Category Archives: Reverse Engineering

Brainstorming and case studies relating to craft of software reverse engineering.

Java Deobfuscation In Use; Eclipse For Refactoring

Believe it or not, other people actually are using my RetroGuard-based Java de-obfuscation solution. Further, they are finding a lot of problems with my basic solution and have contributed a number of patches to make the program stronger. I hope to incorporate the patches in the next few days and also maybe figure out how to release an actual .jar file so that using the program will be simpler.

On a Java-related topic, there is the Eclipse project. I am not especially familiar with it but apparently it is supposed to be God’s gift to software engineering. The reason I bring it up is that one of the Java de-obfuscator contributors passed along that Eclipse can help refactor Java code (automatically searching for and replacing identifier names throughout an entire project). The catch, it seems, is that the source code needs to be compilable. The de-obfuscator did not always meet that requirement, which is why this particular individual needed the program fixed.

Anyway, I just thought I would mention it since I have not seen a tool that can do this. The refactoring support would be useful for reverse engineering/de-obfuscation work.

Fun Graphs With IDA Pro

Pursuant to my last post on IDA Pro, Benjamin Larsson kindly pointed me to an older version of IDA Pro that has been released as freeware: IDA Pro v4.3. This version is not crippled in what it can do, so you can save your work and do not have to worry about reverse engineering an entire target in one sitting. This version is also reported to work beautifully under Wine, if that’s your thing. This version is supposed to have great support for Win32 PE files (the most common executable format you will find under Windows) but is somewhat lacking in the area of Linux ELF files (apparently, it is not entirely correct when loading relocation tables).

I decided to take a step back and examine an old favorite target, xanlib.dll. This is the binary module responsible for decoding video data in the ‘Xxan’-fourcc format used in certain Origin games circa 1995. The format has remained a thorn in my side since it should be so simple yet I have never quite reverse engineered the entire thing.

Perhaps the most curious feature I see in IDA Pro is its graphing feature. Actually, IDA Pro subcontracts to a GPL’d graphing library named Visualization and Computer Graphics Lib (VCG) to handle its graph display. The Win32 graph viewer features a number of fish eye perspective modes for warping the graph view. This is the “fixed radius polar fish eye perspective”:


fixed radius polar fish eye perspective

What is the reason for this feature? If I were a guessing man, I would probably have to guess: “Because they could.” Weird perspective aside, you can see how clearly IDA Pro + VCG illustrate the flow of the assembly language blocks (also called basic blocks in certain academic RE literature), as well as the way I am able to substitute my own identifiers (xan_1000_validate_struct as the function name and xan_last_error for a particular global variable). I am eager to explore more of IDA Pro’s legendary RE features as I finish tearing apart this ancient codec.
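The graph view above is built from basic blocks and the branches between them. As an added example (not code from the original post), here is how a linear disassembly listing is split into basic blocks and how the control-flow edges are derived; the listing, its addresses and the xan_last_error reference are constructed for the demo, borrowing the post's naming.

```python
# Added example (not from the original post): split a linear disassembly into
# basic blocks and derive the control-flow edges IDA Pro's graph view draws.
JUMPS = {"jmp", "jz", "jnz", "je", "jne", "ja", "jb", "jl", "jg"}

# Constructed x86-style (address, mnemonic, operands) triples; addresses made up.
LISTING = [
    (0x1000, "cmp", "dword [ebp+8], 0"),
    (0x1004, "jz", "0x1012"),
    (0x1006, "mov", "eax, [ebp+8]"),
    (0x1009, "cmp", "dword [eax], 0x4E414158"),
    (0x100F, "jne", "0x1019"),
    (0x1011, "ret", ""),
    (0x1012, "mov", "dword [xan_last_error], 1"),
    (0x1018, "ret", ""),
    (0x1019, "mov", "dword [xan_last_error], 2"),
    (0x101F, "jmp", "0x1018"),
]

def branch_target(mnemonic, operands):
    """Target of a direct jump given as a hex literal, else None (e.g. indirect)."""
    if mnemonic in JUMPS and operands.startswith("0x"):
        return int(operands, 16)
    return None

def basic_blocks(listing):
    """Return (blocks, edges): start addr -> instrs; (from_start, to_start) pairs."""
    addrs = [a for a, _, _ in listing]
    # Leaders: first instr, each direct branch target, instr after any jump/ret.
    leaders = {addrs[0]}
    for i, (_, mn, ops) in enumerate(listing):
        tgt = branch_target(mn, ops)
        if tgt is not None:
            leaders.add(tgt)
        if (mn in JUMPS or mn == "ret") and i + 1 < len(listing):
            leaders.add(addrs[i + 1])
    blocks, edges, start = {}, set(), None
    for ins in listing:
        if ins[0] in leaders:
            start = ins[0]
        blocks.setdefault(start, []).append(ins)
    for start, block in blocks.items():
        last_addr, mn, ops = block[-1]
        tgt = branch_target(mn, ops)
        if tgt is not None:
            edges.add((start, tgt))
        nxt = addrs.index(last_addr) + 1
        if mn not in ("jmp", "ret") and nxt < len(listing):
            edges.add((start, addrs[nxt]))  # fallthrough edge
    return blocks, edges
```

Each key of `blocks` is one box in the graph and each pair in `edges` one arrow; a conditional jump yields two outgoing arrows, an unconditional one or a return yields one or none.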

Reverse Engineering Blackberry Java Native Modules (?)

Readers of this blog have highly diverse reverse engineering goals. I was contacted by a reader who is interested in reverse engineering a .cod file. This file comes from the Blackberry runtime environment and has to do with Java. I suspect that it is a file full of native CPU code for whatever CPU happens to run inside of a Blackberry. Anyway, since I have neither the time nor the inclination to chase after every code format in existence (and I have never even been entirely sure what a Blackberry is), I thought I would put it to the readers in case anyone happens to know off the top of their head. Pertinent details, questions, and speculations:

  • Blackberry JDE is available here
  • Blackberry development documentation
  • Is the .cod a native CPU code file?
  • If it is a native code file, is this a fabled Java Native Interface (JNI) code file?
  • If yes, is there a standard way to disassemble the files?
  • If no, and this is some kind of custom file format, what is the format, the section definitions, etc.?
  • I have examined one sample .cod file. It starts with hex bytes DE C0 FF FF (CODE FFFF in little endian). No other patterns jump out at me except for a few embedded PNG files.

If you have any insight into this format, feel free to contact me.
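As an added example (not code from the original post), this is the kind of first-pass triage described in the last bullet: confirm the reported DE C0 FF FF bytes at offset 0 and locate embedded PNG files by walking their chunk structure rather than trusting the 8-byte signature alone. The sample blob is constructed; nothing here assumes anything about the real .cod layout.

```python
# Added example (not from the original post): first-pass triage of an opaque
# blob like the .cod sample above: confirm the reported DE C0 FF FF magic and
# locate embedded PNGs by walking chunks, so a bare signature is not miscounted.
import struct
import zlib

COD_MAGIC = b"\xDE\xC0\xFF\xFF"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def has_cod_magic(data):
    """True if data starts with the 4 bytes the post reports at offset 0."""
    return data[:4] == COD_MAGIC

def png_extent(data, off):
    """Length of a chunk-valid PNG starting at off, or None. Each chunk is a
    big-endian length, 4-byte type, payload and CRC32 over type+payload."""
    if data[off:off + 8] != PNG_SIG:
        return None
    pos, first = off + 8, True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4 or (first and ctype != b"IHDR"):
            return None
        if struct.pack(">I", zlib.crc32(ctype + body)) != crc:
            return None
        first, pos = False, pos + 12 + length
        if ctype == b"IEND":
            return pos - off
    return None  # ran off the end without IEND: truncated or not a PNG

def find_pngs(data):
    """Return [(offset, length)] for every chunk-valid PNG embedded in data."""
    found, off = [], data.find(PNG_SIG)
    while off != -1:
        n = png_extent(data, off)
        if n:
            found.append((off, n))
        off = data.find(PNG_SIG, off + (n or 1))
    return found

def tiny_png():
    """Construct a minimal valid PNG (IHDR + IEND, no image data) for the demo."""
    def chunk(ctype, body):
        crc = struct.pack(">I", zlib.crc32(ctype + body))
        return struct.pack(">I", len(body)) + ctype + body + crc
    return PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + chunk(b"IEND", b"")

# Constructed sample: magic, filler, one valid PNG, then a truncated PNG header.
SAMPLE = COD_MAGIC + b"\x00" * 16 + tiny_png() + b"junk" + PNG_SIG + b"\x00\x00\x00\x0dIHDR"
```

On a real file, `find_pngs(open(path, "rb").read())` gives the offsets to cut around, and the bytes left over between the PNGs are where a custom container format would have to live.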

Jumping In With IDA Pro

This may come as a surprise to many hardcore reverse engineers out there but I have actually never used DataRescue’s IDA Pro disassembler tool. Chalk it up to a general aversion to non-free software as well as the chore of having to boot into Windows for the experiment (there is supposed to be a limited Linux version available as well). Add to that the fact that it’s always hard to get myself psyched about any RE-related task, necessary though it may be.

I finally tried the program tonight. It really is every bit as amazing as I have heard. Recognizing that the computer cannot be smart enough to completely reverse engineer a program, IDA’s guiding principle is to give the reverse engineer a powerful workbench of tools to apply towards the craft. One tool maps functions as blocks of ASM instructions grouped by code branches. Another tool allows you to edit a function’s prototype, which is then taken into account in the function’s analysis. Another tool allows you to create new structure definitions to be used as function parameters.

Fortunately, a trial version of the software that can analyze Windows PE and Linux ELF files is free for download. Unfortunately, it is set to expire after an unspecified period of time. Further, it will not allow you to save your work. The full version of the software will set you back several hundred dollars or euros. Alternatively, you could put a fresh installation of the program on a reliable computer plugged into a UPS and do as much as you can with it. I suppose another workaround is virtualization: set up a virtual environment to save and load the entire machine state.

I had no idea that IDA Pro (full version) can even process console executable files from Nintendo GameBoy and N64 games, Sony Playstation games, Sega Dreamcast games, and Microsoft Xbox games. Makes me wish there were some interesting targets there.