Category Archives: Reverse Engineering

Brainstorming and case studies relating to craft of software reverse engineering.

Unholy Alliance

Ma.tt (his actual domain name), the father of the WordPress blogging system, snapped this photo at the SxSW event and it gave me a cold chill for some reason:


Blu-Ray/Java Segway

I did a little searching and realized that I had already been exposed to the idea that Blu-Ray was colluding with Java. Now it occurs to me to wonder: Has there been demand for free multimedia players to support the Java functionality necessary to play Blu-Ray discs?

Shortcut To The Treasure

Followup: Some Reddit readers tackled this challenge and conquered it. Read up on it here.


Treasure Master (NES) cartridge

Back in the glory days of the old 8-bit Nintendo Entertainment System, I used to read my Nintendo Power magazine issues religiously. One issue that stood out to me, and that I never forgot about, is one that briefly mentioned Treasure Master (volume 26, July 1991, Robin Hood: Prince of Thieves issue).

This will be the first NES game where you can actually win prizes by playing it to the finish! The Game Pak will be released in the fall, and everyone will have time to master it. When you finish the game, you’ll reach a point where you can enter a speical password. In February of 1992, American Softworks will reveal the password that will allow you to play a secret portion of the game. The first person to finish the secret level and call in will win a $25,000 bond. Many of those who finish later will still be eligible for prizes– the sooner you finish, the better the prize. As you can imagine, the code is top secret, and the password system has been proven uncrackable by MIT and the CIA. (emphasis added)

Nintendo Power -- Robin Hood cover       Treasure Master (NES) -- Nintendo Power
click for larger image

So the gimmick for this substandard, side-scrolling, run & jump game was that players would buy it, play it, and build up skill in a few months. Then, after everyone has had a chance to get really good at the game, the company would release a password that would unlock a secret stage. Play through this stage and you could win big prizes.


Treasure Master (NES) -- Title screen

Naturally, the part about the uncrackable code caught my attention. I didn’t even realize the CIA provided such a vetting service. Anyway, I didn’t hear anything else about the game again. Many years passed and I saw the game in a used video game shop. I figured it was time to revisit the uncrackable code issue since I know a little more about computers and codes now. And I also know better than to accept an uncrackable code claim at face value.

How uncrackable is the code? The introductory blurb from Nintendo Power raises some questions, many of which can be answered by the Treasure Master instruction manual. The full details of the contest are provided. Apparently, the password was to be announced on MTV on April 11, 1992, probably during a commercial. Players would enter the password, along with their game cartridge’s unique serial number, in order to unlock the special levels of the game. Upon completion of the levels, the game would return a special winning number that the player could give to the operator on the other end of a 1-900 phone number to try to win a prize.

To be fair, the official manual doesn’t mention the uncrackable code nonsense. The James Bond material highlighted in the Nintendo Power preview can probably be attributed to some Marketing/PR flunkie at American Softworks working more closely with the magazine than their own engineering department.

Also, Nintendo really wants you to know that they have nothing to do with the contest:


Treasure Master (NES) -- Disclaimers

Threat Model
Continue reading

Android Multimedia SDK

Google has unveiled their mighty Android platform SDK today. It apparently based uses that phone-based flavor of Java. An ergonomic Eclipse-based development environment and a software emulator are both provided for your experimentation.


Android logo

That’s nice. But let’s cut to what really matters — multimedia. The SDK specifies the Media API along with its MediaPlayer and MediaRecorder APIs. According to the AudioEncoder class, audio can be encoded to AMR-NB. The VideoEncoder class specifies H.263, H.264, and MPEG-4 SP. All pretty standard for a mobile application, I suppose.

Who handles the multimedia heavy lifting? Vitor noticed this press release and associated fluffy overview from PacketVideo

It’s Java, though, and that means obfuscated Java bytecode programs. Time for a renaissance for my Java de-obfuscator?

XIntra8 In FFmpeg

Rejoice! Thanks to the inimitable multimedia hacker Allan Smithee, FFmpeg now supports the XIntra8 coding scheme! Why is this important? Also known informally as the J-frame (and X8Intra and IntraX8), the XIntra8 coding mode has long been the missing piece of the Microsoft WMV2 puzzle and is apparently also used in certain variations of WMV3.

Update: Check out Kostya’s rant on the matter for better details on exactly what XIntra8 is, and why it is so painful.

This has been a longstanding problem for FFmpeg’s open source WMV2 decoder. You would be watching a WMV2-encoded video and suddenly, obnoxiously, there would be a severe glitch where you could watch blocks of incorrect colors moving around the screen. For example:


Britney Spears -- Not A Girl, Not Yet A Woman -- XIntra8 blocky decode

The XIntra8 is a different type of intraframe from the usual I-frame found in WMV2. Since the decoder could not handle the data, the policy was to just copy over the previous interframe and proceed with more frames, and hope that a regular I-frame was not too far in the future.

But now, I can finally properly watch this WMV2 encode of Britney Spears old music video for “Not A Girl, Not Yet A Woman”:


Britney Spears -- Not A Girl, Not Yet A Woman -- XIntra8 correct decode

Oh, don’t try to claim that you don’t have an extensive collection of her works. It’s okay to state that you have amassed the collection strictly for the academic purpose of multimedia study. That’s my story and I’m sticking to it.