Figure Analysis of one function with new IDS

But how to create those IDS files? I had to create them on my own using the idsutils for IDA and the following procedure, with a little automation.
1. Download the Symbian SDK from the Nokia site, for example from [3].
2. Download ActivePerl and install it, as required to install the SDK (see the readme inside).
4. Go to the and copy all the .lib files. A mirror is also available at 7.0 S60 LIB files.rar.
5. Run the program ar2idt.exe on each of the .lib files, or use an automation tool like for...

References

Due to the extremely vanishing nature of most of the links, some have been found only thanks to Alexa (http://www.alexa.com) and the WayBack Machine of the Internet Archive (http://www.archive.org); I mirrored some information and tools on our web site.
[1] Alexander Thoukydides, SIS File Format
[2] Nokia Symbian SDK, and sdks listings index.html
[3] Nokia S60 Platform SDKs for Symbian OS, for C++
[4] SISView
[5] SYMBFS - Symbian Filesystem plugin for Total Commander, mirrored here: SymbFSPlg0nly04.zip
[6] UnmakeSIS, ...

The Symbian Scene and Binary Diffing Suite

Since my first steps into the Symbian world I have really been wondering why there is such an urgent lack of tutorials, group sites and reversing forums. I had, and indeed still have, great difficulty finding tools and tutorials. Most of the things I found were not in English, or I had to use the WayBack Machine to find them because the sites had disappeared. The usual forums such as Exetools and Woodmann don't have that much either. After having scanned the network, the best way I found to...

Other Useful Tools

Rsc Editor S60

There are other tools which are useful to understand how a program works. Resource decompiler: the only two efficient tools I have ever seen are Phantasm ERL [10] and RSC Editor by P_Jack [11], which can decompile the .rsc files (ERL, however, handles control characters incorrectly). The output you get with ERL is a text file with a list of strings and references like the following, taken from one of the applications examined later, SpriteBackup: ResNr ResHex ResourceID ResType 1 1h 8F6F001 Unknown...

Tools to Extract SIS files

SisView [4] is a freeware plug-in created for the shareware program Total Commander. This tool allows you to view the contents of any .sis file just like any other normal archive. SYMBFS - Symbian Filesystem plugin for Total Commander [5] allows browsing the file system of a Nokia phone connected over the Bluetooth Serial Port Profile directly from Total Commander. This gives great freedom in searching for the right programs and uploading patched applications to your device for real testing. Note that...

Improving the IDA Analysis adding missing IDS

Unfortunately IDA doesn't have signatures for all the SymbianOS system libraries, so the analysis it produces is incomplete because it lacks several calls to system APIs. For example, this is what we get with the CrackMe I release together with this tutorial [30]. It uses the AVKON libraries, the most important library offering APIs for the creation of dialog boxes, list boxes, message boxes and so on; I will explain more about this later on. Now concentrate on the different analysis results we...

Trying out a first patch

The first idea I had was to force the program not to raise the exception. I know it's not a good idea, because the exception is just the last step of a checking process, but I want to describe it here because in my opinion it helps to understand the way Java applications are cracked. We already identified the place where the IllegalArgumentException is raised: it's inside the file l.java, "throw new IllegalArgumentException Word not found s ai 0 i & 0x7ff >>> 3". What we want to do is...

Figure efd command line help

An important note on the IDS files created for this tutorial. Nokia is used to adding and removing some import names and assigning previously used ordinals to new methods in different releases of the SDK. So it might happen (actually it does happen) that you find an ordinal assigned to method A in one version of the SDK libraries and the same ordinal assigned to method B in the following version. This makes IDS files less useful, because IDA only reads and applies the information in the IDS files, without any...
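The ordinal reuse described above is easy to miss when an IDS built from one SDK release is applied to a binary built against another. The following Python script is an added example, not code from the tutorial or from IDA's idsutils: it compares two export listings and reports the ordinals whose name changed between releases, so that those labels can be treated as unreliable. The "ordinal name" text format and the library names it parses are constructed for the example (the ordinals are invented and do not reflect any real SDK), and it does not read the IDS binary format itself.

```python
from typing import Dict, List, NamedTuple, Tuple


class ExportDiff(NamedTuple):
    reassigned: Dict[int, Tuple[str, str]]  # ordinal -> (old name, new name)
    added: Dict[int, str]                   # ordinals only present in the new release
    removed: Dict[int, str]                 # ordinals only present in the old release


def parse_export_list(text: str) -> Dict[int, str]:
    """Parse lines of the form '<ordinal> <name>' into an ordinal -> name table.

    This is a constructed listing format for the example, not the IDS or .def
    syntax.  Blank lines and '#' comments are ignored.
    """
    table: Dict[int, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ordinal, name = line.split(None, 1)
        table[int(ordinal)] = name
    return table


def compare_exports(old: Dict[int, str], new: Dict[int, str]) -> ExportDiff:
    """Classify every ordinal as reassigned, added, removed or unchanged."""
    common = old.keys() & new.keys()
    reassigned = {o: (old[o], new[o]) for o in common if old[o] != new[o]}
    added = {o: new[o] for o in new.keys() - old.keys()}
    removed = {o: old[o] for o in old.keys() - new.keys()}
    return ExportDiff(reassigned, added, removed)


def safe_ordinals(old: Dict[int, str], new: Dict[int, str]) -> List[int]:
    """Ordinals whose name is identical in both releases.

    These are the only entries an IDS generated from one release can be
    trusted to label correctly on a binary linked against the other.
    """
    return sorted(o for o in old.keys() & new.keys() if old[o] == new[o])


# Constructed sample listings: two releases of the same library in which
# ordinal 2 and 3 swap methods, ordinal 4 disappears and ordinal 5 is new.
SDK_OLD = """
1 CAknDialog::ExecuteLD
2 CAknQueryDialog::ExecuteLD
3 CAknListBox::HandleKeyEventL
4 CAknMessageQueryDialog::NewL
"""

SDK_NEW = """
1 CAknDialog::ExecuteLD
2 CAknListBox::HandleKeyEventL     # ordinal 2 now names a different method
3 CAknQueryDialog::ExecuteLD
5 CAknInformationNote::ExecuteLD
"""

if __name__ == "__main__":
    old, new = parse_export_list(SDK_OLD), parse_export_list(SDK_NEW)
    diff = compare_exports(old, new)
    for o, (a, b) in sorted(diff.reassigned.items()):
        print(f"ordinal {o}: REASSIGNED {a} -> {b}  (IDS label unreliable)")
    for o, n in sorted(diff.removed.items()):
        print(f"ordinal {o}: removed ({n})")
    for o, n in sorted(diff.added.items()):
        print(f"ordinal {o}: added ({n})")
    print("trustworthy ordinals:", safe_ordinals(old, new))
```

Running the comparison before applying an IDS tells you which imports to re-check by hand: an ordinal that appears under `reassigned` will be labelled with whichever name the IDS happens to carry, regardless of which SDK the target binary was actually linked against.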

SIS File Structure

Whatever tool you use, you will find this information in a SIS archive: supported Series 60 version info, and the files to run during installation. The language and the app's UID are contained in the SIS header, which is composed of two lines as follows. For example, an &EN says that the language is English, strictly speaking UK English. A few of the other languages are PO Portuguese, NO Norwegian, FR French, SP Spanish, GE German, RU Russian, IT Italian, DU Dutch, SW Swedish, DA Danish, FI Finnish 5...

Symbian Scene

These are some thoughts I have had about the Symbian scene, based on my experience. I think that the lack of information about this world is tied to different factors: you have limited instruments to reverse applications (essentially only dead listings), the ARM assembler is quite difficult to read, there are many small applications, often updated quite frequently, the operating system changes often and not all the Symbian versions are binary compatible, and there are a lot of wannabes...

Strings analysis of Symbian programs with IDA

Symbian uses a string format (strings in Symbian are called descriptors) which includes the length as a header, so by default IDA is not able to identify them: it uses the C null-terminated string format by default. Descriptors have leading bytes reporting the length. For example, as we will also see later in the section on the application SpriteBackup, this is a string inside the SpriteBackup program: .text:10010480 .text:10010490 .text:100104A0 .text:100104B0 .text:100104C0 46 49 74 00 69 00 6F 00 6E...
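Because the length lives in a header word rather than in a terminator, a plain C-string scan breaks UTF-16 descriptor text at its embedded NUL bytes. The following Python scanner is an added example, not code from the tutorial or from IDA: it walks a byte blob and reports candidate length-prefixed strings. The layout it assumes is the one used by literal descriptors (TLitC): a 32-bit little-endian header whose low 28 bits hold the character count (the top 4 bits carry the descriptor type and are masked off), followed by that many UTF-16LE code units; the sample blob, the base address and the strings in it are constructed for the example.

```python
import struct
from typing import List, Tuple

# Assumed literal-descriptor layout (not taken from the page): 32-bit LE header,
# low 28 bits = character count, then UTF-16LE characters.
LENGTH_MASK = 0x0FFFFFFF
MAX_LEN = 256          # longer "lengths" are treated as data, not a header


def make_literal(text: str) -> bytes:
    """Build one length-prefixed UTF-16LE literal (used to construct the sample)."""
    return struct.pack("<I", len(text)) + text.encode("utf-16-le")


def find_descriptors(blob: bytes, base: int = 0, min_len: int = 2) -> List[Tuple[int, str]]:
    """Scan a blob for candidate descriptors and return (address, text) pairs.

    The header word decides how many characters belong to the string, so the
    NUL high bytes of ASCII-range UTF-16 text are not treated as terminators.
    Candidates are only accepted on 4-byte boundaries and must decode to
    printable ASCII-range text; everything else is skipped a word at a time.
    """
    found: List[Tuple[int, str]] = []
    off = 0
    while off + 4 <= len(blob):
        n = struct.unpack_from("<I", blob, off)[0] & LENGTH_MASK
        end = off + 4 + 2 * n
        if min_len <= n <= MAX_LEN and end <= len(blob):
            try:
                text = blob[off + 4:end].decode("utf-16-le")
            except UnicodeDecodeError:   # e.g. a lone surrogate: not text
                text = ""
            if text and all(32 <= ord(c) < 127 for c in text):
                found.append((base + off, text))
                off = end                # resume after the string body
                continue
        off += 4                          # descriptors start on a word boundary
    return found


# Constructed sample blob: two literals separated by padding and junk words.
SAMPLE = (
    b"\x00\x00\x00\x00"
    + make_literal("SpriteBackup")
    + b"\xAA\xBB\xCC\xDD"
    + make_literal("Backup complete")
    + b"\x00\x00\x00\x00"
)

if __name__ == "__main__":
    # Base address constructed to resemble the listing addresses in the text.
    for va, s in find_descriptors(SAMPLE, base=0x10010480):
        print(f".text:{va:08X}  len={len(s):<3} {s!r}")
```

The same loop, fed with the bytes of a `.text` section instead of the constructed `SAMPLE`, gives a list of addresses at which descriptor-style strings start, which is the information IDA's default C-string scan cannot produce for this format.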

How to crack this nut

Load the app into IDA and tell it to also load the resources, then select Ok on the warning that might eventually appear, as follows: "ARM AND THUMB MODE SWITCH INSTRUCTIONS. This processor has two instruction encodings: ARM and THUMB. IDA allows to specify the encoding mode for every single instruction. For this IDA uses a virtual register T. If its value is zero, then the ARM mode is used, otherwise the THUMB mode is used. You can change the value of the register T using the 'change segment register...

Using desquirr decompiler

Desquirr is a decompiler written for IDA as part of a doctoral thesis and released for free as an IDA plugin. It simply decompiles the selected piece of code or the routine under the cursor. It supports both Intel and ARM assembler, so it can be used for normal PC programs and for ARM-based programs (Windows Mobile or Symbian). The quality of the decompilation is not so excellent or so high level; as a consequence its usefulness for a CISC machine like the Intel processors is limited, but for more...

ARM Assembler

ARM processors are RISC CPUs (Reduced Instruction Set CPUs). Besides a lot of other things, this means that there are few assembler instructions and a lot of registers. This definitely means that the ASM is much more complex than the normal x86 assembler. Anyway, the assembler is the same as in the WinCE PPC tutorials you might find around, because those platforms also run on ARM processors. I partially wrote a tutorial at [19] reporting some basic information about this different assembler. Besides this...

Reversing the first application SpriteBackup

I think the moment has come to get down and dirty with a real application. You should know enough by now to understand the following explanations. The first application is a commercial application that has been included here because of the simple protection it uses. Moreover, when you start playing with your phone the best thing is to start making regular backups, and this application has saved my phone many times - URL. Note: if your phone gets messed up and completely blocked, use this resetting...