papers
+HCU snippets
courtesy of reverser's page of reverse engineering
15 June 1998
Frog's Print
The SIMLOCK saga (Nokia's stupidity)

"According to me, if these idiots from Nokia had written their exe file, and applied the dongle wrapper BEFORE packing the file, Simlck would be quite harder (yet not impossible) to crack."
Nôtre cher mâitre Frog's print is back again with another small masterpiece. Since this is NOT material for beginners, you should make the (small) effort to understand the context yourselves... (yes, it's part of an +HCU 1998 seminar... you will have the privilege of seeing a small snippet of our 'real' work here: if you want to join, just solve the STRAINER for 1999)
I believe you will enjoy this small essay (Nokia's people probably will NOT :-)


...I read them and saw a lot of things going on about... SIMLOCK ! ;)
I thought you cracked it, but according to what I read, you were 
stuck and/or gave up.

As I said I cracked it before it was introduced to +you here,
so here are below *ALL* I can tell you about this soft!

Let's go:

//////////////////// The Simlock Affair //////////////////////////

>One possible attack could be to put our hands on other software using
>this dongle (one was mentioned in Frogs Print essay, BTW his address

Zer0+:
I thing you are talking about Ai Damage. However, this soft needs
a dongle driver (dk2win32.dll/dk2wn95.386) which should be loaded
in order to run the soft (device=C:\AIDAMGE\DK2WN95.386 in your
'system.ini' file). Simlock doesn't need any external driver as it
has its own routines to check for the dongle (like most DOS dongles
I described in my essay).


> In light of this, I would be fascinated to hear how
> Frog's Print did it (presumably without the dongle).  Perhaps 
> the pkunlite method really works, in which case, these people 
> would be the biggest idiots in the world.

Quine: 
you are right, these people ARE the biggest idiots in the world!


> I might be wrong but I don't think Frog's Print solved this riddle,
> probably he was talking about a different program called Simlock too

+Aitor: 
No, it's the same. We are all talking about SIMLCK Plus Operator V1.50 
by Nokia Mobile Phones.
For information, this file was sent to me around January 98 by 
someone who told me he was unable to crack it. I cracked it and found
the protection so lame that I quickly threw it away and tried to
forget it.
Simlock is an "unlocker" for cellular phones, you know those stupid
machines that fit in the pocket of million of poor slaves that don't
even know what is to be free, to be able to take few hours off and
to go the closest pub and restfully, drink a pint of Leffe 
(cheers Reverser ;) without being disturbed every five minutes by their
boss (I almost forgot the meaning of this word..) calling them.


Anyway, upon your request, here is my "Simlock quick assault" 
(all you need is a good unpacker and HexWorkshop) :

The first thing to do is to have a look at the simlck.exe file 
with HexWorkShop:
-You'll see that it has been packed with PKLite.
-at the end of the file you'll find the only 3 string datas refs 
available: 
1/Deskey not found
2/Incorrect DOS version
3/Checking security

OK, the programmer could be a real +coder and could have written 
his own packer and then added the PKLite header to his file to 
fool us (I did it, a long time ago). 
But he could be just plain stupid as well. Usually, to avoid a 
waste of time, I always start with the 2nd approach ;)

My first try was to use Sourcer7 as this nice tool has got its own 
powerful unpacker but it locked up my PC. So I used UnPKLite 
from Clive Turvey the author of Windows Source. 
This guy is great and his soft is really brillant. 
BTW, he wrote on his home page (http://www.tbcnet.com/~clive):
"Reverser's site might also convince you that there are plenty of 
people who can quickly break any protection scheme you can contrive 
and that you would be better served writing cheap, bug free 
freewares" . 
Clever +programmer ;)

UnPKLite will unpack Simlck.exe and it gives a 145Kb file.
The file will not run under Win95 and WinNT 4.0 (memory error message)
or will crash your PC under DOS (for the same reason) but 
that's not a problem. We'll fix that later.
Now if you look through the file with HexWorkShop again you'll 
notice that:
-it seems well unpacked as NEW string datas (menus, messages..) 
appear in the ASCII window (nothing seem to be missing)
-strangely, the "Deskey not found"... messages displayed in the 
packed file are no longer present.

I had the feeling that:
1/ the programmer wrote his program (*without* any dongle protection)
2/ he packed it (*definitely* with PKLIte)
3/ he used some kind of ready_to_use dongle protection: a wrapper 
that seems to have modified the file just a little and attached
the dongle protection at the end of the file (+/- like a virus).
When I wrote my dongle essay I visited all dongle manufacturers 
home pages and, as far as I can remember, Deskey have got a 
wrapper. I couldn't get it so I don't know how it works (but
they are proud of it).
4/ It seems that UnPKlite unpacked the file and simply got rid of the 
dongle wrapper as this extra code was applied after the file has 
been packed and then, it was simply ignored (and rejected) by UNPKLite.

Memory Error Message:
As said, the unpacked simlock.exe returned a 'not enough memory to run'
error message.
Do you remember your old DOS lessons ? :(
A DOS exe file has got 2 important values inside its header:
0x0ah (word): minimum memory needed (in paragraphs, NOT in bytes)
0x0ch (word): maximum memory needed ( ""    ""         ""       )
******************************************
Little reminder:
-To get the program size in paragraphs do:
=> Program_Size_In_Bytes / 16 (decimal)
 ( or, for a TSR => mov cl,4 ; shr program_size_in_bytes, cl)
-To get the program size in bytes do:
=> Convert to Dec and then : Program_size_in_paragraphs * 16  
******************************************

Usually the maximum memory required is set to 0xFFFF by the 
compiler. That's about 1Mb memory and though it's close to twice more
than the available DOS memory, it just means 'give the maximum you can'.
If you look at the unpacked simlock.exe file you'll see that the 
minimum memory needed (which, btw, IS DISPLAYED by UnPKLite during 
the unpacking process...!! ) is set to 0xE0B9 paragraphs so that's 
about 900Kb ! Even if you free some more memory on your PC, you 
will NEVER be able to run it.
The header of the original simlck.exe shows that it requires about 
75kb of memory to run.
So you just have to fix the unpacked file header, and change the 
0xE0B9 value to a more serious value like, let's say, 0x2500 (150Kb) 
or the same as the original file (it works, I tested it under DOS 
and WIN95 but I couldn't test it under NT 4.0 as I wrote a 
password_on_boot protection for my PC which crashed my NT4  :-(

=>Now simlck.exe is cracked :))

The first time I ran the original simlock.exe it created a dk2.cfg
file in the same directory which contains infos about your dongle
version, // port ID...
Simlock will ALWAYS create this file if it cannot find it.
But if you erase it and now run the cracked simlock.exe you'll
see that it will no longer create this file, and will NEVER look for 
it (check with FileMon or a BPINT) ! Funny isn't it?

And finally if you run the cracked simlock, it will display an error 
message but it has NOTHING to see with the dongle (it's looking for a 
cellular phone stuff). All you have to do is to look through the file 
with HexWorkShop again and you'll see the command line arguments needed
to run the program.
Example:
type "SIMLCK.EXE -?" and you'll get:
**********************************************************************
SIMLCK Plus Operator V1.50 (c) 1997 Nokia Mobile Phones

simlck [Ln... [msin] [gid1] [gid2]] [Un[+|-]] [A:ac] [C:n] [L:n]
       [-I] [-S] [-Q] [-Y] [-?]

Parameters :
    Ln    Lock to close. Where n is a value in the range of 1 through 4.
    msin  Only if lock 4 is closed. The subscriber specific part of the IMSI.
    gid1  Only if lock 2 is closed. The first byte of the GID1 (hex).
    gid2  Only if lock 3 is closed. The first byte of the GID2 (hex).
    Un    Userlock toggle. Where n is a value in the range of 1 through 4.

Switches :
    A:ac  Operator Access Class. Valid values 0, 11 trough 15.
    C:n   COM port for phone. Default is C:1. Valid values for n 1,2,3 and 4.
    L:n   LPT port for PKD-1DC. Default is L:1. Valid values for n, 1 and 2.
    -I    Information, displays lock information. -I overrides the -Q switch.
    -S    Save, save commandline parameters to SIMLOCK.DAT file
    -Q    Quiet, doesn't display any lock information.
    -Y    Yes, assumes yes on set locks query.
    -?    Displays commandline help screen.
**************************************************************************

You can of course re-pack (with PKLite) Simlck in which case you'll get
a 70Kb file instead of the 80Kb original file.



Well, that's all I know about this stupid file.

Does it help? Let me know.

Frog's Print

PS_1: I am really wondering why doesn't V Communications use Clive Turvey's
talents for their unpacker as Sourcer 7 'unpack.exe' file reports that
simlck.exe is NOT a packed file ! :-(

PS-2: According to me, if these idiots from Nokia had written their exe file,
and applied the dongle wrapper BEFORE packing the file, Simlck would be quite
harder (yet not impossible) to crack. :-o

******** End *******

snippets
+HCU snippets
redhomepage red links red anonymity red+ORC redstudents' essays redacademy database
redantismut redtools redbots & agents reversing redcocktails redjavascript wars redsearch_forms redmail_reverser
redIs reverse engineering illegal?