Hi,
Can someone assist me with how i might go about decompiling or viewing a dll, making changes to it and recompiling it? What tools can i use to do this?

I have tried copying some of the dlls from my device over to my local pc, however most of the time i get an "access violation" message.

Further, i realize i can use idlasm to disassemble .net files, but it seems most of the more interesting dlls and files may be standard c dlls. How can i take a look at the code in these and modify if wanted?

thanks much.

farseer: what level of experience do you have?

V

I'd like to think i am decent developer, but that may be in my own mind :)
However, i do not do a lot of "hacking", i.e., have not had the need to do much reverse engineering. I have been coding ground up apps for over 10 years however, uisng C++, Java, C#, VB, etc. You name the language, and i've probably done something in it :).

farseer: what level of experience do you have?

V

was that the wrong answer?

I'd like to think i am decent developer, but that may be in my own mind :)
However, i do not do a lot of "hacking", i.e., have not had the need to do much reverse engineering. I have been coding ground up apps for over 10 years however, uisng C++, Java, C#, VB, etc. You name the language, and i've probably done something in it :).

farseer: what level of experience do you have?

V

The correct answer should be "I know ARM assembler language, the structure of Win32 PE files, I know what is XIP DLL and why I cannot modify them directly, and I have read the WM5 source code".
In this case the process is simple - you decompile a DLL with IDA (www.datarescue.com), find the place you need, modify the code to suit your needs - and that is all. In most cases there is not enough place in DLL for your code, so you need to use virus-like techniques, my prefered method is to patch the code so that it loads my DLL and run it instead of original code. Or use some other hooking methods so that my code is executed instead of original.

Ah, thanks much, this was helpful. I do have a few follow up questions:

1. Is "Arm assembler" different than standard assembler? If so, any suggested readings?
2. There are some dlls that cannot be copied to my local pc (i get an access violation i believe). How does one extract an image of such dlls?
3. Where is the WM5 source code? and why would i need to read this to be able to hack/patch dlls?

thanks again.

The correct answer should be "I know ARM assembler language, the structure of Win32 PE files, I know what is XIP DLL and why I cannot modify them directly, and I have read the WM5 source code".
In this case the process is simple - you decompile a DLL with IDA (www.datarescue.com), find the place you need, modify the code to suit your needs - and that is all. In most cases there is not enough place in DLL for your code, so you need to use virus-like techniques, my prefered method is to patch the code so that it loads my DLL and run it instead of original code. Or use some other hooking methods so that my code is executed instead of original.

Hi farseer!

I am nowhere near the level of mamaich or vijay555 but I have some experience in this and I believe I can give you some basic answers:

1. ARM is a different architecture then x86 processors and the assembler is different to accommodate it. There are some basic similarities like mov add and such, but even the registers are different (R0 - R15 if I am not mistaken). Sorry, I don't know any books on it, but if you google you will quickly find the list of commands with basic explanation.

2. Since the OS is in ROM you can't just copy and paste it's DLLs and EXEs. Look for ROM dumping tools on this forum, or already extracted images on the ftp. Keep in mind MS did some tricks to save memory and make it harder to get at the files, so like mamaich said, you need to learn about XIP and the ROM structure in general to understand whats going on.

3. Hmm... MS does have a program for sharing most of WM source code, but it's not for common people like us. (check out their site to see what I mean) I suspect there are other sources of getting the parts necessary to understand DLL hooking, but I have no idea what they might be.

Well that's my two cents until an expert can answer you. Hope this helps.

farseer: you gave a perfectly good answer IMHO, just needed to get an idea of what level to pitch a response without talking up or down to you!

It's well documented that I'm a self confessed newb to c++, and would say that your programming skills should certainly hold you in good stead. However, having a good knowledge of the Win32 API is certainly beneficial.

For decompiling, basically IDA. There is an IDA demo available on their website that should get you going, it's pretty much 100% functional other then it won't save, and closes itself (or crashes itself) after a reasonable, random period of time. IDA is "the daddy" for pretty much all mainstream reversing, although you could write your own decompiler/debugger.

Recompiling - that's a toughy. IDA won't permit recompiling on ARM AFAIK.
You'll have to hexedit into the target and patch directly. Otherwise you get into the exciting world of code injection, hooking etc, as Mamaich says.
For that area, read everything he's ever written, before you start reversing :)
Oh, and a helpful hint to all. Don't just read what Mamaich's written on this board, his posts on other boards are even more useful!

It's worth getting a good familiarity with reversing on x86 first, get used to how IDA works etc (and Soft Ice is very useful to give a good insight into x86, although AFAIK it's not available for WinCE). ARM assembler is different, but just grab a list of the opcodes and read through a few CPU developers' guides (online).

There are a number of tutorials on reversing ARM stuff online. In the usual places for that kind of stuff.

For getting access to the ROM files, easiest way is to grab a rom update file and decrypt it. Mamaich is once again your man, his romtools do the job. He also has a "live" rom grabber, that'll grab all the files/modules out of your running phone for your perusal.

Platform Builder is available free to give you (some) WinCE source code. Not all, but enough to give you years worth of reading.

V

Thanks all...very kind of you to respond in such detail. I look forward to dabbling a bit with IDA and some of mamaich tools. I suppose the first order of business is to do a lil more research and then just dive in! It's been a while since i wrote any assembly code (not since college!), but i am a bit excited at having an excuse to do so again.

thanks again.

Just remember that unless you really luck out and the developer left the symbol table intact, you're going to end up with garbage for the names of variables and subroutines.

I hate reading decompiled code.