Zeezee's comments to Quine's IDA reversing (PHASE 1)
2 November 1997
Some words about the advanced cracking/quine essay.
I have used IDA since version 2.x, sent to me on a 5 inch floppy.
Imagine that I've never, never used WDasm.
IDA is excellent. I even bought an early version for $7 (this price was for
ex-USSR citizens and I used the name of my colleague in Russia to register it).
For others the price was about $20 or so. The updates worked until 3.5 with
my key, and then Ilfak started to make money with datarescue and wanted $199,
which is IMHO quite high compared with the $7 I've given for it. There was no
cheap update to 3.6 pro possible, so I've found 3.6 regged on the ftp world.
Sorry, Ilfak.
I still wonder that IDA's quality was discovered so late.
Look at Ilfak's pages. There is Flirt, IDA SDK and FAQ and more.
Now, Ilfak Guilfanov released old version as freeware (ida37fw.zip,
but it's not 3.7, it's reworked 3.6). Thanks anyway, Ilfak.
The version 3.7 (demo37.zip from datarescue) is much, much better,
as quine said; I agree.
Syntax highlighting and stack variables are great. In fact, they helped me
to quickly crack date protection in IDA itself.
But there is a (not so) subtle problem. IDA cannot load old databases.
Although quine says that .IDC loading may help, it's not so.
Not all changes are written into .IDC and .IDC loading takes soooo long.
With .IDB it goes amazingly fast, especially if you have lots of RAM (64M).
I cracked the load check; now it loads the old .idb file, tries to execute
main() after loading and... crash. Exception D. Tries to read from 00000064.
Seems to be another long->int typecast in the code.
quine, are you reading this? Start your BC and... can you find it?
Until now, I have not found the solution.
The file-load check is just below the date check.
Mail me at zee_zee@hotmail.com for details.
Here is some help: an IDA.HLP message decoder. Run it in the dir where IDA.HLP exists.
You may quickly identify message numbers before the call to the (kinda) msgbox.
-------------------------------------------------------------------------------
// dida.c
// quick & dirty IDA.HLP texts extractor
// by zeezee
// no comments regarding quality of this code, please
// usage: dida >dida.txt
// must be run from dir where ida.hlp exists
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>  // fixed-width types, so the file layout does not depend on the compiler

// Assumption: the original was built with a 16-bit Borland C, where
// unsigned long is 4 bytes (confirmed by the "ox += 4" pointer step below)
// and unsigned is 2 bytes. If the length fields in your ida.hlp turn out
// to be 4 bytes wide, change msglen_t to uint32_t.
typedef uint32_t fileoff_t; // 32-bit file offsets (the original's unsigned long)
typedef uint16_t msglen_t;  // message length field (the original's unsigned)

int main(void)
{
    FILE *ifil;
    fileoff_t p1, p2, ox, plimit;
    msglen_t plen;
    unsigned cnt;
    char msg[4001]; // should be enough for almost all msgs

    ifil = fopen( "ida.hlp", "rb" );
    if( ifil == 0 )
        exit( 1 ); // forgot to put ida.hlp here
    ox = 0xd;
    fseek( ifil, ox, SEEK_SET );                       // start of pointers
    if( fread( &p1, sizeof( p1 ), 1, ifil ) != 1 )     // read ptr to first text
        exit( 1 );                                     // file too short to be an ida.hlp
    p2 = p1;                                           // p2 will point to (length/text) pair
    plimit = p1;                                       // when we reach this offset reading pointers it's time to end
    cnt = 0;                                           // what we will print as msg number
    do
    {
        fseek( ifil, p2, SEEK_SET );
        if( fread( &plen, sizeof( plen ), 1, ifil ) != 1 ) // plen is msg length
            break;                                     // pointer led past EOF: stop instead of printing garbage
        if( plen < 4000 )
        {
            printf( "%03X: ", cnt );                   // put msg number
            plen = (msglen_t) fread( msg, 1, plen, ifil ); // get msg (a short read just truncates the text)
            msg[plen] = 0;                             // just to be sure
            puts( msg );                               // put msg, don't use printf
        }
        else
        {
            printf( "%03X: ", cnt );
            puts( "msg too long" );                    // obvious
        }
        ox += 4;                                       // move to next pointer
        fseek( ifil, ox, SEEK_SET );
        if( fread( &p2, sizeof( p2 ), 1, ifil ) != 1 ) // get this pointer
            break;
        cnt++;
    } while( ox < plimit );                            // check if all pointers read
    fclose( ifil );                                    // that's all
    return 0;
}
-------------------------------------------------------------------------------
I can post the results of my work on IDA 3.7 pro if you think it will be useful.
zeezee (zee_zee@hotmail.com)
Yes, I do
(c) zeezee 1997. All rights reversed