#1
|
|||
|
|||
Easy keygen targets with pep
I started recently trying my hands on some programs I had downloaded back in the early 2000 when I started with RCE.
So a few days ago I installed programs from Jaibosoft and to my surprise they were all with a long list of hardcoded 8 digit serials. So boring I thought. However two of these programs (Outbreak with 500 and Astute DIB with 1030 hardcoded serials) had SHA1 hash algorithm implemented instead of the bare 8 digit serials. The interesting thing is that the hardcoded serials are of 32 Chars or 128 Bits (16 Bytes) which should mean an MD5 Hash instead of 160 Bites (20 Bytes) or 40 Chars for SHA1 hashes. As the programs first check whether the entered 8 chars for the serial are digits between 0…9, it looked at the first glance that keygenning aka brute forcing them could be the solution. This turns out not be feasible then the hardcoded serials as already stated above are actually SHA1 Hashes with the last 8 chars (4 Bytes) truncated. The serial checking algorithm is as follows: 1. Check if chars of entered serial are digits 2. SHA1(Entered serial) 3. Compare first 32 Chars of the result under 2. with the hardcoded serials and set good/bad guy flag if a match is found or not. Patching is not an issue here at all as I was only interested in a keygen. Then the number of possible SHA1 hashes to generate and then compare with the hardcoded serials will be nPr (permuting the number of subsets of 8 from 10 digits that can be created and can include the same digits in different orders) would have the following combinations: Code:
P(n,r)=P(10,8) = 10! ÷ (10-8)! = 1814400 |
#2
|
|||
|
|||
Update
Well I managed to do it.
It was in the end easier than I thought, due to the fact that only numeric string were hashed. The solution was: Code:
For i=11000000 to 99999999 res=SHA1(i) for j=1 to lenHashTable if res=HashTable(j) Write2File (i=HashTable(i) end if next j Append2HashedFile (res) next i Every 500000 SHA1 hashes generated was saved to a file was which had a size of approx. 27,34 MB. PS: The start value was chosen to be 11000000 because the range from 10000000 to 10999999 was used in the testing of the program which yielded no collision with the hardcoded hashes. |
The Following User Says Thank You to TempoMat For This Useful Post: | ||
tonyweb (03-17-2019) |
Thread Tools | |
Display Modes | |
|
|