Yearly Archives: 2005

Linspire’s Binary Decoding Modules

One of Linspire’s big selling points is that it supports Microsoft Windows Media decoding out of the box. How does it do this? Several colleagues have written and informed me that Linspire has licensed binary decoding modules from Microsoft. Linspire’s packaged distribution comes with such x86/Linux-native shared objects as libwma2.so, libwma3.so, libwmv2.so, libwmv3.so.

So why is this such a big deal? My informants tell me that the binaries are un-strip’d which means that they have a lot of debugging symbols packaged inside. Thanks, Linspire.

Monitoring The Competition

I learned that this blog ranks highly on Google with the search query “deobfuscating java”. I decided to see what other items come up with such a term. In doing so, I found someone who eats, sleeps, and breathes code obfuscation the same way I do de-obfuscation and reverse engineering.

And if “deobfuscating java” brought you here, this page on Retroguard deobfuscation is the reason.

Meet Paul Tyma, Ph.D. I became aware of him through this I, Cringely column entitled “Misinterpretation”. Tyma and his company PreEmptive Solutions have developed code obfuscators for both the Java and .NET languages. The article notes that one technique under development (possibly already deployed?) is called “Program State Code Protection”. From what I can discern, it almost sounds like self-modifying code for Java. I would be interested to see it in action.

Further, the company has 2 patents assigned to it:

  • 6,102,966: Method for renaming identifiers of a computer program
  • 5,903,761: Method of reducing the number of instructions in a program code sequence

Tyma also has an article in a Java publication entitled “The New Obfuscation”. This piece presents some examples of code mangling that are difficult to decompile and would be almost impossible to recompile.

Legal Threat #00001

Party! Do you have any idea how long I have been involved in multimedia hacking and reverse engineering? About 5 years now. All that while, folks have warned me sternly, and constantly, that this type of work would get me sued to death. I am pleased to announce that today I received my first legal threat. I feel that my work has finally been validated!

Well, it was not necessarily a legal threat, like those notorious “nastygram” cease & desist letters. It was more like a veiled reference to a possible future legal threat. Someone identifying himself as the assistant general counsel for On2 said that the company took exception to the fact that I was posting decompilations of their Java decoder.

And just when I was starting to feel that no one cared about my work…

Naturally, this raises some pressing questions. First and foremost, why was I contacted by the assistant general counsel? Why doesn’t my case warrant the attention of the lead/primary/head general counsel? Maybe if I went after their latest generation codec, VP7, my actions would merit an escalation.

For the time being, I have decided to not post the Java decompilations on my Practical Reverse Engineering site. This entire site is partially an experiment to test where the limits are. Looks like we found one such limit.

I never had a compelling reason to research legal options surrounding these RE activities. Maybe it is time to start. But I am just so lazy… As always, this subject may be revisited. Feel free to email me regarding this situation.

VP5 Progress In The Distributed Arena

I am pleased to report that people have been jumping on the decompiled Java-based VP5 decoder. Notably, it was clear to one individual that the method called clinch() that read bits from the stream using some bizarre algorithm is, in fact, an arithmetic decoding algorithm.

Regarding credits: I realize that many people engaged in reverse engineering activities are a little paranoid about having their achievements recognized. As such, my default policy is to not mention a contributor’s name unless they specifically ask for credit.

This is the current version of the decompiled VP5 Java cryptogram. Updates may occur at any time so check on the version number and timestamp inserted by SVN.