itsme's Blog

filip

itsme — Mon, 16 Jun 2008 14:47:00 GMT

wednesday june, 11th 2008, our second son, filip was born.

this is big brother now:

itsutils

itsme — Sun, 01 Jun 2008 21:56:00 GMT

itsutils is a set of tools that make life of the windows ce hacker easier. for instance, with pmemdump you can inspect the memory of the kernel or running processes.
with 'psetmem' you can modify memory
with pregutl you can read or change the devices register.
with pmemmap you can get a quick overview of what physical memory is mapped where.
with pps you can get a list of processes, threads or modules.
with pdocread, pdocwrite you can read disk-on-chip flash chips.
with psdread, psdwrite you can read/write sdcards.
with ppostmsg you can send windows messages to windows, or list all windows on the device.

memdump, setmem, regutl, postmsg, sdread and sdwrite are win32 versions of these tools that do the same thing on your normal windows machine.

other tools: prapi, to change settings using the configapi, like certificates, registrykeys, metabase entries.

pget, pput, pdel, pdir, pmkdir can be used to copy from/to, delete, list files, or create directories.

prun and pkill can be used to start or stop processes
preboot remotely reboots your device.

then there is dump, which is a universal hexdump tool.
this is all described on this page. you can leave remarks here on this blog.

IDA Perl Scripting

itsme — Sun, 01 Jun 2008 13:16:00 GMT

i created a plugin for ida (the interactive disassembler), which allows you to script ida in perl. the current api is identical to the ida idc scripting language. current features:

api identical to the IDC scripting language.
printing to STDOUT, is redirected to the ida message window
you can choose to create a new perl instance for every script you want to run, or to reuse the last interpreter.
every database can have some 'autorun' code, which is executed everytime you start ida, for instance to add hotkeys specific to this database.
perl syntax errors are printed in the ida message window

todo:

create 'import idc' function, which can convert idc scripts to perl.
create better ui to manage scripts.
create method of interacting with IDA/IDAPerl from an externally running perl script
add support for the complete IDA api.
hook ida notification points
make scripts interruptable

see this page on my site, or this openrce forum

strange byte sequence in arm binaries

itsme — Fri, 21 Mar 2008 22:17:00 GMT

00000000 00004033 00444101 09401050 00004005 00534c01 09401050 00002078
00534c01 802910ec 0000c0f0 00534b01 812910ec 00000000 00545204 813910ec
0000900b 00545204 813910ec 0000d0c9 00545204 813910ec 0000e04c 00545204
13001186 000050ba 004c4404 0020100b 0000a0cc 00474e05 905010b7 00006008
00433306 920010b7 00000476 00433306

these 0x90 bytes ( or 0x24 dwords ) occur often in windows ce arm binaries

does anyone know what it is for?
my guess is that it is some kind of padding between static data sections of different modules.

another one is

85E0B100 11D104FA A000DAB7 D64803C9

that also seems to occur in many binaries without obvious reason.

igorsk found out that the first block is defined in halether.h - EdbgVendorIds

starting to use xs4all's blogging service

itsme — Wed, 12 Mar 2008 09:33:00 GMT

hope to post more often than i used to update my static homepage