RegEditCE v1.0 for the PocketPC (SH3) – Goatass
Published by Tsehp
2002
Recommended readings:
---------------------
Windows CE Platform SDK (HPC Pro) - www.microsoft.com
SH3 programming manual - www.hitachi-eu.com/hel/ecg/products/micro/pdf/sh7700p.pdf
Any tutorial on PocketPC -
Tools:
------
IDA 4.15
WindowsCE SDK
PocketPC (I used the Jornada)
The target:
-----------
As you can tell from the name, this is a Registry Editor tool for the PocketPC running WindowsCE.
It's a very useful tool and it works really well.
Introduction:
-------------
This little program allows you to browse your registry, but you can not edit anything. That is a big drawback, so I decided to fix that.

Let's begin by checking out the program. Run it, go to "About", click the "Register" button, enter some fake info and click OK. Write down the error that you get and let's go find it.
Open up the executable in a resource editor and check out the string refs. The first one is what we want; we mainly care about string refs 9 and 10 (0xA).

Open up the executable in IDA and do a text search for #h'a. This will find any reference by the application to that particular resource, the "Invalid registration" message. The first occurrence is not what we are looking for; just look at the code around it and you will see it's nothing interesting. The second occurrence is what we want, look here:
.text:00015216    mov     #h'A, r5              ; Invalid reg message
.text:00015218    jsr     @r0                   ; _LoadStringW
.text:0001521A    mov.l   @r3, r4
.text:0001521C    mov.l   @(h'68,pc), r0        ; [00015288] = _MessageBoxW
.text:0001521E    mov     #8, r5
.text:00015220    mov.l   @(h'54,pc), r6        ; [00015278] = unk_1CB10
.text:00015222    mov     r8, r4
.text:00015224    mov     #h'30, r7             ; '0'
.text:00015226    jsr     @r0                   ; _MessageBoxW
Scrolling up a bit we see:

.text:0001520A loc_1520A:                       ; CODE XREF: .text:000151A0j

Follow that XREF back to the caller and we land here:
.text:0001519A    bsr     sub_14EBC
.text:0001519C    add     r14, r4
.text:0001519E    tst     r0, r0
.text:000151A0    bt      loc_1520A             ; <-- we land here
The bsr sub_14EBC looks very interesting, since its returned value caused us to hit the "Invalid Registration" message, so let's check it out.

At first we see some checks to verify that the user entered an e-mail address and a serial, then there are some checks against blacklisted e-mail addresses; it's pretty simple to spot. Following the code along you can see some more length checks and stuff, but towards the end of the sub-routine we see something that might just be what we are looking for.
.text:00014F40    jsr     @r0                   ; _wsprintfW
.text:00014F42    add     r15, r4
.text:00014F44    mov.l   @(h'58,pc), r0        ; [00014FA0] = _wcscpy
.text:00014F46    mov.l   @(h'3C,pc), r4        ; [00014F84] = unk_1CB74
.text:00014F48    jsr     @r0                   ; _wcscpy
.text:00014F4A    mov     r8, r5
.text:00014F4C    mov.l   @(h'4C,pc), r0        ; [00014F9C] = _wcscmp
.text:00014F4E    mov     #h'10, r4
.text:00014F50    mov     r10, r5
.text:00014F52    jsr     @r0                   ; _wcscmp
.text:00014F54    add     r15, r4
.text:00014F56    tst     r0, r0                ; if true T bit = 1
.text:00014F58    movt    r0                    ; change to mov #1, r0 (01E0)
In the code above we see that the program formats an unsigned long number, copies it and compares it to something. It's hard to tell where each number being compared came from, but we will assume it's our serial and a good serial. Without tracing it's hard to really tell what's going on, but we can guess. The tail is clear enough, though: tst r0, r0 sets the T bit when wcscmp returned 0 (the two strings matched), and movt r0 copies the T bit into r0, so the routine returns 1 only on a match and the caller's bt sends a 0 straight to the error message.
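To see why the bytes 29 00 are movt r0 and 01 E0 are mov #1, r0, and how the T bit carries wcscmp's result through movt into the caller's bt, here is a small SH-3 decoder and T-bit model. It is an added example for this write-up, not code from the original tutorial or from the RegEditCE program. The bit patterns come from the SH-3 programming manual listed above; the sample bytes for .text:00014F4C to .text:00014F58 were re-encoded from the IDA mnemonics (the tutorial itself only gives the two bytes of movt r0), so treat them as constructed test data.

```python
# Added example (not part of the original tutorial): a minimal SH-3 decoder
# covering only the instruction forms that occur in the listings above, plus a
# model of the T-bit dataflow behind the `tst r0,r0 ; movt r0` tail.
# Encodings follow the SH-3 programming manual. The sample bytes below were
# re-encoded by hand from the IDA mnemonics (the page only gives 29 00 for
# `movt r0`), so they are constructed test data, not bytes taken from the file.

def decode(word, addr=0):
    """Decode one 16-bit SH-3 instruction word. `addr` is the instruction's own
    address; the PC-relative forms need it to compute their target."""
    n = (word >> 8) & 0xF        # Rn field
    m = (word >> 4) & 0xF        # Rm field
    imm8 = word & 0xFF           # 8-bit immediate / displacement (printed raw)
    if word & 0xF000 == 0xE000:                  # 1110nnnniiiiiiii  mov #imm,Rn
        return f"mov #{imm8:#x}, r{n}"
    if word & 0xF0FF == 0x0029:                  # 0000nnnn00101001  movt Rn
        return f"movt r{n}"
    if word & 0xF00F == 0x2008:                  # 0010nnnnmmmm1000  tst Rm,Rn
        return f"tst r{m}, r{n}"
    if word & 0xF00F == 0x6003:                  # 0110nnnnmmmm0011  mov Rm,Rn
        return f"mov r{m}, r{n}"
    if word & 0xF00F == 0x6002:                  # 0110nnnnmmmm0010  mov.l @Rm,Rn
        return f"mov.l @r{m}, r{n}"
    if word & 0xF00F == 0x300C:                  # 0011nnnnmmmm1100  add Rm,Rn
        return f"add r{m}, r{n}"
    if word & 0xF0FF == 0x400B:                  # 0100mmmm00001011  jsr @Rm
        return f"jsr @r{m}"
    if word & 0xF000 == 0xD000:                  # 1101nnnndddddddd  mov.l @(disp,PC),Rn
        disp = imm8 * 4          # IDA shows the displacement already scaled by 4
        target = ((addr + 4) & ~3) + disp
        return f"mov.l @({disp:#x},pc), r{n} ; [{target:08X}]"
    if word & 0xFF00 == 0x8900:                  # 10001001dddddddd  bt label
        disp = imm8 - 0x100 if imm8 & 0x80 else imm8
        return f"bt {addr + 4 + disp * 2:#x}"
    if word & 0xF000 == 0xB000:                  # 1011dddddddddddd  bsr label
        d12 = word & 0xFFF
        disp = d12 - 0x1000 if d12 & 0x800 else d12
        return f"bsr {addr + 4 + disp * 2:#x}"
    return f".word {word:#06x}"


def decode_listing(blob, base):
    """Decode a little-endian byte string (Windows CE on SH-3 is little-endian,
    which is why `movt r0` = 0x0029 shows up in the file as 29 00)."""
    out = []
    for off in range(0, len(blob) - 1, 2):
        word = int.from_bytes(blob[off:off + 2], "little")
        out.append((base + off, decode(word, base + off)))
    return out


def tst(rm, rn):
    """tst Rm,Rn: T = 1 if (Rm & Rn) == 0, else 0. No register is written."""
    return 1 if ((rm & rn) & 0xFFFFFFFF) == 0 else 0


def check_tail(wcscmp_result):
    """Model of sub_14EBC's last two instructions, `tst r0,r0` then `movt r0`:
    returns the value left in r0, which is 1 only when wcscmp reported equality."""
    t = tst(wcscmp_result, wcscmp_result)
    return t                     # movt r0: r0 = T


def caller_takes_error_branch(r0):
    """Model of the caller's `tst r0,r0 ; bt loc_1520A`: the branch to the
    'Invalid registration' message is taken exactly when r0 is zero."""
    return tst(r0, r0) == 1


# Constructed bytes for .text:00014F4C..00014F58, re-encoded from the mnemonics.
TAIL_BYTES = bytes([
    0x13, 0xD0,   # 00014F4C  mov.l @(h'4C,pc), r0   (disp field 0x13 * 4 = 0x4C)
    0x10, 0xE4,   # 00014F4E  mov   #h'10, r4
    0xA3, 0x65,   # 00014F50  mov   r10, r5
    0x0B, 0x40,   # 00014F52  jsr   @r0
    0xFC, 0x34,   # 00014F54  add   r15, r4
    0x08, 0x20,   # 00014F56  tst   r0, r0
    0x29, 0x00,   # 00014F58  movt  r0               (the page's 29 00)
])

if __name__ == "__main__":
    for addr, text in decode_listing(TAIL_BYTES, 0x14F4C):
        print(f".text:{addr:08X}    {text}")
    print("mov #1, r0 is", f"{0xE001:04X}", "->", decode(0xE001))
    for res in (0, 7, -1):
        r0 = check_tail(res)
        print(f"wcscmp -> {res:3d}: r0 = {r0}, "
              f"error branch taken = {caller_takes_error_branch(r0)}")
```

Running it prints the seven instructions at their addresses, confirms that 0xE001 decodes to mov #0x1, r0, and shows that only a wcscmp result of 0 leaves r0 = 1 and keeps the caller off the error branch. The PC-relative decoder reproduces the bracketed targets IDA shows (e.g. [00014F9C] for the mov.l at 00014F4C), which is a handy sanity check when matching a disassembly against raw bytes.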
So did you spot how to patch this program? Here is what I did:

.text:00014F56    tst     r0, r0
.text:00014F58    mov     #1, r0

So get the offset of .text:00014F58 movt r0 and check out the bytes: 29 00. Change them to: 01 E0.
Remember that these instructions are only 2 bytes each. Save your patched file and upload it back to the device. Click the "Register" button, enter any e-mail and any serial and click OK. That's it.
Greets: zip, crackz, +

Peace!