Help with generating serial
Hi guys,
I'm currently working on a piece of software and it is driving me crazy. I am able to 'register/activate' it by fudging all of the jumps at the serial key checker. However, I cannot for the life of me figure out the routine that actually creates the serial numbers.. Would any of you like to check this out and possibly give me an idea of how to do it? I don't really want the company looking this direction by mentioning the name of it, but here is the link to the installer. (It's used for Nissan cars) Link to the software: Code:
https://nisscan.com/NDSI/index.php?content=download Code:
Private Sub btnUnlock_Click() '53DC71 |
Hello,
try to look at loc_0052cf95 maybe this is what you looking for |
Hi Xobor,
I appreciate your help with this! What made you look at that address? It's almost the very first thing that's done right after the entry point - I don't see anything about activation or registration? Sorry, I'm not the greatest with this stuff yet, but am learning! |
Hello
in this function application reads ActivKey from registry and does some checks it came interesting to me best regards |
It seems Proc_23_0_565AB7 is calculating something relevant. What does the decompilation show for that part?
|
Quote:
|
Hi,
The procedure to generate the RegistrationCode aka RegCode in the version 1.63 with modified date 13.05.2013 is as follows: Code:
1. Generate 16 radom numbers of base 256=Res1 From my investigation so far, I could not find the RegName and Email(no syntax check) been used or referenced anywhere during the check of the activation key. They are however mandatory and the user will be promted to fill the corresponding empty field(s) before the RegistrationCode will be generated. Anyways, the ActivationKey does the same thing but with Key="Tomasz" instead of "Lilys". It should be noted however that both the initial 16 RadomNumbers(Res1) and the VolumeID (Res2) are in the resulted Regcode and are thus used to generate the ActivationKey, so that the 3 compares it does after decoding and decrypting the ActivationKey will match the original values. Regards, TemPoMat PS: If I have time I will try to write a Keygen for it |
Quote:
3. ConcatSeveralStrings("*",Res2,"#")=Res3 just a note, the volume serial number is in number format, not hex format |
Quote:
and for the 2.Step it would have been clearer if I had written it as: 2. Hex2SignedDec(VolumeInfoA("C:\"))=Res2 |
1 Attachment(s)
The Activation Key is calculated as follows:
Code:
1. AK1 = the 16 RandomBytes from Res1 3. ConcatSeveralStrings("*", Res2 ,"#")=Res3 Cheers |
Actually, "#" and "*" to be removed to create Activation Code.
Code:
string pass_1 = "?????"; |
Thank you, everyone, for helping me out with this.
I will have some free time on Thursday night to check it out again, with all of your notes by my side! I appreciate all of you :) @raduga_fb - is there a certain module that you used when using RC4? Visual Studio only has RC2 by default, from what I can remember. |
RC4
Code:
public class RC4 |
Hi @raduga_fb
I really appreciate all of the help you've given me! I compiled the code that you have given me, but am still receiving an error message stating that the activation key is incorrect. Here is a screenshot of the source, the activation code generated and the error on activation: https://f0il.com/datascan.png Am I doing something wrong in all of that? I'm still trying to wrap my head around how you figured all of this out in the first place lol sorry for my ignorance! |
:) You need to eat much more bread.
Who said that pass_1 & pass_2 should be name & email? They are already mentioned above. string pass_1 = "?????" <- 5 digits = Li*** string pass_2 = "??????" <- 6 digits = To**** |
I did some tests on step 2 with different values for the VolumInfoA
2. AK2 = the Hex2SignedDec(VolumeInfoA("C:\")) from Res2 and found out that if the value of the VolumeSerialNumber is positive i.e. below 0x80000000 then the converted value has a space(0x20) instead of "+" before it. Final thing to note is that the RegCode should always be generated on the target computer. Then the 3 checks the program does are all related to the result from Step2 First it gets the Hex2SignedDec(VoluemInfoA("C:\")=>VolumeSerialNum then decrypts the RegCode and the ActivKey and final does the following comparisons: Is VolumeSerialNum=Res2 from decrypted RegCode? Is VolumeSerialNum=AK2 from the decrypted ActivKey? Is Res2=AK2? |
Quote:
Ahhh, okay, that worked! I do need much more knowledge with encryption and decryption. I am reading lots of material about the subjects, and am rewriting your code by hand on paper to try to understand the flow a little better :) I did receive an error on a second test machine about the Registration Code not being a valid Base64 string, but I'll cross that bridge later. Thank you again for all of your help, I haven't ever put much effort into reversing keys! :) Quote:
I am studying over everything that everyone has told me and am not going to give up on it! Thank you so much |
Actually the RegCode is useless for generating a working key. also check 3 is redundant. is only checking if the VolumeSerialNum from RES2 is the same VolumeSerialNum from AK2. If check 1 & 2 pass, 3 has no choice but to pass
|
Quote:
Quote:
A Keygen can for instance have the option for the user to enter a Regcode (Registation code) from a different machine and generate the corresponding ActivKey (Activation Key). Also just for a gemmick, it could include options to decode the RegCode and ActiveKey to compare the RandomBytes and the VolumeSerialNum. |
Quote:
Any random bytes will work so they do not need to be extracted as the program decrypts the decoded bytes using the first 16 bytes as the key. Code:
var_2C = Proc_23_0_565AB7(Mid(var_3C, 17, Len(var_3C)), Mid(var_3C, 1, 16), 0) for example... using 0123456789ABCDEFFEDCBA9876543210 as the random bytes / key and using *-91511383# from the first post, this key should work for that computer ts3Huirg1Olt00VIn78ZgsVes7y8VZqw1Q== |
Quote:
Meaning that the key is valid if and only if the Regcode is replaced with a newly generated one with your sample random bytes. The VolumeSerialNum is for sure the only part that is always the same on a target machine but every newly generated RegCode will have a different random bytes which are used in the ActivKey generation as well. Therefore using different random bytes as in your key with the initial RegCode from post #1 will fail. As a prove, deleting the string value for RegCode in the registry location: example Code:
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\NDataScan\Activation] I assume this is one of the reasons it is doing the 3 checks. |
It will work regardless. I've tried it, using my own volume serial of course.
There is does no check against the random bytes. Code:
var_8020 = GetVolumeInformation("C:\", String$(256, False), 255, global_005C507C, global_005C5084, global_005C5080, String$(256, False), 255) Code:
var_2C = Proc_23_0_565AB7(Mid(var_3C, 17, Len(var_3C)), Mid(var_3C, 1, 16), 0) Code:
var_8050 = Proc_23_0_565AB7(Proc_24_1_56681B(GetSetting("NDataScan", "Activation", "RegCode", 10), var_CC, 80020004h), "Lilys", var_C4) Code:
If CBool((var_2C = var_34) And (var_2C = Str(global_005C507C)) And (var_34 = Str(global_005C507C))) Then compare the decoded VolumeSerial# from our input with the decoded VolumeSerial# from registry, less the left and right chars. check 2 -> var_2C = Str(global_005C507C) compare the decoded VolumeSerial# from our input with the GetVolumeInformation VolumeSerial# check 3 -> var_34 = Str(global_005C507C) decoded VolumeSerial# from registry, less the left and right chars with the GetVolumeInformation VolumeSerial# as i said before, check 3 is redundant. It will always pass as the program generated it . |
Quote:
That is because the random bytes used to encrypt the VolumeSerialNum in the 1.encryption are in themselves included in each case in the 2.encryption leading to the final RegCode and the ActivKey respectively. Therefore an ActivKey generated with the same VolumeSerialNum of a target machine will work regardless of the RegCode. Quote:
|
All times are GMT +8. The time now is 06:50. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX