#1
Hardcoded md5 serial number crack
Good evening to all of you!
I am currently trying to crack a program that can be registered with a pre-defined set of serial numbers, hardcoded into the application as a big set of md5 hashes (the serial number format is !!!!-!!!!-!!!!-!!!! where ! can be anything in ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789). I am sorry I can't share the program since it contains recognisable data.

I am currently trying two ways:

1. I extracted all serial number hashes, and am currently running a generator that randomises numbers between 1 and 36, then takes the corresponding value from the allowed char set and forms a random serial number, then converts it to md5 and checks if the hash is in the list. If not, discard and try a new one. The program has been running for 4 hours and not a single valid serial number has appeared.
2. I built a program to generate all possible combinations of serial numbers, both clean and as md5 values. In 4 hours of runtime, I completed the last four !!!!, but the remaining !!!!-!!!!-!!!! still has to come and I suspect it will run for long.

Since none of the methods appear to yield a result in a reasonable time, do any of you have any suggestions to speed up the process? Might the CUDA toolkit be of any help? I also thought about rainbow tables, but they tend to be more useful for words, rather than for serial numbers. I know they are pre computed and that a serial number is just a defined series of chars... but I don't know if rainbow tables for serial numbers exist.

Thanks to anyone.
#2
Unfortunately, neither way will yield any results. You have a 16 character serial with 36 character charset, that is 36^16 combinations, almost 8*10^24.
Assuming you crack trillions of passwords per second, it will take thousands of years to go through all these combinations. If you still want to try cracking the hashes, then use a tool called hashcat; making a program yourself will most likely be very slow compared to it.
#3
Quote:
#4
Yes it is possible
#5
Quote:
Code:
https://www.4armed.com/blog/perform-mask-attack-hashcat/
#6
Quote:
Or are the 3 dashes removed from the password before the MD5 hash?
@TmC: Can you share the extracted MD5 hashes?
Just a dumb question: Are the MD5 init variables the standard ones?
#7
I have no idea if they are removed or not, but they either never change or are removed, which in both cases leaves 16 variable characters.
#8
Quote:
Don't understand
#9
MD5 collisions
When I saw title of this thread ("Hardcoded md5 serial number crack") my first thought was "COLLISIONS". But no one mentioned MD5 collisions yet.
It's better to treat the serial number as bytes (not as text) to successfully implement an attack. You can find appropriate MD5 collision sources at GitHub, for example: MD5 collision
Maybe he means MD5 initial values from the reference implementation.
__________________
EnJoy!
#10
Quote:
#11
Quote:
0x67452301, 0xEFCDAB89, 0x98BADCFE and 0x10325476. I have for instance seen at least one program using the following chaining values instead: 0X1234567, 0X89ABCDEF, 0XBA98FEDC and 0X76504321.
#12
Nope. They are inserted as plain string (e.g. 9a4df789abe345a902971c9826734ed1). What you type is md5ed as a string and the two are compared. If the md5 value is found in the list, then what you typed is valid.
#13
@TmC :
Calculate MD5 with your serial. Change one MD5 hash with this one. That's all.
#14
Quote:
If you find the location of the predefined hashes in the program, create a new MD5 hash of any string (say blablabla) and replace one of the hashes in the existing predefined hashes with the created hash and you are done. It should work unless there are any other checks that are based on the serial number. If you would like to share the executable privately for patching, let me know and I'll see if I can help to patch it.
#15
Quote:
Unfortunately, the serial is checked also when requesting updates through the update routine, and even patching the program won't pass the server check. The serial is passed in cleartext so a patch that simply gives one random hash to check does not work.
Last edited by TmC; 09-15-2022 at 18:04.