Monthly Archives: August 2005

Going About This All Wrong

So the people who make movies are making a movie about Doom. Forgive this brief digression but I must get something off my chest. Have you downloaded the trailer(s) for this movie? Here is the QuickTime file for the second Doom trailer (25 MB, 640×352, SVQ3 video, MP3 audio). What I would like to draw attention to is a feature of the movie that is prominently showcased in the second trailer:

FPS Movie

Why does this irk me so much?

Continue reading

Java Deobfuscation In Use; Eclipse For Refactoring

Believe it or not, other people actually are using my Java de-obfuscation via RetroGuard solution. Further, they are finding a lot of problems with my basic solution and have contributed a number of patches to make the program stronger. I hope to incorporate the patches in the next few days and also maybe figure out how to release an actual .jar file so that using the program will be simpler.

On a Java-related topic, there is the Eclipse project. I am not especially familiar with it but apparently it is supposed to be God’s gift to software engineering. The reason I bring it up is that one of the Java de-obfuscator contributors passed along that Eclipse can help refactor Java code (automatically searching for and replacing identifier names throughout an entire project). The catch, it seems, is that the source code needs to be compilable. The de-obfuscator did not always meet that requirement which is why this particular individual needed the program fixed.

Anyway, I just thought I would mention it since I have not seen a tool that can do this. The refactoring support would be useful for reverse engineering/de-obfuscation work.

Fun Graphs With IDA Pro

Pursuant to my last post on IDA Pro, Benjamin Larsson kindly pointed me to an older version of IDA Pro that has been released as freeware: IDA Pro v4.3. The version is uncrippled for what it can do so you can save your work and not have to worry about needing to RE an entire target in one sitting. This version is also reported to work beautifully under Wine, if that’s your thing. This version is supposed to have great support for Win32 PE files (the most common executable format you will find under Windows) but somewhat lacking in the area of Linux ELF files (apparently, it is not entirely correct when loading relocation tables).

I decided to take a step back and examine an old favorite target, xanlib.dll. This is the binary module responsible for decoding video data in the ‘Xxan’-fourcc format used in certain Origin games circa 1995. The format has remained a thorn in my side since it should be so simple yet I have never quite reverse engineered the entire thing.

Perhaps the most curious feature I see in IDA Pro is its graphing feature. Actually, IDA Pro subcontracts to a GPL’d graphing library named Visualization and Computer Graphics Lib to handle its graph display. The Win32 graph viewer features a number of fish eye perspective modes for warping the graph view. This is the “fixed radius polar fish eye perspective”:

fixed radius polar fish eye perspective

What is the reason for this feature? If I were a guessing man, I would probably have to guess: “Because they could.” Weird perspective aside, you can see how clearly IDA Pro + VCG illustrate the flow of the assembly language blocks (also called basic blocks in certain academic RE literature), as well as the way I am able to substitute my own identifiers (xan_1000_validate_struct as the function name and xan_last_error for a particular global variable). I am eager to explore more of IDA Pro’s legendary RE features as I finish tearing apart this ancient codec.

Reverse Engineering Blackberry Java Native Modules (?)

Readers of this blog have highly diverse reverse engineering goals. I was contacted by a reader who is interested in reverse engineering a .cod file. This file comes from the Blackberry run time environment and has to do with Java. I suspect that it is a file full of native CPU code for whatever CPU happens to run inside of a Blackberry. Anyway, since I have neither the time nor the inclination to chase after every code format in existence (and I have never even been entirely sure on what a Blackberry even is), I thought I would put it to the readers in case anyone happens to know off the top of their head. Pertinent details, questions, and speculations:

  • Blackberry JDE is available here
  • Blackberry development documentation
  • Is the .cod a native CPU code file?
  • If it is a native code file, is this a fabled Java Native Interface (JNI) code file?
  • If yes, is there a standard way to disassemble the files?
  • If no, and this is some kind of custom file format, what is the format, the section definitions, etc.?
  • I have examined one sample .cod file. It starts with hex bytes DE C0 FF FF (CODE FFFF in little endian). No other patterns jump out at me except for a few embedded PNG files.

If you have any insight into this format, feel free to contact me.