Breaking Eggs And Making Omelettes

Topics On Multimedia Technology and Reverse Engineering


Going About This All Wrong

August 29th, 2005 by Multimedia Mike

So the people who make movies are making a movie about Doom. Forgive this brief digression but I must get something off my chest. Have you downloaded the trailer(s) for this movie? Here is the QuickTime file for the second Doom trailer (25 MB, 640×352, SVQ3 video, MP3 audio). What I would like to draw attention to is a feature of the movie that is prominently showcased in the second trailer:


FPS Movie

Why does this irk me so much?

Read the rest of this entry »

Posted in General | Comments Off

Java Deobfuscation In Use; Eclipse For Refactoring

August 28th, 2005 by Multimedia Mike

Believe it or not, other people actually are using my Java de-obfuscation via RetroGuard solution. Further, they are finding a lot of problems with my basic solution and have contributed a number of patches to make the program stronger. I hope to incorporate the patches in the next few days and also maybe figure out how to release an actual .jar file so that using the program will be simpler.

On a Java-related topic, there is the Eclipse project. I am not especially familiar with it but apparently it is supposed to be God’s gift to software engineering. The reason I bring it up is that one of the Java de-obfuscator contributors passed along that Eclipse can help refactor Java code (automatically searching for and replacing identifier names throughout an entire project). The catch, it seems, is that the source code needs to be compilable. The de-obfuscator did not always meet that requirement which is why this particular individual needed the program fixed.

Anyway, I just thought I would mention it since I have not seen a tool that can do this. The refactoring support would be useful for reverse engineering/de-obfuscation work.

Posted in Java, Reverse Engineering | Comments Off

Fun Graphs With IDA Pro

August 22nd, 2005 by Multimedia Mike

Pursuant to my last post on IDA Pro, Benjamin Larsson kindly pointed me to an older version of IDA Pro that has been released as freeware: IDA Pro v4.3. The version is uncrippled for what it can do so you can save your work and not have to worry about needing to RE an entire target in one sitting. This version is also reported to work beautifully under Wine, if that’s your thing. This version is supposed to have great support for Win32 PE files (the most common executable format you will find under Windows) but is somewhat lacking in the area of Linux ELF files (apparently, it is not entirely correct when loading relocation tables).

I decided to take a step back and examine an old favorite target, xanlib.dll. This is the binary module responsible for decoding video data in the ‘Xxan’-fourcc format used in certain Origin games circa 1995. The format has remained a thorn in my side since it should be so simple yet I have never quite reverse engineered the entire thing.

Perhaps the most curious feature I see in IDA Pro is its graphing feature. Actually, IDA Pro subcontracts to a GPL’d graphing library named Visualization and Computer Graphics Lib to handle its graph display. The Win32 graph viewer features a number of fish eye perspective modes for warping the graph view. This is the “fixed radius polar fish eye perspective”:


fixed radius polar fish eye perspective

What is the reason for this feature? If I were a guessing man, I would probably have to guess: “Because they could.” Weird perspective aside, you can see how clearly IDA Pro + VCG illustrate the flow of the assembly language blocks (also called basic blocks in certain academic RE literature), as well as the way I am able to substitute my own identifiers (xan_1000_validate_struct as the function name and xan_last_error for a particular global variable). I am eager to explore more of IDA Pro’s legendary RE features as I finish tearing apart this ancient codec.

Posted in IDA Pro, Origin Xan, Reverse Engineering | No Comments »

Reverse Engineering Blackberry Java Native Modules (?)

August 21st, 2005 by Multimedia Mike

Readers of this blog have highly diverse reverse engineering goals. I was contacted by a reader who is interested in reverse engineering a .cod file. This file comes from the Blackberry run time environment and has to do with Java. I suspect that it is a file full of native CPU code for whatever CPU happens to run inside of a Blackberry. Anyway, since I have neither the time nor the inclination to chase after every code format in existence (and I have never even been entirely sure on what a Blackberry even is), I thought I would put it to the readers in case anyone happens to know off the top of their head. Pertinent details, questions, and speculations:

  • Blackberry JDE is available here
  • Blackberry development documentation
  • Is the .cod a native CPU code file?
  • If it is a native code file, is this a fabled Java Native Interface (JNI) code file?
  • If yes, is there a standard way to disassemble the files?
  • If no, and this is some kind of custom file format, what is the format, the section definitions, etc.?
  • I have examined one sample .cod file. It starts with hex bytes DE C0 FF FF (CODE FFFF in little endian). No other patterns jump out at me except for a few embedded PNG files.

If you have any insight into this format, feel free to contact me.
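
As an added illustration (not code from the original post): a triage helper that checks for the DE C0 FF FF leading bytes reported above and locates embedded PNG images by walking and CRC-checking their chunks. It assumes nothing else about the .cod layout; `triage`, `carve_pngs` and the blob returned by `build_sample` are names and data constructed for this example.

```python
import struct
import zlib

COD_MAGIC = bytes.fromhex("DEC0FFFF")  # leading bytes reported in the post
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def carve_pngs(data):
    """Return (offset, length, width, height) for each well-formed embedded PNG."""
    found, pos = [], data.find(PNG_SIG)
    while pos != -1:
        cur, dims = pos + len(PNG_SIG), None
        while cur + 12 <= len(data):
            length, ctype = struct.unpack_from(">I4s", data, cur)
            end = cur + 12 + length
            if end > len(data):
                break  # chunk runs past end of file
            body = data[cur + 8:end - 4]
            if zlib.crc32(ctype + body) != struct.unpack_from(">I", data, end - 4)[0]:
                break  # bad CRC: false-positive signature or corrupt data
            if ctype == b"IHDR" and length == 13:
                dims = struct.unpack_from(">II", body)
            cur = end
            if ctype == b"IEND":
                if dims:
                    found.append((pos, cur - pos, *dims))
                break
        pos = data.find(PNG_SIG, pos + 1)
    return found


def triage(data):
    """Report whether the blob starts with the magic and where PNGs are embedded."""
    words = struct.unpack_from("<2H", data) if len(data) >= 4 else ()
    return {"magic_ok": data.startswith(COD_MAGIC),
            "le_words": [f"{w:04X}" for w in words],  # DE C0 FF FF -> C0DE FFFF
            "pngs": carve_pngs(data)}


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_sample():
    """Constructed blob (not a real .cod): magic, filler, a 1x1 PNG, filler."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = (PNG_SIG + _chunk(b"IHDR", ihdr)
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
    return COD_MAGIC + b"\x00" * 28 + png + b"\xAA" * 16, len(png)
```

Validating each chunk's CRC up to IEND keeps a stray 8-byte signature match inside unrelated binary data from being reported as an image.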

Posted in Java, Reverse Engineering | 9 Comments »

Jumping In With IDA Pro

August 19th, 2005 by Multimedia Mike

This may come as a surprise to many hardcore reverse engineers out there but I have actually never used DataRescue’s IDA Pro disassembler tool. Chalk it up to a general aversion to non-free software as well as the chore of having to boot into Windows for the experiment (there is supposed to be a limited Linux version available as well). Add to that the fact that it’s always hard to get myself psyched about any RE-related task, necessary though it may be.

I finally tried the program tonight. It really is every bit as amazing as I have heard. Recognizing that the computer can not be smart enough to completely reverse engineer a program, IDA’s guiding principle is to give the reverse engineer a powerful workbench of tools to apply towards the craft. One tool maps functions in blocks of ASM instructions grouped by code branches. Another tool allows you to edit a function’s prototype, which is then taken into account in the function’s analysis. Another tool allows you to create new structure definitions to be used as function parameters.

Fortunately, a trial version of the software that can analyze Windows PE and Linux ELF files is free for download. Unfortunately, it is set to expire after an unspecified period of time. Further, it will not allow you to save your work. The full version of the software will set you back several hundred dollars or euros. Alternatively, you could put a fresh installation of the program on a reliable computer plugged into a UPS and do as much as you can with it. I suppose another workaround is virtualization– set up a virtual environment to save and load the entire machine state.

I had no idea that IDA Pro (full version) can even process console executable files from Nintendo GameBoy and N64 games, Sony Playstation games, Sega Dreamcast games, and Microsoft Xbox games. Makes me wish there were some interesting targets there.

Posted in IDA Pro, Reverse Engineering | No Comments »

PAVC: Bisqwit Forum Discussion

August 16th, 2005 by Multimedia Mike

A few weeks ago, I posted a new thread over on Bisqwit’s Nesvideos forums about my experimental codec research: Custom Video Codec For Console Movies. There has been some interesting discussion regarding PAVC-related compression concepts and it is worth reading.

It has been a little while since I have posted a gratuitous console game screenshot. For a change, instead of posting a screenshot of a game of which I have fond memories, I am posting a screenshot of one of the most dreadful games ever published on the NES:


Heroes of the Lance


Thanks as always to MobyGames and their vast screenshot archive.

Posted in Open Source Multimedia, PAVC | No Comments »

Java Multimedia Library

August 15th, 2005 by Multimedia Mike

Every so often, a discussion of the Java Multimedia Format (JMF) library pops up on an open source multimedia development list. I had never given it any kind of attention until a Google search recently led me to the documentation. I always assumed that it just supported raw formats and some common, open MPEG formats. It turns out that the library actually supports a few better known codecs, some of which are not completely reverse engineered. Of course, my interest in this would be decompiling them and de-obfuscating them beforehand, as necessary. The library contains a non-obfuscated, pure-Java implementation of the Cinepak codec. It also includes an obfuscated, pure-Java implementation of what I believe are some or all of the MPEG-1 codecs.

However, most interesting codecs (including all of those that are not yet RE’d) are only supported via the Win32 or Linux/Solaris “Performance Packs” which are presumably compiled, SIMD-optimized x86 code.

Some curious features– the pure-Java portion of the library supports some of the quirkier Sound Blaster playback frequencies like 11127 Hz and 22254 Hz (while the performance packs support 8000 Hz -> 48000 Hz). Also, I can not get over the fact that the documentation for the javax.media.format.VideoFormat class states that SMC corresponds to “Sorenson format”. (Here is the SMC format, apparently named for its creator, one Sean M. Callahan.)

Posted in Java | No Comments »

Getting Serious About PAVC

August 5th, 2005 by Multimedia Mike

I realized recently that I have completed my initial goals laid out in this post. And since this is a post about PAVC, let’s start out with some pretty console screenshots:


Metal Storm
Metalstorm, NES,
one of the most graphically complex games on the NES console

Read the rest of this entry »

Posted in Open Source Multimedia, PAVC | No Comments »

PAVC: Palette Tricks

August 4th, 2005 by Multimedia Mike

Looking forward to the intercoding portion of this codec, it is very common for palettized graphic animations to use palette tricks to achieve certain graphical effects. One of the most prevalent such uses is screen fades– rather than suddenly showing the entire screen, set all the palette colors to 0 and then draw the graphics. After a certain time delta, adjust the palette to dim colors, wait, set the palette a little brighter, and repeat until the screen is at full color. Perform the inverse process for a fade out effect.

fade-in frame #1

Read the rest of this entry »

Posted in Open Source Multimedia, PAVC | No Comments »

Trash Music Videos

August 3rd, 2005 by Multimedia Mike


eMpTyV

I have mirrored an old website of music video reviews called eMpTyV. Seems like an odd thing to do, I know. But if this is the strangest thing you see on the internet, friend, you are not searching hard enough. These reviews seemed to be popular when I mirrored them on another server some time ago and they are back up now. Check them out and have a good laugh at some ridiculous music videos from years past. I particularly enjoy the October 23, 2001 entry for which I supplied the classic 1980s videos.

Posted in General | Comments Off
