
Thread: Patching symbian exe

  1. #1
    treby
    Guest

    Patching symbian exe

    Greetings from a newbie...
    Using IDA, I disassembled a Symbian ARM-based exe file. Some sample results:

    .text:0015C4BC BL __cxa_end_catch
    .text:0015C4C0 MOV R0, R4
    .text:0015C4C4 BL __cxa_end_cleanup

    Let's say I want to change BL to BE to bypass the checkpoint. The hex sequence value (shown by IDA) is: 53 6C 00 EB 04 00 A0 E1 1F 6B 00 EB 50 6C 00 EB .. and so on....

    However, using hex editor, I can't find that hex sequence in the same exe file. What's the catch?
    Please help with this...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Administrator dELTA's Avatar
    Sounds like a packer/crypter to me...
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    treby
    Guest
    @dELTA
    Are you saying that IDA automatically unpacks the file? I use the IDA standard installation, nothing fancy. The disassembled file is very clean & easy to follow, with a bunch of readable strings & functions.
    I was suspecting the difference between ARM (which is used in the mobile where the application is hosted) & Intel x86 architecture (on which I use the hex editor), but I have no idea about it.
    Any idea?

  4. #4
    Master Of Nebulah Frost Polaris's Avatar
    Well, I think that the most probable thing is that you've different files open in IDA and in the HexEd, or you've mistyped the string of bytes in the search form. Check the offsets in IDA and in the hex editor.
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  5. #5
    Administrator dELTA's Avatar
    Sorry, I misread your post, and thought you were working on a dump or in an active debugger.

    Like Polaris said, I would double and triple check that you're working on the right file, and that the opcode sequence you think those instructions have is correct (opcode display width setting in disassembler, opcode prefixes etc), try to search for smaller parts of the sequence until you find anything, and then go from there.

  6. #6
    Registered User
    I don't disassemble ARM executables very often, but IDA still shows the physical offset on disk alongside the virtual offset in the usual status bar at the bottom of the IDA View window.

    http://img176.imageshack.us/my.php?image=capturels0.png

    Patching in IDA and exporting a diff file should also tell you exactly which offsets to patch with a hex editor afterwards.

    TiGa
    Programming today is a race between software engineers to build bigger and better idiot-proof programs and the Universe trying to produce bigger and better idiots.
    So far, the Universe is winning.

  7. #7
    Super Moderator Shub-nigurrath's Avatar
    Hi,
    You probably opened two files or misspelled something, because what you did is conceptually correct. Anyway, to avoid problems just use the IDA option that allows you to see the opcode bytes beside the instructions. Just go to Options -> select the Disassembly tab -> find (on the right) the edit field "Number of opcode bytes" and set it to 4 (all ARM instructions have a fixed length).

    Then beside the instructions you will get the corresponding opcodes, which is simpler than going back and forth from the hex view all the time.

    The file offset IDA shows is enough for a hex editor anyway.
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  8. #8
    treby
    Guest
    Quote Originally Posted by Polaris:
    > Well, I think that the most probable thing is that you've different files open in IDA and in the HexEd, or you've mistyped the string of bytes in the search form. Check the offsets in IDA and in the hex editor.
    Triple checked, they're the same file, and I didn't mistype because it's a copy-paste.

    Quote Originally Posted by dELTA:
    > try to search for smaller parts of the sequence until you find anything, and then go from there.
    I even stripped it down to 2 hex values only and still no luck.


    @all folks
    Please take a look at this idb file (disassembled from a freeware):

    Code:
    http://rapidshare.com/files/83111699/s_explorer.rar.html


    IDA found some strings which I can't find with the hex editor.

  9. #9
    Naides is Nobody
    Quote Originally Posted by treby:
    > IDA found some strings which I can't with hex editor.
    Did you search UNICODE?

  10. #10
    treby
    Guest
    @naides
    I searched Unicode, ASCII, and manually..
    Maybe you can download it from the link above and check it, I included the exe file.

  11. #11
    Master Of Nebulah Frost Polaris's Avatar
    After looking at the file, things are now clear. Basically, your file is compressed. In fact, from the Nokia website you can get the definition of the header of the EPOC v9 file format. I copy it here, highlighting an interesting field:

    class E32ImageHeader
    {
    public:
        TUint32 iUid1;
        TUint32 iUid2;
        TUint32 iUid3;
        TUint32 iUidChecksum;
        TUint iSignature;
        TUint32 iHeaderCrc;
        TUint32 iModuleVersion;
        TUint32 iCompressionType;   // <-- the field highlighted in the original post
        TVersion iToolsVersion;
        TUint32 iTimeLo;
        TUint32 iTimeHi;
        TUint iFlags;
        TInt iCodeSize;
        TInt iDataSize;
        TInt iHeapSizeMin;
        TInt iHeapSizeMax;
        TInt iStackSize;
        TInt iBssSize;
        TUint iEntryPoint;
        TUint iCodeBase;
        TUint iDataBase;
        TInt iDllRefTableCount;
        TUint iExportDirOffset;
        TInt iExportDirCount;
        TInt iTextSize;
        TUint iCodeOffset;
        TUint iDataOffset;
        TUint iImportOffset;
        TUint iCodeRelocOffset;
        TUint iDataRelocOffset;
        TUint16 iProcessPriority;
        TUint16 iCpuIdentifier;
    };
    Now, if we look at the explanation of that field, you can read:

    iCompressionType is the UID of the library used to compress the executable file. It is 0 if the executable is not compressed, or KUidCompressionDeflate (= 0x101F7AFC) if it is compressed with the Deflate algorithm.
    Now, if we open the file with a hex editor, guess what we see?

    0x1C: FC7A1F10
    So now you know what is happening: basically, IDA's EPOC v9 loader knows the file format and automatically unpacks the file for your disassembling pleasure.

    Have fun!
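A small parser for the E32ImageHeader layout quoted above, added here as an example (not code from the thread or from Nokia's tools): it unpacks the header from a byte buffer, checks the iCompressionType word at 0x1C, and makes explicit why a byte pattern copied from IDA's decompressed view cannot be found in the on-disk file when the code is deflate-compressed. The sample header bytes are constructed; the 0x101F7AFC value is the one from the post, and the 'EPOC' signature value is a known E32 constant that the post does not mention.

```python
"""Parse the E32ImageHeader quoted above and report whether the code section is
stored deflate-compressed on disk. Constructed example; not code from the thread."""
import struct

KUID_COMPRESSION_DEFLATE = 0x101F7AFC  # value quoted by Polaris in the thread
E32_SIGNATURE = 0x434F5045             # 'EPOC' as a little-endian u32 (known E32 constant)

# Field order and C types follow the E32ImageHeader listing above; TVersion is
# 4 bytes wide, so it is read here as one 32-bit word.
_FIELDS = [
    ("iUid1", "I"), ("iUid2", "I"), ("iUid3", "I"), ("iUidChecksum", "I"),
    ("iSignature", "I"), ("iHeaderCrc", "I"), ("iModuleVersion", "I"), ("iCompressionType", "I"),
    ("iToolsVersion", "I"), ("iTimeLo", "I"), ("iTimeHi", "I"), ("iFlags", "I"),
    ("iCodeSize", "i"), ("iDataSize", "i"), ("iHeapSizeMin", "i"), ("iHeapSizeMax", "i"),
    ("iStackSize", "i"), ("iBssSize", "i"), ("iEntryPoint", "I"), ("iCodeBase", "I"),
    ("iDataBase", "I"), ("iDllRefTableCount", "i"), ("iExportDirOffset", "I"), ("iExportDirCount", "i"),
    ("iTextSize", "i"), ("iCodeOffset", "I"), ("iDataOffset", "I"), ("iImportOffset", "I"),
    ("iCodeRelocOffset", "I"), ("iDataRelocOffset", "I"), ("iProcessPriority", "H"), ("iCpuIdentifier", "H"),
]
_FMT = "<" + "".join(t for _, t in _FIELDS)
HEADER_SIZE = struct.calcsize(_FMT)  # 124 bytes; iCompressionType lands at offset 0x1C

def parse_e32_header(data):
    """Return the header fields as a dict; rejects buffers without the 'EPOC' signature."""
    if len(data) < HEADER_SIZE:
        raise ValueError("buffer shorter than E32ImageHeader")
    hdr = dict(zip((n for n, _ in _FIELDS), struct.unpack_from(_FMT, data)))
    if hdr["iSignature"] != E32_SIGNATURE:
        raise ValueError("not an E32 image")
    return hdr

def code_is_compressed(hdr):
    """True when the bytes from iCodeOffset onward are deflate-compressed, so a byte
    pattern taken from IDA's decompressed view will not match the file on disk."""
    return hdr["iCompressionType"] == KUID_COMPRESSION_DEFLATE

def make_sample_header(compression_type):
    """Build a constructed 124-byte header for testing (not taken from a real binary)."""
    values = {name: 0 for name, _ in _FIELDS}
    values.update(iSignature=E32_SIGNATURE, iCompressionType=compression_type,
                  iCodeOffset=HEADER_SIZE, iCodeSize=0x1000)
    return struct.pack(_FMT, *(values[n] for n, _ in _FIELDS))

if __name__ == "__main__":
    blob = make_sample_header(KUID_COMPRESSION_DEFLATE)
    print("bytes at 0x1C:", blob[0x1C:0x20].hex().upper())  # FC7A1F10, as seen in the post
    print("code compressed on disk:", code_is_compressed(parse_e32_header(blob)))
```

Run against the first 124 bytes of a real E32 exe, a nonzero iCompressionType explains the mismatch before any searching is done; petran-style decompression or IDA's file offsets are then the way to locate the bytes.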

  12. #12
    Administrator dELTA's Avatar
    First read this:

    http://64.233.183.104/search?q=cache:UnJlpvoYT6cJ:newlc.com/topic-4473+symbian+decompress&hl=sv&ct=clnk&cd=11&gl=se

    Then this:

    http://blogs.forum.nokia.com/blog/paul-todds-forum-nokia-blog/symbian-c/2007/08/09/updates-from-symbian

    (look for "imgdump (including deflate code) is included" on the page)

    Let us know how it goes.

  13. #13
    Good find Polaris! Shows the benefits of starting with the "basics."

    Regards
    JMI

  14. #14
    treby
    Guest
    Thanks folks! I'll do my homework to patch it..

  15. #15
    Devoney
    Guest
    Hi all,
    Why does nobody post to this topic anymore? Did I miss something?

    So the exe file is packed/compressed. This prevents us from seeing the same hex data in a hex editor as in the IDA debugger when we debug our EXE file which we extracted from the sis package. After reading on from the links given in this topic I have found petran.exe, a tool used to do some things with the EXE file, and one option is to "nocompress". The petran application comes standard with any Symbian OS SDK. Try to download an SDK and install it. After installing the SDK, petran is found in: "C:\Symbian\9.3\S60_3rd_FP2_Beta\epoc32\tools\petran.exe" (standard installation folder). Then open a command prompt (Start -> Run -> cmd.exe) and type <path to petran> -nocompress <path to exe file extracted from sis package>. (See its parameters by only typing the path to petran.)
    For example: "C:\petran.exe -nocompress C:\testapp.exe" (use convenient directories of course instead of typing the whole path to the SDK tools).

    Now the "nocompressed" file is updated and the hex values in the hex editor are the same as in IDA.
    I have also included an assembly analysis of petran.exe using OllyDbg. I have highlighted the use of the compression integer 101F7AFC there, mentioned by Polaris earlier.
    Is this helpful to you all?

    Grtz Devoney
    --< Share your Knowledge >--
    Last edited by Devoney; January 25th, 2008 at 19:56. Reason: Update attachments and more info
