You know what, I decided to to give you some of my knowledge since I was (you complete this sentence lol). I will try to keep this simple cause I do not want to complicate you. I was not a symbian cracker since there was no symbian OS back there but cracking is applicable to everything. It is only a peice of code you play with. I must warn you this is not step by step cracking tutorial. What I teach you here is how to start cracking ok???

cracking you reverse engineer the executable file (APP file in this case) and modify it to meet your evil needs. What the heck is reverse engineering you ask??? Reverse engineering is transforming the (APP or
whatever) file to assembly language in order to:

1. Understand it and transform back to HHL (high level language e.g. C++).
2. Just modify it at assembly level (if you are a devoloper, you are probably fixing some bugs but if you are cracker you would be cracking it).

Some of the crackers use a very simple way to crack (fix what ever you call it ) the file requires registration, which is nooping method.
what do you mean by NOOPing you ask??? NO OP (NO OPeration), it's an assembly instruction means do nothing. you use that to replace some instruction (in simple words to replace the instruction responsible for handing you to the block of code that tells you: YOU HAVE ENTERED A NASTY REGISTRATION NUMBER after you do lol).

for ex. (I will use a SIMPLE example not in assembly)
compare good_registration_number with input_registration_number
jump to nasty_block_of_code if they are not equal----
display you are great for buying this ugly software,,,,|
.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,|
.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,|
.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,|
exit program,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,|
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,|
------------------------------------------------------------------|
|
|--nasty_block_of_code:
display YOU HAVE ENTERED A NASTY REGISTRATION NUMBER
display you are nasty boy do not do it again

(i have used ,,,, as fill-in only so consider it spaces )

what you do is the following:

compare good_registration_number with input_registration_number
NOOP (nothing remember???)
display you are great for buying this ugly software
.
.
.
exit program

nasty_block_of_code:
display YOU HAVE ENTERED A NASTY REGISTRATION NUMBER
display you are nasty boy do not do it again

So you are great for buying this ugly software always because you will never go nasty_block_of_code.

Im sorry for making this childish lol but actually, in assembly you have to use jmp je mov etc (remember I want this to be simple).

This works for many applications. There other ways too, etc. inversing the jump instructions.

replacing:
jump to nasty_block_of_code if they are not equal
with
jump to nasty_block_of_code if they are equal

If you have done this and there is one of the least luckiest persons in the whole world got the

good_registration_number then he will be a nasty boy , you get the picture.

when I say instruction I mean a line of assembly code (in HLL we say statement). Reverse engineering is machine dependant meaning it depends on you machine (more specific, your CPU: Central Processing Unit, the processor ).

For most of machines you disassemble (transform from machine language to assembly language) to Intel set of instructions. That is not the case for symbian APP file since you disassemble to ARM set of instructions. You will find such similarity between them (Intel and ARM) cause assembly in general deal with the hardware.

In order to change the BAD line of code you do not want, you have to have a hex editor (at least in my time). You first disassemble the file and get the address (the nasty addess ) you want to fix and you then enter it in the hex editor and do the required change. When you are cracking PC files (your computer not your cell phone) you have to know about protection routines employed in the file. Protection routines are block of code that are used to protect the program from nasty people (the crackers). In cell phone cracking you have less protection routines since devolopers have to consider the memory and storage limitation.

Im going to tell you what is required for you to start cracking:
1. Learn some high level language (i suggest C++) and master the part concerning loops and jumps.
2. After you have done first requirement you need to know how the PC works (CPU and Memory).
3. If you have done two, then you know about the registers (i won't tell you about this cause I want you to know it yourself but I will give you a hint: Register=Variables in HLL).
4. You have to study assembly language (intel set of instructions I suggest).
5. If you reached here then you must know about the jumps and mov instructions and yeah base conversions (to be able to convert between binary, decimal and hexdecimal).
6. Study the ARM set of instructions (if you have done 4 theb this is a peice of cake).

Now I will tell you the programs you will use in cracking:
1. UnmakeSIS (to unpack the sis EPOC Package into files and get the APP file)
2. Makesis (to repack to sis after modifying the APP file).
3. IDA Pro disassembler (to disassembe the APP file of course).
4. Any Hex editor (to do modifications to the APP file).

I heard that the new version of IDA will allow you to change the code so probably you won't need the Hex editor.

I know that these requirements seems way too long but you will find easy if you have some free time. If you love the tech world you would learn faster, believe me. Some people will tell you to skip some of these steps
but believe me you have to go throught those steps.

I do not want this mini-tutorial to get so huge so I have to end it here.

-----------------------------------------------------------------------------------------------

I hope I gave you anything new. Good Luck on your journey .

Last I would like to say:
1. I did not teach you anything.
2. Im not a cracker.
3. I do even know what PC means, WHERE AM I??? lol

you understand

Peace.



http://iphone-forum.org/viewtopic.php?t=40342

proudly presents

-------------------------------------------------------------------------

Cracking SymbianWare Stacker v2.02

A newbie tutorial by atzplzw

Version 1.2


Tools:
------
IDA Pro v4.04 or higher, I use ver 4.30
Hex Editor, I prefer WinHex


Target:
-------
SymbianWare Stacker v2.02

"Stacker is a fully automatized and reliable compression system for your Nokia 7650.
Stacker doubles the size of your entire drives and works invisible behind the scene.
When you start an application it becomes decompressed in background automatically
and it becomes compressed again when you close it."

Copied from www.symbianware.com (slidely edited)


Recommended:
------------
A little knowledge in ARM assembler... (www.arm.com)
If not, at least you have to know how to use IDA and a Hex Editor and how to transfer
files between the PC and the Nokia 7650.


Warning:
--------
This is my first tutorial and also english is not my native language. I hope that
you will understand what is meant and shit on the grammar...

Also this is not a tutorial for beginners in computing. I'll not explain where to
get the tools nor will I answer any questions regarding this by email. Any other
questions are welcome!!
Also if you don't know what assembler is STOP now!!!!


Introduction:
-------------
I have choosen SymbianWare Stacker because it's really easy to understand and to
crack. In my opinion all SymbianWare progs are easy to crack. You may find it
difficult in the beginning, but it isn't.

Also (till now, all) SymbianWare progs are compiled with full ARM instructions set
and not in ARM Thumb mode.



Here we go:
-----------
First, of course, run the app. Look at the nag screen. Test all things.
After that...

Open stacker.app in the Hex Editor and look through the wired numbers and ascii
letters. In the first line at offset 0x10 you will find "EPOC" which means that
this is an EPOC file for use with the Symbian OS.

Scroll down and you will find some Unicode strings between offset 0x76C0 and
0x7FA0.

What do we read here?? Isn't it the text from the About Box and other Messages?
Yes, it is.

Now we take a closer look at offset 0x7F18:

00007F18 U.n.r.e.g.i.s.t.e.r.e.d.!. .T.r.i.a.l. .i.s. .o.v.e.r....... ....... .d.
00007F60 a.y.s. .l.e.f.t. .t.o. .e.x.p.i.r.e.....U.n.r.e.g.i.s.t.e.r.e.d.


Woohh! We found the text of the nag box when the app is started. Write this offset
down and go fast to IDA...


Open stacker.app. It suggests that it is a EPOC file as we already found out.
Mark Load resources. And press OK! Now you will be informed that the ARM processor
has two instruction sets but this is irrelevant for now.

Now IDA presents you the disassembled ARM instruction code. You may also turn on
Options/General/Auto Comments for better understanding of the code...
For those of you who are not familiar with IDA it is important to know that in the
status line at the bottom the offset is displayed. (tooltip: Current position in
the input file, means offset)

Now scroll all the way down until you will find the offset we wrote down. IDA
displays this mess:

.text:10007E9C dword_0_10007E9C DCD 0x6E0055, 0x650072, 0x690067, 0x740073,
.text:10007E9C 0x720065, 0x640065 ; DATA XREF: .text:10005830
.text:10007E9C DCD 0x200021, 0x720054, 0x610069, 0x20006C, 0x730069,
.text:10007E9C DCD 0x6F0020, 0x650076, 0x2E0072, 0
.text:10007ED8 dword_0_10007ED8 DCD 0xA0020, 0 ; DATA XREF: .text:100058A4


Now just right click on a number, choose Undefine and your mind will be cleared up:


.text:10007E9C unk_0_10007E9C DCB 0x55 ; U ; DATA XREF: .text:10005830o
.text:10007E9D DCB 0 ;
.text:10007E9E DCB 0x6E ; n
.text:10007E9F DCB 0 ;
.text:10007EA0 DCB 0x72 ; r
.text:10007EA1 DCB 0 ;
.text:10007EA2 DCB 0x65 ; e
.text:10007EA3 DCB 0 ;
.text:10007EA4 DCB 0x67 ; g
.text:10007EA5 DCB 0 ;
.text:10007EA6 DCB 0x69 ; i
.text:10007EA7 DCB 0 ;
.text:10007EA8 DCB 0x73 ; s
.text:10007EA9 DCB 0 ;
.text:10007EAA DCB 0x74 ; t
.text:10007EAB DCB 0 ;
.text:10007EAC DCB 0x65 ; e
.text:10007EAD DCB 0 ;
.text:10007EAE DCB 0x72 ; r
.text:10007EAF DCB 0 ;
.text:10007EB0 DCB 0x65 ; e
.text:10007EB1 DCB 0 ;
.text:10007EB2 DCB 0x64 ; d
.text:10007EB3 DCB 0 ;
.text:10007EB4 DCB 0x21 ; !
.text:10007EB5 DCB 0 ;
...............................................(shortend)



The Unicode string we saw in the Hex Editor, right? Now we want to know when the
string is used in the code. So right click on "DATA XREF: .text:10005830o",
choose Jump to cross reference and click OK. You will land here:

.text:10005830 off_0_10005830 DCD loc_0_10007E9C ; DATA XREF: .text:1000580Cr


Do it again, right click on "DATA XREF: .text:1000580Cr", choose Jump to cross
reference and click OK. Finally you arrive in the code:

.text:1000580C LDR R1, =dword_0_10007E9C ; Load from Memory


LDR is the instruction to load the string from memory. This string is displayed
afterwards. But we don't want to see it because it's so annoying.
So we scroll a little bit up and look at the code. What did it before?


.text:100057BC BL sub_0_1000538C ; Branch with Link
.text:100057C0 CMP R0, #0 ; Set cond. codes on Op1 - Op2
.text:100057C4 BNE loc_0_100058B0 ; Branch <<<<<<<
.text:100057C8 MOV R0, R4 ; Rd = Op2
.text:100057CC BL loc_0_100054C4 ; Branch with Link
.text:100057D0 SUBS R7, R0, #0 ; Rd = Op1 - Op2
.text:100057D4 BEQ loc_0_10005834 ; Branch <<<<<<<
.text:100057D8 BL loc_0_10006168 ; Branch with Link
.text:100057DC LDR R1, =0x5BED5021 ; Load from Memory
.text:100057E0 LDR R2, =0x5BED5020 ; Load from Memory
.text:100057E4 BL loc_0_100064A8 ; Branch with Link
.text:100057E8 MOV R0, R4 ; Rd = Op2
.text:100057EC BL loc_0_10005230 ; Branch with Link
.text:100057F0 MOV R0, R4 ; Rd = Op2
.text:100057F4 BL sub_0_1000538C ; Branch with Link
.text:100057F8 CMP R0, #0 ; Set cond. codes on Op1 - Op2
.text:100057FC BNE loc_0_100058B4 ; Branch <<<<<<<
.text:10005800 BL loc_0_10006168 ; Branch with Link
.text:10005804 MOV R4, R0 ; Rd = Op2
.text:10005808 ADD R0, SP, #0x20 ; Rd = Op1 + Op2
.text:1000580C LDR R1, =dword_0_10007E9C ; Load from Memory <--- Stupid String
.text:10005810 BL loc_0_10005B48 ; Branch with Link


As you see from the code snip there are three conditional branches to avoid that
the string is loaded. I marked them with <<<<<<<. For me it seems that the prog is
testing if we registered it and if not it loads the string "unregistered".

Now we are on the move: It is clear that we have to examine the BL's before the
branches. Why? I'll explain the code:


.text:100057BC BL sub_0_1000538C ; Branch with Link

A branch (call) to another function. (BL's always return back to the next instruction)
Also they may give results in one or more of the registers back.

.text:100057C0 CMP R0, #0 ; Set cond. codes on Op1 - Op2

The register R0 is compared with 0 (null).

.text:100057C4 BNE loc_0_100058B0 ; Branch if not equal

If R0 is not 0 the branch is taken, if R0 is 0 nothing happens.



So we have to ensure that the result from the functions call (BL) is not 0. Then the
branch is taken and we have a registered prog.

If you are with me you will now have a good question! Which of the three branches with
the BL's before the string we will exam?
In reality you will have to exam all three and look at the code. But I will just
explain the first, because that's the right one...

OK. Let's start with the one at .text:100057C4! Right click on BL sub_0_1000538C,
choose jump immediate and you will see that:



.text:1000538C ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:1000538C
.text:1000538C sub_0_1000538C ; CODE XREF: sub_0_100003F8+480p
.text:1000538C ; sub_0_100050CC+188p ...
.text:1000538C STMFD SP!, {R4,LR} ; Store Block to Memory
.text:10005390 SUB SP, SP, #8 ; Rd = Op1 - Op2
.text:10005394 MOV R4, R0 ; Rd = Op2
.text:10005398 LDR R3, [R4,#0xF8] ; Load from Memory
.text:1000539C CMP R3, #0 ; Set cond. codes on Op1 - Op2
.text:100053A0 BEQ loc_0_100053C4 ; Branch
.text:100053A4 MOV R0, SP ; Rd = Op2
.text:100053A8 LDR R1, =dword_0_10007D64 ; Load from Memory
.text:100053AC BL loc_0_10005B48 ; Branch with Link
.text:100053B0 MOV R0, R4 ; Rd = Op2
.text:100053B4 MOV R1, SP ; Rd = Op2
.text:100053B8 BL loc_0_10005C48 ; Branch with Link
.text:100053BC CMP R0, #0 ; Set cond. codes on Op1 - Op2
.text:100053C0 BNE loc_0_100053D0 ; Branch
.text:100053C4
.text:100053C4 loc_0_100053C4 ; CODE XREF: sub_0_1000538C+14j
.text:100053C4 MOV R0, #0 ; Rd = Op2
.text:100053C8 B loc_0_100053EC ; Branch
.text:100053C8 ; ---------------------------------------------------------------------------
.text:100053CC off_0_100053CC DCD dword_0_10007D64 ; DATA XREF: sub_0_1000538C+1Cr
.text:100053D0 ; ---------------------------------------------------------------------------
.text:100053D0
.text:100053D0 loc_0_100053D0 ; CODE XREF: sub_0_1000538C+34j
.text:100053D0 MOV R0, R4 ; Rd = Op2
.text:100053D4 MOV R1, R4 ; Rd = Op2
.text:100053D8 BL sub_0_100050CC ; Branch with Link
.text:100053DC LDR R3, [R4,#0xF8] ; Load from Memory
.text:100053E0 CMP R0, R3 ; Set cond. codes on Op1 - Op2
.text:100053E4 MOVNE R0, #0 ; Rd = Op2
.text:100053E8 MOVEQ R0, #1 ; Rd = Op2
.text:100053EC
.text:100053EC loc_0_100053EC ; CODE XREF: sub_0_1000538C+3Cj
.text:100053EC ADD SP, SP, #8 ; Rd = Op1 + Op2
.text:100053F0 LDMFD SP!, {R4,LR} ; Load Block from Memory
.text:100053F4 BX LR ; Branch to/from Thumb mode


This is our function. Here it is decided if the prog is registered or not. Also there
are several Code XREFs in the first line which means that this function can be or is
called more than once.

Now remember: 0 is not registered, not equal 0 is registered. So lets see when another
number then 0 is put in register R0. Found it?

.text:100053E8 MOVEQ R0, #1 ; move if equal

If the cmp instruction before this move is equal a 1 is put in R0.


But we have also two instructions where 0 is put in R0.

.text:100053C4 MOV R0, #0 ; move
.text:100053E4 MOVNE R0, #0 ; move if not equal


What should we do? When you look at the code flow you'll also notice that there are two
way's to get to the end. One is over this location

.text:100053C4 loc_0_100053C4 ; CODE XREF: sub_0_1000538C+14j


the other over this

.text:100053D0 loc_0_100053D0 ; CODE XREF: sub_0_1000538C+34j


It is decided on runtime which way to get. One is always taken!! The other not!! And we
can't decide what the prog does here. So let's make up our mind and think, think, think!

We need a strait way to the end and also there has to be a 1 in register R0. Let's do it
this way:

Change

.text:100053A0 BEQ loc_0_100053C4 ; Branch if equal

to

.text:100053A0 B loc_0_100053C4 ; Branch always

so that this branch is always taken. And change

.text:100053C4 MOV R0, #0 ; R0 = 0

to

.text:100053C4 MOV R0, #1 ; R0 = 1

so that 1 is moved into register R0!


The flow of our code would now be

.text:1000538C ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:1000538C
.text:1000538C
.text:1000538C sub_0_1000538C ; CODE XREF: sub_0_100003F8+480p
.text:1000538C ; sub_0_100050C8+18Cp ...
.text:1000538C STMFD SP!, {R4,LR} ;
.text:10005390 SUB SP, SP, #8 ;
.text:10005394 MOV R4, R0 ;
.text:10005398 LDR R3, [R4,#0xF8] ;
.text:1000539C CMP R3, #0 ;
.text:100053A0 B loc_0_100053C4 ; Branch always <<<<<<< Changed
.text:100053A4 ; ---------------------------------------------------------------------------
.text:100053A4 MOV R0, SP ; .............All
.text:100053A8 LDR R1, =dword_0_10007D64 ; .......these
.text:100053AC BL loc_0_10005B48 ; .............instructions
.text:100053B0 MOV R0, R4 ; .............are
.text:100053B4 MOV R1, SP ; .............never
.text:100053B8 BL loc_0_10005C48 ; .............executed!!!
.text:100053BC CMP R0, #0 ; .............
.text:100053C0 BNE loc_0_100053D0 ; .............
.text:100053C4
.text:100053C4 loc_0_100053C4 ; CODE XREF: sub_0_1000538C+14j
.text:100053C4 MOV R0, #1 ; move R0 = 1 <<<<<<<< Changed
.text:100053C8 B loc_0_100053EC ;
.text:100053C8 ; ---------------------------------------------------------------------------
.text:100053CC off_0_100053CC DCD dword_0_10007D64 ; DATA XREF: sub_0_1000538C+1Cr
.text:100053D0 ; ---------------------------------------------------------------------------
.text:100053D0
.text:100053D0 loc_0_100053D0 ; CODE XREF: sub_0_1000538C+34j
.text:100053D0 MOV R0, R4 ; .............
.text:100053D4 MOV R1, R4 ; .............
.text:100053D8 BL loc_0_100050CC ; .............These
.text:100053DC LDR R3, [R4,#0xF8] ; .............also!
.text:100053E0 CMP R0, R3 ; .............
.text:100053E4 MOVNE R0, #0 ; .............
.text:100053E8 MOVEQ R0, #1 ; .............
.text:100053EC
.text:100053EC loc_0_100053EC ; CODE XREF: sub_0_1000538C+3Cj
.text:100053EC ADD SP, SP, #8 ;
.text:100053F0 LDMFD SP!, {R4,LR} ;
.text:100053F4 BX LR ; back



We are nearly finished to crack this one! We have decided what to change. Now write the
offsets from the two instructions down.
The first one (branch) is at 0x541C, the second (move) is at 0x5440.

Go to the Hex Editor and look at the first offset:

0000541C 07 00 00 0A ã.... <<< this is the branch if equal instruction

change 0A to EA

0000541C 07 00 00 EA ã...ê <<< this means branch always


The second instruction we have to change is at

00005440 00 00 A0 E3 ..*ã <<< move R0, 0

change first 00 to 01

00005440 01 00 A0 E3 ..*ã <<< move R0, 1


YeaaHH! We got it!!!!!
Send the file to your phone and you have a registered Stacker!!!


Conclusion:
-----------
Not as easy as you and I thought?? I'm really surprised how long this tut has become.
And I feel a little bit uncertain. Did you understand all things? All clear?

Hope so! Please msg me if not!

Believe me, this was one of the easiest targets you'll find in your career..

Enjoy your work and search for the next target!!!


regards
[email protected]

Cracking www.Cellsoft.com - Cellpoker v1.02

Written by +Phantasm


Firstly, id like to say a big thankyou to atzplzw, for his Stacker v2.02 tutorial!
Without it, I would still be waiting for somebody else to crack this app.
Alot of this tutorial was taken directly from his original document to save time.


Tools:
------
IDA Pro v4.04 or higher, I use the Advanced Ver but the normal would do also
Hex Editor, I prefer WinHex


Target:
-------
Cellpoker

"CellPoker is a networked multi-player poker game for the Nokia 7650. The game can be played as multiplayer over Bluetooth or single player mode..."

Copied from www.cellsoft.com


Recommended:
------------
A little knowledge on Reversing PC/Windows applications........
If not, at least you have to know how to use a Hex Editor and how to transfer
files between the PC and the Nokia 7650.
Reading atzplzw tutorial before this one......


Warning:
--------
This is not a tutorial for beginners in computing. I'll not explain where to
get the tools. I will try answer any questions on the Nokiafree.org forum.
Also if you don't know what assembler is STOP now!!!!


Introduction:
-------------
I choose Cellpoker because it's actually a good Nokia 7650 game.
It's not the easiest program to crack, but a good target following on from
atzplzw original tutorial.


Here we go:
-----------
First, of course, run the app. Look at the nag screen. Test all things.
After that...

Open poker.app in the Hex Editor and look through the wierd numbers and ascii
letters. In the first line at offset 0x10 you will find "EPOC" which means that
this is an EPOC file for use with the Symbian OS.

Scroll down and you will find some semi readble strings between offset 0x1B0C0
and 0x1CA70.

What do we read here?? Isn't it the text from the game?
Yes, it is.

Now we take a closer look at offset 0x1C934:

01C920 ····w·i·n···w·i·n···C·e·l·l·P·o·k·e·r· ·d·e·m·o·:···D·a·y·s· ·l·
01C960 e·f·t· ·····N·o· ·s·a·v·e·d· ·g·a·m·e···C·e·l·l·P·o·k·e·r· ·d·e·
01C9A0 m·o·············7·······mr··············.·······C·:·\·s·y·s·t·e·


Woohh! We found the text of the nag box when the app is started.
Write this offset down and startup IDA...


Open poker.app. It suggests that it is a EPOC file as we already found out.
Mark Load resources. And press OK! Now you will be informed that the ARM processor
has two instruction sets but this is irrelevant for now.

Now IDA presents you the disassembled ARM instruction code. You may also turn on
Options/General/Auto Comments for better understanding of the code...
For those of you who are not familiar with IDA it is important to know that in the
status line at the bottom the offset is displayed. (tooltip: Current position in
the input file, means offset)

Now scroll all the way down until you will find the offset we wrote down. IDA
displays this mess:

.text:1001C8B8 dword_0_1001C8B8 DCD 0x650043, 0x6C006C, 0x6F0050, 0x65006B, 0x200072, 0x650064
.text:1001C8B8 ; DATA XREF: sub_0_1000EC6C+148o
.text:1001C8B8 DCD 0x6F006D, 0x3A


Now just right click on a number, choose Undefine and your mind will be cleared up:


.text:1001C8B8 unk_0_1001C8B8 DCB 0x43 ; C ; DATA XREF: sub_0_1000EC6C+148o
.text:1001C8B9 DCB 0 ;
.text:1001C8BA DCB 0x65 ; e
.text:1001C8BB DCB 0 ;
.text:1001C8BC DCB 0x6C ; l
.text:1001C8BD DCB 0 ;
.text:1001C8BE DCB 0x6C ; l
.text:1001C8BF DCB 0 ;
.text:1001C8C0 DCB 0x50 ; P
.text:1001C8C1 DCB 0 ;
.text:1001C8C2 DCB 0x6F ; o
.text:1001C8C3 DCB 0 ;
.text:1001C8C4 DCB 0x6B ; k
.text:1001C8C5 DCB 0 ;
.text:1001C8C6 DCB 0x65 ; e
.text:1001C8C7 DCB 0 ;
.text:1001C8C8 DCB 0x72 ; r
.text:1001C8C9 DCB 0 ;
.text:1001C8CA DCB 0x20 ;
.text:1001C8CB DCB 0 ;
.text:1001C8CC DCB 0x64 ; d
.text:1001C8CD DCB 0 ;
.text:1001C8CE DCB 0x65 ; e
.text:1001C8CF DCB 0 ;
.text:1001C8D0 DCB 0x6D ; m
.text:1001C8D1 DCB 0 ;
.text:1001C8D2 DCB 0x6F ; o
.text:1001C8D3 DCB 0 ;
.text:1001C8D4 DCB 0x3A ; :
.text:1001C8D5 DCB 0 ;
.text:1001C8D6 DCB 0 ;
.text:1001C8D7 DCB 0 ;
...............................................(shortend)



The string we saw in the Hex Editor, right? Now we want to know when the
string is used in the code. So right click on "DATA XREF: sub_0_1000EC6C+148o",
choose Jump to cross reference and click OK. You will land here:

text:1000EDB4 off_0_1000EDB4 DCD loc_0_1001C8B8 ; DATA XREF: sub_0_1000EC6C+BCr


Do it again, right click on "DATA XREF: sub_0_1000EC6C+BCr", choose Jump to cross
reference and click OK. Finally you arrive in the code:

.text:1000ED28 LDR R1, =loc_0_1001C8B8 ; Load from Memory


LDR is the instruction to load the string from memory. This string is displayed
afterwards. But we don't want to see it because it's so annoying.
So we scroll a little bit up and look at the code.


.text:1000EC6C sub_0_1000EC6C ; CODE XREF: sub_0_1000EBF8+64p
.text:1000EC6C STMFD SP!, {R4-R7,LR} ; Store Block to Memory
.text:1000EC70 SUB SP, SP, #0xC0 ; Rd = Op1 - Op2
.text:1000EC74 MOV R6, R0 ; Rd = Op2
.text:1000EC78 LDR R0, [R6,#0x17C] ; Load from Memory
.text:1000EC7C CMP R0, #0 ; Set cond. codes on Op1 - Op2 <<<<<<<<<<
.text:1000EC80 LDRNE R3, [R0] ; Load from Memory
.text:1000EC84 MOVNE R1, #3 ; Rd = Op2
.text:1000EC88 LDRNE R12, [R3,#8] ; Load from Memory
.text:1000EC8C MOVNE LR, PC ; Rd = Op2
.text:1000EC90 TEQNEP PC, R12,LSL PC ; Set cond. codes on Op1 ^ Op2
.text:1000EC94 MOV R5, #0 ; Rd = Op2
.text:1000EC98 STR R5, [R6,#0x17C] ; Store to Memory
.text:1000EC9C ADD R7, R6, #0x180 ; Rd = Op1 + Op2
.text:1000ECA0 MOV R0, #0x88 ; Rd = Op2
.text:1000ECA4 BL loc_0_100164D8 ; Branch with Link
.text:1000ECA8 SUBS R4, R0, #0 ; Rd = Op1 - Op2
.text:1000ECAC BEQ loc_0_1000ECFC ; Branch <<<<<<<<<<



What we are looking for is "CMP" compares i.e. Compare Todays Date with Expiry Date etc..
And BEQ/BNE... conditional branches.
(BEQ/BNE/BHI/B... are like PC JMP's (JZ,JNZ,JBE...) opcodes...)

I marked them with <<<<<<<. Is the program testing it's expiry and if not it loads the string "Cell Poker: Days Left XX" message.


Now we are on the move: What we have to try, is altering the branches to see if we can get the program to run longer than the expiry....

If you are still with me you will now have a good question!
- Which of the branches before the string we will exam?
In reality you will have to exam all of them!


For the purposes of this tutorial I will show you how to change one and test it...

OK. Let's start with the one at .text:1000ECAC!
Now write the offsets of the BEQ instructions down. Note: 0xED28.

Shutdown IDA (don't save), then goto the Hex Editor and look at the first offset:

0000ED28 12 00 00 0A ?.... <<< this is the branch if equal instruction

change 0A to EA

0000ED28 12 00 00 EA ?...ê <<< this means branch always

Save it, relauch IDA and check your BEQ has changed to a B. Yes, then upload the POKER.APP
to your phone and test it. Did it work No, Crash!!!! Ok, it's the wrong jump.
- Restore the original working copy of the poker.app

After testing a couple of branches, It still doesn't work.....we think all is lost...


No, lets follow the code back....
At the top of the piece of code that load's the "CellPoker Demo:" text, there is a "XREF"

.text:1000ECFC loc_0_1000ECFC ; CODE XREF: sub_0_1000EC6C+40j <<<<<<
.
.
.
.
.
.text:1000ED28 LDR R1, =dword_0_1001C8B8 ; Load from Memory

Right click on "CODE XREF: sub_0_1000EC6C+40j",
choose Jump to cross reference and click OK. You will land here:

.text:1000ECAC BEQ loc_0_1000ECFC ; Branch

Now this is the one we have already modified.....so let's find another

So goto the top of that text block until you find the XREF again:

text:1000EC6C sub_0_1000EC6C ; CODE XREF: sub_0_1000EBF8+64p


Right click on "CODE XREF: ......", choose Jump to cross reference and click OK.
You will land here:

.text:1000EC5C BL sub_0_1000EC6C ; Branch with Link

Now what you will need to do, is keep testing (Change "BL" to: "B" or "NOP"), util somthing happens.

Finally after 5 Xref jumps, and changing code, your notice the nag goes away!!!!!

.text:1000EAE8 BL sub_0_1000EBF8 ; Branch with Link


Good? - No, even though the nag has gone away, after some testing the program still expires
after ten days has past. Time to re-look at the code. Remeber after NOP'ing the fith XREF
the NAG went away... have a look at the code a couple of lines above:

.text:1000EADC CMP R0, #9 ; Set cond. codes on Op1 - Op2 <<<<<<
.text:1000EAE0 BHI loc_0_1000EB44 ; Branch <<<<<
.text:1000EAE4 MOV R0, R6 ; Rd = Op2
.text:1000EAE8 BL sub_0_1000EBF8 ; Branch with Link

Why would the program check to see if R0 = 9? Thats right, after ten days (0=Day1, 9=Day10)
Branch if higher than 9 (days) would be true!



Ok, so lets NOP this out as well. Note the offset: EB5c

Shutdown IDA (don't save), then goto the Hex Editor and look at the first offset:

0000EB5C 17 00 00 8A ?.... <<< this is the branch if higher instruction

change to:

0000EB5c 12 00 00 EA ...áß <<< this means mov r0,r0 or NOP


Send the poker.app to your phone and you have a No Nag, No Expiry!!!


Conclusion:
-----------
Not as easy as you and I thought?? I'm really surprised on the lenght of this tut .

Believe me, this isn't one of the easiest targets you'll find, but worth studying..

Enjoy!

+Phantasm