Pocket PC reversing SlovoED
A 5 minute crack

Your_date
by +Tsehp
 
Courtesy of Fravia's page of reverse engineering
slightly edited
+Tsehp
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner (x)Intermediate ( )Advanced ( )Expert

Essays concerning pocket pc are pretty hard to find, so I begin here with the usual first steps : Download every possible docs and try to switch to this emerging world, the pocket pc's.
Pocket PC reversing SlovoED
A 5 minute crack
Written by Tsehp


Introduction 
The main purpose of this essay is to adapt yourself on the ARM processor that populate most of pocket pcs running windows ce.
You'll find all processor related doc here.
Instructions seems to be pretty close than palm device, read latigo's related essays on this site.


Tools required
Ida 4.15
Exescope (res editor)
windows ce sdk (download at micro$oft)


Target's URL/FTP
http://www.penreader.com/download/Dictionaries.html

Multiple dictionnaries made for pda's.

Essay 
Install every language you want on your pocket pc, then you'll realise that the trial version shows "unregistered copy..." instead of the
translation of 1 word of 2.
Try to register on about box, and note the msg : Incorrect serial number

Launch exescope and look at the strings numbers into slovoed.exe's resource part, you note dec 40020 -> 0x9c54

Launch ida and disassemble slovoed.exe, you'll find the commctrl.dll and others after you have installed the windows ce sdk, the download is
pretty big , about 300 megs. But worth the time, there's a nice emulator and a debugger.

Seach for 0x9c54 in ida listing, you'll find nothing...

But we're on still on windows, so what api is used to load a string from a resource ? LoadstringA or LoadstringW.

Look at the ida listing and check all the refs, you'll land here :

.text:00016788                 BEQ     loc_167E0
.text:0001678C                 EOR     R3, R2, R1
.text:00016790                 CMP     R3, R0
.text:00016794                 BEQ      loc_167E0
.text:00016798                 LDR     R0, =unk_21428
.text:0001679C                 MOV     R1, #0x9C00
.text:000167A0                 MOV     R3, #0x64
.text:000167A4                 LDR     R0, [R0]
.text:000167A8                 ADD     R2, SP, #0x10
.text:000167AC                 ORR     R1, R1, #0x54   <- 0x54 + 0x9c00 = 9c54 , bingo !
.text:000167B0                 BL      LoadStringW     
.text:000167B0                                         
.text:000167B4                 MOV     R3, #0x40000
.text:000167B8                 LDR     R2, =unk_22C74
.text:000167BC                 ORR     R3, R3, #0x10
.text:000167C0                 ADD     R1, SP, #0x10
.text:000167C4                 MOV     R0, #0
.text:000167C8                 BL      MessageBoxW
.text:000167CC                 B       loc_16850

So you just have to change the BEQ at 16794 to B meaning in hex 0x0a to 0xea

Use activesync to upload the modified slovoed.exe into your pocket pc, register with any serial, and it works !!! All the words are translated.

Final Notes 
I hope that this essay will be the first to the pocket pc series, consider buying one, especially the hp jornada 568, it's a jewel.


Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.
You are deep inside Fravia's page of reverse engineering, choose your way out:


redhomepage redlinks redsearch_forms red+ORC redhow to protect redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?