COD Template

November 30, 2006

Hi,

Quickly, as I promised, I am publishing a template for 010 Editor. I like 010 because it lets you quickly create “C”-like data structures and apply them to a binary file. The result is a nice-looking and easy-to-navigate tree of data structures, with the different structures highlighted in different colors, fast access to all data fields, and the ability to view data instantly in different formats: hex, numeric, text, etc.

Copy and save the template into the 010 template folder; you may need to change the file extension to “bt”, although I think it is not necessary. Then run the template against your COD file and enjoy.

Please note 1. Some COD files are not exactly COD files, but two or more COD files zipped together. In this case you need to decompress them first using WinRAR or a similar tool.
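One way to make that check before running the template, as an added Python example that is not part of the original post and knows nothing about the COD format itself: it looks for the ZIP local-file-header signature that a zipped bundle starts with, unpacks the members (refusing member names that would escape the output directory), and leaves a plain COD file alone. The two-member bundle used as input is constructed inside the code; the member names are made up.

```python
"""Detect whether a .cod file is really a ZIP bundle and, if so, unpack it.

Added example, not the original post's 010 template. It assumes nothing about
the COD format: a plain COD file is simply reported as "not a ZIP".
"""
import io
import os
import tempfile
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # signature of the first local file header in a ZIP archive


def is_zip_container(data: bytes) -> bool:
    """True if the blob starts with a ZIP local-file-header signature."""
    return data[:4] == ZIP_MAGIC


def unpack_cod_bundle(data: bytes, out_dir: str) -> list[str]:
    """Extract the members of a zipped bundle into out_dir and return their names.

    A plain (non-zipped) file yields an empty list, meaning the template can be
    applied to it directly.
    """
    if not is_zip_container(data):
        return []
    base = os.path.abspath(out_dir)
    names = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Resolve the member path and refuse anything that escapes out_dir
            # (e.g. "../x" or an absolute path stored in the archive).
            target = os.path.abspath(os.path.join(base, info.filename))
            if os.path.commonpath([base, target]) != base:
                raise ValueError(f"refusing suspicious member path: {info.filename!r}")
            if info.is_dir():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            names.append(info.filename)
    return sorted(names)


def make_sample_bundle() -> bytes:
    """Constructed input: two made-up sibling files zipped together."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("app-1.cod", b"placeholder contents of first sibling COD")
        zf.writestr("app-2.cod", b"placeholder contents of second sibling COD")
    return buf.getvalue()


def demo() -> list[str]:
    """Unpack the constructed bundle into a scratch directory and return member names."""
    bundle = make_sample_bundle()
    with tempfile.TemporaryDirectory() as tmp:
        return unpack_cod_bundle(bundle, tmp)


if __name__ == "__main__":
    print("constructed bundle is a ZIP:", is_zip_container(make_sample_bundle()))
    print("extracted members:", demo())
    print("plain blob is a ZIP:", is_zip_container(b"\x00\x01\x02\x03"))
```

Run it against a real file by reading the bytes and calling `unpack_cod_bundle(data, "out")`; an empty result means the file was not a bundle and can go straight to the template.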

Please note 2. I was able to identify more data structures, but particular fields inside the data structures still need to be resolved. I am going to do that soon.

Please note 3. Any help and advice are always welcome.


Future work

November 29, 2006

You must have noticed that I was absent for quite a long period of time. Well, nothing serious; I had some more important things to do, but it is over and I am here again. What are my plans? Finish the COD work, an article about funny stuff with Pointsec for Windows Mobile …


Answering the questions …

November 29, 2006

Answering the questions regarding reversing of COD files. A COD file is the result of converting a normal Java application. RIM provides a special tool to do that – rapc.exe. The first thing you notice about this tool is that it consists of two parts – rapc.exe and rapc.jar. The first part seems to be a simple wrapper around the jar file, which looks like the main code repository. But a quick look at rapc.jar brings bad news – it is obfuscated by RetroGuard. Well, nobody expected it to be easy. But an old trick with RetroGuard still works fine. The result of deobfuscation is still far from normal Java source code, but it gives us a nice starting point – unique identifiers for functions, variables and constants. The next magic word is Refactoring. It is probably the most boring and at the same time the most interesting part of the process. At this stage we look for any clue inside the code – memory references, constants, application messages, etc. Once a clue is found we slowly progress from that point, trying to trace every use of the discovered constant or function and replacing the nonsense identifiers with meaningful ones. Imagine yourself as a kind of Sherlock Holmes investigating a difficult case. Luckily for us, RIM left a lot of clues inside.

Generally that is it. If you want details about reverse-engineering Java applications you can check this link.