Category Archives: Reverse Engineering

Brainstorming and case studies relating to craft of software reverse engineering.

Java Multimedia Library

Every so often, a discussion of the Java Multimedia Format (JMF) library pops up on an open source multimedia development list. I had never given it any kind of attention until a Google search recently led me to the documentation. I always assumed that it just supported raw formats and some common, open MPEG formats. It turns out that the library actually supports a few better known codecs, some of which are not completely reverse engineering. Of course, my interest in this would be decompiling them and de-obfuscating them beforehand, as necessary. The library contains a non-obfuscated, pure-Java implementation of the Cinepak codec. It also includes an obfuscated, pure-Java implementation of what I believe are some or all of the MPEG-1 codecs.

However, most interesting codecs (including all of those that are not yet RE’d) are only supported via the Win32 or Linux/Solaris “Performance Packs” which are presumably compiled, SIMD-optimized x86 code.

Some curious features– the pure-Java portion of the library supports some of the quirkier Sound Blaster playback frequencies like 11127 Hz and 22254 Hz (while the performance packs support 8000 Hz -> 48000 Hz). Also, I can not get over the fact that the documentation for the javax.media.format.VideoFormat class states that SMC corresponds to “Sorenson format”. (Here is the SMC format, apparently named for its creator, one Sean M. Callahan.)

Intel Syntax Using ‘objdump’

At first I was planning to conduct a survey of binary disassemblers just to find one that could disassemble a Linux ELF binary and show the machine instructions in Intel format instead of AT&T format. However, a little man page perusal revealed that the standard objdump utility– part of the GNU binutils suite– knows how to disassemble into this syntax. For the curious, the extra command line parameter that will do this is ‘-M intel’. There it is! No more ugly AT&T ASM syntax.

Just a little FYI.

Pretty Call Graphs Based On The call/ret Monitor

Thanks for Benjamin Larsson for advising me on how to make a proper graph using Graphviz (specify a graph of type ‘prof’ vs. ‘unix’). Thus, here are some nice (and big) graphs based on the call/ret experiment at this point:

See this post (“Refining The call/ret Monitor”) for details on how the graph data is generated.

And as a bonus, I put the toolset to work analyzing Linspire’s WMV3/WMV9 decoding module. Here are some call graphs (I used the teaser trailer from Halo 2, hence the “halo2” in the filenames):

Refining The call/ret Monitor

Reverse engineering is, of course, a tedious, time-consuming, and error-prone task. It requires a lot of concentration that I either do not have or do not care to invest in the RE task. That is why so many of my RE experiments are geared toward automating the task as much as possible. To that end, I am optimistic about this call/ret monitoring experiment since it yields such a good high-level overview of an algorithm contained in a binary (with debug symbols). But it can use some improvement(s):

Continue reading