Reversing IMEI-CHECK's Wizard Unlocker :)


Whiterat
21st January 2007, 11:29 PM
Hey Folks,

After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.

The application is protected by Themida which is in my view the leading protector on the market currently (yes better than execryptor).

The unlocker has Ring0 protection, emulated APIs, resource encryption + lots more fun and games.

Now onto what I have found so far.

The GUI stuff:
set 1 0
set 5 ffffffff
set 2 0
set 6 000000
set 4 000000
progressbar 0 239 0 255 ffffff 100 0
shmsg 0 0 " . : | Wizard Unlock | : ."
info 1
shmsg 3 0 " ..detecting device.."
set 32 2
info 0
shmsg 4 0 " >>> Wizard found"


This is plain to see, but the evil work is well tucked away in a procedure which is pushed onto the VirtualMachine.
So I still need to fish that out (loooonnnng task)...

However the very most interesting part (I find) is the existence of a ROM inside the unlocker.

Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.

Download:
http://rapidshare.com/files/12763879/_00CC0000.mem

For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S

The following tools are also 'picked up':
Filenames:

PORTMON.exe
SnoopyPro.exe
Device Monitor.exe
Window Titles:
Portmon Class
SnoopyPro
USB Monitor
Device Monitor

Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.

Since he has NO terms about his programs whatsoever, there are no legal problems with what I am doing to his application.

He is probably too scared of HTC anyway, since he is decompiling their firmwares in order to make the product. (Which is outlawed in HTC's terms)


Anyway....

Watch this space :)

MilanoRex
22nd January 2007, 07:06 AM
Very interesting, would information gathered from the Wizard unlocker lead to cracking the Treo 750 unlocker? Or any other phone that imei-check supports for that matter?

pof
22nd January 2007, 06:26 PM
After a long weekend of reversing I am about 95% done in reversing IMEI-CHECK's unlocker for the Wizard.
Great, will you disclose your findings? There was an earlier post about the unlocker for G4 wizards, here (see comment #36):
http://forum.xda-developers.com/showthread.php?t=284312

However the very most interesting part (I find) is the existence of a ROM inside the unlocker.

Now I am not sure if this is the bootloader/gsm rom however it certainly seems VERY interesting that it is included.
It seems that this is the patched SPL that is flashed on the first unlocking step; it is modified so that when it is told to flash a splash screen, it flashes the security area, overwriting the CID.

For those who wish to analyse it and let me know which it is and if anything has been altered.
It might well just be standard, who knows :S
I will load it in IDA and compare with a normal wizard SPL...


Serious Serious Kudos to the developer, Very impressive work indeed!
By making this, he has almost made himself a license to print cash.

Yes, the imei-check guys are doing a great job with their unlockers... a similar method is used in the artemis unlocker too. They load a modified SPL in RAM and jump to its physical address from WinCE; this modified SPL shows the DOC ID in the help of the "set" command and allows flashing unsigned code, then they use the obtained DOC ID info to patch the security area by sending a "fake" splash screen, same as in the wizard unlocker.

Watch this space :)
I will ;)

Whiterat
22nd January 2007, 08:16 PM
phoa not much point in me continuing!
You've got the whole lot there!

I'm a lover not a coder, I simply reverse in order to help others succeed.

Since you have all the important info anyway, I'm not really going to be of much help here :(

P.S. do you have any sigs for IDA or any scripts?
I don't like having to sift through it manually as a binary file......

pof
23rd January 2007, 03:23 AM
phoa not much point in me continuing!
You've got the whole lot there!
Well I didn't want to discourage you from continuing the reversing process, I just pointed you to the thread where we discussed the unlocking method a while ago...

I admire the fact that you reached that far only disassembling / debugging the binary; what we actually did to get the full process was capturing it with USB monitor. The unlocker can be tricked if you run the usb monitor process as one user, and the unlocker as a different user, but imei-check seem to have corrected this 'bug' in newer unlockers.


Since you have all important info anyway, Not really going to be of much help here :(
We don't have _all_ the important info, we have the commands that the unlocker sends to the bootloader, but the data sent to flash the security area is actually different in every phone, so flashing what is sent in one phone to another phone will actually brick it.

I think it can be helpful if you manage to reverse the algorithm that the unlocker uses to generate the code which is flashed on the security area. This can't be done by capturing usb traffic, this has to be reversed from the binary, and Themida is not easy to break as you surely have noticed :)

P.S. do you have any sigs for IDA or any scripts?
I don't like having to sift through it manually as a binary file......
No sorry, I don't have any... I am not very used to IDA, started using it a few months ago and still learning new things about it every time I start it :)

Whiterat
23rd January 2007, 12:09 PM
Ah cool I will look into it a bit further :D
(Need to get a friend to code a tool to remove the junk code)
e.g
PUSH EAX
PUSH EDX
MOV EAX,2282
INC EAX
DEC EDX
POP EDX
POP EAX

Since it is popping those registers off the stack, it's actually altered nothing :)

Themida is a cow. Because my friend didn't manage to make a start on the junk code remover (and I didn't realise there was a virtualised function) I just did each Import by hand (approx 4 hours lol).
Also rebuilt the OEP by hand too, not too hard since it was VC++6.

I have a G4 which I have unlocked with Imei-Calc (thus I have the key file, which I *think* might decrypt parts of the program, or possibly is part of an encrypted rom.)

3 Last things:

1. Can the G3/G4 chip be worked out by IMEI, i.e. the IMEI represents a date and the chips were only used after a certain date? Or is this tool generic for G3/G4?

2. Do you have an SPL for 2.08.10?

3. How can I dump my SPL (bearing in mind my only minisd has a full backup of my rom, just in case crossbow gets a little ugly for my liking)?


Ohh one last thing, kbdus.dll on Crossbow.....Is there a kbduk.dll as far as you know?
My Wizard has british keyboard and all the chars are shifted +1..... :(
That's my next major task I think before continuing on this thing :P


Btw, To use the usb logger on newer versions of IMEI-CALC, just rename the exe and change the class name :P
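A dead-frame detector for this kind of junk, as an added example that is not Whiterat's or his friend's tool: it treats a balanced PUSH r ... POP r frame as removable when every instruction inside only writes a register that is currently pushed and touches no memory. The register alias table, PURE_ALU list and SAMPLE listing are my own assumptions, and the check assumes EFLAGS is dead after the frame (INC/DEC still clobber it).

```python
ALIASES = {"EAX": {"EAX", "AX", "AL", "AH"}, "EBX": {"EBX", "BX", "BL", "BH"},
           "ECX": {"ECX", "CX", "CL", "CH"}, "EDX": {"EDX", "DX", "DL", "DH"},
           "ESI": {"ESI", "SI"}, "EDI": {"EDI", "DI"}}  # 32-bit regs + sub-registers
# Instructions whose only lasting effect is writing their first operand (and EFLAGS).
PURE_ALU = {"MOV", "INC", "DEC", "ADD", "SUB", "XOR", "OR", "AND", "NOT", "NEG"}

def parse(line):
    """'MOV EAX,2282 ; note' -> ('MOV', ['EAX', '2282']); None for blank lines."""
    parts = line.split(";", 1)[0].strip().upper().split(None, 1)
    if not parts:
        return None
    return parts[0], ([o.strip() for o in parts[1].split(",")] if len(parts) > 1 else [])

def writes_only_saved(mnem, ops, saved):
    if mnem not in PURE_ALU or not ops or any("[" in o for o in ops):
        return False  # memory operand or unknown side effect: not provably dead
    return any(ops[0] in ALIASES[r] for r in saved)  # destination aliases a pushed reg

def junk_frames(lines):
    """(start, end) index pairs of outermost PUSH..POP frames whose body is dead (assumes EFLAGS dead after)."""
    frames, stack, start, dead = [], [], None, True
    for i, ins in enumerate(parse(l) for l in lines):
        if ins is None:
            continue
        mnem, ops = ins
        if mnem == "PUSH" and ops and ops[0] in ALIASES:
            if not stack:
                start, dead = i, True  # new outermost frame
            stack.append(ops[0])
        elif mnem == "POP" and stack and ops and ops[0] == stack[-1]:
            stack.pop()
            if not stack and dead:
                frames.append((start, i))
        elif mnem in ("PUSH", "POP"):
            stack = []  # unsupported PUSH operand or unbalanced POP: not a clean frame
        elif stack:  # inside a frame: every write must hit a currently saved register
            dead = dead and writes_only_saved(mnem, ops, stack)
    return frames

def strip_junk(lines):
    drop = {k for s, e in junk_frames(lines) for k in range(s, e + 1)}
    return [l for k, l in enumerate(lines) if k not in drop]

# Constructed sample: the post's sequence between two real instructions (assumed).
SAMPLE = ["MOV ECX,[EBP+8]", "PUSH EAX", "PUSH EDX", "MOV EAX,2282", "INC EAX",
          "DEC EDX", "POP EDX", "POP EAX", "ADD ECX,1"]

print("\n".join(strip_junk(SAMPLE)))
```

Nested frames are handled by the push stack: a write to a register is only accepted while that register sits on the stack, so PUSH EAX / MOV ECX,1 / PUSH ECX / POP ECX / POP EAX is correctly kept.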

hdubli
23rd January 2007, 06:55 PM
Hi.. Answer on the "Last Three Things"
1.) No one can identify G3/G4 with IMEI. If u look carefully at the place below yr battery u will find a "G4" written beside yr IMEI no. In G3, nothing is written. The most common way is to check IPL/SPL: .001 at the end is G4.

2) Take a ROM which has the 2.08 SPL and use typho5.exe to dismantle the ROM parts. If the ROM was released recently then you will find IPL/SPL for both G3/G4. Check the threads here..

3) As such the crossbow ROM has no IPL/SPL.. if u know what ROM u were using prior to that, u can apply the above to dump yr IPL/SPL.. secondly you can do this with awizard 1.3 beta.

I hope this helps