Reverse EngineerZINE
Released by: The Immortal Descendants and DREAD
Editors: Steinowitz and Volatility

Issue 005
January 2000


Foreword

Greetings, and Happy New Year!  Well, the year rolled over, without so much as a glitch, which was mostly expected...  the people that made millions on exploiting people with this bogus scare should be ashamed of themselves... as should the people who spent countless dollars on all this bogus "testing".  The New Year has caused no "glitches" in the production of the zine! In fact, there is now another editor and many more contributors!  With new and exciting content, we're sure you'll enjoy this and all the issues to come!  Of course, none of this can be done without you...  as usual, please send any contributions to: Volatility@ImmortalDescendants.com

Enjoy!
Steinowitz and Volatility


Scene News

- If you haven't heard yet, Fravia has requested all mirrors of his site to be closed, and taken offline.
- Several individuals are still planning to host all the essays that were at Fravia's on a new site.  You'll know when we do :)
- Talking about the essays on Fravia's site: isn't it about time to start a new site with all old and new essays regarding reverse engineering? It would require quite some effort, but it'd be worth it...
- Windows 2000 has been tested, and seems to be deemed inappropriate for cracking purposes...  maybe they'll release a personal edition?
- There are still not enough fast servers available for the book project mentioned in a previous issue of this magazine. As a result of that, the project won't go public soon.
- More newcomers seem to be truly interested in the knowledge, and not just releasing cracks/keygens...  very good to see!
- +Sandman's CD Project seems to be nearing completion.
- Carpathia has started a nice newsletter, to keep people informed of new essays. To subscribe, e-mail him at re_subscription@hotmail.com, and mail any new submissions to re_knowledge@hotmail.com


Interesting Protections

This is a protection Steinowitz has investigated...  here's what he has to say:

I always thought it's impossible to code a good Java protection, because JAD always gives us the source code of Java applets. I still think it's hard to code a good protection in Java, but I now know it's possible...

You should have a look at DigiChat, which you can find at http://www.digichat.com. It seems clear where the protection resides, and that first thought turns out to be true: the SerialInfo and KeyInfo classes. Decompiling these classes is no problem, as usual. But have a good look at the source code... It's possible to reverse, but it isn't as easy as other protections written in Java (see the jIRC example elsewhere in this RE-zine). Good work, makers of DigiChat!


Tools of the Trade

There are three tools we'd like to mention this month. The first one is UPX, which is a great executable packer. It strongly reduces the size of your executables. UPX is an abbreviation for 'Ultimate Packer for eXecutables'. Well, that should say enough. If you don't already know the program, check it out now. You can find it at http://wildsau.idv.uni-linz.ac.at/mfx/upx.html.

The second tool we'd like to mention is a nice program you can use to create your own NFO files. It's often difficult to design nice ASCII NFOs, because Notepad (or The Gun) doesn't display these files the way they should look. You can find elton's NFO Builder at http://fnw.hello.to.

Lastly, there is a Linux disassembler called REAP (Reverse Engineers Assembly Producer) by The Grugq. It is apparently getting great reviews from the PC underground and from Linux aficionados. It is available at the Immortal Descendants site, or at the REAP homepage: http://reap.cjb.net


Coded Stupidity

This example was contributed by stillgreen@onebox.com:

Hi there,
Yesterday I saw your page, and I thought I could contribute this. Hope this will help you, so here goes:

I guess you heard about Satori webFX 2000 (v3.02) http://www.satoripaint.com/
Some Graphix tool for the Web. Now for the stupidity:

It stores the number of trial days left for use in the registry [HKCU\software\microsoft numeric dlinit], like 9, 13 etc.,
without encryption. That's right, a plain number, with a lot of protection to stop the program from cracking the serial.
I guess that's because I am a newbie.

Hope this has helped you.
Bye for now..


Links of Interest

KGS stands for KeyGen Script and is a scripting language based on Perl. The purpose of the design of KGS is to provide an easy scripting language which you could use to write key generators. Since KGS is based on Perl and a web interface has already been written, it's easy to use on the WWW.

Visit Steinowitz' http://kgs.cjb.net now and have a look at the sample scripts. The language is easy to learn and easy to use. There are no help files on KGS yet, but those will soon be added to the website. Try the sample scripts, find out how they work, write your own scripts and test them online. You can even add your own scripts to the online script library, but make sure that it does what you want before adding it!


Articles, Essays and Associated Literature

Here's a mini-essay by Steinowitz, on a key-generation algorithm in Java:

Java reversing - JPilot's jIRC

First of all, you should get yourself jIRC from JPilot's website: http://www.jpilot.com. For those who don't have a Java decompiler: download JAD from http://web.unicom.com.cy/~kpd/jad.html. Unzip and decompile all classes (.class files) that you think are important. If you want to preserve the digital signature of the compressed jIRC packages, you can't replace one of the class files with your own version. Therefore, you'll have to create your own serial.

I'm not going to make an extensive essay of this; all I'm going to do is explain in general what the Register class does. With that information, you should be able to reverse this and similar Java protections. I won't paste the whole decompiled source code, only those parts which are interesting.

public class Register
{
    // Field declarations are not part of the decompiled excerpt; these are
    // inferred from how the fields are used below, so the class compiles as shown.
    private boolean ConstructOK;
    private String InputKey;
    private int CheckSum, Seed, URLLength, CompLength, DescLength, JumpValue;
    private String DecodedWeb, DecodedComp, DecodedDesc;

    public Register(String s)
    {
        ConstructOK = false; // OK = false. Will become true with a valid serial.
        InputKey = s;
        try
        {
            int i = 0; int j = 7;
            CheckSum = Integer.parseInt(s.substring(i, j)); // first 7 characters of key have to be a number
            i = j; j += 7;
            Seed = Integer.parseInt(s.substring(i, j)); // next 7 characters, also a number
            setJumpValue(Seed);
            i = j; j += 3;
            URLLength = Integer.parseInt(s.substring(i, j)); // next 3 characters, another number
            i = j; j += 3;
            CompLength = Integer.parseInt(s.substring(i, j)); // next 3 characters, another number
            i = j; j += 3;
            DescLength = Integer.parseInt(s.substring(i, j)); // and again...
            i = j += 5; j += URLLength;
            DecodedWeb = Decode(s.substring(i, j)); // skip 5 chars, take URLLength chars and decode them. This decoded string should be the URL where the applet may be used.
            i = j; j += CompLength;
            DecodedComp = Decode(s.substring(i, j)); // decode next CompLength chars. DecodedComp should then hold the company name.
            i = j; j += DescLength;
            DecodedDesc = Decode(s.substring(i, j)); // decode next DescLength chars. Desc = Description.
            ConstructOK = true; // if no exceptions occur, the construction of the key was ok
            return;
        }
        catch(Exception _ex)
        {
            // the rest of the code here runs when something's wrong (a field is not a number,
            // or the key is too short for substring()) and the key is thus invalid
        }
    }

    public boolean verify()
    {
        return ConstructOK && CheckSumOK(); // construction of key must be ok, but CheckSumOK() must also be true!
    }

    private boolean CheckSumOK()
    {
        int j = InputKey.length();
        int k = 0;
        for(int i = 7; i < j; i++)
        {
            char c = InputKey.charAt(i); // get Unicode # of character at position i
            k += c;
        }

        if(CheckSum == k) // generated checksum k must be equal to CheckSum we got from the key
            return true;
        return false;
    }

    private String Decode(String s)
    {
        String s1 = "";
        for(int k = 0; k < s.length(); k++) // for each character in string s
        {
            char c = s.charAt(k); // get Unicode # of character at position k
            int i = c + getOffset(c); // translate character code
            s1 = s1 + new Character((char)i).toString(); // add translated character to decoded string
        }
        return s1;
    }

    private void setJumpValue(int i)
    {
        JumpValue = i % 80 + 1; // % is 'modulo', no more explanations necessary
    }

    private int getOffset(int i)
    {
        int k = i - JumpValue; // think about this one
        int j;
        // Remember that the 'seed' for JumpValue can be chosen when constructing
        // your own key! This means that you may choose your own JumpValue; how
        // about making it 1? Printable characters start at space (code 32), so
        // with JumpValue 1, i - JumpValue is at least 31, and every character
        // above space takes the branch directly below. That way, we don't even
        // need to look at the code in the else branch.
        if(k > 31)
        {
            j = -JumpValue;
        }
        else
        {
            k = 126 - 31 - k;
            j = k - i;
        }
        return j;
    }
}

You could try your own key by adding one <PARAM> tag to the HTML file containing the applet,
like this:

<param name="LicenseKey" value="YOUR_KEY_HERE">

If your license key is correct, you'll see the text you chose in the about dialog...
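A Python port of the Register logic above, added here as an example (it is neither the zine's nor JPilot's code), to make the key layout and the Decode/getOffset arithmetic explicit and to show why the scheme cannot resist forgery: the checksum is a plain sum of the key's own characters and the seed that selects JumpValue travels inside the key, so the verifier holds no secret at all. SAMPLE_KEY is a constructed key for this demonstration, not a real jIRC key.

```python
# Python port of jIRC's Register logic (added example, not JPilot's or the zine's code).
# Field widths and the Decode/getOffset arithmetic follow the decompiled Java above.

def jump_value(seed):
    return seed % 80 + 1                      # setJumpValue()

def get_offset(code, jump):
    k = code - jump                           # getOffset(): with jump 1 every character above
    if k > 31:                                # space lands in this branch
        return -jump
    return (126 - 31 - k) - code              # reflection branch, only for low codes

def decode(s, jump):                          # Decode(): apply the offset to each character
    return "".join(chr(ord(c) + get_offset(ord(c), jump)) for c in s)

def checksum_of(key):                         # CheckSumOK(): plain sum of code points after field 1
    return sum(ord(c) for c in key[7:])

def _field(key, start, width):                # Integer.parseInt() on a fixed-width field
    text = key[start:start + width]
    if len(text) != width or not text.isdigit():
        raise ValueError("bad numeric field at %d" % start)
    return int(text)

def _take(key, start, length):                # substring(); throws when the key is too short
    if start + length > len(key):
        raise ValueError("key too short")
    return key[start:start + length]

def parse_key(key):                           # mirrors the Register constructor
    checksum, seed = _field(key, 0, 7), _field(key, 7, 7)
    url_len, comp_len, desc_len = (_field(key, 14 + 3 * n, 3) for n in range(3))
    jump, i = jump_value(seed), 23 + 5        # five characters after the lengths are skipped
    web = decode(_take(key, i, url_len), jump);   i += url_len
    comp = decode(_take(key, i, comp_len), jump); i += comp_len
    desc = decode(_take(key, i, desc_len), jump)
    return {"checksum": checksum, "seed": seed, "web": web, "company": comp, "description": desc}

def verify(key):                              # Register.verify(): parse ok AND checksum matches
    try:
        fields = parse_key(key)
    except ValueError:
        return None
    return fields if checksum_of(key) == fields["checksum"] else None

# Constructed sample key for this demonstration, not a real jIRC key. Seed 0000000
# gives JumpValue 1, so each encoded character is one code point above the plaintext.
SAMPLE_KEY = "0001734" + "0000000" + "003" + "002" + "002" + "00000" + "bcd" + "yz" + "Ij"
```

Changing any character after the checksum field, or truncating the key, makes verify() return None, exactly as the Java version would fail in the catch block or in CheckSumOK().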


Exercises

I'm pleased to announce that, as of this issue, the Reverse EngineerZINE has an official exercise to stimulate your minds. :)  These exercises are meant to give you all a taste of what TRUE reversing is all about...  adding/removing/changing functions etc...  these exercises are definitely not for complete newbies, but if you want to learn more about real reversing, give these exercises a shot. :)  Here is the first file, of, hopefully, many more to come!  Thanks to douby for his work on these :)

Reverseme1: Goal is to code the functions to enable load, save and exit.


Credits, Greetings

Thanks for checking out this issue. I hope you've found it helpful, and interesting. Please don't hesitate to send me your comments. Any additions for the next issue will be MUCH appreciated.

Credits and thanks for this issue go to: Authors of DigiChat, _duelist, Authors of jIRC, Authors of webFX 2000, douby, still green, Dracon, The Grugq, Author of NFO Builder, Authors of UPX.

Volatility's personal greetings fly out to: ACiD_BuRN, alpine, Corn, douby, JosephCo, knotty, Latigo, LaZaRuS, Lord Soth, Lucifer48, Neural, _pain, +Sandman, S^witz, Tornado, WarezPup, X-Calibre, Yoshi, and everyone I forgot (probably MANY)

Steinowitz' personal greetings fly out to: Knotty Dread, douby, Rhythm, Volatility, Dracon, ~S~, BaneOldMan, Malattia, NeuRaL_NoiSe, _duelist, korretje, MisterE, Bill Goats, PeeWee, sepulcrum, Kwazy Webbit, night, Tornado, ACiD_BuRN and everyone else in #dread, #cracking4newbies and #immortaldescendants


Copyright 2000
Volatility and the Immortal Descendants
Steinowitz and DREAD
All Rights Reserved.