Cracking Unlocker for newbyes
("Defeating Lame Commercial Protection Schemes")
 
by +DataPimp
(2 November 1997)
Courtesy of fravia's page 
of reverse engineering
Well, inside Softice, type "stack" and then hit enter to see a reference 
to unlocker... a well-deserved 'most stupid protection' award for an 
unlocker! This kind of protection should 'defend' the poor (mostly Russian) 
shareware authors that have fallen into the hands of the "unbox.com" crooks! 
A stupid unlocker! I can't believe it: remember the old (yet really difficult) 
Instant Access unlocking scheme? Look at this crap! An evident case of decadence 
of many 'Unlock' protection schemes...
+DataPimp's style and approach are so basic that this 
essay could also be very useful for all NEWBIES in SOFTICE reversing.
 
Pasted below is an essay on Unlocker, the protection found on all the 
software at www.unboxed.com. This explains how to crack it.
This is probably a good example of a ready-made (stupid) protection 
scheme.
-= +DataPimp =-
				   Cracking Unlocker
		    (Defeating Lame Commercial Protection Schemes)
				    by -= +DataPimp =-
	Unlocker is probably a well-known security program: it lets 
a user download the full version of a piece of software and then install it. 
All they have to do is call in with the "Challenge Code" and "Wallet", 
and boom, enter the unlock code and you have the full version of the software 
unlocked on your hard drive.
	Ok, now first things first: go to www.unboxed.com and download 
any software you choose. Then run the program and choose "Unlock Now". 
Once you do that you will see edit fields for entering an 
"Unlock Password" and a "Challenge Code". Now our "tactic" for this 
case is that we are going to "see" the push to the stack, "track" it and 
"crack" the jump. This, I believe, should be a candidate for the most 
stupid protection scheme, because the "validation" of the entered code is 
a single, easily cracked conditional jump. 
Ok, now run the program you downloaded and choose "Unlock Now". 
Once you have done that, hit Ctrl-D to pop into Soft-ICE; in its command 
window we are going to prepare to "intercept" a Windows message, 
WM_GETTEXT to be exact (the message that is sent to an edit box to read 
the text you typed into it). 
I tried "GetWindowText" and "GetWindowTextA" but these APIs were not 
the culprits in this case. Ok, now, to properly trap the WM_GETTEXT 
message for the edit box, we first need the window handle (hWnd) of the 
correct edit box. To get it, type "HWND unlocker" and you will see all 
the window handles belonging to the program. 
The first edit box that you see in the list is the culprit. We are now 
going to set a breakpoint on that WM_GETTEXT message: type 
"BMSG hwnd WM_GETTEXT", with hwnd replaced by the handle of that edit box. 
The WM prefix obviously stands for "Window Message". 
Ok, now that you have done that, we leave Soft-ICE again by hitting 
Ctrl-D and click the "Unlock" command button. The program should break 
when you click the button. Now, in the Soft-ICE command window, type 
"stack" and hit enter until you see a reference to unlocker; there 
should be only one. That entry is the return address into unlocker's own 
code, the point the call chain returns to once the text of the edit box 
has been fetched. Write it down. 
Now clear your original breakpoint by typing "bc 0" (breakpoint 
number 0 is the BMSG you just set). 
Then set a new breakpoint on the address you got from looking at what 
was recently pushed on the stack: "bpx address". For me it was 
"bpx 2247:14B3" (segment:offset, since this is a 16-bit program). 
Ok, now get out of Soft-ICE again via Ctrl-D and click the "Unlock" 
button again; it will break on the new breakpoint. Now hit F10 to step 
through the program code line by line and you will eventually see a 
"jnz 151F" about two lines down from a call to a function: could this be 
any more obvious? 
Why, as +ORC wrote, don't they just put a big neon green sign that 
says "HEY THE PROTECTION IS RIGHT HERE PATCH ME!!!" with blinking 
lights and all the effects that would point to it? 
Ok, hit F10 until the "jnz 151F" is highlighted. 
Then, in the Soft-ICE command window, type "a address", where address 
is the address of the jnz, shown off to the left of the instruction. 
Type "jmp 151F" as the new instruction, hit enter, and then hit enter 
again on the empty line to leave assembly mode. Then all you have to do 
is hit F5 to let the program run on, and you should see a screen that 
tells you it was unlocked properly. Keep in mind that "a" changes only 
the copy of the program in memory; the file on disk is untouched, so the 
patch is gone the next time you start the program. 
Some people have 
been kind enough to point out to me the fact that this does not work on 
the older unboxed software; the program that I used for this example is 
called ConfigSafe, so I would say that this will only work on the newer 
stuff. I would also like to point out the fact that it could work on 
future or other versions in the past; the thing is that you will just 
have to look for the jump a little farther down. This is just an 
example; you may have to look at it yourself. 
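Since the "a" command only rewrites the instruction in memory, making the crack stick means writing the same two bytes into the executable on disk. The script below is an added example, not code from +DataPimp's essay: it applies the "crack the jump" step to a byte image of the code segment. Before overwriting anything it checks that the bytes at the given offset really are a jnz, recomputes the branch target from the displacement and compares it with the target Soft-ICE displayed (151F here), and only then swaps the opcode. The sample segment bytes, the offset 14C5 of the jnz and the call in front of it are constructed for the example and are not ConfigSafe's real code; turning a segment:offset into a file offset (for a 16-bit program, via the NE segment table) is left to the reader. It goes a little beyond the essay by also handling the 386 near form of jnz (0F 85 rel16), which is one byte longer than the jmp that replaces it.

```python
"""Patch a 'jnz' guarding an unlock check into an unconditional 'jmp'.

Added example, not code from +DataPimp's essay.  The sample code-segment
image, the offsets and the call target are constructed for illustration.
The patcher recomputes the branch target from the displacement and refuses
to touch anything but a jnz whose target matches, so a wrong offset fails
loudly instead of silently corrupting another instruction.
"""


def short_branch_target(ins_offset, rel8):
    """Target of a 2-byte Jcc/JMP rel8 at ins_offset: next IP + signed rel8, 16-bit wrap."""
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8
    return (ins_offset + 2 + disp) & 0xFFFF


def near_branch_target(ins_offset, ins_len, rel16):
    """Target of a near branch with a signed 16-bit displacement (16-bit code segment)."""
    disp = rel16 - 0x10000 if rel16 & 0x8000 else rel16
    return (ins_offset + ins_len + disp) & 0xFFFF


def patch_jnz_to_jmp(code, ins_offset, expected_target):
    """Return a copy of `code` in which the jnz at ins_offset becomes a jmp to the same target.

    Handles the short form (75 rel8 -> EB rel8, same length) and the 386 near
    form (0F 85 rel16 -> E9 rel16 + NOP, one byte shorter, so the displacement
    is recomputed).  Raises ValueError if the bytes are not a jnz or the
    decoded target differs from what the debugger showed.
    """
    patched = bytearray(code)
    op = patched[ins_offset]

    if op == 0x75:
        target = short_branch_target(ins_offset, patched[ins_offset + 1])
        if target != expected_target:
            raise ValueError(f"jnz at {ins_offset:04X} goes to {target:04X}, not {expected_target:04X}")
        patched[ins_offset] = 0xEB  # jnz rel8 -> jmp rel8, displacement unchanged
        return bytes(patched)

    if op == 0x0F and patched[ins_offset + 1] == 0x85:
        rel16 = int.from_bytes(patched[ins_offset + 2:ins_offset + 4], "little")
        target = near_branch_target(ins_offset, 4, rel16)
        if target != expected_target:
            raise ValueError(f"jnz at {ins_offset:04X} goes to {target:04X}, not {expected_target:04X}")
        new_rel16 = (target - (ins_offset + 3)) & 0xFFFF  # jmp rel16 is 3 bytes, so next IP moves
        patched[ins_offset:ins_offset + 4] = bytes([0xE9]) + new_rel16.to_bytes(2, "little") + b"\x90"
        return bytes(patched)

    raise ValueError(f"no jnz at {ins_offset:04X}: found opcode {op:02X}")


# Constructed sample: a 16-bit code segment image with the check sequence the
# essay describes.  Offsets are hypothetical, not ConfigSafe's real ones.
#   14C0  E8 3A 00    call  14FD      (hypothetical code validation routine)
#   14C3  0B C0       or    ax, ax    (did it return zero?)
#   14C5  75 58       jnz   151F      (the "patch me" jump; 14C7h + 58h = 151Fh)
#   14C7  ...                         ("bad code" path)
SEGMENT = bytearray(0x1600)
SEGMENT[0x14C0:0x14C7] = bytes.fromhex("E8 3A 00 0B C0 75 58")
JNZ_OFFSET = 0x14C5
UNLOCK_TARGET = 0x151F  # the target Soft-ICE displayed as "jnz 151F"


def patched_check_bytes():
    """The two bytes at the jnz after patching: EB 58 = jmp 151F."""
    return patch_jnz_to_jmp(SEGMENT, JNZ_OFFSET, UNLOCK_TARGET)[JNZ_OFFSET:JNZ_OFFSET + 2]


if __name__ == "__main__":
    print(patched_check_bytes().hex())  # eb58
```

The target check is what makes this safer than blindly poking EB over 75: if the build you have differs from the one you traced (as the note about older unboxed versions warns), the jnz will sit somewhere else, the decoded target will not be 151F, and the script refuses rather than patching an unrelated byte.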
I  hope this helped some people, 
P.S. 
Greetz to everyone in: #cracking4newbies, #fleet and #natosites
Until Next Time,
-= +DataPimp =-
DataPimp@hotmail.com

    (c) +DataPimp 1997. All rights reversed