Need some advice, Stuck with algorithm to my reverse keycode


este
January 8th, 2006, 22:24
Hi,

I'm new here and I wasn't 100% sure where to post this, but I read a few topics and this question seemed to fit best here.

My goal was to reverse the code and prove that it is possible for me to generate a valid key from the name and serial number entered. Sort of like a keygen in a manner, but I can assure you that this has nothing to do with 'warez' or super-leet hackers. If I wanted to bypass this authorization I could do so in a heartbeat, or at least a JNZ.

I'll explain what the program does and why I'm getting hung up.

The user is asked for 3 items: a 12 digit serial number, a name, and a 16 digit key (the program treats all the letters and numbers as ASCII bytes). This info is then taken into a function where it is all compiled into an 8 byte code. Here comes the tricky part: this 8 byte code is then taken into a function where it is used to generate a 16 byte key. This key is compared directly to the original key entered. If they match, all's well; if not, it fails.

So,

MakeCoefficient (Name,Serial,Key) = CoeffCode

if (GenerateCompareKey(Coeff) == Key)
VALID
else
NOT VALID

The problem I am having is how to reverse this. I can't start with the 8 byte number because that changes with whatever key I enter. I cannot start with the final code generated because it is supposed to exactly match the key entered. The serial and name will only give me 2 of the 3 parts I need. Of course a brute force method is not even close to reasonable.

It's odd enough to me that the function is taking in 3 elements, generating a result that then generates 1 of the original elements.

I'm confused; I can't really get my head around the algorithm to do this.

Anyone have any advice?

LLXX
January 9th, 2006, 02:18
You have to examine the algorithm of the function that operates on the serial, the name, and the key.

este
January 9th, 2006, 13:40
You're right. I just figured out how to get SoftICE to search for that, so I'll have that worked through today.

It's hard to find people that know what they are talking about.

Glad I found this place, was going insane.

I'll work it over and post what I find.

este
January 9th, 2006, 13:55
Crap. Just ran Draca.exe (first Crypto Analyzer that came up in Google):

Code:

analyzing... done

results:
* Blowfish - 100%

total 1 algorithm(s) recognized


I'm not sure if this means the serial+key+name part is BF, or maybe the 8 byte Coeff to Magic code is???

Does that mean I'm screwed, or am I better off now that I know its method and can maybe pull all the data to re-create its end result?

dELTA
January 9th, 2006, 16:12
Those crypto analyzers are usually not very exact. Also, even if Blowfish code is present inside the program, it does not necessarily have to be used in the part of the program you're analyzing (or even at all).

Last but not least, just because someone uses a fancy algorithm doesn't mean they have a friggin' clue what they're doing. You must analyze what the code is doing to begin with. Then when you know what it does and how you want to modify/reverse/exploit it, you can worry about the exact details of how it does it.

este
January 9th, 2006, 16:33
Yeah, I thought about that too.

At least if it IS being used somewhere in my part of the code, then it should be rather crackable since I have all the data they are using. I would think so, anyway.

I'm going to go further into the part of the code that combines serial, name, and key. I have all the filtering, the function where the magic code is being made, and the one where it is compared to the original key, but I should check more into where exactly the Coeff number is being made. I have documented it of course, but I probably skipped over it since I didn't recognize what it was doing.

I'll post here with the result.

este
January 9th, 2006, 22:39
I traced down the creation of my coefficient. I had already logged all this code but skimmed over it since I didn't know what it did.

I posted some code and realized, as I was doing it, that one of the functions was the Blowfish encrypt routine.

este
January 11th, 2006, 15:00
So now I know that my code is using Blowfish.

I have all 4 S-boxes and the P-array (which gets modified from the standard one pulled from the DLL).

I'm working through the Blowfish code now, but while I'm doing it I still just can't get my head around one thing.

Knowing now that something is being Blowfish encrypted: how is it possible to combine a serial, name and key (probably in BF), take the result and then use it to generate a MagicCode that is 'supposed' to match the key?!

I'm like 1/16 into the Blowfish routine, so I'm not even sure exactly where my data is added in yet.

Just thought maybe someone would have a conceptual idea as to what they could be doing.

dELTA
January 15th, 2006, 09:22
Block ciphers (like e.g. Blowfish) can very easily be used as hash functions, which is one very likely method. For example, append all the data to be hashed, encrypt it block by block and then XOR all the blocks, and there you have your "magic code".

Also, you should really try to rip the crypto code if it's a long (non-standard) algo, and instead focus on how the crypto is used if you want to crack/reverse it.
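
As an added illustration of the "block cipher as hash" construction dELTA describes (example code, not from this thread or the program under discussion), here the data is zero-padded, encrypted block by block and the ciphertext blocks are XORed together. A small Feistel cipher with a SHA-256 derived key schedule stands in for Blowfish, which is an assumption made to keep the example self-contained; the check at the end shows the property a reviewer of such a scheme would flag first, namely that XOR of independently encrypted blocks is order-insensitive, so reordering blocks or repeating a block pair collides.

```python
import hashlib
import struct

BLOCK = 8  # 64-bit blocks, same block size as Blowfish

def _round_fn(half: int, subkey: int) -> int:
    # Keyed 32-bit mixing for the stand-in cipher (not Blowfish's F function).
    x = (half ^ subkey) & 0xFFFFFFFF
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & 0xFFFFFFFF
    return ((x << 13) | (x >> 19)) & 0xFFFFFFFF

def _subkeys(key: bytes, rounds: int = 16) -> list:
    # Constructed key schedule: 16 subkeys cut from SHA-256(key) repeated.
    material = hashlib.sha256(key).digest() * 2
    return [struct.unpack(">I", material[4 * i:4 * i + 4])[0] for i in range(rounds)]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block with a 16-round Feistel network (Blowfish stand-in).
    Any Feistel network is a permutation, so distinct blocks give distinct outputs."""
    left, right = struct.unpack(">II", block)
    for k in _subkeys(key):
        left, right = right, left ^ _round_fn(right, k)
    return struct.pack(">II", right, left)

def pad(data: bytes) -> bytes:
    # Zero-pad up to a whole number of blocks.
    return data + b"\x00" * (-len(data) % BLOCK)

def xor_block_hash(key: bytes, data: bytes) -> bytes:
    """dELTA's construction: encrypt block by block, XOR all ciphertext blocks."""
    data = pad(data)
    acc = 0
    for i in range(0, len(data), BLOCK):
        cipher_block = toy_encrypt_block(key, data[i:i + BLOCK])
        acc ^= int.from_bytes(cipher_block, "big")
    return acc.to_bytes(BLOCK, "big")

def reorder_collides(key: bytes, a: bytes, b: bytes) -> bool:
    """True when swapping two whole blocks leaves the 'hash' unchanged.
    XOR is commutative, so this holds for any a, b of exactly one block each."""
    return xor_block_hash(key, a + b) == xor_block_hash(key, b + a)

if __name__ == "__main__":
    # Constructed sample input: a name, a serial and two 8-byte blocks.
    key = b"constructed-demo-key"
    print(xor_block_hash(key, b"JOHN DOE" + b"123456789012").hex())
    print("reorder collides:", reorder_collides(key, b"AAAAAAAA", b"BBBBBBBB"))
    print("repeated block cancels:", xor_block_hash(key, b"AAAAAAAA" * 2) == bytes(BLOCK))
```

A real scheme would chain the blocks (CBC-MAC style) or use a proper hash so that block order and repetition change the result; the plain XOR variant only identifies which blocks were present, not their order.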

este
January 16th, 2006, 03:44
I scanned over all the code and pieced together a solid understanding of what they are doing.

Started a thread here. Along with my idea on how to exploit a weakness in it.

http://www.woodmann.com/forum/showthread.php?t=7702

The short version is they take serial and name and factor them down to 3 bytes, take the key and factor it (one way) down to 3, then add 2 constants to make 8 bytes. Cipher that, then apply that to a 32-digit string of letters as a mini look-up table. Well, it's a little bit more complex than that, but the 16 byte answer makes the key. It boggles the hell out of me.

But the point at which they factor it down to 8 bytes, 3 of which are the only unknowns, seems like the best point of attack. I don't 'want' to brute force it, but hell, it's GOT to get done. Plus there are more than a few working keys per serial and name combo, so it'd be nice to collect them all....

dELTA
January 16th, 2006, 03:55
So, exactly what kind of attack/goal are you aiming at? Patching it, fishing a serial or completely keygenning it?

este
January 17th, 2006, 03:04
Full keygen would be cool. Although it's such a backwater program I'm working on that it's REALLY doubtful I'd ever come in contact with another human being that knew of or needed it.

Worst case, I need to pull all the valid codes per given name/serial number; then there are some requisites that will narrow that lot down. That part is easy though.

This is my first attempt at REing a program, and I think I'm pretty good at it for a first attempt. This program is def. harder than I expected. But I think I might take on some other projects if I ever get the time.