NetPenguin 1.3

Introduction

Please note that this is my first attempt to write an essay about reverse engineering on BeOS R4.5.x. For now there haven't been many essays written about BeOS reversing, and I hope there will be more in the future. The BeOS is a very nice OS (media-oriented), which comes bundled with standard UNIX tools. This is important, because we'll make use of tools written for Linux platforms in order to reverse. NetPenguin is a graphical FTP client which is fast and multithreaded. You can get the 1.3 version (which is not the latest) on http://www.desertnights.com .

Tools Required

- Your favourite text editor (StyledEdit? PE? VI?)
- dasm, the Linux disassembler by SiuL+Hacky: you can get it here. (requires Perl) (I modified this version assuming Perl is in /boot/home/config/bin/perl)
- BVI, the Binary Visual Editor (or any other good hex editor you may have). You can get it here.

Get them and put them in your PATH. I hear: "what about DiskProbe?" I say: it doesn't do hex string search. (Too bad.)

Background

If you start NetPenguin, everything works. Good. But 1 month later it says "30 days limit exceeded" or something like that, please register, etc. A quick look in /boot/home/config/settings shows us that NetPenguin has created a folder called _LP_x-zeid-NetPenguin, with 2 files inside: settings, shortcuts. So you guess the first start date is written in the settings file? I think so. What happens if we delete the settings file (or even the entire folder) and restart the app? No more register message, but we lost the settings. For now, what we're looking for is obviously a date check.

On the way

Let's disassemble it:

    dasm NetPenguin np.txt

(usage: dasm appname textfilename). You'll get a big text file from this (around 6 MB). Now try to extract what you want from it:

    $ grep date np.txt

Loads of Update functions, invalidate, etc. That's not what we're looking for. What about time?

    $ grep time np.txt

Aaah, much more interesting. A lot of time functions, but without an address. (I haven't any clue about it. I asked SiuL+Hacky, and it may be a problem with objdump, which is not the same as the Linux one. And I can't remember which options I modified to make it work.) We can use grep to get more info (lines before and after the time functions):

    $ grep -1 time np.txt

The first one looks quite interesting:

    000410d8 g DF .text 0000006e GetInt32__FP13PreferenceSetPcl
    00000000 DF *UND* 00000028 time
    00041148 g DF .text 00000045 SaveInt32__FP13PreferenceSetPcl

Apparently, GetInt32__FP13PreferenceSetPcl reads from preferences; I guess that's the settings file in /boot/home/config/settings/_LP_x-zeid-NetPenguin. After that, it tests if the app is registered, and if it's not, calls a time function, compares the time saved in settings with the system date, and SaveInt32__FP13PreferenceSetPcl will save the result of the comparison in the settings file. The goal is now to find where the test is in the GetInt32__FP13PreferenceSetPcl function. We have the address of GetInt32__FP13PreferenceSetPcl, so we go to the call to 000410d8: find GetInt32__FP13PreferenceSetPcl with a text editor. That's it (I added comments with function calls):

    Reference to function : GetInt32__FP13PreferenceSetPcl
    0x0002c2b6 call 0x000410d8
    0x0002c2bb mov %eax,0xfffffe08(%ebp)
    0x0002c2c1 add $0xc,%esp
    0x0002c2c4 test %eax,%eax
    0x0002c2c6 jne 0x0002c2e2          --> if not registered, go to test time (apparently)
    0x0002c2c8 push $0x0
    0x0002c2ca call 0x0002a64c
    0x0002c2cf mov %eax,0xfffffe08(%ebp)
    0x0002c2d5 push %eax
    0x0002c2d6 push %edi
    0x0002c2d7 push %esi
    Reference to function : SaveInt32__FP13PreferenceSetPcl
    0x0002c2d8 call 0x00041148
    0x0002c2dd add $0x10,%esp
    0x0002c2e0 jmp 0x0002c302

So if we could modify the test at 0x0002c2c6 (jne, jump if not equal), we won't go through the time test.

Patching

Now, open up NetPenguin with a hex editor (assuming bvi). Note: bvi is like VI, but with hex capabilities (get the docs on the BVI site: http://bvi.linuxbox.com/).

    $ bvi NetPenguin

Now type g and type the HEX address where you want to go: 2c2c6. The cursor is on 75 (HEX code for jne). Now type r (replace single byte) and type 74 (HEX code for je, which is the opposite of jne). Assuming you're over the 30 days trial (if not, change your date settings in Preferences), you can launch NetPenguin and get the full version working.

Conclusion

In this essay we didn't make use of db and bdb, the debuggers included in BeOS. I think these tools are quite interesting, and useful in other essays. I hope somebody will be able to fix the UND problem with the DASM script (i.e. finding the right objdump options). Anyway, this tool is the best tool for reversing on BeOS. Don't use these techniques to steal software, because it will prevent them from writing new stuff. If you use it, buy it. This is for educational purposes only.
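The symbol-table lines quoted in "On the way" make sense once you know objdump's columns: a section of *UND* with address 00000000 marks a symbol this binary imports from a shared library and the loader resolves at run time, which is why time shows no address while GetInt32/SaveInt32 do. The following is an added example, not part of the original essay nor of dasm: a small Python reader for that line layout that separates defined symbols from imports and locates the call sites of a symbol's address, run over a constructed excerpt of the lines quoted above.

```python
import re

# Constructed sample in the layout dasm/objdump produced above: three
# dynamic-symbol-table lines followed by a few disassembly lines.
SAMPLE = """\
000410d8 g DF .text 0000006e GetInt32__FP13PreferenceSetPcl
00000000 DF *UND* 00000028 time
00041148 g DF .text 00000045 SaveInt32__FP13PreferenceSetPcl
0x0002c2b6 call 0x000410d8
0x0002c2bb mov %eax,0xfffffe08(%ebp)
0x0002c2c6 jne 0x0002c2e2
0x0002c2d8 call 0x00041148
"""

# symbol line: address, flag letters (one or more tokens), section, size, name
SYMBOL_RE = re.compile(r"^([0-9a-f]{8})\s+(.*?)\s*(\S+)\s+([0-9a-f]{8})\s+(\S+)$")
# disassembly line of the form "0xADDR call 0xTARGET"
CALL_RE = re.compile(r"^0x([0-9a-f]{8})\s+call\s+0x([0-9a-f]{8})\b")


def parse_symbols(text):
    """Map symbol name -> {addr, flags, section, size} from symbol-table lines."""
    symbols = {}
    for line in text.splitlines():
        m = SYMBOL_RE.match(line.strip())
        if not m:
            continue  # not a symbol-table line (e.g. a disassembly line)
        addr, flags, section, size, name = m.groups()
        symbols[name] = {"addr": int(addr, 16), "flags": flags.split(),
                         "section": section, "size": int(size, 16)}
    return symbols


def undefined_symbols(symbols):
    """Names in *UND*: imported from a shared library, so no address in this file."""
    return sorted(n for n, s in symbols.items() if s["section"] == "*UND*")


def call_sites(text, target):
    """Addresses of 'call' instructions whose target is the given address."""
    sites = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m and int(m.group(2), 16) == target:
            sites.append(int(m.group(1), 16))
    return sites


if __name__ == "__main__":
    syms = parse_symbols(SAMPLE)
    print("imports without an address:", undefined_symbols(syms))
    for name in ("GetInt32__FP13PreferenceSetPcl", "SaveInt32__FP13PreferenceSetPcl"):
        print(name, [hex(a) for a in call_sites(SAMPLE, syms[name]["addr"])])
```

Feeding it the full np.txt instead of SAMPLE gives the same cross-reference the essay obtained by hand with grep and a text editor.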