|
Experience
a brand new taste in cracking :
Juggle with the PalmPilot's DragonBall
|
+HCU papers
|
|
16
May 1998
|
by TeK
|
|
|
Courtesy of Fravia's page of reverse engineering
|
|
fra_00xx
98xxxx
handle
1100
NA
PC |
Mmmm! Juicy! Motorola disassembling! Was
about time we all took a vacation from the dull routine of the
intel routines!
Motorola, nice sweet sound of an almost extint, yet
once glorious, really POWERFUL processor family!
Repeat it swinging
slowly your hawajian shirt: MO-TO-RO-LA...
hola-hop, Aloha, aloha,
sommer sun, deep blue sea...Yeah! Let's crack our "palmtops" sitting in
the shadow of the palms, or, if in Europe, feeling the breeze under our
sail, while the boat rolls gently in the calm waters of the
little greek harbour, and we are awaiting the opening hour of the bars
for our wodka-martinis (or ouzos)...
what the hell is an "Atomic Fire Ball"?
A great essay, that for once
walks completely different paths... and comes to the same known conclusions:
protections are useless against reversing magi like Tek, and I'm very
happy that Tek volunteered (at the bottom) to start the new "other worlds" reversing
section of my site :-)
The "tools"
section of this essay is VERY important for any reverser, btw...
|
|
|
There is a crack, a crack in everything That's how the light
gets in
|
|
|
Rating
|
( )Beginner (x)Intermediate
(x)Advanced ( )Expert
|
|
Crack on a new platform using the dead list approach. Experience the
M68000 assembler. Make your own Java key generator for a Pilot application.
Experience
a brand new taste in cracking :
Juggle
with the PalmPilot's DragonBall
Written
by TeK
Cracking Windows and DOS apps is fun. Cracking dongles is even more
fun. But what about taking some holidays and cracking something that you've
never cracked before ? In this essay, I will try to teach you how to crack
applications running on the PalmPilot. Believe me, that will be like taking
some holidays on the Azure Coast...
I couldn't find any tutorial or anything about Pilot cracking on the
web, so I decided to write this essay. This is not intended to be a tutorial,
even if I will try to go far enough to make you discover all the nice pieces
of code that are hidden inside these little black-and-green babes.
I assume that you have some slight knowledge of the X86 assembler.
Anyway, we won't talk much X86; we'll talk M68000.
As the platform changes, the tools change. It took me much time to
find the right tools and the best tools to achieve my first Pilot crack
Here are the tools you'll need and where you'll find them :
Necessary :
Palm OS Emulator
: you'll need this to use your PC to emulate the Pilot. You don't really
need it if you already have a REAL Pilot. Anyway, this emulator is amazing.
PRC2BIN
: this will extract all the resources linked in a Pilot .PRC executable
file.
PilDis
: the best Pilot disassembler around.
M68K
Disassembler 1.1 : I experienced some problems with this one (it
made me lose one hour of my life :(), but sometimes it disassembles a bit
better than PilDis.
Pila
: the Pilot assembler.
Hacker's
View 5.66 : this is the hex-editor I prefer, but any other will
do.
Optional :
ROM
File : You'll find debug ROM's for the Palm OS Emulator at 3COM's,
but with them I experienced some unexpected crashes (yes, usually I expect
crashes under WinSuxx95 :). That's why I encourage you to take a released
ROM. If you don't have a real Pilot, you'll find some on the Net. This
URL might be down by the time you read these lines, but anyway, you know
how to search, don't you.
ASDK
: this is an almost complete toolbox that contains many very useful programs
like PilDis, PRC2BIN and Pila.
The Copilot
Home Page : there you'll find some infos about the original PalmPilot
emulator.
Pilot
Assembler Reference : excellent compilation of infos to program
(and crack) Pilot apps.
CrossFire
5.10 : this program doesn't interest us much in itself, but it
contains an excellent description of most M68000 instructions.
Pilot Programming
FAQ : if you know how to program, you've done a good part of the
way to the crack.
MC68328
DragonBall : official informations about Motorola's processor.
Atomic Fire Balls : you'll need these hot cinammon candies to
fight against the DragonBall processor. If you cannot find them in Europe,
you can place an order at CandyDirect.
One ball should last long enough for you to read this essay. If you prefer
the more classical Martini/Vodka, I advise you NOT to eat an Atomic Fire
Ball while sipping your favorite cocktail...
A Good Bootleg : just put on a good concert of Lush, Garbage
or Nirvana while cracking Pilot programs. You'll see, it helps to feel
the code. If you fancy trading bootlegs with me, my list is here.
You will find all the targets we'll treat in this essay and many other
potential ones at : http://www.pilotgear.com
Usually we don't care enough about the history of the applications we are going
to crack, but the Pilot's history is important.
The Pilot has a multiple use : diary, address book, calculator, text
editor, web browser, ... It is small but not limited as it is quite easily
programmable.
The Pilot was first developped by USRobotics. When 3COM bought USR,
they also got the license for the Pilot and they put their logo on it.
The version 3.0 of the Pilot was released lately. A big advantage of the
Pilot is that you can upgrade it just by changing its little ROM card.
All Pilots contain the Motorola MC68328
DragonBall processor.
It may also interest you to know that IBM bought the Pilot's license.
They rehashed it a bit (i.e. changed the logo) and they called it "WorkPad".
The PalmPilot and the WorkPad are compatible.
The PalmPilot doesn't have a keyboard. It has a good built-in OCR,
so you just have to write on the touch-screen with a pen and use a special
font. You will spend much time to write your first characters but then
you'll get used to it.
Of course you have the possibility to connect the Pilot to your PC.
This is done through a protocol called HotSync. Note that there is a HotSync
ID that is defined on the PC and which contains your user name. This ID
will be used by one of our future targets...
You might experience a strange (but normal) behavior of the Palm OS.
It isn't really multi-tasking, but it can execute the application launcher
and one application in parallel. Pilot apps do not have a QUIT option.
It seems that you have to run another app to quit the previous one. If
someone has more infos about this feature (!?!), please drop me a line.
Let's talk a bit about the Copilot, the Pilot emulator for PC and Mac.
This excellent program was written by Greg Hewgill and it was lately bought
(or simply taken, I don't know) by 3COM who called it Palm OS Emulator.
3COM are acting exactly like Micro$hit; they suck everything they can.
Fortunatelly, the Palm OS Emulator is free along with a debug ROM.
We'll treat three applications in this essay. I chose them in order
to give you a wide view of the cracking possiblities you have on the Pilot.
We will begin with an easy crack to show how it works and we'll finish
with a key generator written in Java.
Ok, before we begin, just put the Atomic Fire Ball in your mouth and
play your favorite bootleg.
The first target will be Currency Calculator 3.12. You'll find
it at PilotGear. Maybe there is
a newer version there, but I know that you're smart enough to handle the
offset changes by yourselves.
After unzipping the file, you'll find three .PRC files and two .PDB
files. PDB files are databases and we won't have to deal with them. PRC
files are compiled Pilot resources. They contain many internal parts such
as : code, icons, forms, alert forms, menu bars, strings, ... If you're
an experienced cracker, I'm sure that you can already see the light through
it :)
CURRCAL1.PRC is compatible with the Palm OS 1.0 and CURRCAL2.PRC is
a more powerful version of the program, but it needs the Palm OS 2.0 and
MATHLIB.PRC must be installed in order to let it run. We'll work on CURRCAL1.PRC
here, but the other version has exactly the same protection scheme located
at a different offset.
As always, we must first analyse what is to be cracked. Run the emulator.
It will create a Palm1024.ram file the first time you run it. This is the
space you have to install programs on your emulated PalmPilot. You can
see that there is also a palm.rom file. You can upgrade your virtual Pilot
only by changing this file. If you have a real Pilot you can even download
its ROM into your PC to use it with the emulator... wonderful, isn't it
?!
Now that the emulator is running, press the right mouse button to load
CURRCAL1.PRC. I won't teach you how to use the Pilot. Just experience and
read the docs. With the emulator you do not need to use the OCR. Just type
in everything with the keyboard; that's much easier. Run CurrCalc. If you
don't get the Info/Register panel, just click on the "i" logo in the upper
left. Click "Register" and here we are : you have to enter your user name
and registration number. As you can see, Pilot shareware programmers are
as greedy as PC shareware programmers. I would say even more greedy. Anyway,
at the end of this essay, this (nice) program will be cracked to the bone.
We will always use the dead list approach to deal with PalmPilot programs
as a debugger would not help us much but would surely slow us down. The
Copilot contained a quite nice debugger but it was built for version 1.0
of the OS. Unfortunatelly it was based on static memory addresses and when
the OS changed, the memory locations changed too, which made the debugger
crash. I tried it anyway but I could never go further than the welcome
screen. You'll see that the dead list approach is so easy that we'll never
miss the debugger. If you were planning to use SoftIce, you can forget
it straight away. As the code is emulated, it would be the same as debugging
InstallShield's SETUP.EXE. Note for the protectionists out there : interpreted
code (i.e. compiled script) is an excellent protection. Try to crack a
Java program by debugging JAVA.EXE... it would take you at least one month.
Now take 30 minutes to decompile the program with WingDis and you'll need
5 minutes to get through it. NaTzGUL surely knows what I'm talking about...
After this little digression, let's enter something in both fields
of the registration window. Click OK and note down the error message that
says "Wrong registration number!". If we find the part of the code that
fetches this error message to display it, the good_guy/bad_guy comparison
cannot be far.
The first thing to do is to split the CURRCAL1.PRC into atomic resources
to find our error message. Therefore we use PRC2BIN. It creates 68 resource
files out of CURRCAL1.PRC (you'd better create a separate directory for
these ones). A good thing to do is to browse all resources with HIEW to
see what's inside. You can also make a quick string search over the directory
to quickly locate the file that contains "Wrong registration number!".
You'll find it in TALT05DC.BIN. This filename is not random at all.
ALT means ALERT. We will often have to deal with these forms as most
"Registration Error" processes use them.
05DC is an hex number which represents the Resource ID (ResID) of the
Alert Form. This handle is used to display the form. Remember this number.
Now we know what we're looking for : a call to resource 05DC.
Let's disassemble the code. There are two ways : either you use PilDis
on CURRCAL.PRC (the packaged resources), either you use it on CODE0001.BIN
(the code resource itself). The second approach is more logic, but I prefer
the first one as the offsets in the disassembled output file will be the
same as in the original .PRC and therefore easily patchable (you won't
need to make a hex search throughout the .PRC). For this essay, I will
use the first method.
CURRCAL1.PRC is now disassembled in CURRCAL.PRC.s. Take your prefered
text viewer and open CURRCAL1.PRC.s (I personally use 4DOS's LIST... pretty
quick for string searches).
Search for "05DC". You'll get some false positives; this is due to
the fact that ALL the .PRC resource was disassembled and not only the code
area. When your string search stops at a DC.? instruction (called DB, DW
or DD with the X86) you know that you're in a data area. The search stops
twice in the code area : at 00005D18 and 00007DFA.
Now it's time to introduce the Pilot API. The Palm OS contains a good
lot of meaningful API's that are very well recognized by PilDis. There
is a non-exhaustive list of API's that may be helpful to our cracking purpose
in the Appendix section of this essay. Depending on the program's behavior,
you can usually determine which API should be called. In our case, an Alert
Form is displayed after entering a bad registration number. Guess what,
there is an API called sysTrapFrmAlert... getting the picture ?
Let's examine the first occurrence of our ResID (05DC) at 00005D18
(as comments I translated the most important instructions into X86 assembler)
:
00005d18 363c05dc
MOVE.W #1500!$5dc,D3 ;mov word ptr D3, 05DCh
00005d1c 6052
BRA L885
;jmp L885
00005d1e 363c0640
MOVE.W #1600!$640,D3
00005d22 604c
BRA L885
00005d24 363c06a4
MOVE.W #1700!$6a4,D3
00005d28 6046
BRA L885
00005d2a 363c0708
MOVE.W #1800!$708,D3
00005d2e 6040
BRA L885
00005d30 363c076c
MOVE.W #1900!$76c,D3
00005d34 603a
BRA L885
00005d36 363c07d0
MOVE.W #2000!$7d0,D3
00005d3a 6034
BRA L885
00005d3c 363c0834
MOVE.W #2100!$834,D3
00005d40 602e
BRA L885
00005d42 363c0898
MOVE.W #2200!$898,D3
00005d46 6028
BRA L885
00005d48 363c08fc
MOVE.W #2300!$8fc,D3
00005d4c 6022
BRA L885
00005d4e 363c0960
MOVE.W #2400!$960,D3
00005d52 601c
BRA L885
00005d54 363c09c4
MOVE.W #2500!$9c4,D3
00005d58 6016
BRA L885
00005d5a 363c0a28
MOVE.W #2600!$a28,D3
00005d5e 6010
BRA L885
00005d60 363c0a8c
MOVE.W #2700!$a8c,D3
00005d64 600a
BRA L885
00005d66 363c0af0
MOVE.W #2800!$af0,D3
00005d6a 6004
BRA L885
00005d6c 363c0b54
MOVE.W #2900!$b54,D3
00005d70 4a43
L885 TST.W D3
;cmp word ptr D3, 0
00005d72 6708
BEQ L886
;jz L886
00005d74 3f03
MOVE.W D3,-(A7)
00005d76 4e4f
TRAP #15
00005d78 a195
DC.W sysTrapFrmHelp ;display a Help Form
00005d7a 544f
ADDQ.W #2,A7
00005d7c 4cdf0438
L886 MOVEM.L (A7)+,D3-D5/A2
00005d80 4e75
RTS
;ret
If you have never dealt with the M68000 assembler before, this piece
of code needs some comments. You may have noticed that the second operand
of each instruction is the target and not the source (contrary to the X86
assembler).
MOVE.W #1500!$5dc,D3 means that the value 1500d (= 05DCh) will be put
into the register D3 using the space of a WORD. The M68000 processor contains
8 data registers (D0-D7), 7 address registers (A0-A6) and a stack pointer
(A7). Registers have 32 bits.
Instructions that use registers are followed by a .B (byte : 8 bits),
.W (word : 16 bits) or .L (long : 32 bits). This tells the processor how
much bits of the register the instruction will act on (almost like our
BYTE PTR, WORD PTR and DWORD PTR).
BRA means "branch". This is a simple unconditional jump to the specified
location. The TST instruction may be useful to us : it tests if the register
(here D3) equals zero and sets the flags accordingly. The flags are then
checked by BEQ (Branch if EQual). This conditional jump will branch if
the result of the TST instruction was zero.
Finally, there is the call to sysTrapFrmHelp preceded by the TRAP instruction
(interrupt call) to display the Help Form and the RTS (ReTurn from Subroutine)
to return to the caller.
If you're interested in getting more informations about the M68000
processor and assembler, please refer to the Tools section of this essay.
Seemingly, in our protection we do not expect a Help Form but an Alert
Form. Let's have a look at the second occurrence of the ResID :
00007d8a 2c48
L1174 MOVEA.L A0,A6
00007d8c 2f0c
MOVE.L A4,-(A7)
00007d8e 4e4f
TRAP #15
00007d90 a139
DC.W sysTrapFldGetTextPtr ;get a pointer on the first text
field (User Name)
00007d92 2808
MOVE.L A0,D4
00007d94 2444
MOVEA.L D4,A2
00007d96 2f0e
MOVE.L A6,-(A7)
00007d98 4e4f
TRAP #15
00007d9a a139
DC.W sysTrapFldGetTextPtr ;get a pointer on the second text
field (Reg. Num.)
00007d9c 2a08
MOVE.L A0,D5
00007d9e 4a84
TST.L D4
;first text field pointer = null ?
00007da0 4fef000c
LEA 12(A7),A7
00007da4 6748
BEQ L1177
;if yes, branch to Bad_Guy
00007da6 4a85
TST.L D5
;second text field pointer = null ?
00007da8 6610
BNE L1176
;if no, calculate the right Reg. Num.
00007daa 6042
BRA L1177
;if yes, branch to Bad_Guy
00007dac 1012
L1175 MOVE.B (A2),D0
;calculate the right Reg. Num. from the User Name
00007dae 4880
EXT.W D0
00007db0 d046
ADD.W D6,D0
00007db2 064004a3
ADDI.W #1187!$4a3,D0
00007db6 3c00
MOVE.W D0,D6
00007db8 528a
ADDQ.L #1,A2
00007dba 4a12
L1176 TST.B (A2)
00007dbc 66ee
BNE L1175
;loop while not end of User Name string
00007dbe 2f05
MOVE.L D5,-(A7)
00007dc0 4e4f
TRAP #15
00007dc2 a0ce
DC.W sysTrapStrAToI ;convert
the entered Reg. Num. to Integer
00007dc4 7200
MOVEQ #0,D1
00007dc6 3206
MOVE.W D6,D1
00007dc8 b280
CMP.L D0,D1
;are the calculated and the entered Reg. Nums equal ?
00007dca 584f
ADDQ.W #4,A7
00007dcc 6620
BNE L1177
;no, then branch to Bad_Guy
00007dce 2f04
MOVE.L D4,-(A7)
;Good_Guy, the entered Reg. Num. is right
00007dd0 486dfc66
PEA -922(A5)
00007dd4 4e4f
TRAP #15
00007dd6 a0c5
DC.W sysTrapStrCopy ;save
the User Name
00007dd8 2f05
MOVE.L D5,-(A7)
00007dda 486dfc86
PEA -890(A5)
00007dde 4e4f
TRAP #15
00007de0 a0c5
DC.W sysTrapStrCopy ;save
the Reg. Num.
00007de2 1b7c0001fc96
MOVE.B #1,-874(A5)
;put on the "Registered" flag
00007de8 4fef0010
LEA 16(A7),A7
00007dec 6016
BRA L1178
;branch over Bad_Guy and continue normal execution
00007dee 422dfc66
L1177 CLR.B -922(A5)
;Bad_Guy - clear the User Name variable
00007df2 422dfc86
CLR.B -890(A5)
;clear the Reg. Num. variable
00007df6 422dfc96
CLR.B -874(A5)
;clear the "Registered" flag
00007dfa 3f3c05dc
MOVE.W #1500!$5dc,-(A7) ;wowowow... here is our
Bad_Guy ResID
00007dfe 4e4f
TRAP #15
00007e00 a192
DC.W sysTrapFrmAlert ;display
the Alert Form
00007e02 544f
ADDQ.W #2,A7
00007e04 3f2dfeb2
L1178 MOVE.W -334(A5),-(A7) ;keep on
normal execution
00007e08 4e4f
TRAP #15
00007e0a a19e
DC.W sysTrapFrmReturnToForm
As you can see, the names of the sysTraps are meaningful enough for
us to understand them. With our search for 05DC, we have landed right in
the protection routine. We don't even need to understand EVERY instruction;
a global view is more than enough for now. We'll spend more time on this
protection at the end of this essay : we'll program a key generator for
Currency Calculator.
What we have to patch is quite obvious : just put a No OPeration (NOP)
at 00007DCC which will force the program to go to Good_Guy. Same scheme
as always...
Now we have a big problem : we all know that on our beloved PC's the
opcode of NOP is 90h. What is the opcode of NOP on the M68000 ? We can
try to make a string search for NOP on the dead listing of CURRCAL1.PRC,
but no NOP is found. A good solution (if, like me, you cannot afford buying
a 70$ book containing all the M68000 opcodes) is to use Pila, the Pilot
Assembler. Just put a NOP somewhere in the sample file, assemble and then
disassemble with PilDis to find the opcode. I know that this technique
is not so smart but it works fine though. We discover that NOP is 4E71h
(yes Sir, 2 bytes).
The crack is finished. Use Hacker's View to replace the 6620h at 00007DCC
with 4E71h. Load the cracked app from the emulator and enter anything in
the fields. It works quite well. Zero-character strings are not accepted
and will refuse you the registration. Don't patch the checks for null pointers
at 00007DA4 and 00007DAA as it would crash your Pilot badly (this is "normal"
as the called API cannot handle empty strings).
Note that your registration will not be kept in memory if you EXIT
the emulator just after registering. You have to run another program in
order to keep the memory as changed. I suppose that this is due to the
fact that you cannot EXIT a real Pilot (this would be equal to a cold reset
and the memory wouldn't be kept either). On the real Pilot, you just press
the green button to turn it off, which doesn't throw away the changes that
might have occurred inside the memory.
Now you can also patch CURRCAL2.PRC. You have to put the NOP at the
offset 00004BE0.
Ok, let's move on to another target. I chose TealPaint 2.20 from
TealPoint Software. This is an excellent drawing program (at least on the
Pilot). TealPoint Software distribute many other applications like TealDoc
or TealEcho. They seem to make a big business out of Pilot apps. That's
why we'll crack TealPaint and that's why I encourage you to crack all other
TealPoint apps, like I already did myself...
Once again, you may not find exactly the same version at PilotGear,
but you can handle the offset changes. The important thing is to UNDERSTAND
what happens inside the target.
Here we go : run the target and a nag-screen will appear just after
you have entered a database name. Now you can press the Register button
to see what happens. The registration process uses your HotSync ID as User
Name and you have to enter the corresponding key. So boring...
Let's get the ResID of the Alert Form that contains "Make sure your
HotSync ID matches the one in your Registration message" that is displayed
after you have entered a bad key.
We can now use PRC2BIN and PilDis on TEALPNT.PRC. We find our Bad_Guy
string in TALT07D1.BIN and you'll notice that TALT07D2.BIN contains "Thank
You, Registration key accepted". Browsing ALL resource files is often helpful
and not so time-consuming.
A string search for our ResID (07D1) in the disassembled file TEALPNT.PRC.s
gives us only one occurrence in the code area at 000050CC which is directly
followed by a call to sysTrapFrmAlert :
000050b6 528b
L293 ADDQ.L #1,A3
000050b8 0c130020
CMPI.B #32!$20,(A3)
000050bc 6ef8
BGT L293
000050be 16bc0000
MOVE.B #0,(A3)
000050c2 4eba0026
JSR L296
;call to L296
000050c6 4a00
TST.B D0
;D0=0 ?
000050c8 6700000e
BEQ L294
;if yes, branch to Good_Guy
000050cc 3f3c07d1
MOVE.W #2001!$7d1,-(A7) ;Bad_Guy
000050d0 4e4f
TRAP #15
000050d2 a192
DC.W sysTrapFrmAlert ;display
the Bad_Guy Alert Form
000050d4 548f
ADDQ.L #2,A7
000050d6 600a
BRA L295
;jump over Good_Guy
000050d8 3f3c07d2
L294 MOVE.W #2002!$7d2,-(A7) ;Good_Guy
000050dc 4e4f
TRAP #15
000050de a192
DC.W sysTrapFrmAlert ;display
the "Thank You..." Alert Form
000050e0 548f
ADDQ.L #2,A7
000050e2 4cdf1cf8
L295 MOVEM.L (A7)+,D3-D7/A2-A4 ;pop registers
000050e6 4e5e
UNLK A6
;remove the stack frame
000050e8 4e75
RTS
;return to the caller
This seems to be easy... let's replace the BEQ at 000050C8 by a BRA
and the program will unconditionally branch to Good_Guy. This time, no
need to assemble a BRA like we did with NOP. There are many BRA's in the
program. Watch at offset 000050D6 : BRA is 60h plus the displacement (here
0Ah to reach L295). We have two possibilities : either replace the 67h
at offset 000050C8 with 60h and it will make a far jump to L294 or put
a 600Eh at the same offset to make a short jump. Both work fine.
Now you can reload the patched version of TEALPNT.PRC into your Palm
emulator and try it. Press the Register button, enter something in the
Key field, press OK and we can see that our crack works fine. Now run another
program to force TealPaint to quit. Rerun TealPaint and... bad thing, the
nag-screen is still here. Our crack is not so good. Why ? Because the key
is checked each time the program executes. We only forced it to display
the "Thank You ..." form, but now we must crack the check for the nag-screen.
What happens just before the TST, at 000050C2 ? The program makes a
Jump to SubRoutine (i.e. a call to a procedure). We can assume that this
procedure must return 0 in D0 if we want the BEQ to branch to Good_Guy.
If the nag-screen is still displayed, that's because there is certainly
another call to this subroutine somewhere else in the code. A search for
L296 gives us :
0000438c 4eba0d5c
L243 JSR L296
;call the registration check
00004390 1b400536
MOVE.B D0,1334(A5) ;store D0 in a variable
00004394 4a2d0536
TST.B 1334(A5) ;test the variable
for 0
00004398 670000c0
BEQ L246
;jump over the nag-screen display routine if D0=0
Now we can be sure that the procedure must return 0 in D0. Let's have
a look at this famous L296 :
000050ea 4e560000
L296 LINK A6,#0
000050ee 48e71f38
MOVEM.L D3-D7/A2-A4,-(A7)
000050f2 486d090f
PEA 2319(A5)
000050f6 4eba008c
JSR L297
000050fa 588f
ADDQ.L #4,A7
000050fc 3f3c0004
MOVE.W #4,-(A7)
00005100 2f3c00005673
MOVE.L #22131!$5673,-(A7)
00005106 2f3c00001234
MOVE.L #4660!$1234,-(A7)
0000510c 486d090f
PEA 2319(A5)
00005110 4eba009e
JSR L298
00005114 4fef000e
LEA 14(A7),A7
00005118 2800
MOVE.L D0,D4
0000511a c8bc00003f3f
AND.L D4,#16191!$3f3f
00005120 45ed0568
LEA 1384(A5),A2
00005124 2f0a
MOVE.L A2,-(A7)
00005126 4e4f
TRAP #15
00005128 a0c7
DC.W sysTrapStrLen
0000512a 588f
ADDQ.L #4,A7
0000512c 264a
MOVEA.L A2,A3
0000512e d7c0
ADDA.L D0,A3
00005130 528b
ADDQ.L #1,A3
00005132 3f3c0005
MOVE.W #5,-(A7)
00005136 2f3c0000e113
MOVE.L #57619!$e113,-(A7)
0000513c 2f3c0000f985
MOVE.L #63877!$f985,-(A7)
00005142 2f0a
MOVE.L A2,-(A7)
00005144 4eba006a
JSR L298
00005148 4fef000e
LEA 14(A7),A7
0000514c c0bc0000003f
AND.L #63!$3f,D0
00005152 e188
LSL.L #8,D0
00005154 2600
MOVE.L D0,D3
00005156 3f3c0005
MOVE.W #5,-(A7)
0000515a 2f3c0000e113
MOVE.L #57619!$e113,-(A7)
00005160 2f3c0000f985
MOVE.L #63877!$f985,-(A7)
00005166 2f0b
MOVE.L A3,-(A7)
00005168 4eba0046
JSR L298
0000516c 4fef000e
LEA 14(A7),A7
00005170 c0bc0000003f
AND.L #63!$3f,D0
00005176 8083
OR.L D3,D0
00005178 b084
CMP.L D4,D0
;compare D4 and D0
0000517a 56c0
SNE D0
;if (D0=D4) then D0:=0; if (D0/=D4) then D0=FFh
0000517c 4cdf1cf8
MOVEM.L (A7)+,D3-D7/A2-A4
00005180 4e5e
UNLK A6
00005182 4e75
RTS
Again, we don't need to understand every instruction. This procedure
is quite complex (some JSR's, ...). We know it must return 0 in D0, so
we can reverse it. We begin at the end and watch what happens with D0.
The key to our problem seems to be located at 0000517A. We can put 0 in
D0 ourselves with the instruction : MOVE.B #0, D0 . We use a MOVE.B as
only a byte is tested for zero at 00004394 and 000050C6. Assemble this
instruction, disassemble it and you'll find the opcode 103C0000h . As it
takes 4 bytes, we can put it at 00005178 which will overwrite the CMP and
the SNE.
The crack works fine now and there is no nag-screen anymore, even before
we have entered a registration key... this behavior was expected as we
patched the subroutine that is used for all checks to the key.
If you disassemble TealDoc, you'll see that its protection routine
is almost the same as TealPaint's. I hope that someone will fancy writing
a generic patcher for all TealPoint apps, all versions. This may involve
writing a heuristic searcher to find and patch the protection part even
if it has been slightly changed through different versions. This would
be an excellent exercise.
Ok, we've seen enough easy protections. Our new target, PAL 1.31,
doesn't have a "ready-to-crack" registration routine. PAL is a nice applications
launcher that allows you to categorize your apps (even though the new Palm
OS 3.0 would have the same feature built-in). At the bottom of the screen,
the date blinks with an "UNREGISTERED" message. If it doesn't blink, click
on the locker, turn on the Pilot with the green button and then it will
blink.
What do we want to do ? Of course, you could put your handle instead
of the "UNREGISTERED" message and it would be nice, but what we want is
that the date stops blinking. We have no idea of which API could be used
to display this string. As Palm programs are quite small, we can try a
"brute" technique that is to perform a string search for "sysTrap". I told
you it was brute... This way, we'll get ALL API calls that the program
makes. It won't take you more than five minutes to browse all these calls,
and you'll learn much.
I experienced some problems when disassembling PAL.PRC with PilDis.
Some parts of the code area that are important to our cracking purpose
were not correctly disassembled. Therefore you should use the M68K Disassembler
for this target.
The disassembly done, let's browse the sysTrap calls. At the beginning
you'll find many memory related sysTraps that are unuseful to us. A bit
further, at 00000E8A, we land on a sysTrapTimeToAscii followed by a sysTrapWinEraseRectangle
and a sysTrapWinDrawChars :
00000e84 e188
LSL.L #8,D0
00000e86 2f00
MOVE.L D0,-(A7)
00000e88 4e4f
TRAP #15
00000e8a a268
sysTrapTimeToAscii ;convert the
current time to ASCII chars
00000e8c 4fef000c
LEA 12(A7),A7
00000e90 48780000
PEA $0000.W
00000e94 486f0038
PEA 56(A7)
00000e98 4e4f
TRAP #15
00000e9a a219
sysTrapWinEraseRectangle ;erase a rectangle part of the screen
00000e9c 504f
ADDQ.W #8,A7
00000e9e 2f3c004b0000 MOVE.L #4915200!$4b0000,-(A7)
00000ea4 486f0024
PEA 36(A7)
00000ea8 4e4f
TRAP #15
00000eaa a0c7
sysTrapStrLen
;get the length of the time string
00000eac 584f
ADDQ.W #4,A7
00000eae 7200
MOVEQ #0,D1
00000eb0 3200
MOVE.W D0,D1
00000eb2 7010
MOVEQ #16,D0
00000eb4 e1a9
LSL.L D0,D1
00000eb6 0041002c
ORI.W #44!$2c,D1
00000eba 2f01
MOVE.L D1,-(A7)
00000ebc 486f0028
PEA 40(A7)
00000ec0 4e4f
TRAP #15
00000ec2 a220
sysTrapWinDrawChars ;draw the chars
of the time string on the screen
Doesn't it look like a time-display routine ? We can assume that the
same routine must exist for the date and for the "UNREGISTERED" message.
Let's keep on our search. At 00000EFA we have the sysTrapDateToAscii
we were waiting for, and it is also followed by the same display API. Now
we know that the display of the "UNREGISTERED" string should be made through
sysTrapWinDrawChars.
The search for sysTrapWinDrawChars gives quite a lot of occurrences.
This time, you really have to feel the code, unlike with our previous
targets.
If you're an experienced cracker, you'll notice that only one occurrence
of sysTrapWinDrawChars corresponds with the pattern above :
00001df0 4feffff4
L63 LEA -12(A7),A7
00001df4 3f7c00040004
MOVE.W #4,4(A7)
00001dfa 3f7c008a0006
MOVE.W #138!$8a,6(A7)
00001e00 3f7c00490008
MOVE.W #73!$49,8(A7)
00001e06 3f7c000b000a
MOVE.W #11!$b,10(A7)
00001e0c 2f3c01000000
MOVE.L #16777216!$1000000,-(A7)
00001e12 4e4f
TRAP #15
00001e14 a164
sysTrapFntSetFont
00001e16 584f
ADDQ.W #4,A7
00001e18 3f400002
MOVE.W D0,2(A7)
00001e1c 48780000
PEA $0000.W
00001e20 486f0008
PEA 8(A7)
00001e24 4e4f
TRAP #15
00001e26 a219
sysTrapWinEraseRectangle
00001e28 504f
ADDQ.W #8,A7
00001e2a 2f3c00890000
MOVE.L #8978432!$890000,-(A7)
00001e30 2f3c000c0005
MOVE.L #786437!$c0005,-(A7)
00001e36 486dff18
PEA -232(A5)
00001e3a 4e4f
TRAP #15
00001e3c a220
sysTrapWinDrawChars
00001e3e 4fef000c
LEA 12(A7),A7
00001e42 7000
MOVEQ #0,D0
00001e44 302f0002
MOVE.W 2(A7),D0
00001e48 7218
MOVEQ #24,D1
00001e4a e3a8
LSL.L D1,D0
00001e4c 2f00
MOVE.L D0,-(A7)
00001e4e 4e4f
TRAP #15
00001e50 a164
sysTrapFntSetFont
00001e52 4fef0010
LEA 16(A7),A7
00001e56 4e75
RTS
It's quite difficult to find the pointer to "UNREGISTERED" that must
be passed to sysTrapWinDrawChars. I suppose that the PEA -232(A5) (Push
Effective Address) does the trick. Anyway, now we have 2 solutions, either
we prevent the call to L63 which is done at 0000307A, either we return
from the procedure just after it has been called, that means we put a RTS
intruction (ReTurn from Subroutine) at L63.
The opcode of RTS is 4E75h. We put it at 00001DF0 and we're done. The
babe is perfectly cracked.
I must tell you that it took me about 30 minutes to figure out where
was hidden the display of "UNREGISTERED" among the multiple calls to sysTrapWinDrawChars,
but the first routine I patched was the right one; no luck here. I consider
this as a hard crack for the pilot. Usually you can get through the protection
in 5-10 minutes. I hope that now that I've written this essay some Pilot
programmers will try making more funny protection (encrypted code would
be MUCH fun). Maybe that one day Aladdin will make a PalmHASP... we can
still dream.
Anyway, I think that now you've seen most techniques usable on the Pilot
with only a dead listing approach. If you think that you've had enough
for now, you can stop reading and begin you first Pilot crack, but if you're
interested in understanding the M68000 assembler a bit better, there is
still something funny we can do : a key generator. Therefore we'll get
back to Currency Calculator. We'll write our own key gen using Java.
Why Java ? It's portable Sir. It might be run on a PC as well as on a Mac
or even on a Pilot ;) I'm not a Java guru at all, so please don't criticize
my code too much; it runs and that's more than enough for me !
I will explain only succinctly the boring parts of the key gen process,
as you are all able to figure out what I did.
Here is the protection part of CURRCAL1.PRC again :
00007d8a 2c48
L1174 MOVEA.L A0,A6
00007d8c 2f0c
MOVE.L A4,-(A7)
00007d8e 4e4f
TRAP #15
00007d90 a139
DC.W sysTrapFldGetTextPtr ;get a pointer on the first text
field (User Name)
00007d92 2808
MOVE.L A0,D4
00007d94 2444
MOVEA.L D4,A2
00007d96 2f0e
MOVE.L A6,-(A7)
00007d98 4e4f
TRAP #15
00007d9a a139
DC.W sysTrapFldGetTextPtr ;get a pointer on the second text
field (Reg. Num.)
00007d9c 2a08
MOVE.L A0,D5
00007d9e 4a84
TST.L D4
;first text field pointer = null ?
00007da0 4fef000c
LEA 12(A7),A7
00007da4 6748
BEQ L1177
;if yes, branch to Bad_Guy
00007da6 4a85
TST.L D5
;second text field pointer = null ?
00007da8 6610
BNE L1176
;if no, calculate the right Reg. Num.
00007daa 6042
BRA L1177
;if yes, branch to Bad_Guy
00007dac 1012
L1175 MOVE.B (A2),D0
;calculate the right Reg. Num. from the User Name
00007dae 4880
EXT.W D0
00007db0 d046
ADD.W D6,D0
00007db2 064004a3
ADDI.W #1187!$4a3,D0
00007db6 3c00
MOVE.W D0,D6
00007db8 528a
ADDQ.L #1,A2
00007dba 4a12
L1176 TST.B (A2)
;ASCIIZ string : did we reach the 00h
00007dbc 66ee
BNE L1175
;loop while not end of User Name string
00007dbe 2f05
MOVE.L D5,-(A7)
00007dc0 4e4f
TRAP #15
00007dc2 a0ce
DC.W sysTrapStrAToI ;convert
the entered Reg. Num. to Integer
00007dc4 7200
MOVEQ #0,D1
00007dc6 3206
MOVE.W D6,D1
00007dc8 b280
CMP.L D0,D1
;are the calculated and the entered Reg. Nums equal ?
00007dca 584f
ADDQ.W #4,A7
00007dcc 6620
BNE L1177
;no, then branch to Bad_Guy
Everything happens in L1175. From 00007D94 we know that A2 points to
the beginning of the User Name string. Each character will be loaded into
D0 (at 00007DAC) and D0 will be extended to a word. Then, D6 (which contains
a number calculated previously) is added to D0, 04A3h (=1187d) is also
added to D0 and D0 is copied to D6. The same algorithm is applied to each
character of the User Name. Here is the code explained line by line :
00007dac 1012
L1175 MOVE.B (A2),D0
;copy one character of the User Name to D0 (BYTE PTR)
00007dae 4880
EXT.W D0
;extend D0 to a word
00007db0 d046
ADD.W D6,D0
;add D6 to D0 (WORD PTR)
00007db2 064004a3
ADDI.W #1187!$4a3,D0 ;add 04A3h
to D0 (ADD Immediate value)
00007db6 3c00
MOVE.W D0,D6
;copy D0 to D6
00007db8 528a
ADDQ.L #1,A2
;inc A2
00007dba 4a12
L1176 TST.B (A2)
;did we reach the end of the User Name string ?
00007dbc 66ee
BNE L1175
;if no, then loop back to L1175
A good question that you might ask is : what is the value of D6 at the
beginning of the loop. Reversing the whole thing shows that at 00007C8A
D6 is initialized to 0. Now everything is ok to make our key generator.
Here is the Java code that I've written :
import java.awt.*;
import java.applet.*;
import java.lang.*;
public class CurrCalcKeyGen extends Applet
{
Font font;
Panel ThePanel = new Panel();
TextField UserNameField = new TextField(30);
String Generated = "";
public void init()
{
setBackground(Color.white);
ThePanel.add(new Label("User
Name : ", Label.RIGHT));
ThePanel.add(UserNameField);
add(ThePanel);
add(new Button("Generate
The Registration Number"));
resize(400, 170);
}
public boolean action(Event
evt, Object arg)
{
int GeneratedRegNum=0;
String UserName = UserNameField.getText();
if (UserName.length()==0)
{
Generated="Maybe you should enter something...";
}
else
{
for (int i=0;i<UserName.length();i++)
GeneratedRegNum+=UserName.charAt(i)+1187;
Generated="Your registration number is : "+GeneratedRegNum;
}
repaint();
return true;
}
public void paint (Graphics
g)
{
g.setColor(Color.blue);
font=new Font("TimesRoman", Font.BOLD, 20);
g.setFont(font);
g.drawString(Generated, 50, 100);
g.setColor(Color.black);
font=new Font("TimesRoman", Font.BOLD, 10);
g.setFont(font);
g.drawString("Written by TeK", 300, 140);
}
}
I think that there is nothing more to explain. That's quite easy. You
can click here to view this code in action.
The generator works fine, but you may experience problems if you use weird
characters in the User Name (like accents). The Pilot character set is
definatelly not the Unicode used by Java.
Furthermore, the registration number is a WORD. If your User Name contains
more than 50-55 chars, the Reg. Num. may get bigger than 65535 and what
happens then ? Well, it should come back to zero... but our Java key gen
will not. As you can see, not all of what I call "limit cases" are treated
here, but the key generator will work if it's used normally. The zero-char
string case has been treated.
I tried to give you a wide range of the possibilities you have when
cracking on the PalmPilot. As you have seen, the protections are easy to
defeat as long as you have some slight knowledge of the M68000 assembler.
Now you should all be able to crack almost any Palm app. The dead list
approach we used is not the only one. There are good Pilot debuggers out
there, but I'm not sure that you'll crack much quicker with them. Another
very good way to crack Pilot apps that I've experienced is the on-Pilot
cracking. There is an excellent program called Insider that allows you
to twiddle with the Pilot's memory and to disassemble the code on-the-fly.
This is not a debugger; just a disassembler and patcher. Insider is shareware
and you'll have to pay it to disassemble programs (the Disassemble routine
doesn't seem to be in the code of the shareware version... don't even think
of cracking it :). You can find it at PilotGear.
You'll find many sharewares out there which will display a nag-screen
when you launch them. Usually the nag-display routine is located at the
very beginning of the program. Pilot apps are quite linear as they are
mostly programmed using assembler or C. This means that there is quite
a good proximity between the procedure and its caller. This fact is not
universal, but it may help you to crack some targets (like PAL) which need
a good feeling of the code. The same property is usually applicable to
HLL's where encapsulation is a proof of a well programmed (and easily crackable
:) application, but this is not the subject of this essay.
If you have found some errata in this essay, if you have something
interesting to tell me, if you think my english sucks (and I know it does),
if you wanna trade some bootlegs or if you have found a target that uses
the Aladdin PCS protection scheme, you can contact me at : tek@bootlegs.ml.org
Here are some quick greets and thanks :
Satan & Iridium : thanx for bringing me this new target platform
and testing my cracks on the real "thing" !
Roady : now that I kicked the dongle and you fed Spectra with some
DEADBEEF, let's do the FLEXlm... (after a little StarCraft :)
Fravia+ : great page. What about creating a new project for alternative
cracking (other platforms, other languages, script cracking, ...)
Spice Boys : I hope that your design will kick ass !
"La culture ne s'hérite pas, elle se conquiert."
André Malraux
You will find an exhaustive list of all Pilot sysTraps in the file
PILOT.INC of the ASDK
package. Here are some system traps that you may want to pinpoint in your
dead listing (they are often used in protection schemes) :
sysTrapDateDaysToDate
sysTrapDateToDays
sysTrapDateSecondsToDate
sysTrapDateToAscii
sysTrapDayOfMonth
sysTrapDayOfWeek
sysTrapDaysInMonth
sysTrapFldCopy
sysTrapFldCut
sysTrapFldDrawField
sysTrapFldEraseField
sysTrapFldGetTextPtr
sysTrapFldGetSelection
sysTrapFldGetTextLength
sysTrapFldGetTextHandle
sysTrapFldSetMaxChars
sysTrapFrmAlert
sysTrapFrmCustomAlert
sysTrapFrmHelp
sysTrapFrmDrawForm
sysTrapFrmEraseForm
sysTrapScrInit
sysTrapScrCopyRectangle
sysTrapScrDrawChars
sysTrapStrCopy
sysTrapStrCat
sysTrapStrLen
sysTrapStrCompare
sysTrapStrCaselessCompare
sysTrapStrIToA
sysTrapStrAToI
sysTrapStrIToH
sysTrapStrChr
sysTrapStrStr
sysTrapStrToLower
sysTrapSysRandom
sysTrapSysTimerRead
sysTrapTimeToAscii
sysTrapTimGetSeconds
sysTrapTimGetTicks
sysTrapTimSecondsToDateTime
sysTrapTimDateTimeToSeconds
sysTrapTimSleep
sysTrapTimWake
sysTrapWinCreateWindow
sysTrapWinDeleteWindow
sysTrapWinInitializeWindow
sysTrapWinAddWindow
sysTrapWinRemoveWindow
sysTrapWinCopyRectangle
sysTrapWinDrawRectangle
sysTrapWinEraseRectangle
sysTrapWinDrawChars
sysTrapWinEraseChars
I wont even bother explaining you that you should BUY this target program
if you intend to use it for a longer period than the allowed one. Should
you want to STEAL this software instead, you don't need to crack its protection
scheme at all: you'll find it on most Warez sites, complete and already
regged, farewell.
You are deep inside fravia's page of reverse engineering, choose
your way out:
+HCU papers
homepage links search_forms +ORC students'
essays academy
database
reality
cracking how
to search javascript
wars
tools anonymity
academy cocktails antismut
CGI-scripts mail_fravia+
Is
reverse engineering legal?