:

Originally Posted by JMP-JECXZ (Post 131509)

some subdomains:

Code:

partners.hex-rays.com

docs.hex-rays.com

api.hex-rays.com

my.hex-rays.com

hub.hex-rays.com

assets.hex-rays.com

dist5.hex-rays.com

dist7.hex-rays.com

public-lumina.hex-rays.com

plugins.hex-rays.com

mx200.hex-rays.com

mail.hex-rays.com

lumina.hex-rays.com

mx100.hex-rays.com

forum.hex-rays.com

out5.hex-rays.com

out7.hex-rays.com

Don't know what you were using to subdirectory brute but here are more:

Code:

hex-rays.com (FQDN) --> ns_record --> davina.ns.cloudflare.com (FQDN)

hex-rays.com (FQDN) --> ns_record --> garrett.ns.cloudflare.com (FQDN)

hex-rays.com (FQDN) --> node --> api.hex-rays.com (FQDN)

hex-rays.com (FQDN) --> node --> dist5.hex-rays.com (FQDN)

hex-rays.com (FQDN) --> node --> out5.hex-rays.com (FQDN)

hex-rays.com (FQDN) --> node --> mx100.hex-rays.com (FQDN)

hex-rays.com (FQDN) --> node --> mx200.hex-rays.com (FQDN)

api.hex-rays.com (FQDN) --> cname_record --> phgftqutpkutozwgtvoj.supabase.co (FQDN)

dist5.hex-rays.com (FQDN) --> cname_record --> out5.hex-rays.com (FQDN)

mx100.hex-rays.com (FQDN) --> a_record --> 91.183.32.78 (IPAddress)

mx200.hex-rays.com (FQDN) --> a_record --> 95.211.160.134 (IPAddress)

hex-rays.com (FQDN) --> mx_record --> smtp.google.com (FQDN)

hex-rays.com (FQDN) --> node --> forum.hex-rays.com (FQDN)

hex-rays.com (FQDN) --> node --> docs.hex-rays.com (FQDN)

forum.hex-rays.com (FQDN) --> a_record --> 95.211.160.134 (IPAddress)

docs.hex-rays.com (FQDN) --> a_record --> 13.227.37.107 (IPAddress)

docs.hex-rays.com (FQDN) --> a_record --> 13.227.37.69 (IPAddress)

docs.hex-rays.com (FQDN) --> a_record --> 13.227.37.102 (IPAddress)

docs.hex-rays.com (FQDN) --> a_record --> 13.227.37.94 (IPAddress)

hex-rays.com (FQDN) --> node --> out7.hex-rays.com (FQDN)

hex-rays.com (FQDN) --> node --> dist7.hex-rays.com (FQDN)

hex-rays.com (FQDN) --> node --> get.support.hex-rays.com (FQDN)

dist7.hex-rays.com (FQDN) --> cname_record --> out7.hex-rays.com (FQDN)

get.support.hex-rays.com (FQDN) --> cname_record --> get-support-hex-rays-com-49d4571b-07ee-402f-a4f5-76ce5b74ceb5.saas.atlassian.com (FQDN)

lumina.hex-rays.com (FQDN) --> a_record --> 95.211.194.33 (IPAddress)

hex-rays.com (FQDN) --> node --> mail.hex-rays.com (FQDN)

hex-rays.com (FQDN) --> a_record --> 85.17.15.247 (IPAddress)

hex-rays.com (FQDN) --> node --> assets.hex-rays.com (FQDN)

mail.hex-rays.com (FQDN) --> cname_record --> hex-rays.com (FQDN)

phgftqutpkutozwgtvoj.supabase.co (FQDN) --> a_record --> 104.18.38.10 (IPAddress)

phgftqutpkutozwgtvoj.supabase.co (FQDN) --> a_record --> 172.64.149.246 (IPAddress)

assets.hex-rays.com (FQDN) --> a_record --> 85.17.15.247 (IPAddress)

out5.hex-rays.com (FQDN) --> a_record --> 212.32.227.138 (IPAddress)

support.hex-rays.com (FQDN) --> a_record --> 172.67.202.197 (IPAddress)

support.hex-rays.com (FQDN) --> a_record --> 104.21.77.5 (IPAddress)

support.hex-rays.com (FQDN) --> aaaa_record --> 2606:4700:3031::ac43:cac5 (IPAddress)

support.hex-rays.com (FQDN) --> aaaa_record --> 2606:4700:3033::6815:4d05 (IPAddress)

get-support-hex-rays-com-49d4571b-07ee-402f-a4f5-76ce5b74ceb5.saas.atlassian.com (FQDN) --> a_record --> 108.157.142.117 (IPAddress)

get-support-hex-rays-com-49d4571b-07ee-402f-a4f5-76ce5b74ceb5.saas.atlassian.com (FQDN) --> a_record --> 108.157.142.18 (IPAddress)

get-support-hex-rays-com-49d4571b-07ee-402f-a4f5-76ce5b74ceb5.saas.atlassian.com (FQDN) --> a_record --> 108.157.142.50 (IPAddress)

get-support-hex-rays-com-49d4571b-07ee-402f-a4f5-76ce5b74ceb5.saas.atlassian.com (FQDN) --> a_record --> 108.157.142.107 (IPAddress)

hex-rays.com (FQDN) --> node --> my.hex-rays.com (FQDN)

my.hex-rays.com (FQDN) --> cname_record --> portal-web-six.vercel.app (FQDN)

hex-rays.com (FQDN) --> node --> partners.hex-rays.com (FQDN)

hex-rays.com (FQDN) --> node --> public-lumina.hex-rays.com (FQDN)

partners.hex-rays.com (FQDN) --> cname_record --> ghs.googlehosted.com (FQDN)

public-lumina.hex-rays.com (FQDN) --> a_record --> 37.48.109.121 (IPAddress)

plugins.hex-rays.com (FQDN) --> a_record --> 37.48.115.12 (IPAddress)

Coming back from summer break, I notice numerous discussions about IDA 9.0 leaks. Could someone be so kind as to provide a recap or a step-by-step tutorial on limitations and how to obtain, install and patch it?

thanks
Shub

Quote:

Originally Posted by Shub-Nigurrath (Post 131624)

hi,check this thread:
https://forum.exetools.com/showthread.php?t=21067&page=4

your trying to access was logged

Quote:

Originally Posted by niculaita (Post 131627)

your trying to access was logged

what the f**k?
i just replied to Shub-Nigurrath!

Quote:

Originally Posted by jonwil (Post 131512)

None of the links work anymore by the look of it.

http://web.archive.org/web/20240810003031/https://out5.hex-rays.com/beta90_6ba923/

Quote:

Originally Posted by hx47 (Post 131645)

http://web.archive.org/web/20240810003031/https://out5.hex-rays.com/beta90_6ba923/

Incredible! Web Archive made a backup including the files?!?
How did it do that? How did it find the path /beta90_6ba923?

Quote:

Originally Posted by val2032 (Post 131647)

How did it find the path /beta90_6ba923?

They don't. Users can create an account on wayback machine and say them to archive specific files or web pages:
Go to this site and check the edit box on the bottom right corner:

Code:

https://web.archive.org/

Or directly go to this page:

Code:

https://web.archive.org/save

Get it while it lasts. Especially now that it is publicly shared here which is monitored by Hex-Rays, and I imagine they even check the non public parts via a registered account, so they will almost surely get hit with DMCA takedown notice within days.

How many people chooses Ghidra/Binja over IDA Pro with full decompiler? Even though this is a leak, I though hex-rays people are purposely slow (and they are ok with the leak. They will still get new customers). They are dominating the field! What do you think?

don't want to be over-paranoid but this story sounds like a well organised CTF. A stupid error left the beta for free to anyone without an installation pwd, an old pwd protected zip file which they surely know can be fixed using bkcrack, the DS-Store trick and lastly the web archive trick .. everything smells a bit strange if you consider who they are..

Quote:

Originally Posted by blue_devil (Post 131650)

Using both Ghidra and Binja as well as Cutter and gdb, this race to get latest iDA is non sense to me

what's new in Ida 9.0

Code:

https://www.youtube.com/watch?v=c9ehQfLY-d4

https://docs.hex-rays.com/release-notes/9_0

this one is interesting "A custom Hex-Rays licencing server replaces the FlexNet licensing server for floating licenses"

Btw. this guy have youtube channel with nice IDA tutorials.