pocket program need help


einstein
April 27th, 2004, 10:38
Hi,

I hope someone can help me.
This program is for a Pocket PC (like an iPAQ).

Look at this:

.text:00023B38 STMFD SP!, {R4,R5,LR}
.text:00023B3C SUB SP, SP, #8
.text:00023B40 MOV R5, R0
.text:00023B44 ADD R0, SP, #0
.text:00023B48 BL sub_15378
.text:00023B4C ADD R1, SP, #0
.text:00023B50 ADD R0, R5, #0x98
.text:00023B54 BL _GetWindowTextW_CWnd__QBAXAAVCString___Z ; CWnd::GetWindowTextW(CString &
.text:00023B58 ADD R0, SP, #4
.text:00023B5C ADD R1, SP, #0
.text:00023B60 BL __0CString__QAA_ABV0__Z ; CString::CString(CString const &
.text:00023B64 LDR R4, =unk_BB6D4
.text:00023B68 LDR R1, [SP,#4]
.text:00023B6C LDR R0, [R4]
.text:00023B70 BL sub_69E78
.text:00023B74 LDR R0, [R4]
.text:00023B78 LDRB R3, [R0,#0x328]
.text:00023B7C CMP R3, #0
.text:00023B80 BEQ loc_23B94
.text:00023B84 MOV R0, R5
.text:00023B88 BL sub_23890
.text:00023B8C B loc_23BB8
.text:00023B8C ; ---------------------------------------------------------------------------
.text:00023B90 off_23B90 DCD unk_BB6D4 ; DATA XREF: .text:00023B64r
.text:00023B94 ; ---------------------------------------------------------------------------
.text:00023B94
.text:00023B94 loc_23B94 ; CODE XREF: .text:00023B80j
.text:00023B94 MOV R1, #0xAF00
.text:00023B98 LDR R2, =aInvalidRegistr
.text:00023B9C ORR R1, R1, #0xF9
.text:00023BA0 ADD R0, SP, #0
.text:00023BA4 BL sub_3ADF8
.text:00023BA8 LDR R0, [SP]
.text:00023BAC MOV R2, #0
.text:00023BB0 MOV R1, #0x40
.text:00023BB4 BL sub_8F978
.text:00023BB8
.text:00023BB8 loc_23BB8 ; CODE XREF: .text:00023B8Cj
.text:00023BB8 ADD R0, SP, #0
.text:00023BBC BL sub_845F0
.text:00023BC0 ADD SP, SP, #8
.text:00023BC4 LDMFD SP!, {R4,R5,PC}
.text:00023BC4 ; ---------------------------------------------------------------------------
.text:00023BC8 off_23BC8 DCD aInvalidRegistr ; DATA XREF: .text:00023B98r
.text:00023BC8 ; "Invalid registration key!"
.text:00023BCC


At address 23B54 the program reads the serial (I think).
At address 23B70 the serial is checked.
At address 23B80 the program jumps to the invalid regkey.



At sub_69E78 IDA shows this:

.text:00069E78
.text:00069E78 sub_69E78 ; CODE XREF: .text:00023B70p
.text:00069E78 ; sub_66B78+68p
.text:00069E78
.text:00069E78 var_74 = -0x74
.text:00069E78 var_6C = -0x6C
.text:00069E78 var_68 = -0x68
.text:00069E78 var_64 = -0x64
.text:00069E78 var_60 = -0x60
.text:00069E78 var_5C = -0x5C
.text:00069E78 var_5B = -0x5B
.text:00069E78 var_5A = -0x5A
.text:00069E78 var_59 = -0x59
.text:00069E78 var_58 = -0x58
.text:00069E78 var_57 = -0x57
.text:00069E78 var_56 = -0x56
.text:00069E78 var_55 = -0x55
.text:00069E78 var_54 = -0x54
.text:00069E78 var_53 = -0x53
.text:00069E78 var_52 = -0x52
.text:00069E78 var_51 = -0x51
.text:00069E78 var_50 = -0x50
.text:00069E78 var_4F = -0x4F
.text:00069E78 var_4E = -0x4E
.text:00069E78 var_4D = -0x4D
.text:00069E78 var_4A = -0x4A
.text:00069E78 var_46 = -0x46
.text:00069E78 var_C = -0xC
.text:00069E78 arg_0 = 0
.text:00069E78
.text:00069E78 MOV R12, SP
...


What must I do now?

I hope someone can help me.

Regards
Einstein

gabri3l
April 27th, 2004, 15:56
I've never worked with ARM processor instructions before. It looks as if the serial is checked, but here is a list of all the ARM instructions: hxxp://www.heyrick.co.uk/assembler/qfinder.html. A better site is hxxp://www.crhc.uiuc.edu/ECE371EMR/qrc0001c_armside.pdf

Just a quick look at the reference card and we now know:

.text:00023B7C CMP R3, #0 <--- Compare
.text:00023B80 BEQ loc_23B94 <--- Branch (jump) if equal to next instructions
.text:00023B84 MOV R0, R5 <--- continues if it is not equal
.text:00023B88 BL sub_23890
.text:00023B8C B loc_23BB8

Hopefully this helps give you a better understanding of what's going on.

einstein
April 28th, 2004, 12:20
Hello gabri3l,

thanks for your reply.
What do you think I can do?

.text:00023B7C CMP R3, #0 <--- Compare - change to R3, #1 ???
.text:00023B80 BEQ loc_23B94 <--- Branch (jump) if equal to next instructions - I think that's wrong, because I tried to change BEQ to BNE.
So the screen "invalid registration" is never showing.
.text:00023B84 MOV R0, R5 <--- continues if it is not equal - I don't know
.text:00023B88 BL sub_23890
.text:00023B8C B loc_23BB8

I hope you can help me.

Regards
Einstein

gabri3l
April 28th, 2004, 14:48
Another source of ARM knowledge is hxxp://www.peter-cockerell.net:8080/aalp/html/toc.html Chapt. 3 talks about the instruction set.

What happened when you changed the branch and tried registering with an invalid serial?

Are you just trying to patch the program or search for a valid string?

From cockerell.net:
----
There are sixteen instructions, and they have very similar formats. Examples of instructions from this group are ADD and CMP, which add and compare two numbers respectively. As mentioned above, the operands of these instructions are always in registers (or an immediate number stored in the instruction itself), never in memory.
-----
So maybe try keeping an eye on the registers.

einstein
April 28th, 2004, 15:06
Hi gabri3l,

When I changed the ".text:00023B80 BEQ loc_23B94" to BNE
the message "invalid Registration..." does not appear.

Yes, I will patch the program. But I need help, because I am a beginner.

Regards
Einstein

gabri3l
April 28th, 2004, 15:49
Well, if you are just starting out try taking a look at
hxxp://www.searchlores.org/fravia/personalia/ipaq.htm
hxxp://www.woodmann.com/fravia/tsehp_pocketpc.htm

Have you saved the modified program and tried syncing it to your Pocket PC? Did it register?

--This may be better in the newbie forum, not really advanced reversing--

einstein
April 29th, 2004, 11:44
Hi,

Yes, I tried, but with no result. Only the message "invalid registration" is never shown.
There is a second problem. The unregistered program shows the reg screen at short time intervals.
So it is possible to work with the program fully, but it always shows the reg screen. (That's ugly.)
Is it possible that I send the file to you?

What do you mean with the newbie forum?
Where can I find it?

Einstein

einstein
April 29th, 2004, 11:46
OK, sorry.
I see, the newbie forum is here.


Einstein

JMI
April 29th, 2004, 15:05
It's ALL relative.

Regards,

einstein
April 29th, 2004, 15:16
Hi JMI,

Do you know the pocket language?

Einstein

JMI
April 29th, 2004, 15:22
Nope. Sorry.

Was just making a pun on your nick: Einstein.

You know, "the theory of relativity".

Regards,

gabri3l
April 29th, 2004, 19:20
Hello again JMI.

einstein, I just shook my head when you asked where the forum was...

If you want to Private Message me with a link to the prog I'll take a look at it. Though as I said before, I really don't know ARM instructions. In the meantime read up on those tutorials I gave you. Try searching for the call to the message box that asks you to register, or try fishing out the valid serial. As said before, it's probably in a register and is compared to yours.

einstein
April 30th, 2004, 13:11
Hi gabri3l,

Do you have a PDA? Then I can send you the link. Otherwise I must send you the exe file.

Regards
Einstein

gabri3l
April 30th, 2004, 16:18
Yes I do. I will not be home this weekend however. So you can just PM me whenever you get a chance, and I will take a look at it on Monday.

einstein
April 30th, 2004, 16:29
OK, thanks.
See you on Monday.

Ciao
Einstein

akimp3
May 1st, 2004, 08:31
Hi

I have worked a little bit on PPC RE. I have seen in your IDA disassembly
that there is a .text:00023B70 BL sub_69E78 just before the CMP R3,1, so this BL (branch and link) goes to the sub_69E78 subroutine and checks your serial. This subroutine returns 1 if the serial is valid and returns 0 if the serial is invalid, so you should go into this subroutine and find mov Rx,0 and replace it with mov Rx,1. As you know, the serial check routine may be called several times in different parts of the program, so this way the check routine will always return TRUE.
I have attached one of my tutorials to this post; the protection is similar to your target, take a look.

Good luck

akimp3

einstein
May 1st, 2004, 09:28
Hello akimp3,

Thanks for your post.
There is one problem:
At address .text:00069E78 MOV R12, SP there is the sign SP.
What can I do there?

Einstein

einstein
May 2nd, 2004, 05:56
Hi,

I have tried changing MOV to MOVNE and MOVEQ and the program hangs up.
So I must soft reset my iPAQ.

Can somebody help me?

Regards
Einstein

akimp3
May 6th, 2004, 02:33
Hi
Sorry for my late reply. I was out of town.
Please PM me the name of the prog, I will take a look myself.
I have never seen something like the sub_69E78 code.
Another way to solve your problem is to find every BL sub_69E78,
find the CMP R3, #0 and patch the BEQ after it like the first one you did
yourself, but the problem was that you only patched the BEQ at .text:00023B80, but there must be a lot of calls to sub_69E78. Find them
all and patch the BEQ just after the call.

Good luck

akimp3
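The procedure akimp3 describes (find every BL sub_69E78, then patch the BEQ that follows the CMP R3, #0) can be automated over the raw code section. Below is an added example, not code from this thread or from akimp3's tutorial: a Python script that decodes ARM B/BL words, lists every call to a given target and flips the first BEQ after each call to BNE by rewriting only the condition nibble. The byte image is constructed here from the instructions in the first post's listing (0x23B64 to 0x23B90); the 32-bit word values are my own encodings of those lines, since the thread shows no bytes for that region. It assumes 32-bit ARM code, little-endian, with no Thumb. The XREF list for sub_69E78 names a second caller at sub_66B78+68 that the thread never shows, so a real run goes over the whole .text section, and because a linear sweep over raw words can mistake literal-pool data for branches, each hit should be confirmed against IDA's CODE XREF list before patching.

```python
"""
Added example, not code from the thread: find every BL to a subroutine in a
little-endian 32-bit ARM code image and flip the BEQ that follows each call
to BNE. The image is constructed from the first post's IDA listing
(0x23B64..0x23B90); the words are my own encodings of those lines.
"""
import struct

BASE = 0x23B64
LISTING = [  # (address, instruction word, IDA text) -- constructed
    (0x23B64, 0xE59F4024, "LDR R4, =unk_BB6D4"),
    (0x23B68, 0xE59D1004, "LDR R1, [SP,#4]"),
    (0x23B6C, 0xE5940000, "LDR R0, [R4]"),
    (0x23B70, 0xEB0118C0, "BL sub_69E78"),
    (0x23B74, 0xE5940000, "LDR R0, [R4]"),
    (0x23B78, 0xE5D03328, "LDRB R3, [R0,#0x328]"),
    (0x23B7C, 0xE3530000, "CMP R3, #0"),
    (0x23B80, 0x0A000003, "BEQ loc_23B94"),
    (0x23B84, 0xE1A00005, "MOV R0, R5"),
    (0x23B88, 0xEBFFFF40, "BL sub_23890"),
    (0x23B8C, 0xEA000009, "B loc_23BB8"),
    (0x23B90, 0x000BB6D4, "DCD unk_BB6D4"),  # literal pool, not code
]
IMAGE = bytearray(b"".join(struct.pack("<I", w) for _, w, _ in LISTING))

COND_EQ, COND_NE, COND_AL = 0x0, 0x1, 0xE
COND_NAMES = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
              "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]


def word_at(image, base, addr):
    return struct.unpack_from("<I", image, addr - base)[0]


def branch_target(addr, word):
    """Decode a B/BL word at addr -> (cond, link, target), or None.
    Encoding: cond[31:28] 101 L imm24; target = PC+8 + signext(imm24)*4."""
    if (word >> 25) & 7 != 0b101:
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:
        imm24 -= 0x1000000
    return word >> 28, (word >> 24) & 1, (addr + 8 + imm24 * 4) & 0xFFFFFFFF


def find_calls(image, base, target):
    """Addresses of every unconditional BL whose target is `target`.
    Linear sweep over raw words: literal-pool data can alias a branch,
    so confirm hits against IDA's CODE XREF list before patching."""
    hits = []
    for off in range(0, len(image) - 3, 4):
        addr = base + off
        br = branch_target(addr, word_at(image, base, addr))
        if br and br[0] == COND_AL and br[1] == 1 and br[2] == target:
            hits.append(addr)
    return hits


def patch_beq_after_call(image, base, call_addr, window=8):
    """Flip the first BEQ within `window` instructions after call_addr to
    BNE (only the condition nibble changes, the offset stays). Returns the
    patched address, or None when no BEQ follows, so that site is untouched."""
    for addr in range(call_addr + 4, call_addr + 4 + 4 * window, 4):
        if addr - base + 4 > len(image):
            break
        w = word_at(image, base, addr)
        br = branch_target(addr, w)
        if br and br[1] == 0 and br[0] == COND_EQ:
            struct.pack_into("<I", image, addr - base,
                             (w & 0x0FFFFFFF) | (COND_NE << 28))
            return addr
    return None


def patch_all(image, base, target):
    """Patch every call site in place; map call address -> patched BEQ."""
    return {c: patch_beq_after_call(image, base, c)
            for c in find_calls(image, base, target)}


def describe(image, base):
    """Branch-only listing, to eyeball the patch the way the thread does."""
    lines = []
    for off in range(0, len(image) - 3, 4):
        addr = base + off
        br = branch_target(addr, word_at(image, base, addr))
        if br:
            mnem = ("BL" if br[1] else "B") + COND_NAMES[br[0]]
            lines.append(f"{addr:08X} {mnem} {br[2]:X}")
    return lines


if __name__ == "__main__":
    img = bytearray(IMAGE)
    for call, patched in patch_all(img, BASE, 0x69E78).items():
        print(f"call at {call:X}: patched BEQ at {patched:X}")
    print("\n".join(describe(img, BASE)))
```

Flipping only the condition nibble keeps the 24-bit branch offset intact, so the BEQ loc_23B94 at 0x23B80 becomes BNE loc_23B94 (word 1A000003). A call site with no BEQ in the window is reported as None rather than guessed at, which is exactly the kind of site akimp3 says has to be looked at by hand.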

einstein
May 9th, 2004, 11:20
Hi akimp3,

Sorry for my late reply.
Do you have a PDA? (iPAQ)

Otherwise I must send you the exe file.

Here is the whole sub_69E78 code:

.text:00069E78
.text:00069E78 ; =============== S U B R O U T I N E =======================================
.text:00069E78
.text:00069E78
.text:00069E78 sub_69E78 ; CODE XREF: .text:00023B70p
.text:00069E78 ; sub_66B78+68p
.text:00069E78
.text:00069E78 var_74 = -0x74
.text:00069E78 var_6C = -0x6C
.text:00069E78 var_68 = -0x68
.text:00069E78 var_64 = -0x64
.text:00069E78 var_60 = -0x60
.text:00069E78 var_5C = -0x5C
.text:00069E78 var_5B = -0x5B
.text:00069E78 var_5A = -0x5A
.text:00069E78 var_59 = -0x59
.text:00069E78 var_58 = -0x58
.text:00069E78 var_57 = -0x57
.text:00069E78 var_56 = -0x56
.text:00069E78 var_55 = -0x55
.text:00069E78 var_54 = -0x54
.text:00069E78 var_53 = -0x53
.text:00069E78 var_52 = -0x52
.text:00069E78 var_51 = -0x51
.text:00069E78 var_50 = -0x50
.text:00069E78 var_4F = -0x4F
.text:00069E78 var_4E = -0x4E
.text:00069E78 var_4D = -0x4D
.text:00069E78 var_4A = -0x4A
.text:00069E78 var_46 = -0x46
.text:00069E78 var_C = -0xC
.text:00069E78 arg_0 = 0
.text:00069E78
.text:00069E78 0D C0 A0 E1 MOV R12, SP ; Rd = Op2
.text:00069E7C 0F 00 2D E9 STMFD SP!, {R0-R3} ; Store Block to Memory
.text:00069E80 F0 5F 2D E9 STMFD SP!, {R4-R12,LR} ; Store Block to Memory
.text:00069E84 3C D0 4D E2 SUB SP, SP, #0x3C ; Rd = Op1 - Op2
.text:00069E88 00 40 A0 E1 MOV R4, R0 ; Rd = Op2
.text:00069E8C CE AF 84 E2 ADD R10, R4, #0x338 ; Rd = Op1 + Op2
.text:00069E90 01 30 A0 E3 MOV R3, #1 ; Rd = Op2
.text:00069E94 0A 00 A0 E1 MOV R0, R10 ; Rd = Op2
.text:00069E98 28 33 C4 E5 STRB R3, [R4,#0x328] ; Store to Memory
.text:00069E9C A4 69 00 EB BL sub_84534 ; Branch with Link
.text:00069EA0 00 00 8D E2 ADD R0, SP, #0 ; Rd = Op1 + Op2
.text:00069EA4 68 10 8D E2 ADD R1, SP, #0x68 ; Rd = Op1 + Op2
.text:00069EA8 55 69 00 EB BL __0CString__QAA_ABV0__Z ; CString::CString(CString const &
.text:00069EAC 00 10 9D E5 LDR R1, [SP,#0x74+var_74] ; Load from Memory
.text:00069EB0 28 00 8D E2 ADD R0, SP, #0x28 ; Rd = Op1 + Op2
.text:00069EB4 18 C4 FF EB BL sub_5AF1C ; Branch with Link
.text:00069EB8 04 00 50 E3 CMP R0, #4 ; Set cond. codes on Op1 - Op2
.text:00069EBC 6F 00 00 1A BNE loc_6A080 ; Branch
.text:00069EC0 1B 30 A0 E3 MOV R3, #0x1B ; Rd = Op2
.text:00069EC4 BA 22 DD E1 LDRH R2, [SP,#0x74+var_4A] ; Load from Memory
.text:00069EC8 18 30 CD E5 STRB R3, [SP,#0x74+var_5C] ; Store to Memory
.text:00069ECC 02 30 A0 E3 MOV R3, #2 ; Rd = Op2
.text:00069ED0 19 30 CD E5 STRB R3, [SP,#0x74+var_5B] ; Store to Memory
.text:00069ED4 48 30 A0 E3 MOV R3, #0x48 ; Rd = Op2
.text:00069ED8 1A 30 CD E5 STRB R3, [SP,#0x74+var_5A] ; Store to Memory
.text:00069EDC 09 30 A0 E3 MOV R3, #9 ; Rd = Op2
.text:00069EE0 1C 30 CD E5 STRB R3, [SP,#0x74+var_58] ; Store to Memory
.text:00069EE4 63 30 A0 E3 MOV R3, #0x63 ; Rd = Op2
.text:00069EE8 1D 30 CD E5 STRB R3, [SP,#0x74+var_57] ; Store to Memory
.text:00069EEC 08 30 A0 E3 MOV R3, #8 ; Rd = Op2
.text:00069EF0 1F 30 CD E5 STRB R3, [SP,#0x74+var_55] ; Store to Memory
.text:00069EF4 47 30 A0 E3 MOV R3, #0x47 ; Rd = Op2
.text:00069EF8 20 30 CD E5 STRB R3, [SP,#0x74+var_54] ; Store to Memory
.text:00069EFC 16 30 A0 E3 MOV R3, #0x16 ; Rd = Op2
.text:00069F00 21 30 CD E5 STRB R3, [SP,#0x74+var_53] ; Store to Memory
.text:00069F04 13 30 A0 E3 MOV R3, #0x13 ; Rd = Op2
.text:00069F08 23 30 CD E5 STRB R3, [SP,#0x74+var_51] ; Store to Memory
.text:00069F0C 0B 30 A0 E3 MOV R3, #0xB ; Rd = Op2
.text:00069F10 24 30 CD E5 STRB R3, [SP,#0x74+var_50] ; Store to Memory
.text:00069F14 11 30 A0 E3 MOV R3, #0x11 ; Rd = Op2
.text:00069F18 25 30 CD E5 STRB R3, [SP,#0x74+var_4F] ; Store to Memory
.text:00069F1C 0C 30 A0 E3 MOV R3, #0xC ; Rd = Op2
.text:00069F20 26 30 CD E5 STRB R3, [SP,#0x74+var_4E] ; Store to Memory
.text:00069F24 0F 30 A0 E3 MOV R3, #0xF ; Rd = Op2
.text:00069F28 27 30 CD E5 STRB R3, [SP,#0x74+var_4D] ; Store to Memory
.text:00069F2C 04 00 A0 E3 MOV R0, #4 ; Rd = Op2
.text:00069F30 B8 32 DD E1 LDRH R3, [SP,#0x28] ; Load from Memory
.text:00069F34 1B 00 CD E5 STRB R0, [SP,#0x74+var_59] ; Store to Memory
.text:00069F38 03 38 A0 E1 MOV R3, R3,LSL#16 ; Rd = Op2
.text:00069F3C 1E 00 CD E5 STRB R0, [SP,#0x74+var_56] ; Store to Memory
.text:00069F40 02 30 83 E0 ADD R3, R3, R2 ; Rd = Op1 + Op2
.text:00069F44 BE 22 DD E1 LDRH R2, [SP,#0x74+var_46] ; Load from Memory
.text:00069F48 08 30 8D E5 STR R3, [SP,#0x74+var_6C] ; Store to Memory
.text:00069F4C BC 32 DD E1 LDRH R3, [SP,#0x74+var_4A+2] ; Load from Memory
.text:00069F50 22 00 CD E5 STRB R0, [SP,#0x74+var_52] ; Store to Memory
.text:00069F54 18 00 8D E2 ADD R0, SP, #0x18 ; Rd = Op1 + Op2
.text:00069F58 03 38 A0 E1 MOV R3, R3,LSL#16 ; Rd = Op2
.text:00069F5C 02 30 83 E0 ADD R3, R3, R2 ; Rd = Op1 + Op2
.text:00069F60 0C 30 8D E5 STR R3, [SP,#0x74+var_68] ; Store to Memory
.text:00069F64 A7 C3 FF EB BL sub_5AE08 ; Branch with Link
.text:00069F68 10 10 8D E2 ADD R1, SP, #0x10 ; Rd = Op1 + Op2
.text:00069F6C 08 00 8D E2 ADD R0, SP, #8 ; Rd = Op1 + Op2
.text:00069F70 86 C3 FF EB BL sub_5AD90 ; Branch with Link
.text:00069F74 10 90 9D E5 LDR R9, [SP,#0x74+var_64] ; Load from Memory
.text:00069F78 14 70 9D E5 LDR R7, [SP,#0x74+var_60] ; Load from Memory
.text:00069F7C 14 31 9F E5 LDR R3, =__itod ; Load from Memory
.text:00069F80 29 88 A0 E1 MOV R8, R9,LSR#16 ; Rd = Op2
.text:00069F84 27 08 A0 E1 MOV R0, R7,LSR#16 ; Rd = Op2
.text:00069F88 00 30 93 E5 LDR R3, [R3] ; Load from Memory
.text:00069F8C 0F E0 A0 E1 MOV LR, PC ; Rd = Op2
.text:00069F90 03 F0 A0 E1 MOV PC, R3 ; Rd = Op2



OK, that's it.
I changed at address 00069E90 MOV R3, #0 to R3, #1
(Here you can see it.)

So the program is registered. But not 100%.

Regards
Einstein

akimp3
May 10th, 2004, 11:46
Hi

Yes, I have a PDA (POCKET LOOX 600 WM2003).

As I have seen (a quick look), your patching in this routine is
100% correct, so it must be other subroutines we have to patch.
What does the program show you that makes you understand it is not
100% registered? A msgbox, a label? Tell me this and we should
localize it (the msgbox or the label) in IDA and deactivate the jump
to it.

Good luck

akimp3

einstein
May 10th, 2004, 11:58
Hi,

OK, thanks.

When the program is registered, you must see the program serial number
and the date till which you can update for free.

For me, the program shows 00000 for the program serial number and nothing
about the date till which you can update. I think that is not so correct.

But the program works fine.

Now you have a PM.

Einstein

einstein
May 30th, 2004, 10:41
Hi Akimp3,

Are you back?
I have another target. I think this is not as simple as my first.

Einstein

akimp3
June 1st, 2004, 10:27
Quote:
[Originally Posted by einstein]Hi Akimp3,

Are you back?
I have another target. I think this is not as simple as my first.

Einstein

Hi

I am back and badly stuck on see ** ****** program.
I always have the 0000 serial problem and I can't find how the
serial is validated to be able to construct a valid one. I am really
sorry, but I think some expert should take a look at the routine.
I have also tried to crack it another way (from the unregistered
string in IDA), but the same problem is there. I think for now
you should download the latest version from the site and crack it
this way.
About your new target, please PM me more info and I will look at it.
The biggest problem in PPC reversing is the lack of a good debugger;
the EVC debugger is not good at all compared to OllyDbg and SoftICE, ...
that we use on PC. Maybe someone should start to write a debugger
for PPC.
I will wait for your PM.

akimp3

einstein
June 1st, 2004, 11:07
Hi,

Cool. You have a PM.

Einstein

einstein
June 9th, 2004, 14:48
Hi akimp3,

Your message box is full. Please delete some mails.

I found our target with a crack on eMule.
Do you think it is possible to compare the original exe file with the cracked one?
So we can find out where we must change the exe.

What do you think?
I found a tool called Code Fusion Wizard.

Do you know about this?

Regards
Einstein

einstein
June 12th, 2004, 11:53
Hi,

You are great.
Very nice. It works.

I have changed the code at the three addresses to FF B0 0B E2.

Can you tell me how you found out these three codes?
I will learn it for the next update.

Thanks
Einstein

PS.
Delete some mails from your account. I can't send you a PM.

akimp3
June 13th, 2004, 04:27
Hi

For the first 2 addresses, these are addresses that jump to the only reference
of the message "enter valid password in simulator about menu".
And for the other one, you should find all the calls to SetTimer,
see the parameters; only one call has 92000h as parameter.
Convert it to decimal = 555149100, divide it by 1000 (the SetTimer parameter is
in milliseconds) = 598.016, then divide it by 60 = 9.9669333333333333333333333333333.
This is 9.96 minutes or 10 minutes as you told me.
And it is the only call that sets the timer to raise an event every
10 minutes, so we patch it.
That's it. You can ask me if there is any other detail you want to know.

bye

akimp3

Quote:
[Originally Posted by einstein]ps.
delete some mails from you acount. I can't send you pm.

It's done, you can send me PMs.

einstein
June 14th, 2004, 12:49
Hi akimp3,

Thanks.
There is one question for me:

How did you come up with the opcode FF B0 0B E2? (AND R11, R11, #0xFF)
How did you find this out?

What is register 11?

Regards
Einstein

akimp3
June 15th, 2004, 05:41
Hi

As you know there is no NOP operation in the ARM processor.
The AND of A and A gives you A, and the AND of A and FF (logic 1)
also gives A. So AND R11, R11, #0xFF changes nothing and I
used it as a NOP. You can find the opcode in my first PPC RE
tutorial.

Good luck

akimp3
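To see where the bytes FF B0 0B E2 come from, here is an added example (not from the thread or from akimp3's tutorial) in Python that encodes and decodes the ARM data-processing immediate form, including the rotated 8-bit immediate, plus the unshifted register MOV. It checks itself against bytes shown in the listing above (01 30 A0 E3 for MOV R3, #1, 04 00 50 E3 for CMP R0, #4, 0D C0 A0 E1 for MOV R12, SP) and carries the caveat a practitioner wants before using AND Rd, Rd, #0xFF as filler: the instruction keeps Rd only when bits 8 to 31 are already zero, so it is only harmless where that holds, and the encoding ARM assemblers emit for NOP on this class of core is MOV R0, R0 (E1A00000). Register names and immediate formatting follow IDA's style in the listing; nothing here is the program's own code.

```python
"""
Added example, not code from the thread: encode/decode the ARM
data-processing immediate form (cond 001 opcode S Rn Rd rotate imm8) and the
plain register MOV, in little-endian 32-bit words as in the IDA listing.
"""
import struct

OPS = ["AND", "EOR", "SUB", "RSB", "ADD", "ADC", "SBC", "RSC",
       "TST", "TEQ", "CMP", "CMN", "ORR", "MOV", "BIC", "MVN"]
COMPARES = {"TST", "TEQ", "CMP", "CMN"}   # always set flags, no Rd
MOVES = {"MOV", "MVN"}                    # no Rn
CONDS = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
         "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]
AL = 14


def ror32(v, n):
    n %= 32
    return ((v >> n) | (v << (32 - n))) & 0xFFFFFFFF


def reg(n):
    return {13: "SP", 14: "LR", 15: "PC"}.get(n, f"R{n}")


def imm_str(v):
    return f"#{v}" if v < 10 else f"#0x{v:X}"   # IDA's style in the listing


def encode_imm(value):
    """(rotate, imm8) with imm8 ROR (2*rotate) == value; ValueError if impossible."""
    value &= 0xFFFFFFFF
    for rot in range(16):
        imm8 = ror32(value, 32 - 2 * rot)        # rotate left by 2*rot
        if imm8 < 0x100:
            return rot, imm8
    raise ValueError(f"{value:#x} is not an ARM rotated immediate")


def encode_dp_imm(op, rd, rn, value, cond=AL, s=False):
    """Data processing with an immediate operand, e.g. AND R11, R11, #0xFF."""
    rot, imm8 = encode_imm(value)
    s = s or op in COMPARES
    return ((cond << 28) | (1 << 25) | (OPS.index(op) << 21) | (int(s) << 20)
            | (rn << 16) | (rd << 12) | (rot << 8) | imm8)


def encode_mov_reg(rd, rm, cond=AL):
    """MOV Rd, Rm with no shift; MOV R0, R0 (E1A00000) is the usual ARM NOP."""
    return (cond << 28) | (0xD << 21) | (rd << 12) | rm


def decode(word):
    """Text for a data-processing word (immediate, or unshifted register MOV)."""
    cond = CONDS[word >> 28]
    op = OPS[(word >> 21) & 0xF]
    s = (word >> 20) & 1
    rn, rd = (word >> 16) & 0xF, (word >> 12) & 0xF
    kind = (word >> 25) & 7
    if kind == 1:
        operand = imm_str(ror32(word & 0xFF, 2 * ((word >> 8) & 0xF)))
    elif kind == 0 and (word >> 4) & 0xFF == 0:    # register, no shift
        operand = reg(word & 0xF)
    else:
        raise ValueError(f"{word:08X}: not a data-processing form handled here")
    mnem = op + cond + ("S" if s and op not in COMPARES else "")
    if op in COMPARES:
        return f"{mnem} {reg(rn)}, {operand}"
    if op in MOVES:
        return f"{mnem} {reg(rd)}, {operand}"
    return f"{mnem} {reg(rd)}, {reg(rn)}, {operand}"


def to_bytes(word):
    return struct.pack("<I", word)


def from_bytes(b):
    return struct.unpack("<I", b)[0]


def and_ff_preserves(r):
    """AND Rd, Rd, #0xFF leaves Rd unchanged only when bits 8..31 are already 0."""
    return (r & 0xFF) == r


if __name__ == "__main__":
    for hexbytes in ("FFB00BE2", "0130A0E3", "040050E3", "0DC0A0E1"):
        print(hexbytes, decode(from_bytes(bytes.fromhex(hexbytes))))
    print("NOP:", to_bytes(encode_mov_reg(0, 0)).hex().upper())
```

Running it shows the patch bytes decode exactly as the thread says, and that a conditional variant such as MOVNE R3, #1 differs from MOV R3, #1 only in the top nibble (1 for NE, E for always), which is why changing that nibble makes the store of the flag depend on stale condition codes.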

einstein
June 16th, 2004, 07:26
Hi,

Cool. OK.
I didn't know that.

Now I am again a bit more clever.


Thanks for your help.

Regards
Einstein

akimp3
June 17th, 2004, 02:54
Hi

I wish you good luck.

Akimp3

einstein
June 19th, 2004, 06:16
Thanks, thanks.

I hope I can learn more about this.
But at the moment I have no target.

So I will still wait and wait and wait...
But the updates will come, and then I will start a new session.

OK,
thanks for all your help.
You're great.


Regards
Einstein

einstein
April 20th, 2005, 10:42
Hi akimp3,

Do you remember me?
It is now half a year ago that we wrote about my target.

But the problem I have is the new function in my target.
I don't understand it.

I hope you can help me.

Best Regards
Einstein