Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #16  
Old 12-24-2021, 06:03
TempoMat TempoMat is offline
Friend
 
Join Date: Jan 2006
Posts: 86
Rept. Given: 10
Rept. Rcvd 6 Times in 6 Posts
Thanks Given: 4
Thanks Rcvd at 25 Times in 18 Posts
TempoMat Reputation: 6
I did some tests on step 2 with different values for the VolumInfoA
2. AK2 = the Hex2SignedDec(VolumeInfoA("C:\")) from Res2
and found out that if the value of the VolumeSerialNumber is positive i.e. below 0x80000000 then the converted value has a space(0x20) instead of "+" before it.

Final thing to note is that the RegCode should always be generated on the target computer. Then the 3 checks the program does are all related to the result from Step2

First it gets the Hex2SignedDec(VoluemInfoA("C:\")=>VolumeSerialNum then decrypts the RegCode and the ActivKey and final does the following comparisons:

Is VolumeSerialNum=Res2 from decrypted RegCode?
Is VolumeSerialNum=AK2 from the decrypted ActivKey?
Is Res2=AK2?
Reply With Quote
  #17  
Old 12-24-2021, 06:39
foil foil is offline
Friend
 
Join Date: Feb 2017
Location: 0xFFFFFFFF
Posts: 17
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 18
Thanks Rcvd at 7 Times in 7 Posts
foil Reputation: 0
Quote:
Originally Posted by raduga_fb View Post
You need to eat much more bread.

Who said that pass_1 & pass_2 should be name & email? They are already mentioned above.

string pass_1 = "?????" <- 5 digits = Li***

string pass_2 = "??????" <- 6 digits = To****
Hi @raduga_fb
Ahhh, okay, that worked! I do need much more knowledge with encryption and decryption. I am reading lots of material about the subjects, and am rewriting your code by hand on paper to try to understand the flow a little better

I did receive an error on a second test machine about the Registration Code not being a valid Base64 string, but I'll cross that bridge later.

Thank you again for all of your help, I haven't ever put much effort into reversing keys!

Quote:
Originally Posted by TempoMat View Post
I did some tests on step 2 with different values for the VolumInfoA
2. AK2 = the Hex2SignedDec(VolumeInfoA("C:\")) from Res2
and found out that if the value of the VolumeSerialNumber is positive i.e. below 0x80000000 then the converted value has a space(0x20) instead of "+" before it.

Final thing to note is that the RegCode should always be generated on the target computer. Then the 3 checks the program does are all related to the result from Step2

First it gets the Hex2SignedDec(VoluemInfoA("C:\")=>VolumeSerialNum then decrypts the RegCode and the ActivKey and final does the following comparisons:

Is VolumeSerialNum=Res2 from decrypted RegCode?
Is VolumeSerialNum=AK2 from the decrypted ActivKey?
Is Res2=AK2?
I appreciate all of your help as well, @TempoMat !
I am studying over everything that everyone has told me and am not going to give up on it! Thank you so much
Reply With Quote
  #18  
Old 12-25-2021, 15:47
T-rad T-rad is offline
Friend
 
Join Date: May 2016
Posts: 18
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 7
Thanks Rcvd at 19 Times in 12 Posts
T-rad Reputation: 0
Actually the RegCode is useless for generating a working key. also check 3 is redundant. is only checking if the VolumeSerialNum from RES2 is the same VolumeSerialNum from AK2. If check 1 & 2 pass, 3 has no choice but to pass
Reply With Quote
  #19  
Old 12-26-2021, 21:30
TempoMat TempoMat is offline
Friend
 
Join Date: Jan 2006
Posts: 86
Rept. Given: 10
Rept. Rcvd 6 Times in 6 Posts
Thanks Given: 4
Thanks Rcvd at 25 Times in 18 Posts
TempoMat Reputation: 6
Quote:
Originally Posted by T-rad View Post
... also check 3 is redundant. is only checking if the VolumeSerialNum from RES2 is the same VolumeSerialNum from AK2. If check 1 & 2 pass, 3 has no choice but to pass
I agree with you. Maybe the programmer/vendor is paranoid.

Quote:
Originally Posted by T-rad View Post
Actually the RegCode is useless for generating a working key....
Not for the programmer/vendor, then he will need the RegCode in order to extract from it the RandomBytes and the VolumeSerialNum to generate the corresponding correct key for the registrant.

A Keygen can for instance have the option for the user to enter a Regcode (Registation code) from a different machine and generate the corresponding ActivKey (Activation Key).
Also just for a gemmick, it could include options to decode the RegCode and ActiveKey to compare the RandomBytes and the VolumeSerialNum.
Reply With Quote
  #20  
Old 12-27-2021, 04:36
T-rad T-rad is offline
Friend
 
Join Date: May 2016
Posts: 18
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 7
Thanks Rcvd at 19 Times in 12 Posts
T-rad Reputation: 0
Quote:
Not for the programmer/vendor, then he will need the RegCode in order to extract from it the RandomBytes and the VolumeSerialNum to generate the corresponding correct key for the registrant.
not exactly, the vendor just requires the VolumeSerialNumber, the rest is just for show.
Any random bytes will work so they do not need to be extracted as the program decrypts the decoded bytes using the first 16 bytes as the key.

Code:
var_2C = Proc_23_0_565AB7(Mid(var_3C, 17, Len(var_3C)), Mid(var_3C, 1, 16), 0)
= RC4(data, key)

for example... using 0123456789ABCDEFFEDCBA9876543210 as the random bytes / key and using *-91511383# from the first post, this key should work for that computer

ts3Huirg1Olt00VIn78ZgsVes7y8VZqw1Q==
Reply With Quote
  #21  
Old 12-27-2021, 21:11
TempoMat TempoMat is offline
Friend
 
Join Date: Jan 2006
Posts: 86
Rept. Given: 10
Rept. Rcvd 6 Times in 6 Posts
Thanks Given: 4
Thanks Rcvd at 25 Times in 18 Posts
TempoMat Reputation: 6
Quote:
Originally Posted by T-rad View Post
for example... using 0123456789ABCDEFFEDCBA9876543210 as the random bytes / key and using *-91511383# from the first post, this key should work for that computer

ts3Huirg1Olt00VIn78ZgsVes7y8VZqw1Q==
Your key in itself is correct but it will only be accepted if the same random bytes are used for the generation of the RegCode as well.
Meaning that the key is valid if and only if the Regcode is replaced with a newly generated one with your sample random bytes.

The VolumeSerialNum is for sure the only part that is always the same on a target machine but every newly generated RegCode will have a different random bytes which are used in the ActivKey generation as well.

Therefore using different random bytes as in your key with the initial RegCode from post #1 will fail.

As a prove, deleting the string value for RegCode in the registry location: example
Code:
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\NDataScan\Activation]
"Name"="TemPoMat"
"Email"="TemPoMat"
"RegCode"="GIv/lhuqYNCUTPZfPgYG3rM5EtzvsurmsyLeOB0"
"ActivKey"="mP1y4G/RxxQvtIPpV8ZAI/yGoab2NnDSgZWT"
will result in a new RegCode been generated with the same VolumeSerialNum but different random bytes upon re-registration.

I assume this is one of the reasons it is doing the 3 checks.
Reply With Quote
  #22  
Old 12-27-2021, 23:22
T-rad T-rad is offline
Friend
 
Join Date: May 2016
Posts: 18
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 7
Thanks Rcvd at 19 Times in 12 Posts
T-rad Reputation: 0
It will work regardless. I've tried it, using my own volume serial of course.

There is does no check against the random bytes.

Code:
var_8020 = GetVolumeInformation("C:\", String$(256, False), 255, global_005C507C, global_005C5084, global_005C5080, String$(256, False), 255)
global_005C507C = VolumeSerial#


Code:
var_2C = Proc_23_0_565AB7(Mid(var_3C, 17, Len(var_3C)), Mid(var_3C, 1, 16), 0)
var_2C = decoded VolumeSerial# from our input



Code:
var_8050 = Proc_23_0_565AB7(Proc_24_1_56681B(GetSetting("NDataScan", "Activation", "RegCode", 10), var_CC, 80020004h), "Lilys", var_C4)
var_3C = var_8050
var_34 = Proc_23_0_565AB7(Mid(var_3C, 17, Len(var_3C)), Mid(var_3C, 1, 16), 0)
var_34 = Left(var_34, Len(var_34)(-1))
var_34 = Right(var_34, Len(var_34)(-1))
var_34 = decoded VolumeSerial# from registry, less the left and right chars

Code:
If CBool((var_2C = var_34) And (var_2C = Str(global_005C507C)) And (var_34 = Str(global_005C507C))) Then
var_40 = "NDSI has been sucessfully activated. Please restart NDSI."
check 1. -> var_2C = var_34
compare the decoded VolumeSerial# from our input with the decoded VolumeSerial# from registry, less the left and right chars.

check 2 -> var_2C = Str(global_005C507C)
compare the decoded VolumeSerial# from our input with the GetVolumeInformation VolumeSerial#

check 3 -> var_34 = Str(global_005C507C)
decoded VolumeSerial# from registry, less the left and right chars with the GetVolumeInformation VolumeSerial#


as i said before, check 3 is redundant. It will always pass as the program generated it .
Reply With Quote
The Following User Says Thank You to T-rad For This Useful Post:
niculaita (12-28-2021)
  #23  
Old 12-29-2021, 20:37
TempoMat TempoMat is offline
Friend
 
Join Date: Jan 2006
Posts: 86
Rept. Given: 10
Rept. Rcvd 6 Times in 6 Posts
Thanks Given: 4
Thanks Rcvd at 25 Times in 18 Posts
TempoMat Reputation: 6
Quote:
Originally Posted by T-rad View Post
It will work regardless. I've tried it, using my own volume serial of course.

There is does no check against the random bytes.
Correct.
That is because the random bytes used to encrypt the VolumeSerialNum in the 1.encryption are in themselves included in each case in the 2.encryption leading to the final RegCode and the ActivKey respectively.

Therefore an ActivKey generated with the same VolumeSerialNum of a target machine will work regardless of the RegCode.

Quote:
Originally Posted by T-rad View Post
as i said before, check 3 is redundant. It will always pass as the program generated it .
This is a valid point.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Can the bit0 mask in port 0x21 stop generating int 0x08? BlackWhite General Discussion 0 03-19-2021 22:53


All times are GMT +8. The time now is 12:04.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2022 )