Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com


Nokia LogoManager 1.2.8

Type : LogoManager for Nokia Phones
Protection : Serial ... Packed file
Tech : RunTime Patching

Crack :

Looking at the sections in a PE editor shows that this file is packed, though not with ASProtect as earlier versions were. So we will unpack this baby. Make the "in1" & "in2" section flags = E0000020. Now SICE will break at the entry point. Just a few lines down, look for POPAD:

0047FC3B POPAD = 61 OFFSET = 3103B - FOUND IN PACKED EXE :) PLACE FOR OUR CODE
0047FC3C JMP 00439906 = E9 C5 9C FB FF - AFTER UNPACKING IS DONE JMP TO OEP

So we will have to dump it here .. it is "now or never"

So make ... 0047FC3C JMP EIP = EB FE .... Come out of SICE and dump the full module using PEditor.
Now use PEditor and make EP = 39906, i.e. OEP - Image Base.

Now our dumped file works fine and we can use Win32DASM to search for the nag strings. A quick look shows that this program uses one or more flags. Searching through the flag references, we find an important place where these flags are set:

0042B909 CALL [ECX+08]
0042B90C MOV ECX,[EBP-1C]
0042B90F CMP ECX,EBX ---> MAKE ECX = 01
0042B911 MOV [004601F8],ECX ... FLAG SET
0042B917 JZ 0042B936
..............................
0042B91E MOV DWORD PTR[00459284],EAX --- IT SHOULD BE = 01
0042B923 MOV DWORD PTR[00452064],EBX --- IT SHOULD BE = 00
0042B929 MOV DWORD PTR[00462000],EAX --- IT SHOULD BE = 01

Now that we have found the flags, put:

BPMB 00459284 W
BPMB 00452064 W
BPMB 00462000 W

This leads us to where the program resets our flags :). The following code can be found:

0040BCA2 CMP [EBP-04],EBX
0040BCA5 SETZ AL
0040BCA8 MOV [00452064],EAX = A3 64 20 45 00 --- BAD BOY
...................................
0040ADC2 CMP [EBP-04],EBX
0040ADC5 SETZ AL
0040ADC8 MOV [00452064],EAX = A3 64 20 45 00 --- BAD BOY

Now the program works well, but the "About" box doesn't show that it is registered. This can be easily traced:

0040BF1E CALL 409ED1
0040BF23 TEST EAX,EAX .... MAKE EAX = 01
0040BF25 JZ 40BF6F ....... BAD BOY

Run time Patch

Now our patch should look like this :

0042B909 CALL [ECX+08]
0042B90C XOR ECX,ECX = 33 C9 OFFSET = 2B90C
0042B90E INC ECX = 41
0042B90F CMP ECX,EBX = 3B CB

0040BF1E CALL 409ED1
0040BF23 INC EAX = 40 OFFSET = BF23
0040BF24 NOP = 90
0040BF25 NOP = 90
0040BF26 NOP = 90

Also disable the instructions at addresses 0040ADC8 (OFFSET = ADC8) & 0040BCA8 (OFFSET = BCA8).

This can be done easily inside our unpacked file, but to distribute the crack we will have to use runtime patching, as the real file is packed. Our attack point will be after the program unpacks itself, i.e. at 0047FC3C (OFFSET = 3103C inside the packed file). It can be seen that there is enough space to write our code.

Run Time Patch Code :

0047FC3B POPAD = 61 OFFSET = 3103B
0047FC3C MOV DWORD PTR[0042B90C],3B41C933 = C7050CB9420033C9413B
0047FC46 MOV DWORD PTR[0040BF23],90909040 = C70523BF400040909090
0047FC50 MOV DWORD PTR[0040ADC8],90909090 = C705C8AD400090909090
0047FC5A MOV BYTE PTR[0040ADCC],90 = C605CCAD400090
0047FC61 MOV DWORD PTR[0040BCA8],90909090 = C705A8BC400090909090
0047FC6B MOV BYTE PTR[0040BCAC],90 = C605ACBC400090
0047FC72 JMP 00439906 = E9 8F 9C FB FF ... PATCH OVER ..JUMP BACK TO OEP HEE ...
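As an added example (not part of the original tutorial), a small decoder for the stub bytes listed above: an analyst who finds such a tail-patched unpacker in a binary can use it to list exactly which addresses the stub overwrites, with what values, and where it finally jumps. The byte string is constructed from the listing above; the only x86 forms decoded are the ones that listing uses.

```python
# Added example: decode a tail-patched unpacker stub and report the memory
# writes and the final jump it performs. Handles only the forms used above:
# POPAD, MOV DWORD PTR [disp32],imm32, MOV BYTE PTR [disp32],imm8, JMP rel32.
import struct

# Constructed input: the patch bytes from the listing, starting at POPAD (0x0047FC3B).
STUB_VA = 0x0047FC3B
STUB = bytes.fromhex(
    "61"                      # POPAD
    "C7050CB9420033C9413B"    # MOV DWORD PTR [0042B90C], 3B41C933
    "C70523BF400040909090"    # MOV DWORD PTR [0040BF23], 90909040
    "C705C8AD400090909090"    # MOV DWORD PTR [0040ADC8], 90909090
    "C605CCAD400090"          # MOV BYTE  PTR [0040ADCC], 90
    "C705A8BC400090909090"    # MOV DWORD PTR [0040BCA8], 90909090
    "C605ACBC400090"          # MOV BYTE  PTR [0040BCAC], 90
    "E98F9CFBFF"              # JMP 00439906 (rel32 from the next instruction)
)

def decode_stub(code: bytes, base_va: int):
    """Return (writes, jump_target).

    writes is a list of (destination_va, size_in_bytes, value) in stub order;
    jump_target is the absolute VA of the trailing JMP rel32, or None.
    """
    writes, target, i = [], None, 0
    while i < len(code):
        op = code[i]
        if op == 0x61:                        # POPAD: unpacker restoring registers
            i += 1
        elif code[i:i + 2] == b"\xc7\x05":    # MOV DWORD PTR [disp32], imm32
            dst, val = struct.unpack_from("<II", code, i + 2)
            writes.append((dst, 4, val))
            i += 10
        elif code[i:i + 2] == b"\xc6\x05":    # MOV BYTE PTR [disp32], imm8
            dst, val = struct.unpack_from("<IB", code, i + 2)
            writes.append((dst, 1, val))
            i += 7
        elif op == 0xE9:                      # JMP rel32: target = next EIP + rel
            (rel,) = struct.unpack_from("<i", code, i + 1)
            target = (base_va + i + 5 + rel) & 0xFFFFFFFF
            i += 5
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {base_va + i:#010x}")
    return writes, target

if __name__ == "__main__":
    writes, target = decode_stub(STUB, STUB_VA)
    for va, size, val in writes:
        print(f"write {size} byte(s) to {va:#010x}: {val:#x}")
    print(f"final jump to {target:#010x}")   # → 0x00439906, the OEP
```

Comparing the reported write addresses against the code section of the unpacked image shows at a glance which instructions a given stub neutralises.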