Hi,
Can someone assist me with how I might go about decompiling or viewing a DLL, making changes to it and recompiling it? What tools can I use to do this?
I have tried copying some of the DLLs from my device over to my local PC, however most of the time I get an "access violation" message.
Further, I realize I can use ildasm to disassemble .NET files, but it seems most of the more interesting DLLs and files may be standard C DLLs. How can I take a look at the code in these and modify it if wanted?
thanks much.
farseer: what level of experience do you have?
V
I'd like to think I am a decent developer, but that may be in my own mind.
However, I do not do a lot of "hacking", i.e., I have not had the need to do much reverse engineering. I have been coding ground-up apps for over 10 years however, using C++, Java, C#, VB, etc. You name the language, and I've probably done something in it.
vijay555 said:
farseer: what level of experience do you have?
V
was that the wrong answer?
farseer said:
I'd like to think I am a decent developer, but that may be in my own mind.
However, I do not do a lot of "hacking", i.e., I have not had the need to do much reverse engineering. I have been coding ground-up apps for over 10 years however, using C++, Java, C#, VB, etc. You name the language, and I've probably done something in it.
vijay555 said:
farseer: what level of experience do you have?
V
The correct answer should be "I know ARM assembler language, the structure of Win32 PE files, I know what an XIP DLL is and why I cannot modify them directly, and I have read the WM5 source code".
In this case the process is simple - you decompile a DLL with IDA (www.datarescue.com), find the place you need, modify the code to suit your needs - and that is all. In most cases there is not enough room in the DLL for your code, so you need to use virus-like techniques; my preferred method is to patch the code so that it loads my DLL and runs it instead of the original code. Or use some other hooking method so that my code is executed instead of the original.
Ah, thanks much, this was helpful. I do have a few follow-up questions:
1. Is "ARM assembler" different from standard assembler? If so, any suggested readings?
2. There are some DLLs that cannot be copied to my local PC (I get an access violation, I believe). How does one extract an image of such DLLs?
3. Where is the WM5 source code? And why would I need to read this to be able to hack/patch DLLs?
thanks again.
mamaich said:
The correct answer should be "I know ARM assembler language, the structure of Win32 PE files, I know what an XIP DLL is and why I cannot modify them directly, and I have read the WM5 source code".
In this case the process is simple - you decompile a DLL with IDA (www.datarescue.com), find the place you need, modify the code to suit your needs - and that is all. In most cases there is not enough room in the DLL for your code, so you need to use virus-like techniques; my preferred method is to patch the code so that it loads my DLL and runs it instead of the original code. Or use some other hooking method so that my code is executed instead of the original.
Hi farseer!
I am nowhere near the level of mamaich or vijay555 but I have some experience in this and I believe I can give you some basic answers:
1. ARM is a different architecture than x86 processors and the assembler is different to accommodate it. There are some basic similarities like mov, add and such, but even the registers are different (R0 - R15 if I am not mistaken). Sorry, I don't know any books on it, but if you google you will quickly find the list of commands with basic explanations.
2. Since the OS is in ROM you can't just copy and paste its DLLs and EXEs. Look for ROM dumping tools on this forum, or already extracted images on the ftp. Keep in mind MS did some tricks to save memory and make it harder to get at the files, so like mamaich said, you need to learn about XIP and the ROM structure in general to understand what's going on.
3. Hmm... MS does have a program for sharing most of WM source code, but it's not for common people like us. (check out their site to see what I mean) I suspect there are other sources of getting the parts necessary to understand DLL hooking, but I have no idea what they might be.
Well that's my two cents until an expert can answer you. Hope this helps.
farseer: you gave a perfectly good answer IMHO, just needed to get an idea of what level to pitch a response without talking up or down to you!
It's well documented that I'm a self confessed newb to c++, and would say that your programming skills should certainly hold you in good stead. However, having a good knowledge of the Win32 API is certainly beneficial.
For decompiling, basically IDA. There is an IDA demo available on their website that should get you going; it's pretty much 100% functional other than it won't save, and closes itself (or crashes itself) after a reasonable, random period of time. IDA is "the daddy" for pretty much all mainstream reversing, although you could write your own decompiler/debugger.
Recompiling - that's a toughy. IDA won't permit recompiling on ARM AFAIK.
You'll have to hexedit into the target and patch directly. Otherwise you get into the exciting world of code injection, hooking etc, as Mamaich says.
For that area, read everything he's ever written, before you start reversing
Oh, and a helpful hint to all. Don't just read what Mamaich's written on this board, his posts on other boards are even more useful!
It's worth getting a good familiarity with reversing on x86 first, get used to how IDA works etc (and Soft Ice is very useful to give a good insight into x86, although AFAIK it's not available for WinCE). ARM assembler is different, but just grab a list of the opcodes and read through a few CPU developers' guides (online).
There are a number of tutorials on reversing ARM stuff online. In the usual places for that kind of stuff.
For getting access to the ROM files, easiest way is to grab a rom update file and decrypt it. Mamaich is once again your man, his romtools do the job. He also has a "live" rom grabber, that'll grab all the files/modules out of your running phone for your perusal.
Platform Builder is available free to give you (some) WinCE source code. Not all, but enough to give you years worth of reading.
V
Thanks all... very kind of you to respond in such detail. I look forward to dabbling a bit with IDA and some of mamaich's tools. I suppose the first order of business is to do a little more research and then just dive in! It's been a while since I wrote any assembly code (not since college!), but I am a bit excited at having an excuse to do so again.
thanks again.
Just remember that unless you really luck out and the developer left the symbol table intact, you're going to end up with garbage for the names of variables and subroutines.
I hate reading decompiled code.
OK, so I have been messing around with an app and found out that its setup.dll on install adds a shortcut in the Programs menu and messes with the default Today items settings. I have used ResHacker to look at it but it doesn't seem to show the shortcut or anything else; it simply has the EULA accept info as far as I see with ResHacker. So my question is, is there a way to stop it from doing so? Would I need to just try and create my own Setup.dll for it? Or is there a better DLL editor?
Thanks for any help,
Mike
No such thing as a "DLL editor". Resource Hacker only shows resources, that is dialogs, bitmaps, icons and any text the writer chose to put in a string table so it would be easily changed. I guess the shortcut is hard-coded.
Now I am not sure what your background in programming is, so don't be offended if this explanation is too basic.
A DLL is basically a program, only it isn't started by itself but called by another program.
You could try removing it from the CAB altogether, but it could be performing other functions critical to program installation. You would need to know about them and be able to code in C/C++ to write a replacement.
There is a powerful disassembler called IDA for ARM code but you need to know assembler on a good level to do anything with it.
Thanks so much for the reply. Well, I'm not that new to .cabs, ROMs, and what not, but with C++ or C# I'm a complete n00b. Didn't know there wasn't a DLL editor, my mistake. You learn something new every day. That being said... I removed it before posting and should have said that. This setup.dll is needed and it won't work without it. But I figured what you said, a new one would probably be the only way. But you mention a disassembler... so since I'm new, which would you suggest would be easier? I do have the tools to write one... but I don't have anything for the disassembler method.
Thanks,
Mike
Writing an app is much easier than disassembling one, since reading assembler is no joy (at least for normal and semi-normal people; some consider it their second / first language).
But like I wrote before you face one basic problem: What is it that this DLL does that the program won't run without?
If you know that, writing a new one will not be a problem. People on the forum could help you with the C++ code if you have basic knowledge of the language. C# won't work for this.
Be aware that the DLL that does the installation is normally stored in the Windows directory for performing the uninstallation at a later time. Modifying it could prevent proper removal of the program.
If the shortcut is hard coded into the dll it is probably visible as readable text in the dll (as long as the author did not try to obfuscate it). If so you may be able to just replace the string. I gave it a try on a similar dll but just editing the text screws up the dll. Someone else may be able to tell how to do it properly (please).
I think I figured out what the issue was and why it wouldn't work without the setup.dll. It's just a registry edit that the setup.dll does, and that's what was missing when it's removed. When I added it to the .cab everything worked smoothly! Thanks for the replies guys and I appreciate the help! BTW thanks for being so nice about it levenum. I would have responded sooner, just been busy.
~Mike
Most of us are already aware that PPC and smartphone edition are similar enough to be mostly compatible in their apps across the platforms.
That is, with enough coaxing and the help of input simulators like SPHelper, I've managed to run almost any Pocket PC app on a smartphone device.
Well, until now.
I've officially run into my first brick wall of sorts, and I'm hoping someone here can shed some light onto the situation.
Since the MS implementation of A2DP has quality issues, I'm trying to run the MSI Blueplayer app (found at http://cweb.msi.com.tw/program/support/download/dld/spt_dld_detail.php?UID=619&kind=8) on a smartphone.
Analyzing the cab, I extracted 4 .dll's that go in the \windows dir (msibtstk.dll, msibtapi.dll, CHS.dll and TW.dll), and two .exe program files that go in program files\msi\blueplayer (STLoader.exe, and MPOBCE.exe).
Now, normally it's as simple as running the .exe, at least it always has been in the past.
However, every time I hit MPOBCE.exe, all I get is:
"Alert
Can't find MPOBCE or one of its components. Make sure the path and filename are correct and that all the required libraries are available."
Just to control this experiment, I copied the exact same files over to a PPC device and ran it to find that it DOES work.
Now, I've never encountered PPC-specific code before - in fact, I didn't even know such a thing was possible. Has anyone seen/heard of this sort of thing before?
Can someone help me take this apart and find out what makes it work on a PPC only? Perhaps a PPC-specific path (if there is such a thing)?
At this point, as much as I'd like to get this working, I'm just as much intellectually curious as to what would cause a program to only operate on a PPC installation.
Hello Dishe.
Your problem is simple: certain DLLs that come built into the Pocket PC version of Windows Mobile do not exist in the Smartphone version. An example is the MFC DLLs.
What you need to do is get hold of 'dependency walker' which is a neat little app that MS incorporated in to VS 6 (though I understand it was written by an independent developer and should be available separately).
It will show you exactly which DLL files each exe is linked to. You then have to get a good copy (from a ROM dump) of the needed DLL and put it in windows directory.
Hope this helps.
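Dependency Walker gets its list of linked DLLs from the import directory of the PE file. The script below is an added example, not code from the thread or from any tool mentioned in it: it parses the import table of a PE32 image by hand, reports the machine type (so an ARM/Windows CE image can be told from an x86 one) and lists which imported DLLs are absent from a given set, which is the check being described above. The sample image is constructed in memory; the DLL name coredll.dll, the symbol names and the ordinal are my own choices for the demonstration (mfcce300.dll and olece300.dll are the names from the thread).

```python
import struct

# Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_ARM = 0x01C0    # ARM as used by Windows CE
IMAGE_FILE_MACHINE_THUMB = 0x01C2
IMAGE_ORDINAL_FLAG32 = 0x80000000  # thunk imports by ordinal, not by name


def _cstr(data, off):
    """Read a NUL-terminated ASCII string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", errors="replace")


def parse_imports(data):
    """Return (machine, {dll_name: [symbol or '#ordinal', ...]}) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                       # PE32 (32-bit, Windows CE)
        dirs, thunk_fmt, ord_flag = opt + 96, "<I", IMAGE_ORDINAL_FLAG32
    elif magic == 0x20B:                                     # PE32+
        dirs, thunk_fmt, ord_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if struct.unpack_from("<I", data, dirs - 4)[0] < 2:      # NumberOfRvaAndSizes
        return machine, {}
    imp_rva = struct.unpack_from("<II", data, dirs + 8)[0]   # data directory entry 1 = imports

    sections = []                                            # (VirtualAddress, size, PointerToRawData)
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError("RVA %#x is not inside any section" % rva)

    imports = {}
    if imp_rva == 0:
        return machine, imports
    desc = rva2off(imp_rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        dll = _cstr(data, rva2off(name_rva)).lower()
        symbols, thunk = [], rva2off(oft or ft)
        while True:
            val = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if val == 0:
                break
            if val & ord_flag:
                symbols.append("#%d" % (val & 0xFFFF))
            else:
                symbols.append(_cstr(data, rva2off(val) + 2))  # skip the 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        imports[dll] = symbols
        desc += 20
    return machine, imports


def missing_dependencies(data, available_dlls):
    """Imported DLLs that are not in `available_dlls` (e.g. the file list of a ROM dump)."""
    have = {n.lower() for n in available_dlls}
    return sorted(dll for dll in parse_imports(data)[1] if dll not in have)


def build_sample_pe():
    """Constructed minimal ARM PE32 with a single .idata section; not a real binary."""
    sec_rva, sec_raw = 0x1000, 0x200
    blob = bytearray()

    def put(b):
        off = len(blob)
        blob.extend(b)
        return off

    desc_table = put(b"\0" * (20 * 4))                       # 3 descriptors + terminator
    n_core = put(b"coredll.dll\0")
    hn_create = put(struct.pack("<H", 0) + b"CreateFileW\0")
    n_mfc = put(b"mfcce300.dll\0")
    n_ole = put(b"olece300.dll\0")
    hn_ole = put(struct.pack("<H", 0) + b"SampleOleInit\0")   # constructed symbol name
    put(b"\0" * (-len(blob) % 4))                            # align the thunk arrays
    thunks = [
        put(struct.pack("<II", sec_rva + hn_create, 0)),
        put(struct.pack("<II", IMAGE_ORDINAL_FLAG32 | 1234, 0)),  # import by ordinal
        put(struct.pack("<II", sec_rva + hn_ole, 0)),
    ]
    for i, (t, n) in enumerate(zip(thunks, (n_core, n_mfc, n_ole))):
        struct.pack_into("<IIIII", blob, desc_table + 20 * i, sec_rva + t, 0, 0, sec_rva + n, sec_rva + t)

    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_ARM, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 20 * 4)    # import directory RVA / size
    sect = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(blob), sec_rva, len(blob), sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return bytes(headers) + b"\0" * (sec_raw - len(headers)) + bytes(blob)


if __name__ == "__main__":
    image = build_sample_pe()
    print(parse_imports(image))
    # A Smartphone file list lacking the MFC/OLE DLLs (constructed) shows what to pull from a Pocket PC dump.
    print("missing:", missing_dependencies(image, ["coredll.dll"]))
```

Run it against a real EXE by replacing `build_sample_pe()` with `open(path, "rb").read()`; the machine value tells you immediately whether you are looking at ARM (0x01C0/0x01C2) or x86 (0x014C) code before you open it in a disassembler.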
That's a great idea. Thanks! I never heard of the dependency walker before, but it sounds like a perfect tool for this. I'll have to check it out on my office computer (I don't have VS 6 at home).
I won't be back in my office until Wednesday, so if anyone has a bit of spare time, I'll attach the files here for someone to examine.
If anyone wants to look into it and tell me what DLLs are required, I can get hold of them from a healthy Pocket PC image.
Thanks!
This zip file has the two .exe's contained in the installation. I think only mpobce.exe is complaining about missing components, though.
Oops, apparently I should have checked first...
Dependency Walker is a free app. I downloaded it and tried it out.
It lists a bunch of .dll's, most of which I had on smartphone.
However, the two missing ones are:
mfcce300.dll
olece300.dll
Now, I'm not exactly sure what these do, so I need to look into it some more. Does anyone have any clue what these are for? If I copy them from a Pocket PC, will they operate on a smartphone?
Hi Dishe.
I guess I should have been more clear: Dependency Walker was written as freeware by an independent developer, but M$ liked it so much they decided to grab it for VS.
Anyway, mfcce300.dll is the MFC version for PPC (if you are not familiar with MFC, it's a collection of "ready code" that simplifies writing apps in C++).
It comes built in for PPCs but not for smartphones for some reason. If you have a good dump, check that DLL with Dep. Walker as well; I am pretty sure it is linked to a few others.
olece300.dll is a COM support DLL. I won't even go there because I really hate COM (that's Component Object Model, not COM port) and I am really not sure myself what the DLL does.
If you do get a good version of those two you should be able to get the app running.
levenum said:
Hi Dishe.
I guess I should have been more clear: Dependency Walker was written as freeware by an independent developer, but M$ liked it so much they decided to grab it for VS.
Anyway, mfcce300.dll is the MFC version for PPC (if you are not familiar with MFC, it's a collection of "ready code" that simplifies writing apps in C++).
It comes built in for PPCs but not for smartphones for some reason. If you have a good dump, check that DLL with Dep. Walker as well; I am pretty sure it is linked to a few others.
olece300.dll is a COM support DLL. I won't even go there because I really hate COM (that's Component Object Model, not COM port) and I am really not sure myself what the DLL does.
If you do get a good version of those two you should be able to get the app running.
Thanks for the help, I'm realizing there's a lot more to this I should have known before embarking on such a task. I've never had such a problem doing this before, I guess MFC isn't so popular!
Anyway, I need a good ROM dump; I haven't been able to acquire one. In the meantime I tried some files I found searching Google... didn't expect it to work, but tried it anyway. Still complained of missing files - you're right, I'll bet MFC is calling more DLLs as well that I need.
Perhaps there's hope...
You were right... I just needed more .dlls!
I found a whole series of .dlls required by mfcce300.dll that my smartphone was missing, so I put them all in the program directory and it opened!
Problem is, it's not so stable... the files were pulled from a CE.NET 4.1 set of files since I don't have access to a WM5 ROM image.
One more thing I should have thought about earlier:
Some COM DLLs, maybe even olece300.dll, have a function called DllRegisterServer that writes them to the registry as a COM provider (under HKCR\CLSID).
Check to see if I am right using Dep. Walker and if so try to get regsvr32.exe or something similar for the PPC. (On a PC you use regsvr32 somedll.dll to register a COM server.)
This may help with the stability issue.
yes, but based on a flexible set of methods
-Using RIL (GSMTestMode)
-Using RIL_GetCellTower
-Using RIL Notifications
-Using RIL (fieldtest) -> reply structure has to be found
-Using offset method (few structures included)
-Using COM port
The project is based on:
-cellguardian.dll and cellguardian.xml : How to get CELLID on devices
-cell2latlon.dll and cellDb.xml : Calculate lat/lon using CELLID
-gsmcelluloz.exe : the main exe
-gsmcellulozCF.exe : the same, as PoC, in CF, but very simple
http://usuc.dyndns.org/tv/gsm/gsmcelluloz/
DEBUG mode creates a lot of log in \Temp
The device method configuration is in a file called "cellGuardian.xml"
Offset version works only with the "ALL" parameter (I don't know what defines the offset, which component version?)
Many things may be incomplete (like the documentation).
Here is a Google map (result from logging) made using a GSMTestMode compatible device:
http://usuc.dyndns.org/tv/gsm/releve_poly.php
I'll write a quick documentation on how to use cellguardian.dll (the brain of the cellid-getting) and cellguardian.xml.
I'm also working on antenna position interpolation but it's a harder process... (for now cell2latlon works but uses a very simple barycentric algorithm)
Sample walk:
http://usuc.dyndns.org/tv/gsm/testParcours.php
Have fun, I hope to have some fieldtest compatible device log in order to decrypt the structure
If your device is still not working... Tell me!
The source will be released as soon as the modaco challenge is finished (I hope to win a device with cellguardian.dll... or a sticker)
Did not work for me on a Tornado with Crossbow ROM; I think you may ask maniac for the offsets, he created CellProfileSwitcher, a very useful SmartPhone tool with a huge list of compatible devices.
In Combination with your Tool it may be useful to create my own "CellMap", to see my Homezone or some other kind of zones, switched by CPS,yea.
But the screenshots look nice...
Thank you for another nice way to waste my time with my lovely phone, hehe... but I need the offsets... don't know how...
Have you tried "Find offset" in the 8FFB0000-8FFC0000 range?
8FDC0000-8FDD0000
8F1D0000-8F1E0000
8A3B0000-8A3C0000
8A4B0000-8A4C0000
8C0D0000-8C0E0000
Are other possible ranges.
The result will be contained in a file located in \Temp
Possible structures (if you define your configuration in cellguardian.xml)
TORNADO
TYPHOON
IPAQ
MPX220
WIZARD
The offset method will be activated once you have removed the other options (COMPORT...) from the config file.
Remember that as long as I don't know what defines the offset, the only version that works is "ALL". This field will be used once I'm quite sure the component version really defines the offset.
I hope to improve it, but also to give the user a chance to configure it himself.
Quick help page
I made a quick help page to help people find the offset until I find some cleaner way to find it...
http://usuc.dyndns.org/tv/gsm/help/
After this, just modify \Program Files\cellguardian.xml
and replace
<device name="HTC Tornado">
<OEMID>Qtek 8310</OEMID>
<method type="RILHTC1"></method>
<method type="RILTOWER"></method>
<method type="COMPORT"><port>COM9:</port></method>
</device>
by
<device name="HTC Tornado">
<OEMID>Qtek 8310</OEMID>
<method type="OFFSET">
<offset version="ALL" structure="TORNADO">YOUROFFSET</offset>
</method>
</device>
Where YOUROFFSET is the offset you found (try the address ranges I suggested above)
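The edit described above (drop the RIL/COMPORT methods for the device and add a single OFFSET method) is easy to get wrong by hand, so here is an added example, not code from the gsmcelluloz project, that performs it with a parser and enforces the constraints stated in the thread: the structure must be one of the five listed, the version must be "ALL", and the offset should fall inside one of the suggested search ranges. The `<devices>` root element wrapping the quoted `<device>` block, the hexadecimal text format of YOUROFFSET and the sample offset value are my assumptions, since the thread shows only the device fragment.

```python
import xml.etree.ElementTree as ET

# Structures the thread lists as selectable for the OFFSET method.
KNOWN_STRUCTURES = {"TORNADO", "TYPHOON", "IPAQ", "MPX220", "WIZARD"}
# Address ranges suggested in the thread for "Find offset" (start inclusive, end exclusive).
SUGGESTED_RANGES = [
    (0x8FFB0000, 0x8FFC0000), (0x8FDC0000, 0x8FDD0000), (0x8F1D0000, 0x8F1E0000),
    (0x8A3B0000, 0x8A3C0000), (0x8A4B0000, 0x8A4C0000), (0x8C0D0000, 0x8C0E0000),
]

# Constructed sample: the Tornado block quoted in the thread, wrapped in an assumed <devices> root.
SAMPLE_CONFIG = """<devices>
  <device name="HTC Tornado">
    <OEMID>Qtek 8310</OEMID>
    <method type="RILHTC1"></method>
    <method type="RILTOWER"></method>
    <method type="COMPORT"><port>COM9:</port></method>
  </device>
</devices>
"""


def in_suggested_range(offset):
    """True when `offset` lies inside one of the ranges the thread suggests searching."""
    return any(lo <= offset < hi for lo, hi in SUGGESTED_RANGES)


def _find_device(root, device_name):
    for dev in root.iter("device"):
        if dev.get("name") == device_name:
            return dev
    raise KeyError("no <device name=%r> in config" % device_name)


def method_types(xml_text, device_name):
    """The method types configured for a device, in document order."""
    device = _find_device(ET.fromstring(xml_text), device_name)
    return [m.get("type") for m in device.findall("method")]


def switch_to_offset_method(xml_text, device_name, offset, structure, version="ALL"):
    """Rewrite a device block so that only the OFFSET method remains; returns the new XML text."""
    if structure not in KNOWN_STRUCTURES:
        raise ValueError("unknown structure %r; known: %s" % (structure, sorted(KNOWN_STRUCTURES)))
    if version != "ALL":
        raise ValueError('only version="ALL" is honoured by the offset method')
    if not in_suggested_range(offset):
        raise ValueError("offset %#010X lies outside the suggested search ranges" % offset)
    root = ET.fromstring(xml_text)
    device = _find_device(root, device_name)
    for old in device.findall("method"):   # remove RIL*/COMPORT so OFFSET becomes active
        device.remove(old)
    method = ET.SubElement(device, "method", type="OFFSET")
    entry = ET.SubElement(method, "offset", version=version, structure=structure)
    entry.text = "%08X" % offset             # assumed text format for YOUROFFSET
    return ET.tostring(root, encoding="unicode")


def configured_offset(xml_text, device_name):
    """Return (structure, offset) from the device's OFFSET method, or None if it has none."""
    device = _find_device(ET.fromstring(xml_text), device_name)
    entry = device.find("method[@type='OFFSET']/offset")
    if entry is None:
        return None
    return entry.get("structure"), int(entry.text, 16)


if __name__ == "__main__":
    # Sample offset is constructed; use the value reported by "Find offset" on your own device.
    rewritten = switch_to_offset_method(SAMPLE_CONFIG, "HTC Tornado", 0x8FFB1230, "TORNADO")
    print(rewritten)
    print(method_types(rewritten, "HTC Tornado"), configured_offset(rewritten, "HTC Tornado"))
```

Point it at the real file (`\Program Files\cellguardian.xml` on the device, copied to the PC) and write the returned text back; because the RIL and COMPORT entries are removed rather than left alongside, the offset method is the only one the tool can pick.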
Let me be your tester
Hello!
I have found your excellent project and I am going to test it and share the results with you. My phone is a smartphone - HTC S310 (also known as HTC Oxygene, SPV C100).
When I launch the application I get an error:
Cannot load \Program Files\GSMCelluloz\CellGuardian.dll:0x7e126
Is your app suitable for smartphones? I have downloaded the
GSMCelluloz_SP5_R.CAB.
Maybe I should use:
GSMCelluloz_WM5_R.CAB?
What offsets should I put to test my phone and which method?
Best greetings and congratulations for your job!
RA
Solved
abramq said:
When I launch the application I get an error:
Cannot load \Program Files\GSMCelluloz\CellGuardian.dll:0x7e126
Hi again!
The problem was that I'd installed the app on the card, not in device memory.
Cell searching works excellently; on my phone the GSMTestMode method works (I am going to find out the differences between methods, but don't know where).
By the way - the user interface for smartphone (non-touch display) looks unfinished - the 'backspace' key doesn't work and it is difficult to leave edit mode too.
Will test it more and make some enhancement
Best greetings and please keep working
JA
P.S.
Which Compact Framework does CellulozCF need? I have 2.0 and the app doesn't work (I get the unexpected error: Microsoft.AGI.CommonMISC.HandleAr() in System.Windows.Forms.Control._InitInstance).
I think the best cell id application of all time would be one which can change the phone profile depending on location. I saw someone here is trying to do it, but it will not be free, so no use. An app like that will eclipse all others... it will be like the next step in mobile evolution. Probably the Japanese already have it.
You are outdated... this idea is really old... look at maniac's homepage:
Maniacs SmartPhoneTools
...but for now not usable on devices without a TI OMAP processor
But PhoneAlarm by PocketMax supports different [email protected], too... but it costs money and is hard to configure, no learning function, no neighbour cells and you have to add every cell one by one...
but you're right, too; actions by location are always missed in apps with notifications or profile changing functions.
I searched and got nothing in the forum about homebrew, so I figured I'd ask about it. Is it possible for us with this phone to do any of the homebrew stuff out there? I have been without my laptop so cannot really try anything yet, but I see articles about little apps and aesthetic changes people are doing to their Samsung and HTC WP7 phones and I want in on it too.
I loved that homebrew community when I had my Palm Pre back in the day and had it hacked to my liking. I really hope we can do this with our phones too. I have looked into it a little bit, but I don't think the guys who have done the unlocking and developing for WP7 have used, tried or have access to our phone. I really hope I'm wrong and just haven't had any luck searching for answers, but so far I haven't really found anything specifically stating whether anything works on the DVP yet.
If they have, could someone point me in the right direction and I'll continue learning on my own? If not, then I hope we can some day.
Thanks for any help y'all can provide.
I'm looking to attack this problem from the other end. I'm the developer of one of those "little apps" you mentioned; specifically the one that lets you change the Search function in IE (when you hit the Search button or mis-type a URL).
I'm working with a homebrew library that more-or-less handles HTC, Samsung, and LG, but completely doesn't support Dell. I'd like to get it working with Dell so that
A) You all can use my app
B) More homebrew apps can be written for the DVP
Some questions that I have (answers to any are appreciated):
How can I programmatically identify a Dell phone? (On an HTC, you can check for HKLM\Software\HTC in the registry.)
Does anybody have ProvisionXML working on the Venue Pro yet? (This is a really handy way to make changes to the OS.)
Does anybody have a way to get access to the file system, even read-only, on the Venue Pro?
Thanks a bunch. In the meantime (and possibly helpful to this cause) there's a homebrew project called "Functional Webserver" in the WP7 Hacking forum. It should work on Dell phones (I think) and means you should have at least Socket (networking) APIs. It also gives (read-only) access to the \Windows directory, which may be very useful for getting other stuff...
GoodDayToDie said:
I'm looking to attack this problem from the other end. I'm the developer of one of those "little apps" you mentioned; specifically the one that lets you change the Search function in IE (when you hit the Search button or mis-type a URL).
I'm working with a homebrew library that more-or-less handles HTC, Samsung, and LG, but completely doesn't support Dell. I'd like to get it working with Dell so that
A) You all can use my app
B) More homebrew apps can be written for the DVP
Some questions that I have (answers to any are appreciated):
How can I programmatically identify a Dell phone? (On an HTC, you can check for HKLM\Software\HTC in the registry.)
Does anybody have ProvisionXML working on the Venue Pro yet? (This is a really handy way to make changes to the OS.)
Does anybody have a way to get access to the file system, even read-only, on the Venue Pro?
Thanks a bunch. In the meantime (and possibly helpful to this cause) there's a homebrew project called "Functional Webserver" in the WP7 Hacking forum. It should work on Dell phones (I think) and means you should have at least Socket (networking) APIs. It also gives (read-only) access to the \Windows directory, which may be very useful for getting other stuff...
I would like to submit my services to help you get that information... However, I'm not really sure how to get that to you. If you'd be happy to lay out directions so I can get you that information, I'll happily do it on my Dell Venue Pro.
Thanks for the help!
@nabiscuit Thanks for the offer. The first step is making sure your phone is developer-unlocked, so you can side-load (install directly, not from Marketplace) XAP application packages. All homebrew apps are distributed in this way. The official way to do this is to have a Microsoft developer account (http://create.msdn.com/) although for the next few weeks ChevronWP7 should also work.
For the first question, try installing a Registry Viewer or Registry Editor app - there are a number of them available, both on this site and on TouchXperience (I like the TouchXperience one a lot). Go poke around for anything that looks like a distinctive registry key or value. The most likely place is under HKLM. You could also just do a registry search (the better apps have at least some capability for such searches) for "Dell" as *anything* with that string is probably distinctive.
For the second, it will take access to native code. Using the "Functional Webserver" app you can download some files from the phone's /Windows directory. Checking them for useful COM exports would be helpful, although I'm not the person to ask about doing that - I can do NT drivers and I can do managed code, but COM is not my thing. Try asking for help with this in the general Windows Phone 7 Development and Hacking forum (http://forum.xda-developers.com/forumdisplay.php?f=606).
For the third question, I could actually whip up a small app that *might* work already. You could also try Advanced Explorer (XDA) or TouchXplorer (TouchXperience) although I don't think either is guaranteed to work outside of HTC phones. If you're willing to try running an app that will check for read and write in a number of harmless parts of the file system, I can code one up for you to run and report results back.
Thanks again!
I'd love to get some homebrew development going, is there anything I can do to help?
Try getting in touch with notebookgrail (http://forum.xda-developers.com/member.php?u=3174632) as he seems to be pulling apart the DVP native libraries and finding lots of cool stuff to do with their COM interfaces. I don't know if he has registry write yet - one of the core functions that a lot of homebrew apps want - but if so I can work on getting it integrated into a nice cross-device library for writing apps which (should... grrr Samsung) work on any phone.
GoodDayToDie said:
Try getting in touch with jessej (http://forum.xda-developers.com/member.php?u=3220709) as he seems to be pulling apart the DVP native libraries and finding lots of cool stuff to do with their COM interfaces. I don't know if he has registry write yet - one of the core functions that a lot of homebrew apps want - but if so I can work on getting it integrated into a nice cross-device library for writing apps which (should... grrr Samsung) work on any phone.
Did you mean to point it to me, as I was the one who did pull apart the native libs?
If not, sorry for the intrusion.
Yes, send your request to notebookgrail. I am not on his level for development purposes. But I do appreciate the comment.
Whoops, sorry about that notebookgrail! I must have looked at a response instead of the OP by accident. I've fixed my post above. Thanks a bunch for the work you've done. Any word on registry writing?
Any progress?