Reversing Key using pattern

I have a device that uses feature codes to turn on/off features. It is system serial# specific.

I have a list of valid codes based on serial#'s... so I thought I'd see if I could find a pattern. Well I did for the one I tried. And I can create valid keys for that feature. However I would like to try to figure out the algorithm as there are over 30 features and that would take forever to manually decipher. This is probably more in line with cryptography than cracking.

Does anyone have information that may help me discover the algorithm based on pattern recognition? The license keys are 12 chars only from back in the early 1990's.

Thanks,

P.S. My guess is that they are using a lookup table. If this number = x then lookup and use k, etc. But not 100%. Program is not MS-DOS/WIN based so no debugger.

Quote:

Originally Posted by Maltese

P.S. My guess is that they are using a lookup table. If this number = x then lookup and use k, etc. But not 100%. Program is not MS-DOS/WIN based so no debugger.

For what cpu is this program ?

Lynx OS is the operating system which is an off-shot of Unix. Not sure on the CPU exactly. Possibly made by Motorola. They used Sun Microsystems in their facility.

from back of 90'... hm, 68k ? no way to disasm the program ?

Apparently there is a debugger with LynxOS on the trial CD. I will have to re-install it and check that out.... I do not have documentation. It's not like a windows debugger...think DOS-like.

check here: h!!p://www.gnu.org/software/gdb/documentation/

[DARKER]

There is no generic information that may help you discover the algorithm based on pattern recognition because there can be millions of possibilities how to do it ... Best way is try reverse original app. First analyze compiled language then try find some disassembler or debugger ...
Or if you have a lot of keys you can try analyze what is changing with specific feature.

I have decoded 3 feature keys using patterns alone. It's not very complex, but now it's a pain for the feature I'm working on now.

As an example I have provided 3 legitimate codes used to reverse the pattern.

System Serial# = 50000, Legitimate license code = aMrNvhKz6pR3
System Serial# = 50217, Legitimate license code = aMvRwDKzEhO3
System Serial# = 65218, Legitimate license code = MAzPvwoNMlR-

Now let's pick a random serial number between 50000 & 65000: 54222

Here is this features reversal to get to generate the licensed code.

1st digit in serial number determines 1st digit in licensed code:

5xxxx = a
6xxxx = M


2nd digit of Licensed code is determined by the 1st 2 digits in serial Number:

50xxx = M
51xxx = 6
52xxx = U
53xxx = E
54xxx = Q
55xxx = A
56xxx = Y
57xxx = I
58xxx = unknown - no data
59xxx = 8

60xxx = M
61xxx = 6
62xxx = U
63xxx = E
64xxx = Q
65xxx = A


3rd digit of serial# (only) determines 3rd digit in licensed code

xx0xx r
xx1xx z
xx2xx v
xx3xx 3
xx4xx t
xx5xx 1
xx6xx x
xx7xx 5
xx8xx q
xx9xx y


4th digit of serial# (only) determines 4th digit in licensed code

xxx0x = N
xxx1x = R
xxx2x = P
xxx3x = T
xxx4x = M
xxx5x = Q
xxx6x = O
xxx7x = S
xxx8x = N
xxx9x = R


5th digit of serial# (only) determines 5th digit in licensed code

xxxx0 = v
xxxx1 = x
xxxx2 = u
xxxx3 = w
xxxx4 = v
xxxx5 = x
xxxx6 = u
xxxx7 = w
xxxx8 = v
xxxx9 = x


For 6th digit of license code, use chart below:

If serial# starts with 5, use:

Look at last number (of serial) and match with chart:

0 = h
1 = h
2 = h
3 = h
4 = D
5 = D
6 = D
7 = D
8 = x
9 = x

If serial# starts with 6, use:

Look at the last number (of serial) and match with chart:

0 = g
1 = g
2 = g
3 = g
4 = C
5 = C
6 = C
7 = C
8 = w
9 = w


For 7th digit of license code, use chart below:

If serial# starts with 5, 7th pos = K
If serial# starts with 6, 7th pos = o



For 8th digit of license code, use chart below:

Look at last 4 of serial# (ignore the last 3). Using the first number, use the chart below:

0xxx = z
1xxx = V
2xxx = j
3xxx = F
4xxx = r
5xxx = N
6xxx = b
7xxx = 7
8xxx = unknown - no data
9xxx = Z



For 9th digit of license code, use chart below:

Look at last 3 of serial# (ignore the last 2). Using the first number, use the chart below:

0xx = 6
1xx = M
2xx = E
3xx = U
4xx = A
5xx = Q
6xx = I
7xx = Y
8xx = 8
9xx = O


For 10th digit of license code:

Look @ last 2 digits of serial#. Use the chart as follows for 10th digit:

00-09 = p
10-19 = h
20-29 = l
30-39 = d
40-49 = n
50-59 = f
60-69 = j
70-79 = b
80-89 = o
90-99 = g



For License positions 11 + 12, use the following:

If serial Number starts with 5

ends in 0: R3
ends in 1: N3
ends in 2: T3
ends in 3: P3
ends in 4: Q3
ends in 5: M3
ends in 6: S3
ends in 7: O3
ends in 8: RZ
ends in 9: NZ

If serial Number starts with 6

ends in 0: R4
ends in 1: N4
ends in 2: T4
ends in 3: P4
ends in 4: Q4
ends in 5: M4
ends in 6: S4
ends in 7: O4
ends in 8: R-
ends in 9: N-


The generated license code is: aQvPuhKrElT3

I looks like basic look-up and arithmetic. The program is however changing the algorithm so you can't repeat for each feature.

I was hoping for a Uber secret program to help out. To save time of course.

I have attached a file containing almost a 1000 legitimate pass codes to try reverse.

1) License position 1:
If the serial# starts with 5xxxx, the license char 1 = d
If the serial# starts with 6xxxx, the license char 1 = P

2) License position 2:
Partially determined by 2nd char in serial#
a) x0xxx = B or 7
b) x1xxx = N or R
c) x2xxx = F or J
d) x3xxx = V or Z
e) x4xxx = B or 7
f) x5xxx = N or R
g) x6xxx = F or J
h) x7xxx = V or Z
i) x8xxx = B or 7
j) x9xxx = T or P

Still not sure what determines which

3) License position 8:
Similar to position 2 except characters differ.
a) x0xxx = H or 9
b) x1xxx = l or d
c) x2xxx = X or P
d) x3xxx = t or 1
e) x4xxx = H or 9
f) x5xxx = l or d
g) x6xxx = X or P
h) x7xxx = t or 1
i) x8xxx = H or 9
j) x9xxx = p or h

4) License Position 11:
Based solely on the last digit of the serial#
0 = N
1 = R
2 = P
3 = T
4 = M
5 = Q
6 = O
7 = S
8 = N
9 = R

5) License position 12 (last char):
Is based on if the serial starts with 5xxxx or 6xxxx.
If serial starts with 5xxxx, then it's one of 4 chars:
a) z
b) v
c) N
d) r

If serial starts with 6xxxx, then it's one of 4 chars:
a) 0
b) s
c) W
d) O

Still not sure what determines it.

Any help would be appreciated.

[Git]

What is the Feature number for these :

System Serial# = 50000, Legitimate license code = aMrNvhKz6pR3
System Serial# = 50217, Legitimate license code = aMvRwDKzEhO3
System Serial# = 65218, Legitimate license code = MAzPvwoNMlR-

Do you have a list of Feature numbers/codes?. Are there exactly 30 or are there more than 32 Features?. Also, what is the range of the serial number?

Git

Serials are around the range of: 50,000 to 65,000.

There are different features. Not sure how many there are exactly. And not all serials have the same features enabled.

Does anyone have access to a program for analyzing patterns? I've decoded a few more (different ones), still not the 2nd one listed above in this thread.