All right, thank you for coming to this presentation on better reverse engineering: cracking mobile binaries. In short, I'll be showing you how to crack a mobile binary, or an exe, on the Pocket PC platform. Although it is targeted more for the Microsoft side of things, the information I am presenting is also geared toward the ARM processor, which is multi-platform and multi-device, so you can use some of this knowledge with other things too.

Before I actually get started, I have some swag to give away. And this is kind of a self-promotional thing too: I co-authored this. If you don't win, you can buy it; it's available. As I look around, this isn't as black of a crowd with the shirts as I expected. I've heard this referred to as a little pit by some people with the number of black shirts in here. Anyway, I want to give this first book to the person wearing the brightest, most obnoxious shirt, and I think I can spot him from here: the tie-dye man right here. So I'll give you the first one. Second one, picking on another stereotype: most of us are probably 35 or under, so I want to give this to the oldest person in the crowd. So is there anybody 65 or older? Is anybody gonna admit to 55 or older? Come on up, come on up. Very good, I want to be coming to DEF CON at your age. Now the third one is kind of funny, because I received two of these in the mail a couple weeks ago. I don't know why they sent me two. This is in traditional Chinese; I can't read one of them, so why they sent me two is beyond me. Does anybody know traditional Chinese? Come on up, it's yours. And if you haven't seen one of these yet, you probably haven't been in a talk. Let's see, I'll just give it to the first person who can make it. Okay, come on up. He's coming behind you, man. He beat you.

Let's get started on this. Who am I? What am I doing here? How many people got their way paid?
Yeah, I had to basically come up here and speak to get my way paid. So for the rest of you, this is one way to get a free ticket to DEF CON: if you can find a company to sponsor you. Airscanner is the company that sponsored me; they do mobile security software, and if you forget, there are little logos in the upper left-hand corner of every slide, so I don't think you'll forget very easily.

Anyway, I have always been attracted to reverse engineering, since I was a kid, with the toaster and remote control cars and whatever else. I'm sure many of you can share that; it's that same kind of feeling. To me, it's a tool, not a weapon, and then with computers it's all about knowing your computer. So this is why I targeted this particular subject. There is a darker side to reverse engineering. Most of us are familiar with cracking software. Pay your programmers. Especially in the US, programmers are already seeing a lot of their jobs outsourced, so they're losing money. That's about all I'll say.

I have to cover the legal issues. This is reverse engineering, and in some contexts it's illegal. I'll just read this verbatim: "No person shall circumvent a technological measure that effectively controls access to a work protected under this title." And this title is the law it just pertains to. That basically means you can't descramble a scrambled work, decrypt an encrypted work, or otherwise attempt to avoid, bypass, remove, deactivate or impair a technological measure without the authority of the copyright owner. I don't want anybody here getting arrested, so I made my own little serial program validator. It's on this disc, at least it should be. You can reverse that; I give you my authority and I give you the permission to do so. That's out of the way. What, not effective? Yeah. I'll take questions again. Anyway, I got me one. This takes 50 minutes. I am going to show a serial protection. I'm going to show that basically you want to program your stuff right.
If you program it simply and you look at it at the upper-level languages and you think your serial protection is secure, you're probably misled, because at the bottom level, when you're dealing with assembler, it's probably going to be flawed. Most serial protections are flawed.

Okay, now let's get into it. I'm gonna skip these because I don't have time. There are some memory issues: if you own one of these devices and you ever let the power run out on it, you'll know that you probably lost all your files except for the stuff stored on the compact flash. That's because it's stored in RAM. We all know RAM needs power to survive. The OS files are stored on the ROM, so they don't get lost. There's a unique issue with the way the files are on here: the OS files are executable in place. So that means they don't need to be dumped to the RAM to run, so it saves your RAM resources, unless they're compressed; then they have to be decompressed to the RAM, which adds a little kind of an issue when you're debugging software, because you can't debug it straight from the RAM. Something to keep in mind. We won't really see that here, but if you move on and run with this, keep that in mind.

Moving on, there are some prerequisites to being able to reverse engineer. You got to understand where assembly fits in the broad scheme of things: that it's a lower-level language, it's not an upper-level language. It's simply one step up from the machine code, the binary that the actual processor reads. It's a way for us humans to understand it more easily. You got to understand the conversions between hex to binary, ASCII, and decimal. Enough said there.
I hope you all know that, or at least are able to figure that out. However, the ARM processor has a lot of specifics in it that you do need to understand. That is the registers and the opcodes: how the registers work and what the opcodes are and how they work. And we're going to be covering some of those here, not all of them, because there'd be more time than I'm allotted.

To start, the registers: there are 37 total registers, and the registers are used by the processor so it doesn't have to keep dumping, writing back and forth to RAM. It basically speeds the process up. Now the register purpose changes depending on mode. You'll read about this; this is more of an upper-level thing. However, there are some registers that we need to definitely pay attention to. Register 15 is the program counter, and this is important to watch because it lets you know where in the program you are actually executing at. Register 14 is the link register, and that's if a program's executing through and needs to go to a subroutine: it'll continue executing, but it has to know where to bounce back, and that's what the link register is for. It points back to where you need to continue executing. Register 13 points to the stack. Now the stack: most of you are probably familiar with the idea of a stack. It simply is used to hold the temporary values and the variables that are used by your program, including register values. When a subroutine is called, those values will have to be put aside so the subroutine can then use the registers. That's how the stack is used. There are four registers, 31 through 28, which are used as status flags, and these control how your program flows. We'll get into that more. In particular, if you're starting out, you need to pay a lot of attention to register 31 and register 30. Register 31 is a negative, or is the less than, so these status flags can mean more than one thing, and you got to keep that in mind as you're watching the program execute: what am I actually
using this status flag for at this point? And you'll understand as we get into how the status flags work, and we'll show this. The same thing about register 30, and this is a little bit confusing if you're new at this, because if a value is 0 and it's checked, the 0 flag will be updated to 1; if the value is equal, it'll be updated to 1. So basically, just watch how the 0 is working. You might kind of get confused: "a 0, then it should be 0," and it's not really; it works that way.

Here is a screenshot of the register window in the Microsoft debugger, which I will show you. I just want you to see how these look while we're talking about registers. You have register 0 through register 12 that are listed as they are. Now the stack pointer is register 13, link register 14, program counter is 15. Here you can also see the negative, the status flags, basically listed right here.

Jumping on to the opcodes now. I'm going to touch on like eight of them or something like that that we'll be using. The first one is the move opcode. It simply moves a value from a register into another register, or from a hard-coded value in the program into a register. And if you note over here on the right where the hex is, I included that so you can kind of get a feeling for it. You have to pay a lot of attention to detail when you're working with this, because if you want to change a value you have to make sure that you pay attention to all the characters in your hex. The compare opcode, this again, it'll just compare a value in a register to another register, or a hard-coded value to a register. And again, I included the hex just so you can see that there's just a slight variation between the two, but it makes a big difference. If you forget that, and you try and change something in your program, you'll probably get confused. You'll forget what you changed and then you might have to start over.

All right, status flags. I talked a little bit about this. Here you can see how the status flags work.
I have the compare status flag, the compare opcode comparing r1 to r0. Now the negative, the N status flag, is updated according to which value is greater. Obviously, if r0 is greater than r1, then the status flag will remain zero. If r1 is greater than r0, the status flag will be updated to one. The Z status flag with the compare opcode basically looks and sees if the values are the same. The result determines whether or not the Z is set to one or the Z is set to zero, and the carry kind of works opposite of the negative.

Now if you note down here at the MOVS, that S, if you're familiar with x86 debugging, that does not mean move string. That means perform the move and then update the status flags. And here the same thing with the ANDS opcode. Basically, when the flags are updated, they're updated based on the resultant value. Now in the case of the move, both values are going to be the same, so it doesn't really make a difference which value to use. And the ANDS opcode, if you use r0, well, if you AND r1 and FF together, then r0 is where the resultant value is written to. Your status flags are updated based on that value in r0. Here you can see how it works. The C status flag isn't really updated with these two.

Here is a list. This is a good reference. You need to be familiar with at least recognizing what they are and how they control the program flow. Here's a list of all the status flags. Primarily we'll be looking at the equal, not equal, greater than and less than. Pretty straightforward; most people understand basic math.

Moving on, now the status flags are used by the opcodes to determine program flow. Now here I have the branch opcode, which, as it runs down through a program, if the branch opcode is in there,
it'll bounce it out to another address. The branch with link is used for subroutines: if, as you run the program through, you have a subroutine, it bounces out and then it bounces back. Now the branch will only be executed, in the case of the branch equal, if the Z status flag is updated to one, and the not equal if the Z status flag is updated to zero. So you can see here again I listed a part of the hex so that you can see what changes.

The load register and store register: these two are used to write values either to the memory from a register or pull memory into a register. Well, the load loads a value from the memory into the register, and the store stores it into memory. Here you can see variations in how it's used. There are numerous ways that they can be combined; values can be added, registers can be added, it can be stored back to a cell or not stored back to a cell. This is kind of like a second level if you want to continue, and we're looking at reverse engineering. However, at the bottom here, the load multiple and the store multiple, they are used particularly when there's a subroutine called. As the program executes down through, the subroutine is called, and the values in the main program that are being used have to be stored on the stack, and that's what this is used for. You'll see this a lot, and it's important to recognize it, because that means there's probably a subroutine being called, and the load will then load the values back off the stack into your registers again.

And I'll talk about logical shift right and logical shift left. These are just used to move, basically it moves the binary value, or the binary representation, padded left or right with zeros. You can also have arithmetic shifts, which will keep your sign bit, which keeps things flowing right. This is kind of a second level.
We won't use it here, but it's important to be able to recognize what they're used for if you see them.

Now there are three main tools that we use for reverse engineering: the hex editor, disassembler and debugger. The hex editor basically is just used to look at a file in hex, and you can then update that file with the values that you need to make it do what you want it to do. I use UltraEdit-32 in this demonstration. You're probably all familiar with the hex editor and you probably have your own preference. This one just works in Windows and works in the presentation. The disassembler: this converts your program file into its assembly code so you can actually understand what's going on, and you can basically read it. I use IDA Pro. There again, there's numerous ones, but IDA is pretty much the industry recognized one, especially with people like us. Then the debugger. Now the debugger, you don't really have too much choice, especially on the Windows platform. However, Microsoft does provide a free debugger, which is nice of them. If you use one of these devices, you probably are familiar with ActiveSync and connecting up to your laptop or whatever with a USB connection. You can debug over USB, but it's painstakingly slow. You will crawl and you get frustrated. I recommend that you connect it up with a regular wired network or a wireless network. I wasn't going to use wireless here, because, well, I don't want to get kicked off my own wireless demonstration. So I have a crossover cable plugged right into my computer, a full 10 megabit connection. It works beautifully, and it's practically instantaneous debugging. So you will need a program called Pocket Hosts for this, which is basically just a hosts file for the Pocket PC platform.

Okay, now I debated whether or not to use two laptops at this point, but I went with one so we can see the screens.
I'm going to jump out at this point. We're going to go into IDA and we're going to load the file in. Before you do anything, any reversing, you have to have the actual executable file on your local computer, so you can't reverse it directly from here as easily. IDA has a special, well, it works better as a reverser than the debugger, although you can reverse with a debugger; it's kind of difficult to follow what's going on sometimes. So when we load up IDA, we need a place to hook into the program. We got to figure out where it's going or what it's doing, and basically try and find some place that we can just figure out what's going on, and there are some options. The more you do this, the more you learn to recognize what these functions are for and how they're used. One of the primary ones that are used in serial protection is the string compare, because it basically compares a serial string with another serial string. This is one of the biggest taboos, that you should not do, to use a string compare, but people are still doing it. You can also use a message box, because what's the first thing that happens if you enter the wrong serial string? It's going to get a message box saying you entered a wrong serial string. That's just another way to hook right into the program and figure out what's going on.

Let's see, I'm gonna escape out of here. Jumping into IDA. Here you can see the best way to do this is with the names window. Now I know my string compares right here, and IDA makes it really easy. It points right to the address. All I have to do is double-click on it, and I'm right there. Close this window. Let's see, open up this. Go to this next screen. This is an illustration of what you do not do. I give you one guess what these functions will actually point you to: a registration check perhaps, or maybe an invalid registration. So if you're programming, you kind of want to, I mean, obscurity is not security, but you don't want to make it too easy.
Don't use something obvious like this. Here is a screenshot of IDA, and this is where we're at in the program. You can see the circled points; this is where it references it inside the program. If there are two points of reference, like the function is used twice, it will have two listings. If there are three or more, it will have a dot-dot-dot; you simply click on it and it'll open up a nice window. You can find the point you want to go to, and you double-click it again, and you're there. You may have to hunt and peck for a while before you find the place that you actually are looking for. For our illustration, though, we only have one, so here we are. This is the point in our program that our serial check is being performed. I'm going to start up here at the top, back over here. The point of the program, this is the code that we're looking at. I don't know if any of you have laptops and you're following along, but if you did, then you can see this, or if you go through the presentation later you can see this. This is basically the entire serial validation check that we're looking at.

Now I use IDA. One important thing to keep in mind, well, a tip for you, is if you're using IDA Pro less than 4.5 you'll have some issues trying to figure out what's going on, because your function calls will be labeled with some really cryptic stuff like mce300_2445. You kind of have to figure out what's going on and how it's being used, and it can get frustrating. Now Dataworm, if you're familiar with him, he does a lot of work with reversing, and he actually came up with the IDT files that convert those cryptic names into something you can understand, and he has them available at his website. And I hereby give him a public note of gratitude, because he helped save me a lot of time working out some of what was going on.

Jump back over to here. Here is the program. You can see right here,
we're setting up some strings and we're starting to load some values into the string. Now, because this is a simple illustration, my serial number is not really hidden here. It is 1 2 3 4 5 6 7 8. Now I kind of start out giving it to you, but it shows you that we're working toward a goal. Now this is really sloppy code, but it still happens quite a lot, where the serial number is actually included right in the program. You can see it in the hex editor. We have another string being loaded: this is "Correct serial number. Thanks for registering." There it is, right in memory, and that happens a lot. That happens more often than it doesn't. "Incorrect serial number, please contact technical support," and we have a final value right here being loaded into the register, and "Correct serial number," holy cow, that says please verify something or other. "Incorrect serial number, please verify it was typed correctly." So we have two incorrect messages and a correct message, and our serial, all loaded into the memory and placed on the stack.

Now at this point many of you might, I mean, you might recognize this UpdateData if you program in C++. It's the function that basically loads a value on the screen into your program so you can use it. Now at this point we're going to jump into the debugger side of it, because this was at the point where we want to see what's going on. So I'm in the embedded Visual C++; I'll open up my file. Here it is, serial.exe. It's open now, as we get in here.
The first thing you're going to want to do is, again, copy the file over to your PC if you haven't already done so, and you're going to hit F11, and this basically just prompts the debugger to go to the first line of execution in the program. And you're going to want to set breakpoints. Breakpoints are very handy, because especially if you're in a huge program with thousands and tens of thousands of lines of code, you want to be able to stop it at a point where you know what's going on. Now we already determined in IDA that we want to stop it right here, so I'm going to stop it at 11280. And you can see another little tip is that you see 00011280; it's because it's an absolute, a relative address, not using a base address. So you need to keep that in mind, because in your debugger you're going to have, we hit F11 and it goes through a bunch of connections, la la la la. It'll ask you for some DLLs if you have a more complex program, and it'll also take about 30 seconds longer if you're using a USB connection. Right here, you can see back on the addressing, we have an 18, and this is just because it is the absolute address; it's looking at a real address inside the program. Now I'm going to set my, it's already pretty much set up. F9: it's already set, it's already checked. I'm ready to go. Okay.

Let me take a moment to talk about these screens here. These are probably the two of your, these are gonna be your best buddies. This one shows you the register values that are currently in use, and this one shows you the memory address that you can then look up and see what's going on in your memory. Back to IDA, sorry, back to our program. Let me hit F5; the breakpoint's set and I expected it to actually break, and it did, well, actually no, the program is running now. This debugger includes a really nice tool so that you can see what's going on on my Pocket PC, so you don't get kept in the dark. Here's what my serial program looks like. Now I'm going to enter a value.
I hit submit, and again I'll update the screen so you can follow along. Here we go. This is the serial number I entered. I have no clue what it is; I'm just going to enter a value and see what happens. My breakpoint is hit and it stops the program. Here we are at 11288. If we look in IDA, 11288 is the UpdateData. So let's start at that point and watch and see what happens in the program. As I move step by step, you hit F11, and this will just move it to the next line of code, and it's the best way to work through a program. One thing I should also mention is, you can see, I hope, that these are red. If it's red, then the value has just been changed. It's another important thing to keep an eye on, so you can watch and see what's going on. I'm going to hit F11 here, and it's going to load a value right into R1, register one. Now you can take this value, copy that here, drop it right in your memory window, hit enter, and there we go. My serial number is in the memory as part of the program; it's being used and we're watching what's going on. Now here at the next line, basically what we're having is a string comparison checking the value of R0. Which, let me hit F11, it's checking the value of R0 with the value 8. Now anybody give me a guess what the value in register zero is? Yell it out. It's the length of our string: four characters. You have a four-character string right here. All right, so we can see a little bit what's going on, and you'll get the idea what's going on here the more you work with it. Here we have a compare opcode. We talked about this; it compares the value in R0 with the hard-coded value of number eight. R0 is four, eight is eight. If we hit F11, our flags down here should be updated accordingly, which is not equal. So our zero status flag is updated to the not-equal status, and it's less than, so our negative status flag will be updated to one. I'll hit F11 and you can see that that is what actually happened.
I hope. Now we have a branch if less than and a branch if greater than. Now the condition is met with a less than, so if I hit F11 it should bypass the rest of my serial validation. And I'm just gonna hit F5 here, and I'm gonna update the screen, and you can see that it gives us an error message right off the bat. So it's not long enough. Something's going on.

Let's go back into the program and start again. Now we know we want to come down to this point, to the compare, and a nice thing about a debugger is you can change the values in your registers, so you can change the flow of the program as it is executing. It's a very useful tool to try and figure out how a program works. I'm going to change this value to eight. So now we have R0 equal to eight, the value eight being compared; it's going to come out in our favor. I hit F11, you can see the equal status flag is set, so these next two lines of code are going to be jumped right over. Now we have another load register, and this is loading a value into R0 from the stack. I hit F11 and I check my memory: 1 2 3 4 5 6 7 8. So here's our value. Even if I didn't catch it in IDA, I can now catch it there. There's my serial number; it's right in memory. Now this next line, 2A4, just so you can see what's going on, is right here. This is our string compare, 112A4.
I hit F11 and you can see that our status flags are updated now. One equals fail, zero equals, one in this case here. We have a value, another memory value, 1122, so it's part of our serial number. If you work through this enough, you would see that R1 equals the address of the character that failed, and then R2 equals the character that did fail, and R3 equals the character it should have been. This is why you don't use a string compare in any kind of serial check: because I could simply work through this one character at a time, learning the serial number as I went, and simply loop through it, and I have the serial number. Then it ends up on Deluxe Serials or something like that, and everybody has a serial number.

Moving on. We overwrite R2 with a zero. Now we're moving our R0 value, which is the one, the status that was passed back from the string compare, into R3, but we're updating the status flags after we do this, and this is going to control the rest of our program's flow. I hit F11; you can see that the status value is one, so the zero flag is set to zero because it did not equal zero, and the negative is left alone. Now the next two lines of code here are interesting, because if you look at them you can see that regardless of what happens, the value one or zero is going to end up in R0. Now we got to work through it and figure out what is controlling the program flow and why this R0 is so important. We hit F11, F11 again.
You can see now that R0 is used in the AND instruction. FF is being ANDed with the value in R0, which in this case is zero. So if it fails, if the string compare fails, the value zero will end up in R0. That result ends up in R3; R3 equals zero, and the status flags are updated because of that little S on the end to update the status flags. Hit F11 again. Now it's doing a load if the not-equal status is set. Our status flag is set because the equal status flag is set, so it's going to bypass this line. Hit F11, hit F5 just for convenience's sake, update the screen, and now we have a different error message. So it looks like if we enter the wrong length serial number we get one error message; if we enter the wrong serial number and it's the right length, we get a different error message. It's adding a little bit of variation in the program.

Okay, hit submit. Now we're back in the beginning of the program again. Now I'm going to jump immediately down to the compare, except this time I'm going to show you something else that we can do. I'm going to let the compare update the status flags with the failed, basically it's going to say less than. So I can overwrite these status flags too. I overwrite my negative status flag, overwrite my zero status flag; now I have an equal status. So the next line of code that executes is going to look at these status flags and go, oh, it's equal, I don't need to execute. Hit F11, hit F11, and you can see it didn't jump. So again, I just redirected the program flow on the fly. I'm going to bounce down to this point. As I discussed, the value in R0 controls what's going to happen here at the ANDS instruction,
so since R0, I don't want it to equal zero, I want it to equal one, because I want FF to be ANDed with the one and then the resultant value, one, be written in R3, and the status flags updated based on the one value. I hit F11 and that happens. Now the not-equal status is set, so I know that the value on the stack is going to be loaded into R1. I hit F11 again. Let's see what R1... well, you know, I'll just hit F5 and you can see what R1 says: "Correct serial number. Thank you for registering." So I just manually bypassed my serial check. I could stop here if I just wanted to do it for myself, but now comes the point of a cracker, where they're going to write a program and they're just going to automate this, or they're just going to patch the program in the first place and distribute that as the patched serial check, so they basically will bypass it.

So let me see where I'm at here. Quick, catch you up. Here we go; these slides talk about what we just went through. The first crack, I'm just labeling it the sleight of hand, because we're just going to trick the program into believing something that's not true, and you can see that back in the compare, in IDA right here. And we're right in this line; we're comparing a value. Now, how can we make this permanently in our favor? Well? R0, R0. Correct. Here you go, come up and get a CD, and I have a couple more things up here too if you do answer right. R0, R0, so you're comparing a value with itself. It's always going to be in our favor. Now I already highlighted this particular point of the code right here. I know you can't answer again; I'm only giving you one thing. We know that the value R0, if it's a zero, will end up basically controlling the program against our favor at this point. I'm sorry, if it's a one, it will control the program against our favor at this point. So we want to control this value right here.
We want one to be moved into R0, and it's moved in here, and it can be moved in here if we simply change this value to a one. So to do that, starting with the compare, we need to load up our hex editor. Here's the serial program; load it up and I'll check it. Page down. Now the point in IDA that we need to go to is 294. This is the address in IDA; now, in the file itself, it points to a different location. This is the current position in the input file, and this is the value, this is the address line, we need to locate. So at 694 we need to change this compare from, I mean, from an 8 to an R0, and also change that one last hex character on the end, because now we're moving a register into a register, not a hard-coded value into a register. Open up UltraEdit, and I think it was 694. 694 is this line right here. You can see 8. Once you get familiar with how the assembly, I mean how the hex, looks, you can kind of even read through a program like this. But 8 is moved into R0, and this is the compare, so we need to change this 8 to a 0, and we need to change the fact that it's moving a hard-coded value into a register, to from a register into a register. So that's a one. That takes care of our first point. Come down to this point of the program, 2B4. We want to make this a one. So at 2B4, or 6B4, right at this point, this is the MOVNE; make this value one. File, save as; I'll say this is serial number two. I'm a serial number one. Save. Copy it from my local file directory over to the start menu on my Pocket PC. Open it up on my Pocket PC, so you know I'm not full of crap. Hit submit and update the screen. "No serial number entered. Thank you for registering."
So here's one way that you can crack a program. Now, just like there are many ways to program, there are many ways, many weaknesses in a program, that can be exploited, and I'm going to show you a couple more. Right here we have the compare; we already looked at that. How about these two lines right here? Let's simply overwrite those lines, so we don't have to worry about what happens to the compare when we jump. I'm going to jump back into this point here; you update the hex. This is kind of like a slide: you're basically NOPping it, you're basically putting a no-operation in there. However, there is no NOP instruction on the ARM processor; you have to kind of do a virtual NOP. So to do that, we simply move a value into itself, move a register value into itself. It won't do anything; it won't update the status flags. It's the perfect way to do it. Just for curiosity, I put the 90 in there to see what happened, because that's how you do a NOP on x86, and it came up with probably the opposite of a NOP: UMULLLSS blah blah blah, and that basically stands for an unsigned multiply long if the LS status flag is set, and then it updates the status flags with the result value. Not a NOP.

So what do we have to do? Here we are; we're going to overwrite these values right here with, basically, our virtual NOP. So I'm going to jump over to my hex editor. I'm going to go to that point in the program, which is 298, and that's 698. Right here we are. These two lines right here need to be changed. I'm going to make this 01 10 A0 E1, and the next line, same thing: 01 10 A0 E1. Now I still need to patch this point down here, so I still need to go to 6B4 and change this zero to a one. 6B... ah, crud.
You know what, I've got to start with a fresh one. 694, here we go: 01 10 A0 E1, 01 10 A0 E1. Come down to 6B4 and change this value right here to a one. File, save as, serial number two, save. Copy it from our local over to our other side, and somebody's car alarm is going off. Update the screen so you can see it worked. Here we are: serial number two. "Thank you for registering."

Third one I'm going to show you, since the rest of these have been kind of after the fact: if we could actually find the correct serial number beforehand and use it for our validation without knowing it, that'd be really handy. It's kind of preventive maintenance, so you don't have to patch anything else, and you can do that because right here at the string compare we know that a correct serial is loaded into R0. Okay, so here we are: we know our correct serial is loaded into R0, we know our value is loaded into R1. So why don't we just take this value off the stack and load it right into register one? That'll save us all the trouble of trying to patch anything, because we'll have the correct serial right from the get-go. To do that, that's at 68C. Open up my blank zero again, jump down to 68C. Right here we are: now we're loading the value C into our... loading it from our stack pointer, and now this is register four. I'm changing it to the stack pointer, or the, yeah, the stack pointer, which is actually 13, and that's represented by hex character D.
So you have to change two characters. Hit file, save as, serial number three, save. From local... update the screen, and there we go: three different ways to crack the program in, what, a whole ten minutes. I'm going to jump back to my slides now to catch us up. Here is the actual code that I used, and I just included this so you can understand what not to do. The string is simply dumped into a string character, the serial number is dumped into a variable, and so are the error messages. The update is performed like we saw, and we have a little get-length, and it just basically compares that value to eight, and at that compare instruction, where we're comparing R0 to eight, the correct or incorrect message-length boxes are shown. If the serial is at least eight characters it's then validated, and you have another set of message boxes that are shown depending on what you entered. There are, again, the tools that we need to use: the disassembler, the debugger and the hex editor. You've got to have an understanding of the ARM processor and the opcodes and registers, and to reverse it you've got to find a point in, you've got to be able to watch the execution, figure out what's going on, and then patch it if you prefer.

Now, it's not always something like cracking a program. Earlier this week I wanted to use my Terminal Services client on my Dell, and I wanted to connect to a port other than the default 3389. If you ever looked that up on the Internet, I don't know if anybody ever cared, you can't supposedly do it, and I'm like, that's bogus, I've got to be able to do it. So I went in, I found a point in the program where 3389 is actually hard-coded into the Terminal Services client, I changed it to the port I wanted, at which point I then discovered that the program actually writes a registry key, and then through that it's just as simple as adding a registry key into your Pocket PC and you can connect to any port. It's undocumented; I haven't found any other place online.
It can be done, but you can use reverse engineering for things like that: make a program better, change something that you don't like, get rid of timers, get rid of various things that you may not like to see in a program. Um, lots of sites, well, not a whole lot, but there are several sites out there. Chaos net is one of them; it's more of the cracking side of things, but that's usually where technology is innovated and people start figuring stuff out. If they're the hackers, they get a lot of the stuff moving. Data worm, again, he's got a lot of information and he did the IDT files, so he knows this stuff. The third line here, this is a great PDF if you want a great intro and an understanding of how the opcodes work. Read this PDF, because it has a lot of valid information in it. The rest of these are of various importance. The ARM ref PDF, that's a great reference sheet that gives you a list of the opcodes and some of their hex comparisons and so on, and of course ARM has a lot of manuals, and Airscanner. Anyway, I guess I am done early. I'm supposed to tell you that you have to clear out because the next line is already really long, and that's really all I have to say. If you have questions, I'm going to go out by the pool so the next crowd can get in here. So thank you for your time.
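As an added example that is not part of the talk (the speaker worked with IDA and a hex editor), the following Python decoder covers the two ARM encodings the talk patches by hand: the data-processing form (CMP, MOVNE, MOV) and the long-multiply form that the x86 NOP bytes fall into. Only the bytes 01 10 a0 e1 and 90 90 90 90 come from the talk; the CMP R0, #8 / CMP R0, R0 and MOVNE words are reconstructed from the ARM encoding rules and are assumptions about what the binary contained.

```python
# Added example (not from the talk): minimal decoder for the ARM data-processing
# and long-multiply encodings the talk patches by hand.  Words are little-endian,
# so the hex-editor bytes "01 10 a0 e1" quoted in the talk are the word 0xE1A01001.
import struct

COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]   # "" = AL (always)
OPCODE = ["AND", "EOR", "SUB", "RSB", "ADD", "ADC", "SBC", "RSC",
          "TST", "TEQ", "CMP", "CMN", "ORR", "MOV", "BIC", "MVN"]

def reg(n):
    return {13: "SP", 14: "LR", 15: "PC"}.get(n, "R%d" % n)

def decode(word):
    """Return the mnemonic for one 32-bit ARM word, or a marker if unhandled."""
    cond = COND[word >> 28]
    # Long multiply: bits 27-23 = 00001 and bits 7-4 = 1001.  The x86 NOP bytes
    # 90 90 90 90 land here (UMULL, cond LS, S set), so they are not a NOP on ARM.
    if (word >> 23) & 0x1F == 0x01 and (word >> 4) & 0xF == 0x9:
        name = ["UMULL", "UMLAL", "SMULL", "SMLAL"][(word >> 21) & 0x3]
        s = "S" if (word >> 20) & 1 else ""
        return "%s%s%s %s, %s, %s, %s" % (name, cond, s, reg((word >> 12) & 0xF),
               reg((word >> 16) & 0xF), reg(word & 0xF), reg((word >> 8) & 0xF))
    # Data processing: bits 27-26 = 00; bit 25 selects immediate vs register Op2.
    if (word >> 26) & 0x3 == 0:
        op, s = (word >> 21) & 0xF, (word >> 20) & 1
        rn, rd = reg((word >> 16) & 0xF), reg((word >> 12) & 0xF)
        if (word >> 25) & 1:                      # 8-bit immediate, rotated right
            imm, rot = word & 0xFF, ((word >> 8) & 0xF) * 2
            op2 = "#%d" % (((imm >> rot) | (imm << (32 - rot))) & 0xFFFFFFFF)
        elif (word >> 4) & 0xFF == 0:             # plain register, no shift
            op2 = reg(word & 0xF)
        else:
            return "<shifted operand, not handled here>"
        if op in (8, 9, 10, 11):                  # TST/TEQ/CMP/CMN have no Rd
            return "%s%s %s, %s" % (OPCODE[op], cond, rn, op2)
        if op in (13, 15):                        # MOV/MVN have no Rn
            return "%s%s%s %s, %s" % (OPCODE[op], cond, "S" if s else "", rd, op2)
        return "%s%s%s %s, %s, %s" % (OPCODE[op], cond, "S" if s else "", rd, rn, op2)
    return "<encoding not handled here>"

def decode_hex_bytes(hexbytes):
    # Bytes exactly as a hex editor shows them, i.e. little-endian word order.
    (word,) = struct.unpack("<I", bytes.fromhex(hexbytes))
    return decode(word)

if __name__ == "__main__":
    # Reconstructed before/after pairs (assumed), then the two words from the talk.
    for hexbytes in ["08 00 50 e3", "00 00 50 e1",   # CMP R0,#8 -> CMP R0,R0
                     "00 00 a0 13", "01 00 a0 13",   # MOVNE R0,#0 -> MOVNE R0,#1
                     "01 10 a0 e1", "90 90 90 90"]:  # talk's NOP; x86 NOP bytes
        print(hexbytes, "->", decode_hex_bytes(hexbytes))
```

Running it shows why the compare patch touches both the 8 and the last hex character (E3 to E1 switches the immediate form to the register form) and why 90 90 90 90 decodes to UMULLLSS rather than a NOP.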