Reverse Engineering War Stories

Sometimes you don’t have the source code and you need to reverse engineer the program or the black box. Any funny war stories?

Here is one of mine:

A few years ago I had to rewrite a device driver for which I did not have the source code. The driver ran on an old CP/M microcomputer and drove a special photocomposition machine through the serial port. I had almost no documentation for the photocomposition machine.

I finally hacked together a serial port monitor on a DOS PC that simulated the responses of the photocomposition machine. I connected the DOS PC to the CP/M machine and started logging the data coming from the device driver as I transferred data from the CP/M machine. This allowed me to figure out the connection and the encoding used by the device driver and re-create the equivalent for the DOS machine.

+42
reverse engineering
Oct 10 '08 at 21:05
13 answers

Read the FCopy story for the C-64 here:

In the 80s, the Commodore C-64 had an intelligent floppy drive, the 1541, i.e. an external unit that had its own processor and everything.

The C-64 would send commands to the drive, which would in turn execute them on its own, reading files etc., and then send the data to the C-64 over a proprietary serial cable.

The manual for the 1541, besides the commands for reading and writing files, also listed commands for reading and writing its internal memory space. Even more exciting was that you could load 6502 code into the drive's memory and execute it there.

That got me hooked, and I wanted to play around with it: execute code in the drive. Of course, there was no information about what code could be executed there and what functions it could use.

A friend of mine wrote a disassembler in BASIC, so I read out the entire contents of its ROM, which was 16 KB of 6502 processor code, and tried to understand what it was doing. The OS in the drive was pretty amazing and advanced, IMO: it had a kind of task management, with commands being sent from the communication module to the disk I/O task handler.

I learned enough to understand how to use the disk I/O to read and write disk sectors. In fact, having read the Apple DOS 3.3 book, which explained in detail all the workings of its disk format and algorithms, was a big help in understanding all this.

(Later I found out that information reverse-engineered from the drives of the 4032/4016 Commodore business models, which worked almost the same as the 1541, was also available, but it was not accessible to me as a rather unconnected hobby programmer at the time.)

Most importantly, I also found out how the serial comm worked. I realized that the serial connection, using 4 lines, two for data and two for handshake, was programmed very inefficiently, all in software (although done correctly, using the classic serial handshake).

Thus I was able to write a much faster comm routine in which I made fixed assumptions about the timing, using both the data and the handshake lines for data transmission.

Now I was able to read and write sectors, and also transfer data faster than ever before.

Of course, it would be great if you could just load some code into the drive that speeds up the data exchange and then use the usual commands to read a file, which would in turn use the faster connection. This was not possible, however, since the OS in the drive did not provide any hooks for this (remember that the entire OS was in ROM and could not be modified).

So I was wondering how I could turn my exciting findings into a useful application.

Having been a programmer for a while, all the while dealing with data loss (music tapes and floppy disks were not very reliable), I thought: Backup!

So I wrote a backup program that could duplicate a floppy disk at an unprecedented speed: the first version copied an entire 170 KB disk in just 8 minutes (yes, minutes), the second version did it in 4.5 minutes. The programs that came before mine took more than 25 minutes. (Mind you, the Apple ][, which had a disk operating system that ran directly on the Apple with fast parallel access to the data, did it in a minute or so.)

And so FCopy was born for the C-64.

It soon became very popular. Not as a backup program, as I had expected, but as the first choice for those who wanted to copy games and other software for their friends.

It turned out that a simplification in my code, which simply skipped unreadable sectors by writing a sector with a bad CRC to the copy, circumvented most of the copy protection schemes used then, allowing you to copy most of the previously uncopyable disks.

I tried to sell my application and actually sold it 70 times. When I began to advertise it in magazines, claiming that it would copy a disk in less than 5 minutes, customers would call and not believe it, "knowing better" that this could not be done, until they tried it.

Not much later, others began to reverse engineer my application and optimize it, making the comm even faster, which led to copy programs that did it in as little as 1.5 minutes. Faster was impossible, because due to the limited amount of memory available in the 1541 and the C-64, you had to swap the disks several times in the same drive to copy all 170 KB of its contents.

In the end, FCopy and its optimized successors were probably the most popular C-64 software of the 80s. And although it didn't pay off financially for me, I was still proud of it, and I learned a lot about reverse engineering, the futility of copy protection, and what fame looks like. (Actually, Jim Butterfield, editor of a C-64 magazine in Canada, told his readers my story, and soon I had a check for about CA$1000, collected by the magazine from many grateful users sending in $5 bills; that was a lot of money for me then.)

+43
Dec 17 '08 at 12:32

I have another story:

A few years after my FCopy success story, I was approached by someone who asked me if I could hack slot machine software.

This was in Germany, where almost every pub had one or two of them: you would throw in money in the amount of about a US quarter, then it would spin three wheels, and if you were lucky with some kind of pattern you would win, and then have the choice of double-or-nothing on the next game or taking your current win. The goal of the game was to try to double your win several times until you got into "series" mode, where any subsequent win, no matter how small, would bring you a big payout (about 10 times your cost per game).

The difficulty was knowing when to double and when not. Of course, for the "outsider" it was completely random. But it turned out that these German machines used simple pseudo-random tables in their ROMs. Now, if you watched the machine play for several rounds, you could figure out where this "random table pointer" was and predict its next move. Thus the player would know when to double and when to stop, ultimately leading him to a "big series win".

Now, this was already commonplace when this man approached me. There was an underground scene that had access to the ROMs of these machines, found the tables and created software for computers such as the C-64 to predict the machine's next move.

Then a new type of machine appeared, though, which used a different algorithm: instead of using precalculated tables, it did something else, and none of the resident crackers could figure it out. So I was approached, being known as a genius since my FCopy fame.

So I got a ROM. 16 KB, as usual. No information about what it did and how it worked. I was on my own. Even the code did not look familiar (I only knew 6502 and 8080). After some digging and asking around, I found it to be 6809 (which, it seemed to me, was the most beautiful 8-bit processor, having similarities with the 680x0 processor, which was much more linear than the mess that is the x86 family's instruction set).

By that time I already had a 68000 computer (I worked for the company Gepard Computer, which built and sold such a machine, with its own developer OS and everything) and was programming in Modula-2. So I wrote a disassembler for the 6809, which helped me in reverse engineering by finding routines, jumps, etc. Slowly I got an idea of the control flow of the gaming machine's program. In the end I found code that looked like a mathematical algorithm, and it dawned on me that this could be the random generation code.

Since I never had a formal education in computer science, until then I had no idea how a typical random generator using mul, add and mod worked. But I remembered seeing something about it in the Modula-2 book, and then I realized what it was.

Now I could quickly find the code that called this randomgen and find out which "events" led to an iteration of the randomgen, which meant I knew how to predict the next iterations and their values during the game.

It turned out that I needed to find out the current position of the randomgen. I have never been good at abstract things like algebra. I knew someone who had studied math and was also a programmer. When I called him, he quickly figured out how to solve this problem, and talked a lot about how easy it would be to determine the value of the random seed. I did not get any of it. Well, I understood one thing: it would take a lot of computation to accomplish this, and for the C-64 or any other 8-bit computer it would take several hours, if not days.

So I decided to offer him 1000 DM (which was a lot of money then) if he could write me the procedure in 68000 assembler. It didn't take long and I had code that I could test on my 68000 computer. It usually took 5 to 8 minutes, which was acceptable. So I was almost there.

Still, I needed to carry the 68000 computer to the pub where the gaming machine was. My Gepard computer was clearly not the portable type. Fortunately, someone else I knew in Germany had released a 68000 computer on a small circuit board. For I/O it had only serial communication (RS-232) and a parallel port (Centronics was the standard of the day). I could connect 9-volt batteries to it to make it work. Then I bought a Sharp PDA with a rubber keyboard and a single-line 32-character display. It ran on batteries, and that was my terminal. It had an RS-232 connector that I connected to the 68000 board. The Sharp also had some kind of non-volatile memory that allowed me to store the software for the 68000 randomgen crack on the Sharp, transferring it on demand to the 68000 computer, which then calculated the seed value. Finally, I had a small Centronics printer that printed on narrow thermal paper (the size that cash registers use to print receipts). Consequently, as soon as the 68000 had the results, it would send the series of results for the upcoming games on the slot machine to the Sharp, which printed them on paper.

So, in order to empty one of these slot machines, you had to work with two people: you start playing, record your results, and once you have the minimum number of games needed to calculate the seed, one of you goes to a car parked outside, turns on the Sharp, enters the results, has the 68000 computer crunch for 8 minutes, and out comes a printed list of the upcoming games. Then all you needed was that tiny piece of paper, take it to your friend who kept the machine occupied, align the past results with the printout, and after no more than 2 minutes you were "surprised" to win a whole 100-game series. Then you played those 100 games, almost emptying the machine (and if the machine was empty before the 100 games were played, you were entitled to wait for it to be refilled, perhaps even returning the next day, while the machine stayed locked until you came back).

It was not Las Vegas, so you could only get 400 DM from a machine, but it was fast and sure money, and it was exciting. Some pub owners suspected us of cheating, but could do nothing against us because of the laws at the time, and even when some called the police, the police were on our side.

Of course, the slot machine manufacturer soon got wind of it and tried to counteract it by shutting down these machines until new ROMs were installed. But the first few times they only changed the numbers of the random generator. We only needed to get the new ROMs, and it took me a few minutes to find the new numbers and put them into my software.

So this went on for some time, during which my friends and I travelled through several pubs in several German cities, looking for those machines we could crack.

In the end, however, the machine's designer learned how to "fix" it: until then, the randomgen had only been advanced at certain predictable points in time, e.g. something like 4 times during a game, and again when the player pressed the "double or nothing" button.

But then they finally changed it so that the randomgen was polled constantly, meaning that we could no longer predict the next seed value exactly at the time the button was pressed.

That was the end. However, writing a disassembler for this one crack only, finding the key subroutines in 16 KB of 8-bit CPU code, figuring out unknown algorithms, investing quite a lot of money to pay someone to develop code I did not understand, finding the parts for a portable high-speed computer featuring a headless 68000 processor with the Sharp as terminal and a printer for convenient output, and then actually emptying the machines themselves was one of the most exciting things I've ever done with my programming skills.

+39
Dec 17 '08 at 13:20
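The attack described in the answer above, observe a few outputs of a multiply-add-mod generator, recover its internal state, then predict the upcoming games, as an added example. This is not the ROM code or the purchased 68000 routine from the story; the generator constants (A, C, M), the 16-bit state, the 3-bit reel symbol taken from the top of the state, and "the generator advances once per reel" are all assumptions made for illustration. The seed recovery is a plain brute force over the 2^16 possible states, which is what the "several hours on an 8-bit computer" remark amounts to; it also shows why the manufacturer's final fix (polling the generator continuously) broke the attack.

```python
"""Recover an LCG's state from observed slot machine reels, then predict.

Added example. NOT the original machine's algorithm: A, C, M, the 16-bit
state, REEL_BITS and ADVANCES_PER_GAME are assumptions for illustration.
"""

# Assumed LCG parameters: full period on a 16-bit state (C odd, A % 4 == 1).
A, C, M = 0x4E35, 1, 1 << 16
REEL_BITS = 3            # assumed: 8 reel symbols, taken from the top bits
ADVANCES_PER_GAME = 3    # assumed: the generator steps once per reel


def lcg_next(state: int) -> int:
    """One iteration of the mul-add-mod generator."""
    return (A * state + C) % M


def reel_symbol(state: int) -> int:
    """Map a generator state to the symbol shown on a reel (top bits only)."""
    return state >> (16 - REEL_BITS)


class Machine:
    """Toy slot machine: advances the generator once per reel per game."""

    def __init__(self, seed: int) -> None:
        self.state = seed % M

    def play(self) -> list:
        reels = []
        for _ in range(ADVANCES_PER_GAME):
            self.state = lcg_next(self.state)
            reels.append(reel_symbol(self.state))
        return reels


def recover_states(observed: list) -> list:
    """Brute-force every 16-bit start state and keep those that reproduce
    every observed reel. Returns the candidate state(s) *after* the last
    observed reel, which is exactly what prediction needs. Each 3-bit reel
    leaks 3 bits, so six or so reels normally pin down all 16 state bits;
    more than one candidate can survive, so callers get a list."""
    flat = [sym for game in observed for sym in game]
    candidates = []
    for seed in range(M):
        st = seed
        for sym in flat:
            st = lcg_next(st)
            if reel_symbol(st) != sym:
                break
        else:  # every observed reel matched this seed
            candidates.append(st)
    return candidates


def predict(state: int, games: int) -> list:
    """Replay the generator from a recovered state to list upcoming games."""
    machine = Machine(state)
    return [machine.play() for _ in range(games)]


def prediction_holds(seed: int, watched_games: int, extra_advances: int) -> bool:
    """Watch `watched_games`, recover the state, forecast the next game, then
    let the machine advance `extra_advances` times behind our back (the
    manufacturer's 'poll constantly' fix). With 0 extra advances the forecast
    always matches; with unknown extra advances it almost never does."""
    machine = Machine(seed)
    watched = [machine.play() for _ in range(watched_games)]
    forecasts = {tuple(predict(c, 1)[0]) for c in recover_states(watched)}
    for _ in range(extra_advances):  # idle polling the player never sees
        machine.state = lcg_next(machine.state)
    return tuple(machine.play()) in forecasts


if __name__ == "__main__":
    machine = Machine(0xBEEF)                     # pub machine, seed unknown to us
    seen = [machine.play() for _ in range(3)]    # games we watched and wrote down
    cands = recover_states(seen)
    print("observed reels:", seen)
    print("candidate states:", [hex(c) for c in cands])
    for c in cands:
        print("forecast from", hex(c), "->", predict(c, 5))
    print("actual next games:", [machine.play() for _ in range(5)])
    print("predictable after fix?", prediction_holds(0xBEEF, 3, 7))
```

Three watched games (nine reels) are usually enough here; if the list of candidates has more than one entry, watching one more game and filtering again is the cheap way to disambiguate.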

Back in the early 90s, I forgot my CompuServe password. I had an encrypted version of it in CIS.INI, so I wrote a small program to do a plaintext attack and analysis in an attempt to reconstruct the encryption algorithm. 24 hours later, I had figured out how it worked and what my password was.

Soon after, I did a cleanup and published the program as freeware so that CompuServe customers could recover their lost passwords. The company's support staff often referred these people to my program.

In the end it found its way onto several bulletin boards (remember them?) and Internet forums and was included in a German book about CompuServe. It is still floating around out there somewhere. In fact, Google takes me straight to it.

+10
Oct 17 '08 at 11:42

Well, this wasn't reverse engineering (quite), but a simple hardware hack born of sheer frustration. In the early 90s I was an IT manager for a Southwestern Bell cellular phone region. My IT department was significantly underfunded, so we spent money on smart people, not on equipment.

We had a wide-area network between the major cities, used exclusively for customer service, with critical IP links. Our corporate executives insisted that we install a network monitoring system to notify us when the lines went down (no money for redundancy, but they would spend money to handle failures).

The STRONGLY recommended solution ran on a SPARC workstation and started at $30k plus the cost of the SPARCstation (about $20k then), which was a significant chunk of my budget. I couldn't see it; it was a waste of $$. So I decided to do a bit of hacking instead.

I took an old PC that was scheduled for disposal, put a copy of ProComm on it (remember ProComm?) and had it ping each of the necessary nodes along the route (this was one of the later versions of ProComm that had FTP scripting as well as serial lines, KERMIT, etc.). A bit of script logic triggered a pager message when a node could not be reached. I already used it to page our technicians, so I reused the pager code. The script ran continuously, sending a ping once per minute across each of the critical links and forking into the pager code when the ping did not return.

We duplicated this system in every critical location for less than $500 and got very quick notification when a link went down. The next issue: one of our first troubleshooting techniques was to reset our routers and/or terminal servers. I had several X10 dial-up controllers and several X10 on/off power switches. You had to know the correct phone number to call and the correct tones to press, but we printed a cheat card for each technician and they kept it with their pager. Instant fast response! One of my technicians programmed the phones we all had so that resetting specific equipment at each site was a speed dial. One tech solves the problem!

Now for the "told you so" part.

I was sitting at lunch with our corporate network manager in Dallas, who was insisting on buying the Sun network management product. I get a page that one of our links is down, and then a second page. Since the pager messages came from two different servers, I knew for sure which router was involved (this was a setup, I already knew, because the tech at the meeting with me had queued up a "router down" during the meal so we could show off). I showed the pager messages to the manager and asked him what he would do to solve this problem. He looked at me suspiciously, as he had not yet been paged by his Solaris NMS system, which was supposed to be tracking the critical links. "Well, I guess you'd better call the tech and get him to reset the router and see if that fixes it." I turned to the tech who was having lunch with us and asked him to handle it. He pulled out his cell phone (this time above the table) and hit the speed dial he had programmed to reset the router in question. The phone dialed the X10 switch, told it to turn off the router's power, paused five seconds, told it to turn the router back on, and hung up. Our ProComm script paged us that the link was restored within three minutes of this procedure. :-)

The corporate network manager was very impressed. He asked me what the price of my new system was. When I told him less than $1k, he was apoplectic. He had just ordered the BIG Sun Solaris network management kit for the tasks I had illustrated. I think he spent something like $150k. I told him how it was done and offered him the ProComm script for the price of lunch. TANSTAAFL. He told me he'd buy me lunch to keep my mouth shut.

Cleaning out my old boxes of disks etc., I found a copy of the code: "Pingasaurus Rex" was the name I gave it. It was a hack from the good old days.

+10
Jul 17 '11 at 1:20
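The monitoring loop the answer above describes (ping every critical link once a minute, page on loss, page again on recovery), as an added example; this is not the original "Pingasaurus Rex" ProComm script, which is not on the page. The host names are constructed, the pager is just a callable, and `ping_probe` assumes a Linux-style `ping -c 1 -W <seconds>`. The one thing added beyond the story is a consecutive-failure threshold, so a single dropped packet does not wake a technician at 3 a.m.; `scripted_probe` is a constructed probe so the whole thing runs offline.

```python
"""Edge-triggered link monitor with pager alerts.

Added example, not the original ProComm script. Host names, the pager
callable and the two-lost-pings threshold are assumptions; ping_probe
assumes Linux `ping -c 1 -W <s>`.
"""

import subprocess
import time


def ping_probe(host: str, timeout_s: int = 2) -> bool:
    """Real probe: one ICMP echo via the system ping; only reachability is used."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def scripted_probe(script: dict):
    """Constructed probe for offline runs: each host gets a fixed list of
    True/False results returned in order (the last value repeats)."""
    position = {host: 0 for host in script}

    def probe(host: str) -> bool:
        results = script[host]
        index = min(position[host], len(results) - 1)
        position[host] += 1
        return results[index]

    return probe


class LinkMonitor:
    """Pages once when a link goes DOWN (after `fail_threshold` consecutive
    lost pings) and once when it comes back UP; silent in between."""

    def __init__(self, links, probe, fail_threshold: int = 2) -> None:
        self.links = list(links)
        self.probe = probe
        self.fail_threshold = fail_threshold
        self.failures = {link: 0 for link in self.links}
        self.down = set()

    def poll(self) -> list:
        """Probe every link once; return pager messages for state changes."""
        pages = []
        for link in self.links:
            if self.probe(link):
                self.failures[link] = 0
                if link in self.down:          # recovery edge
                    self.down.remove(link)
                    pages.append("UP %s" % link)
            else:
                self.failures[link] += 1
                if self.failures[link] >= self.fail_threshold and link not in self.down:
                    self.down.add(link)        # failure edge, debounced
                    pages.append("DOWN %s after %d lost pings"
                                 % (link, self.failures[link]))
        return pages


def run(monitor: LinkMonitor, pager, interval_s: int = 60) -> None:
    """Continuous loop: one sweep per minute, as the original script did."""
    while True:
        for message in monitor.poll():
            pager(message)
        time.sleep(interval_s)


if __name__ == "__main__":
    # Constructed scenario: router-a drops for two sweeps, then recovers.
    script = {"router-a": [True, False, False, True],
              "router-b": [True, True, True, True]}
    mon = LinkMonitor(script, scripted_probe(script))
    for sweep in range(4):
        print("sweep", sweep, mon.poll())
    # For real links: run(LinkMonitor(["10.1.1.1"], ping_probe), print)
```

Because `poll()` returns the messages instead of sending them, the pager back end (a modem script then, an SMS or webhook call now) is a separate concern and the state machine can be exercised without any network.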

Once, while playing Daggerfall II, I couldn't afford the Daedric Dai-Katana, so I hex-edited the savegame.

Being serious, I managed to remove the key check on a friend's AutoCAD installation using SoftICE many years ago. That was before the Internet was big. He worked as an engineer, so he had a legal copy. He had just forgotten the key at his office, and he needed to get something done, and I thought it would be a fun challenge. I was very proud of it afterwards.

+9
Oct 10 '08 at 21:28

The most painful one for me was for a product where we wanted to embed an image in an Excel spreadsheet (this was years ago, before open standards). So I needed to understand and "reverse" the internal document format. In the end I did a hex comparison between files with and without an image to figure out how to put it in, plus some bit of math...

+7
Oct 10 '08 at 21:19

I once worked on a tool that collected inventory information from a PC when it logged onto the network. The idea was to keep track of all the PCs in your company.

We got a new requirement to support the Banyan VINES network system, which is now long forgotten but was pretty cool when it came out. I could not figure out how to get the Ethernet MAC address from the Banyan adapter, since there was no documented API for it.

Digging around on the Internet, I found a program published by some other Banyan nerd that did exactly that. (I think it stored the MAC address in an environment variable so you could use it in a script.) I tried writing to the author to find out how his program worked, but he either didn't want to tell me or wanted some ridiculous amount of money for the information (I don't remember which).

So I just fired up a disassembler and took his utility apart. It turned out it was making one simple call to the server, an undocumented function code in the Banyan API. I worked out the details of the call: it basically asked the server for this workstation's address via RPC, and the MAC was part of the Banyan network address.

Then I just emailed the engineers at Banyan and told them what I needed to do: "Hey, it looks like RPC function number 528 (or whatever it was) returns what I need. Is it safe to call?"

The Banyan engineers were very cool; they confirmed that the function I had found was correct and was not likely to change. I wrote my own new code to call it, and I was off and running.

Years later, I used basically the same method to reverse an undocumented compression scheme in a documented format. I found a little-known support tool provided by the (now defunct) company that unpacked these files, and reverse engineered it. It turned out to be a very simple variant of Lempel-Ziv used within the block structure of their file format. The results of that work are written up for posterity in the Wireshark source code; just look for my name.

+7
Oct 10 '08 at 21:20

Almost 10 years ago, I picked up the UFO/XCOM Collector's Edition from the bargain bin at a local bookstore, mainly out of nostalgia. When I got home I was very glad that it had been ported to Windows (the DOS versions did not run under Win2k)... and then disappointed that it had distorted graphics.

I was going to shrug it off (bargain bin and all), but then my friend said: "Didn't you reverse engineer software before?", which led to a night of drinking a lot of cola and reverse engineering while chatting with my friend. In the end I wrote a bug-fix loader that fixed the pitch and width problem, and was finally able to play the first two XCOM games without booting up the old hardware (DOSBox wasn't there yet, and my machine was not powerful enough for full-blown virtualization).

The loader gained some popularity and was even distributed with the Steam re-release of the games for a while; I think they have now switched to DOSBox.

+6
Jul 17

I wrote a driver for the Atari ST that supported Wacom tablets. Some of the Wacom data could be found on their website, but I still had to figure out a lot.

Then, once I had written a library for accessing Wacom tablets (and a test application to show the results), it became clear to me that the OS API (the GEM window system) had no way of actually placing the mouse cursor somewhere. As a result, I had to hook some interrupts into something called the VDI (like GDI in Windows) and be very careful not to crash the computer from the inside. I got some help (in the form of suggestions) from the developers of the accelerated version of the VDI (NVDI), and everything was written in PurePascal. I still have people asking me how to move the mouse cursor in GEM, etc.

+4
Nov 11 '08 at 8:24

I had to reverse engineer a video processing application for which I had only part of the source code. It took me weeks and weeks to work out the control flow, as it kept using CORBA to call itself, or to be called from CORBA in some part of the application I did not have access to.

Sheer idiocy.

+2
Oct 10 '08 at 21:23

I recently wrote an application that downloads all the content from a Domino webmail server using curl. This is because the subcontractor running the server charges several hundred dollars for each archive request.

They changed their webmail version about a week after I released the app to the department, but I managed to get it working again using a BIG pile of regular expressions and XML.

+2
Oct 10 '08 at 21:44

When I was in high school, they introduced special hours every week (it was 3 hours, if I remember correctly) in which we had to choose a class with a teacher to help with any questions about their subject. Of course, everyone always wanted to spend that time in the computer room playing on the computers there.

To choose the room you were supposed to be in, there was an application that tracked how many students would go to a particular room, so you had to reserve your slot in time or else there was no choice of where to go.

At the time I always liked to play on the computers there, and I already had administrator access, but only for this application, which did not help me much. So I used my administrator access to make a copy of the application and took it home to examine. I don't remember all the details now, but I found that this application used an Access database file located on a hidden network share. Then, taking a copy of this database file, I found that the database had a password. Using some Linux database access tools I could easily get around this, and after that it was easy to import this database into my own MySQL server. Then, with a simple web interface, I could look up the details of each student in the school to change their slots and promote myself into the computer room every time.

The next step was to write my own application, which would allow me to simply select a student from a list and change things without having to look up the password, which was implemented in just a few hours.

Although this is not a very impressive story compared to some of the others in this thread, I still remember that it was a lot of fun for a high school kid.

+2
Jul 17 '11 at 13:00

0
Jun 08 '09 at 19:21


