Hi everyone, just like to find out if anyone does reverse engineering on Palm OS software. I used to be able to use tools to disassemble programs made for the 86k (motorola) processors but since they came out with Palm OS 5, I can't seem to find any disassemblers that can correctly disassemble OS 5 programs with ARM specific codes (besides IDA which I do not have the processor module for). Anyone knows how to go about it? Thanks for the help.

Like this?

http://www.dreamimpression.com/palmdemon/

Hi Kayaker, thanks for replying. I'm currently using pdemon v0.27 and I think it doesn't support native ARM codes (when I try to disassemble, it gives me a lot of unrecognised "armc" resources). Do you know of any disassemblers that can work with native ARM codes? Thanks for your help.

Hi there. You are right, pdemon doesnt support armlets at the moment. I had looking at adding support in the middle of last year, but documentation was sparse, and test binaries were just non existant.

I would be grateful if you could provide URL's to any PRC's utilising ARM, as I am still interested in adding ARM support when I get a spare moment. Sadly I no longer have time to trawl the palm sites inspecting apps myself

Thanks

Carpii

Hi Carpathia, one program that I've found containing armlet codes is PocketTunes which you can find at: h**p://www.pocket-tunes.com/pockettunes/dl/pTunes1.2.zip
Good luck and thanks for making suck a great disassembler!

Thanks for the information. ARM uses a very elegant instruction set, and so hopefully it shouldnt take very long to add rudimentary support to pdemon.

Although IDA does support the ARM chip, it apparently does not disassemble arm extensions embedded in palm binaries, (possibly due to the fact there seems to be no support for IDA switching processors in the middle of a disassembly, I dont know). Im sure they'll fix this tho ;-)

In the meantime be aware that all calls to a native ARM subroutine must be preceded by trap to PceNativeCall. You can at least possibly use this to determine if anything of interest might be in the ARM routine.

If you havent yet subscribed to the pdemon mailing list, please do so, as that is the only place I announce new versions.

Cheers

Carpii

Hi Carpathia, thanks for the info and good luck with the program enhancements.
Anyway, know of any tutorials that deals with cracking "packed" or "installation" PRCs like Palmwars? When I look at the code of the program, it's just a small code that unpacks its code. Any help will be appreciated. Thanks.

I remember three very old tutes by a guy called BadToast but they were all trivial patches and not really worth reading. Latigo wrote a palm reversing tute on this site, but Im not aware of many others.

There is no way I know of to easily (read quickly) unpack a palm app. It can be done with debuffer, I spent a long time on a doc reader app, dumping portions from debuffer, turning this hex dump back into real binary, and then patching this back into the app and fixing up the structure. Its not much fun but can be done if youre willing to put the time in. Perhaps todays pda debuggers have progressed enough to make this easier, maybe try palmdebugger or southdebugger.

Im hoping to add a feature to pdemon which will allow you to replace code segments, and it will fix up the application structure, but at the moment its just another feature on my long to do list

RE: Palmwars, this is not actually packed that I can tell, but appears to be compiled as a standalone binary written in FORTH (Oh FORTH, my day grows brighter every time we cross paths).

The actual code is held in the p4ap resource, locked into memory by the stub (the only bit of the disassembly palmdemon is showing you), and then executed. This doesnt really help you because you still need to be able to get at the p4ap disassembly. Palmdemon is currently 'in between' versions and so I am reluctant to release a version which allows you to disassemble the p4ap segment. In the meantime however, you should be able to export the resource from pdemon (right click on tree view node), and then run this through one of the other disassemblers (pildis, pilotdis), and see what this brings up. Note that I havent tried this, there is a possibility the dumped p4ap is still packed, with the decompression routine begin written in FORTH :-)
I will investigate further when I have time.

Regards

Carpathia

Thanks for the very lengthy and informative reply. Programs made with Forth is definitely out of my league for the moment. Probably I'll try and look up some information when I get the time. Thanks a lot for the invaluable info.