Mike Chen, creator of Weblock Pro, claims it is impossible to unlock (or ‘un-lock’, as he spells it), but it is in fact so trivial even Internet Explorer users can do it in seconds (most other browsers contain a ‘view generated content’ option that makes it even easier). Shown below are the methods used in Mozilla and Internet Explorer to unlock/hack/crack a site ‘protected’ by Weblock Pro.
Why Weblock Pro?
I have targetted Weblock Pro in particular because Weblock Pro spam was sent to the SETI@home message boards. Weblock Pro is representative of the current state-of-the-art in HTML code hiding, so users of other systems should not think this document does not apply to them.
I’ve received e-mails from angry users of Weblock Pro — they claim this page is illegal and helps ‘hackers’ (they mean ‘crackers’, of course). There is nothing illegal in this page, and the techniques described are well known to crackers, so removing it would have no effect, other than to give a false sense of security to those considering buying Weblock Pro. I have in fact received one e-mail from someone considering buying Weblock Pro, thanking me for showing him it is not secure (I did reply that no code hiding techniques are effective, but I don’t know whether he took that advice).
The method — Mozilla version
Users of the excellent Mozilla Firefox browser can view the page source easily. Just open the DOM Inspector (in the Tools menu), right-click on the HTML node (the one with the triangle next to it), choose ‘Copy XML’ and paste the code into your favourite text editor.
The method — Internet Explorer version
1) First save the page. You should do this by viewing the source code, then saving this code (do not use the save option in the File menu, as Internet Explorer will make a mess of the code). Weblock Pro disables this feature in some browsers, in this case you must first turn off Javascript, refresh the page and then you can save it. Internet Explorer users can turn off Javascript through the menu option ‘Tools/Internet Options…’, clicking on the ‘Security’ tab, clicking on ‘Internet’, clicking on ‘Custon Level…’ and selecting ‘Disable’ under ‘Scripting/Active Scripting’.
2) Open the saved page in a text editor (Windows users should use Notepad). A line near the top will start:
<SCRIPT language=javascript>eval(Note: in newer versions of Weblock Pro this line and eight lines around it are shifted right by 150 spaces, in a feeble attempt to defeat crackers. So if you can’t find a line starting with the text above, scroll right a bit and try again.
Between the > and the eval..., insert the text document.writeln(‘<plaintext>’); (make sure you put the semicolon at the end). This gives you a line starting:
<SCRIPT language=javascript>document.writeln('<plaintext>');eval3) Save the page (make sure it still has the .htm or .html extension). Load it in your web browser — you will be able to see the code.
Further reading
I have written a page on the problems with HTML code hiding techniques.