It was okay being able to set a private password, which of course can be bypassed. It was okay not to offer encryption in the memo pad, not to put a password on any of your memos. They really haven't changed things, so a lot of third-party applications have come about that allow you to encrypt and set up your Palm Pilot so it's more secure. For the last three years, different groups have not changed the security of the Palm Pilots, but have kind of brought the software to a different audience of people, maybe including you guys.

And the first thing I've asked when I've given this talk before, or talked to people before, is: if you guys have your beam, your infrared beam, set to on, does everyone have it set to on by default, or is it off? Okay, let's check real quickly right now. So you go in your Palm Pilot and go into Preferences, and inside Preferences, in the General preferences, you'll find at the bottom it says your Beam Receive is either on or off. I always leave mine set to off, which kind of sounds anti-social to a lot of people because it means I don't get all the little business cards, you know, and the little programs. I've got six different memo pads, sketching programs, things like that. I recommend turning it to off, and that's kind of the first step, because that's an automatic way for people to be able to send you applications. So you're saying, oh, well, when they send me the application right now, I get to choose whether or not I want to use it. Well, if anyone's sat through any of the other talks, people know about buffer overflows and how you can send commands to the TCP/IP stack, and then maybe it fails, but it actually executes the command. We're going to go into it later. I'm going to show you guys the schematic and how it works, but the infrared channel is just a TCP/IP stack.
It's just as susceptible to buffer overflows, just as susceptible to sending information, and it's only probably a week or two weeks before someone realizes that you can reset one bit and get people to automatically accept an application over the infrared. So what I'm going to talk about today is an educational talk. That's always the disclaimer at the beginning of it. I want you guys to know that as we step through it, towards the end of the class we're going to be looking at some code from a commercial application, and I only show you this so you can kind of understand a little bit of the background about the differences between the way a Palm Pilot executes a program and works, and the way a Windows program, for example, works, or a Linux program.

With 6 million users, like I mentioned before, most people say, why would you exploit? Why would you even try to protect your Palm Pilot? Well, I know you guys out there have your phone numbers in it, and we're thinking that if people get a list of your phone numbers, that's not going to be that big of a deal. Well, maybe that won't be that big of a deal, that they can know who your friends are, know who the people are that you associate with. But what about those passwords that you might have stored in that memo pad file that's marked private, for example? Anyone can sit a Palm Pilot down if they have a HotSync cradle, and you can go get one for $19 from Good Guys, put it in their computer and HotSync, and then your information is on their computer. That's it. There's no password. There's nothing you can do. That information is completely public inside of your application and where the Palm Pilot stores its databases.

There are different input/output options for the Palm. With the 3X and above you have the infrared port. We're going to go over that. We're going to go over the HotSync port, which is really just a serial port, a DB9 port.
And also, we're going to go over some techniques that we can use to actually go and look inside and look at how your Palm Pilot protects your information. This is Palm Data Security, not Windows 2000, also, if anyone's in here for that adventure.

Why exploit and protect Palm Pilots? Exploit Palm Pilots because Palm users still have a false sense of security, and because of the device's simplicity. For the first, according to Palm, for the first 600,000 users, those are the people that were adopters of the Newton, people who actually used old devices that offered handwriting recognition, let you store your information, let you use a keyboard with it, these things. So where are the experts, maybe, among the PDA category? Now with Microsoft moving into it with Windows CE, of course, there are a lot of different competitors for it. But the Palm Pilot still outsells the CE machine by, I think the last factor is six to one. So this is the predominant platform. And because of that, you have people using it like the person I saw at Best Buy the other day, who walked in and said, oh, can I get a Palm? And the guy's like, yeah, you want to go ahead and get the 5XE? And he's thinking commission on the side. You know, he's thinking, go ahead and get the 5XE. And they go, oh, that's great. I'm going to store in there all my birthdays. I'm going to store in there all my important numbers. And I'm thinking, wow, you're taking this around with you everywhere. So you've got all your important information with you right there in your pocket. And the one time that you leave it sitting there in the restaurant, that person goes, and they know your maiden name because you have your mom's name in there. So they know all your information.

Also going to exploit it because the developers don't put time into their protection. This is a really sensitive area. The Palm Pilot community has, at last count, over 70,000 developers of applications. That's people all over the world.
It's a really simple platform to write for. It's a really transparent platform to write for. It's kind of like a whole language developed around forms. It's kind of like HTML forms in its most basic sense. And because of that, everyone develops with it. You can get free development kits. You can get Darren Messina's free alternative development kit. You can get a lot of information on 3Com's website about the software.

One particular example that I always cite is there's this company named Standalone. I don't know if anyone has SuperNames on their computer. They have a workout tracker or a casino. This company, Standalone, makes good applications. And they made three of them. And then they decided that they were going to go buy other people's applications and bring them in under the Standalone banner. Well, people really like SuperNames because it takes your address book and organizes it into tabs. And you can set up different groups. And you can set up different things. Well, the program costs $20. And as we know, just like Linux and everything else, people want free. People want free software. Because 75% of the Palm Pilot software is free and only 25% of it is commercial applications, this eventually found its way to someone who wanted to look inside of it and make SuperNames free. Well, Standalone became really upset at the whole developer community and they threatened to pull all of their applications over this issue. What they didn't tell you is their protection inside of the application was as simple as "check register key." It says that in the middle of their code: check register key. They made no reasonable effort to protect their application. They took it for granted that everyone was a simple user or that everyone didn't want that level of protection. Well, unfortunately, we store all of our names inside SuperNames. So they also have a section that's marked "check password."
And you can patch one byte of that password check, and you HotSync and you replace the version of SuperNames that's on your computer, and you can view every single private record in the program. They've made no reasonable effort to try to protect it.

The last part is we have to protect our own Palm Pilots. It's not going to seem like a big deal yet, maybe. Maybe everyone's gotten that application that turns all your Palm Pilot characters into elite characters, fills it with the E's and the threes and the fours, and that's probably the first example of someone taking advantage of the simplicity of the Palm platform. So I think it's important to understand that in addition to exploiting it, one of the main goals is to try to get people to protect their applications. Has anyone in here played or seen the Game Boy emulator Liberty for the Palm Pilot? Okay, that's an example of an application that's protected very heavily. We're going to go into that later, with respect to the author. We're going to go into that later, but I'm also going to talk about how there needs to be a balance between the protection that you use in a Palm Pilot and the simplicity we expect from the applications that we use.

Your Palm Pilot's serial port here is a lot like your computer's serial port. It's 3.3 volts, it's low power, it's DB9, standard RS-232. This presentation will be available online, by the way, but you can see a link here. This is a really great technical link on the layout of the Palm Pilot. I know it might be hard to see from the back there, but basically you have one pin that's responsible for HotSyncing, and actually that will turn on the device too. So when you make external devices like, I don't know if anyone has the Palm Pilot foldable keyboard here, or the GoType, that's what they do. They send a signal to pin four, they turn on your Palm Pilot, and it's ready to go.
Once you have it on and once you have it in a cradle, or any kind of DB9 RS-232 device, it can completely control your Palm Pilot. It can reset it, which it does by sending an on/off to pin seven, and it can also transfer information back, and there are three different methods to do it. They can do it with standard Palm Pilot HotSyncing, you can do it with a direct data stream between the Palm Pilot and the computer, or you can do it with a custom conduit, and we'll go a little bit into that.

The second option you have is an IrDA port. It uses a modified TCP/IP stack. It reacts to many common TCP/IP commands, you can set up sessions, you can set up streams of information, it uses a standard TCP/IP header, and it lets you communicate very effectively. Of course, your beam bit, unless it's set to on, is a lock on your Palm Pilot. What 3Com didn't plan for, and this is another example of how, as the platform grew, they didn't enhance the security of the Palm Pilot, is that again, it's one single byte inside of your application that's on or off that allows you to beam. So they thought that they could lock people out of beaming copyrighted information. It definitely gives a false sense of security to the developers. You can do a standard buffer overflow. If you guys want to see more details of it over at this website, you'll get to see how the operating system interacts here with the upper-layer API, and you get to go through the application and how it works with the user, and here's the driver mode. Palm Pilots use a virtual driver system, but it's tied to the serial port. So basically if you write a driver for the Palm Pilot to drive the keyboard, if you drive a modem, if you have a Minstrel, if you have something else, it actually interacts just like it's a serial port. You need to emulate the serial port inside of the driver.
Some of the techniques that we can use to protect our Palm Pilot include some operating-system-level tricks that you can use, some attacks against applications, and we're going to go over some future ideas for exploits, because I think probably, and I'm just going to venture to guess, that in the next six months you're going to see a major Palm Pilot Trojan horse, most likely one that's passed to the Palm Pilot because it's open right now. Once it hits 10 million users, and 10 million users who are walking around at the local restaurants beaming everyone their business cards, it's going to seem like a good option for someone to write this code, and understanding how the Palm Pilot works is going to help you protect yourself and others against it. This is the new Palm logo.

The operating system processes applications in a very specific manner. All developers are tied to making their applications work the exact same way. It is a main event loop inside of it. It parses every time you choose from the menu, every time you choose a button. It's all coded as strings, and it's all hard coded in the application. You also have system shortcuts, which can redirect your beam and can set up debug modes, and there are some notorious hacks into it that let you see and dump the registers live while you're using it. There's one key one, actually. We're going to go over a method to redirect your infrared out through your serial port. So basically you can learn about how that application sends itself over the modified TCP/IP stack. You can dump it to a file, you can look at the entire session, and you can see how the infrared port works. Palm Pilot has limited, I'm sorry, 3Com, or Palm now, has limited developer information on the infrared port because they actually used an implementation from a third-party company.
And this third-party company, they've been around for, I'd say, eight years, and this stack technology they use in the infrared port is probably about four to five years old, so it predates the 3X pretty significantly. And we're also going to get into, in this section, some of the applications that let you view your databases, let you view the status of your databases, and let you look inside the registers and memory of your Palm. Should I yell real loud to wake people up?

All right, Palm Pilots: how the operating system processes your application. All Palm apps save their state. They actually have what 3Com calls a static state, which means that at every point the application progresses, it has a pointer in memory to pick up exactly where it is. It also doesn't run background processes, so you don't really have a multitasking operating system, which means that your Palm Pilot's very stable, actually, since it's not trying to do a lot of stuff with the DragonBall processor. HackMaster is an exception. Does anyone have HackMaster hacks on their Palm, like the ones that you add and those kinds of things? The way they get around it is, we're going to go into it a little bit, but every Palm Pilot application works through something called system traps. And each system trap can be mapped just like the Windows API. You can actually hook into every single one of them. So that's what the HackMaster hacks do: they hook into each of those system traps. When we talk about best practices, we're going to talk about why leaving your HackMaster extensions in is probably not the best idea, because 3Com never really intended for anyone to patch their own system traps. It's just that the need arose, especially for modifying the little pen keyboard that you have and doing spell check and those types of things. It's actually really, really dangerous on a Palm Pilot, because HackMaster runs inside your ROM and can run inside your RAM and kernel space, actually.
As opposed to other operating systems that take the API and run it on top of the kernel, not like Windows, but more like Windows 2000. Technically, one app is running at a time in the Palm Pilot. The memory's initialized at start, and it stays allocated until your soft reset. That means that if you've used your Palm Pilot for three weeks now, and you keep switching back and forth between applications, and you wrote this, and you've deleted this, and you've set this up, if three weeks later you use an application like Insider to look inside the memory inside your Palm Pilot, all your information, your state, is still in there. That's something that you don't have in the Windows environment, because basically when you shut down and restart, everything's gone and starts again. Or if you're forced to shut down and restart.

Palm Pilot supports hidden windows, which can exchange information with on-screen ones. Not a lot of developers know this, but there are a few developers out there who've used this, which is a great way to protect your information. Because actually, everything we see is a form on-screen, and you can create off-screen alerts and forms, the pop-ups and the static pieces of input that you see on your screen. You can actually use, for example, your registration. When you register your Palm Pilot application, we'll use Standalone as an example. In the latest version of their protection, they got somewhat wise to the fact that they had documented in their source code their entire protection scheme. Now they use a method where they write some of the information to an off-screen window that you can't see when you do your registration. It actually contains the hash for, if you use a special command, you can see the HotSync ID turned into hex, which is what they use to generate your unique code.

There are several shortcuts. Everyone knows the shortcut stroke looks like an L, a lowercase L, plus dot, and then these commands.
These commands were used by 3Com support to let you actually debug programs and things that are going on inside your Palm Pilot, or your Palm.

If you use dot i, it starts your beam receive. That's automatic. It doesn't matter whether your beam receive is on. It doesn't matter whether it's off. It just starts it. And basically it sends a flow of any information you want out through your Palm Pilot.

If you use dot s with the shortcut stroke, you get to redirect your beaming to a serial port. This is actually a really interesting use, I think, of the Palm. You stick it in your HotSync cradle. You use dot s to redirect your beaming to your serial port, and you can view what applications are beaming in and out. For example, I don't know, they would play IR chess here, or any of the great IR games that you have, Battleship, stuff like that. One experiment that I did was to set my beam to my serial port and then read the information that it was sending back via IR. And actually, to show you an example of a little bit of, I would say, laziness maybe with the Palm Pilot developers: every single time that you send something via IR, it resyncs and sends all your registration information to the other person. Basically it's shared and encrypted back and forth between the programs. It's a nice program, though.

Dot t is an IR loopback. This was used so that you can actually record the information that's being shot out of your IR port back inside your Palm Pilot.

Dot 1 is a debug mode. It lets you go in and view the registers of your Palm Pilot. It's not very robust. It was mostly intended to find out what the last error message was, by 3Com support.

Dot 2 is open the serial port in debug mode. And this is really, really interesting and really useful. There's no documentation on this one. The reason is, when the first Palm Pilot was released, 3Com told everyone, this is for HotSyncing. That's all this does. And then we realized there are all these great peripherals that you can add on to it.
You can put your Modemite on it, you can put your GSM on it. You can put the new GoVox voice recorder on it. So they didn't actually document it as well as they should have. So what happened was, Landware, the company that makes the GoType keyboard, decided to use this shortcut and read the information from the serial port and watch the communication on it, because they had the hardware specs. They didn't have the software communication specs. So I don't think 3Com intended for someone that was a commercial developer to actually hack their own Palm Pilot, but it happened.

Dot 3 is to disable the auto-off. I actually really like that one, because it really makes me angry when I'm taking notes and all of a sudden the thing turns off. Yeah, it turns on automatically, but then I gotta get the shortcut out and get my stylus out.

You also have dot 4. Dot 4 flashes your username and unique number inside your Palm Pilot. This one's a little dangerous. This one actually gets rid of your Palm Pilot's username, which is a randomly assigned name, and also some random numbers in there. Basically, when you do that, your Palm Pilot can't identify itself and you're going to have to do a hard reset.

Dot 5 removes your user configuration, your HotSync. The Palm Pilot registry is called savepreferences.pdb. It's a database. It's not encrypted. It doesn't have any special information in it, except that it contains most of your shareware usernames and passwords. It's bad to reset your user configuration and your HotSync ID. Basically, when you use this trick and you re-sync your Palm, everything comes out in duplicate because it doesn't know what your record is. This is another example of 3Com. Actually, I think they were hedging their bets. They wanted to make the HotSync application quick and easy to use. When in truth, what they ended up doing with it is making it very poor and unrobust.
So there's a program called Backup Buddy that lets you back up all your databases and everything. That kind of takes advantage of the fact that the Palm Pilot HotSync is a little bit simplistic.

Dot 6 displays your ROM date. Very, very cool. Go into Best Buy sometime and run a few dot 6 shortcuts on the things. You'll find out how old their inventory is.

Dot 7 lets you toggle your battery meter. Even though 3Com said that they weren't going to allow you to use actual rechargeable batteries with the Palm Pilot, a lot of us do. I used to. One thing that you should do if you do is use the dot 7 shortcut, because it will change your battery meter to reflect the fact that you have rechargeables. And it will more accurately reflect the state of your battery.

Every Palm Pilot program is a .PRC file. So you see those things running around. Every application uses a Palm resource file to run itself. It's a collection of forms, which, for example, the form in your date book is the listing of the lines in your current appointment information. It uses alerts, which is when it pops up and says you have to register this shareware application. It uses strings, which you can actually hard code inside the application. A lot of developers, those who are using an assembly language, at about 80%, place a lot of strings within their application, such as "check register key."

The Palm Pilot uses a DragonBall processor. It's a Motorola M68K processor. It's the same one that was in your Commodore 64, just modified for power consumption. Loft offers a DragonBallz app to view your M68K registers. That's what it's called. It's a very clever name, with a Z. And it actually lets you look inside of all the registers inside your Palm Pilot while it's running. It's actually really useful, because an application like Afterburner, which is a Palm accelerator and overclocking application,
the developer of it used this to actually go inside and look at why the application was crashing so often, and I find it much more stable. What you can use it for is to see exactly what's going on in that slow program. I don't know if anyone uses Daybook 4, but I assume almost everyone uses the Daybook alternative. That application is so slow and so sloth-like because of its programming that you can actually go in and see what it's doing. Basically every two lines of code, it's making a direct memory call.

There's a program by Sylvain Boulue, I think, called Insider. This program actually lets you view your memory locations inside your Palm Pilot. It lets you disassemble inside your Palm Pilot. It lets you copy sections of memory from your Palm Pilot, both live and in storage. This is a really amazing application. It's free unless you get the pro version. To get the pro version costs you about, I think it's about $59. I don't have the pro version. I use the regular version.

There's also a program called Palm Disassembler. You can get these programs from PalmGear, of course. It actually lets you disassemble your Palm Pilot applications in memory. I think probably the best way that you can learn programming, if anyone wants to be a Palm Pilot developer, because it's a great community of people developing applications, is to actually use the Palm Disassembler to look inside. The only weakness of it is it doesn't let you view the system traps, which are something else that you have to contend with when you're programming for the Palm Pilot.

The next section's on application attacks. By attack, I don't mean a guy beating up the application, taking advantage of it, you know, blue hair running around. What I mean is actually looking at the way the Palm Pilot runs and the way a program runs. This is the Palm Disassembler program that I talked about before. This is live on your Palm Pilot. You can actually see the code that each application is running in here.
Your user interface is a physical layer. It's what you see in front of your Palm screen. When you turn it on, every app is made of forms, which is your input section; alerts, which is your pop-up section; and strings, which is your text section. When the resources are extracted, you get these little binary files, and they're actually in plain text. So you can actually view the resources that each Palm Pilot application uses. If you have TF or if you have F, you've extracted a form. If you have A, you've extracted an alert. If you have STR, you've extracted a string. The rest are all code segments. Most Palm Pilot programs and most Palm Pilot developers use two code segments. They use the application initialization segment, and then they'll run all of their main events in their main program. You also have stylus actions. So in addition to all the resources that we see, you also have your stylus actions, your button actions, and your keyboard input. That's actually the digital keyboard, not actually the GoType there, that I'm referring to. So all those methods together let you interact with the forms, and that's what it is. It isn't an application that's running all the time and using up memory and using resources. That's why I like the Palm Pilot, because it's basic and straightforward and lets you do what you want to do.

The M68K processor is Motorola's processor. You have two versions. You have the DragonBall and you have the DragonBall EZ, which is in the Palm 3X and the Palm 5X and 5XE. It's pretty simple, but we'll go over it. Basically everything in the application works linearly. It goes from beginning to end. It has a few subroutines that it uses. Most programs run in a straight-line fashion. So the way they get around "did you do it right or did you do it wrong" is with simple instructions that you might, if you've done any assembly language programming, recognize.
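The resource extraction the speaker describes (what tools like PRC2BIN do) follows directly from the PRC container format: a 78-byte big-endian header, then a table of (type, id, offset) entries, then the resource bodies back to back. The following is an added example, not code from the talk or from any of the tools it mentions; it builds a small constructed PRC in memory, parses it back, sorts the resources into the form / alert / string / code buckets the talk lists, and pulls the plain-text strings out, which is exactly how a string like "check register key" becomes visible to anyone with a hex editor. The sample resource contents are invented for the demonstration; the header layout and the tFRM / Talt / tSTR / code type tags are the standard Palm OS ones.

```python
"""Minimal PRC (Palm resource database) builder and parser.

Added example for the talk above, not code from the talk itself.
The sample application assembled in demo() is constructed data.
"""
import struct
from typing import Dict, List, NamedTuple

# 78-byte database header, big-endian (the DragonBall is a big-endian 68K).
PRC_HEADER = ">32sHHIIIIII4s4sIIH"
HEADER_SIZE = struct.calcsize(PRC_HEADER)          # 78
RES_ENTRY = ">4sHI"                                 # type, id, offset
ENTRY_SIZE = struct.calcsize(RES_ENTRY)             # 10
DM_HDR_ATTR_RES_DB = 0x0001                         # "this is a resource DB (PRC)"

# Standard Palm OS resource type tags and the buckets the talk describes.
RESOURCE_KINDS = {b"tFRM": "form", b"Talt": "alert", b"tSTR": "string", b"code": "code"}


class Resource(NamedTuple):
    type: bytes
    id: int
    data: bytes


def build_prc(name: str, db_type: bytes, creator: bytes, resources: List[Resource]) -> bytes:
    """Serialise resources into a PRC image (header, entry table, 2-byte gap, bodies)."""
    data_start = HEADER_SIZE + ENTRY_SIZE * len(resources) + 2
    entries, bodies, offset = b"", b"", data_start
    for res in resources:
        entries += struct.pack(RES_ENTRY, res.type, res.id, offset)
        bodies += res.data
        offset += len(res.data)
    header = struct.pack(
        PRC_HEADER,
        name.encode("latin-1")[:31].ljust(32, b"\0"),  # NUL-terminated name
        DM_HDR_ATTR_RES_DB, 1,                          # attributes, version
        0, 0, 0, 0,                                     # create/mod/backup dates, mod number
        0, 0,                                           # appInfo / sortInfo (unused here)
        db_type, creator, 0, 0, len(resources))
    return header + entries + b"\0\0" + bodies


def parse_prc(blob: bytes) -> Dict:
    """Parse a PRC image into its name, type, creator and resource list."""
    fields = struct.unpack(PRC_HEADER, blob[:HEADER_SIZE])
    name, attributes = fields[0].split(b"\0", 1)[0].decode("latin-1"), fields[1]
    if not attributes & DM_HDR_ATTR_RES_DB:
        raise ValueError("not a resource database (a record .pdb, not a .prc)")
    db_type, creator, num = fields[9], fields[10], fields[13]
    table = [struct.unpack_from(RES_ENTRY, blob, HEADER_SIZE + i * ENTRY_SIZE) for i in range(num)]
    resources = []
    for i, (rtype, rid, offset) in enumerate(table):
        end = table[i + 1][2] if i + 1 < num else len(blob)  # body runs to the next entry
        resources.append(Resource(rtype, rid, blob[offset:end]))
    return {"name": name, "type": db_type, "creator": creator, "resources": resources}


def classify(res_type: bytes) -> str:
    """Bucket a resource the way the talk does; anything unknown is 'other'."""
    return RESOURCE_KINDS.get(res_type, "other")


def strings_in(prc: Dict) -> List[str]:
    """All tSTR bodies, decoded: the hard-coded strings a disassembler shows in the clear."""
    return [r.data.split(b"\0", 1)[0].decode("latin-1")
            for r in prc["resources"] if r.type == b"tSTR"]


def demo() -> Dict:
    # Constructed sample app: one code segment, a form, an alert and a string.
    sample = build_prc("ExampleApp", b"appl", b"EXMP", [
        Resource(b"code", 1, bytes.fromhex("4E560000 4E5E 4E75")),   # link/unlk/rts stub
        Resource(b"tFRM", 1000, b"\x00" * 16),
        Resource(b"Talt", 1001, b"Please register\0"),
        Resource(b"tSTR", 1002, b"Check register key\0"),
    ])
    return parse_prc(sample)


if __name__ == "__main__":
    app = demo()
    print(app["name"], app["type"], app["creator"])
    for r in app["resources"]:
        print(f"{r.type.decode()} {r.id:5d} {classify(r.type):7s} {len(r.data):4d} bytes")
    print("strings:", strings_in(app))
```

Point a real .prc at `parse_prc` (after `open(path, "rb").read()`) and the same loop lists every form, alert and string the application carries; the check the speaker refers to is the `DM_HDR_ATTR_RES_DB` bit, which is what separates a .prc from a record database such as the preferences .pdb.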
These are the Palm Pilot opcodes, the equivalents of: branch always, which is opcode 60; BNE, branch if not equal, which is opcode 66; branch if equal, which is 67; branch if greater than; and branch if less than.

And then DeBuffer. 3Com released a Palm Debugger, and then they made it so that CodeWarrior, one of the major development platforms for the Palm Pilot, could then continue the development of the Debugger, and they kind of left it in a state where it only has information up to version 3.0 and 3.1 of the operating system. So someone developed, and named it after his dog, this program called DeBuffer, which is a full-featured debugging application for your Palm Pilot. This application uses a system trap, 4E48, that was reserved as unused by 3Com, to actually control the execution of the program. That'll come into play a little bit later when we're talking about Liberty and how they protect their application.

A few other opcodes: instead of SEQ, set if equal, you set it to 50, which automatically sets it to any number you want. You also have NOP, which is 4E71, which is no-op, which is a no instruction. You also have RTS, which is return. Every Palm Pilot subroutine has to follow the exact same specification. It starts with the link, it starts with reading the memory in, processes it, and it has to return it in one register, D0. Just like when you're using 16-bit Windows applications, actually. Clear is, I'm sorry, yes, clear equals 42, which lets you reset memory locations. And move number one or move number zero is MOVEQ #0, MOVEQ #1: 70 00 and 70 01. It's a two-byte operation code.

All your Palm Pilot applications work with system traps. This is the API; it's transparent to the application. It doesn't know, of course, whether it's calling a patched section of it, whether it's calling a hacked section of it, or what you're doing. This is how you can extend the usefulness of your Palm Pilot.
System trap DlkGetSyncInfo. That's what it's called. Anyone could run this; there are no restrictions on it. Anyone can view all of your HotSync information. That's how an application that's shareware will often get your HotSync ID. There are two other methods to do it. They require memory locks, and they require you to lock the memory, or they require you to read the default database in your Palm Pilot. Thus far, no developer has begun to use that, although that would be a better protection method for your application.

System trap StrCompare. That's pretty straightforward. Compare two strings together in your Palm Pilot, return the result: are they equal or are they not equal? It usually will end a key routine from an actual shareware developer. The shareware community, like I mentioned, is really robust. There are 70,000 shareware developers. And companies like Standalone, Landware, Iambic Software that creates Action Names and also creates the AllMoney application. They actually, to give you an example, let's use DateBook. DateBook is, I think the latest version is like 380k, and your Palm Pilot has in it, if you have the 5, if you have the V rather, because it's really cool looking, you have two megs of memory in it, of RAM. So that takes up one quarter of your memory. That's because they've left in there their old string compares and old data and old code inside of your application, because it's too much of a pain to rewrite for Palm Pilot sometimes. Apparently, for about, probably 20% of the applications out there, they'd run much faster if they went in and dug out that old code.

You also have, which is the closest a Palm Pilot has to an encrypted string, Crc16CalcBlock. It calculates a 16-bit CRC of information in memory. This is smarter for a developer to use, if you want to use it. This is a one-to-one comparison.
Most people don't know that Crc16Calc returns the result not only of the 16-bit CRC, but also the result of the comparison of the two pieces of information, which is a really important distinction between itself and string compare, and it's a different way to check your applications if you're a developer.

Since the Palm Pilot came out, there have been free tools that let you assemble and disassemble code for your Palm Pilot. One of the most popular is Pilot Disassembler. It's very quick and thorough. It has some switches, and it runs in DOS, and I'm going to show you an example of it in a little bit. It's very, very fast. It's very functional. It lets you look at what's going on inside of a Palm Pilot application. You also have PRC2BIN, which takes all Palm Pilot resources, dumps them into the binary files, and lets you look at the forms and the elements of your application. And then you have my favorite program, UltraEdit, which is this fantastic editor that lets you view things in hex or in plain-text mode. That's at ultraedit.com. I get nothing, I wear, you know, their name on my shirt, whatever. They don't give me anything.

This is the most amazing thing that was written for the Palm Pilot world that wasn't written by 3Com. The Palm OS Emulator lets you emulate your Palm Pilot on your PC. Some people may know about this, some people don't. This is a great way, actually, to test programs to see if it's going to crash your current configuration. What you do is you run the emulator and you seed it with a ROM for your different operating systems. You get this off 3Com's development site, which is palmos.com/dev. It lets you use your Palm 3 ROM, your Palm 3X, the different versions of your operating system, basically, and test how the application's going to run on it.
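The two pieces of the picture the speaker draws, the conditional branch that ends a StrCompare-style key check (branch opcodes 60/66/67, MOVEQ 70xx, NOP 4E71, result returned in D0) and the Crc16CalcBlock integrity check that is "the closest a Palm Pilot has to an encrypted string", fit together in one small experiment. The following is an added example, not code from the talk or from any Palm tool; it decodes the 68K short-branch opcodes, runs a constructed six-instruction registration routine in a tiny interpreter that models only those opcodes, applies the one-byte patch the talk describes (BEQ 67 to BRA 60, so the "registered" path is always taken), and shows that a CRC-16 over the routine changes when the byte does. The routine bytes are constructed for the demonstration, and the CRC is the CCITT polynomial 0x1021 with a caller-supplied seed, which is assumed here to be what Crc16CalcBlock computes; the caveat is that the attacker can patch the CRC check itself just as easily, which is why the talk puts the burden on the developer's design rather than on any one check.

```python
"""68K short-branch decoder, one-byte check patch, and CRC-16 detection.

Added example for the talk above, not code from the talk or a Palm tool.
The registration routine is constructed; the CRC-16 parameters (poly
0x1021, MSB-first, caller seed, no final XOR) are assumed to match
Crc16CalcBlock and are not taken from the talk.
"""
from typing import Dict, List, Tuple

# Bcc condition codes: high nibble 6, next nibble = condition, low byte = disp8.
BCC = ["BRA", "BSR", "BHI", "BLS", "BCC", "BCS", "BNE", "BEQ",
       "BVC", "BVS", "BPL", "BMI", "BGE", "BLT", "BGT", "BLE"]

# Constructed key-check routine.  D0 on entry = StrCompare result (0 == equal).
#   0000  4A40  TST.W  D0
#   0002  6704  BEQ.S  +4 -> 0008      ; key matched -> registered path
#   0004  7000  MOVEQ  #0,D0           ; not registered
#   0006  4E75  RTS
#   0008  7001  MOVEQ  #1,D0           ; registered
#   000A  4E75  RTS
CHECK_ROUTINE = bytes.fromhex("4A40 6704 7000 4E75 7001 4E75")


def decode_bcc(word: int) -> Tuple[str, int]:
    """Decode a short-form Bcc word into (mnemonic, signed 8-bit displacement)."""
    if word & 0xF000 != 0x6000:
        raise ValueError(f"{word:04X} is not a Bcc opcode")
    disp = word & 0xFF
    if disp in (0x00, 0xFF):
        raise ValueError("word/long displacement forms are not modelled")
    return BCC[(word >> 8) & 0xF], disp - 0x100 if disp & 0x80 else disp


def disassemble(code: bytes) -> List[str]:
    """Listing of the few opcodes this example models (TST.W D0, Bcc.S, MOVEQ, NOP, RTS)."""
    out = []
    for pc in range(0, len(code), 2):
        op = int.from_bytes(code[pc:pc + 2], "big")
        if op == 0x4A40:
            text = "TST.W D0"
        elif op & 0xF000 == 0x6000:
            mnem, disp = decode_bcc(op)
            text = f"{mnem}.S ${pc + 2 + disp:04X}"
        elif op & 0xFF00 == 0x7000:
            text = f"MOVEQ #{op & 0xFF},D0"
        elif op == 0x4E71:
            text = "NOP"
        elif op == 0x4E75:
            text = "RTS"
        else:
            text = f"DC.W ${op:04X}"
        out.append(f"{pc:04X}  {op:04X}  {text}")
    return out


def run_check(code: bytes, d0: int) -> int:
    """Interpret the routine until RTS; returns D0 (1 = registered, 0 = not)."""
    pc, zero = 0, False
    while pc < len(code):
        op = int.from_bytes(code[pc:pc + 2], "big")
        pc += 2
        if op == 0x4A40:                       # TST.W D0 sets Z from the low word
            zero = (d0 & 0xFFFF) == 0
        elif op & 0xF000 == 0x6000:            # Bcc.S, only the conditions used here
            mnem, disp = decode_bcc(op)
            if mnem == "BRA" or (mnem == "BEQ" and zero) or (mnem == "BNE" and not zero):
                pc += disp
        elif op & 0xFF00 == 0x7000:            # MOVEQ #imm8,D0 (sign-extended)
            imm = op & 0xFF
            d0 = imm - 0x100 if imm & 0x80 else imm
        elif op == 0x4E71:                     # NOP
            pass
        elif op == 0x4E75:                     # RTS: result is in D0
            return d0
        else:
            raise ValueError(f"unmodelled opcode {op:04X} at {pc - 2:04X}")
    raise ValueError("ran off the end of the routine")


def patch_byte(code: bytes, offset: int, value: int) -> bytes:
    """The one-byte patch from the talk: return a copy with code[offset] replaced."""
    return code[:offset] + bytes([value]) + code[offset + 1:]


def crc16_ccitt(data: bytes, seed: int = 0) -> int:
    """CRC-16, polynomial 0x1021, MSB-first, no final XOR (assumed Crc16CalcBlock form)."""
    crc = seed
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def demo() -> Dict[str, int]:
    patched = patch_byte(CHECK_ROUTINE, 2, 0x60)   # 67 (BEQ) -> 60 (BRA) at offset 2
    return {
        "good_key_original": run_check(CHECK_ROUTINE, 0),
        "bad_key_original": run_check(CHECK_ROUTINE, 7),
        "bad_key_patched": run_check(patched, 7),
        "crc_original": crc16_ccitt(CHECK_ROUTINE),
        "crc_patched": crc16_ccitt(patched),
    }


if __name__ == "__main__":
    print("\n".join(disassemble(CHECK_ROUTINE)))
    print(demo())
```

The interesting line in the output is the pair of CRCs: a developer who stores the CRC of the check routine and compares it at start-up catches this patch, but only until the attacker finds the comparison and patches that branch too, which is the cat-and-mouse the talk goes on to describe with Liberty.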
You can set your HotSync ID in it, which I think is actually really neat to see if your program's gonna crash because it has some kind of obscure characters, capitals, numbers, letters, in your HotSync ID. It comes with a ROM extract utility, or you can find ROMs on the internet. And it lets you research and test your applications. So in the example of Liberty, you're supposed to run all your games on this before your entire Palm Pilot crashes. We're gonna go into a simple protection, an application called Launch'Em. Launch'Em is demoware. It lets you demo your applications for 15 days. It's a special screen. It changes basically your view of your operating system. It's got nice tabs and you organize your applications. You've got a trash can. You've got all these great different resources. It's one of the most expensive; it's by a company called Synergy Solutions, and they actually charge a lot for their shareware. I don't know how you guys feel, but when you buy your Palm Pilot and you get it online, it's like 150 bucks for your Palm Pilot now. It's respectable that the development time they've put into making an application like this, other than the fact that this is based on a freeware application, this particular program, actually goes into creating new versions of the program. And I think it's important to always keep in mind that if you're going to develop a Palm Pilot application, that you should make sure to make it reasonable for the community of users out there who rely on it every day. So we're gonna go over how this application protects itself. Why don't you guys go ahead and, if you're taking notes, take down the right section of the screen and the discovery section of the screen, because I'm gonna be switching back and forth inside of my computer. The first part of understanding the protection of Palm Pilot programs is to understand the intent of the developer.
If you are a developer, I think demoware is a good idea, but the only true protection that you're gonna have for your program and all the time and effort you put into writing your program is to actually make it feature limited and not include the features in the program, because the truth is that a simple alert that anyone can see that says demo is something that people can take advantage of. And when you put all that time and effort into programming an application, and it's protected in a simplistic way, you're not gonna see the benefits of all your work. Okay, the first step is, we'll start up the Palm OS Emulator here. The Palm OS Emulator looks like this. You start it up, it asks you if you wanna stick it on your start menu, which is fancy and nice. You get to create a new session in it. You choose the device you want to emulate. In this case, we'll do the Palm III, because it doesn't make you go through your Graffiti sync when you start it. We're gonna choose a generic skin for it, and we're gonna choose to use two megs of memory for it. You choose a ROM file, one that you've extracted off of your Palm Pilot. And you start up the emulator. That looks familiar. It looks exactly like your Palm Pilot. It acts exactly like your Palm Pilot. And if you notice, the beam is just set to off by default. Okay, we're gonna load in the application. The way you load an application is you right click on the interface. You install an application database. And we're gonna go ahead and install a version of Launch'Em by Synergy Solutions. All right, the application is loaded much quicker than HotSyncing. You use this interface just like you use your Palm Pilot. Your arrow is your stylus, and you can interact with it directly. So you can see Launch'Em's over here. Launch'Em is an editor. When you start Launch'Em, it says, welcome to your Launch'Em demo. If you like Launch'Em, you can purchase it at Synergy Solutions' website, synsolutions.com.
Unfortunately, one thing that I didn't realize is, because this is a demo, you actually have to delete the application, which deletes your preferences for it, when you buy it and then reinstall it. It's actually a very frustrating solution for a lot of people. You can set it to be your default launcher. So that's it. During the discovery phase of understanding how the application protects itself, we found out that a nag flashes welcome to demo at startup. The About says demo. So you can see that by going to the About of the application. It's just like you're running it on your Palm Pilot. It says demo across the top right there. And that's what we figured out it uses to protect itself. Now, this is actually a very basic protection. I really want everyone to understand before I begin this part that this is a really good application and it's worth buying even though it's a little bit expensive. However, I think it should be protected much more strongly because it's a very good application. So after you've looked at that, you go inside of the method of it. And the method we're gonna use is to disassemble it. We're gonna use the Palm Pilot disassembly program. It's a DOS application. So we run DOS and hope that the computer doesn't crash. You'll see the directory of information here. I've got the tools DIS, which is Pilot Disassembler, and PRC2BIN, and I've got HiNote, Launch'Em and my walkthroughs for this. You run DIS and you run question mark. Oh, there we go. Actually you run it without the question mark and you can look at all the command line options for it. It has help. It lets you set the offset you disassemble by and it lets you set the instructions you use. You can use a custom traps file to view the system traps, but mostly it just works by doing DIS and the application's name. And because they're very tiny programs on the Palm Pilot, it actually works rather quickly. Yeah, see, it's working really quickly. It's the quality of Windows right here.
There you go. All right. Treating all that sophisticated code. Well, that's working. We'll go back to this side of things. Oh, there we go. It's done. Okay, so we're left with the disassembled code in this directory that we can look at. That's the source file right here. Now we're going to go into the method that you would use to view this application's code. The first thing is you have to take a Palm Pilot application and divide it into its resources. So you go ahead and go back to your MS-DOS prompt and use PRC2BIN, which lets you separate out the resources that you see in your Palm Pilot, and you use Launch'Em. And it just extracts an entire text file of all the resources inside your Palm. So now you can see we have here alerts in this section. We have bitmaps in this section and then we also have forms and strings that make up the application. So what you would normally do in this application is you'd search it for the form that's your About. The About nag is number 270. Everything in the Palm Pilot is very specific, very documented, very viewable and very public, which makes it an easy platform to learn to program on. So we'll look at alert number 270 here, which is this one at the top. We'll use UltraEdit, highly recommended. And we'll see that this is exactly what we saw on our screen. Launch'Em demo, welcome to the demo of Launch'Em. If you like Launch'Em, you can purchase it at Synergy Solutions. That's the way the Palm Pilot works. Everything's embedded in the PRC file and everything can be extracted. In the interest of time, you search the application for that. In the application, you can actually see that it occurs at address 376A. You can actually see that it shows the form and it uses InitForm to display the About. It actually displays the alert in the same manner. And you can skip the nag, and you could modify one byte to do that. This is a good commercial application, like I emphasized. That's very simple protection for your Palm Pilot.
There's an intermediate protection for your Palm Pilot. I'll also point this out as an example. HiNote uses a great protection scheme. It doesn't slow down your Palm Pilot. It doesn't slow down the application. It uses a three-section key, and it not only checks it during the registration, it also checks it midway through using the program and forbids you from using it if there's not the letter H at this one particular place inside your code. That to me is a good example of the balance between the sophistication of the protection and the simplicity of the protection and the fact that we like our programs to run quickly. It's by a company called Cyclos. It's a great application. It's an alternative to BrainForest. It lets you put text and pictures into the same outlines that you do. It has a nag. It asks you to register. If you register bad, it tells you invalid entry. It has the invalid entry alert inside of it. It also has a form that you see at startup and it also has a registration form. Like I mentioned, this is a very smart protection. You take your key in, and about eight lines later, it says, oh, Crc16CalcBlock. Let's see if the two codes match. It says yes. It's only actually checking the first segment of your code until later, when you try to run the program and it actually checks the second segment. It won't let you create any new items if your code's not proper. So basically, in terms of preventing people from cracking the application and matching the security and the functionality of shareware with it, this actually is a good protection, because people think they've patched it. Suddenly the thing doesn't work. They think it's ruined. It's quite effective to obfuscate, actually, your code and the intent of it. I wanna go over protection ideas. There's a trade-off between complexity and speed, which I've been talking about. Palm Pilot programs need good protection.
They don't need protection like Liberty has, which actually prevents you from running the program at its peak need. To give you an example of the way Liberty, the Palm Pilot Gameboy emulator, is protected, it uses seven code segments. It uses four encrypted segments. It encrypts it against its own key database. And then, just to prevent you from doing what we've just done up here on screen and disassembling it, it actually uses an illegal instruction by 3Com, a two-byte instruction, to prevent you from disassembling it. But it uses it 1,100 times inside of its code. So you can imagine the heft that it's added to the application and to the actual function of it. Future exploits for the Palm Pilot, things to watch out for. This is very, this is nice. This is from the 3Com website. I thought it was good because it's like we've all graduated. People will exploit conduits. Anyone can write a conduit. A conduit sits in your HotSync and it coordinates data from your Palm Pilot to any executable, anything. You can write any executable. If you use Pocket Quicken or if you use UltraSoft Money, that's what it does. It puts a custom conduit in there; when you HotSync your Palm Pilot, it transfers that information to its executable and it writes it to a database. In the case of UltraSoft Money, it writes it to your Microsoft Money database. A conduit is an executable that translates or alters Palm databases during HotSync. It can, when you install a conduit, it doesn't ask you. Conduits are DLL files; they're hooked into your HotSync. It adds the DLL to your Palm directory and makes a registry entry and uses what's called the Notifier DLL for conflict resolution. This is required by 3Com. This is where it actually is really weak, in that anyone can reset the Notifier DLL part of a conduit to make it do anything that it wants.
You can take that information, you could dump it out to CSPIP, you could put an email in someone's directory that sends all of your Palm Pilot information to someone. It can interact at the system level of Windows. So you can make it execute a Visual Basic script every time you start up your Internet Explorer window. It's dangerous. There's absolutely zero way to protect against it other than being diligent. We'll talk about that real quick. Write contents to a network location for monitoring. The second idea is Trojans. Your Palm Pilot, we all love the applications, they're all free. Palm users will load almost anything if it's free on their Palm Pilots. Little dancing bugs and taxi cabs and everything else you can imagine. If you've got HackMaster on your machine, every time you reset your Palm Pilot, it reloads all your hacks. And everything hooks in at the system level. So basically, if you HotSync and you tell the Palm Pilot that it needs to reset after HotSync and then you reset it, whatever you've just put in is loaded in your Palm and working at the system level. You can alter the built-in database types, which is published in the SDK. And you could put custom keys in there to track information that people don't see, because the PDB files are only viewable by the exact routine inside the PRC file. So you could store anything you want in there. That's a great idea, if you guys want to really protect your information, is to write raw data to a PDB database. And you could store your data in someone else's Palm. Every database is linked by a creator ID. Every time you synchronize, every piece of information is shared with the HotSync application. So you can grab a creator ID off another application, put it on your custom database, write anything you want to that database. When you synchronize next time, it will be available to you on the computer. These are how you protect yourself. Turn your beam off. It's not gonna happen now.
It may not happen next month, but it will happen soon. That's how we'll take advantage of that. And you can imagine walking around DEF CON and walking around, all of a sudden every Palm Pilot is being reset. Some guy's kind of hiding his face in the corner. Monitor your HotSync log. All you have to do to monitor your HotSync log is go to, I won't be able to get it up with the presentation, is to right click on your HotSync and say view log. Make sure that nothing's being installed in your directory. You could test your applications by using it on the Palm emulator. Anyone can get that. Go to the 3Com site, search for POSE. Now you should check your HotSync properties for custom, for rogue conduits. Conduits, again, can pass any information anywhere. They pass to a Windows executable. In the future, you're going to see Palm viruses, which will actually be Trojans and which will be taking information and transporting it around using conduits and using the HotSync vulnerabilities. Symantec has a Palm virus protection that they were supposed to release a month ago. I've seen a beta of it, it's not out yet, but it's really nice. It lets you actually watch what's being HotSynced back and forth between your Palm and lets you authorize conduits that are to be HotSynced. If you want to write up some of the programs we've talked about, like Pilot Disassembler, which is a free disassembler, it is available here at this website. Thank you guys very, very much for sitting in this. I want to take questions for about three minutes, if anyone has any, and go over some of the different Palm aspects. Yes, sir. This will be emailed to Dark Tangent afterwards. It will be on the DEF CON site and it will also be here later this evening. So you'll be able to get it tomorrow morning if you want to get it. Yes. I recommend using a program called JAWS Memo. It's 4,096-bit encryption. I also, I tend to be, and Bruce Schneier talked the other day, a fan of Blowfish encryption.
And you can use, what's the name of the application? Oh, crypt pad, which actually is an encrypted memo pad that uses Blowfish encryption. Both of them are really good. Don't choose something like SAM, which is by a Swedish developer. It can use up to like a one-bit key. So you're thinking, oh, I want one byte to protect my information. I recommend something stronger, like the Blowfish encryption. Any other questions? All right, thank you guys very, very much and have a good day. Look for the information up there. Thank you.
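To make the StrCompare versus Crc16CalcBlock point and the HiNote-style staggered key check concrete for developers, here is an added C sketch; it is not code from the talk, from HiNote, or from Palm OS. Assumptions: crc16_calc_block is a constructed stand-in for Crc16CalcBlock using the CCITT polynomial 0x1021, and the key format, the key "ABCD-EFGH-IJKL" and every function name are made up for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for Palm OS Crc16CalcBlock (assumption: CCITT
 * polynomial 0x1021, MSB first, seeded with the caller-supplied crc). */
uint16_t crc16_calc_block(const void *buf, uint16_t count, uint16_t crc)
{
    const uint8_t *p = (const uint8_t *)buf;
    for (uint16_t i = 0; i < count; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u)
                                  : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Weak pattern (StrCompare): the whole key is a literal in the PRC, so a
 * resource dump shows it and a single branch guards the whole program. */
static const char WEAK_KEY[] = "ABCD-EFGH-IJKL";   /* constructed key */
int weak_check(const char *entered)
{
    return strcmp(entered, WEAK_KEY) == 0;
}

/* Staggered pattern (as the talk describes HiNote): three 4-character
 * segments, only the CRC of each segment is embedded, and each segment is
 * verified at a different point in the program's life. */
#define SEG_LEN 4
#define NSEG    3
#define KEY_LEN ((SEG_LEN + 1) * NSEG - 1)   /* "xxxx-xxxx-xxxx" */

typedef struct {
    uint16_t seg_crc[NSEG];   /* a shipped build would embed these as constants */
} KeyTable;

/* Developer-side step run once on the real key; the key itself never ships. */
KeyTable key_table_make(const char *key)
{
    KeyTable t;
    for (int s = 0; s < NSEG; s++)
        t.seg_crc[s] = crc16_calc_block(key + s * (SEG_LEN + 1), SEG_LEN, 0);
    return t;
}

/* seg 0 is checked at registration, seg 1 when creating an item, seg 2 later. */
int key_segment_ok(const KeyTable *t, const char *entered, int seg)
{
    if (seg < 0 || seg >= NSEG || strlen(entered) < (size_t)KEY_LEN)
        return 0;   /* too short: never read past the entered string */
    return crc16_calc_block(entered + seg * (SEG_LEN + 1), SEG_LEN, 0)
           == t->seg_crc[seg];
}

int main(void)
{
    KeyTable t = key_table_make("ABCD-EFGH-IJKL");
    const char *bad = "ABCD-EFGX-IJKL";   /* first segment right, second wrong */
    printf("registration ok: %d, create item ok: %d\n",
           key_segment_ok(&t, bad, 0), key_segment_ok(&t, bad, 1));
    return 0;
}
```

A key whose first segment is right passes the registration check but is rejected later, which is the "people think they've patched it, suddenly the thing doesn't work" effect the talk describes.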