Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Hardcoded md5 serial number crack (https://forum.exetools.com/showthread.php?t=20256)

TmC 09-15-2022 05:13

Hardcoded md5 serial number crack
 
Good evening to all of you!

I am currently trying to crack a program that can be registered with a pre-defined set of serial numbers, hardcoded into the application as a big set of md5 hashes (the serial number format is !!!!-!!!!-!!!!-!!!! where ! can be anything in ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789)

I am sorry I can't share the program since it contains recognisable data.

I am currently trying two ways:

1. I extracted all serial number hashes, and am currently running a generator that randomises numbers between 1 and 36 and then takes the corresponding value from the allowed char set and forms a random serial number, then converts it to md5 and checks if the hash is in the list. If not, discard and try a new one. The program has been running for 4 hours and not a single valid serial number has appeared.

2. I built a program to generate all possible combinations of serial numbers, both clean and as md5 values. In 4 hours of runtime, I completed the last four !!!!, but the remaining !!!!-!!!!-!!!! still has to come and I suspect it will run for long.

Since none of the methods appear to yield a result in a reasonable time, does any of you have any suggestion to speed up the process?

Might the CUDA toolkit be of any help?

I also thought about rainbow tables, but they tend to be more useful for words, rather than for serial numbers. I know they are precomputed and that a serial number is just a defined series of chars... but I don't know if rainbow tables for serial numbers exist.

Thanks to anyone.

aijundi 09-15-2022 13:21

Unfortunately, neither way will yield any results. You have a 16 character serial with 36 character charset, that is 36^16 combinations, almost 8*10^24.

Assuming you crack trillions of passwords per second, it will take thousands of years to go through all these combinations.

If you still want to try cracking the hashes, then use a tool called hashcat, making a program yourself will most likely be very slow compared to it.
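The arithmetic behind the estimate above, worked through as an added example (not code from the thread). It also covers a point the thread only implies: a cracker that loads the whole extracted hash list checks every candidate against all of the hashes at the cost of one set lookup, so the expected work to find the first valid serial is 36^16 divided by the number of hashes in the list, not 36^16. The hash rates used below (1e6/s for a naive Python loop, 1e11/s for one GPU running hashcat MD5) are assumptions for illustration.

```python
"""Added example (not from the thread): feasibility arithmetic for brute-forcing
16 variable characters over a 36-symbol alphabet, single-target and multi-target."""
import math

CHARSET_SIZE = 36          # A-Z plus 0-9, as stated in the original post
VARIABLE_CHARS = 16        # the three dashes are fixed, so they add nothing
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_size: int = CHARSET_SIZE, length: int = VARIABLE_CHARS) -> int:
    return charset_size ** length


def exhaustive_years(rate_per_second: float, ks: int = None) -> float:
    """Time to enumerate every candidate once (worst case for a single target)."""
    ks = keyspace() if ks is None else ks
    return ks / rate_per_second / SECONDS_PER_YEAR


def expected_trials_to_first_hit(n_targets: int, ks: int = None) -> float:
    """Each candidate matches one of n_targets valid serials with probability
    n_targets/ks, so random sampling and ordered enumeration alike need about
    ks/n_targets candidates on average before the first hit. Checking a candidate
    against all n hashes (hash-set lookup) costs the same as checking against one."""
    ks = keyspace() if ks is None else ks
    return ks / n_targets


def years_to_first_hit(rate_per_second: float, n_targets: int, ks: int = None) -> float:
    return expected_trials_to_first_hit(n_targets, ks) / rate_per_second / SECONDS_PER_YEAR


def p_hit_within(trials: float, n_targets: int, ks: int = None) -> float:
    """Probability that random sampling has found at least one valid serial after
    `trials` draws: 1 - (1 - n/ks)^trials, which is 1 - exp(-trials*n/ks) for small n/ks."""
    ks = keyspace() if ks is None else ks
    return 1.0 - math.exp(-trials * n_targets / ks)


if __name__ == "__main__":
    print(f"keyspace 36^16 = {keyspace():.3e}")
    # Assumed rates, not measured figures.
    for label, rate in [("naive Python loop, 1e6/s", 1e6),
                        ("one GPU with hashcat, 1e11/s", 1e11),
                        ("1e12/s", 1e12)]:
        print(f"{label:30s} exhaustive search: {exhaustive_years(rate):.3g} years")
    for n in (1, 1_000, 1_000_000):
        print(f"{n:>9d} hashes in the list: first hit after ~{years_to_first_hit(1e11, n):.3g} GPU-years")
    # The original poster's 4-hour random-sampling run, assuming 1000 target hashes:
    print(f"P(hit) after 4 h at 1e6/s vs 1000 hashes: {p_hit_within(4 * 3600 * 1e6, 1000):.2e}")
```

The multi-target term is the only lever that helps, and even a list of a million hashes leaves roughly 2.5 GPU-years per hit at the assumed rate; the keyspace itself is the problem, as the post says.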

LaDidi 09-15-2022 13:54

@TmC :
Calculate MD5 with your serial.
Change one MD5 hash with this one.
That's all.

foosaa 09-15-2022 15:46

Quote:

Originally Posted by LaDidi (Post 126024)
@TmC :
Calculate MD5 with your serial.
Change one MD5 hash with this one.
That's all.

Yes. This is the simplest attack you could do. Don't worry about cracking the hash. Attack the hash by replacing one of the existing hashes with a known hash.

If you find the location of the predefined hashes in the program, create a new MD5 hash of any string (say blablabla) and replace one of the hashes in the existing predefined hashes with the created hash and you are done. It should work unless there are any other checks that are based on the serial number.

If you would like to share the executable privately for patching, let me know and I'll see if I can help to patch it.
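The replace-one-hash approach from the two posts above, as an added example on a constructed stand-in binary (this is not code from the thread and not the real program). The layout it assumes, hex-encoded MD5 strings stored NUL-terminated somewhere in the file, is a guess made for the demo; on a real target the table is located with a disassembler or by searching for the hashes you already extracted. As foosaa notes, the patch only helps if nothing else consumes the serial.

```python
"""Added example (not from the thread): locate a hardcoded MD5 table in a binary
image, overwrite one entry with MD5(serial of your choosing), and confirm the
check now accepts that serial while the file length and other entries are unchanged."""
import hashlib
import re

# A 32-char lowercase hex run not adjoined by other hex digits: the hex form of an MD5 digest.
# Tables of raw 16-byte digests need a different locator (search for a known digest instead).
HEX_MD5 = re.compile(rb"(?<![0-9a-fA-F])[0-9a-f]{32}(?![0-9a-fA-F])")


def serial_md5_hex(serial: str) -> bytes:
    return hashlib.md5(serial.encode()).hexdigest().encode()


def build_sample_image(valid_serials) -> bytes:
    """Constructed stand-in for the protected executable: header, some strings,
    a NUL-terminated table of hex MD5 strings, trailer."""
    table = b"".join(serial_md5_hex(s) + b"\x00" for s in valid_serials)
    return b"MZ\x90\x00" + b"Registration\x00" + table + b"\x00END\x00"


def find_md5_table(image: bytes):
    """(offset, hex string) for every embedded MD5-looking string, in file order."""
    return [(m.start(), m.group()) for m in HEX_MD5.finditer(image)]


def program_check(image: bytes, serial: str) -> bool:
    """Emulates the check the thread describes: MD5(serial) must be in the hardcoded list."""
    return serial_md5_hex(serial) in {h for _, h in find_md5_table(image)}


def patch_one_entry(image: bytes, index: int, new_serial: str) -> bytes:
    """Overwrite table entry `index` with MD5(new_serial). Same length in and out,
    so nothing else in the file moves."""
    entries = find_md5_table(image)
    offset, old = entries[index]
    new = serial_md5_hex(new_serial)
    assert len(new) == len(old) == 32
    return image[:offset] + new + image[offset + 32:]


if __name__ == "__main__":
    # Made-up "vendor" serials; their hashes form the table.
    image = build_sample_image(["Q7K2-9MZP-4A1C-XB8D", "H3F9-LW0R-TT5E-2NYJ"])
    mine = "AAAA-BBBB-CCCC-DDDD"
    print("table entries:", len(find_md5_table(image)))
    print("accepted before patch:", program_check(image, mine))
    patched = patch_one_entry(image, 0, mine)
    print("accepted after patch: ", program_check(patched, mine))
```

Re-running the emulated check after patching is the step worth keeping from this: it tells you immediately whether the bytes you changed are the ones the program actually consults.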

TmC 09-15-2022 17:55

Quote:

Originally Posted by foosaa (Post 126026)
It should work unless there are any other checks that are based on the serial number.

There is no problem with patching the program (inlining rather than patching, since it is part of a suite that also has a hardware part, and the hardware checks program integrity at startup).

Unfortunately, the serial is also checked when requesting updates through the update routine, and even patching the program won't pass the server check.

The serial is passed in cleartext so a patch that simply gives one random hash to check does not work.

TmC 09-15-2022 18:56

Quote:

Originally Posted by aijundi (Post 126023)
If you still want to try cracking the hashes, then use a tool called hashcat, making a program yourself will most likely be very slow compared to it.

Do you know if it is possible to supply a mask for the well known parts while letting the program generate unknown ones?

aijundi 09-15-2022 19:53

Quote:

Originally Posted by TmC (Post 126029)
Do you know if it is possible to supply a mask for the well known parts while letting the program generate unknown ones?

Yes it is possible

traf0 09-16-2022 02:41

Quote:

Originally Posted by TmC (Post 126029)
Do you know if it is possible to supply a mask for the well known parts while letting the program generate unknown ones?

Great tutorial on how to perform a mask attack using hashcat
Code:

https://www.4armed.com/blog/perform-mask-attack-hashcat/
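What a mask for this serial format looks like, as an added example that is not part of the thread: known characters stay literal, each unknown position becomes the custom charset `?1`, and the keyspace shrinks by a factor of 36 per known character. The `-m 0`, `-a 3` and `-1` options are real hashcat flags; the templates and the hash list are constructed for the demo. The block also runs the same expansion locally against a small hash list, so the multi-target check can be seen without a GPU.

```python
"""Added example (not from the thread): build a hashcat mask from a partly known
serial, size what is left, and enumerate a small mask locally against a hash list."""
import hashlib
import itertools
import shlex

CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
CUSTOM_CHARSET_1 = "?u?d"      # hashcat: uppercase + digits, i.e. CHARSET
UNKNOWN = "!"                  # the placeholder the original post uses


def hashcat_mask(template: str) -> str:
    """'AB!!-!!!!-!!!!-!!!!' -> 'AB?1?1-?1?1?1?1-?1?1?1?1-?1?1?1?1'.
    Known characters are literals; a literal '?' has to be written '??'."""
    return "".join("?1" if ch == UNKNOWN else ("??" if ch == "?" else ch) for ch in template)


def mask_keyspace(template: str) -> int:
    return len(CHARSET) ** template.count(UNKNOWN)


def hashcat_command(hashfile: str, template: str) -> str:
    """-m 0 = raw MD5, -a 3 = mask attack, -1 = definition of custom charset ?1.
    hashfile holds one hex digest per line; every candidate is checked against all of them.
    Quoting matters: both '?u?d' and the mask contain '?', which the shell would glob."""
    return " ".join(["hashcat", "-m", "0", "-a", "3", "-1", shlex.quote(CUSTOM_CHARSET_1),
                     shlex.quote(hashfile), shlex.quote(hashcat_mask(template))])


def mask_candidates(template: str):
    """Every serial the mask expands to (hashcat orders its candidates differently,
    but the set is the same)."""
    slots = [i for i, ch in enumerate(template) if ch == UNKNOWN]
    chars = list(template)
    for combo in itertools.product(CHARSET, repeat=len(slots)):
        for i, ch in zip(slots, combo):
            chars[i] = ch
        yield "".join(chars)


def crack(target_hex_hashes, template: str) -> dict:
    """Local multi-target mask attack: one MD5 per candidate, one set lookup for all hashes.
    Returns {hex digest: serial} for everything found."""
    remaining = {h.lower() for h in target_hex_hashes}
    found = {}
    for serial in mask_candidates(template):
        if not remaining:
            break
        digest = hashlib.md5(serial.encode()).hexdigest()
        if digest in remaining:
            found[digest] = serial
            remaining.discard(digest)
    return found


if __name__ == "__main__":
    full = "!!!!-!!!!-!!!!-!!!!"
    partial = "ABCD-EFGH-IJKL-MN!!"
    print(hashcat_command("hashes.txt", full))
    print(f"{full}: {mask_keyspace(full):.3e} candidates")
    print(f"{partial}: {mask_keyspace(partial)} candidates")
    # Constructed target list: hashes of two serials that fit the partial template.
    targets = [hashlib.md5(s.encode()).hexdigest()
               for s in ("ABCD-EFGH-IJKL-MNOP", "ABCD-EFGH-IJKL-MN7Z")]
    print(crack(targets, partial))
```

Two unknown characters are 1,296 candidates and finish instantly; every additional unknown multiplies that by 36, so a mask attack is only a real option when most of the serial is already known.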

TempoMat 09-16-2022 04:55

Quote:

Originally Posted by aijundi (Post 126023)
Unfortunately, neither way will yield any results. You have a 16 character serial with 36 character charset, that is 36^16 combinations, almost 8*10^24.

hashcat, making a program yourself will most likely be very slow compared to it.

Shouldn't the number of combinations be 36^19, if the password format is given as !!!!-!!!!-!!!!-!!!!?
Or are the 3 dashes removed from the password before the MD5 hash?

@TmC: Can you share the extracted MD5 Hashes?
Just a dumb question: Are the MD5 init variables the standard ones?

aijundi 09-16-2022 05:43

Quote:

Originally Posted by TempoMat (Post 126035)
Shouldn't the number of combinations be 36^19, if the password format is given as !!!!-!!!!-!!!!-!!!!?
Or are the 3 dashes removed from the password before the MD5 hash?

I have no idea if they are removed or not, but they either never change or are removed, which in both cases leaves 16 variable characters.

TmC 09-16-2022 06:06

Quote:

Originally Posted by TempoMat (Post 126035)
Shouldn't the number of combinations be 36^19, if the password format is given as !!!!-!!!!-!!!!-!!!!?
Or are the 3 dashes removed from the password before the MD5 hash?

The 3 dashes are always there, they are known chars.

Quote:

Originally Posted by TempoMat (Post 126035)
Just a dumb question: Are the MD5 init variables the standard ones?

Don't understand

Jupiter 09-16-2022 16:09

MD5 collisions
 
When I saw title of this thread ("Hardcoded md5 serial number crack") my first thought was "COLLISIONS". But no one mentioned MD5 collisions yet.

It's better to treat the serial number as bytes (not as text) to successfully implement an attack.

You can find appropriate MD5 collision sources at GitHub, for example:
MD5 collision

Quote:

Originally Posted by TmC (Post 126037)
Don't understand

Maybe he means the MD5 initial values from the reference implementation.
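The question about the MD5 init variables, and the dash question before it, come down to one check: take a single (serial, hash) pair that the program is known to accept and see whether standard MD5 over some plausible byte form of the serial reproduces the hash. If no form matches, the program is not hashing what you think it is, or its MD5 is not the reference MD5. The code below is an added example, not from the thread; it carries a reference-style MD5 with a pluggable initialisation vector so the effect of swapped init values can be seen, and the list of candidate preimage forms is a set of guesses for the demo, not facts about the thread's program.

```python
"""Added example (not from the thread): RFC 1321 MD5 with a pluggable IV, plus a
check that identifies which byte form of a serial a program hashes, if any."""
import hashlib
import math
import struct

# Standard MD5 initial state (RFC 1321, 3.3). A protected program may swap these
# four words so that stock crackers and rainbow tables never match its hashes.
STANDARD_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MASK32 = 0xFFFFFFFF
# Per-step rotation amounts and the sine-derived additive constants of RFC 1321.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_with_iv(data: bytes, iv=STANDARD_IV) -> bytes:
    """MD5 whose only deviation from RFC 1321 is that the initial state is a parameter."""
    a0, b0, c0, d0 = iv
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE
    for off in range(0, len(msg), 64):
        m = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | (~d & MASK32)), (7 * i) % 16
            f = (f + a + K[i] + m[g]) & MASK32
            a, d, c = d, c, b
            b = (b + _rotl(f, S[i])) & MASK32
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def preimage_variants(serial: str) -> dict:
    """Byte strings a program might plausibly feed to MD5 for a serial typed as
    XXXX-XXXX-XXXX-XXXX. These are guesses to test, not facts about any program."""
    return {
        "as typed": serial.encode(),
        "dashes removed": serial.replace("-", "").encode(),
        "lowercased": serial.lower().encode(),
        "utf-16le (Windows wide string)": serial.encode("utf-16-le"),
        "with trailing NUL": serial.encode() + b"\x00",
    }


def identify_md5_variant(serial: str, observed_hex: str):
    """Name of the preimage form whose standard MD5 equals observed_hex, or None.
    None means a form not in the list, or a non-standard MD5 (e.g. changed IV)."""
    target = bytes.fromhex(observed_hex)
    for name, pre in preimage_variants(serial).items():
        if hashlib.md5(pre).digest() == target:
            return name
    return None


if __name__ == "__main__":
    serial = "ABCD-EFGH-IJKL-MNOP"                      # constructed sample serial
    print("standard:", md5_with_iv(serial.encode()).hex())
    print("custom IV:", md5_with_iv(serial.encode(), iv=(1, 2, 3, 4)).hex())
    print(identify_md5_variant(serial, hashlib.md5(b"ABCDEFGHIJKLMNOP").hexdigest()))
    print(identify_md5_variant(serial, md5_with_iv(serial.encode(), iv=(1, 2, 3, 4)).hex()))
```

If `identify_md5_variant` returns a name, hashcat's `-m 0` applies to that byte form (and the mask must produce it, e.g. without dashes). If it returns None for every pair you try, extract the four initial-state constants from the program's MD5 routine and compare them with `STANDARD_IV` before spending any GPU time.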

TmC 09-16-2022 16:30

Quote:

Originally Posted by Jupiter (Post 126039)
When I saw title of this thread ("Hardcoded md5 serial number crack") my first thought was "COLLISIONS". But no one mentioned MD5 collisions yet.

It's better to treat the serial number as bytes (not as text) to successfully implement an attack.

You can find appropriate MD5 collision sources at GitHub, for example:
MD5 collision

Maybe he means the MD5 initial values from the reference implementation.

They are plain MD5 textual hashes like MD5(Serial) = Hash

aijundi 09-16-2022 17:23

Perhaps you can check this and do something similar

foosaa 09-16-2022 17:56

Quote:

Originally Posted by TmC (Post 126028)
There is no problem with patching the program. (inlining rather than patching, since it is part of a suite that has also a hardware part and the hardware is checking for program integrity at startup).

Unfortunately, the serial is checked also when requesting updates through the update routine, and even patching the program wont pass the server check.

The serial is passed in cleartext so a patch that simply gives one random hash to check does not work.

Yup. Thought so. Would you mind sharing the program name in a PM? Thanks.

