Resourcer 2.5

Introduction

Here's my second attempt to write something like an essay on BeOS reversing. Resourcer 2.5 is a $15 shareware which lets you edit the resources and attributes contained in applications, for example icons, filetypes, and more. You can get it on BeBits. Resourcer comes with a BeIDE project to write add-ons, so I hope someone will be kind enough to write an add-on to disassemble code. (Mac users, this should remind you of something :) )

Tools Required

- Your favourite text editor (as usual)
- dasm, the Linux disassembler by SiuL+Hacky
- Your favourite hex editor (as usual), for example bvi

So what's the problem?

Start the app: you have 30 launches before getting a nice message box with "enter reg code" or "quit". If we check /boot/var/tmp, we notice that each time we start the app, a file is created: tmpresfilex (x gets incremented each time you start it). So, first try: we delete the 30 files we should have here and restart the app. Nothing. This doesn't work, we still get the "enter reg code" message box. So does it have to do with /boot/home/config/settings? Neither (Resourcer doesn't create a settings folder). Damn. Let's disassemble it.

Inside the assembly

I assume res.txt is the text file containing the disassembly. A grep on "reg" gives us:

$ grep reg res.txt
0000e9d4 g F .text 00000df6 registration__Fv
00000000 F *UND* 00000059 __deregister_frame_info
0000e4c4 g F .text 00000227 regcode__Fv
00000000 F *UND* 0000004a __register_frame_info
00000000 DF *UND* 00000059 __deregister_frame_info
00000000 DF *UND* 0000004a __register_frame_info
0000e9d4 g DF .text 00000df6 registration__Fv
0000e4c4 g DF .text 00000227 regcode__Fv

and the whole listing for the functions "registration" and "regcode". At least we know where to look. The "registration" function looks like:

---- Function : registration__Fv ----
Referenced from call at 0000e446 ;
0000e9d4 push %ebp
[...]
0000e9e0 call 0000e9e5
Referenced from call at 0000e9e0 ;
[...]
0000eb4c lea 0x0(%esi,1),%esi
Referenced from jump at 0000f42b ;
0000eb50 call 0000c19c <._init+0xa27>
Referenced from jump at 0000eb49 ;
0000eb55 push %eax
0000eb56 call 0000ca7c <._init+0x1307>
0000eb5b add $0x4,%esp
0000eb5e test %eax,%eax
0000eb60 jne 0000f3c9
Reference to function : regcode__Fv
0000eb66 call 0000e4c4
[...]
0000eb83 push %edx
Reference to function : checkcode__Fll

Uh, this one looks quite interesting. This means a function "checkcode" is fired when you enter the reg code. Having a look at the function "checkcode":

---- Function : checkcode__Fll ----
Referenced from call at 0000eb84 ; 0000ecad ; 0000ee3d ; 0000eef4 ; 0000f01d ; 0000f1cf ; 0000f2fd ;
0000e6ec push %ebp
[...]
0000e9d2 ret
0000e9d3 nop
---- Function : registration__Fv ----

It ends at e9d3, so it is quite long. It probably checks the code you enter against the code the app gives you (see the message box). If I were a XOR addict, I would have tried to write a keygen :) Anyway, my method for this kind of scheme is to start from the end of the function and change any suspicious "jump". At e9c1 we have:

0000e9c1 je 0000e9c7

Let's patch it into a lovely jne. Open up the hex editor (bvi for example) and type:

g e9c1
r 75

And you're done replacing the je (hex code 74) with a jne (hex code 75). Now launch the patched Resourcer, enter any code and it's registered.

Conclusion

Now a question should buzz in your ears: how does the app know it's registered, since there's no file? Answer: open up a terminal in the Resourcer directory and do:

$ cmp -l Resourcer ResourcerPatched

You'll get a bunch of differences. This means the app modified its own resources once registered.
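As an added example (not part of the essay and not Resourcer's own code), here is the defender's side of the cmp -l step above: a byte-level diff of two images, a digest check an application could run over its own code at start-up, and a filter that flags the exact kind of single-byte je/jne flip described here. The two byte strings are constructed stand-ins; the offset 0xe9c1 is taken from the essay, everything else is made up.

```python
"""Tamper detection for a binary whose registration check hinges on one
conditional jump. Everything below is constructed: the byte strings stand
in for the original and patched program and are not real file contents."""
import hashlib
import hmac

# x86 short conditional jump opcodes: je is 0x74, jne is 0x75.
JE, JNE = 0x74, 0x75

# Constructed stand-in "binary": zero padding, then "je +4" (74 04) placed at
# offset 0xe9c1, the byte the essay patches, followed by a little more padding.
PATCH_OFFSET = 0xE9C1
ORIGINAL = bytes(PATCH_OFFSET) + bytes([JE, 0x04]) + bytes(16)
_patched = bytearray(ORIGINAL)
_patched[PATCH_OFFSET] = JNE
PATCHED = bytes(_patched)


def byte_diff(a: bytes, b: bytes):
    """Same idea as `cmp -l`: (offset, old, new) for every differing byte."""
    diffs = [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):  # trailing bytes exist in only one image
        diffs.append((min(len(a), len(b)), None, None))
    return diffs


def code_digest(data: bytes) -> str:
    """SHA-256 over the code bytes; a one-byte je->jne flip changes it."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_digest: str) -> bool:
    """What an application can do at start-up: compare its own code region
    against a digest recorded at build time and stored outside that region."""
    return hmac.compare_digest(code_digest(data), expected_digest)


def flipped_branches(a: bytes, b: bytes):
    """Keep only diffs where a conditional jump became its inverse (je<->jne),
    the classic single-byte patch, so a reviewer can triage a long cmp output."""
    inverse = {JE: JNE, JNE: JE}
    return [(off, old, new) for off, old, new in byte_diff(a, b)
            if old in inverse and inverse[old] == new]


if __name__ == "__main__":
    good = code_digest(ORIGINAL)
    print("patched image passes integrity check:", verify_integrity(PATCHED, good))
    print("suspicious opcode flips:",
          [(hex(o), hex(x), hex(y)) for o, x, y in flipped_branches(ORIGINAL, PATCHED)])
```

The digest check only helps if the stored digest cannot be edited as easily as the code it covers; an in-file constant is no better than the je it protects, which is why the essay's self-modifying resource store is a weak place to keep the registered flag.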