Tags: reverse engineering


Dear software protection developers

You know, you don't have to be this helpful :)

(To those who don't quite get it: software protection schemes depend on obfuscation, because the computer is ultimately under control of the end user. That is a corollary to "if the attacker has physical access, you've already lost". Thus, naming functions things like "decryptClass" (since this is a Java protection library) or "VerifyLicense" is... not exactly wise.)

This entry was originally posted at http://davv.dreamwidth.org/36608.html. You may comment there using OpenID, or comment here if you prefer.

Of coding and pictures

Here's a hint: when you purposefully limit your program, don't make it call a function that returns 0 when you're not allowed extended functionality and nonzero otherwise. One "OR AX, FF, RETN" later and woot.

Or just do it, to make things easier for disassemblers.


After that little bit of fun, and Just One More Turn of Civ, and sleep and such, I was looking through DA when I found some nice pictures. They're obviously not mine, but I link to them nevertheless, since they're... well, nice!

Aww, isn't that cute?
A little water dragon.
And a very detailed, just slightly larger ordinary dragon!
Element seal with another drake.

And, in returning


This is what you get when you're sufficiently hooked on reverse engineering; a board from an old game, data pulled off its files without any prior knowledge of its format.
Anyone recognize it?

Ah, and SkyShadow, check your box.

(I write very long or very short sentences. Such is the artifact.)

Observations of the day

Try to install SoftICE on Windows XP and you will get strange errors up to and including the good old blue screen. Breakpoints that don't trigger? Check. Breakpoints that crash the program but still don't trigger? Check. Strange intermittent symbol resolution that winks in and out of existence? Check. Searches that last forever and then crash? Yup, you've got it!

Seems I'll have to use some other debugger. It's a pity; when Ice is good, it's really good.

[EDIT: Ooh how I enjoy anti-debugger trickery! Ah yes, and spice it up with registration number encoding routines that go on and on and on and I guess you get the point.]

This swan is not a bird.

In other news, I have finished writing a program to allocate parliamentary seats according to some minimizing criterion (RMSE or representation Gini). Maybe I should put it up on my webpage. *shrugs*

Also working on reverse engineering a protocol known as P3 / FDO.
I can read its bytecode now -- next is to make the decompiler understand the differing types of data (numbers, ASCII text) and discern between them.

[EDIT: Yay! The decompiler works now, except for a single strange bug with a particular parameter. The output looks like this:
Raw: 20 01 41 29 22 21 80 21 1d 20 02 

0, 1, 0         uni_start_stream
1, 9, 1         man_set_context_globalid < 1 >
2, 1, 1         act_do_action < action_tool_128 >
1, 29, 0        man_end_context
0, 2, 0         uni_end_stream
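As an added illustration (not the author's decompiler, and not a description of the real P3/FDO wire format), here is a small Python decoder that reproduces the listing above from the "Raw:" bytes. The encoding it implements is an assumption: each atom is a two-byte header whose first byte carries the group in its low five bits and a flag bit 0x40, and whose second byte carries the opcode in its low five bits; the upper three bits of the second byte are either the argument itself (when 0x40 is set) or the number of argument bytes that follow (when it is not). That rule is simply the one consistent with the five atoms shown; the atom names and the `action_tool_` rendering are copied from the post's output.

```python
# Constructed sample: the "Raw:" bytes quoted in the post.
RAW = bytes.fromhex("20 01 41 29 22 21 80 21 1d 20 02")

# Atom names as printed in the post, keyed by (group, opcode) taken from the
# decoded listing. Anything not in the table is printed generically.
ATOM_NAMES = {
    (0, 1): "uni_start_stream",
    (0, 2): "uni_end_stream",
    (1, 9): "man_set_context_globalid",
    (1, 29): "man_end_context",
    (2, 1): "act_do_action",
}

# Assumed symbolic rendering of an argument; the post prints 0x80 for
# act_do_action as "action_tool_128".
ARG_FORMATS = {
    (2, 1): "action_tool_{}",
}

# Header flag, ASSUMED: when set, the argument is stored inline in the upper
# three bits of the opcode byte instead of in trailing bytes.
INLINE_ARG_FLAG = 0x40


def decode_atoms(data):
    """Return a list of (group, opcode, argc, arg) tuples under the assumed encoding.

    arg is None when the atom carries no argument. Raises ValueError on a
    truncated stream rather than silently reading past the end.
    """
    atoms = []
    i = 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated atom header at offset %d" % i)
        head, body = data[i], data[i + 1]
        i += 2
        group = head & 0x1F
        opcode = body & 0x1F
        hi = body >> 5
        if head & INLINE_ARG_FLAG:
            # Inline form: the three high bits of the opcode byte are the argument.
            argc, arg = 1, hi
        else:
            # Length form: the three high bits say how many argument bytes follow
            # (big-endian). Zero means the atom takes no argument.
            if i + hi > len(data):
                raise ValueError("truncated argument at offset %d" % i)
            argc = 1 if hi else 0
            arg = int.from_bytes(data[i:i + hi], "big") if hi else None
            i += hi
        atoms.append((group, opcode, argc, arg))
    return atoms


def format_listing(data):
    """Render atoms in the post's 'group, opcode, argc    name < arg >' layout."""
    lines = []
    for group, opcode, argc, arg in decode_atoms(data):
        name = ATOM_NAMES.get((group, opcode), "atom_%d_%d" % (group, opcode))
        text = ("%d, %d, %d" % (group, opcode, argc)).ljust(16) + name
        if argc:
            fmt = ARG_FORMATS.get((group, opcode), "{}")
            text += " < " + fmt.format(arg) + " >"
        lines.append(text)
    return lines


if __name__ == "__main__":
    print("Raw:", RAW.hex(" "))
    print()
    for line in format_listing(RAW):
        print(line)
```

Running the block prints the same five lines as the post. The point of keeping `decode_atoms` separate from `format_listing` is that the structural decode (and its length checks) can be tested on its own before any naming is layered on top, which is usually where a reverse-engineered format first reveals that the guessed encoding is wrong.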