NoExec Long live the Borg

Unlocking the ESET unlocker

ESET Antivirus (a.k.a. NOD32) in corporate environments is usually extremely annoying, since it pesters the user with useless popups, prevents downloading of useful programs, breaks SSL connections, etc. Its settings are password-protected, accessible only to sysadmins — good luck getting through that wall. Of course, it is possible to simply uninstall the antivirus via some convoluted process (if one has administrative access, which is not a given), but we don’t look for easy paths.

ESET password prompt

How does one get around that password prompt? Luckily, ESET provides an Unlock Utility that provides you with an ID that you need to submit to their Customer Care, and get back an email with the code, or something equally silly. Anyway, let’s get around that inconvenience, especially considering that the email will most likely go to your corporate support.

Opening the executable in a debugger or a disassembler, we see that the ID is generated from some machine-specific information, some of which is hashed using a custom hash function. That same function is later (not shown in the screenshot below) used to compute the resulting code for the ID, comparing the result with the code input by the user.

IDA: Main procedure

At this stage we could easily circumvent the check, or create a patch — but let’s go further, and take a closer look at the hash function. It receives the ID both as a 32-bit integer seed, and as a decimal string, producing another 32-bit integer (the code) by doing arithmetic and bitwise manipulations on string characters, also indexing into 1KB block of data (256 32-bit words).

IDA: Hash procedure

The process is not too complex; here is a Java program doing the same. We put the code back into the unlocker, and voila:

ESET unlock tool

Guy Gelber, our cyber program student in Ashdod campus, has developed a keygen GUI (the executable is here). Patching functionality seems problematic (I got a registry error from the unlocker when I tried that), but fixing the issue should be easy enough.

Incidentally, the algorithm is a standard table-based implementation of CRC32:

long id = 1234567890;
byte[] idBytes = (id+"").getBytes();
Checksum csum = new CRC32();
Field seed = CRC32.class.getDeclaredField("crc");
seed.set(csum, (int)id);
csum.update(idBytes, 0, idBytes.length);
System.out.println("CODE: " + csum.getValue());

All ESET settings are now accessible.

ESET Remote Administrator

ESET Live Grid