Archive for April, 2010

Some RE anecdotes

Thursday, April 1st, 2010

I think it’s a good day to tell a few stories about peculiarities in codecs that may be a bit funny.

Intel Audio Coder (and maybe IMC) unpacks the bitstream into an integer array. Yes, one bit per 32-bit integer. That may make sense for codecs operating on single bits, but watching it reconstruct a variable in a loop from that bit array is hilarious. And do you know how that codec encodes sound? It loads “iacenc.dll” or something and calls an encode function from it. Was it that hard to make a totally separate encoder instead of pretending it can encode and giving up when the encoder library is missing?

The VoxWare series of codecs (sorry, metacodecs: MetaVoice, MetaSound) features its own codec subsystem. There is a main codec library which really can’t do encoding or decoding by itself. It loads the actual codecs (with the “.vwp” extension) and uses its own system of calls to do the work. The entry point in those overlays is appropriately named VoodooQuery.

Now to the MetaSound decoder (I call it double messy because it’s named “msms01.vwp”). First, it features quite a lot of arrays of floats; I think it has the largest non-zero data segment relative to binary size I’ve ever seen. It also has an additional code segment named “CODE” that contains a single function for performing an FFT. And it has functions for zeroing or copying arrays of floats that are written quite poorly, nowhere near as good as plain memset/memcpy.

The Interplay video player uses self-modifying code for pattern output. It loads the two colours into registers and patches the output instructions so that each one reads from one of those two registers as its source. For the record, another popular method is to replicate each colour value four times in a register (one copy per byte), AND one register with the pixel mask and the other with the inverse of that mask, bitwise OR them together and output the result.
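As an added illustration of the second (mask-based) method, here is a small C routine. It is not code from the original post, from Interplay or from any real decoder; the 4x4 block layout (16 pattern bits, LSB first, raster order) and the sample pattern bytes are constructed for this example, and the self-modifying variant is deliberately not reproduced. The SWAR decoder is checked against an obvious per-pixel reference over every possible pattern.

```c
#include <stdint.h>
#include <stdio.h>

/* Replicate an 8-bit colour into all four bytes of a 32-bit word,
   so one register holds four pixels of that colour. */
static uint32_t replicate4(uint8_t c)
{
    return (uint32_t)c * 0x01010101u;
}

/* Spread the low four bits of `bits` into a byte mask: if bit i is set,
   byte i of the result is 0xFF, else 0x00. The multiply by 0x204081
   (= 2^0 + 2^7 + 2^14 + 2^21) adds shifted copies of the nibble so that
   bit i lands on bit 8*i without any carries; the AND keeps only those
   four bits, and the final multiply by 0xFF widens each into a full byte. */
static uint32_t spread_mask4(unsigned bits)
{
    return (((bits & 0xFu) * 0x204081u) & 0x01010101u) * 0xFFu;
}

/* Emit four pixels: pixel i is c1 where bit i of `bits` is set, c0 otherwise.
   This is the mask / inverse-mask / OR trick: no branch, no self-modifying code. */
static void put_pattern4(uint8_t *dst, unsigned bits, uint8_t c0, uint8_t c1)
{
    uint32_t m = spread_mask4(bits);
    uint32_t v = (replicate4(c1) & m) | (replicate4(c0) & ~m);
    /* Store byte 0 first so pixel i ends up at dst[i] on any host endianness. */
    for (int i = 0; i < 4; i++)
        dst[i] = (uint8_t)(v >> (8 * i));
}

/* Decode one 4x4 two-colour block: 16 pattern bits, LSB first starting at
   pattern[0], one bit per pixel in raster order. This layout is constructed
   for the example and is not any real codec's opcode format. */
static void decode_block4x4(uint8_t out[16], const uint8_t pattern[2],
                            uint8_t c0, uint8_t c1)
{
    for (int row = 0; row < 4; row++) {
        unsigned bits = (pattern[row >> 1] >> ((row & 1) * 4)) & 0xFu;
        put_pattern4(out + 4 * row, bits, c0, c1);
    }
}

/* Obvious per-pixel reference used to check the SWAR version. */
static void decode_block4x4_ref(uint8_t out[16], const uint8_t pattern[2],
                                uint8_t c0, uint8_t c1)
{
    for (int i = 0; i < 16; i++)
        out[i] = ((pattern[i >> 3] >> (i & 7)) & 1) ? c1 : c0;
}

/* Exhaustively compare the two decoders over all 65536 patterns.
   Returns 1 if they agree everywhere, 0 on the first mismatch. */
static int swar_matches_reference(uint8_t c0, uint8_t c1)
{
    for (unsigned p = 0; p < 0x10000u; p++) {
        uint8_t pat[2] = { (uint8_t)(p & 0xFF), (uint8_t)(p >> 8) };
        uint8_t a[16], b[16];
        decode_block4x4(a, pat, c0, c1);
        decode_block4x4_ref(b, pat, c0, c1);
        for (int i = 0; i < 16; i++)
            if (a[i] != b[i])
                return 0;
    }
    return 1;
}

int main(void)
{
    static const uint8_t pat[2] = { 0x0F, 0xA5 }; /* constructed sample pattern */
    uint8_t px[16];
    decode_block4x4(px, pat, 0x10, 0x20);
    for (int i = 0; i < 16; i++)
        printf("%02x%c", px[i], (i & 3) == 3 ? '\n' : ' ');
    printf("swar == reference for all patterns: %d\n",
           swar_matches_reference(0x10, 0x20));
    return 0;
}
```

The same idea scales to wider registers (eight pixels per 64-bit word) by using 0x0101010101010101 as the replication constant and a matching bit-spreading multiplier; the branchless form is also what you want when the pattern bits come straight from an untrusted bitstream, since every input value takes the same code path.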

And the most mind-boggling code I’ve ever seen is the Discworld III game engine (which also performs FMV decoding). While REing the ADPCM variants used there is relatively easy, the video decoding is maybe the most obfuscated code I’ve ever seen. Let’s just say that the decoding function avoids using the stack but does a lot of indirect calls to modify register values.