Slashdot Mirror

User: stevey

stevey's activity in the archive.

Stories: 0 · Comments: 1,162

Comments · 1,162

  1. Re:Reverse Engineering on Reverse Engineering? · · Score: 1

    > I mainly cracked games on the ZX Spectrum, using a Z80 processor.

    I started out programming by cracking games on my ZX Spectrum (by cracking I mean altering them to make sure I never ran out of lives, rather than for pirating).

    I remember for a while there were some good articles in one of the Spectrum magazines by Jon North .. he explained step by step how to alter games to make yourself invincible, etc.

    Right now, as several people have mentioned, there is a resource that is very similar: Fravia's reverse engineering site - this is primarily a cracking resource but it's very informative nonetheless.

    > Uncommented assembler is very difficult to understand,

    This is very true, but for win32 disassemblers at least, you tend to get the names of the functions that are being called in the disassemblers. If you use something like IDA it will even give you the names of MFC functions that are being called...

    > I'm working with MS crap all the time, where back engineering is almost impossible, or too time consuming.

    This is true for some things .. but even Microsoft products can be decompiled. Just beware the size of the output files! (A 1Meg .exe can easily be decompiled as a 40Mb text file).

    I still think that a knowledge of disassembly is a good tool for the general programmer, after all how many of us have to work with buggy/undocumented third party libraries?

    Steve

  2. Beginners guide to reversing win32 binaries on Reverse Engineering? · · Score: 5
    I've been reverse engineering, or reversing, Intel binaries for a while now, and although I'm not really qualified this is roughly how I started.

    First of all you need a target program, something that you'd like to reverse. Initially I'd suggest writing a smallish C/C++ program yourself, compiling it, then reversing that - I say this because it'll be small, and you should know how it works.

    Once you have a program to reverse - around 20-40k would be a good size for a start - then you'll need a disassembler. There are several around, mostly commercial ones, and some free ones.

    Here are the few that I've heard of / used:-

    • IDA This is a great disassembler, with different back-ends that can disassemble different things (for example .class files). It's a commercial one, but you can get a demo. Find this at www.datarescue.com.
    • WinDasm This is also a good one, I can't remember where I saw it.
    • Dis is the best free disassembler I found, with source code at: http://www.geocities.com/~sangcho/disasm.html - The beauty of this is that it builds under Linux, so you can decompile a Windows program from your Windows partition, and study it under Linux.

    Anyway by now you should be able to decompile most executables, and study the assembly language.
    Much of this is going to be strange to you, so try to separate out the different parts of the assembly - such as the startup code, the function calling, and the error handling.

    After a bit of study you'll soon realise what a lot of the common code is doing.

    Here's a small example of the sort of thing DIS.exe will produce:




    :00402001 E8AA220000 call 004042B0
    :00402006 83F801 cmp eax, 00000001
    :00402009 7434 je 0040203F
    :0040200B 6A00 push 00000000
    :0040200D 68A0034100 push 004103A0
    (StringData)"Startup Message"
    :00402012 6878034100 push 00410378
    (StringData)"Program Starting In Interactive Mode"
    :00402017 6A00 push 00000000
    :00402019 C705F839410000000000 mov dword[004139F8], 00000000
    :00402023 FF1560644100 call dword[00416460]
    ;;call USER32.MessageBoxA
    :00402029 EB0A jmp 00402035




    From this you can see the names of the Win32 function calls that the program is making - this will help you "copy" the program back into C.

    This is what I've done - with a good read of the assembly language you can see which Win32 API calls the program is making, and that should give you a good head start into reimplementing the code... *grin*

    Of course if you are just interested in cracking (removing protection from programs, etc), then the same things apply - you just search through your listing till you find "Incorrect Serial", etc, and change the conditional jumps appropriately - but that's bad so I'm not going to encourage you.

    Once you have your program, you can then try to translate it into C .. could be tricky .. or modify it in place. For that you'll need a good hex editor, and some understanding of assembly language. (A quick tip: you can see the instructions and opcodes in the disassembly, so to replace JNZ with JMP you could search the disassembly for a JMP and find the opcode to use. ;)

    An alternative to decompiling via static analysis is to study the program inside a debugger. Without a doubt NuMega's Soft Ice is the best debugger - but it's also very, very terse, and quite hard to learn.

    To give you some idea of the power of Soft Ice, when it is loaded you can set a breakpoint on a function such as "MessageBoxA" (called from AfxMessageBox, et al) with

    bpx MessageBoxA

    Then when any running program calls this function Soft-Ice will pop up, allowing you to study / modify the running process.

    Anyway that's enough encouragement for now. Just have patience and it will all come to you.


    Steve
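The listing quoted in the post is the raw material for the triage it describes: reading off which Win32 APIs a binary calls and which strings it hands them. The Python below is an added example, not code from the post or from the DIS tool. It parses a DIS-style listing (the sample embedded in it is the listing quoted above, marked as constructed input), pulls out the `;;call` API annotations and `(StringData)` references, re-derives the relative call/jump targets from the raw opcode bytes to show how a disassembler arrives at addresses such as 004042B0, and gathers the pushes feeding the MessageBoxA call in C argument order, which is the "copy it back into C" step. The regular expressions and field names are assumptions about the format: they cover only the line shapes that appear in the quoted listing.

```python
import re

# Constructed sample input: the DIS-style listing quoted in the post, including
# the "(StringData)" and ";;call" annotation lines the tool prints after an
# instruction. Leading whitespace on each line is ignored by the parser.
SAMPLE_LISTING = """
:00402001 E8AA220000 call 004042B0
:00402006 83F801 cmp eax, 00000001
:00402009 7434 je 0040203F
:0040200B 6A00 push 00000000
:0040200D 68A0034100 push 004103A0
(StringData)"Startup Message"
:00402012 6878034100 push 00410378
(StringData)"Program Starting In Interactive Mode"
:00402017 6A00 push 00000000
:00402019 C705F839410000000000 mov dword[004139F8], 00000000
:00402023 FF1560644100 call dword[00416460]
;;call USER32.MessageBoxA
:00402029 EB0A jmp 00402035
"""

# Line shapes assumed from the listing above (not a full grammar of DIS output).
INSN_RE = re.compile(r'^:([0-9A-Fa-f]{8}) ([0-9A-Fa-f]+) (\S+)(?: (.*))?$')
STRING_RE = re.compile(r'^\(StringData\)"(.*)"$')
APICALL_RE = re.compile(r'^;;call (\S+)$')


def parse_listing(text):
    """Parse a listing into instruction dicts; annotation lines are attached
    to the instruction that precedes them."""
    insns = []
    for line in text.splitlines():
        line = line.strip()
        m = INSN_RE.match(line)
        if m:
            addr, opbytes, mnem, operands = m.groups()
            insns.append({'addr': int(addr, 16), 'bytes': bytes.fromhex(opbytes),
                          'mnem': mnem.lower(), 'operands': operands or '',
                          'string': None, 'api': None})
            continue
        m = STRING_RE.match(line)
        if m and insns:
            insns[-1]['string'] = m.group(1)
            continue
        m = APICALL_RE.match(line)
        if m and insns:
            insns[-1]['api'] = m.group(1)
    return insns


def api_calls(insns):
    """(address, API name) for every call the disassembler resolved via the import table."""
    return [(i['addr'], i['api']) for i in insns if i['api']]


def string_refs(insns):
    """(address, string) for every instruction that references string data."""
    return [(i['addr'], i['string']) for i in insns if i['string']]


def check_branch_targets(insns):
    """Re-derive relative call/jump targets from the opcode bytes and compare
    them with the target the disassembler printed. The displacement is
    relative to the address of the *next* instruction."""
    results = []
    for i in insns:
        b = i['bytes']
        nxt = i['addr'] + len(b)
        if b[0] == 0xE8 and len(b) == 5:                  # call rel32
            disp = int.from_bytes(b[1:5], 'little', signed=True)
        elif b[0] == 0xEB and len(b) == 2:                # jmp rel8
            disp = int.from_bytes(b[1:2], 'little', signed=True)
        elif 0x70 <= b[0] <= 0x7F and len(b) == 2:        # jcc rel8 (je, jne, ...)
            disp = int.from_bytes(b[1:2], 'little', signed=True)
        else:
            continue                                      # not a relative branch
        derived = (nxt + disp) & 0xFFFFFFFF
        printed = int(i['operands'], 16)
        results.append((i['addr'], i['mnem'], derived, printed, derived == printed))
    return results


def reconstruct_call(insns, call_index):
    """Collect the pushes feeding the call at call_index, in C argument order.
    Walking backwards from the call, the first push met is the last one
    executed, i.e. the leftmost stdcall argument, so no reversal is needed.
    A mov between the pushes and the call is skipped; anything else ends
    the argument list."""
    args = []
    for i in reversed(insns[:call_index]):
        if i['mnem'] == 'push':
            if i['string'] is not None:
                args.append(i['string'])
            else:
                try:
                    args.append(int(i['operands'], 16))
                except ValueError:
                    args.append(i['operands'])            # register/memory operand: keep as text
        elif i['mnem'] == 'mov':
            continue
        else:
            break
    return args


if __name__ == '__main__':
    insns = parse_listing(SAMPLE_LISTING)
    print('API calls:', api_calls(insns))
    print('Strings:', string_refs(insns))
    for addr, mnem, derived, printed, ok in check_branch_targets(insns):
        print(f'{addr:08X} {mnem:<4} derived={derived:08X} printed={printed:08X} {"ok" if ok else "MISMATCH"}')
    for k, i in enumerate(insns):
        if i['api']:
            rendered = ', '.join(f'"{a}"' if isinstance(a, str) else str(a)
                                 for a in reconstruct_call(insns, k))
            print(f"{i['api']}({rendered})")
```

Run on the sample, the branch check confirms all three printed targets (the `E8` call lands on 004042B0 because the displacement 0x22AA is added to 00402006, the address after the 5-byte instruction), and the last loop prints `USER32.MessageBoxA(0, "Program Starting In Interactive Mode", "Startup Message", 0)`, i.e. hWnd, lpText, lpCaption, uType read straight off the push sequence.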

  3. Re:I don't think it's a good thing at all. on Borland Delphi and CBuilder for Linux. · · Score: 1
    > there still is no RAD tool that matches Borland's products. Period.

    There is work in that direction though: KDevelop is out and working just fine - it's as pointy-clicky as Visual C++.

    There are also a whole lot of Java products that have integrated GUI builders inside them that should work properly - check out Gamelan for some.

    After that there are the GUI builders that are used for creating Tk applications, such as Tkinter.

    The list goes on .. of course none of these have a big name behind them, but personally I don't think that matters...
    Steve

  4. Re:I don't think it's a good thing at all. on Borland Delphi and CBuilder for Linux. · · Score: 1

    > Some, .. would use freedom software even if it wasn't as good as a proprietary alternative in terms of convenience or performance or other measures. How about you?

    I can see what you're saying but I have to disagree with the piece above.
    If there was something about our nice platform that wasn't as good as was available in a proprietary software I'd want to be either:

    • Using the proprietary software
    • Writing a free replacement for it.

    After all I have the freedom to make my own choice..

    Steve

  5. Re:Yes, I have. on Microsoft Plays Linux Games at Work · · Score: 1
    > and made a login for shutdown.

    This could be a security hole for some machines ... depending on how it is done.

    When I installed RedHat 5.1 for the first time I made a login for a user "shutdown", and put it in the /etc/passwd file, something like this:-

    shutdown:x:0:0::/sbin/:/sbin/shutdown -h now

    This worked fine for me... But it was a huge hole for X - if you do this you can log in to X as the user shutdown, and xdm trips up over the spaces in the shutdown command.

    End result: you get a default login to X, and if you're set up to use fvwm, etc, you can click on the start button and get a root shell.

    Moral of the tale: do this better than I did!

    Steve
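What makes the entry in the post dangerous is visible in the line itself: the account has uid 0, and its seventh field is a command line with spaces rather than the path of a login program, which is what xdm choked on. Both conditions can be caught by a simple audit of the passwd file. The Python below is an added example, not something from the post: it runs over a constructed passwd and /etc/shells text (the sample includes the quoted entry; on a real host the inputs would be read from /etc/passwd and /etc/shells) and reports uid 0 accounts other than root, shell fields containing whitespace, and shells that are not listed in /etc/shells. It finds the problem; how to build a safe shutdown login is a separate question the post leaves open.

```python
import re

# Constructed sample /etc/passwd, including the entry quoted in the post:
# uid 0, and a shell field that is a command line with spaces rather than
# the path of a program.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
shutdown:x:0:0::/sbin/:/sbin/shutdown -h now
steve:x:500:500:Steve:/home/steve:/bin/bash
"""

# Constructed sample /etc/shells; a real system lists its own.
SAMPLE_SHELLS = """\
/bin/sh
/bin/bash
/sbin/nologin
"""


def parse_passwd(text):
    """Split passwd lines into the seven colon-separated fields."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            entries.append({'line': n, 'name': line, 'error': 'expected 7 colon-separated fields'})
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            entries.append({'line': n, 'name': name, 'uid': int(uid), 'gid': int(gid),
                            'home': home, 'shell': shell})
        except ValueError:
            entries.append({'line': n, 'name': name, 'error': 'non-numeric uid/gid'})
    return entries


def audit_passwd(passwd_text, shells_text):
    """Return (line, account, finding) tuples for entries worth a second look."""
    valid_shells = {s.strip() for s in shells_text.splitlines()
                    if s.strip() and not s.startswith('#')}
    findings = []
    for e in parse_passwd(passwd_text):
        if 'error' in e:
            findings.append((e['line'], e['name'], e['error']))
            continue
        if e['uid'] == 0 and e['name'] != 'root':
            findings.append((e['line'], e['name'], 'uid 0 account other than root'))
        if re.search(r'\s', e['shell']):
            findings.append((e['line'], e['name'],
                             'shell field contains whitespace (a command line, not a program path)'))
        if e['shell'] and e['shell'] not in valid_shells:
            findings.append((e['line'], e['name'], 'shell not listed in /etc/shells'))
    return findings


if __name__ == '__main__':
    for line, name, finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(f'line {line}: {name}: {finding}')
    # On a real host:
    # audit_passwd(open('/etc/passwd').read(), open('/etc/shells').read())
```

On the sample every finding points at line 3, the shutdown account: it is a second uid 0 login, its shell field is a command line, and that command line is naturally absent from /etc/shells. An empty shell field is left alone, since login programs treat it as the default shell.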

  6. Re:Wow. on Microsoft Plays Linux Games at Work · · Score: 1
    > I believe they made some sort of agreement (with SCO?) when they sold IRIX forbidding them to compete in the Unix market.

    Microsoft own a small amount of SCO, see their yearly report:

    SCO 1999 DEF 14A

    [As of 31 December 1998, Microsoft Corporation owns 12.3% of SCO.]

    But the agreement that you mention was created at around the time that SCO sold Microsoft Xenix. This was for a certain amount of time, and has since expired. (Actually this reminds me of the guy who created Pong... Wasn't he supposed to have agreed not to compete with Atari(?) in the video game arena until ~1985??)

    Steve

  7. Re:Guns and You on Everything We've Heard About Columbine is Wrong? · · Score: 1

    > Harris and Klebold took out, what, 13 people with all those big evil nasty guns you're so fixated upon? Lam3rz by comparison, I'd say.

    I think there's a big difference here ... and that is they killed children.

    Here in the UK we had a guy run rampant for a while in Hungerford, he killed a few people and we were all shocked - but nothing was done about it.

    Then we have the killings at the school in Dunblane - that was shocking, and that directly prompted the UK gun ban.

    It's a lot easier to get media attention when children are killed - and it's a lot worse for society too.

    Steve

  8. Re:Trenchcoat Mafia on Everything We've Heard About Columbine is Wrong? · · Score: 1

    > "We can only do something *after* a crime has been committed"

    Isn't that how police work everywhere though?

    (Forgetting about entrapment, and the like)

    I think that in the UK you are not as likely to need the gun in the first place, what you're saying is that if somebody was to attempt to mug you with a gun - you could pull out yours and be okay, _before_ the police arrived.

    Over here not so many people have guns, so it's much less likely that somebody would ever threaten you with one.

    Perhaps you could still get mugged, but you'd be unlikely to get killed.

    I think it's much too easy to kill somebody with a gun, self-defence to a lot of Americans seems to equate to killing your attacker -> I think that's wrong, self-defence should be just that.
    Be it shooting in the leg, or Tai Chi ..

    Steve

  9. Re:Great! More Distraction! on Bandai to develop online games for cell phones · · Score: 1

    > If you ask me, pagers are the most worthless hack

    I've resisted getting a mobile phone for a very long time ... when I'm not working I don't
    want people to be able to get in touch with me, but I could settle for a pager.

    It seems to me that very few people actually *need* mobile phones, people who are acting like their phone is a toy are doing that because their phone is a toy to them.

    The reason that I like pagers is because I can just put it in my pocket, and not have to look at
    it unless I want to ... there's nothing more frustrating than talking to a friend, and getting interrupted by them being phoned up in the street.

    I like toys as much as the next man, but do we really need to be in contact with the world 24Hrs a day? (Forgetting Doctors/Nurses/Firemen/Tech Support/etc).

    Steve

  10. Re:Z80 Architecture and the Programming Conspiracy on Zilog (re-)introduces the Z80 · · Score: 1

    Am I the only one to remember playing Sabre Wolfe on the Spectrum ... that was a game that really packed in the code.

    One of the most impressive games of the time I thought, although Manic Miner and Chuckie Egg were also pretty cool.

    The Chuckie Egg Appreciation Society has information on ports to other platforms..

    Steve

  11. Re:Nostalgic twinge on Zilog (re-)introduces the Z80 · · Score: 1

    I remember having a competition with some friends to see who could remember enough Z80 instructions to create a working program for the Sinclair Spectrum.
    This is the best I could come up with:

    33,0,64 // start of screen
    1,0,27 // size of screen
    62,255 // A=255
    55 // scf ?
    205,86,5 // call load-file
    201 // return.

    I *think* that's right
    Steve
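To see what each number in that list stands for, here is an added Python decoder (not from the post): an opcode table covering only the six Z80 instructions the program uses, and a loop that walks the decimal byte list, decodes the little-endian 16-bit operands, and returns the mnemonics. The byte list embedded in it is constructed from the post, with the separators normalised to commas.

```python
# Constructed from the decimal byte list in the post, separators normalised.
SPECTRUM_BYTES = [33, 0, 64, 1, 0, 27, 62, 255, 55, 205, 86, 5, 201]

# Minimal Z80 opcode table: opcode -> (format string, immediate size in bytes).
# Only the six instructions the program uses are covered; anything else raises.
OPCODES = {
    0x21: ('LD HL,{imm:#06x}', 2),
    0x01: ('LD BC,{imm:#06x}', 2),
    0x3E: ('LD A,{imm:#04x}', 1),
    0x37: ('SCF', 0),
    0xCD: ('CALL {imm:#06x}', 2),
    0xC9: ('RET', 0),
}


def disassemble_z80(code, origin=0):
    """Return (address, mnemonic, immediate) for each instruction in code.
    Z80 16-bit immediates are stored low byte first, so the bytes 0,64
    decode to 0x4000 and 86,5 decode to 0x0556."""
    out = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f'opcode {op:#04x} at offset {pc} is not in the minimal table')
        fmt, size = OPCODES[op]
        operand = code[pc + 1:pc + 1 + size]
        if len(operand) != size:
            raise ValueError(f'truncated operand at offset {pc}')
        imm = int.from_bytes(bytes(operand), 'little') if size else None
        out.append((origin + pc, fmt.format(imm=imm) if size else fmt, imm))
        pc += 1 + size
    return out


if __name__ == '__main__':
    for addr, text, imm in disassemble_z80(SPECTRUM_BYTES):
        extra = f'  ; {imm}' if imm is not None else ''
        print(f'{addr:04x}  {text}{extra}')
```

The decoded values line up with the post's comments: HL is loaded with 16384 (0x4000, the Spectrum display file) and BC with 6912 (0x1B00, the display file length); CALL 0x0556 is the 48K Spectrum ROM's LD-BYTES tape routine, which the post labels load-file, with A=255 selecting a data block and SCF selecting load rather than verify.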

  12. Red Hat KickStart on Customized Linux Installations · · Score: 1

    This is exactly what the KickStart file is used for, it allows you to select the packages, etc, that will be used for the installation.

    You can find info in the RedHat manual once you have installed it, or online at:


    Steve