Cracking Unlocker for newbyes
("Defeating Lame Commercial Protection Schemes")
(2 November 1997)
Courtesy of Fravia's page
of reverse engineering
Well, inside Softice, type "stack" and then hit enter to
see a reference to unlocker... well deserved 'most stupid protection'
award for an
unlocker! This kind of protections should 'defend' the poor (mostly russian)
shareware authors that have fallen in the hands of the "unbox.com" crooks!
A stupid unlocker! I can't believe it: remember the old (yet really difficult)
Instant access unlocking scheme? Look at this crap! An evident case of decadence
of many 'Unlock' protection schemes...
+DataPimp style and approach are
so basic that this
essay could also be very useful for all NEWBYES in SOFTICE reversing.
Pasted below is a Essay on Unlocker, the protection found on all the
software at www.unboxed.com, This explains how to crack it.
This is probably a good example of ready made (stupid) protection
-= +DataPimp =-
(c) +DataPimp 1997. All rights reversed
(Defeating Lame Commercial Protection Schemes)
by -= +DataPimp =-
Unlocker is probably a well known security program, it allows
a user to download the full version of software and then install it.
All they have to do is call with the "Challenge Code" and "Wallet"
and boom enter the unlock code and you have the full version of software
unlocked on your hard drive..
Ok, now first things first, go to www.unboxed.com and download
any software you choose. Then after you do that you can run the program
and choose "Unlock Now". Once you do that you will see an edit field for
enter an "Unlock Password" and "Challenge Code". Now our "tactic" for
case is that we are going to "see" the push to the stack, "track" it and
"crack" the jump. This I beleive should be a prospect for the most
stupid protection scheme. Due that the "validation" of the entered code is
a simple easily crack conditional jump.
Ok now run the program you downloaded, and choose "Unlock Now".
Once you have done that hit (Control-D) and in the command window
for Soft-Ice we are going to prepare to "intercept" a windows
message, "Gaudiest" to be exact.
I tried "GetWindowText" and "GetWindowTextA" but these API were not
the culprits in this case. Ok now to properly trap the "Gaudiest"
function for the edit box we do the following, we need to get the
hWnd ID for the correct edit box. To do that we type "Hwnd unlocker"
you will see all the id's for the program.
Now once you have done that the first edit box that you see in the
list is the culprit. We are now going to set a breakpoint on that
"Gaudiest" function. Ok, type "bmsg hwndID wm_GetText"
The wm obviously meaning "WindowsMessage".
Ok now that you have done that, we are now going to get out of
winice by hitting (Control-D) and we are now going to click the
"unlock" command button. Ok now the program should break
when you click the button. OK now in the command window of winice type
"stack" and then hit enter to you see a reference to unlocker,
there should only be one reference. Once you have found that reference
write it down.
Ok, now that you have down that clear your original breakpoint by
typing "bc 0".
Now set a new breakpoint on the address that you got from looking what
was recently pushed on the stack.
Ok now you "bpx address" for me it would be "bpx 2247:14B3".
Ok, Now get out of Soft-Ice again via (Control-D) and
then click the "Unlock" button again, it will break, ok now you will hit
"F-10" to step through the program code line by line you will
eventually see a "jnz 151F" about two lines down from a call to a
function, could this be any more obvious?
Why -as +ORC wrote- don't they just put a big neon green sign that
says "HEY THE PROTECTION IS RIGHT HERE PATCH ME!!!" with blinking
lights and all the effects that would point to it?
Ok, hit "F10" down so the "jnz 151F" is highlighted.
Now once you have down that, in the winice command window
type "a address", the address is where the jnz command is, it's off
to the left.
Now type "jmp 151F" for the new command there and hit "enter" and then
"enter" again. Then all you have to do is hit "F5" and you should see a
screen that tells you that it was unlocked properly. Some people have
been kind enough to point out to me the fact that this does not work on
the older unboxed software, the program that I used for this example is
called ConfigSafe, So I would say that this will only work on the newer
stuff. I would also like to point out the fact that it could work on
future or other versions in the past, the thing is that you will just
have to look for the jump a little farther down, this is just an
example, you may have to look at it yourself.
I hope this helped some people,
Greetz to everyone in: #cracking4newbies,#fleet and #natosites
Until Next Time,
-= +DataPimp =-
You are deep inside Fravia's page of reverse engineering,
choose your way out:
Back to Project 7 ("Most stupid protection")
Is reverse engineering legal?