#1
|
|||
|
|||
Help with generating serial
Hi guys,
I'm currently working on a piece of software and it is driving me crazy. I am able to 'register/activate' it by fudging all of the jumps at the serial key checker. However, I cannot for the life of me figure out the routine that actually creates the serial numbers.. Would any of you like to check this out and possibly give me an idea of how to do it? I don't really want the company looking this direction by mentioning the name of it, but here is the link to the installer. (It's used for Nissan cars) Link to the software: Code:
https://nisscan.com/NDSI/index.php?content=download Code:
Private Sub btnUnlock_Click() '53DC71 Dim var_10C As Variant Dim var_114 As TextBox loc_0053DCC6: On Error GoTo loc_0053E93B loc_0053DCFB: var_40 = frmActivate.txtActivKey.Text loc_0053DD03: var_110 = var_40 loc_0053DD70: If (var_40 = global_00425534) + 1 Then loc_0053DD7E: var_40 = "Please enter Activation Key" loc_0053DDA1: var_44 = Proc_15_1_52D634(&HCB) loc_0053DE08: MsgBox(var_44, 0, 10, var_80, 10) loc_0053DE41: Else loc_0053DEE3: var_8020 = GetVolumeInformation("C:\", String$(256, False), 255, global_005C507C, global_005C5084, global_005C5080, String$(256, False), 255) loc_0053DEFB: var_8028 = var_44 loc_0053DF08: var_802C = var_48 loc_0053DF13: global_005C5088 = var_8020 loc_0053DF46: var_114 = frmActivate.txtActivKey loc_0053DF7C: var_40 = frmActivate.txtActivKey.Text loc_0053DF84: var_110 = var_40 loc_0053E003: var_114.Text = CStr(Trim(var_40)) loc_0053E00B: var_118 = var_114 loc_0053E0A0: var_40 = frmActivate.txtActivKey.Text loc_0053E0A8: var_110 = var_40 loc_0053E13E: var_3C = Proc_23_0_565AB7(Proc_24_1_56681B("Tomasz", "Tomasz", 1), "Tomasz", Me) loc_0053E212: var_2C = Proc_23_0_565AB7(Mid(var_3C, 17, Len(var_3C)), Mid(var_3C, 1, 16), 0) loc_0053E2A7: var_8050 = Proc_23_0_565AB7(Proc_24_1_56681B(GetSetting("NDataScan", "Activation", "RegCode", 10), var_CC, 80020004h), "Lilys", var_C4) loc_0053E2B1: var_3C = var_8050 loc_0053E37A: var_34 = Proc_23_0_565AB7(Mid(var_3C, 17, Len(var_3C)), Mid(var_3C, 1, 16), 0) loc_0053E3DC: var_34 = Left(var_34, Len(var_34)(-1)) loc_0053E42C: var_34 = Right(var_34, Len(var_34)(-1)) loc_0053E530: If CBool((var_2C = var_34) And (var_2C = Str(global_005C507C)) And (var_34 = Str(global_005C507C))) Then loc_0053E53E: var_40 = "NDSI has been sucessfully activated. Please restart NDSI." loc_0053E5C8: MsgBox(Proc_15_1_52D634(&HCC), 0, 10, var_80, 10) loc_0053E614: var_10C = frmActivate.btnUnlock loc_0053E62A: var_10C.Enabled = False loc_0053E632: var_110 = var_10C loc_0053E68B: var_10C = frmActivate.txtRegCode loc_0053E6A1: var_10C.Enabled = False loc_0053E6A9: var_110 = var_10C loc_0053E702: var_10C = frmActivate.txtActivKey loc_0053E718: var_10C.Enabled = False loc_0053E720: var_110 = var_10C loc_0053E779: var_10C = frmActivate.lblNotice loc_0053E78F: var_10C.Enabled = False loc_0053E797: var_110 = var_10C loc_0053E808: var_40 = frmActivate.txtActivKey.Text loc_0053E810: var_110 = var_40 loc_0053E85B: SaveSetting("NDataScan", "Activation", "ActivKey", var_40) loc_0053E875: Else loc_0053E87D: var_40 = "You have entered wrong activation details. Please try again." loc_0053E907: MsgBox(Proc_15_1_52D634(&HCD), 0, 10, 10, 10) loc_0053E93B: End If loc_0053E93B: End If loc_0053E93B: Exit Sub loc_0053E945: GoTo loc_0053E9A2 loc_0053E9A1: Exit Sub loc_0053E9A2: ' Referenced from: 0053E945 End Sub |
#2
|
|||
|
|||
Hello,
try to look at loc_0052cf95 maybe this is what you looking for |
The Following User Says Thank You to xobor For This Useful Post: | ||
foil (12-16-2021) |
#3
|
|||
|
|||
Hi Xobor,
I appreciate your help with this! What made you look at that address? It's almost the very first thing that's done right after the entry point - I don't see anything about activation or registration? Sorry, I'm not the greatest with this stuff yet, but am learning! |
#4
|
|||
|
|||
Hello
in this function application reads ActivKey from registry and does some checks it came interesting to me best regards |
#5
|
|||
|
|||
It seems Proc_23_0_565AB7 is calculating something relevant. What does the decompilation show for that part?
|
#6
|
|||
|
|||
not quite. And that string is unique to your computer. so you have to find out how it is generated.
|
The Following User Says Thank You to T-rad For This Useful Post: | ||
foil (12-22-2021) |
#7
|
|||
|
|||
Hi,
The procedure to generate the RegistrationCode aka RegCode in the version 1.63 with modified date 13.05.2013 is as follows: Code:
1. Generate 16 radom numbers of base 256=Res1 2. SignedDec(VolumeInfoA("C:\"))=Res2 3. ConcatSeveralStrings("*",Res1,"#")=Res3 4. RC4_Encrypt(Key=Res1,Res3)=Res4 5. Concat(Res1,Res4)=Res5 6. RC4_Encrypt(Key="Lilys", Res5)=Res6 7. byteArrayToBase64(Res6)= RegCode From my investigation so far, I could not find the RegName and Email(no syntax check) been used or referenced anywhere during the check of the activation key. They are however mandatory and the user will be promted to fill the corresponding empty field(s) before the RegistrationCode will be generated. Anyways, the ActivationKey does the same thing but with Key="Tomasz" instead of "Lilys". It should be noted however that both the initial 16 RadomNumbers(Res1) and the VolumeID (Res2) are in the resulted Regcode and are thus used to generate the ActivationKey, so that the 3 compares it does after decoding and decrypting the ActivationKey will match the original values. Regards, TemPoMat PS: If I have time I will try to write a Keygen for it Last edited by TempoMat; 12-20-2021 at 14:09. Reason: Step 2 is SignedDec and not UnsignedDec |
#8
|
|||
|
|||
Quote:
3. ConcatSeveralStrings("*",Res2,"#")=Res3 just a note, the volume serial number is in number format, not hex format |
#9
|
|||
|
|||
Quote:
and for the 2.Step it would have been clearer if I had written it as: 2. Hex2SignedDec(VolumeInfoA("C:\"))=Res2 |
The Following User Says Thank You to TempoMat For This Useful Post: | ||
foil (12-22-2021) |
#10
|
|||
|
|||
The Activation Key is calculated as follows:
Code:
1. AK1 = the 16 RandomBytes from Res1 2. AK2 = the Hex2SignedDec(VolumeInfoA("C:\")) from Res2 3. AK3 = RC4_Encrypt(Key=AK1, Data=AK2) 4. AK4 = ConCat(AK1,AK3) 5. AK5 = RC4_Encrypt(Key="Tomasz", Data=AK4) 6. ActivKey = byteArrayToBase64(AK5) 3. ConcatSeveralStrings("*", Res2 ,"#")=Res3 Cheers |
#11
|
|||
|
|||
Actually, "#" and "*" to be removed to create Activation Code.
Code:
string pass_1 = "?????"; byte[] pass_1_b = Encoding.ASCII.GetBytes(pass_1); string pass_2 = "??????"; byte[] pass_2_b = Encoding.ASCII.GetBytes(pass_2); byte[] hexData = Convert.FromBase64String(Registratin_Code); byte[] z1 = RC4.Decrypt(pass_1_b, hexData); byte[] pass_3_b = new byte[16]; Buffer.BlockCopy(z1, 0, pass_3_b, 0, 16); byte[] z5 = new byte[z1.Length - 16]; Buffer.BlockCopy(z1, 16, z5, 0, z1.Length - 16); byte[] z3 = RC4.Decrypt(pass_3_b, z5); string z3_str = BitConverter.ToString(z3).Replace("-", ""); string z4 = Encoding.ASCII.GetString(z3); //************************************************************ string girdi = z4.Replace("#", "").Replace("*", ""); byte[] girdi_b = Encoding.ASCII.GetBytes(girdi); byte[] x1 = RC4.Encrypt(pass_3_b, girdi_b); byte[] x2 = new byte[x1.Length + 16]; Buffer.BlockCopy(pass_3_b, 0, x2, 0, 16); Buffer.BlockCopy(x1, 0, x2, 16, x1.Length); byte[] x3 = RC4.Encrypt(pass_2_b, x2); //************************************************************ string Activation_Code = Convert.ToBase64String(x3); |
#12
|
|||
|
|||
Thank you, everyone, for helping me out with this.
I will have some free time on Thursday night to check it out again, with all of your notes by my side! I appreciate all of you @raduga_fb - is there a certain module that you used when using RC4? Visual Studio only has RC2 by default, from what I can remember. Last edited by foil; 12-22-2021 at 04:27. |
#13
|
|||
|
|||
RC4
Code:
public class RC4 { public static byte[] Encrypt(byte[] pwd, byte[] data) { int a, i, j, k, tmp; int[] key, box; byte[] cipher; key = new int[256]; box = new int[256]; cipher = new byte[data.Length]; for (i = 0; i < 256; i++) { key[i] = pwd[i % pwd.Length]; box[i] = i; } for (j = i = 0; i < 256; i++) { j = (j + box[i] + key[i]) % 256; tmp = box[i]; box[i] = box[j]; box[j] = tmp; } for (a = j = i = 0; i < data.Length; i++) { a++; a %= 256; j += box[a]; j %= 256; tmp = box[a]; box[a] = box[j]; box[j] = tmp; k = box[((box[a] + box[j]) % 256)]; cipher[i] = (byte)(data[i] ^ k); } return cipher; } public static byte[] Decrypt(byte[] pwd, byte[] data) { return Encrypt(pwd, data); } } |
The Following User Gave Reputation+1 to raduga_fb For This Useful Post: | ||
niculaita (12-23-2021) |
#14
|
|||
|
|||
Hi @raduga_fb
I really appreciate all of the help you've given me! I compiled the code that you have given me, but am still receiving an error message stating that the activation key is incorrect. Here is a screenshot of the source, the activation code generated and the error on activation: https://f0il.com/datascan.png Am I doing something wrong in all of that? I'm still trying to wrap my head around how you figured all of this out in the first place lol sorry for my ignorance! |
#15
|
|||
|
|||
You need to eat much more bread.
Who said that pass_1 & pass_2 should be name & email? They are already mentioned above. string pass_1 = "?????" <- 5 digits = Li*** string pass_2 = "??????" <- 6 digits = To**** |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Can the bit0 mask in port 0x21 stop generating int 0x08? | BlackWhite | General Discussion | 0 | 03-19-2021 22:53 |