+HCU snippets
courtesy of fravia's page of reverse engineering
15 June 1998
Frog's Print
The SIMLOCK saga (Nokia's stupidity)
"According to me, if these idiots from Nokia had written their exe file,
and applied the dongle wrapper BEFORE packing the file, Simlck would be quite
harder (yet not impossible) to crack."
Nôtre cher mâitre Frog's print is back again with another small masterpiece.
Since this is NOT material for beginners, you should make the (small) effort to
understand the context yourselves... (yes, it's part of an +HCU 1998 seminar...
you will have the privilege of seeing a small snippet of our 'real' work here:
if you want to join, just solve the STRAINER for 1999)
I believe you will enjoy this small essay (Nokia's people
probably will NOT :-)
...I read them and saw a lot of things going on about... SIMLOCK ! ;)
I thought you cracked it, but according to what I read, you were
stuck and/or gave up.
As I said I cracked it before it was introduced to +you here,
so here are below *ALL* I can tell you about this soft!
Let's go:
//////////////////// The Simlock Affair //////////////////////////
>One possible attack could be to put our hands on other software using
>this dongle (one was mentioned in Frogs Print essay, BTW his address
Zer0+:
I thing you are talking about Ai Damage. However, this soft needs
a dongle driver (dk2win32.dll/dk2wn95.386) which should be loaded
in order to run the soft (device=C:\AIDAMGE\DK2WN95.386 in your
'system.ini' file). Simlock doesn't need any external driver as it
has its own routines to check for the dongle (like most DOS dongles
I described in my essay).
> In light of this, I would be fascinated to hear how
> Frog's Print did it (presumably without the dongle). Perhaps
> the pkunlite method really works, in which case, these people
> would be the biggest idiots in the world.
Quine:
you are right, these people ARE the biggest idiots in the world!
> I might be wrong but I don't think Frog's Print solved this riddle,
> probably he was talking about a different program called Simlock too
+Aitor:
No, it's the same. We are all talking about SIMLCK Plus Operator V1.50
by Nokia Mobile Phones.
For information, this file was sent to me around January 98 by
someone who told me he was unable to crack it. I cracked it and found
the protection so lame that I quickly threw it away and tried to
forget it.
Simlock is an "unlocker" for cellular phones, you know those stupid
machines that fit in the pocket of million of poor slaves that don't
even know what is to be free, to be able to take few hours off and
to go the closest pub and restfully, drink a pint of Leffe
(cheers Fravia ;) without being disturbed every five minutes by their
boss (I almost forgot the meaning of this word..) calling them.
Anyway, upon your request, here is my "Simlock quick assault"
(all you need is a good unpacker and HexWorkshop) :
The first thing to do is to have a look at the simlck.exe file
with HexWorkShop:
-You'll see that it has been packed with PKLite.
-at the end of the file you'll find the only 3 string datas refs
available:
1/Deskey not found
2/Incorrect DOS version
3/Checking security
OK, the programmer could be a real +coder and could have written
his own packer and then added the PKLite header to his file to
fool us (I did it, a long time ago).
But he could be just plain stupid as well. Usually, to avoid a
waste of time, I always start with the 2nd approach ;)
My first try was to use Sourcer7 as this nice tool has got its own
powerful unpacker but it locked up my PC. So I used UnPKLite
from Clive Turvey the author of Windows Source.
This guy is great and his soft is really brillant.
BTW, he wrote on his home page (http://www.tbcnet.com/~clive):
"Fravia's site might also convince you that there are plenty of
people who can quickly break any protection scheme you can contrive
and that you would be better served writing cheap, bug free
freewares" .
Clever +programmer ;)
UnPKLite will unpack Simlck.exe and it gives a 145Kb file.
The file will not run under Win95 and WinNT 4.0 (memory error message)
or will crash your PC under DOS (for the same reason) but
that's not a problem. We'll fix that later.
Now if you look through the file with HexWorkShop again you'll
notice that:
-it seems well unpacked as NEW string datas (menus, messages..)
appear in the ASCII window (nothing seem to be missing)
-strangely, the "Deskey not found"... messages displayed in the
packed file are no longer present.
I had the feeling that:
1/ the programmer wrote his program (*without* any dongle protection)
2/ he packed it (*definitely* with PKLIte)
3/ he used some kind of ready_to_use dongle protection: a wrapper
that seems to have modified the file just a little and attached
the dongle protection at the end of the file (+/- like a virus).
When I wrote my dongle essay I visited all dongle manufacturers
home pages and, as far as I can remember, Deskey have got a
wrapper. I couldn't get it so I don't know how it works (but
they are proud of it).
4/ It seems that UnPKlite unpacked the file and simply got rid of the
dongle wrapper as this extra code was applied after the file has
been packed and then, it was simply ignored (and rejected) by UNPKLite.
Memory Error Message:
As said, the unpacked simlock.exe returned a 'not enough memory to run'
error message.
Do you remember your old DOS lessons ? :(
A DOS exe file has got 2 important values inside its header:
0x0ah (word): minimum memory needed (in paragraphs, NOT in bytes)
0x0ch (word): maximum memory needed ( "" "" "" )
******************************************
Little reminder:
-To get the program size in paragraphs do:
=> Program_Size_In_Bytes / 16 (decimal)
( or, for a TSR => mov cl,4 ; shr program_size_in_bytes, cl)
-To get the program size in bytes do:
=> Convert to Dec and then : Program_size_in_paragraphs * 16
******************************************
Usually the maximum memory required is set to 0xFFFF by the
compiler. That's about 1Mb memory and though it's close to twice more
than the available DOS memory, it just means 'give the maximum you can'.
If you look at the unpacked simlock.exe file you'll see that the
minimum memory needed (which, btw, IS DISPLAYED by UnPKLite during
the unpacking process...!! ) is set to 0xE0B9 paragraphs so that's
about 900Kb ! Even if you free some more memory on your PC, you
will NEVER be able to run it.
The header of the original simlck.exe shows that it requires about
75kb of memory to run.
So you just have to fix the unpacked file header, and change the
0xE0B9 value to a more serious value like, let's say, 0x2500 (150Kb)
or the same as the original file (it works, I tested it under DOS
and WIN95 but I couldn't test it under NT 4.0 as I wrote a
password_on_boot protection for my PC which crashed my NT4 :-(
=>Now simlck.exe is cracked :))
The first time I ran the original simlock.exe it created a dk2.cfg
file in the same directory which contains infos about your dongle
version, // port ID...
Simlock will ALWAYS create this file if it cannot find it.
But if you erase it and now run the cracked simlock.exe you'll
see that it will no longer create this file, and will NEVER look for
it (check with FileMon or a BPINT) ! Funny isn't it?
And finally if you run the cracked simlock, it will display an error
message but it has NOTHING to see with the dongle (it's looking for a
cellular phone stuff). All you have to do is to look through the file
with HexWorkShop again and you'll see the command line arguments needed
to run the program.
Example:
type "SIMLCK.EXE -?" and you'll get:
**********************************************************************
SIMLCK Plus Operator V1.50 (c) 1997 Nokia Mobile Phones
simlck [Ln... [msin] [gid1] [gid2]] [Un[+|-]] [A:ac] [C:n] [L:n]
[-I] [-S] [-Q] [-Y] [-?]
Parameters :
Ln Lock to close. Where n is a value in the range of 1 through 4.
msin Only if lock 4 is closed. The subscriber specific part of the IMSI.
gid1 Only if lock 2 is closed. The first byte of the GID1 (hex).
gid2 Only if lock 3 is closed. The first byte of the GID2 (hex).
Un Userlock toggle. Where n is a value in the range of 1 through 4.
Switches :
A:ac Operator Access Class. Valid values 0, 11 trough 15.
C:n COM port for phone. Default is C:1. Valid values for n 1,2,3 and 4.
L:n LPT port for PKD-1DC. Default is L:1. Valid values for n, 1 and 2.
-I Information, displays lock information. -I overrides the -Q switch.
-S Save, save commandline parameters to SIMLOCK.DAT file
-Q Quiet, doesn't display any lock information.
-Y Yes, assumes yes on set locks query.
-? Displays commandline help screen.
**************************************************************************
You can of course re-pack (with PKLite) Simlck in which case you'll get
a 70Kb file instead of the 80Kb original file.
Well, that's all I know about this stupid file.
Does it help? Let me know.
Frog's Print
PS_1: I am really wondering why doesn't V Communications use Clive Turvey's
talents for their unpacker as Sourcer 7 'unpack.exe' file reports that
simlck.exe is NOT a packed file ! :-(
PS-2: According to me, if these idiots from Nokia had written their exe file,
and applied the dongle wrapper BEFORE packing the file, Simlck would be quite
harder (yet not impossible) to crack. :-o
******** End *******
+HCU snippets
homepage
links
anonymity
+ORC
students' essays
academy database
antismut
tools
bots & agents reversing
cocktails
javascript wars
search_forms
mail_fravia
Is reverse engineering illegal?