Reverse Engineering Guitar Pro 8's Locked Files
Yi · 2026-01-17 · via Yi's Blog
  • The Problem
  • The Breakthrough
    • 1. The Salt
    • 2. The Password
  • The Solution
    • The Script
  • The Role of LLMs in Reverse Engineering
  • Conclusion

Have you ever worked on a Guitar Pro tab, saved it, and then realized you couldn’t edit it anymore because it was “locked”? Or perhaps you downloaded a tab that was perfect but needed just one small tweak, and the author had locked it?

I recently went down a rabbit hole reverse-engineering this “protection” mechanism in Guitar Pro 8. What I found was a classic case of “security through obscurity” — and not very deep obscurity at that.

The Problem

Guitar Pro has a feature to “lock” a file. When locked, the file can be opened and played, but the editing features are disabled. If you peek inside the .gp file (which is just a ZIP archive), you’ll see a few interesting things:

  1. A file named editLocked.
  2. The main content Content/score.gpif is encrypted (it doesn’t have the standard XML header).

Removing editLocked isn’t enough. The app sees it’s missing, but the content remains encrypted and unreadable.

The Breakthrough

As Guitar Pro can open and play the file without ever prompting for a password, it was clear that the key to decrypt the content must be available to the application without user input. This realization led me to investigate how the application handles these files internally.

I analyzed the GuitarPro binary and its libraries, specifically libGPIO.dylib.

1. The Salt

Deep in the binary, I found a reference to a static salt used in the encryption routine:

da40cc64900b617a0f72ad4e6ef42f9c

2. The Password

Tracing the assembly code for Score::setLockPwd, I found something surprising. The application reads the entire content of the editLocked file (which contains a salt and a hash of the user’s original password) and sets that string as the internal password for decryption.

So, the “password” to decrypt audio and score data isn’t what you typed. It’s the metadata file itself.

The Solution

Putting it all together, the encryption scheme is:

  • Algorithm: AES-256-CBC
  • Key Derivation: PBKDF2-HMAC-SHA1 (4096 iterations)
  • Password: The content of editLocked (e.g., salt$hash)
  • Salt: The static binary salt (da40cc...)

With this information, I wrote a Python script unlock_score.py that fully unlocks these files.

The Script

Here is the core logic of the unlocker:

import binascii
import hashlib
import zlib

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Fixed salt found in libGPIO.dylib (see "The Salt" above)
STATIC_SALT_HEX = "da40cc64900b617a0f72ad4e6ef42f9c"

def decrypt_gpif(encrypted_data, password):
    """Decrypt Content/score.gpif; `password` is the raw content of editLocked."""
    salt = binascii.unhexlify(STATIC_SALT_HEX)
    # PBKDF2-HMAC-SHA1 with 4096 iterations; 32-byte key for AES-256
    key = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

    # The first 16 bytes of the encrypted payload are the CBC IV
    iv = encrypted_data[:16]
    ciphertext = encrypted_data[16:]

    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
    decryptor = cipher.decryptor()
    decrypted = decryptor.update(ciphertext) + decryptor.finalize()

    # Decompress the zlib payload (zlib stops at the end of its stream, so the
    # CBC padding bytes that follow it are ignored)
    return zlib.decompress(decrypted)

You can find the full tool on GitHub Gist.
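To make the design point concrete, here is an added, self-contained example. It is not part of the original post or of unlock_score.py, and it cannot open real Guitar Pro files: the fixed salt, the sample score, the password "demo-password" and the names lock_as_described, lock_hardened, open_hardened and key_recoverable_from_archive are all constructed for this illustration, and an HMAC-SHA256 counter-mode keystream stands in for AES-256-CBC so that it runs on the standard library alone. It builds a toy locked archive the way the post describes the real one (key derived from the editLocked contents and a fixed salt), then builds a hardened variant in which the key depends on a password that is never written into the file, and runs the same audit question against both: can the content key be rebuilt from the archive by itself?

```python
import hashlib
import hmac
import io
import secrets
import zipfile
import zlib

ITERATIONS = 4096   # PBKDF2 iteration count used by the scheme in the post
KEY_LEN = 32        # 256-bit key
# Constructed placeholder for the application's fixed salt; not the real value.
STATIC_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
# Constructed sample score content (real score.gpif files are much larger).
SAMPLE_SCORE = b'<?xml version="1.0" encoding="UTF-8"?><GPIF><Title>demo</Title></GPIF>'


def derive_key(password: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte key, as described in the post."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS, KEY_LEN)


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES-256-CBC: an HMAC-SHA256 counter-mode keystream XORed
    over the data. Symmetric, so one call both encrypts and decrypts. It exists
    only so the example runs on the standard library; it is not AES."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pack(files: dict) -> bytes:
    """Write {name: bytes} into an in-memory ZIP (a .gp file is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def unpack(archive: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def lock_as_described(score: bytes, user_password: str) -> bytes:
    """The weak design: editLocked holds 'salt$hash' of the user's password and
    the content key is PBKDF2(editLocked contents, STATIC_SALT). Every input to
    the key derivation therefore ends up inside the archive."""
    pw_salt = secrets.token_hex(8)
    pw_hash = hashlib.sha256((pw_salt + user_password).encode()).hexdigest()
    edit_locked = f"{pw_salt}${pw_hash}".encode()
    key = derive_key(edit_locked, STATIC_SALT)
    iv = secrets.token_bytes(16)
    body = iv + keystream_xor(key, iv, zlib.compress(score))
    return pack({"editLocked": edit_locked, "Content/score.gpif": body})


def lock_hardened(score: bytes, user_password: str) -> bytes:
    """Defender's counterpart: the key depends on the user's password, which is
    never written to the file; the salt is random per file; an encrypt-then-MAC
    tag lets a reader detect a wrong key or a tampered file."""
    file_salt = secrets.token_bytes(16)
    key = derive_key(user_password.encode(), file_salt)
    enc_key, mac_key = key[:16], key[16:]
    iv = secrets.token_bytes(16)
    ct = iv + keystream_xor(enc_key, iv, zlib.compress(score))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return pack({"editLocked": file_salt.hex().encode(), "Content/score.gpif": ct + tag})


def open_hardened(archive: bytes, user_password: str) -> bytes:
    """Legitimate reader for the hardened format: verifies the tag before use."""
    files = unpack(archive)
    key = derive_key(user_password.encode(), bytes.fromhex(files["editLocked"].decode()))
    enc_key, mac_key = key[:16], key[16:]
    body = files["Content/score.gpif"]
    ct, tag = body[:-32], body[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong password or tampered file")
    return zlib.decompress(keystream_xor(enc_key, ct[:16], ct[16:]))


def key_recoverable_from_archive(archive: bytes) -> bool:
    """Audit check: does the archive alone determine the content key? Repeats the
    derivation the post attributes to the application (password = editLocked
    contents, salt = fixed) and reports whether a valid XML score comes out."""
    files = unpack(archive)
    key = derive_key(files["editLocked"], STATIC_SALT)
    body = files["Content/score.gpif"]
    try:
        return zlib.decompress(keystream_xor(key, body[:16], body[16:])).startswith(b"<?xml")
    except zlib.error:
        return False


if __name__ == "__main__":
    weak = lock_as_described(SAMPLE_SCORE, "demo-password")
    hard = lock_hardened(SAMPLE_SCORE, "demo-password")
    print("weak lock, key from file alone:    ", key_recoverable_from_archive(weak))
    print("hardened lock, key from file alone:", key_recoverable_from_archive(hard))
```

key_recoverable_from_archive is the question to ask of any "lock" format: if every input to the key derivation travels inside the file, the lock is a UI flag no matter how strong the cipher is. The hardened variant has a different contract, because the file can no longer be opened without the password; that is the unavoidable trade-off, since a file that must stay playable with no secret from the user cannot also be unreadable to whoever holds it.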

The Role of LLMs in Reverse Engineering

A fascinating part of this project was using an LLM to accelerate the reverse engineering process. While tools like otool and grep provided the raw data, the AI acted as a “force multiplier”:

  • Reading Code at Scale: The most daunting part of reverse engineering is the sheer volume of information. A binary dump can contain millions of lines of assembly instructions. For a human, “reading” this to build a mental model of the software’s behavior is a task that takes days or weeks. The LLM, however, could digest these massive text dumps instantly.
  • Semantic Understanding: It didn’t just match patterns; it understood the intent of the low-level code. By analyzing the context around function calls (like AES_encrypt or setLockPwd), the AI could infer high-level logic—such as identifying that the password was being sourced from file metadata—without us having to manually trace every register.
  • Time Compression: This ability to essentially “read” the binary allowed us to bypass the tedious manual tracing phase entirely. We could ask high-level questions about the software’s behavior and get answers derived from the raw assembly, compressing what would be a “forever” task for a human into a quick conversation.

This collaboration turned what could have been a multi-day debugging session into a targeted, systematic investigation.

Conclusion

This exercise showed that the “lock” feature in Guitar Pro is effectively just a UI flag backed by a fixed-key obfuscation. It prevents casual editing but offers no real security against someone determined to access the data.

Disclaimer: This information is for educational purposes only. Always respect copyright and the wishes of content creators.