
newbie prob with reversing an ipaq app


hambam
August 16th, 2002, 13:39
Hi,

I need a little help once again.

After I finally installed the recommended IDA Pro 4.04 for doing some reverse engineering for my iPAQ, and read several newbie first-steps tuts and crackme solutions, I started my very first try with Phone Manager from IA Style (iastyle.com).
It has an evaluation period of 14 days and is protected by a registration code combined with the email address listed in the iPAQ device information.

First of all, I installed the app on my iPAQ and copied the exe back to my PC.
Then I loaded it into IDA, cancelled the upcoming messages about some missing DLLs (aygshell, mfcce300, olece) (all right?), and okay, now I have a good look at the code.
Next step, I tried to find some text like 'sorry', 'expired', 'registration' or 'purchasing', but found nothing.

Okay, more difficult than I wished for my beginning, but no reason to stop.

Next chance: perhaps I could find a function call to get the system date, but negative, I only found a GetTimeZoneInformation; I believe this isn't the right way.

Does anyone have the right hint for me?

hambam
August 19th, 2002, 11:55
Okay, I found out that the serial is limited to a length of 5 chars.
So I looked for 'strlen' and found a heap of them.
But nothing was compared with 0x05,
then I looked for all cmp R0,0x05, found one location, but a simple check by changing the value to 8 didn't result in the wanted effect, the same with 0E (the trial works for 14 days).
Changing the system date results in:
'Program data or start time for using has been modified'

It seems to be a hard job (not only for me?), because I'm not able to set breakpoints.

I found something like a disassembler running on the device itself (h**p://w*w.rainer-keuchel.de/software.html)
but I'm not sure it's working as requested.

Would be nice if someone could aid me with some hot hints.

evaluator
August 20th, 2002, 20:17
All you are talking about, you must do y0urself.
Search, Read & Learn

Dear Newbie!

Iwarez
August 20th, 2002, 22:25
What do you think about getting a resource viewer and searching the strings there? After you get the ID you should search for loadresstring with that specific ID. Should help you out.

hambam
August 22nd, 2002, 15:01
@Iwarez: do you know any resource viewer running on the iPAQ?

Now I've installed MS Emb.V.Tools and was able to debug this little thing.
But I'm totally confused about what the code is doing.
Certainly it's down to my inadequacy.

Here's the program entry point:
start
STMFD SP!, {R4-R7,LR} ; sub_0_50F54
MOV R4, R0
MOV R5, R1
MOV R6, R2
MOV R7, R3
BL loc_0_51048 #what the heck is done here?
MOV R3, R7
MOV R2, R6
MOV R1, R5
MOV R0, R4
BL WinMain # inside, the nagscreen is opened and displayed, including the button functionality
LDMFD SP!, {R4-R7,LR}
B loc_0_510A8

I wasn't able to find any time cmp or set-reg flag. I also didn't find an if-clause which decides whether to display the nagscreen or not. But this must be inside one of these two BLs?!

@evaluator: I'm still searching, reading and (trying to) learn(ing), but the way could be a little bit easier with a direction to walk, or?

DakienDX
August 22nd, 2002, 18:51
Hello hambam!

"BL" is the "Call" function.

The code you showed us is the same as writing:

Application.Init
Application.Run <- somewhere here is the nagscreen
Application.Done


Not only the nagscreen is shown in "Run", but the whole program is initialized and run. So you've basically found nothing.

You might want to read this (http://www.woodmann.net/fravia/hexc_evtdebug.htm) and this (http://www.woodmann.net/fravia/nchanta_Abusing_microsoft_EVT2.htm) tutorial for some information on applications not running on x86 CPUs.

Iwarez
August 22nd, 2002, 23:18
You need to copy the .exe over to your PC and view the resources there. If you use Resource Hacker (very good) you need to convert the IDs first to hex before searching for them in IDA with Alt-I. I believe you can also search directly by removing the '0x'.

waynek
August 23rd, 2002, 12:38
BL loc_0_51048 #what the heck is done here?

BL is the ARM "Branch and Link" instruction, basically a call.
The return address is stored in the LR register (r14) rather than on the stack as on x86.

You've had some good advice on this board already - load the ARM executable into some resource viewer (brw, whatever) and search the string table just as Iwarez said... however, there is one small thing to add here. Because of the way ARM stores its instructions (and uses the internal barrel shifter) you will need to do something like this, e.g.:

You're searching for "Registration failed!", and it's string ID 0x7F13.

Because the ARM code will compile to something like:

Mov r0,#0x7f00
Orr r0,r0,#0x13

You will need to (obviously) search for "0x7f" to make sure you find the string reference you're looking for.

After that it's all fairly simple usually, in fact easier than most x86 things, because all opcodes are 4 bytes long, so finding space for your code is a simple matter.

-WK

hambam
August 23rd, 2002, 13:51
Hi,

Clearly, the BL is a call, I knew that.
I'm able to follow the program while debugging (mostly), but don't understand what the program really does.
I tried to debug the app step by step to see where the screen is opened. Somewhere before there must be a testing sequence. But I found out neither how and where the program holds the regged status and where it's read,
nor where it branches to good or bad guy. "Suddenly" the nagscreen pops up and I'm as clever as before.

I explored the resources with Resource Hacker and found the dialogs at 30001 and 3002, and found the mysterious string 'sorry...' at 50400 (hex: C4E0).
And I searched through all occurrences of 0xC4 with IDA but didn't find one MOV with 0xC4 in it.

waynek
August 23rd, 2002, 15:55
OK, in that case the program probably stores the string reference "locally" (in what ARM calls a "literal pool", to make it close enough to be PC-relative)... so what you get is something like:

ldr r0,[pc,#0x208] <-- loads 32bits from pc+0x208 to r0

and suddenly r0 points to your string reference.

Search again for all 0xC4's, and see if there is one after a chunk of code stored as DCD 0x0000C4E0 for example, then scroll up a little in IDA and you should see the code you need...

Good luck

Iwarez
August 23rd, 2002, 22:06
ARM programs are easy to crack as the source is very clear to read and related to the Intel IS. I suggest you don't search for 0xc4 but for 0xc400 or for 0xE0. It can't be very hard.

I think waynek meant that but swapped the codes he typed before...

If you are really really stuck, contact me at xxx.sharewood.org. (xxx = www) The people there would also like to learn and are PPC and HPC minded
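The MOV/ORR pattern waynek describes (0x7F13 becoming MOV #0x7F00 / ORR #0x13), the literal-pool case he mentions in his next post (a DCD 0x0000C4E0 loaded PC-relative), and Iwarez's advice to search for 0xC400 or 0xE0 rather than 0xC4 all follow from how ARM encodes data-processing immediates: an 8-bit value rotated right by an even amount, so a 16-bit constant usually has to be built in two instructions or kept in the pool. The following C program is an added example written for this thread, not code from any poster or from the app under discussion; it splits a constant the way an assembler does, checks which chunks fit a single instruction, and gives the little-endian bytes a literal-pool entry would occupy. The greedy window split and the sample values are assumptions of this example and are labelled as such in the comments.

```c
/* Added example (not from the thread): ARM data-processing immediates and
 * the byte patterns a 16-bit constant (such as a string resource ID) leaves
 * in a disassembly.  Build: cc -std=c99 -o armimm armimm.c */
#include <stdint.h>
#include <stdio.h>

/* Rotate a 32-bit value right by n bits (n taken modulo 32). */
static uint32_t ror32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* An ARM "operand2" immediate is an 8-bit value rotated right by an even
 * amount (0, 2, ..., 30).  Returns 1 if value fits a single MOV/ORR/CMP. */
int is_arm_immediate(uint32_t value)
{
    for (unsigned rot = 0; rot < 32; rot += 2)
        if (ror32(value, (32 - rot) & 31) <= 0xFF)   /* undo the rotation */
            return 1;
    return 0;
}

/* Split value into chunks that each fit one instruction, highest bits first,
 * so that "MOV Rd,#out[0]" followed by "ORR Rd,Rd,#out[i]" rebuilds it.
 * This greedy 8-bit-window split is an assumption for this example (real
 * assemblers may choose other chunks); it needs at most four chunks.
 * Returns the chunk count. */
int split_arm_immediate(uint32_t value, uint32_t out[4])
{
    int n = 0;
    while (value != 0 && n < 4) {
        int high = 31;
        while (!((value >> high) & 1u))
            high--;
        int low = high - 7;            /* 8-bit window ending at the top set bit */
        if (low < 0)
            low = 0;
        if (low & 1)
            low++;                     /* rotations are even: align the window */
        uint32_t chunk = value & (0xFFu << low);
        out[n++] = chunk;
        value &= ~chunk;
    }
    return n;
}

/* Bytes of a 32-bit literal-pool entry (IDA: "DCD value") in a little-endian
 * image, e.g. DCD 0xC4E0 -> E0 C4 00 00.  Searching for these bytes finds a
 * constant the compiler kept in the pool instead of building it with MOV/ORR. */
void literal_pool_bytes(uint32_t value, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(value >> (8 * i));
}

static void show(uint32_t value)
{
    uint32_t parts[4];
    uint8_t bytes[4];
    int n = split_arm_immediate(value, parts);

    printf("0x%04X: ", (unsigned)value);
    for (int i = 0; i < n; i++)
        printf("%s R0,%s#0x%X  ", i == 0 ? "MOV" : "ORR",
               i == 0 ? "" : "R0,", (unsigned)parts[i]);
    literal_pool_bytes(value, bytes);
    printf("| DCD bytes %02X %02X %02X %02X\n",
           bytes[0], bytes[1], bytes[2], bytes[3]);
}

int main(void)
{
    /* Constructed sample input: the two string IDs quoted in this thread. */
    show(0x7F13);
    show(0xC4E0);
    return 0;
}
```

For 0xC4E0 the program prints MOV R0,#0xC400 / ORR R0,R0,#0xE0 and the pool bytes E0 C4 00 00, which is why a search for the bare byte 0xC4 finds neither form.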

hambam
August 26th, 2002, 10:14
First of all, thx for your hints.

Searching for 0xC400 was successful, so I found the str-refs for 'sorry evaluation period expired' and 'x remaining days'

BL j_mfcce300_366
LDR R3, [R4,#0x7C]
MOV R1, R4
ADD R0, SP, #0
CMP R3, #0
LDR R3, [R1,#0xC8]!
LDR R3, [R3,#-8]
BNE loc_0_4BD04 ...... to str-ref '...expired...'
CMP R3, #0
BLE loc_0_4BB7C ...... to '...days remaining...'
BL j_mfcce300_321
B loc_0_4BB88

I debugged with a breakpoint just a few bytes before and let the prog 'ignore' the BNE and the BLE.
The result was that the prog displays the 'start trial' button again, but pressing this button quits the prog nevertheless.

The subroutine was called from
DCD j_mfcce300_2379
DCD j_mfcce300_1079
.rdata:0005673C DCD sub_0_4B9E8 .... here! ...
DCD j_mfcce300_2013
DCD nullsub_14

and I can't find the call for this location.

Further hints are welcome as always.

waynek
August 26th, 2002, 12:47
Hmmm, ok...

BL j_mfcce300_366 <-- which syscall is this?
LDR R3, [R4,#0x7C] <-- your "good guy" flag...
MOV R1, R4
ADD R0, SP, #0
CMP R3, #0 <-- is flag 0?
LDR R3, [R1,#0xC8]!
LDR R3, [R3,#-8]
BNE loc_0_4BD04 ...... to str-ref '...expired...' <-- if flag != 0
CMP R3, #0
BLE loc_0_4BB7C ...... to '...days remaining...' <-- if flag < 0
BL j_mfcce300_321
B loc_0_4BB88


So... without saying anything more, I think you should be able to see what you need to do? Of course it's possible there are other good/bad flags and other checks, but for this particular one...

-WK

hambam
August 26th, 2002, 14:51
BL j_mfcce300_366 <-- which syscall is this? = str manipulation i think, but which meaning?
LDR R3, [R4,#0x7C] <-- your "good guy" flag... i assumed but ...
MOV R1, R4
ADD R0, SP, #0
CMP R3, #0 <-- is flag 0?
LDR R3, [R1,#0xC8]!
LDR R3, [R3,#-8]
BNE loc_0_4BD04 ...... to str-ref '...expired...' <-- if flag != 0
CMP R3, #0
BLE loc_0_4BB7C ...... to '...days remaining...' <-- if flag < 0
BL j_mfcce300_321 <-- str manipulation, too, what meaning , too?
B loc_0_4BB88

OK, as I said, simply setting r3 to 0 or nop'ing the BNE and BLE isn't the right way. On one hand, the nagscreen appears with the 'start trial' button again (instead of the register button), looking like the app can't expire any more, but on the other hand, pressing 'start trial' quits.
So there must be another flag which makes the button functional.

But I would prefer to disable the nagscreen completely, and I've got problems with going back through the code.

The subroutine starts at 4B9E8 and is referenced from 5673C (as mentioned above). But how could I resolve the location where the prog goes to 4B9E8?

waynek
August 26th, 2002, 18:18
>The subroutine was called from
>DCD j_mfcce300_2379
>DCD j_mfcce300_1079
>.rdata:0005673C DCD sub_0_4B9E8 .... here! ...
>DCD j_mfcce300_2013
>DCD nullsub_14

OK, this is a jump table, so you need to find the address of the first item in this table (00056734?) and look for the instructions that load that address (everything else will be an offset from that)... e.g.:

ldr r0,[pc,#0x100] <-- might load base of table
add r0,r0,#0x08
mov pc,r0

or a similar sort of routine I guess... IDA will do its best and cross-ref these for you, but it won't recognise them as call/ret (or branch in ARM) because technically speaking they're not...

Good luck! And if you want to PM me the name of the app, I'll take a look myself if I get time so I can answer your questions better.

-WK

hambam
August 27th, 2002, 12:06
Another day, another try, ...
Could it be that debugger protection has found its way to the portable devices?
Setting a breakpoint and running never breaks again after the window has once been opened.
And it could be sooo easy, with this little wcscmp...

The following code looks very suspicious:
MOV R1, R7 --> R7 holds my entered test serial, i think
ADD R0, SP, #0xC --> no idea
BL j_wcscmp --> whooop?
MOVS R3, R0
BEQ loc_0_4F2D4 --> jump to?
MOV R0, #0x410
ORR R0, R0, #0xC
BL j_mfcce300_315
CMP R0, #0
BEQ loc_0_4F2CC --> jump to?
MOV R3, #0x1E
STR R8, [SP,#8]
MOV R1, #0xB400 ->B403 = str_ref 'Serial invalid'
STR R3, [SP]
MOV R3, #0x64
STR R8, [SP,#4]
MOV R2, #0xC8
ORR R1, R1, #3 ->
BL sub_0_41CA0
B loc_0_4F2D0

4F2CC: MOV R0, R8
4F2D0: BL j_mfcce300_704
4F2D4: ADD SP, SP, #0x3C
LDMFD SP!, {R4-R8,PC}

Something else looks strange:
the window which is displayed after entering a bad serial also displays a strange text: '200:200:20:0', which doesn't depend on the entry.

waynek
August 27th, 2002, 12:38
Well, to be honest I'm not sure that it's anti-debug protection; I've had a lot of problems using the embedded VC debugger on various programs, some of which I wrote myself, and I *KNOW* they didn't have any protection (except for being very poorly coded...)

Anyway, to your src snippet:

MOV R1, R7 --> your serial, or the one calced by the program?
ADD R0, SP, #0xC --> r0 = a "serial" from the stack
BL j_wcscmp --> compare unicode strings
MOVS R3, R0 --> put the result code in r3 (and set flags)
BEQ loc_0_4F2D4 --> jump to end of subrout below
MOV R0, #0x410
ORR R0, R0, #0xC
BL j_mfcce300_315 --> which rout? using resource id 0x41c?

----8<---snip!---

wcscmp should return 0 if the strings match (which I assume is good for our purposes), so disasm the code that the program would take if r0=0 when it returns from the BL j_wcscmp...

Keep digging

hambam
August 27th, 2002, 16:09
Another idea:

Could it be possible, instead of displaying 'invalid serial number', to simply display one or two register values?

something like:

LDR R0, [serial] --> not really needed, because the right one should already be in R0, or?
MOV R1, #0
MOV R2, #0
BL MessageBox

would be sooo nice!

hambam
August 28th, 2002, 07:15
I've tried this:

The mfcce_300_674 (SendMessage) is at 50918.
The BL is found at 4F288.
That results in the BL being A2 05 00 EB, or?

MOV R1, R7
ADD R0, SP, #0xC
MOV R2, #0
A2 05 00 EB: BL j_SendMessage
BEQ loc_0_4F2D4
MOV R0, #0x410
ORR R0, R0, #0xC
BL j_mfcce300_315 --> what is this BL doing?

But the MessageBox isn't displayed.
Shouldn't the program pause at this SendMessage waiting for an OK from me?
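Several address calculations in this thread rest on one ARM-state convention: an instruction reads PC as its own address plus 8. That is what makes waynek's ldr r0,[pc,#0x208] a literal-pool load, what the jump-table base load he sketches is built on, and what decides whether the bytes A2 05 00 EB placed at 4F288 really encode a BL to 50918. The C program below is an added worked example, not code from the thread or from the program being discussed; the addresses in main() are the ones quoted in the posts (the instruction address 4BD00 used for the LDR and the table base 56734 are assumptions taken from waynek's guess), and the function names are this example's own.

```c
/* Added example (not from the thread): PC-relative arithmetic for ARM-state
 * code, checked against the addresses quoted in the posts.
 * Build: cc -std=c99 -o armpc armpc.c */
#include <stdint.h>
#include <stdio.h>

/* In ARM state an instruction reads PC as its own address plus 8. */
uint32_t arm_pc_value(uint32_t insn_addr)
{
    return insn_addr + 8;
}

/* Address of the literal-pool slot read by "LDR Rd,[PC,#offset]" at insn_addr. */
uint32_t ldr_literal_address(uint32_t insn_addr, int32_t offset)
{
    return arm_pc_value(insn_addr) + (uint32_t)offset;
}

/* Assemble a little-endian 32-bit word from bytes as they appear in a hex dump. */
uint32_t le32(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* 1 if word is an ARM B/BL (bits 27..25 == 101); the L bit (24) marks BL. */
int is_branch(uint32_t word)
{
    return (word & 0x0E000000u) == 0x0A000000u;
}

int is_bl(uint32_t word)
{
    return is_branch(word) && (word & 0x01000000u) != 0;
}

/* Target of a B/BL at insn_addr: PC + (sign-extended 24-bit word offset) * 4.
 * Returns 0 for a word that is not a branch at all. */
uint32_t branch_target(uint32_t insn_addr, uint32_t word)
{
    if (!is_branch(word))
        return 0;
    uint32_t imm24 = word & 0x00FFFFFFu;
    if (imm24 & 0x00800000u)
        imm24 |= 0xFF000000u;          /* sign-extend; arithmetic wraps mod 2^32 */
    return arm_pc_value(insn_addr) + (imm24 << 2);
}

/* Index of a 4-byte slot inside a table of code pointers (IDA's DCD lines). */
uint32_t jumptable_index(uint32_t table_base, uint32_t slot_addr)
{
    return (slot_addr - table_base) / 4;
}

int main(void)
{
    /* Bytes proposed in the thread for the BL at 4F288 (constructed input). */
    const uint8_t bl_bytes[4] = { 0xA2, 0x05, 0x00, 0xEB };
    uint32_t word = le32(bl_bytes);
    printf("%08X at 4F288: %s, target %05X\n", (unsigned)word,
           is_bl(word) ? "BL" : "not a BL", (unsigned)branch_target(0x4F288u, word));

    /* waynek's "ldr r0,[pc,#0x208]"; its own address is assumed to be 4BD00. */
    printf("LDR R0,[PC,#0x208] at 4BD00 reads the pool slot at %05X\n",
           (unsigned)ldr_literal_address(0x4BD00u, 0x208));

    /* DCD sub_0_4B9E8 at 5673C, in a table assumed to start at 56734. */
    printf("slot 5673C is entry %u of the table at 56734\n",
           (unsigned)jumptable_index(0x56734u, 0x5673Cu));
    return 0;
}
```

The first line of output confirms the arithmetic in the post: (0x50918 - 0x4F288 - 8) / 4 = 0x5A2, stored little-endian after the 0xEB condition/opcode byte.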

waynek
August 28th, 2002, 16:49
Sorry, you've totally lost me now

I think you should tell me what the program is you're looking at, so I can disasm it for myself and make sure I'm looking at the same code as you are...

If you want me to take a look + try to help, private message me the name or publically reply if you want others to help instead hehe!

-WK

hambam
August 28th, 2002, 16:56
Oh, I really sent you a PM, but it has never been read.

I mentioned it already in my very first opening post:

the program comes from 'ia style' found at iastyle.com
the program is called 'phone manager'

Would be very nice if someone throws me a new hint.
I'm running out of ideas.

hambam
September 3rd, 2002, 07:06
OK, I'll simply tell you my next episode...

I've finally found out that I'm able to set a working breakpoint just after entering a serial of free choice.
The program breaks and brings me to 4C6C8. There are a lot of wcscpy's, two registry entries are read ({7CA42CDB-C9A6-4c1d-A803-094B448EC405} and {4286CEC3-9F62-4735-8F5B-677683B1617F})
and then the strange code:

BL j_setjmp
MOVS R3, R0
BNE loc_0_4C838 -> to bad guy str ref
MOV R3, #0x254
ADD R3, SP, R3
MOV R2, #0x19C
ADD R2, SP, R2
ADD R1, SP, #0x5C
ADD R0, SP, #0x18
BL sub_0_4E09C -> a big checking sub

The big sub does the whole checking thing, returning several times at the MOV R3,R0 instead of after the sub (as normally).
As you can imagine, it's no solution to simply nop this BL. The result is that the 'thanks for registering' message is displayed but the prog quits nevertheless. So it seems to be very tricky. I believe that the serial number is used to calculate a different return address. How clever.
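The "returns several times at the MOV R3,R0" behaviour described in this post is the ordinary semantics of setjmp/longjmp: setjmp returns 0 when called directly, and every later longjmp on the same jmp_buf resumes execution at that same call site with the non-zero value passed to longjmp, so the sequence after the call (MOVS R3,R0 / BNE bad_guy) runs once per jump without the called routine ever coming back through its own epilogue. The C program below is an added example, not code from the thread or from the app; its big_check() is a hypothetical stand-in for sub_0_4E09C, and run_check() counts how often the post-setjmp code executes so both paths can be observed.

```c
/* Added example (not from the thread): why a routine guarded by setjmp can
 * "return" at the MOVS R3,R0 site more than once.  Build: cc -o sj sj.c */
#include <setjmp.h>
#include <stdio.h>

static jmp_buf checkpoint;

/* Hypothetical stand-in for the big checking sub (sub_0_4E09C in the post).
 * On failure it never returns normally: longjmp unwinds straight back to the
 * setjmp() call, which then returns the code given here. */
static void big_check(int looks_valid)
{
    if (!looks_valid)
        longjmp(checkpoint, 2);
    /* success: ordinary return through the epilogue */
}

/* Mirrors the fragment "BL setjmp / MOVS R3,R0 / BNE bad_guy / ... / BL sub".
 * Returns how many times the code after setjmp executed; *last_code receives
 * the value setjmp returned on the final pass (0 = direct call, otherwise
 * the longjmp code, i.e. the BNE-taken path). */
int run_check(int looks_valid, int *last_code)
{
    volatile int hits = 0;            /* volatile: modified between setjmp and longjmp */
    int code = setjmp(checkpoint);    /* MOVS R3,R0: 0 on the direct call */
    hits++;
    if (code != 0) {                  /* BNE loc_bad_guy */
        *last_code = code;
        return hits;
    }
    big_check(looks_valid);           /* BL sub_0_4E09C */
    *last_code = 0;
    return hits;
}

int main(void)
{
    int code;
    int n = run_check(1, &code);
    printf("valid input:   setjmp site ran %d time(s), final code %d\n", n, code);
    n = run_check(0, &code);
    printf("invalid input: setjmp site ran %d time(s), final code %d\n", n, code);
    return 0;
}
```

With invalid input the setjmp site runs twice and the second pass sees code 2, which is exactly the "BNE to bad guy str ref" path in the fragment; the decision is made deep inside the called routine, which is why a breakpoint placed right after the BL is never reached on that path.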

waynek
September 3rd, 2002, 12:40
I had a very quick look at this app at the weekend, and I think you're in the correct place now - the string refs I found interesting were 0xC3B5-8, and the subroutine starting @ 4c520 seems to be the one to work on.

I also noticed a string ref that said "This program has been modified" or something similar, so expect a CRC somewhere along your path.

Sorry I don't have time to dig deeper right now, I'm very busy IRL. If you're still looking at it in a week or so, I'll be happy to take another look with you...

-WK

hambam
September 3rd, 2002, 15:08
Yes, C3B8 I found too (thanks...).
The code which loads the str for displaying is found only a couple of bytes below my code snippet (at 4C7B4).

The 'program has been modified' doesn't seem to be a real CRC check. I've made code changes several times now and no problem with this message.
This message is displayed if you try to modify the system date.
So I think it's only there to block some newbies like me (but without success)

I think I will need your assistance next week, because I haven't found a bad guy / good boy switch so far and there's too much knowledge missing.

Deep thx so long and I'm looking forward to your reversing job. (Certainly I'm still on my way to understanding the prog)

hambam
September 6th, 2002, 12:22
In the meanwhile, I've totally run out of new ideas on how to go on, so I decided to simply look through the code and just patch something somewhere, just where the code looks strange.
I know it's the worst way to get any result, but I'm a little bit frustrated now.

Perhaps in the middle of a night a new strategy bites me and I find my way back to seriousness.