Palm Os 12 Convert Serial Fishing

Date

by epokh

 

22/12/2005

UIC's Home Page

Published by Quequero

If u point the finger to the star u can't see the whole universe.

Thanx Epolpa!

Feel the vibration!

....

Home page : http://www.epokh.org
E-mail: matrix.epokh@gmail.com
IRC: #epokh.org@azzurra.net | Skype:matrix.epokh

....

Level

( )NewBies (X)Intermediate ( )Advanced ( )Master

 
 

Introduction

In this tutorial we will fish the registration serial out of the program by static analysis alone. The reader should know the basic principles of 68K assembly.

Used Tools

Just some healthy pure reversing, no debugging!
IDA 4.8
Palm OS Emulator
 
 

The program

The target program is 1-2-Convert! (12 Convert).

About 12 Convert

1-2-Convert! is a 68K application for Palm OS that performs all kinds of unit conversions.

Essay


1-2-Convert! offers a 30-day trial period, during which you may use and distribute the program freely. After expiry of the period, the program will refuse to work. The registration key has to be entered by pressing the 'Enter Key' button in the About box of 1-2-Convert!. If the trial period has already expired, you will be asked to enter the key on start of 1-2-Convert!.
This is the about form:


and this is the registration form:


So now we know what we have to find in the program.
Let's open IDA and disassemble the .prc file; be sure to tell IDA that it is a Palm OS 68K application!
The first thing we notice is that the code is not obfuscated: as we can see in the Functions window, the function names are self-explanatory.
This lack of protection will help us to search for the serial very easily (we'll talk about that later).
We are searching for the 2 forms in the pictures, so take a look at the Strings window. The binary is divided into resources (IDA shows each one as a segment), so we need some information about the structure of a .prc file:
  • code: the code resource of the program
  • data: the data resource of the program; the initialised and uninitialised globals live here.
    In our case the data resource contains the constants for the unit conversions.
  • The others are UI resources, which we summarise in this table:

    Table—Table Resource (tTBL)
    Form—Form Resource (tFRM)
    Alert dialog— Alert Resource (Talt)
    Bitmap—Form Bitmap Resource (tFBM)
    Button—Button Resource (tBTN)
    Check box—Check Box Resource (tCBX)
    Field—Field Resource (tFLD)
    Gadget (custom object) — Gadget Resource (tGDT)
    Shift indicator — Shift Indicator Resource (tGSI)
    Label—Label Resource (tLBL)
    List—List Resource (tLST)
    Popup trigger—Popup Trigger Resource (tPUT)
    Push button—Push Button Resource (tPBN)
    Repeating button—Repeating Button Resource (tREP)
    Scrollbar—Scroll Bar Resource (tSCL)
    Selector trigger—Selector Trigger Resource (tSLT)

    The resource types actually present in our application are the ones whose strings appear in the listings below (tFRM and Talt, plus the MBAR and MENU menu resources).
    We can search for the two target form in the string window.
    The about form is associated to this resource:

    tFRM0578:0000008C 0000000D C 1-2-Convert!
    tFRM0578:000000B0 00000012 C 1-2-Convert! v1.2
    tFRM0578:000000D0 0000001E C http://members.chello.at/lelo
    tFRM0578:000000FC 00000016 C 2001 Lelo Productions
    tFRM0578:00000140 00000016 C 30 days trial version
    tFRM0578:00000164 00000010 C please register
    tFRM0578:00000188 0000000A C Enter Key

    The registration form is here:
    tFRM05DC:00000068 0000000D C Registration
    tFRM05DC:000000C4 00000005 C Key:

    Taking a look at the other form resources, we can discover other interesting forms:

    The registered form:
    tFRM044C:00000080 0000000D C 1-2-Convert!
    tFRM044C:000000A4 00000012 C 1-2-Convert! v1.2
    tFRM044C:000000C4 0000001E C http://members.chello.at/lelo
    tFRM044C:000000F0 00000016 C 2001 Lelo Productions
    tFRM044C:00000134 00000013 C registered version


    We want this one to be activated!

    The trial expired form (shown after the 30 days):
    tFRM0514:0000006E 00000016 C Trial Period Expired!
    tFRM0514:00000092 0000001F C http://members.teleweb.at/lelo
    tFRM0514:000000C0 00000014 C Please register at:
    tFRM0514:000000E8 0000000A C Enter Key
    tFRM0514:00000106 00000006 C Close

    And the trial nag form, shown while the trial period is still running:


    tFRM04B0:0000006E 0000000E C Trial Version
    tFRM04B0:0000008A 0000001F C http://members.teleweb.at/lelo
    tFRM04B0:000000B8 00000014 C Please register at:
    tFRM04B0:000000E0 0000000A C Enter Key
    tFRM04B0:000000FE 00000006 C Close

    The alert shown when the key is valid:
    Talt044C:00000008 0000000A C Thank you
    Talt044C:00000012 0000001A C Registration successful.\n


    We want to see this!!

    The alerts shown when the key is incorrect:
    Talt03E8:0000000E 0000000E C Incorrect key
    Talt0708:00000008 00000006 C Error

    That is:


    The menu resources are only of 2 kind:

    The menu bar (MBAR)
    pull-down menu (MENU)

    So for example the menu of the program is this:

    MBAR03E8:0000007C 00000005 C Edit
    MBAR03E8:00000081 00000005 C Copy
    MBAR03E8:00000086 00000006 C Paste
    MBAR03E8:0000008C 00000008 C Options
    MBAR03E8:00000094 00000013 C About 1-2-Convert!
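    The following script is an added example, not part of epokh's tutorial and not code from 1-2-Convert!: it walks the .prc layout just described (78-byte header, resource map of type/id/offset entries, then the resource data) and prints the printable strings of every resource, which is exactly what IDA's Strings window showed above. The three-resource .prc it parses is constructed inline (the creator code "smpl" and the offsets are made up), so it runs offline and is not the real binary.

```python
import re
import struct

# PRC header (78 bytes): name[32], attributes, version, creation/modification/
# backup dates, modification number, appInfoID, sortInfoID, type[4], creator[4],
# uniqueIDSeed, then the record list head: nextRecordListID, numRecords.
HEADER_FMT = ">32sHH6I4s4sIIH"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 78
ENTRY_FMT = ">4sHI"                               # resource map entry: type, id, data offset
ENTRY_LEN = struct.calcsize(ENTRY_FMT)            # 10
DM_HDR_ATTR_RES_DB = 0x0001                       # dmHdrAttrResDB: database holds resources


def parse_prc(data: bytes) -> dict:
    """Parse a .prc: header fields plus [(type, id, bytes)] for every resource."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than a PRC header")
    f = struct.unpack_from(HEADER_FMT, data, 0)
    name = f[0].split(b"\0", 1)[0].decode("latin-1")
    attributes, db_type, creator, num_records = f[1], f[9], f[10], f[13]
    if not attributes & DM_HDR_ATTR_RES_DB:
        raise ValueError("not a resource database (a .pdb record database?)")
    entries = []
    for i in range(num_records):
        rtype, rid, off = struct.unpack_from(ENTRY_FMT, data, HEADER_LEN + i * ENTRY_LEN)
        if off > len(data):
            raise ValueError(f"resource {rtype!r} {rid:04X} points beyond EOF")
        entries.append((rtype.decode("latin-1"), rid, off))
    # The map carries no length field: a resource ends where the next one starts.
    starts = sorted({off for _, _, off in entries})
    resources = []
    for rtype, rid, off in entries:
        end = min((s for s in starts if s > off), default=len(data))
        resources.append((rtype, rid, data[off:end]))
    return {"name": name, "type": db_type.decode("latin-1"),
            "creator": creator.decode("latin-1"), "resources": resources}


def strings(blob: bytes, min_len: int = 4) -> list:
    """(offset, text) for each run of printable ASCII, like IDA's Strings window."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pat, blob)]


def dump_strings(prc: dict) -> list:
    """Lines in the 'tFRM05DC:000000C4 Key:' style the tutorial quotes from IDA."""
    out = []
    for rtype, rid, blob in prc["resources"]:
        for off, text in strings(blob):
            out.append(f"{rtype}{rid:04X}:{off:08X} {text}")
    return out


def build_sample_prc() -> bytes:
    """Constructed three-resource .prc for the demo (NOT the real 1-2-Convert! file)."""
    res = [
        ("code", 0x0001, bytes.fromhex("3f3c05dc" "4e75")),   # move.w #$5DC,-(sp); rts
        ("tFRM", 0x05DC, b"\0" * 8 + b"Registration\0" + b"\0" * 4 + b"Key:\0"),
        ("Talt", 0x03E8, b"\0" * 6 + b"Incorrect key\0"),
    ]
    header = struct.pack(HEADER_FMT, b"1-2-Convert!", DM_HDR_ATTR_RES_DB, 0x0100,
                         0, 0, 0, 0, 0, 0, b"appl", b"smpl", 0, 0, len(res))
    data_start = HEADER_LEN + len(res) * ENTRY_LEN + 2     # +2: pad word after the map
    entries, blobs, off = b"", b"", data_start
    for rtype, rid, blob in res:
        entries += struct.pack(ENTRY_FMT, rtype.encode("ascii"), rid, off)
        blobs += blob
        off += len(blob)
    return header + entries + b"\0\0" + blobs


if __name__ == "__main__":
    prc = parse_prc(build_sample_prc())
    print(prc["name"], prc["type"], prc["creator"])
    for line in dump_strings(prc):
        print(line)
```

    Point parse_prc() at the bytes of a real .prc and dump_strings() reproduces the tFRM/Talt listings above without IDA; since a resource's size is only implied by the next resource's offset, an entry whose offset lies past EOF is rejected rather than silently truncated.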


    After this brief overview of the GUI resources in the PRC binary format, we must talk about code execution in a typical 68K application.
    The entry point of a 68K application is the function:

    UInt32 PilotMain(UInt16 cmd, MemPtr cmdPBP, UInt16 launchFlags)

    Parameters

    cmd
    The launch code to which your application is to respond.
    cmdPBP
    A pointer to a structure containing any launch-command-specific parameters, or NULL if the launch code has none. See the description of each launch code for a description of the parameter structure that accompanies it, if any.
    launchFlags
    Flags that indicate whether your application's global variables are available, whether your application is now the active application, whether it already was the active application, and so on.

    Returns

    Return errNone if your application processed the launch code successfully, or an appropriate error code if there was a problem. When another application invokes your application using SysAppLaunch(), this value is returned to the caller.

     

    Basically every 68K application has a PilotMain of this shape, dispatching on the launch code:

    UInt32 PilotMain(UInt16 cmd, MemPtr cmdPBP, UInt16 launchFlags)
    {
        Err error = errNone;

        switch (cmd) {
        case sysAppLaunchCmdNormalLaunch:
            /* normal launch from the launcher: init, run the event loop, clean up */
            if ((error = AppStart()) == 0) {
                AppEventLoop();
                AppStop();
            }
            break;
        default:
            /* other launch codes (find, sync, ...) are ignored here */
            break;
        }

        return error;
    }

    So as we can see from the entry point of the program:



    There are the 3 functions we expected to find!
    It's important to say that StartApplication and StopApplication vary from application to application:
    usually StartApplication does the form initialisation and StopApplication closes the forms.
    The event loop instead is quite standard, and its typical control flow is the following:



    As we can see, the event loop is managed the same way in our application:



    The question now is: where is the serial we are searching for?
    The application performs the registration check in the StartApplication function: we know that for sure because when the trial days are over, the main form is not activated (remember the expired form)!
    In fact we are lucky, because in the StartApplication function we can see a clear check:



    Now examine the flow chart of this section of code:



    There are 2 key functions:

  • CheckRegistration: it checks whether the trial period has expired
  • EnterRegistration: it is the function that shows the form and checks whether the serial is valid or not

    In fact, in the EnterRegistration routine:

    code0001:00001246 move.w #$5DC,-(sp)
    code0001:0000124A systrap FrmInitForm()

    The move pushes the immediate $5DC, which is not an address but the resource ID of the registration form (tFRM05DC), as the argument of FrmInitForm, so we are in the correct function!
    The diagram is self-explanatory:


    As we can see, the program compares, through the MatchString subroutine (the red function in the diagram), the serial submitted by the user with the constant string (the green label):
    2G568F227B.


    So now we have a registered program!!!
     
                                                                                                                     ..::EPOKH::..

    Final notes


    The reader could try to patch the .prc file to test his ability; I will give some suggestions for patching the program.
    First check the cross-references around the CheckRegistration call; IDA lists three branches into loc_65AA:
    j StartApplication+110 beq loc_65AA
    Down j StartApplication+152 bcc loc_65AA
    Down j StartApplication+208 beq.s loc_65AA


    Here is the right place to modify, because we have to jump directly to loc_65EE:
    code0001:000064AC beq loc_65AA <-- oops, we have to nop here!!
    code0001:000064B0 moveq #0,d0
    code0001:000064B2 bra loc_65EE <--- wanted jump

    Note that the next instruction sits at 64B0, so the beq at 64AC is 4 bytes long (beq.w: opcode 67 00 plus a 16-bit displacement). Overwrite all 4 bytes with two nops (4E71 4E71), not one, otherwise the leftover displacement word is decoded as an instruction. With the branch gone, execution falls into moveq #0,d0 and then takes the bra to loc_65EE.
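    The following script is an added example, not part of the tutorial and not the author's patcher: it works on the raw bytes of a code resource and shows the two mechanical steps of this writeup, locating every `move.w #imm,-(sp)` whose immediate is one of the tFRM IDs from the Strings window (the $5DC push that identified EnterRegistration), and replacing the 4-byte beq.w at 64AC with two nops after checking the original opcode. The code image it scans is constructed nop filler with the quoted instructions placed at the offsets IDA reported; treating those IDA offsets as offsets from the start of the code0001 resource data is an assumption.

```python
# 68000 opcode words used below (big-endian), as in the IDA listing above.
MOVE_W_IMM_PUSH = b"\x3f\x3c"   # move.w #<imm16>,-(sp): 3F3C followed by the immediate
BEQ_W = b"\x67\x00"             # beq with 8-bit disp = 0, so a 16-bit displacement word follows
NOP = b"\x4e\x71"               # nop

# Form resource IDs taken from the Strings window listing in the tutorial.
FORM_IDS = {0x044C, 0x04B0, 0x0514, 0x0578, 0x05DC}


def find_form_pushes(code: bytes, form_ids) -> list:
    """[(offset, id)] for every move.w #imm,-(sp) whose immediate is a known form ID.

    Heuristic: every word boundary is scanned, so a data word that happens to be
    3F3C is reported too; the FrmInitForm/FrmGotoForm trap that follows in the
    disassembly is what confirms a hit."""
    hits = []
    for off in range(0, len(code) - 3, 2):           # 68k code is word aligned
        if code[off:off + 2] == MOVE_W_IMM_PUSH:
            imm = int.from_bytes(code[off + 2:off + 4], "big")
            if imm in form_ids:
                hits.append((off, imm))
    return hits


def branch_target(code: bytes, off: int) -> int:
    """Target of a Bcc/BRA with 16-bit displacement at off: (off + 2) + signed disp."""
    disp = int.from_bytes(code[off + 2:off + 4], "big", signed=True)
    return off + 2 + disp


def nop_out_beq_w(code: bytes, off: int) -> bytes:
    """Return a copy with the 4-byte beq.w at off replaced by two nops.

    A single 2-byte nop would leave the displacement word behind to be decoded
    as an instruction, so the whole instruction is overwritten; anything other
    than a beq.w at that offset is refused rather than blindly patched."""
    if off % 2 or off + 4 > len(code):
        raise ValueError(f"offset {off:#06x} misaligned or outside the code resource")
    if code[off:off + 2] != BEQ_W:
        raise ValueError(f"expected beq.w (67 00) at {off:#06x}, found {code[off:off + 2].hex()}")
    patched = bytearray(code)
    patched[off:off + 4] = NOP + NOP
    return bytes(patched)


def build_sample_code() -> bytes:
    """Constructed code0001 image (assumption: IDA offsets are resource-relative)."""
    code = bytearray(NOP * (0x6600 // 2))                                  # nop filler
    code[0x0800:0x0804] = MOVE_W_IMM_PUSH + (0x0578).to_bytes(2, "big")   # push About form ID
    code[0x1246:0x124A] = MOVE_W_IMM_PUSH + (0x05DC).to_bytes(2, "big")   # push Registration form ID
    code[0x64AC:0x64B0] = BEQ_W + (0x65AA - 0x64AE).to_bytes(2, "big")    # beq loc_65AA
    code[0x64B0:0x64B2] = b"\x70\x00"                                      # moveq #0,d0
    code[0x64B2:0x64B6] = b"\x60\x00" + (0x65EE - 0x64B4).to_bytes(2, "big")  # bra loc_65EE
    return bytes(code)


if __name__ == "__main__":
    code = build_sample_code()
    for off, fid in find_form_pushes(code, FORM_IDS):
        print(f"code0001:{off:08X} move.w #${fid:X},-(sp)   -> tFRM{fid:04X}")
    print(f"beq at 64AC targets loc_{branch_target(code, 0x64AC):X}")
    patched = nop_out_beq_w(code, 0x64AC)
    print("bytes at 64AC after the patch:", patched[0x64AC:0x64B6].hex())
```

    To patch the real file, slice the code0001 resource out of the .prc, run nop_out_beq_w() on it and write the same number of bytes back in place; the patch keeps the resource length unchanged, so no offsets in the resource map move.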

    I think I gave more tips than needed. In the folder the reader can also find the patched version of 12Convert, called 12ConvertPatch.

    P.S.
    Merry Christmas to all reversers and hackers. I hope Santa Claus brings some new scripts to all the lamers around the net.

    Disclaimer

    I would like to remind you that software should be bought, not stolen: you must register your product after the evaluation period. I do not hold myself responsible for any damage caused to your computer by improper use of this tutorial. This document was written to encourage the consumer to register their programs legally, and not to make use of the countless crack files found on the net; in fact this document helps to understand the effort every developer has had to put in to provide their customers with the best possible products.

    We reverse for informational purposes only and to improve our knowledge of the Assembly language.