RegEditCE v1.0 for the PowerPC (SH3) Goatass

Published by Tsehp 2002

Recommended readings:

---------------------

Windows CE Platform SDK (HPC Pro) - www.microsoft.com

SH3 programming manual - www.hitachi-eu.com/hel/ecg/products/micro/pdf/sh7700p.pdf

Any tutorial on PocketPC - tsehp.cjb.net

Tools:

------

IDA 4.15

WindowsCE SDK

PocketPC (I used the Jornada)

The target:

-----------

As you can tell from the name this is a Registry Editor tool for the PowerPC running WindowsCE. It's a very useful tool and it works really well.

Introduction:

-------------

This little program allows you to browse your registry but you can not edit anything. That is a big drawback so I decided to fix that.

Let's begin by checking out the program. Run it, go to "About", click the "Register" button, enter some fake info and click OK. Write down the error that you get and let's go find it. Open up the executable in a resource editor and check out the string refs. The first one is what we want; we mainly care about string refs 9 and 10 (0xA).

Open up the executable in IDA and do a text search for #h'a; this finds every place where the application references that particular resource, the "Invalid registration" message. The first occurrence is not what we are looking for; just look at the code around it and you will see it's nothing interesting. The second occurrence is what we want, look here:

.text:00015216 mov #h'A, r5 ; Invalid reg message

.text:00015218 jsr @r0 ; _LoadStringW

.text:0001521A mov.l @r3, r4

.text:0001521C mov.l @(h'68,pc), r0 ; [00015288] = _MessageBoxW

.text:0001521E mov #8, r5

.text:00015220 mov.l @(h'54,pc), r6 ; [00015278] = unk_1CB10

.text:00015222 mov r8, r4

.text:00015224 mov #h'30, r7 ; '0'

.text:00015226 jsr @r0 ; _MessageBoxW

Scrolling up a bit we see:


.text:0001520A loc_1520A: ; CODE XREF: .text:000151A0j

Follow that xref back to the caller and we land here:


.text:0001519A bsr sub_14EBC

.text:0001519C add r14, r4

.text:0001519E tst r0, r0

.text:000151A0 bt loc_1520A ;<-- we land here

The bsr sub_14EBC looks very interesting since its return value is what sent us to the "Invalid Registration" message, so let's check it out. At first we see some checks verifying that the user entered an e-mail address and a serial, then some checks against blacklisted e-mail addresses; they are pretty simple to spot. Following the code along you can see some more length checks and the like, but towards the end of the sub-routine we see something that might just be what we are looking for.

.text:00014F40 jsr @r0 ; _wsprintfW

.text:00014F42 add r15, r4

.text:00014F44 mov.l @(h'58,pc), r0 ; [00014FA0] = _wcscpy

.text:00014F46 mov.l @(h'3C,pc), r4 ; [00014F84] = unk_1CB74

.text:00014F48 jsr @r0 ; _wcscpy

.text:00014F4A mov r8, r5

.text:00014F4C mov.l @(h'4C,pc), r0 ; [00014F9C] = _wcscmp

.text:00014F4E mov #h'10, r4

.text:00014F50 mov r10, r5

.text:00014F52 jsr @r0 ; _wcscmp

.text:00014F54 add r15, r4

.text:00014F56 tst r0, r0 ; if true T bit = 1

.text:00014F58 movt r0 ; change to mov #1, r0 (01E0)

In the code above we see that the program formats an unsigned long number, copies it and compares it to something. It's hard to tell where each number being compared came from, but we will assume it's our serial and a good serial. Without tracing it's hard to really tell what's going on, but we can guess.

So did you spot how to patch this program? Here is what I did:

.text:00014F56 tst r0, r0

.text:00014F58 mov #1, r0

So take the file offset of .text:00014F58 movt r0 and look at the bytes there:

29 00

Change them to:

01 E0

Remember that these instructions are only 2 bytes each. Save your patched file and upload it back to the device. Click the "Register" button, enter any e-mail and any serial and click OK. That's it.

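As an added example (my own code, not part of the original tutorial or of RegEditCE), here is a small Python decoder for the SH-3 instruction words at this site, showing why the bytes 29 00 are movt r0 and 01 E0 are mov #1, r0, together with an integrity check a vendor could run to tell whether the check site still holds the shipped instructions. The byte strings are constructed samples, not bytes from the real executable.

```python
# Added example: decode the SH-3 instruction words this tutorial talks about and
# verify whether a check site is still intact. SH-3 instructions are 16 bits wide
# and are stored little-endian in the executable, so "29 00" is the word 0x0029.
import struct

def decode_sh3(word: int) -> str:
    """Decode the few SH-3 instruction forms that appear at the patch site."""
    if word & 0xF0FF == 0x0029:                   # 0000nnnn00101001: movt Rn
        return f"movt r{(word >> 8) & 0xF}"
    if word & 0xF000 == 0xE000:                   # 1110nnnniiiiiiii: mov #imm, Rn
        imm = word & 0xFF
        imm = imm - 0x100 if imm & 0x80 else imm  # the 8-bit immediate is sign-extended
        return f"mov #{imm}, r{(word >> 8) & 0xF}"
    if word & 0xF00F == 0x2008:                   # 0010nnnnmmmm1000: tst Rm, Rn
        return f"tst r{(word >> 4) & 0xF}, r{(word >> 8) & 0xF}"
    return f".word 0x{word:04X}"                  # anything else: leave it raw

def disassemble(image: bytes, offset: int, count: int) -> list[str]:
    """Decode `count` consecutive little-endian 16-bit words starting at `offset`."""
    words = struct.unpack_from(f"<{count}H", image, offset)
    return [decode_sh3(w) for w in words]

def check_site_intact(image: bytes, offset: int, expected: list[str]) -> bool:
    """Integrity check: does the code at `offset` still decode to the shipped sequence?
    A patched site (e.g. movt replaced by a constant load) makes this return False."""
    return disassemble(image, offset, len(expected)) == expected

# Constructed sample images (not the real RegEditCE file): the two-instruction
# site "tst r0,r0 / movt r0" as shipped, and the same site with the patch applied.
ORIGINAL_SITE = bytes.fromhex("0820" "2900")  # 0x2008 tst r0,r0 ; 0x0029 movt r0
PATCHED_SITE = bytes.fromhex("0820" "01E0")   # 0x2008 tst r0,r0 ; 0xE001 mov #1, r0
EXPECTED = ["tst r0, r0", "movt r0"]

if __name__ == "__main__":
    print(disassemble(ORIGINAL_SITE, 0, 2), check_site_intact(ORIGINAL_SITE, 0, EXPECTED))
    print(disassemble(PATCHED_SITE, 0, 2), check_site_intact(PATCHED_SITE, 0, EXPECTED))
```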
Greets: zip, crackz, +tsehp, and my pals in the scene

Peace !