Pursuant to my last post on IDA Pro, Benjamin Larsson kindly pointed me to an older version of IDA Pro that has been released as freeware: IDA Pro v4.3. The version is uncrippled for what it can do so you can save your work and not have to worry about needing to RE an entire target in one sitting. This version is also reported to work beautifully under Wine, if that’s your thing. This version is supposed to have great support for Win32 PE files (the most common executable format you will find under Windows) but somewhat lacking in the area of Linux ELF files (apparently, it is not entirely correct when loading relocation tables).

I decided to take a step back and examine an old favorite target, xanlib.dll. This is the binary module responsible for decoding video data in the ‘Xxan’-fourcc format used in certain Origin games circa 1995. The format has remained a thorn in my side since it should be so simple yet I have never quite reverse engineered the entire thing.

Perhaps the most curious feature I see in IDA Pro is its graphing feature. Actually, IDA Pro subcontracts to a GPL’d graphing library named Visualization and Computer Graphics Lib to handle its graph display. The Win32 graph viewer features a number of fish eye perspective modes for warping the graph view. This is the “fixed radius polar fish eye perspective”:

What is the reason for this feature? If I were a guessing man, I would probably have to guess: “Because they could.” Weird perspective aside, you can see how clearly IDA Pro + VCG illustrate the flow of the assembly language blocks (also called basic blocks in certain academic RE literature), as well as the way I am able to substitute my own identifiers (xan_1000_validate_struct as the function name and xan_last_error for a particular global variable). I am eager to explore more of IDA Pro’s legendary RE features as I finish tearing apart this ancient codec.