📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
Mobile Reversing

Topic created on: July 2, 2008 17:31 CDT by petroleum.

We all can point to the wonderful literature that's currently available for reverse engineering on x86/amd/64x etc., but can anyone here point to some nice literature on reversing or hacking about inside mobile devices? That is to say, ARM architecture on Win Mobile 5/6 and Symbian OS, and possibly extending that to iPhone etc.

It'd be really nice to set up a reversing platform for these platforms. Questions such as "How do I set it up? How do I capture various protocols from devices? How does one extract drivers for analysis?" etc.

All responses would be welcome and appreciated.

  Soul12     July 2, 2008 23:45.59 CDT
http://www.metasploit.com/blog/#blog-6 Metasploit has (4 articles) I think about reversing on the iPhone.

  MohammadHosein     July 3, 2008 01:17.32 CDT
Anybody ever seen a successful remote attack against Symbian documented somewhere?

  dennis     July 3, 2008 03:20.56 CDT
> petroleum: But can anyone here point to some nice literature on reversing or hacking about inside mobile devices. That is to say ARM architecture on Win mobile 5/6 and Symbian OS, and possibly extending that to iPhone etc.

Phrack #64 had a nice article on "Hacking Windows CE".

  itsme     July 3, 2008 07:35.25 CDT
Check out my tool collection, also known as 'itsutils'.

Tools to interact with a live Windows CE device:

  http://www.xs4all.nl/~itsme/projects/xda/tools.html

Tools to manipulate ROM images:

  http://www.xs4all.nl/~itsme/projects/xda/nbftools.html

IDC scripts to aid reversing WinCE stuff:

  http://www.xs4all.nl/~itsme/projects/ida/idcscripts.html

willem

  petroleum   July 3, 2008 12:58.32 CDT
OK, just to be clear on terminology:

When you say WinCE, you do mean the WinCE family? This would include incarnations of Windows Mobile (5 and 6) etc.?

I've read the iPhone one today; it's pretty interesting. The Symbian one I'll check out now and see what info I can glean from it. And to all others, I am in your debt. Thank you for the replies; I'm looking into them all.

Please feel free to add more sources of information to this thread; any info given is much appreciated :)

Thanks

  itsme     July 3, 2008 15:05.26 CDT
Windows CE internals have remained largely the same from Windows CE 3.x, 4.x, and 5.x,

corresponding to PocketPC 2002, 2003, Windows Mobile 2003, WM2005 and WM6.x.

Windows CE 6.x is very different, but I have not yet seen a phone that comes with it.

  weiss     July 15, 2008 20:45.25 CDT
To everyone interested in Symbian OS reversing, ARTeam have done exceptional work in this area and I would highly recommend you check them out.

http://arteam.accessroot.com/

  ef     November 27, 2008 04:06.05 CST
The site seems to be down at the moment, but a mirror exists.
http://xchg.info/ARTeam/Tutorials/
They did excellent work on Symbian but also on iPhone. Really interesting reading; I recommend it too.

  carib     May 6, 2009 03:24.05 CDT
> Phrack #64 had a nice article on "Hacking Windows CE".
Thanks for the pointers. Quick question regarding the PEB-like structure (KDataStruct). The article says it is mapped somewhere at the end of the address space. I assume it is accessible via user mode, of course... I scanned all pages from 0xF0000000 to 0xFFFFF000 but they're all inaccessible. Anybody have an idea?

  carib     May 6, 2009 03:31.48 CDT
Another quick question regarding this piece of code:
LDREQ   R3, =0xF000F7F8
MOVEQ   R1, R8
MOVEQ   R0, #0x42
MOVEQ   LR, PC
BXEQ    R3

According to http://nah6.com/~itsme/cvs-xdadevtools/ida/idcscripts/kernel-structs.idc this would be a SH_CURPROC_TerminateProcess syscall.
However, VirtualQuery fails on this page. Then how come the program could end up executing any code there? Or would it simply trigger an exception, then the kernel would check that R3 is 0xF000F7F8 and make the syscall? This looks strange to me since there are regular means to make interrupt calls on the ARM.

  itsme     May 6, 2009 06:06.30 CDT
Well, that is how it works: the invalid page handler checks if the address falls into f0000000-f0010000 and executes the corresponding registered system call handler.

You can use my pmemmap tool to get an overview of what virtual addresses are mapped.

For instance, on my HTC StarTrek this results in:
v80000000-84000000 -> p00000000-04000000   4000000
v8a100000-8a500000 -> p13c00000-14000000    400000
v8c000000-90000000 -> p10000000-14000000   4000000
v90000000-90100000 -> p20000000-20100000    100000
v98000000-98100000 -> pfff00000-00000000    100000
v98100000-98200000 -> p04000000-04100000    100000
v98400000-98500000 -> p06000000-06100000    100000
v98500000-98600000 -> p08000000-08100000    100000
v98600000-98700000 -> p40000000-40100000    100000
vf0000000-f0100000 -> p00000000-00100000    100000
vfffd0000-fffd4000 -> p102c0000-102c4000      4000
vffff0000-ffff1000 -> p102c4000-102c5000      1000
vffffc000-ffffd000 -> p102c5000-102c6000      1000

You can use phandle -k to print the KData struct,

or use pmemdump 0xffffc800 to get a hexdump.

phandle, pmemdump and pmemmap can be downloaded from my itsutils page.
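An added example (not from the thread and not part of itsutils) that resolves a trap-area address the way the invalid page handler described above does, to show why the faulting branch to 0xF000F7F8 is a system call rather than executable code. It assumes the layout given in the Phrack #64 article: 256 four-byte method slots per API set, counted down from 0xF0010000, and the handle-based set indices SH_WIN32 = 0, SH_CURTHREAD = 1, SH_CURPROC = 2.

```python
# Windows CE syscall trap-address decoder. Constants are assumed from the
# Phrack #64 "Hacking Windows CE" article; verify against your kernel headers.
FIRST_METHOD = 0xF0010000   # top of the trap area (exclusive)
TRAP_BASE = 0xF0000000      # bottom of the trap area, as itsme describes
APICALL_SCALE = 4           # one 4-byte slot per method
HANDLE_SHIFT = 8            # 256 method slots per API set

# Handle-based API set indices (assumed from the CE kernel headers).
API_SET_NAMES = {0: "SH_WIN32", 1: "SH_CURTHREAD", 2: "SH_CURPROC"}


def is_trap_address(addr: int) -> bool:
    """True if a fault at addr is handled as a syscall, not a real page fault."""
    return TRAP_BASE <= addr < FIRST_METHOD and addr % APICALL_SCALE == 0


def decode_syscall(addr: int) -> tuple:
    """Map a trap address to (api_set, method); reject addresses outside the area."""
    if not is_trap_address(addr):
        raise ValueError(f"0x{addr:08X} is not inside the syscall trap area")
    slot = (FIRST_METHOD - addr) // APICALL_SCALE
    return slot >> HANDLE_SHIFT, slot & ((1 << HANDLE_SHIFT) - 1)


def encode_syscall(api_set: int, method: int) -> int:
    """Inverse of decode_syscall: the address a caller branches to."""
    if not 0 <= method < (1 << HANDLE_SHIFT):
        raise ValueError("method index must fit in 8 bits")
    return FIRST_METHOD - ((api_set << HANDLE_SHIFT) | method) * APICALL_SCALE


def describe(addr: int) -> str:
    """Human-readable form, naming the API set where the index is known."""
    api_set, method = decode_syscall(addr)
    name = API_SET_NAMES.get(api_set, f"apiset_{api_set}")
    return f"0x{addr:08X} -> {name} method {method}"


if __name__ == "__main__":
    # R3 from the listing quoted above: set 2 (SH_CURPROC), method 2.
    print(describe(0xF000F7F8))
    # The KData address is a real mapping in pmemmap's output, not a trap slot.
    print(is_trap_address(0xFFFFC800))
```

The BXEQ to R3 never executes code at that address; the fault is what selects the registered handler, which is why VirtualQuery reports the page as unmapped.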

  carib     May 6, 2009 09:24.42 CDT
Thanks for the reply! Your tools may save me a lot of time.
Is there any official way to read ROM files (like coredll.dll)? Like, get admin rights and simply dump the file.

  itsme     May 6, 2009 10:22.38 CDT
That depends on your phone.

There are 2 basic ways:

1) decode the update package
  - usually this contains a .nbh file, which can be decoded using nbh2dbh + dbhdecode

2) read it from flash
  - most likely pdocread will help you here.

There are many options to choose from, depending on which phone exactly you have.

Once you have the OS image, you can extract files from it using dumpxip.pl and rdmsflsh.pl.

  carib     May 6, 2009 11:48.55 CDT
Thanks. I'm working with the Microsoft Virtual Machine right now, the image I'm using being a Win CE v5.
I used ROMextractor to get the coredll.dll. I'm pretty sure it simply reads whatever it can from its own process image and rebuilds the PE header... but that's enough for now. I'll check out how to dump the VM image ROM later on.

  carib     May 6, 2009 11:50.22 CDT
Do you know any freeware or commercial WinCE/ARM packer (except for UPX...)? Nicolas Brulez did not mention which one he's reversing on this talk: http://video.google.com/videoplay?docid=-7250563451745837774.
