Hi,

i got an Pocket PC (ARM) Apllication Exe with DLL.

When you enter the wrong Serial the Programm pops up a MessageBox with a Message like this: "Your Serial is wrong."

My Problem is, the Text "Your Serial is wrong." is in an DLL (Language.DLL)

How do i find the Adress of the Text in the DLL in the EXE?
Cause im searching the point in the EXE that pops these MessageBox.

(I think i had to find the adress in the dll, calculate the adress where the string is loaded from memory in the exe and search for the messagebox that displays these string?)

I done some search in this forum but the posts about a dll are not so usefull for me!

Several options, the simplest, at least in theory is to trace the application live, with a debugger. Search this board and EXE tools board, If I remember correctly, ShubNigurath wrote an EXELLENT tutorial about setting up a debugger for Pocket PC apps. Then you would need to put a memory read breakpoint on the bad boy string and trace your way back to the area in the .exe code that displays the message.

2) Look for calls to MessageBox in the exe. If you are lucky there could be a small number of them, and you can play to modify them.

In any event, because the complications of indirect calling and run-time indirection, I doubt your problem is solvable without live tracing.

Why so difficult? I guess the message is from a resource? So the program needs to read it before it can be used. A simple search for LoadResource or LoadString should do the trick or a specific search for the immediate with the number of the resource with a call to one of these functions directly beneath it will reveal the place where it's used. Be aware that some constants can't be loaded directly into registers with ARM instructions so you likely will see code like LDR R0, #0x450 and ORR R0, R0, #1 to get 0x451 for example.

Thanx both of you.

Hey Iwarez, nice Tip. It works ID was 400 and i found something with 0x190.
I made some changes and it works but the app checks a little bit later the same serial.. i found out that cryptlib is used. the next dialog that pops up uses the DLL String ID 401. but mvt wont stop on any of the four 0x191 i found in the text... Any Idea?

I never use evc for debugging ppc apps. I do it all with IDA. Offcourse the program can't be run then You could try to modify the codes referencing the 0x191 so that they generate an exception. You will then be sure the code you modified is run. If there is no exception you know you are at the wrong spot and can try again at a different location. Other that this I can't give any more options without knowing the app.