RegEditCE v1.0 for the PowerPC (SH3) – Goatass

Published by Tsehp 2002

 

 

Recommended readings:

---------------------

Windows CE Platform SDK (HPC Pro) - www.microsoft.com

SH3 programming manual - www.hitachi-eu.com/hel/ecg/products/micro/pdf/sh7700p.pdf

Any tutorial on PocketPC - tsehp.cjb.net

 

Tools:

------

IDA 4.15

WindowsCE SDK

PocketPC (I used the Jornada)

 

The target:

-----------

As you can tell from the name this is a Registry Editor tool for the PowerPC running

WindowsCE.  It's a very useful tool and it works really well.

 

Introduction:

-------------

This little program allows you to browse your registry but you can not edit anything.

That is a big drawback so I decided to fix that.

 

Let's begin by checking out the program.  Run it and go to "About", click the "Register"

button, enter some fake info and click OK.  Write down the error that you get and let's

go find it.  Open up the executable in a resource editor and check out the string refs.

The first one is what we want; we mainly care about string refs 9 and 10 (0xA).

Open up the executable in IDA and do a text search for #h'a; this finds every reference

the application makes to that particular resource, the "Invalid registration"

message.  The first occurrence is not what we are looking for; just look at the code

around it and you will see it's nothing interesting.

The second occurrence is what we want, look here:

 

.text:00015216                 mov     #h'A, r5        ; Invalid reg message

.text:00015218                 jsr     @r0 ; _LoadStringW

.text:0001521A                 mov.l   @r3, r4

.text:0001521C                 mov.l   @(h'68,pc), r0 ; [00015288] = _MessageBoxW

.text:0001521E                 mov     #8, r5

.text:00015220                 mov.l   @(h'54,pc), r6 ; [00015278] = unk_1CB10

.text:00015222                 mov     r8, r4

.text:00015224                 mov     #h'30, r7 ; '0'

.text:00015226                 jsr     @r0 ; _MessageBoxW

 

Scrolling up a bit we see:

 

.text:0001520A loc_1520A:                              ; CODE XREF: .text:000151A0j

 

Follow that xref back to the caller and we land here:

 

.text:0001519A                 bsr     sub_14EBC

.text:0001519C                 add     r14, r4

.text:0001519E                 tst     r0, r0

.text:000151A0                 bt      loc_1520A       ;<-- we land here

 

The bsr sub_14EBC looks very interesting, since its return value caused us to hit

the "Invalid Registration" message, so let's check it out.

At first we see some checks to verify that the user entered an e-mail address and a serial,

then there are some checks against blacklisted e-mail addresses; it's pretty simple to spot.

Following the code along you can see some more length checks and such, but towards the end

of the subroutine we see something that might just be what we are looking for.

 

.text:00014F40                 jsr     @r0 ; _wsprintfW

.text:00014F42                 add     r15, r4

.text:00014F44                 mov.l   @(h'58,pc), r0 ; [00014FA0] = _wcscpy

.text:00014F46                 mov.l   @(h'3C,pc), r4 ; [00014F84] = unk_1CB74

.text:00014F48                 jsr     @r0 ; _wcscpy

.text:00014F4A                 mov     r8, r5

.text:00014F4C                 mov.l   @(h'4C,pc), r0 ; [00014F9C] = _wcscmp

.text:00014F4E                 mov     #h'10, r4

.text:00014F50                 mov     r10, r5

.text:00014F52                 jsr     @r0 ; _wcscmp

.text:00014F54                 add     r15, r4

.text:00014F56                 tst     r0, r0          ; if true T bit = 1

.text:00014F58                 movt    r0              ; change to mov #1, r0  (01E0)

 

In the code above we see that the program formats an unsigned long number, copies it

and compares it to something.  It's hard to tell where each number being compared

came from, but we will assume it's our serial and a good serial.  Without tracing it's

hard to really tell what's going on, but we can guess.

So did you spot how to patch this program?  Here is what I did:

 

.text:00014F56                 tst     r0, r0

.text:00014F58                 mov     #1, r0

 

So get the file offset of .text:00014F58 (movt r0) and check out the bytes:

 

29 00  change them to:  01 E0

 

Remember that these instructions are only 2 bytes each.  Save your patched file and

upload it back to the device.  Click the "Register" button, enter any e-mail and any

serial and click OK.  That's it.
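As an added illustration (not part of the original tutorial), the following Python encodes and decodes the SH-3 instruction forms quoted in the listings above, using the bit layouts from the SH7700 programming manual, and shows why the 16-bit words movt r0 and mov #1, r0 appear in the file as 29 00 and 01 E0: Windows CE runs the SH-3 little-endian, so the low byte comes first.

```python
# Added illustration, not the tutorial's own code: SH-3 instruction encoding for the
# forms seen in the listings. Bit layouts are from the SH7700 programming manual;
# each instruction is one 16-bit word stored little-endian on Windows CE.
import struct

def encode_movt(rn):            # 0000nnnn00101001  MOVT Rn      (Rn = T bit)
    return 0x0029 | (rn << 8)

def encode_mov_imm(imm, rn):    # 1110nnnniiiiiiii  MOV #imm, Rn (8-bit signed imm)
    return 0xE000 | (rn << 8) | (imm & 0xFF)

def encode_tst(rm, rn):         # 0010nnnnmmmm1000  TST Rm, Rn   (T = 1 if Rm & Rn == 0)
    return 0x2008 | (rn << 8) | (rm << 4)

def to_bytes(word):
    """16-bit instruction word in file order (little-endian), as a hex editor shows it."""
    return struct.pack("<H", word)

def _signed8(v):
    return v - 256 if v & 0x80 else v

def decode(raw):
    """Decode one 2-byte little-endian instruction word into SH-3 syntax."""
    (w,) = struct.unpack("<H", raw)
    n, m, imm = (w >> 8) & 0xF, (w >> 4) & 0xF, w & 0xFF
    if w & 0xF0FF == 0x0029:
        return "movt r%d" % n
    if w & 0xF000 == 0xE000:
        return "mov #%d, r%d" % (_signed8(imm), n)
    if w & 0xF00F == 0x2008:
        return "tst r%d, r%d" % (m, n)
    if w & 0xFF00 == 0x8900:                # 10001001dddddddd  BT disp (signed, in words)
        return "bt %+d" % _signed8(imm)
    if w & 0xF0FF == 0x400B:                # 0100mmmm00001011  JSR @Rm
        return "jsr @r%d" % n
    return "unknown (0x%04X)" % w

def describe_patch(original, patched):
    """Describe a 2-byte patch as 'old instruction -> new instruction'."""
    return "%s -> %s" % (decode(original), decode(patched))

if __name__ == "__main__":
    # The two words from the tutorial: 29 00 (movt r0) and 01 E0 (mov #1, r0).
    print(describe_patch(b"\x29\x00", b"\x01\xE0"))
```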

 

 

 

Greets: zip, crackz, +tsehp, and my pals in the scene

 

Peace !