Bringing a decade old vector editor back to life (github.com/chrismiuchiz)
565 points by 2StepsOutOfLine on April 30, 2020 | hide | past | favorite | 86 comments

I've reverse engineered a number of content encryption schemes. It's always a ton of fun, and you get to see the large amount of psychological warfare at play at the higher tiers.

A very common trick that I've seen in a lot of Japanese games, for offline material, is to combine a hashing system and encryption. That is, the game will attempt to load "main.script", which is a custom bytecode scripting language. The file stored on disk would have the filename of a SHA1 hash of "main.script", but the contents would be encrypted with a private key like "tprics.niam". "main.script" then loads a number of other files using its scripting system, so it's a very annoying process to take the whole thing apart, as you need to hunt down the original filename through the scripting system. Either that or you guess at filenames.
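A minimal sketch of that scheme (only the hashed-filename idea is from the description above; the key derivation and cipher are my guesses for illustration):

```python
import hashlib

def stored_name(logical_name: str) -> str:
    # On disk, the file is named by the SHA-1 hash of its logical name,
    # so a directory listing reveals nothing about what each file is.
    return hashlib.sha1(logical_name.encode()).hexdigest()

def derive_key(logical_name: str) -> bytes:
    # Hypothetical per-file key: the logical name reversed, which is
    # roughly what the example key above looks like.
    return logical_name[::-1].encode()

def xor_crypt(data: bytes, key: bytes) -> bytes:
    # Stand-in cipher (repeating-key XOR); the real cipher is unknown.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

name = "main.script"
print(stored_name(name))                  # opaque 40-hex-char filename
blob = xor_crypt(b"some bytecode", derive_key(name))
print(xor_crypt(blob, derive_key(name)))  # round-trips to the plaintext
```

Without the scripting system telling you that "main.script" exists, there is no way to go from the hash back to the name, which is exactly what makes the hunt so annoying.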

You tend to see a really high level of effort put into these systems, like one game I took apart that had its own custom scripting language with classes and coroutines.


One game I found had a custom bytecode system that drove me nuts for weeks. The opcodes were specifically picked so that many of the popular ones were reflections of each other in decimal, hex, and binary. So you'd go "I've seen opcode 0x0353 before", but alas, you had actually seen opcode decimal 353. Similarly, there were opcodes 101 and 0x101 and 0b101, and they all did slightly different things. You'd think you could stick to hex, but there's enough slop in the process, and your brain is so used to pattern-matching, that it was pretty effective.
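To see why the trick works, note that the same digits name three genuinely different values depending on base:

```python
# Three visually identical opcodes that are numerically distinct.
handlers = {
    101:   "decimal-101 handler",
    0x101: "hex-0x101 handler",     # value 257
    0b101: "binary-0b101 handler",  # value 5
}
print(len(handlers))   # 3: all three are distinct table entries
print(0x0353, 353)     # 851 vs 353: 0x0353 is not the 353 you saw earlier
```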

Indeed, it's often more fun than playing the game itself; but then again, I'm someone who has been taking things apart since I was very young (and, not surprisingly, got into trouble a few times for it...). I suspect RE is closer to what those in the other sciences do, i.e. analysis and thinking about how/why things are the way they are, rather than what they can build; which is why not many developers (who almost always build, except when they have to debug) seem to have much interest in or aptitude for RE.

I've previously described physicists as reverse engineers of the universe (and biologists as reverse engineers of nature) :-)

They really are much closer disciplines than most people might imagine.

Just trying to read a mathematical paper is like RE. You could try to follow every step, pausing until you have the full specification, but that would take months. And more importantly, it's unlikely that you are willing or able to spend six months on just that one paper.

Or, like people do in RE, you fall back to things you know (OP knew hex, decimal and binary before he encountered the reflected codes he talks about) and you try to force the paper through your personal veil. I guess when people reverse engineer hardware you follow the routes you took (maybe taking months) the first time you took something apart.

Usually, it makes sense to do so because the reason why you read the paper in the first place is because you think that it has some connection with your own work.

In Quantum Mechanics circles, many authors have different mathematical backgrounds, so just translating what they are doing and thinking is already RE. A good example of this is logical semantics: There are countless flavours of how to write logic down, each with their own symbols and motivations. I would prefer if any logic that you end up with is the internal logic of a category, but analogously this would be like Apple forcing everyone to use their hardware connector pins.

A paper usually does have a path that is chosen by the author, but the RE component is inevitable if you want the paper to be in context with your own research. Otherwise I guess it would be more like a class or university module, where you are following along, but you don't really have an intention of building on the subject matter in your own time. Science also has the disadvantage to newcomers that you don't know how much has already been done, and hence you are forced to have endless lectures to just bring you up to speed.

The real reason is that open source software completely eliminates the need for reverse engineering. RE only makes sense when you don't have access to the source code. Doing things like private server emulation for an MMORPG might sound cool but the reality is that half the game content exists server side. You're not able to invest enough resources to rebuild the original experience and even if you could why not spend those resources on your own game? The demand for reverse engineering is pretty small.

There's many MMOs that now officially only exist as memory, either shut down or altered in such a way that they aren't the same games anymore. Some people don't want to make their own game, they want to play the game they used to with friends/family years ago that is now unavailable. The amount of community effort put into some private servers is impressive. I wouldn't spend my own time doing it, but I'm glad there are people that do.

I just find that more disappointing because the copyright holder is positioned to be able to open-source or public-domain-dedicate the material but they don't for various reasons and it rots on a backup drive somewhere or gets lost, and now unnecessary duplication of effort must occur to recreate it.

Often it seems rather paradoxical in nature because the main reason they don't open-source it is that they're waiting for a time in the future when the demand rises and it will be worth something again, and yet the increased demand only happens because of the efforts of reverse engineers keeping the community alive. It's almost always impossible for the reverse engineers to legally get paid for this work too. The only hope for that is either for the copyright holders to raise enough money and decide to hire them, or to run an anonymous Patreon and hope it doesn't attract the wrong kind of attention.

Indeed, and conversely that's why to a researcher like me RE feels like the only branch of coding that actually achieves something (emotionally; intellectually I know of course that's not true).

One of the reasons I was attracted to computers when I was a kid was figuring out Windows secrets.

That comparison was really insightful to me

I'm reminded of the 'xcodes' bytecode-interpreter/virtual-machine used in the original Xbox, as part of its security model.

See [0] and page 25 of [1]

[0] (PDF) https://cs.oberlin.edu/~ctaylor/classes/341F2012/xbox.pdf

[1] (PDF) https://events.ccc.de/congress/2005/fahrplan/attachments/674...

Which parts are the coroutines?

Multiple methods in that snippet use something like:

    while(true) {
        wait 200;
implies there are multiple synchronous execution stacks. It's not threading, as the synchronization points are explicit.
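A sketch of what such a VM might be doing under the hood, using Python generators as the coroutines (the tick-based event loop is my assumption, not anything from the game):

```python
import heapq

def blinker(log):
    # Rough analogue of: while(true) { wait 200; ... }
    while True:
        yield 200            # "wait 200": suspend, resume 200 ticks later
        log.append("blink")

def mover(log):
    while True:
        yield 300
        log.append("move")

def run(tasks, until):
    # Each task runs until it yields a wait duration (the explicit
    # synchronization point); the loop resumes it at the right tick.
    queue = [(0, i, t) for i, t in enumerate(tasks)]
    heapq.heapify(queue)
    while queue:
        clock, i, task = heapq.heappop(queue)
        if clock >= until:
            break
        delay = next(task)
        heapq.heappush(queue, (clock + delay, i, task))

log = []
run([blinker(log), mover(log)], until=700)
print(log)
```

Each script has its own suspended stack frame, but control only changes hands at a `wait`, which is what distinguishes this from preemptive threading.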

>synchronization points are explicit

Hmmm, I'd have just called it cooperative threading/multitasking then. Or do you think that would be wrong?

It wouldn't. That's literally what coroutines are. In-process, lightweight, cooperative multitasking, built in as a language feature (or at least close enough to it).

It is not. Coroutines are a much more fundamental feature. They can be used to implement cooperative multitasking, and since that is such a common use case, they have gotten confused with the concept of cooperative multitasking.

Actual coroutines are a lot more flexible and interesting than just cooperative multitasking, though.

Erm, I'm pretty sure I can implement coroutines using cooperative multitasking. Also, the other way around. So I'd say they're equivalent in that sense.

Cooperative multitasking usually involves a scheduler. Coroutines are called explicitly, which you can't do through a scheduler.

Now you're really just making claims about implementation details. That doesn't make one concept more "fundamental" or "flexible" than the other, while "interesting" is just a subjective judgement.

I'm not. The scheduler decides what code to execute next, the caller does not. With coroutines, the caller explicitly decides what code to execute next. That's a fundamental difference.
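For what it's worth, the distinction shows up with plain Python generators, where the caller transfers control explicitly and no scheduler exists anywhere:

```python
def consumer():
    # A coroutine: it suspends at yield and resumes exactly when the
    # caller decides to transfer control back, no scheduler involved.
    total = 0
    while True:
        item = yield total   # suspend; resume when the caller sends
        total += item

def producer(sink, items):
    next(sink)               # prime the coroutine to its first yield
    running_total = 0
    for item in items:
        running_total = sink.send(item)  # explicit transfer of control
    return running_total

print(producer(consumer(), [1, 2, 3]))  # 6
```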

Explicitly selecting what code to execute next can be trivially achieved in a cooperative multitasking system. Naturally, the details work out differently. That's because both concepts are equivalent, just not the same.

Sure, you could implement some kind of anti-scheduler, but that is just plain silly, and really doesn't affect the point at all. You can do anything in any Turing-complete language, but that doesn't mean that Brainfuck is equivalent to Prolog in any way that is actually useful or interesting.

That's like saying that implementing a scheduler using coroutines is silly. Yet people do it all the time. * You may keep moving the goal posts all you want; your original claims were wrong and they stay wrong.

Can't you just say something like "I like coroutines more, they are so minimalist and elegant, and yet they are equivalent in power to cooperative multitasking!". I'd actually subscribe to that notion. But not your overblown claims of objective superiority.

* One has to wonder why so many people crave a scheduler, when they already have coroutines? Maybe because having a scheduler makes certain things easier than naked coroutines?

It's not, that is a perfectly logical thing to do: Use a more generic primitive to implement more specific functionality.

It's not about liking one thing or another more. It's that coroutines are coroutines, and cooperative multitasking is cooperative multitasking. The two are often confused, and all I am saying is that that is incorrect.

Cooperative multitasking can easily be implemented with coroutines, but doesn't have to be. You could implement coroutines with cooperative multitasking but doing so is highly silly and a massive hack.

>The two are often confused, and all I am saying is that that is incorrect.

And both are equally capable is all I'm saying.

Well, I suppose we've come close enough then to move on.

With coroutines, your program logic itself is the scheduler.

Thus why coroutines are more fundamental and powerful.

Coroutines and cooperative threading/multitasking are indeed threading. I assume they meant to say that it was neither preemptive nor parallel, which makes it somewhat limited. Some people think a system has to be one or both of those to be called threading.

For me, and for a vast majority of people I'd say, the word "threading" in common parlance implies pre-emptive scheduling with implicit synchronization points.

cooperative threading is just coroutines plus a scheduler.

>a lot of Japanese games

What kind of games are we talking about? Computer games or mobile ones?

Some Japanese arcade games are known to have byzantine content protection schemes meant to prevent cabinet bootlegging. There's been a lot written about Capcom's CPS-2 and CPS-3 systems in particular.

This is part of a larger pattern of fairly weak attempts to confuse a reverse engineer that made it frustrating to figure out what all the opcodes did, and there were many duplicate opcodes that were just implemented in different ways.

Since the code presented in the article didn't look like handwritten Asm (and if it were, it would probably have been even more insanely obfuscated and greatly confused IDA's decompilation), I wonder whether compilers of the time were far worse at optimisation, or whether the author deliberately disabled it so that the code would be more bloated and harder to understand, on top of the source-level obfuscations; it seems like "Here's addition implemented by multiplying the result with some number and its reciprocal" would be something that's replaced on sight by an optimiser doing constant propagation.

Also, I was not surprised to discover that this program appears to be both [1] of German origin, and [2] shareware. When I was in the cracking scene long ago, "German shareware" was widely known for the insane strength of its protection.

Pure speculation, but it's quite possible that it was written in Delphi (the last iteration of Borland's Turbo Pascal lineage), which had a fast single-pass compiler that did very little optimization. Delphi was very popular in Germany in the late 1990s and early 2000s.

Delphi makes things worse because the code it generates is incredibly ugly. The code listings use the C++ standard library and look straightforward, so presumably it's just good old C++.

It could equally be C++Builder. Back in those days, the C++ compiler used a similar backend to Delphi - it was derived from Delphi's originally, since the two products interop and you can use both languages in one app. Today's C++Builder uses LLVM.

Borland had a C++ compiler too, but it was never nearly as popular as the Pascal-based Delphi.

I doubt the compiler would optimize out multiplications like that, as floating-point math is not associative. You'd have to pass -ffast-math to get the compiler to attempt to optimize that out. It looks like typical compiler output to me.
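A quick check with IEEE-754 doubles (the same arithmetic Python uses) shows why a conforming compiler can't fold the multiply/reciprocal pair away:

```python
c = 49.0
x = 1.0
# 1/49 rounds to a double slightly off the true value, so the
# "identity" x * c * (1/c) comes back one ulp short of x.
y = (x * c) * (1.0 / c)
print(y == x)   # False: the round trip is not exact
print(y)
```

With -ffast-math the compiler is allowed to pretend such identities hold and would fold the whole thing to `x`; without it, the multiplications stay.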

A lot of obfuscators out there use VMs with convoluted pieces of assembly implementing each opcode of the VM. Pushing, popping, swapping register values, etc, etc. In many cases the opcodes are microinstructions that can be used to implement x86 instructions making the VM an x86 emulator. It's super satisfying when you finally get x86 opcodes out of the other end and then patch those back into the program.
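Schematically, the pattern looks like this (a toy stack VM of my own invention, not any particular obfuscator):

```python
def run_vm(code, regs):
    # Each original native instruction gets compiled into several
    # micro-ops; the reverse engineer's job is to recognize the
    # sequence and collapse it back into one instruction.
    stack = []
    for op, arg in code:
        if op == "push_reg":
            stack.append(regs[arg])
        elif op == "push_imm":
            stack.append(arg)
        elif op == "swap":
            stack[-1], stack[-2] = stack[-2], stack[-1]
        elif op == "add":
            stack.append(stack.pop() + stack.pop())
        elif op == "pop_reg":
            regs[arg] = stack.pop()
    return regs

# Micro-op sequence equivalent to the single x86 instruction `add eax, 5`
regs = run_vm(
    [("push_imm", 5), ("push_reg", "eax"), ("swap", None),
     ("add", None), ("pop_reg", "eax")],
    {"eax": 10},
)
print(regs["eax"])  # 15
```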

Historically, Germany has had issues with crackers.

This was amazing to read. Reading stories of reverse engineering and cracking long-dead programs is interesting enough, but then being able to buy the domain and re-implement the authentication servers from just what the client expects?!

I'm staggered at the skills needed to do that.

It's amazing what people can accomplish... Gives me hope that old video games will one day receive the same treatment. Way too many of them lost online multiplayer after the game company moved on.

Unfortunately, this is only possible because the protection used is just weak obfuscation.

Once you throw real public-key encryption into the game, which is what any competent company trying to avoid cloned servers should be doing, there is no way to create alternate servers just from game data. You need to at the very least patch the game and change the key.
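The idea, sketched with textbook RSA (toy key size, no padding, purely illustrative; real systems would use a proper signature scheme):

```python
# Public key baked into the shipped client; private key stays on the
# real server. Classic textbook parameters: n = 61 * 53, e*d = 1 mod phi.
n, e = 3233, 17
d = 2753

def sign(message_hash: int) -> int:
    # Only the real server can do this.
    return pow(message_hash, d, n)

def verify(message_hash: int, signature: int) -> bool:
    # The client checks that the server's reply was signed with the
    # private key; an emulated server cannot forge this without
    # patching the client to swap in its own public key.
    return pow(signature, e, n) == message_hash

h = 123
sig = sign(h)
print(verify(h, sig))      # True: genuine server reply
print(verify(h + 1, sig))  # False: tampered reply fails verification
```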

I'm not sure the parent comment is necessarily going for a patchless solution, and as you say, by the time you have got far enough with reverse engineering for the particular type of encryption to matter, you can always just patch the executable to bypass it altogether. (In fact by halfway down the article the author had done exactly that.)

Besides, I'm not even convinced that "any competent company" would bother with public/private key cryptography given that it makes little difference to them how exactly their copy protection is broken.

The bigger problem for the parent commenter is if actual game logic is executing on the server, which is probably the case for online multiplayer games.

> The bigger problem for the parent commenter is if actual game logic is executing on the server, which is probably the case for online multiplayer games.

Yes. I used to play on unofficial MMORPG servers back in the day. People reverse-engineered the network protocol and created an open source game server. It didn't have all the features of the official game but it ran fine and could be freely modded. I used to host one of these on my own home computer... Traditionally the official game client is used but some games even have custom clients!

Blizzard (I suspect) did exactly this with the original Warcraft III.

To play on an emulated Battle.net server you had to apply a patch to the client .exe or it would refuse to connect.

I remember chatting with one of the emulator developers on IRC and they said it was practically impossible to reverse engineer the key, so that sounded to me like public/private key encryption.

I suspect Blizzard reasoned that it made the emulated servers less legitimate and that people uncomfortable downloading "cracks" would be put off. It didn't have to be foolproof, just raise the bar high enough to encourage more sales.

Whoa, this editor was quite amazing! If you have two minutes, watch the "Photo Texturing" and "Photo Editing" demonstrations:


More here: https://www.youtube.com/user/Picroma/videos

It's really impressive! It's based on some kind of subdivision primitive I've never seen used like this before.

I guess you could emulate the "Photo Texturing" functionality in something like Blender with UV Unwrapping? Will give it a go later.

The "Image Warping" I'm pretty sure you can do in Photoshop these days tho'.

I've achieved a similar effect with Krita's warp tool and 'transform layers' (which let you treat a transformation as a filter layer so you can still edit the un-transformed version), but it's clearly not a use-case the developers intended and therefore is nowhere near as smooth to use.

> I guess you could emulate the "Photo Texturing" functionality in something like Blender with UV Unwrapping? Will give it a go later.

Yes, you can do exactly that. To me the app looks like a happy medium between 2D and 3D art software.

What is the backstory behind why the company stopped selling this software? Has anyone asked the author or company about it? Would it be worth asking them to release the source since it's been so long since selling it?

Wollay's software development is intermittent at best. The Cube World community went 6 years without an update. He will occasionally (every few years) post screenshots and teasers on social media, but it seems very clear that development of his projects is whimsical. I don't think anyone at this point would be surprised if he tweeted out tomorrow that he's done developing Cube World.

It also seems that Plasma was never actually sold. It was a preview that just required a free signup.

In the case of Cube World, he finally decided to come out of the woodwork and release the game on Steam. Almost none of the features he teased during those years were included in the release, or they were heavily changed, and even the core gameplay was very different from the beta, which made a lot of people angry.

He wrote an article explaining that the DDOS they suffered when first releasing Cube World had a lot of impact on his mental health and that is why he rarely communicated and then he disappeared again.

At this point he can't bring it back. The article author bought the expired domain and put up his own authentication server on it.

He can, by re-releasing it with minor modifications to use another domain?

He could simply change Plasma to use an alternate server.

That was really cool and educational, especially the part about reverse engineering the VM! Makes me wonder if all companies go to such trouble to protect their IP, especially since it seems that VM was built in-house.

This is really cool, and certainly a solid example of why the legislation is moronic. However, isn't this a violation of DMCA's (and similar legislation worldwide) "software lock" circumvention laws?

> It's not pretty, but this is probably the first time anyone's been able to use Plasma at all in the better part of a decade. It seems that Wollay removed a critical UI file (for the sheet which artwork exists on) from Plasma, and made it so that the server would provide an obfuscated version of it to the client. That way, no amount of tampering could get an unauthorized copy of Plasma to work. Unfortunately, without the authentication server, authorized copies of Plasma cannot work anyway.

Around this time, I started looking at what the picroma.de domain used to point to. I didn't find much of interest on archive.org, but...

The domain was now available after all these years, and I bought it.

To clarify, none of the reverse engineering stuff is the issue. However, when you start reimplementing or circumventing "authorization", then you're potentially in some trouble. Worse, it's not civil, like copyright infringement, whereby the IP owner has to go after you. It's criminal, so technically law enforcement themselves can go after you.

In this case it seems unlikely, still though, be careful, folks.

(caveat: IANAL and am frequently wrong)

The DMCA provides a singularly annoying exemption process. Every three years, the Librarian of Congress makes a determination of valid exemptions to the DMCA. These exemptions are complicated to apply for, and having been previously granted theoretically has no impact on whether it is granted the next time, so anyone who wants to maintain an exemption needs to reapply and make their case every three years.

From 2018 until 2021, there are 14 DMCA exemptions in effect. One of them is "Computer programs, except video games, no longer reasonably available in commercial marketplace, for preservation by eligible libraries, archives, and museums." Unfortunately, while this software is not a video game, nor is it reasonably available, it is not covered by this clause, as "the work cannot be made available or distributed outside the physical premises of the eligible institution."

Not to worry, though! There is one other possible exemption. Number 11: "Computer programs, for purposes of good-faith security research." Is this good-faith security research? Well, one of the tests there is whether the "information is used primarily to promote security of devices on which the program operates." This probably does the opposite, being an effective argument and tutorial AGAINST security, so it probably doesn't work, either.

So yes, this is probably illegal. It could maybe even be a felony, technically. You could probably get years in prison for it. You wouldn't, but that won't stop a fed from convincing you of that in order to get you to sign a confession.

At least the US has an exemption process.

The US strong-armed most of its trade partners into implementing DMCA-compatible laws. Here in Australia we have "compatible" laws, but to my knowledge no exemption process.

EDIT: It's probably worth noting we didn't even bother amending our existing legislation, we just introduced new conflicting legislation. It's a real mess.

What do you mean by "(and similar legislation worldwide)"? The DMCA is a USA-specific law that goes way beyond what the rest of the world has; the USA has had some success pushing something like it to a few other countries through transatlantic trade treaties, but as far as I understand, most of the world does not have DMCA-like legislation; it's not universal in the way the Berne Convention is. For example, EU copyright law explicitly permits reverse engineering of any software you own, and if it's needed for the purposes of interoperability, you're allowed to distribute modifications to copyrighted works without permission from the author.

DanBC's comment contains useful information. The EU issued a Copyright Directive, thus all member states were told to implement compatible laws.

As pertains to Latvia specifically (I apologise if my Github <-> HN username assumption is inaccurate), then the relevant laws are implemented under "Copyright Law, Chapter XI, Section 68".

We also still have laws in Australia that permit reverse engineering for the purpose of interoperability. This is what I meant above where I wrote:

> To clarify, none of the reverse engineering stuff is the issue.

The problem is these laws are superseded when circumvention of technological measures pertaining to copy protection is involved.

True, I had missed the Information Society Directive which adds the restrictions on circumventing effective technological measures. The big problem is in the interaction between these parts of copyright law and the other parts which limit the copyrights; so even if you have the right to do something yourself, then the distribution of these "circumvention measures" is prohibited by this. Sad.

The WIPO copyright treaty in 1996 told countries to implement laws to prevent circumvention of technical means to protect copyrights.


> The Treaty obliges Contracting Parties to provide legal remedies against the circumvention of technological measures (e.g., encryption) used by authors in connection with the exercise of their rights, and against the removal or altering of information, such as certain data that identify works or their authors, necessary for the management (e.g., licensing, collecting and distribution of royalties) of their rights ("rights management information").

This got written into many local copyright laws.

I always suggest that RE researchers operate under pseudonyms and never attach patches to their personal identities, especially if the patch is classified as a circumvention device under the DMCA. Some people may want to use their own actions to challenge the DMCA itself, but in most cases the goal is simply getting the job done, so avoiding unnecessary trouble is more important. Use a pseudonym, and they cannot fight ghosts.

What program do those disassembly screenshots come from?

I think it's from IDA. For example see screenshots here: https://www.hex-rays.com/products/ida/6_0/.

There are similar reverse engineering tools that are open source such as:

- Ghidra: https://ghidra-sre.org/

- radare2: https://rada.re/n/radare2.html

From the author: "the x86 disassembly comes from IDA, the VM disassembly is literally in notepad++ and generated by my disassembler"

Replying just in case you get an answer, those are cool.

What a magnificent yak shave.

I thought it was FreeHand. Maybe someday.

I was hoping to hear that someone had finally ported Xara LX [1] to Cairo...

[1] https://en.wikipedia.org/wiki/Xara_Xtreme_LX

Looking forward to this as well. I used Xara Xtreme version 4 (released around 2008) a couple of years after they released Xara Xtreme LX, and I've still got the CD. It's probably the fastest and most intuitive graphics editor I've used. It seamlessly integrated raster and vector graphics editing for the masses.

Oh that brings me way back. Got my start in dev idly editing websites in Macromedia Homesite and Freehand and Firesomething. I figured Adobe already killed off the MM stuff.

Macromedia Fireworks, I liked that one!

I still use the final version Adobe released - it's a damn shame as it is the perfect mix of pixel and vector for quick day to day editing and web layout design.

Freehand, Fireworks and Director all great Macromedia programs killed by M'Adobe. RIP.

It was brilliant. I blame the emergence of flat design on the death of Fireworks ;-)

Holy crap, this brings me back. I'll set up a Windows XP image with Macromedia stuff and indulge myself in amazing nostalgia. Thank you for the ticket.

Nice work! Coincidentally I saw the product of your work first on the CubeWorld subreddit. You didn't let on how much reverse engineering was required.

This was an entertaining read and well explained.

It’s insane to me that such a full featured graphics editor was just abandoned.

My guess is that when CubeWorld went viral it sucked up all of the time of the sole developer.

Wow! Congratulations, that was a lot of effort going through all of that.

Good job!

Q: Do you still need to do all of that again with your developer tools?

Something that just occurred to me - that encryption routine looked like a lot of work.

Do you think the creator would have come out ahead in revenue by adding features instead, or by spending that effort to reduce piracy?
