Zeezee's comments to Quine's IDA reversing (PHASE 1)
2 November 1997

   Some words about the advanced cracking / quine essay.
   I have used IDA since version 2.x, which was sent to me on a 5 inch floppy.
   Imagine that I've never, never used WDasm.
   IDA is excellent. I even bought an early version for $7 (this price was for
   ex-USSR citizens and I used the name of my colleague in Russia to register it).
   For others the price was about $20 or so. The updates worked until 3.5 with
   my key, and then Ilfak started to make money with datarescue and wanted $199,
   which is IMHO quite high compared with the $7 I paid for it. There was no
   cheap update to 3.6 pro possible, so I found a regged 3.6 in the ftp world.
   Sorry, Ilfak.

   I still wonder why IDA's quality was discovered so late.
   Look at Ilfak's pages. There is Flirt, IDA SDK and FAQ and more.

   Now Ilfak Guilfanov has released an old version as freeware (ida37fw.zip,
   but it's not 3.7, it's a reworked 3.6). Thanks anyway, Ilfak.

   Version 3.7 (demo37.zip from datarescue) is much, much better,
   quine said, and I agree.
   Syntax highlighting and stack variables are great. In fact, they helped me
   to quickly crack the date protection in IDA itself.
   But there is a (not so) subtle problem: IDA cannot load old databases.
   quine says that .IDC loading may help, but it's not so.
   Not all changes are written into the .IDC, and .IDC loading takes soooo long.
   With an .IDB it goes amazingly fast, especially if you have lots of RAM (64M).

   I cracked the load check; now it loads the old .idb file, tries to execute
   main() after loading and... crash. Exception D. Tries to read from 00000064.
   Seems to be another long->int typecast in the code.
   quine, are you reading this? Start your BC and... can you find it?
   Until now, I have not found the solution.
   The file-load check is just below the date check.
   Mail me at zee_zee@hotmail.com for details.
   Here is some help: an IDA.HLP message decoder. Run it in the dir where IDA.HLP exists.
   You may quickly identify message numbers before the call to the (kinda) msgbox.
-------------------------------------------------------------------------------
// dida.c
// quick & dirty IDA.HLP texts extractor
// by zeezee
// no comments regarding quality of this code, please
// usage: dida >dida.txt
// must be run from dir where ida.hlp exists
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>     /* fixed-width types: the original is assumed to be a 16-bit
                           Borland C build, where unsigned long = 4 bytes, unsigned = 2 */

int main( void )
{
    FILE *ifil;
    uint32_t p1, p2, ox, plimit;    /* 32-bit file offsets (pointers) */
    uint16_t plen;                  /* 16-bit message length */
    unsigned cnt;
    char msg[4001];                 // should be enough for almost all msgs

    ifil = fopen( "ida.hlp", "rb" );
    if( ifil == 0 )
        exit( 1 );                  // forgot to put ida.hlp here
    ox = 0xd;
    fseek( ifil, ox, SEEK_SET );    // start of pointers
    fread( &p1, sizeof( p1 ), 1, ifil );    // read ptr to first text
    p2 = p1;                        // p2 will point to (length/text) pair
    plimit = p1;                    // when we reach this offset reading pointers it's time to end
    cnt = 0;                        // what we will print as msg number
    do
    {
        fseek( ifil, p2, SEEK_SET );
        fread( &plen, sizeof( plen ), 1, ifil );    // plen is msg length
        if( plen < 4000 )
        {
            printf( "%03X: ", cnt );                // put msg number
            fread( msg, 1, plen, ifil );            // get msg
            msg[plen] = 0;                          // terminate, just to be sure
            puts( msg );                            // put msg, don't use printf (msg may contain %)
        }
        else
        {
            printf( "%03X: ", cnt );
            puts( "msg too long" );                 // obvious
        }
        ox += 4;                                    // move to next pointer
        fseek( ifil, ox, SEEK_SET );
        fread( &p2, sizeof( p2 ), 1, ifil );        // get this pointer
        cnt++;
    } while( ox < plimit );                         // check if all pointers read
    fclose( ifil );                                 // that's all
    return 0;
}
-------------------------------------------------------------------------------
I can post the results of my work on IDA 37 pro if you think it will be useful.

zeezee (zee_zee@hotmail.com)
Yes, I do
(c) zeezee 1997. All rights reversed