Palm Reversing - A live approach - by Latigo/UCF
Published by Tsehp September 2000.

Hi! My first palm reversing tutorial was focused on a dead-listing reversing approach. Now the technique used is a little bit different. We'll be using a debugger to get a serial out of Yearly and i'll also show you to make a KeyGen. Our target is 'Yearly'

Tools used: IDA Disassembler,PalmDebugger,PalmEmulator (this two last can be downloaded from,PrcView (get it at my site :)

We'll start by loading our app in the emulator or palm and trying to register it giving as serial any garbage. And all we get is 'You entered a wrong code!'. Sweet :) lets look for this string inside the Alert resources. Split the whole file with prcview (or any other similar tool of course) A little search shows us that the alert resource named 'Talt0x138d.bin' is the one that is fired when we enter a wrong serial. So lets search in IDA's dead listing the '138d' string.

    code0001:000048B6 loc_0_48B6:  
    code0001:000048B6   move.w  8(a0),d0
    code0001:000048BA   cmpi.w  #$44D,d0
    code0001:000048BE   bne.s   loc_0_48FA
    code0001:000048C0   move.l  $A0C(a4),-(sp)
    code0001:000048C4   systrap FldGetTextPtr()     <- get a Ptr to our serial
    code0001:000048C8   move.l  a0,-(sp)            <- push that Ptr now
    code0001:000048CA   lea     $560(a4),a0         <- load in A0 other pointer
    code0001:000048CE   pea     2(a0)
    code0001:000048D2   systrap StrCopy()           <- copy it!
    code0001:000048D6   bsr     sub_0_5CC           <- Jump to Reg Function
    code0001:000048DA   adda.w  #$C,sp              <- Clean Stack
    code0001:000048DE   tst.w   $28(a4)             <- RegFlag is 0?
    code0001:000048E2   beq.s   loc_0_48EC          <- JZ bad boy msg
    code0001:000048E4   move.w  #$138C,-(sp)        <- show good msg
    code0001:000048E8   bra     loc_0_48F0
    code0001:000048EC loc_0_48EC:
    code0001:000048EC   move.w  #$138D,-(sp)	<-- HERE!
    code0001:000048F0 loc_0_48F0:
    code0001:000048F0   systrap FrmAlert()
    code0001:000048F4   addq.w  #2,sp
    code0001:000048F6   bra     loc_0_4900

So after a little glance we find out that the scheme is the typical one. Call 'Reg' Function (000048D6), compare RegFlag (000048DE), JZ BadBoy (000048E2) or else show 'Thank you' Message (000048E4). Lets get inside the 'Reg' function now (not going to paste all the disassembly) The first thing i always do is just take a look at the whole function. I mean, a rapid glance to see how long it is and to check for the existance of any other API calls which might facilitate my work. At the end of this subroutine i find some juicy code:

    code0001:000006BE loc_0_6BE:
    code0001:000006BE   lea     $560(a4),a0
    code0001:000006C2   pea     2(a0)             <- Pushes here the same ptr as in 000048CA
    code0001:000006C6   pea     $2A0(a4)          <- Address of the generated serial
    code0001:000006CA   systrap StrCompare()      <- beloved API which will be breakpointed :)
    code0001:000006CE   tst.w   d0                <- Are they the same?
    code0001:000006D0   bne.s   loc_0_6D8         <- JNE Bad Boy
    code0001:000006D2   move.w  #1,$28(a4)        <- put 1 in the regflag
    code0001:000006D8 loc_0_6D8:
    code0001:000006D8   movem.l var_18(a6),d3-d7/a2 <- pop registers (?)
    code0001:000006DE   unlk    a6
    code0001:000006E0   rts                        <- RET      				


Time to 'live' reverse! What we are going to do now is to put a breakpoint on the StrCompare SysTrap using the PalmDebugger. How to do this? the command for 'breakpointing' on an API (set an a-trap) is 'ATB'. So in PalmDebugger you must 'ATB ApiNumber' in order to succesfully set a bpx. I must confess that i spent lots of days looking for some API reference.. and in the end i found out that this same list can be found in the PalmOs SDK. Anyway, i provide you with a nice and comprehensible list here.
StrCompare is 0XC8. That means we have to fire PalmDebugger, Go to 'Connection' in the menu and then click on 'Emulator' (in the case you want to debug a program which is running on the emu of course) invoke the 'ATT' command, (for ATTaching the debugger to the emu),go for a 'atb 0c8' and then 'g' (the same as x or f5 in SoftIce) Now go back to Yearly in the palm and try to register it as before (Remember, everytime the emulator breaks on some bp, execution is freezed and you must work in the debugger. To return execution to the palm or emu, just press 'g' and then the 'enter' key of course).

Type any serial and then click on 'ok'. bOOm! there we got it!. StrCompare takes two parameters, one (in this case) being the seriall you typed and the other one being the generated one.. so its just a question of dumping the correct place in memory to see our serial! :) (btw Yearly takes as a username the HotSync username, which in my case is 'Latigo'). Just throw an 'il' command to disassembly 10 lines of code starting from the breakpoint. I do this to compare this code to the one in IDA in order to know if i'm in the right spot.
Back to the disassembled code we know the pushed pointers are:

    code0001:000006BE   lea     $560(a4),a0
    code0001:000006C2   pea     2(a0)             <- Pushes here the same ptr as in 000048CA
    code0001:000006C6   pea     $2A0(a4)          <- Address of the generated serial

We are interested in $2A0(A4) since the other one just contains a copy of our serial.
'$2A0(A4)' Means the following: 'Take the address that is contained in the A4 register, add 0x2A0 to it and you get a pointer to something,then dump that pointer and you got the real thing'
To know the contents of A4 you must perform a 'REG' command (which shows the contents of ALL the registers). In this case, A4 contains '0001306A'. 0x2A0 should be added to this, giving us 0x1330A as a result. THIS is the pointer to the string. All that is left to be done is to 'DM 1330A' (DM = Display Memory) This are the results of the dump:

	0001330A: 35 36 36 38 00 00 00 00   00 00 00 00 00 00 00 00      "5668............"

Sweeet Baybeee! this is our serial :)
Of course, the other pointer passed as parameter to StrCompare was our username, but just in case you wanna double check do the following: 0x1306A + 0x560 + 0x2 = 0x135CC
'DM 135CC' and you'll see what you entered as a serial. (Btw, the last '0x2' is added to our addresses cos that is what happens at code0001:000006C2)

That's It! There we have it! a nice 'dead listing' + 'memory echo' approach!
For aesthetical reasons, the keygen part of this tutorial has been made in a separate html file which can be found here.

Usefull commands for PalmDebugger.exe (check PalmDebugger's help for further help on these commands):

Command Description
ATB: Sets a trap break. Sytanx = atb 'SysTrap number'
G: Continue execution. Takes a memory address as an optional parameter
ATT: Attaches the debugger to the remote unit.
IL: Disassembles code at current program counter (EIP).
DM: (Dumps) Displays Memory.
REG: Displays all registers.

Ok, that was all! Hope you liked it and/or learned something. Any request, question, suggestion or whatever just send it to latigo_at_ciudad_dot_com_dot_ar.

Check more coding and reversing tutes at Bye!