--- Log opened Sun Jan 18 00:00:08 2009
00:32 -!- Netham45 [~Netham45@c-71-229-253-50.hsd1.co.comcast.net] has joined #tiasm
00:32 -!- TehStorm [~TheStorm@CPE-24-167-219-81.wi.res.rr.com] has quit [Read error: Connection reset by peer]
00:32 <@efneTI92> [Netham45] Narf!
00:33 < BrandonW> The things that I.Q. Joe does with the stack is truly scary.
00:33 -!- TehStorm [~TheStorm@CPE-24-167-219-81.wi.res.rr.com] has joined #tiasm
00:33 < BrandonW> It's obvious that this guy is extremely knowledgeable with z80, but not so much with the calculator itself.
00:34 <@chronomex> who?
00:35 < BrandonW> I.Q. Joe!
00:36 <@chronomex> ... okay
00:39 < BrandonW> This guy is really good.
00:39 < BrandonW> He knows how to obfuscate code.
00:41 -!- Netham45 [~Netham45@c-71-229-253-50.hsd1.co.comcast.net] has quit [Read error: Connection reset by peer]
00:41 -!- Netham45 [~Netham45@c-71-229-253-50.hsd1.co.comcast.net] has joined #tiasm
00:41 -!- Netham45 [~Netham45@c-71-229-253-50.hsd1.co.comcast.net] has quit [Client Quit]
00:43 <@chronomex> hmmm
00:44 < BrandonW> There's stuff in here that's not in Zoom Algebra, so he's learned a few things.
00:44 < BrandonW> I wonder if he knows about me.
00:45 <@chronomex> http://www.zoommath.com/CompanyNews.html <-- broken!
00:46 <@chronomex> maybe, it's hard not to know about you if you're into that sort of thing
00:46 <@chronomex> but he's not on irc, is he?
00:46 < BrandonW> As far as I know, no. But he could be hiding.
00:46 < BrandonW> So I'm discussing it only here.
00:46 <@chronomex> ah, right
00:46 <@chronomex> hiding like his opcodes :)
00:47 < BrandonW> This really is hard to break...so I only want to have to do this once. I don't want him learning about it and then changing everything.
00:47 <@chronomex> yeah
00:47 <@chronomex> do you think he uses much in the way of machine aids?
00:47 <@chronomex> or is he just basically a genius?
00:48 < BrandonW> I'm leaning towards genius.
00:48 <@chronomex> and if you think so ...
00:48 <@chronomex> damn
00:48 < BrandonW> I can easily screw with the code that gets the calc ID and validates the registration key, but the problem is that he uses calculations on the key to determine what code to jump to next. So I could generate fake keys, but they would cause advanced features to crash.
00:49 < BrandonW> It's really a beautiful thing.
00:49 <@chronomex> oh wow
00:49 <@chronomex> That is truly wonderful
00:49 <@chronomex> do you think that there are multiple completely valid keys for each ID, or is that really unlikely?
00:50 < BrandonW> I have no idea, the code to generate the "zCode" you enter on his web site is insanely complicated.
00:50 < BrandonW> It's math I couldn't possibly understand.
00:50 <@chronomex> hm
00:51 < BrandonW> I came up with this ridiculously complicated scheme last time to put the flash debugger in an infinite loop until it found a key that caused a certain section of code to not crash, and then patched the application to always return the calc ID that went with it, so it'd work on any calculator.
00:52 < BrandonW> I can't remember how long it ran.
00:52 < BrandonW> But a long time.
00:52 <@chronomex> did it work?
00:52 < BrandonW> Yes.
00:53 < BrandonW> The guy doesn't understand anything unique beyond the first 5 bytes of the calc ID, so that's what we have to work with.
00:53 < BrandonW> So if I get the registration key that goes with a given calc ID (meaning someone buys it once), it's piss easy to crack.
00:53 <@chronomex> what do you mean, doesn't understand?
00:53 < BrandonW> I'd rather not have to resort to that, though.
00:53 <@chronomex> ah
00:53 < BrandonW> There's more he could get, like out of the certificate.
00:53 <@chronomex> right, I see that
00:54 <@chronomex> so he doesn't have you give him your calc ID, it's something generated from it?
00:54 < BrandonW> Yes.
00:54 <@chronomex> I wonder why
00:54 < BrandonW> And I understand very little about it, even looking directly at the code, so I'm not sure if it's 1:1 or not.
00:54 <@chronomex> makes sense that you think he's newish to z80calc but not to z80 in general, then
00:55 < BrandonW> The techniques he uses are only things you'd find out of the 83+ SDK.
00:55 < BrandonW> None of our stuff.
00:55 < BrandonW> So I wonder if he even acknowledges this community.
00:55 <@chronomex> hmmm
00:55 < BrandonW> And he does freaky stack stuff you wouldn't see in any of our code.
00:56 <@chronomex> well the domain zoommath.com is registered to Hatch, Vance vance.hatch@iqjoe.com 29000 S Western Ave., Ste. 304 Rancho Palos Verdes, CA 90275
00:56 <@chronomex> so I think it may be a small shop
00:56 < BrandonW> Yeah, his brother or cousin or something is in on it.
00:57 <@chronomex> ah
00:57 < BrandonW> I innocently e-mailed them once and asked when Zoom Math 100/200 would be out (so I could break it), and some woman responded.
00:58 <@chronomex> “Some math teachers gasped the first time they saw a textbook-style fraction typed in Zoom Algebra! "How did you do that?" they asked.”
00:58 <@chronomex> “Easy, have you ever read the Wikipedia article on "case-swapping"?”
00:59 <@chronomex> I doubt that they acknowledge the community, then, because they're, well, they're older than us
00:59 < BrandonW> I'm seeing this random garbage every so often in page 0...it's consistent, but never referenced.
00:59 < BrandonW> This guy does some wacky multi-page stuff, too.
00:59 < BrandonW> It's not a good sign.
00:59 < BrandonW> He might be validating the app somehow.
00:59 <@chronomex> hm?
01:00 < BrandonW> To make sure it's not being tampered with.
01:00 <@chronomex> ah
01:00 < BrandonW> Which would be bad for me.
01:00 <@chronomex> right
01:00 <@chronomex> never ever referenced?
01:00 < BrandonW> Not from that page, but it could be from another page, but I can't easily detect that.
01:00 < BrandonW> He's good.
01:01 <@chronomex> I wonder how they got so good
01:01 < BrandonW> It bothers me.
01:01 < BrandonW> I want to know, too.
01:03 < BrandonW> It's a three page application, and he has page 3 COMPLETELY filled up.
01:03 < BrandonW> Pages 1 and 2 are relatively empty, especially 2.
01:03 <@chronomex> what's remarkable about that?
01:03 <@chronomex> pardon my n00bness
01:03 < BrandonW> He puts all his code on another page and makes calls to it from the main one, page 1.
01:03 < BrandonW> It's harder to follow.
01:03 <@chronomex> oh, fun
01:04 < _aegis_> can't you write a script to combine it?
01:04 < _aegis_> every time it does a jump to page three, copy that code until it jumps back
01:04 < _aegis_> or something
01:05 < BrandonW> I need to not be making any assumptions about the layout of this thing.
01:05 < BrandonW> He's good enough to embed junk within the code and use it as some sort of validation check.
01:05 < BrandonW> Which I suspect he's done.
01:05 < BrandonW> Which would be the perfect defense against me.
01:05 < BrandonW> So I wonder if he knows about me.
01:05 < _aegis_> can't you tell which parts of his code try to access the memory used by the app's code?
01:06 <@chronomex> I don't think he knows about you, but he most likely has experience cracking programs in the past
01:07 < _aegis_> but he wouldn't make it more secure than the previous unless he knew it had been cracked?
01:07 < BrandonW> It's the perfect defense against the way I cracked it last time, that's why I say that.
01:07 <@chronomex> did that get publicised?
01:08 < BrandonW> I'm not sure. It's publicly accessible.
01:08 < BrandonW> http://brandonw.net/crap/ZoomAlg2.zip
01:15 < BrandonW> Oh man..
01:15 < BrandonW> This is going to be rough.
01:16 < BrandonW> I found where it's pulling the calc ID at least.
01:17 < BrandonW> I found http://errors.zoommath.com/ embedded in it.
01:17 < BrandonW> But that appears to not work.
01:18 < BrandonW> Or maybe it's to find out who's in here sniffing around.
01:18 <@chronomex> errors.zoommath.com. 1200 IN CNAME premium12.geo.yahoo9.akadns.net.
01:18 <@chronomex> akamai DNS
01:18 <@chronomex> weird
01:19 <@chronomex> and that has eight IPs associated with it
01:19 < _aegis_> cdn
01:19 <@chronomex> uhh, no, don't worry about that
01:19 <@chronomex> _aegis_: I know {
01:19 <@chronomex> :)
01:40 < BrandonW> Considering the deal he made with TI to get App4Math pre-installed on 83+ calculators, TI might have given him some help.
01:40 < BrandonW> I'm surprised to see them support this kind of validation, though.
01:41 < BrandonW> TI had their own paid app system.
01:42 < BrandonW> Although it does suck, so maybe this just means he's intelligent.
01:42 <@chronomex> heh
01:50 < _aegis_> heh
01:51 < _aegis_> zoommath is vulnerable
01:51 < _aegis_> the website
01:52 <@chronomex> oh?
01:55 < _aegis_> http://zoommath.com///etc/hosts
01:55 < _aegis_> allows accessing files on the server by adding extra //s
01:56 < _aegis_> he's hosting on geocities? o_O
01:56 < _aegis_> makes sense
01:57 <@chronomex> ... not really
01:57 < BrandonW> I have all of Zoom Math 100 loaded into the disassembler.
01:58 < BrandonW> This is going to take time to figure out.
01:59 < Tari> that server is screwed up
01:59 < Tari> /etc/passwd and /etc/group 404
01:59 < Tari> er, no
01:59 < Tari> /etc/shadow 404s
01:59 < Tari> but /etc/group works
02:00 < _aegis_> server is YTS/1.17.9
02:00 < BrandonW> He's doing a lot of stuff himself that the OS could be doing for him.
02:01 < _aegis_> yahoo traffic server
02:04 < BrandonW> He's still doing that "return NC if error" thing...
02:04 < BrandonW> I really don't understand that.
02:10 < BrandonW> Apparently ALL of this guy's calculations rely heavily on the stack, and he does tons of wacky things to error out gracefully if he runs out.
02:12 < BrandonW> At the start of the application he pushes a random value on the stack, and if it's different when you exit, it displays a message saying RAM is corrupted.
02:15 <@chronomex> crazy
02:17 < BrandonW> A recursive string display routine...
02:17 < BrandonW> It's just completely backwards from everything we're used to seeing from ourselves or TI.
02:18 <@chronomex> maybe he's also got some lisp experience
02:33 < TehStorm> I'd really want to see this code just for the hell of it
02:33 < TehStorm> It sounds quite interesting
02:33 -!- TehStorm is now known as TheStorm
02:34 < BrandonW> I'll post it just like the old one.
02:34 < TheStorm> I guess I could go find a copy of IDA
02:34 < TheStorm> Oh yeah I forgot you posted the code
02:44 -!- Merthsoft [~Shaun@140.141.26.108] has joined #tiasm
02:49 -!- TheStorm [~TheStorm@CPE-24-167-219-81.wi.res.rr.com] has quit [Ping timeout: 335 seconds]
02:54 -!- TheStorm [~TheStorm@CPE-24-167-219-81.wi.res.rr.com] has joined #tiasm
04:08 < BrandonW> Good lord, the guy's actually got some sort of dynamic key lookup table...
04:08 < BrandonW> So it's not obvious what the getKey values are.
04:09 < BrandonW> Now that's just freaking crazy.
04:10 < Merthsoft> wait what?
04:11 < BrandonW> The obfuscation that the Zoom Math guy has done.
04:12 < Merthsoft> Zoom Math?
04:12 < BrandonW> He wanted to make it just about impossible to crack this thing.
04:12 < TheStorm> Do you think some of it may be more optimization than obfuscation?
04:12 < BrandonW> http://www.zoommath.com/
04:12 < BrandonW> This is obfuscation. It's three pages and the second page is damn near empty.
04:13 < BrandonW> Chock full of code that the OS already has.
04:13 < BrandonW> It's like he took it upon himself to do everything.
04:14 < BrandonW> And it's all done in bizarre ways.
04:14 < TheStorm> Wow, thats just stupid.
04:14 < Merthsoft> whoa, neat program
04:14 < BrandonW> Yeah, if it worked and all.
04:14 < BrandonW> And was free.
04:14 < Merthsoft> it doesn't work?
04:15 < BrandonW> I personally find it to be buggy.
04:15 < BrandonW> He has it wrapped so much that it won't actually crash, just not useful.
04:15 < TheStorm> yeah I've seen it do some weird stuff, but it always seems to exit gracefully
04:16 < Merthsoft> screen shots look good
04:16 < BrandonW> It's definitely from the flash debugger.
04:17 < TheStorm> and simview, at least the 84 ones
04:17 < BrandonW> http://www.zoommath.com/ZoomAlgebra.php I...missed this.
04:17 < BrandonW> I can just use the Zoom Algebra crack!
04:18 < BrandonW> I'll still have to crack it, but I won't have to do any real work.
04:18 < TheStorm> Nice, any chance of getting it back down to 2 pages?
04:19 < BrandonW> And if he validates the application to check for changes, screw him, I'll just patch the BCALL routine to always return the same calc ID.
04:19 < BrandonW> No.
04:19 < Merthsoft> you gonna release the crack?
04:19 < TheStorm> I figured but I thought I'd ask anyway
04:20 < BrandonW> There's scary stuff I could do, but with the amount of checks this guy does, they might not work.
04:20 < TheStorm> Merthsoft why else would he crack it
04:20 < BrandonW> Of course I'll release it.
04:20 < BrandonW> I'm not even concerned about Zoom Math 200 then.
04:20 < Merthsoft> TheStorm: for fun id unno
04:20 < BrandonW> Good thing I started with 100.
04:21 < TheStorm> It'll most likely be the same thing then right?
04:21 < BrandonW> Hard to say.
04:22 < BrandonW> Zoom Math 200 might be bound to certain restrictions since it's linked with Zoom Algebra now.
04:22 < BrandonW> I mean, who knows, it might just be looking at the appvar and validating it and then does its own thing.
04:22 < BrandonW> There's no way to know until I get in there and find out.
04:22 < BrandonW> And I can't just get it to say "Congratulations, you're now registered!" and call it a day, I have to really test the thing to make sure I really did crack it.
04:23 < BrandonW> Because you can generate false positives for keys and the app just becomes unstable instead of working correctly.
04:23 < BrandonW> That's what Zoom Algebra does.
04:23 < BrandonW> So I need to test this thing.
04:23 < BrandonW> Have you used 100 or 200? Can you make it do things where it tells you that you have to register first?
04:23 < BrandonW> It would be helpful if you or others did that.
04:23 < BrandonW> And then tested the crack.
04:24 < BrandonW> He cripples certain features, and they're just about impossible to find in the code.
04:26 < BrandonW> Okay, now I know the guy's looking at our documentation...he's using hooks.
04:32 < BrandonW> The bastard kills all hooks during its run.
04:33 < TheStorm> Sorry I have no way to send it atm, wait yes I do just a sec
04:55 < TheStorm> ok before I start firing up TI-connect what exactly do you need me to test?
05:02 < Tari> hehe
05:02 < Tari> you said it does funky stuff but manages to exit gracefully
05:02 < Tari> except when you try to make it divide by zero
05:02 < Tari> then it just crashes
05:10 < BrandonW> Just come up with a list of expressions or equations that work fine, and also ones that cause it to give you an error about how you have to register/pay first.
05:10 < BrandonW> What did you do to make it crash, Tari?
05:10 < BrandonW> What exactly, I mean.
05:10 < BrandonW> Basically I just need an example of every advanced feature it won't let you do.
05:10 < BrandonW> So that when I crack it and we try them, we either see it work fine, or crash.
05:11 < BrandonW> And yeah, I really think you only get the errors.zoommath.com message if you're doing something scary.
05:13 < TheStorm> what version should I do first?
05:14 < BrandonW> Zoom Math 100 is the only one I care about.
05:14 < BrandonW> 200 in theory is as good as done, and 100 is the only one I'm focusing on.
05:16 < TheStorm> ok
05:19 < Tari> I was referring to TheStorm's earlier comment
05:19 < Tari> with ZoomAlg
05:23 < TheStorm> ok zoom100 installed
05:28 < TheStorm> ok well it won't graph x^2/5x so thats looks to be a good place to start
05:29 < BrandonW> This code is laid out as if he used the same code base for 100 and 200.
05:30 < BrandonW> It wouldn't surprise me at all if it's the same thing with a compiler flag to generate one or the other.
05:33 < TheStorm> Yeah They seem to be very similar
05:33 < TheStorm> its stupid that they want you to pay for two almost identical apps
05:35 < BrandonW> Hmm...
05:35 < TheStorm> what?
05:35 < BrandonW> I think he got a little smart with the serial thing.
05:35 < BrandonW> It defaults to a hard-coded one.
05:35 < TheStorm> really?
05:35 < TheStorm> hmm thats interesting
05:35 < BrandonW> Yes, 0A 25 46 45 77.
05:36 < BrandonW> Which would be sweet, I could just NOP out the call to _getCalcSerial (and change those bytes if necessary) and generate the key.
05:36 < TheStorm> lol nice
05:38 <@chronomex> that would be pretty funny
05:38 < BrandonW> Generating the key is insanely hard.
05:38 < BrandonW> I'm honestly not even sure I can.
05:39 < TheStorm> can you change the hardcoded one to match the key you used last time?
05:42 < TheStorm> well I have all three of the new apps on my calc
05:43 < BrandonW> Yes, but the application will have different logic than the Zoom Algebra one did.
05:43 < TheStorm> true
05:43 < BrandonW> That's no different from your average person who bought Zoom Algebra trying their key on Zoom Math 100.
05:46 < TheStorm> Well time for me to get some sleep. G'night all
05:50 < BrandonW> Alright, so I've got what I need now to generate keys.
05:50 < BrandonW> Now to generate the right one.
05:50 < BrandonW> Meaning finding a piece of code that works only if you have the right key.
05:58 < BrandonW> And that's very hard.
06:23 < BrandonW> I have to admit, I'm kind of losing interest.
06:24 < BrandonW> If Zoom Math 200 really does everything 100 does, I should just patch the calc ID code in 200 and see if it works.
06:36 < BrandonW> Zoom Math 200 isn't doing anything.
06:36 < BrandonW> Even though the appvar and the key are right.
06:38 < BrandonW> GRRR
06:38 < BrandonW> I guess I'll dig in and see what's wrong.
14:41 < TheStorm> Good luck with that.
16:38 -!- Merthsoft [~Shaun@140.141.26.108] has quit [Ping timeout: 240 seconds]
17:23 -!- Merthsoft [~Shaun@140.141.26.108] has joined #tiasm
20:25 -!- TheStorm [~TheStorm@CPE-24-167-219-81.wi.res.rr.com] has quit [Quit: Leaving]
21:50 -!- Merthsoft [~Shaun@140.141.26.108] has quit [Quit: ☮♥♫]
23:38 -!- Merthsoft [~Shaun@140.141.26.108] has joined #tiasm
23:45 < Merthsoft> l
--- Log closed Mon Jan 19 00:00:08 2009