
Bringing a decade old vector editor back to life - 2StepsOutOfLine
https://github.com/ChrisMiuchiz/Plasma-Writeup
======
Jasper_
I've reverse engineered a number of content encryption schemes. It's always a
ton of fun, and you get to see the large amount of psychological warfare at
play at the higher tiers.

A very common trick that I've seen in a lot of Japanese games, for offline
material, is to combine a hashing system and encryption. That is, the game
will attempt to load "main.script", which is a custom bytecode scripting
language. The file stored on disk would have the filename of a SHA1 hash of
"main.script", but the contents would be encrypted with a private key like
"tprics.niam". "main.script" then loads a number of other files using its
scripting system, so it's a very annoying process to take the whole thing
apart, as you need to hunt down the original filename through the scripting
system. Either that or you guess at filenames.

You tend to see some really high-level effort put into systems, like the one
game I took apart that had its own custom scripting language with classes and
coroutines.

[https://gist.github.com/magcius/bff948b13128b70695e3841e2084...](https://gist.github.com/magcius/bff948b13128b70695e3841e208407ce)

One game I found had a custom bytecode system that drove me nuts for weeks.
The opcodes were specifically picked so that a large number of the popular
ones were reflections of each other in dec, hex and binary. So you'd go "I've
seen opcode 0x0353 before", but alas, you had _actually_ seen opcode decimal
353. Similarly, there were opcodes 101 and 0x101 and 0b101 and they all did
slightly different things. You think you could stick to hex, but there's
enough slop in the process and your brain is so used to pattern-matching that
it was pretty effective.

~~~
userbinator
Indeed, it's often more fun than playing the game itself; but then again, I'm
someone who has been taking things apart since I was very young (and not
surprisingly, got into trouble a few times for it...) I suspect RE is
something that's closer to what those in the other sciences do, i.e. analysis
and thinking more about how/why things are the way they are, rather than what
they can build; which is why not a lot of developers (who almost always build,
except when they have to debug) seem to have any interest/skills of RE much if
at all.

~~~
imtringued
The real reason is that open source software completely eliminates the need
for reverse engineering. RE only makes sense when you don't have access to the
source code. Doing things like private server emulation for an MMORPG might
sound cool but the reality is that half the game content exists server side.
You're not able to invest enough resources to rebuild the original experience
and even if you could why not spend those resources on your own game? The
demand for reverse engineering is pretty small.

~~~
mysterydip
There are many MMOs that now officially only exist as memory, either shut down
or altered in such a way that they aren't the same games anymore. Some people
don't want to make their own game, they want to play the game they used to
with friends/family years ago that is now unavailable. The amount of community
effort put into some private servers is impressive. I wouldn't spend my own
time doing it, but I'm glad there are people that do.

~~~
cycloptic
I just find that more disappointing because the copyright holder is positioned
to be able to open-source or public-domain-dedicate the material but they
don't for various reasons and it rots on a backup drive somewhere or gets
lost, and now unnecessary duplication of effort must occur to recreate it.

Often it seems rather paradoxical in nature because the main reason they don't
open-source it is that they're waiting for a time in the future when the
demand rises and it will be worth something again, and yet the increased
demand only happens because of the efforts of reverse engineers keeping the
community alive. It's almost always impossible for the reverse engineers to
legally get paid for this work too. The only hopes for that are either for the
copyright holders to raise enough money and decide to hire them, or to do an
anonymous patreon and hope it doesn't attract the wrong kind of attention.

------
userbinator
_This is part of a larger pattern of fairly weak attempts to confuse a reverse
engineer that made it frustrating to figure out what all the opcodes did, and
there were many duplicate opcodes that were just implemented in different
ways._

Since the code presented in the article didn't look like handwritten Asm (and
if it was, it would've probably been even more insanely obfuscated and greatly
confused IDA's decompilation), I wonder if compilers of the time were far
worse at optimisation, or if the author deliberately disabled it so that the
code would be more bloated and harder to understand as well as containing the
source obfuscations; seems like "Here's addition implemented by multiplying
the result with some number and its reciprocal" would be something that's
replaced-on-sight by an optimiser doing constant propagation.

Also, I was not surprised to discover that this program appears to be both [1]
of German origin, and [2] shareware. When I was in the cracking scene long
ago, "German shareware" was widely known for the insane strength of its
protection.

~~~
atombender
Pure speculation, but it's quite possible that it was written in Delphi (the
last iteration of Borland's Turbo Pascal lineage), which had a fast single-pass
compiler that did very little optimization. Delphi was very popular in
Germany in the late 1990s and early 2000s.

~~~
imtringued
Delphi makes things worse because the code it generates is incredibly ugly.
The code listings use the C++ std and it looks straightforward so presumably
it is just good old C++.

~~~
vintagedave
It could equally be C++Builder. Back in those days, the C++ compiler used a
similar backend to Delphi - it was derived from Delphi's originally, since the
two products interop and you can use both languages in one app. Today's
C++Builder uses LLVM.

------
Multicomp
This was amazing to read. Reading stories of reverse engineering and cracking
long-dead programs is interesting enough, but then being able to buy the
domain and re-implement the authentication servers from just what the client
expects?!

I'm staggered at the skills needed to do that.

~~~
matheusmoreira
It's amazing what people can accomplish... Gives me hope that old video games
will one day receive the same treatment. Way too many of them lost online
multiplayer after the game company moved on.

~~~
marcan_42
Unfortunately, this is only possible because the obfuscation used is just weak
obfuscation.

Once you throw real public-key encryption into the game, which is what any
competent company trying to avoid cloned servers should be doing, there is no
way to create alternate servers just from game data. You need to at the very
least patch the game and change the key.

~~~
quietbritishjim
I'm not sure the parent comment is necessarily going for a patchless solution,
and as you say, by the time you have got far enough with reverse engineering
for the particular type of encryption to matter, you can always just patch the
executable to bypass it altogether. (In fact by halfway down the article the
author had done exactly that.)

Besides, I'm not even convinced that "any competent company" would bother with
public/private key cryptography given that it makes little difference to them
how exactly their copy protection is broken.

The bigger problem for the parent commenter is if actual game logic is
executing on the server, which is probably the case for online multiplayer
games.

~~~
matheusmoreira
> The bigger problem for the parent commenter is if actual game logic is
> executing on the server, which is probably the case for online multiplayer
> games.

Yes. I used to play on unofficial MMORPG servers back in the day. People
reverse-engineered the network protocol and created an open source game
server. It didn't have all the features of the official game but it ran fine
and could be freely modded. I used to host one of these on my own home
computer... Traditionally the official game client is used but some games even
have custom clients!

Examples:

[https://github.com/opentibia/server](https://github.com/opentibia/server)

[https://github.com/otland/forgottenserver](https://github.com/otland/forgottenserver)

[https://www.wireshark.org/docs/dfref/t/tibia.html](https://www.wireshark.org/docs/dfref/t/tibia.html)

------
Jerry2
Whoa, this editor was quite amazing! If you have two minutes, watch the "Photo
Texturing" and "Photo Editing" demonstrations:

[https://youtu.be/bCWX3BNT1H0?t=150](https://youtu.be/bCWX3BNT1H0?t=150)

~~~
zimpenfish
I guess you could emulate the "Photo Texturing" functionality in something
like Blender with UV Unwrapping? Will give it a go later.

The "Image Warping" I'm pretty sure you can do in Photoshop these days tho'.

~~~
rcxdude
I've achieved a similar effect with Krita's warp tool and 'transform layers'
(which let you treat a transformation as a filter layer so you can still edit
the un-transformed version), but it's clearly not a use-case the developers
intended and therefore is nowhere near as smooth to use.

------
gayprogrammer
What is the backstory behind why the company stopped selling this software?
Has anyone asked the author or company about it? Would it be worth asking them
to release the source since it's been so long since selling it?

~~~
2StepsOutOfLine
Most software development Wollay does is intermittent at best. The Cube
World community went 6 years without an update. He will occasionally (every
few years) post screenshots and teasers on social media, but it seems very
clear that development of his projects is whimsical. I don't think anyone at
this point would be surprised if he tweeted out tomorrow that he's done
developing Cube World.

It also seems that Plasma was never actually sold. It was a preview that just
required a free signup.

~~~
jandrese
At this point he can't bring it back. The article author bought the expired
domain and put up his own authentication server on it.

~~~
eeeficus
He can, by re-releasing it with minor modifications to use another domain?

------
chocolatkey
That was really cool and educational, especially the part about reverse
engineering the VM! Makes me wonder if all companies go to such trouble to
protect their IP, especially since it seems that VM was in-house.

------
Benjamin_Dobell
This is really cool, and certainly a solid example of why the legislation is
moronic. However, isn't this a violation of DMCA's (and similar legislation
worldwide) "software lock" circumvention laws?

> _It's not pretty, but this is probably the first time anyone's been able to
> use Plasma at all in the better part of a decade. It seems that Wollay
> removed a critical UI file (for the sheet which artwork exists on) from
> Plasma, and made it so that the server would provide an obfuscated version
> of it to the client. That way, no amount of tampering could get an
> unauthorized copy of Plasma to work. Unfortunately, without the
> authentication server, authorized copies of Plasma cannot work anyway.
>
> Around this time, I started looking at what the picroma.de domain used to
> point to. I didn't find much of interest on archive.org, but...
>
> The domain was now available after all these years, and I bought it._

To clarify, none of the reverse engineering stuff is the issue. However, when
you start reimplementing or circumventing "authorization", then you're
potentially in some trouble. Worse, it's not civil, like copyright
infringement, whereby the IP owner has to go after you. It's criminal, so
technically law enforcement themselves can go after you.

In this case it seems unlikely; still, be careful, folks.

~~~
PeterisP
What do you mean by the "(and similar legislation worldwide)"? DMCA is a
USA-specific limitation that goes way beyond what the rest of the world has; USA
has had some success pushing something like that to a few other countries
through transatlantic trade treaties, but as far as I understand, most of the
world does not have DMCA-like legislation; it's not universal in the way that
Berne convention is. For example, EU copyright law explicitly permits reverse
engineering of any software you own, and if it's needed for the purposes of
interoperability you're allowed to distribute modifications to copyrighted
works without permission from the author.

~~~
Benjamin_Dobell
DanBC's comment contains useful information. The EU issued a Copyright
Directive, thus all member states were told to implement compatible laws.

As pertains to Latvia specifically (I apologise if my Github <-> HN username
assumption is inaccurate), then the relevant laws are implemented under
"Copyright Law, Chapter XI, Section 68".

We also still have laws in Australia that permit reverse engineering for the
purpose of interoperability. This is what I meant above where I wrote:

> _To clarify, none of the reverse engineering stuff is the issue._

The problem is these laws are superseded when circumvention of technological
measures pertaining to copy protection is involved.

~~~
PeterisP
True, I had missed the Information Society Directive which adds the
restrictions on circumventing effective technological measures. The big
problem is in the interaction between these parts of copyright law and the
other parts which limit the copyrights; so even if _you_ have the right to do
something yourself, then the distribution of these "circumvention measures" is
prohibited by this. Sad.

------
aardvark291
What program do those disassembly screenshots come from?

~~~
blcArmadillo
I think it's from IDA. For example see screenshots here:
[https://www.hex-rays.com/products/ida/6_0/](https://www.hex-rays.com/products/ida/6_0/).

There are similar reverse engineering tools that are open source such as:

- Ghidra: [https://ghidra-sre.org/](https://ghidra-sre.org/)

- radare2: [https://rada.re/n/radare2.html](https://rada.re/n/radare2.html)

------
megiddo
What a magnificent yak shave.

------
tambourine_man
I thought it was FreeHand. Maybe someday.

~~~
purerandomness
I hoped to hear someone finally ported Xara LX [1] to Cairo...

[1]
[https://en.wikipedia.org/wiki/Xara_Xtreme_LX](https://en.wikipedia.org/wiki/Xara_Xtreme_LX)

~~~
teleforce
Looking forward to this as well. I've used Xara Extreme version 4 (released
around 2008) a couple of years after they released Xara Extreme LX, and
I've still got the CD with me. It's probably the fastest and the most
intuitive graphics editor I've used. It seamlessly managed to integrate raster
and vector graphics editing for the masses.

------
nwsm
Nice work! Coincidentally I saw the product of your work first on the
CubeWorld subreddit. You didn't let on how much reverse engineering was
required.

------
bjonnh
This was an entertaining read and well explained.

------
pram
It’s insane to me that such a full featured graphics editor was just
abandoned.

~~~
vanderZwan
My guess is that when CubeWorld went viral it sucked up all of the time of the
sole developer.

------
pjmlp
Wow! Congratulations, that was lots of effort going through all of that.

------
ellis0n
Good job!

QA: Do you still need that again with your developer tools?

------
gadders
Something that just occurred to me - that encryption routine looked like a lot
of work.

Do you think the creator would have been net up in revenue terms by adding
features, or by using this feature to reduce piracy?

