Reverse EngineerZINE
Released by: The Immortal Descendants and DREAD
Editors: Steinowitz and Volatility

Issue 006
February 2000


Foreword

Greetings once again. This issue is being released past its deadline, mainly because I've been sick a lot, but also because it's been a very slow, boring month :( Steinowitz was also unable to help in the production, due to time constraints, so I hope I can bring you the same quality you've come to expect :) As always though, I'll try to scrape up enough interesting material for this issue to keep you satisfied :) Any feedback or submissions can be sent to Volatility@ImmortalDescendants.com

Enjoy!
Steinowitz and Volatility


Scene News

- What do you think of Fravia's new site www.searchlores.org?
- There is finally an essay out on reversing IDA 4.01, you can check it out at Tsehp's Mirror. Please don't be lame and use this information to hurt this wonderful company.
- IDA 4.02 has been released.
- The Reverse EngineeRING has recently been revamped by Mr. WhiTe of WkT. Hopefully he can breathe some refreshing air into this ring, and bring it back to where it once was.


Tools of the Trade
Since we've started adding "ReverseMe's" to the zine, I thought it would be fitting to mention MSDN. I realize that 90% of the people who read this zine are newbies, but that shouldn't stop you from giving these exercises a shot... once you learn a few fundamentals, adding functionality, etc., really isn't that difficult. Give it a try! If you aren't fortunate enough to have a copy of the MSDN CDs, you can always use the online version, at http://msdn.microsoft.com.

A reader sent in the following bit of wonderful news:

Hello I think you'll like this :)

Finally, the long awaited BIEW 5.0 is released under the GNU GPL, and is available from http://biew.sourceforge.net. BIEW is a portable multiplatform console viewer/editor, with binary, hexadecimal and disassembler (with Pentium III and K7 Athlon instruction sets) modes.

Here's partial ChangeLog (since 5.0pre10):

+ License changed to GNU GPL
+ Undocumented opcodes of i387SL, Cyrix487
+ Help system
+ Opcodes of AMD-K7 Athlon
+ CPU performance utility (restored from 4.x versions)
+ User screen (Ctrl-O)
+ Utilities rewritten as addons
+ Integer calculator
+ .Ini file now saves more modes
+ Crypt/Decrypt block
+ Fixed error of buffering of file
+ Fixed search system error
+ Correct disassembler error in SIB-block (existed since 0.xx versions)
+ Released time slice while waiting for input
+ Virtual jump
+ Display information about current position of file.
+ 'Put structures' in Save As dialogs for disassembler mode (attempt to recreate internal structures of current file).
+ Added RDOFF support
+ Restored 0F BA opcodes family.
+ Disassembler block rewritten as plugin
+ Accelerated video output
+ Fixed memory leak (existed since v5.0.0-pre.9)
+ Corrected minor errors

As for the Linux/Unix version: several bugs were fixed, all code was completely rewritten, and an ncurses version is now available. Along with other goodies, the BIEW sources also provide a text window library, working on DOS/WIN32/OS2/Linux/ncurses/VT100 platforms. Enjoy :)

Regards, Konstantin


Coded Stupidity
Several submissions this month... keep 'em coming in! These are always good for humor and entertainment :)

========================================================================
Hey Vola,
Just wanted to try and help contribute to the RE-Zine. I was cracking this program the other day called Winrescue. It helps backup and restore the windows registry. http://superwin.com

Just disassembling the program and searching for string references like "Thanks for registering" etc... I found a string reference to "Registration Key Accepted" and just above it was a string reference to the serial right before the call to see if what was entered equals this string.

Just thought this example demonstrated that commercial stupidity is alive and well :)
Amante4
========================================================================
hi, Volatility!
I'm sending you a piece of commercial stupidity. It's about Iris Phone 3.0. It's hard to dig around the protection routine, so the guys decided to write a separate program that registers the main one. So it's easy to locate the "protection". They were kind enough to say that the reg number begins with "#", and then they are so nice as to tell us that the reg number length doesn't match. When I fired up Wdasm I thought that it would be fast to locate the number, after I found the length. But it turned out that it is not necessary! When I typed 26 figures it said: "registered". Very stupid!
Crackenstein
========================================================================
Well thx for your work, keep on informing us!... here you have a little proggie, I'm nothing but a wannabe, a cracking newbie, but here you have my little collaboration... I hope you like it ;P

The program is Constructor99 4.0, another HTML editor... it can be found at tucows... There's no way to enter our registration details, but there are some clues in the nags that made me think that it can be registered, perhaps with a .reg... so I started regmon...

QueryValueEx HKEY_LOCAL_MACHINE\SOFTWARE\Mark Carrington\Constructor 99\4\Name       Success
QueryValueEx HKEY_LOCAL_MACHINE\SOFTWARE\Mark Carrington\Constructor 99\4\Name       Success
QueryValueEx HKEY_LOCAL_MACHINE\SOFTWARE\Mark Carrington\Constructor 99\4\Company    Success
QueryValueEx HKEY_LOCAL_MACHINE\SOFTWARE\Mark Carrington\Constructor 99\4\Company    Success
QueryValueEx HKEY_LOCAL_MACHINE\SOFTWARE\Mark Carrington\Constructor 99\4\Serial     NotFound
QueryValueEx HKEY_LOCAL_MACHINE\SOFTWARE\Mark Carrington\Constructor 99\4\ExpiresOn  Success
QueryValueEx HKEY_LOCAL_MACHINE\SOFTWARE\Mark Carrington\Constructor 99\4\LastRun    Success
QueryValueEx HKEY_LOCAL_MACHINE\SOFTWARE\Mark Carrington\Constructor 99\4\Registered NotFound

Well, I was right, let's enter a fake serial no. and that stuff... I opened the proggie again, waiting for an error before using the usual breakpoints... boom, a messagebox: we have to pay $25, press OK and surprise! another messagebox, this one is giving us the real reg code!... no comments... this is not commercial stupidity, ONLY bad programming skills...

Well Volatility, as you can see my English is really poor, if you are going to put this in your ezine please consider explaining it yourself, retranslate my translated email ;P... Thx again ;P
karlitoxZ
========================================================================

(EDITOR'S NOTE: We try not to change or reword any submissions, to keep them original. Sometimes it's necessary, but in this case it wasn't... we get your point :)
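The two checks Amante4 and Crackenstein describe, written out in C so you can recognise the shape when you meet it in a disassembler, plus the minimal change that at least defeats the "search for string references" shortcut. This is an added example, not code from any of the programs mentioned; the serial "AB12" and the hash constant are constructed for it.

```c
#include <stdint.h>
#include <string.h>

/* 1. Amante4's case: the real serial is a string literal in the binary,
 *    sitting a few bytes away from "Registration Key Accepted", and the
 *    check is one string compare. A string-reference search in W32Dasm
 *    lands straight on the literal and the compare that follows it. */
int check_serial_plaintext(const char *input)
{
    return strcmp(input, "AB12") == 0;   /* "AB12" is a constructed serial */
}

/* 2. Crackenstein's case: only the first character and the length are
 *    checked, so any 26-character string that starts with '#' passes. */
int check_serial_length_only(const char *input)
{
    return input[0] == '#' && strlen(input) == 26;
}

/* djb2 string hash (h = h * 33 + c, starting at 5381). Not a cryptographic
 * hash; it is only here to keep the serial itself out of the string table. */
uint32_t djb2(const char *s)
{
    uint32_t h = 5381u;
    for (; *s; s++)
        h = h * 33u + (unsigned char)*s;
    return h;
}

/* 3. The same check with the plaintext removed: only djb2("AB12") is kept.
 *    A string search still finds the success message, but not the key; the
 *    cracker now has to read the hash routine. The compare and the
 *    conditional jump after it can still be patched, so this raises the
 *    bar for the string-search approach only and is not a real protection. */
#define SERIAL_HASH 2088883051u   /* djb2("AB12"), computed for this example */

int check_serial_hashed(const char *input)
{
    return djb2(input) == SERIAL_HASH;
}
```

In the disassembly, case 1 is a push of the literal's address followed by a call to a string-compare routine; case 2 is a `cmp byte ptr [eax], 23h` ('#') and a length compare against 1Ah (26); case 3 is a loop ending in a `cmp eax, 7C80F5EBh`-style compare against an immediate, with no readable key anywhere in the file.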


Links of Interest

Keep the link submissions coming in, as the editors don't have all the time they'd wish to scour the web looking for interesting sites :)

Nitallica's Helpful Links & URLs is the place to go! She's put a lot of effort into compiling a HUGE list of reversing/programming etc. related sites. I don't think I'd be going too far to say that this is the most comprehensive site for reversing links on the web!

douby and sepulcrum have opened The Reversing Course. This is a really neat course, and everyone should learn a lot from it. Sign up and start today!

Thought I'd throw a shameless plug in here, for a guy who's repeatedly mailed me about adding his link to the ID site, but I haven't, because I keep forgetting. Krobar's Site is a nice essay repository; he puts a lot of effort into collecting many essays from around the web. Give him a visit!

Most of you probably know of this site... but if not, it's a good place to visit regularly, as it always has current information on the scene, the laws regarding it, and the news. http://www.slashdot.org (news for geeks :P)


Articles, Essays and Associated Literature

X-Calibre has volunteered to write an "installment-series" C programming essay for the zine. As much as he and I don't agree on many things, he knows his shit when it comes to C programming. Here's the first installment:
C: The beginning
----------------
Well, C is a relatively simple language, in that it does not have too many language constructs. That's because the language is relatively low-level; it's quite close to the machine, so to say. And the machine is a thing of anarchy and chaos. C was developed to get some structure into this without sacrificing too much performance or size. We have:

- Data declarations
- Functions
- Operators
- Flow control statements
- Type definitions

That is what you have to work with. In short, code consists of functions, containing (flow control) statements, with operations on data of specific types. That may seem a bit much to grasp at this point, but we'll take it one step at a time.

Data
----
Of course we need data, like text or numbers. On data we can perform operations, like adding, subtracting, multiplying and such. So first, let's see how we can give our programs some data. We have two kinds of data: initialized data and uninitialized data. They are declared in much the same way, except that initialized data gets a value and uninitialized data does not. First you give the type of your data variable, then you give the name:

    char myChar;

This is an uninitialized data variable. Initialized data works by assigning an initial value to the variable:

    char myChar = 'a';

Well, char is just one primitive data type of C. Here is the complete list and their sizes in memory:

- char: 1 byte integer, also used for characters.
- short: 2 byte integer.
- int: 2 or 4 byte integer, depending on the system architecture.
- long: 4 byte integer on 32-bit x86 (8 bytes on many 64-bit systems).
- float: 4 byte floating point number.
- double: 8 byte floating point number.
- (pointers): size depends on the system architecture.

As you see, some data types are dependent on the system. So to make things easier, I will assume the popular x86 system in 32-bit mode from now on. Note that other systems may vary. On 32-bit x86, ints are 4 bytes, and so are longs and pointers. Pointers are a special group of data types, which I will cover later.

These integer types are treated as signed numbers by default (plain char is the one exception: the C standard leaves its signedness to the compiler, and on x86 compilers it is signed). You can control this behaviour with the signed and unsigned qualifiers:

    signed int myVar;
    unsigned int myVar;

It is also legal to define multiple variables of the same type on one line, even intermixing initialized and uninitialized data. It works by simply separating all variables by commas, like this:

    unsigned int myVar1, myVar2, myVar3 = 50, myVar4;

... More to come next issue
X-Calibre
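An added example, not part of X-Calibre's essay, that puts the above into a compilable file. It goes a little beyond the text: it shows where initialized and uninitialized globals end up in the binary, how to discover the platform's type sizes and char signedness instead of assuming them, and why signedness matters to a reverser (a signed compare is followed by jl/jg in the disassembly, an unsigned one by jb/ja). All names are made up for this example.

```c
#include <limits.h>
#include <stddef.h>

/* Uninitialized global: the compiler only reserves room for it, in the .bss
 * section, which the loader zero-fills; nothing for it is stored in the file. */
char g_uninit;
/* Initialized global: its value is stored in the binary, in the .data
 * section, so you can see the 'a' when you open the file in a hex editor. */
char g_init = 'a';

/* Sizes of the primitive types on the platform this is compiled for.
 * On 32-bit x86 these are 1, 2, 4, 4, 4, 8 and 4 (pointer). */
size_t size_of_char(void)    { return sizeof(char); }
size_t size_of_short(void)   { return sizeof(short); }
size_t size_of_int(void)     { return sizeof(int); }
size_t size_of_long(void)    { return sizeof(long); }
size_t size_of_float(void)   { return sizeof(float); }
size_t size_of_double(void)  { return sizeof(double); }
size_t size_of_pointer(void) { return sizeof(void *); }

/* Whether plain char is signed is compiler-defined (signed on x86, unsigned on
 * most ARM targets); limits.h answers it for the current build. */
int plain_char_is_signed(void) { return CHAR_MIN < 0; }

/* Several variables of one type on one line, mixing initialized and
 * uninitialized ones. Only myVar3 may be read before it is assigned. */
unsigned int declare_several(void)
{
    unsigned int myVar1, myVar2, myVar3 = 50, myVar4;
    myVar1 = myVar2 = myVar4 = 0;
    return myVar3 + myVar1 + myVar2 + myVar4;   /* 50 */
}

/* When a signed and an unsigned int meet in a compare, the signed one is
 * converted to unsigned first: -1 becomes 0xFFFFFFFF, which is "greater"
 * than 1. In the disassembly this compare is followed by ja/jb, not jg/jl. */
int minus_one_exceeds_unsigned_one(void)
{
    int a = -1;
    unsigned int b = 1u;
    return a > b;   /* 1 */
}

/* Unsigned arithmetic wraps around modulo 2^(8 * sizeof(type)). */
unsigned char unsigned_char_wraps(void)
{
    unsigned char c = 255;
    c = (unsigned char)(c + 1);
    return c;   /* 0 */
}
```

Compile with `gcc -Wall -Wextra` and you will get a sign-compare warning on `a > b`; that warning is the compiler pointing at exactly the conversion a reverser has to keep in mind when reading the jump after a `cmp`.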


Interview

This month's interview is with a good British coder/reverser who wishes to be known as Corn. You'll find his site listed in the interview.

<Volatilit> How long have you been reversing?
<Corn> a few years, I spose
<Volatilit> What originally got you interested?
<Corn> hmmm I spose here I should talk about how I was interested in understanding protections, to be able to reality reverse shampoo bottles, but I guess it was 'cos I was too skint to pay for some software I wanted
<Volatilit> Cracking for free software is, unfortunately, usually the motive that most people use to start... but as you progress, I think the attitude changes, what do you think?
<Corn> I think you get to a point where you're able to in some way circumvent a protection (even if it's just a lame patch) and you tire of it. I think cracking is about getting free software (no matter what anyone says..) but when you reach a certain level you begin to take an interest in the protections themselves, otherwise the process would be mundane
<Corn> The majority of crackers I know learnt assembly so that they could crack, then moved onto coding, and adding functionality to programs.. this is more worthwhile imho
<Volatilit> What are some of your proudest achievements?
<Corn> tough one ;) there's no one instance really.. I think the 'proudest' you can be is when you return to a protection that stumped you previously and find a solution.. it's good to know you're making some progress
<Volatilit> Are there any essays, utilities, etc. that you've released and are pretty proud of?
<Corn> not particularly.. I'm not much into self pride, I've received e-mails from people telling me that a few of my tutorials were very easy to understand and that they helped them a lot it's nice to receive that kind of feedback
<Volatilit> Where is your website, and what can visitors expect to learn there?
<Corn> http://cornsoup.cjb.net/ has a few coding tutes, some nice ones (by other leetos) covering process related subjects that may be of interest to reversers btw, I know the site looks shite :)
<Corn> I don't think information needs to be presented with bells and whistles
<Volatilit> What are some of your current interests and/or projects?
<Corn> I'm working on a few tools, one for ISO manipulation and a couple of tools for palm pilot reversing (debugger,decompiler). I'm also trying vainly to get my "Gamespy Cracking Certification", but it's very difficult.
<Volatilit> "Gamespy Cracking Certification"?
<Corn> Yeah, apparently it's obtainable.. maybe I should write to SpySoft and ask them.
<Volatilit> I'm assuming your language of choice is C/C++. What advantages does this language have over others?
<Corn> Hrmm I think C speaks for itself really.. fast, compact (obviously compiler dependent) code. Great for both quick hacks and massive projects. I wouldn't say that C has any particular 'advantages' over other languages, the majority of languages are written for some purpose which they serve well, C is just a good all rounder
<Volatilit> Well, I guess that's all I have... anything else you think people should know about you?
<Corn> I'm lazy, pig ignorant and I fart too much (according to the gf). Greets to anyone that knows me.. oh, and our cows don't have BSE (anymore).... and ACTION BIKER!!!
<Volatilit> hahaha.. alright, thanks Corn :)



Exercises

Here is a new reverseme created by sepulcrum (DREAD). These exercises are meant to give you all a taste of what TRUE reversing is all about... adding/removing/changing functions etc... these exercises are definitely not for complete newbies, but if you want to learn more about real reversing, give these exercises a shot. :) I was a little disappointed in the lack of feedback on last issue's ReverseMe... I think newbies thought it would be too difficult to try.

ReverseMe 2: Goals are listed in the .txt file included.


Credits, Greetings

Thanks for checking out this issue. I hope you've found it helpful, and interesting. Please don't hesitate to send me your comments. Any additions for the next issue will be MUCH appreciated.

Credits and thanks for this issue go to: amante4, Authors of BIEW, Corn, Crackenstein, douby, KarlitoxZ, Konstantin, sepulcrum, X-Calibre

Volatility's personal greetings fly out to: ACiD_BuRN, alpine, Carpathia, Corn, douby, JosephCo, knotty, Latigo, LaZaRuS, Lord Soth, Lucifer48, Neural, _pain, +Sandman, S^witz, Tornado, WarezPup, X-Calibre, Yoshi, and everyone I forgot (probably MANY)

Steinowitz' personal greetings fly out to: Knotty Dread, douby, Rhythm, Volatility, Dracon, ~S~, BaneOldMan, Malattia, NeuRaL_NoiSe, _duelist, korretje, MisterE, Bill Goats, PeeWee, sepulcrum, Kwazy Webbit, night, Tornado, ACiD_BuRN and everyone else in #dread, #cracking4newbies and #immortaldescendants


Copyright 2000
Volatility and the Immortal Descendants
Steinowitz and DREAD
All Rights Reserved.