Cracking Unlocker for newbyes
("Defeating Lame Commercial Protection Schemes")
STUPID

by +DataPimp

(2 November 1997)


Courtesy of fravia's page of reverse engineering

Well, inside Softice, type "stack" and then hit enter to see a reference to unlocker... a well deserved 'most stupid protection' award for an unlocker! This kind of protection should 'defend' the poor (mostly Russian) shareware authors that have fallen into the hands of the "unbox.com" crooks! A stupid unlocker! I can't believe it: remember the old (yet really difficult) Instant Access unlocking scheme? Look at this crap! An evident case of decadence of many 'Unlock' protection schemes...
+DataPimp's style and approach are so basic that this essay could also be very useful for all NEWBYES in SOFTICE reversing.

Pasted below is an essay on Unlocker, the protection found on all the software at www.unboxed.com. It explains how to crack it. This is probably a good example of a ready made (stupid) protection scheme.

-= +DataPimp =-


Cracking Unlocker (Defeating Lame Commercial Protection Schemes)
by -= +DataPimp =-

Unlocker is probably a well known security program. It allows a user to download the full version of a piece of software and then install it: all they have to do is call with the "Challenge Code" and "Wallet", enter the unlock code they are given, and boom, the full version is unlocked on their hard drive.

Ok, first things first: go to www.unboxed.com and download any software you choose. Run the program and choose "Unlock Now". You will see an edit field for entering an "Unlock Password" and a "Challenge Code". Our "tactic" for this case is to "see" the push to the stack, "track" it and "crack" the jump. I believe this should be a prospect for the most stupid protection scheme, because the "validation" of the entered code is a single, easily cracked conditional jump.

Now run the program you downloaded and choose "Unlock Now". Once you have done that, hit Control-D and, in the Soft-Ice command window, prepare to "intercept" a Windows message, WM_GETTEXT to be exact. I tried "GetWindowText" and "GetWindowTextA", but those APIs were not the culprits in this case. To properly trap the GetText message for the edit box we need the hWnd ID of the correct edit box: type "Hwnd unlocker" and you will see all the handles for the program. The first edit box in the list is the culprit. Set a breakpoint on the GetText message for it by typing "bmsg hwndID wm_GetText" (the "wm" obviously meaning "Windows Message"). Now get out of winice with Control-D and click the "Unlock" command button; the program should break when you click it.

In the winice command window type "stack" and hit enter to see a reference to unlocker; there should only be one. Write that address down. Clear your original breakpoint by typing "bc 0" and set a new one on the address you just got from what was pushed on the stack: "bpx address", which for me was "bpx 2247:14B3". Get out of Soft-Ice again via Control-D and click the "Unlock" button again; it will break. Now hit F10 to step through the program code line by line, and you will eventually see a "jnz 151F" about two lines down from a call to a function. Could this be any more obvious? Why -as +ORC wrote- don't they just put up a big neon green sign that says "HEY THE PROTECTION IS RIGHT HERE PATCH ME!!!", with blinking lights and all the effects that would point to it?

Hit F10 until the "jnz 151F" is highlighted. In the winice command window type "a address", where the address is the one shown off to the left of the jnz. Type "jmp 151F" as the new command there, hit enter and then enter again. Then all you have to do is hit F5 and you should see a screen telling you that it was unlocked properly.

Some people have been kind enough to point out to me that this does not work on the older unboxed software. The program I used for this example is called ConfigSafe, so I would say this will only work on the newer stuff. I would also point out that it could work on future versions, or other past ones; you will just have to look for the jump a little farther down. This is just an example; you may have to look at it yourself.

I hope this helped some people.

P.S. Greetz to everyone in #cracking4newbies, #fleet and #natosites.

Until Next Time,
-= +DataPimp =-
DataPimp@hotmail.com
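The essay's point, from the other side of the table, is that the whole unlock decision in this scheme collapses into one boolean that the compiler emits as a "cmp + jnz", so a single patched instruction defeats it. The following is an added example, not DataPimp's code and not Unlocker's: a constructed C program that puts that "lame" pattern next to a design in which the typed code is an input to a key derivation rather than to a comparison, so there is no branch whose outcome means "valid". The function names (lame_check, vendor_package, derived_unlock), the code "SECRET-1997" and the payload string are all hypothetical; FNV-1a and a repeating XOR keystream stand in for the proper KDF and cipher a real product would use, since the structure, not the primitive, is what the example shows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN 16

/* Pattern 1, the one the essay finds: validation reduces to one boolean.
   The compiler turns "== 0" into a compare followed by a conditional jump,
   which is exactly the single instruction a reverser looks for. */
int lame_check(const char *unlock_code) {
    return strcmp(unlock_code, "SECRET-1997") == 0;  /* hypothetical code */
}

/* Hypothetical key derivation: FNV-1a 32-bit, chosen only because it is
   short enough to read. A real product would use a proper KDF. */
static uint32_t derive_key(const char *unlock_code) {
    uint32_t h = 2166136261u;
    for (; *unlock_code; unlock_code++) {
        h ^= (unsigned char)*unlock_code;
        h *= 16777619u;
    }
    return h;
}

/* Toy keystream: repeat the 4 key bytes across the payload. Illustrative
   only; the property we care about is that every output byte depends on
   the key, not that this XOR is strong. */
static void xor_with_key(const uint8_t *in, uint8_t *out, uint32_t key) {
    for (int i = 0; i < PAYLOAD_LEN; i++)
        out[i] = in[i] ^ (uint8_t)(key >> (8 * (i % 4)));
}

/* Vendor side, run at packaging time and never shipped: encrypt the
   feature payload under the key derived from the genuine unlock code.
   The shipped program contains only the blob, never the code itself. */
void vendor_package(const char *genuine_code, const char *payload,
                    uint8_t blob[PAYLOAD_LEN]) {
    xor_with_key((const uint8_t *)payload, blob, derive_key(genuine_code));
}

/* Client side, pattern 2: whatever the user typed becomes the key. No
   instruction decides "valid"; a wrong code just yields unusable bytes,
   so there is no jnz to flip and nothing a "jmp" patch can short-circuit. */
void derived_unlock(const uint8_t blob[PAYLOAD_LEN], const char *typed_code,
                    char out[PAYLOAD_LEN + 1]) {
    xor_with_key(blob, (uint8_t *)out, derive_key(typed_code));
    out[PAYLOAD_LEN] = '\0';
}

int main(void) {
    /* Constructed payload: stands in for the "full version" feature data. */
    const char payload[PAYLOAD_LEN + 1] = "FULL FEATURES ON";
    uint8_t blob[PAYLOAD_LEN];
    char out[PAYLOAD_LEN + 1];

    vendor_package("SECRET-1997", payload, blob);

    derived_unlock(blob, "SECRET-1997", out);
    printf("correct code : %s\n", out);

    derived_unlock(blob, "WRONG-CODE", out);
    printf("wrong code   : (garbage, first byte 0x%02x)\n", (unsigned char)out[0]);

    printf("lame_check   : %d / %d\n", lame_check("SECRET-1997"), lame_check("WRONG-CODE"));
    return 0;
}
```

The second pattern is not unbreakable (the genuine code can still be leaked or brute-forced, and the toy XOR here would not survive a known-plaintext attack), but it removes the property the essay exploits: the decision is no longer a single branch sitting two lines below a call. When reviewing a licensing routine, the check to make is whether the secret is only ever compared, or whether it is actually consumed by the code that does the protected work.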
(c) +DataPimp 1997. All rights reversed