18 comments

[ 0.22 ms ] story [ 46.9 ms ] thread
author here. the irony is enigma protector's documentation literally explains how to add runtime checks to your payload. they just... didn't read it
(comment deleted)
Or maybe they knew about the runtime checks, but made a decision not to add them? As others have pointed out, this plugin can be used during live performances. The last thing a plugin author wants is a reputation for their software being flaky at really bad times. A runtime copy protection check might fail for spurious reasons, who knows.
(comment deleted)
For VST performance and timing is important so you can't protect the actual plugin
Is it not more "VST author just does the bare minimum to keep honest people honest, because more invasive DRM risks ruining a live performance"? I'm not understanding why TFA author has such an attitude about this. Is the VST author a horrible person or running a toxic business model or something?
And furthermore, if a product designed to protect my income was only $200, I wouldn’t expect “serious security”, I’d expect exactly The kind of janky crap that was received.
> I'm not understanding why TFA author has such an attitude about this

To me it reads like an ego trip rather than any kind of righteous vendetta against the author. Implicit in "look at the dumb thing this other person did" is "I'm smarter than them because I noticed the dumb thing".

> no winhttp.dll, wininet.dll, or ws2_32.dll. offline validation only. all crypto is local, so theoretically extractable.

You can't possibly know that by the mere lack of these DLLs from the import directory.

This is definitely just me, but the diagram with "motivation to buy" was amusing to me. I (try to) refuse to be manipulated by these tactics - if I think the software is worth buying, I will purchase and use it, otherwise I will look elsewhere! Nothing sets my "motivation to buy" to zero quicker than aggressive, "uncrackable" DRM. In fact, it usually skyrockets my "motivation to reverse", whether or not I actually need the thing (though usually this is overruled by having better things to do with my time).
For $200 how many casual pirates does it have to dissuade to pay for itself. Not many. At that price it doesn’t need to be very good.
Is this LLM slop? One cannot truncate RSA signatures and still check them. The sample hook code is nonsense, it lacks an address to hook (and would break Enigma‘s self-checks). The sentence structure and all lower-case looks like a bad prompt attempt to hide LLM usage.
Personally, I would change the article to anonymize the actual plugin that was cracked. The plugin author seems to be a solo dev/musician, actually more a musician than a developer, which might explain the poorly implemented copy protection*. But they're good at crafting sounds, and that's what they're selling. Or trying to sell. Or taking donations for, by the way: https://ko-fi.com/bassbullyvst

* I highly doubt it was deliberate as some others are suggesting.

Nice going Jean, after you've scammed people out of thousands of dollars, associated with known furry pedophiles, your membership in a skid gang, leeching off your parents money in France to remove your dox and steal even more money from them so you can make a new startup every month while larping about living lavishly. We know what you did.
> I cracked a $200 software protection

No, not really. You "cracked" some random guy's $20 VST plugin. You never actually cracked Enigma Protector. The article started talking about cracking it then pivoted at the end to "I wrote a Python script to copy files from the installer" and said "the protection itself works fine"

(comment deleted)
Hi, I am the developer of Bass Bully Premium and I wanted to clarify a few things from my perspective.

I chose to protect only the installer with a simple lock-door method because my priority has always been stability and performance, especially at runtime. In the VST and plugin world, heavy or aggressive DRM can cause glitches or failures during a live performance. That risk felt far more harmful to my paying customers than the risk of casual piracy.

I understand that reverse engineering is part of how some people learn, and I am not here to criticize that. But when a post becomes a look-at-how-I-cracked-this thread, especially one that singles out a small independent developer, it starts to feel like a hit piece rather than a technical discussion.

The protection was minimal. It could be cracked. Maybe I should have done more. But this was not about being stingy with security. It was about delivering a stable and reliable plugin to real users without introducing bugs, system conflicts, or performance issues that can come from heavier protection systems.

I appreciate honest technical discussion and feedback. I also hope people understand that not every developer has a large team or a big budget. Many of us have to balance protection with usability, and for me, making music was more important than building an unbreakable DRM wall.

For some context, the original Bass Bully plugin started as a free release. It unexpectedly went viral, and users reached out asking for a more premium version with more sounds and features. I created Bass Bully Premium because the demand was there. It ended up being used in the production of Playboi Carti’s music, which later led to a collaboration VST with his producer wakeupf1lthy. The plugin also made its way onto Lil Wayne’s Carter album through producer Keyboard Kid.

If you like the plugin and it helps your workflow, supporting it by buying a legitimate license goes much further than any crack-test ever will.

Thanks for taking the time to read this.

Josh, Director Bass Bully VST https://www.bassbullyvst.com/