View Full Version : Spent 3 days in SoftIce,
Hi,
I'm new here and I wasn't 100% sure where to post this, but I read a few topics and this question seemed to fit best here.
My goal was to reverse the code and prove that it is possible for me to generate a valid key from the name and serial number entered. Sort of like a keygen in a manner, but I can assure that this has nothing to do with 'warez' or super-leet hackers. If I wanted to bypass this authorization I could do so in a heartbeat, or at least a JNZ.
I'll explain what the program does and why I'm getting hung up.
The user is asked for 3 items: a 12 digit serial number, a name, and a 16 digit key (the program treats all the letters and numbers as ASCII bytes). This info is then taken into a function where it is all compiled into an 8 byte code. Here comes the tricky part: this 8 byte code is then taken into a function where it is used to generate a 16 byte key. This key is compared directly to the original key entered. If they match, all's well; if not, then it fails.
So,
Coeff = MakeCoefficient(Name, Serial, Key)
if (GenerateCompareKey(Coeff) == Key)
    VALID
else
    NOT VALID
The problem I am having is how to reverse this. I can't start with the 8 byte number because that changes with whatever key I enter. I cannot start with the final code generated because it is supposed to exactly match the key entered. The serial and name will only give me 2 of the 3 parts I need. Of course a brute force method is not even close to reasonable.
It's odd enough to me that the function is taking in 3 elements, generating a result that then generates 1 of the original elements.
I'm confused :( I can't really get my head around the algorithm to do this.
Anyone have any advice ?
hi este!
sorry i don't have an answer, but rather some questions and maybe an idea...
i was wondering if i could take a look at the binary you're studying?
i'd also like to know how the user is supplied with the 12-digit serial number and 16-digit key. i'm guessing the serial number is generated first by the author, then the user provides his/her name to the author, and with the username and serial number the author generates the 16-digit key in such a way that allows MakeCoefficient's output to derive the same 16-digit key when passed through the GenerateCompareKey function.
do you know what numbers/letters are valid for the 12-digit serial number and 16-digit key? (eg only hex numbers 0-9 A-F ?)
i think studying the innards of the GenerateCompareKey function would help understand the nature of the 16-digit key, ie knowing how the 16-byte value is derived from the 8-byte code (MakeCoefficient's output).
i'm very interested in knowing how this works! :)
Awesome, it's damn good to find people that are at least interested..... all the irc crypto rooms are packed with people who know nothing... it's odd.
Ok. I was a little brief on parts b/c I didn't know if anyone would be interested, soooo....
The rules are as follows:
All data is pulled and processed as ASCII bytes.
Key *:
- Must fill all 16 spaces
- No Zeros
- AlphaNumeric
- '-' gets filtered out (Install Program adds them in as a reference)
- All letters are converted to UPPERcase
? Special Chars Unknown,
- No reordering or transposing
Serial :
- All letters are converted to lowercase (valid serials don't have any regardless)
- No checking for valid serials seems to be going on, allows any entry
Name/Company Name:
- Spaces and '@' are filtered out, all letters changed to lowercase
- No change is made to other special !#$%^&*()_-+=[]\{|}:;"'<>,./? chars
Constant Code : (This seems to be the 'table' the final key check (MagicCode) is pulled from)
- 32 byte code - "CDRA XNST W54B H6Y9 Z7EF GIKL M231 PU8V"
- Constant, Pulled from file, NOT Based on Serial, CO, or KEY
- Header seems to be ignored, but odd that it says "EncodePNDproducts..." (Bad Programming?)
MagicCode:
- Derived from ConstCode :
- 16 Bytes
- Based on / Changes with Name, Serial Number, and KEY (key is odd, so long as key starts with AC)
- Matched 1 for 1 to KEY for successful validation (90% certain, I have the asm code for it, does one little funny thing at the end)
- Magic Code Examples
Company  Serial        KEY                  MagicCode
TEST     117100011711  4444-4444-4444-4444  ACCHKBUNUDRPVDG2  <- Random on restart
TEST     117100011711  5555-5555-5555-5555  ACCHKBUNUDRPVDG2
TEST     117100011711  ACCH-KBUN-UDRP-VDG2  ACCCFXS7YS8SW25M  <- True Key Format
TEST     117100011711  XCCH-KBUN-UDRP-VDG2  ACCHKBUNUDRPVDG2
TEST     117100011711  XCCH-KBUN-UDRP-VDGX  ACCHKBUNUDRPVDG2
XXXX     117100011711  4444-4444-4444-4444  ACCWGITR6TPVTFBF
TEST     017100011710  4444-4444-4444-4444  ACCZVP2DT33SX7VV
* For some reason I cannot explain, all the codes generated start with 'ACC'
Now, some specifics about the order in which this is done,
It seems the coefficient number is just an intermediate 8 byte number that is put into the MagicCode function, which really pulls 1 of 32 bytes from ConstantCode (kind of a table). Now, something to note is that when this is done, it's done per byte. I need to examine a little further, as I don't think it's 1 byte of Coeff makes 2 of Magic Code, but it does go in order; it might be 4 of Coeff in a FIFO pile that rotates new bytes in as old go out type of thing. I'll document that today.
Right there as it makes MagicCode byte by byte maybe I could reverse and figure out some way to make smaller brute force chunks ?
I don't know, I just confuse myself.... Any thoughts? I can post the ASM for these parts but I don't know if it would help since there isn't much stack data
Crap. Just ran Draca.exe (first Crypto Analyzer that came up in google). This is what I got.
analyzing... done
results:
* Blowfish - 100%
total 1 algorithm(s) recognized
I'm not sure if the Serial+Name+Key part is Blowfish or maybe the Coeff to Magic Key ?
Does that mean I'm screwed, or better off now that I know its method and can maybe pull all the data to re-create its end result?
Here are some code bits I've been dealing with. I know it's mostly useless without the stacks, or really just even outside of SoftIce, but I figured maybe someone might see something that I missed (likely).
I posted some code and realized as I was doing it one of the functions was the Blowfish Encrypt routine.
So now I know that my code is using Blowfish.
I have all 4 S-Boxes and the PI array (which gets modified from the standard one pulled from the dll)
I'm working through the blowfish code now, but while I'm doing it I still just can't get my head around one thing.
Knowing now that something is being Blowfish encrypted, how is it possible to combine a Serial, Name and Key (probably in BF), take the result and then use it to generate a MagicCode that is 'supposed' to match the key?!
I'm like 1/16 into the blowfish routine, so I'm not even sure exactly where my data is added in yet.
Just thought maybe someone would have a conceptual idea as to what they could be doing.
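To make the structure described in the rules list and the last question concrete, here is an added model of the check; it is not code from the program or from anyone in this thread. It applies the documented input filters, a stand-in derivation (SHA-256 in place of the not-yet-analysed Blowfish step, a 5-bit-per-character lookup into the quoted 32-byte table, and the observed rule that only keys starting with AC influence the result, all three being assumptions), and the final compare, which is enough to show why the 4444 and 5555 rows yield the same MagicCode.

```python
import hashlib

# 32-byte constant table quoted in the thread (the spaces in the post are display grouping only).
CONST_CODE = "CDRAXNSTW54BH6Y9Z7EFGIKLM231PU8V"


def normalise(name, serial, key):
    """Apply the input filters the thread documents before any derivation happens."""
    name = name.replace(" ", "").replace("@", "").lower()   # other special chars untouched
    serial = serial.lower()
    key = key.replace("-", "").upper()                       # installer dashes are cosmetic
    if len(key) != 16 or "0" in key or not key.isalnum():
        raise ValueError("key must be 16 alphanumeric characters with no zeros")
    return name, serial, key


def make_coefficient(name, serial, key):
    """Stand-in for the unknown 8-byte routine (assumption: SHA-256 instead of Blowfish).
    Models the thread's observation that the key only changes the result when it
    begins with 'AC'; any other key contributes nothing to the coefficient."""
    key_part = key if key.startswith("AC") else ""
    return hashlib.sha256(f"{name}|{serial}|{key_part}".encode()).digest()[:8]


def generate_compare_key(coeff):
    """Expand 8 bytes into 16 characters of CONST_CODE.  The real per-byte schedule is
    unknown; this assumed mapping takes two overlapping 5-bit indexes from each byte."""
    out = []
    for b in coeff:
        out.append(CONST_CODE[b & 0x1F])
        out.append(CONST_CODE[(b >> 3) & 0x1F])
    return "".join(out)


def magic_code(name, serial, key):
    """What the binary computes and then compares against the entered key."""
    n, s, k = normalise(name, serial, key)
    return generate_compare_key(make_coefficient(n, s, k))


def validate(name, serial, key):
    """The check itself: VALID only if the derived code equals the key that was entered."""
    _, _, k = normalise(name, serial, key)
    return magic_code(name, serial, key) == k


if __name__ == "__main__":
    # Constructed inputs, taken from the rows of the thread's own table.
    for k in ("4444-4444-4444-4444", "5555-5555-5555-5555", "XCCH-KBUN-UDRP-VDG2"):
        print(k, magic_code("TEST", "117100011711", k), validate("TEST", "117100011711", k))
```

Because the derivation uses nothing the binary does not already hold, the compare reduces to a deterministic function of name, serial and a constant table; the model does not reproduce the real program's 'ACC' prefix, which the thread leaves unexplained.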