Log in

View Full Version : A little trouble generating serials for an application


ratshasa
March 3rd, 2013, 11:19
Hello! I'm having some trouble generating valid serial numbers for an application and I hope someone here can shed some light on the whole thing.

As per the FAQ, here is the relevant info:

1. What is the problem....

A while ago, some developer released version 1.0 of some application, protected by a serial check routine. I was able to understand the algorithm used to validate serial numbers and create a serial generator for that application.

Now, the same developer released an update for that application which requires a new serial number. That validation routine is the same as before, except for an extra step. I was able to create a new, working serial generator, but I am unsure if it's actually as good as it can be.

2. What is the protection.....

Custom-made serial number check.

3. What tools are you using....

The application is written in Python and I was able to decompile it using a tool called uncompyle2.

4. What tutorials have you read....

Some tutorials on Python programming and a few more on decompiling applications made in Python.

5. Show your output listing WITH comments....

I'm not entirely sure what output I should list here, so I'll try to explain how the serial check routine works in the updated version of the application, keeping it as generic as possible.

First of all, as I mentioned previously, it simply does the same check as in the initial version, 1.0 (that was simple to understand). Then comes the extra step, which goes like this:

1. it takes the name of the application and calculates it's SHA1 hash;
2. it takes that hash and converts it from base 16 to base 10 (I'm not sure if I'm explaining this operation correctly, English is not my native tongue, but I can give an example if needed);
3. it stores the remainder (let's call it R1) of the division between the result from the previous step and a number (constant integer), let's call it X;
4. it takes the entered serial number and calculates it's SHA1 hash;
5. it takes that hash and converts it from base 16 to base 10;
6. it stores the remainder (let's call it R2) of the division between the result from the previous step and X (the constant);
7. it checks if the two remainders, R1 and R2, are equal;
8. if R1 = R2, then the serial number is considered valid.

To generate valid serials for the new version of the application, I create random serials which are valid for the initial version and do the calculations mentioned in the list above again and again, until I get a serial that works.

Basically, I now cannot constantly create valid serials for the updated application like I did before. I have to create many serials and do the calculations on them until I find ones that are valid.

6. NOW ask your question....

Is my method of generating valid serials for the new version of the application the most efficient one? Or is there a correlation between the SHA1 hashes, the conversion from base 16 to base 10 and the remainders, which I'm not seeing? Does the developer generate valid serials in the same way, or does him/her have a different method, which constantly yields valid serial numbers?

If needed, I can explain the serial check routine more thoroughly.

Thanks!

0xD1
March 3rd, 2013, 13:55
Brute-force is the correct approach. You can optimize the check for a valid hash, but it mostly comes down to generating hashes as fast as possible by threading and/or offloading to GPU.

disavowed
March 4th, 2013, 09:19
Quote:
[Originally Posted by ratshasa;94347]Does the developer generate valid serials in the same way

Yep.

ratshasa
March 6th, 2013, 04:46
Ok, then I guess I will try to optimize my serial generation and validation algorithms as much as possible. Thanks for the input!