RegEditCE v1.0 for the PowerPC (SH3) – Goatass
Published by Tsehp
2002
Recommended readings:
---------------------
Windows CE Platform SDK (HPC Pro) - www.microsoft.com
SH3 programming manual - www.hitachi-eu.com/hel/ecg/products/micro/pdf/sh7700p.pdf
Any tutorial on PocketPC
Tools:
------
IDA 4.15
WindowsCE SDK
PocketPC (I used the Jornada)
The target:
-----------
As you can tell from the name, this is a Registry Editor tool for the PowerPC running WindowsCE. It's a very useful tool and it works really well.
Introduction:
-------------
This little program allows you to browse your registry but you can not edit anything. That is a big drawback, so I decided to fix that.

Let's begin by checking out the program. Run it and go to "About", click the "Register" button, enter some fake info and click OK. Write down the error that you get and let's go find it.

Open up the executable in a resource editor and check out the string refs. The first one is what we want; we mainly care about string refs 9 and 10 (0xA).

Open up the executable in IDA and do a text search for #h'a. This will find any reference by the application to that particular resource, the "Invalid registration" message. The first occurrence is not what we are looking for; just look at the code around it and you will see it's nothing interesting. The second occurrence is what we want, look here:
.text:00015216 mov #h'A, r5 ; Invalid reg message
.text:00015218 jsr @r0 ; _LoadStringW
.text:0001521A mov.l @r3, r4
.text:0001521C mov.l @(h'68,pc), r0 ; [00015288] = _MessageBoxW
.text:0001521E mov #8, r5
.text:00015220 mov.l @(h'54,pc), r6 ; [00015278] = unk_1CB10
.text:00015222 mov r8, r4
.text:00015224 mov #h'30, r7 ; '0'
.text:00015226 jsr @r0 ; _MessageBoxW
Scrolling up a bit we see:
.text:0001520A loc_1520A: ; CODE XREF: .text:000151A0j
Follow that Xref back to the caller and we land here:
.text:0001519A bsr sub_14EBC
.text:0001519C add r14, r4
.text:0001519E tst r0, r0
.text:000151A0 bt loc_1520A ; <-- we land here
The bsr sub_14EBC looks very interesting, since its returned value caused us to hit the "Invalid Registration" message, so let's check it out.

At first we see some checks to verify that the user entered an e-mail address and a serial, then there are some checks against blacklisted e-mail addresses; it's pretty simple to spot.

Following the code along you can see some more length checks and such, but towards the end of the sub-routine we see something that might just be what we are looking for.
.text:00014F40 jsr @r0 ; _wsprintfW
.text:00014F42 add r15, r4
.text:00014F44 mov.l @(h'58,pc), r0 ; [00014FA0] = _wcscpy
.text:00014F46 mov.l @(h'3C,pc), r4 ; [00014F84] = unk_1CB74
.text:00014F48 jsr @r0 ; _wcscpy
.text:00014F4A mov r8, r5
.text:00014F4C mov.l @(h'4C,pc), r0 ; [00014F9C] = _wcscmp
.text:00014F4E mov #h'10, r4
.text:00014F50 mov r10, r5
.text:00014F52 jsr @r0 ; _wcscmp
.text:00014F54 add r15, r4
.text:00014F56 tst r0, r0 ; if true T bit = 1
.text:00014F58 movt r0 ; change to mov #1, r0 (01E0)
In the code above we see that the program formats an unsigned long number, copies it and compares it to something. It's hard to tell where each number being compared came from, but we will assume it's our serial and a good serial. Without tracing it's hard to really tell what's going on, but we can guess.
So did you spot how to patch this program? Here is what I did:
.text:00014F56 tst r0, r0
.text:00014F58 mov #1, r0
So get the offset of .text:00014F58 movt r0 and check out the bytes: 29 00. Change them to: 01 E0. Remember that these instructions are only 2 bytes each. Save your patched file and upload it back to the device. Click the "Register" button, enter any e-mail and any serial and click OK.

That's it.
Greets: zip, crackz, +
Peace !