Page 2 of 3 (results 16 to 30 of 34)

Thread: pocket program need help

  1. #16
    Hi

    I have worked a little bit on PPC RE. I have seen in your IDA disassembly
    there is a .text:00023B70 BL sub_69E78 just before the CMP R3,1, so this BL (branch and link) goes to the sub_69E78 subroutine and checks your serial. This subroutine returns 1 if the serial is valid and it returns 0 if the serial is invalid, so you should go in this subroutine and find mov Rx,0 and replace it with mov Rx,1. As you know the serial check routine may be called several times in different parts of the program, so by this way the check routine will always return TRUE.
    I have attached one of my tutorials to this post; the protection is similar to your target, take a look.

    Good luck

    akimp3

  2. #17
    einstein
    Guest
    hello akimp3,

    thanks for your post.
    there is one problem:
    at address .text:00069E78 MOV R12, SP there is the sign SP.
    What can I do there?

    Einstein
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #18
    einstein
    Guest
    Hi,

    I have tried to change mov to movne and moveq and the program hangs up.
    So I must soft-reset my iPAQ.

    Can somebody help me?

    regards
    Einstein

  4. #19
    Hi
    sorry for my late reply. I was out of town.
    Please PM me the name of the prog; I will take a look myself.
    I have never seen something like the sub_69E78 code.
    Another way to solve your problem is to find every BL sub_69E78,
    find the CMP R3, #0 and patch the BEQ after it like the first one you did
    yourself, but the problem was that you only patched the BEQ at .text:00023B80, but there must be a lot of calls to sub_69E78. Find them
    all and patch the BEQ just after the call.

    Good luck

    akimp3

  5. #20
    einstein
    Guest


    Hi akimp3,

    sorry for my late reply.
    Do you have a PDA? (iPAQ)

    Otherwise I must send you the exe file.

    Here is the whole sub_69E78 code:

    .text:00069E78
    .text:00069E78 ; S U B R O U T I N E
    .text:00069E78
    .text:00069E78
    .text:00069E78 sub_69E78 ; CODE XREF: .text:00023B70p
    .text:00069E78 ; sub_66B78+68p
    .text:00069E78
    .text:00069E78 var_74 = -0x74
    .text:00069E78 var_6C = -0x6C
    .text:00069E78 var_68 = -0x68
    .text:00069E78 var_64 = -0x64
    .text:00069E78 var_60 = -0x60
    .text:00069E78 var_5C = -0x5C
    .text:00069E78 var_5B = -0x5B
    .text:00069E78 var_5A = -0x5A
    .text:00069E78 var_59 = -0x59
    .text:00069E78 var_58 = -0x58
    .text:00069E78 var_57 = -0x57
    .text:00069E78 var_56 = -0x56
    .text:00069E78 var_55 = -0x55
    .text:00069E78 var_54 = -0x54
    .text:00069E78 var_53 = -0x53
    .text:00069E78 var_52 = -0x52
    .text:00069E78 var_51 = -0x51
    .text:00069E78 var_50 = -0x50
    .text:00069E78 var_4F = -0x4F
    .text:00069E78 var_4E = -0x4E
    .text:00069E78 var_4D = -0x4D
    .text:00069E78 var_4A = -0x4A
    .text:00069E78 var_46 = -0x46
    .text:00069E78 var_C = -0xC
    .text:00069E78 arg_0 = 0
    .text:00069E78
    .text:00069E78 0D C0 A0 E1 MOV R12, SP ; Rd = Op2
    .text:00069E7C 0F 00 2D E9 STMFD SP!, {R0-R3} ; Store Block to Memory
    .text:00069E80 F0 5F 2D E9 STMFD SP!, {R4-R12,LR} ; Store Block to Memory
    .text:00069E84 3C D0 4D E2 SUB SP, SP, #0x3C ; Rd = Op1 - Op2
    .text:00069E88 00 40 A0 E1 MOV R4, R0 ; Rd = Op2
    .text:00069E8C CE AF 84 E2 ADD R10, R4, #0x338 ; Rd = Op1 + Op2
    .text:00069E90 01 30 A0 E3 MOV R3, #1 ; Rd = Op2
    .text:00069E94 0A 00 A0 E1 MOV R0, R10 ; Rd = Op2
    .text:00069E98 28 33 C4 E5 STRB R3, [R4,#0x328] ; Store to Memory
    .text:00069E9C A4 69 00 EB BL sub_84534 ; Branch with Link
    .text:00069EA0 00 00 8D E2 ADD R0, SP, #0 ; Rd = Op1 + Op2
    .text:00069EA4 68 10 8D E2 ADD R1, SP, #0x68 ; Rd = Op1 + Op2
    .text:00069EA8 55 69 00 EB BL __0CString__QAA_ABV0__Z ; CString::CString(CString const &)
    .text:00069EAC 00 10 9D E5 LDR R1, [SP,#0x74+var_74] ; Load from Memory
    .text:00069EB0 28 00 8D E2 ADD R0, SP, #0x28 ; Rd = Op1 + Op2
    .text:00069EB4 18 C4 FF EB BL sub_5AF1C ; Branch with Link
    .text:00069EB8 04 00 50 E3 CMP R0, #4 ; Set cond. codes on Op1 - Op2
    .text:00069EBC 6F 00 00 1A BNE loc_6A080 ; Branch
    .text:00069EC0 1B 30 A0 E3 MOV R3, #0x1B ; Rd = Op2
    .text:00069EC4 BA 22 DD E1 LDRH R2, [SP,#0x74+var_4A] ; Load from Memory
    .text:00069EC8 18 30 CD E5 STRB R3, [SP,#0x74+var_5C] ; Store to Memory
    .text:00069ECC 02 30 A0 E3 MOV R3, #2 ; Rd = Op2
    .text:00069ED0 19 30 CD E5 STRB R3, [SP,#0x74+var_5B] ; Store to Memory
    .text:00069ED4 48 30 A0 E3 MOV R3, #0x48 ; Rd = Op2
    .text:00069ED8 1A 30 CD E5 STRB R3, [SP,#0x74+var_5A] ; Store to Memory
    .text:00069EDC 09 30 A0 E3 MOV R3, #9 ; Rd = Op2
    .text:00069EE0 1C 30 CD E5 STRB R3, [SP,#0x74+var_58] ; Store to Memory
    .text:00069EE4 63 30 A0 E3 MOV R3, #0x63 ; Rd = Op2
    .text:00069EE8 1D 30 CD E5 STRB R3, [SP,#0x74+var_57] ; Store to Memory
    .text:00069EEC 08 30 A0 E3 MOV R3, #8 ; Rd = Op2
    .text:00069EF0 1F 30 CD E5 STRB R3, [SP,#0x74+var_55] ; Store to Memory
    .text:00069EF4 47 30 A0 E3 MOV R3, #0x47 ; Rd = Op2
    .text:00069EF8 20 30 CD E5 STRB R3, [SP,#0x74+var_54] ; Store to Memory
    .text:00069EFC 16 30 A0 E3 MOV R3, #0x16 ; Rd = Op2
    .text:00069F00 21 30 CD E5 STRB R3, [SP,#0x74+var_53] ; Store to Memory
    .text:00069F04 13 30 A0 E3 MOV R3, #0x13 ; Rd = Op2
    .text:00069F08 23 30 CD E5 STRB R3, [SP,#0x74+var_51] ; Store to Memory
    .text:00069F0C 0B 30 A0 E3 MOV R3, #0xB ; Rd = Op2
    .text:00069F10 24 30 CD E5 STRB R3, [SP,#0x74+var_50] ; Store to Memory
    .text:00069F14 11 30 A0 E3 MOV R3, #0x11 ; Rd = Op2
    .text:00069F18 25 30 CD E5 STRB R3, [SP,#0x74+var_4F] ; Store to Memory
    .text:00069F1C 0C 30 A0 E3 MOV R3, #0xC ; Rd = Op2
    .text:00069F20 26 30 CD E5 STRB R3, [SP,#0x74+var_4E] ; Store to Memory
    .text:00069F24 0F 30 A0 E3 MOV R3, #0xF ; Rd = Op2
    .text:00069F28 27 30 CD E5 STRB R3, [SP,#0x74+var_4D] ; Store to Memory
    .text:00069F2C 04 00 A0 E3 MOV R0, #4 ; Rd = Op2
    .text:00069F30 B8 32 DD E1 LDRH R3, [SP,#0x28] ; Load from Memory
    .text:00069F34 1B 00 CD E5 STRB R0, [SP,#0x74+var_59] ; Store to Memory
    .text:00069F38 03 38 A0 E1 MOV R3, R3,LSL#16 ; Rd = Op2
    .text:00069F3C 1E 00 CD E5 STRB R0, [SP,#0x74+var_56] ; Store to Memory
    .text:00069F40 02 30 83 E0 ADD R3, R3, R2 ; Rd = Op1 + Op2
    .text:00069F44 BE 22 DD E1 LDRH R2, [SP,#0x74+var_46] ; Load from Memory
    .text:00069F48 08 30 8D E5 STR R3, [SP,#0x74+var_6C] ; Store to Memory
    .text:00069F4C BC 32 DD E1 LDRH R3, [SP,#0x74+var_4A+2] ; Load from Memory
    .text:00069F50 22 00 CD E5 STRB R0, [SP,#0x74+var_52] ; Store to Memory
    .text:00069F54 18 00 8D E2 ADD R0, SP, #0x18 ; Rd = Op1 + Op2
    .text:00069F58 03 38 A0 E1 MOV R3, R3,LSL#16 ; Rd = Op2
    .text:00069F5C 02 30 83 E0 ADD R3, R3, R2 ; Rd = Op1 + Op2
    .text:00069F60 0C 30 8D E5 STR R3, [SP,#0x74+var_68] ; Store to Memory
    .text:00069F64 A7 C3 FF EB BL sub_5AE08 ; Branch with Link
    .text:00069F68 10 10 8D E2 ADD R1, SP, #0x10 ; Rd = Op1 + Op2
    .text:00069F6C 08 00 8D E2 ADD R0, SP, #8 ; Rd = Op1 + Op2
    .text:00069F70 86 C3 FF EB BL sub_5AD90 ; Branch with Link
    .text:00069F74 10 90 9D E5 LDR R9, [SP,#0x74+var_64] ; Load from Memory
    .text:00069F78 14 70 9D E5 LDR R7, [SP,#0x74+var_60] ; Load from Memory
    .text:00069F7C 14 31 9F E5 LDR R3, =__itod ; Load from Memory
    .text:00069F80 29 88 A0 E1 MOV R8, R9,LSR#16 ; Rd = Op2
    .text:00069F84 27 08 A0 E1 MOV R0, R7,LSR#16 ; Rd = Op2
    .text:00069F88 00 30 93 E5 LDR R3, [R3] ; Load from Memory
    .text:00069F8C 0F E0 A0 E1 MOV LR, PC ; Rd = Op2
    .text:00069F90 03 F0 A0 E1 MOV PC, R3 ; Rd = Op2



    OK, that's it.
    I changed at address 00069E90 MOV R3, #0 to MOV R3, #1.
    (Here you can see it.)

    So the program is registered. But not 100%.

    regards
    Einstein

  6. #21
    Hi

    yes I have a PDA(POCKET LOOX 600 WM2003).

    As I have seen (a quick look), your patching in this routine is
    100% correct, so it must be other subroutines we have to patch.
    What does the program show you that makes you understand it is not
    100% registered? A msgbox, a label? Tell me this and we should
    localize it (the msgbox or the label) in IDA and deactivate the jump
    to it.

    Good luck

    akimp3

  7. #22
    einstein
    Guest
    Hi,

    ok, thanks.

    When the program is registered, you must see the program serial number
    and the date till you can update for free.

    For me, the program shows 00000 for the program serial number and nothing
    about the date till you can update. I think that is not so correct.

    But the program works fine.

    Now you have PM.

    Einstein

  8. #23
    einstein
    Guest


    Hi Akimp3,

    are you back?
    I have another target. I think this is not so simple as my first.

    Einstein

  9. #24

    Yes, I am back.

    Quote Originally Posted by einstein
    Hi Akimp3,

    are you back?
    I have another target. I think this is not so simple as my first.

    Einstein
    Hi

    I am back and badly stuck on see ** ****** program.
    I always have the 0000 serial problem and I can't find how the
    serial is validated to be able to construct a valid one. I am really
    sorry but I think someone expert should take a look at the routine.
    I have also tried to crack it another way (from the unregistered
    string in IDA) but the same problem is there. I think for now
    you should download the latest version from the site and crack
    it this way.
    About your new target please PM me more info and I will look at it.
    The biggest problem in PPC reversing is the lack of a good debugger;
    the eVC debugger is not good at all compared to OllyDbg and SoftICE, ...
    that we use on PC. Maybe someone should start to write a debugger
    for PPC.
    I will wait for your PM.

    akimp3

  10. #25
    einstein
    Guest
    Hi,

    Cool. You have a PM.

    Einstein

  11. #26
    einstein
    Guest
    Hi akimp3,

    your messagebox is full. please delete some mails.

    I found our target with crack on eMule.
    Do you think it is possible to compare the original exe file with the cracked one?
    So we can find out where we must change the exe.

    What do you think?
    I found a tool called code fusion wizard.

    Do you know about this?

    Regards
    Einstein

  12. #27
    einstein
    Guest


    Hi,

    you are great.
    very nice. It works.

    I have changed the code at the three addresses to FF B0 0B E2.

    Can you tell me how you found out these three codes?
    I will learn it for the next update.

    Thanks
    Einstein


    PS.
    Delete some mails from your account. I can't send you a PM.

  13. #28

    good

    Hi

    For the first 2 addresses, these are addresses that jump to the only reference
    of the message "enter valid password in simulator about menu".
    And for the other one you should find all the calls to SetTimer,
    see the parameters; only one call has 92000h as parameter.
    Convert it to decimal = 555149100, divide it by 1000 (the SetTimer parameter is
    in milliseconds) = 598.016, then divide it by 60 = 9.9669333333333333333333333333333;
    this is 9.96 minutes or 10 minutes as you told.
    And it is the only call that sets the timer to raise an event every
    10 minutes, so we patch it.
    That's it. You can ask me if there is any other detail you want to know.

    bye

    akimp3

    Quote Originally Posted by einstein
    ps.
    delete some mails from you acount. I can't send you pm.
    It's done, you can send me PMs.

  14. #29
    einstein
    Guest


    Hi akimp3,

    thanks.
    There is one question for me:

    How did you come up with the opcode FF B0 0B E2? (AND R11, R11, #0xFF)
    How did you find this out?

    What is register 11?

    Regards
    Einstein

  15. #30

    Nop

    Hi

    As you know there is no NOP operation in the ARM processor.
    The AND of A and A gives you A; the AND of A and FF (logic 1)
    also gives A. So AND R11, R11, #0xFF changes nothing and I
    used it as a NOP. You can find the opcode in my first PPC RE
    tutorial.

    Good luck

    akimp3
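An added example (not code from the thread or from either poster): a small decoder for the ARM data-processing instruction encoding, so that anyone reviewing a modified binary can confirm what a byte sequence such as FF B0 0B E2 actually encodes before trusting a description of it. It decodes words taken from the sub_69E78 listing above, and and_imm_effect shows the value that AND Rd, Rn, #0xFF leaves in the register, which is unchanged only when the upper 24 bits were already zero (a property of the instruction, noted here as a caveat).

```python
"""ARM (A32, ARMv4/v5) data-processing decoder; added example, not thread code.
Handles immediate and unshifted-register operands, which covers the words checked below."""
import struct

# Data-processing opcodes, indexed by bits 24:21 of the instruction word.
OPCODES = ["AND", "EOR", "SUB", "RSB", "ADD", "ADC", "SBC", "RSC",
           "TST", "TEQ", "CMP", "CMN", "ORR", "MOV", "BIC", "MVN"]
# Condition suffixes, indexed by bits 31:28 ("" = AL, always execute).
CONDS = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
         "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]

def ror32(value, amount):
    """Rotate a 32-bit value right by `amount` bits."""
    amount &= 31
    return ((value >> amount) | (value << (32 - amount))) & 0xFFFFFFFF

def decode_dp(word):
    """Return the mnemonic for one 32-bit data-processing word."""
    if (word >> 26) & 0b11 != 0:        # bits 27:26 must be 00
        raise ValueError("not a data-processing instruction: 0x%08X" % word)
    cond = CONDS[word >> 28]
    op = (word >> 21) & 0xF
    compare = 8 <= op <= 11            # TST/TEQ/CMP/CMN always set flags, no S suffix
    set_flags = "S" if (word >> 20) & 1 and not compare else ""
    rn, rd = (word >> 16) & 0xF, (word >> 12) & 0xF
    if (word >> 25) & 1:
        # Immediate form: 8-bit value rotated right by twice the 4-bit rotate field.
        operand = "#0x%X" % ror32(word & 0xFF, 2 * ((word >> 8) & 0xF))
    elif (word >> 4) & 0xFF == 0:
        operand = "R%d" % (word & 0xF)  # plain register operand, no shift
    else:
        raise ValueError("shifted register operands are not handled here")
    mnemonic = OPCODES[op] + cond + set_flags
    if op in (13, 15):                  # MOV / MVN have no Rn
        return "%s R%d, %s" % (mnemonic, rd, operand)
    if compare:                         # compares have no Rd
        return "%s R%d, %s" % (mnemonic, rn, operand)
    return "%s R%d, R%d, %s" % (mnemonic, rd, rn, operand)

def decode_bytes(raw):
    """Decode 4 bytes in the little-endian order shown in the IDA listing."""
    return decode_dp(struct.unpack("<I", raw)[0])

def and_imm_effect(reg_value, imm):
    """Value left in Rd by AND Rd, Rn, #imm: equal to reg_value only if no bit
    of reg_value lies outside imm (for #0xFF, only when reg_value < 0x100)."""
    return reg_value & imm
```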
