Guest
Posted: Sun Apr 03, 2005 5:09 pm
Post subject: BINK Resource fields in pidgen.dll
Hi crackware2k,

1. Do you know what the big chunk of binary values refers to in the BINK resource? There are two different sets of BINK. I read that it is used for Product Key verification and is an elliptic curve digital crypto signature. How to extract the p, q, k, a, b, x, y etc. from the BINK?

2. What are the hidden APIs in pidgen.dll and mso.dll that can be called by an external program? I'm looking for the full C function prototype of each API so that it can be used externally.

Thanks.

crackware2k
Site Admin
Joined: 23 Dec 2004   Posts: 183   Location: Germany
Posted: Mon Apr 04, 2005 12:38 am
Post subject:
1. At the end I've attached my (unedited) notes about the CDKEY. These 'big chunks of binary values' are actually only 4 very big values/numbers. I guess that gap filled with zeros was formerly for the private key (big integer value). The big integer numbers are a, b, x... Although I don't like math that much, I spent about 2 days on this ECC topic; a really nice site on that topic is this:
http://www.certicom.com/index.php?action=ecc_tutorial,home
Best were the Java applets to play around with the ECCs yourself.

To create a keygen the ECC problem is not that important. It should be possible to brute-force a suitable CDKey in a reasonable time if you tolerate some 'random-value-parts' in the ProductID.

The CDKEY consists of two parts: 'ClearTextProductionID' and 'ParamForECC-Check'.
From the ParamForECC-Check + BINK data a value is calculated. This value is binary-compared with ClearTextProductionID and if it matches the CDKey is valid.
So if you use some random values for ParamForECC, let it be calculated and now write the result over the ClearTextProductionID, you have a valid (binary) CDKey.

The only problem with that CDKey is that the ProductID is completely random, but the good news is that only the first 3 digits (the '-BBB-' part) matter for selecting eval/retail or corporate; the rest of the 6 digits are arbitrary. Also these 3 digits don't need to be a certain number - they only need to be inside some desired range.
-> Now have a look at the DPC-Viewer (and its source) for more about those ranges.
This will allow you to quickly find a suitable CDKey without many tries.

2. I can't give you all the call specs you will need. Have a look at the WPA debug symbols I published and work out the call specs you need on your own with OllyDbg. If you need help, enable Remote Desktop and send me a message to show you how to do it.
Note: For the above-described keygen it will be necessary to patch those files in memory or on disk before calling.
...and what do you expect from calling mso.dll exports?

CDKEY-into.txt:
Code:
The CDKEY
If you leave out the dashes it's simply a number with base 24 over this
"BCDFGHJKMPQRTVWXY2346789" 'alphabet'.
(You calculate its value in the same way you do with hexadecimal or octal numbers.)
So this value is stored (encrypted) in the DigitalProductID.

  640 699   corporate
  119       OEM
  337 359   Tablet
  005 119   Eval
  100

Let's start with this CDKey:
4DRDD-V6DQX-87PC9-WCQWK-9JQFF
The dashes are only for better reading:
4DRDDV6DQX87PC9WCQWK9JQFF
Now it's simply a number with base 24 over this "BCDFGHJKMPQRTVWXY2346789" 'alphabet'.
For sure you know that decimal numbers have base 10 over the alphabet "0123456789",
and you should also know hexadecimal numbers with base 16 over the alphabet "0123456789ABCDEF".
If you want to convert the hex number B05 to decimal you calculate it this way:
Base: 16
  Place     2    1    0
  HexDigit  'B'  '0'  '5'
  Decvalue  12   0    5
0xB05 = 12*16^2 + 12*16^1 + 5*16^0 = 3072 + 192 + 12 = 2821

With base 24 it's the same:
  Place   0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
  Digits  B C D F G H J K M P  Q  R  T  V  W  X  Y  2  3  4  6  7  8  9
'CW2K' = 01*24^3 + 14*24^2 + 17*24^1 + 07*24^0 = 13824 + 1152 + 41 + 7 = 22303

The only problem is that you quickly get very big numbers which you can't handle with the normal Integer or 64-bit Long types of your programming language. You have to create your own 'type' and write the functions to add or multiply with it (or you use a library / include from the internet to do that)...

Back to the subject.
Let's convert the CDKey to hex:
4DRDDV6DQX87PC9WCQWK9JQFF
4E827 06817AD1 30BECF1A 02004ACB   ...about 16 bytes or more exactly 114 bits
Since this number is little endian the first 31 bits are 02004ACB
(to delete the first bit take the first hex digit and calc: '0' AND 7 = 0)
55375-016-7867894-22084
25477798373966031612895443732679371
1001110100000100111000001101000000101111010110100010011000010111110110011110001101000000010000000000100101011001011
4DRDD-V6DQX-87PC9-WCQWK-9JQFF
DPCDLL.DLL
#123 ValidateDigitalPid(DigitalPID)
    CRC32 check of DigitalPID
    Validate binary CDKEY inside DigitalPID
#125 CheckCDKey(szCDKEY)
    Divide binary CDKEY into
        31 (1f) bits   CDKEY_PID_Part (fix)
        88 (53) bits   rest, which is
            28 (1c) bits   length given by BINK
            55 (37) bits   length given by BINK
        -------------
       114 (72) bits
    Get BINK_ID from DigitalPid and try to load this BINK {error3}
    ShortSigServerVerifySig(BINK, CDKEY_PID_Part, 4, CDKEY_Sig_Part)
        PlausibleKey
            checks integrity and CRC
        convert_external_key_to_internal(BINK, OUT)
        unpack_signature(RemainBitsFromCDKEY, BitSize, BitSize)
            88 (53) bits   rest, which is
                28 (1c) bits   length given by BINK
                55 (37) bits   length given by BINK
        ecdig_affine_exponentiation
        ecdig_affine_exponentiation
        ecdig_affine_addition
        ecdig_to_dwords
        ShortSigHash
        [cmpData]
The Elliptic Curve
y^2 = x^3 + ax + b (mod p)

The Elliptic Curve Discrete Logarithm Problem
In the multiplicative group Zp*, the discrete logarithm problem is:
given elements r and q of the group, and a prime p, find a number k such that r = q^k mod p.
If the elliptic curve group is described using multiplicative notation, then the elliptic curve discrete logarithm problem is:
given points P and Q in the group, find a number k such that P^k = Q; k is called the discrete logarithm of Q to the base P.
When the elliptic curve group is described using additive notation, the elliptic curve discrete logarithm problem is:
given points P and Q in the group, find a number k such that kP = Q.

The Elliptic Curve
y^2 = x^3 + ax + b (mod p)        (prime field)
y^2 + xy = x^3 + ax^2 + b         (binary field)
  a               value     param1 for EC
  b               value     param2 for EC
  p               value     bitwidth
  P (or G)        2 values  StartPoint (x,y)
  Q (or K)        2 values  DestPoint (x,y)
  k (private key) value     Secret; Q <= P*k
1. H = SHA-1(5D, CDK_OS_Family, CDK_Hash, CDK_prefix, 00 00); the total length is 11 bytes.
   H is 160 bits long, and we only need the first 2 words.
   Right-shift H's second word by 2 bits.
   E.g. if SHA-1() returns FE DC BA 98 76 54 32 10, H = FE DC BA 98 1D 95 0C 04.
2. point R(rx,ry) = CDK_Signature * (CDK_Signature*BINK_G + H*BINK_K) (mod BINK_p)
   y = x * (x*a + H*b) (mod BINK_p)
   y^2 = x^3 + ax + b (mod p)
3. result = SHA-1(79, OS Family, rx, ry); the total input length = 1+2+64*2 = 131 bytes.
4. compare Hash and result; if identical, the key is valid.
;SETUPP.INI
[Pid]
ExtraData=616A6265797767697A77591DC43DBA
Pid=55375 000
    ^^^^^ ^^^
    SITE  RPC
Winnt32u.dll!GetSourceInstallType(x)
Dosnet.inf
[Miscellaneous]
ProductType = 5    ; valid 0..6
    ;0 XP Professional
    ;1 Whistler Server
    ;2 Whistler Advanced Server
    ;3 Whistler Datacenter Server
    ;4 XP Home
    ;5 Whistler Blade Server
    ;6 Not Defined
Exports, PIDGen.dll
Ordinal  Address   Name
00000001 5A7C1BF2  PIDGenA        ;Call i_PidGen
00000002 5A7C1C5B  PIDGenW        ;->PIDGenA
00000003 5A7C1C2D  PIDGenSimpA    ;Call i_PidGen
00000004 5A7C1DE1  PIDGenSimpW    ;->PIDGenSimpA
00000005 5A7C1E0F  SetupPIDGenA   ;->PIDGenA
00000006 5A7C1E54  SetupPIDGenW   ;->PIDGenW
#6 SetupPIDGenW(x,x,x,x,x,x,x)
1  Pid30Text                     "12345-67890-ABCDE-FGHIJ-KLMNO"
2  _Pid30Rpc                     "000" or "270" or "OEM" "69763" ...
3  GetStockKeepingUnit(x,x,x)    "1797XYZZY" or "C11-00027" ...
4  _isupgrade                    1 if _CdType==1
5  _ProductId20FromProductId30
6  _DigitalProductId             400h or 100h; returns ptr for _DigitalProductId
7  Retval                        -%s or 0h; should return 0
SetupPIDGenW
If Pid30Text==0 then Pid30Text="R7MPM-R36DT-F38FC-RPPCX-XJG7M"
14 0
13 Retval
12 0
11 _DigitalProductId
10 _ProductId20FromProductId30   ;unistring 19 bytes long
 9 _isupgrade
 8 0
 7 0
 6 0
 5 0                             ;unistring 19 bytes long
 4 0                             ;unistring 5 bytes long
 3 GetStockKeepingUnit           ;should be <>0
 2 _Pid30Rpc                     ;should be <>0, only checked if _isupgrade==0
 1 Pid30Text                     ;should be <>0
call PIDGenW                     ;If eax==0 -> Error
PIDGenW
If Pid30Text==0 then Err 57
If _isupgrade==0 then
if _Pid30Rpc==0 then err 57
endif
UnicodeToAcci(Pid30Text,1E)
UnicodeToAcci(_Pid30Rpc,06)
UnicodeToAcci(GetStockKeepingUnit,20)
UnicodeToAcci(Arg.4, 05)
UnicodeToAcci(Arg.5, 19)
15 Pid30Text
14 _Pid30Rpc
13 GetStockKeepingUnit
12 0 (locals)
11 0 (Arg4 ? Locals)
10 0x0
9 6
8 7
7 8
6 9
5 ?
4 11
3 12
2 Retval
1 14
CALL PIDGenA()
PIDGenA
Call stack of main thread
Address  Stack     Procedure / arguments                         Called from               Frame
0006D674 5A7C1C24  <PIDGen.SimplePidG>                           PIDGen.PIDGenA+2D         0006D670
0006D678 0006D71C  Arg1 = 0006D71C ASCII "X3WJB-3B2BH
0006D67C 0006D774  Arg2 = 0006D774 ASCII "55375"
0006D680 0006D6FC  Arg3 = 0006D6FC ASCII "1797XYZZY"
0006D684 00000000  Arg4 = 00000000
0006D688 00000000  Arg5 = 00000000
0006D68C 00000000  Arg6 = 00000000
0006D690 5A7C80E0  Arg7 = 5A7C80E0
0006D694 0000002C  Arg8 = 0000002C
0006D698 00000000  Arg9 = 00000000
0006D69C 0006D73C  Arg10 = 0006D73C
0006D6B4 5A7C1DAD  PIDGen.PIDGenA                                PIDGen.PIDGenW+14D        0006D6B0
0006D6B8 0006D71C  Arg1 = 0006D71C ASCII "X3WJB-3B2BH
0006D6BC 0006D774  Arg2 = 0006D774 ASCII "55375"
0006D6C0 0006D6FC  Arg3 = 0006D6FC ASCII "1797XYZZY"
0006D6C4 00000000  Arg4 = 00000000
0006D6C8 00000000  Arg5 = 00000000
0006D6CC 00000000  Arg6 = 00000000
0006D6D0 00000000  Arg7 = 00000000
0006D6D4 00000000  Arg8 = 00000000
0006D6D8 00000000  Arg9 = 00000000
0006D6DC 0006D73C  Arg10 = 0006D73C
0006D6E0 0006DA00  Arg11 = 0006DA00
0006D6E4 00000000  Arg12 = 00000000
0006D6E8 0006E034  Arg13 = 0006E034
0006D6EC 00000000  Arg14 = 00000000
0006D78C 5A7C1E99  PIDGen.PIDGenW                                PIDGen.SetupPIDGenW+40    0006D788
0006D790 0006DE00  Arg1 = 0006DE00
0006D794 5A5540FC  Arg2 = 5A5540FC
0006D798 0006E008  Arg3 = 0006E008
0006D79C 00000000  Arg4 = 00000000
0006D7A0 00000000  Arg5 = 00000000
0006D7A4 00000000  Arg6 = 00000000
0006D7A8 00000000  Arg7 = 00000000
0006D7AC 00000000  Arg8 = 00000000
0006D7B0 00000000  Arg9 = 00000000
0006D7B4 0006D7F8  Arg10 = 0006D7F8
0006D7B8 0006DA00  Arg11 = 0006DA00
0006D7BC 00000000  Arg12 = 00000000
0006D7C0 0006E034  Arg13 = 0006E034
0006D7C4 00000000  Arg14 = 00000000
0006D7CC 5A523183  <JMP.&PIDGen.#6>                              WINNT32U.5A52317E         0006D7C8
0006E020 5A523A41  WINNT32U.5A52309F                             WINNT32U.5A523A3C         0006E01C
0006E084 77D18709  Includes WINNT32U.5A523A41                    USER32.77D18706           0006E080
0006E0B0 77D187EB  ? USER32.77D186E1                             USER32.77D187E6           0006E0AC
0006E118 77D1C00E  ? USER32.77D18734                             USER32.77D1C009
Call stack of main thread
Procedure / arguments
Called from
<PIDGen.SimplePidG>
PIDGen.PIDGenA+2D
Out
Arg1 = 0006D71C ASCII "X3WJB-3B2BH-3MPM6-8F6GR-X9HBJ"
Result 31 bit
Arg2 = 0006D774 ASCII "55375"
Arg3 = 0006D6FC ASCII "1797XYZZY"
Arg4 = 00000000
date (Year)
Arg5 = 00000000
Arg6 = 00000000
Result last bit
Arg7 = 5A7C80E0
Arg8 = 0000002C
Arg9 = 00000000 Create OEM-number if 1
Arg10 = 0006D73C Ptr OEM-number
Arg11 = 0006DA00
Arg12 = 00000000
Result 31 bit as Value
Arg13 = 0006E034
Result last bit as Value
Arg14 = 00000000
1 if 100.000 < Result < 1.000.000
Result 31 bit Example:
00CCAAA3 => 13413027
186A0 100.000
0F4240 1.000.000
EDX=00064D63
1B6B0B00 460.000.000
PIDGen.PIDGenA
PIDGen.PIDGenW+14D
Arg1 = 0006D71C ASCII "X3WJB-3B2BH-3MPM6-8F6GR-X9HBJ"
Arg2 = 0006D774 ASCII "55375"
Arg3 = 0006D6FC ASCII "1797XYZZY"
Arg4 = 00000000
Arg5 = 00000000
Arg6 = 00000000
Arg7 = 00000000
Arg8 = 00000000
Arg9 = 00000000
Arg10 = 0006D73C
Arg11 = 0006DA00
Arg12 = 00000000
Arg13 = 0006E034
Arg14 = 00000000
PIDGen.PIDGenW
PIDGen.SetupPIDGenW+40
Arg1 = 0006DE00
Arg2 = 5A5540FC
Arg3 = 0006E008
Arg4 = 00000000
Arg5 = 00000000
Arg6 = 00000000
Arg7 = 00000000
Arg8 = 00000000
Arg9 = 00000000
Arg10 = 0006D7F8
Arg11 = 0006DA00
Arg12 = 00000000
Arg13 = 0006E034
Arg14 = 00000000
<JMP.&PIDGen.#6>
WINNT32U.5A52317E
WINNT32U.5A52309F
WINNT32U.5A523A3C
Includes WINNT32U.5A523A41
USER32.77D18706
Arg16 alway 0
Arg15 -
Arg14 - ;Retval
Arg13 *9
Arg12 *8
Arg11 *7 ;_DigitalProductId
Arg10 *6 ;Must be 0
Arg9 *5
Arg8 -
Arg7 -
Arg6 - ; 0 =Simple PIDGEN
Arg5 - ;18 Byte String...
uk_19_byte_string *4 ;4 Byte String or Nullstring or NULL allowed
GetStockKeepingUnit *3
_Pid30Rpc *2
Pid30Text *1
CALL <_i_Pidgen>
;Ret EAX==1 -> Error
count '-' in Pid30Text ->Should be 4
Getlen(Pid30Text) ->should be 1E
if 1e-4 != 19 then ->error_4
GetStockKeepingUnit==0 -> error_5
len(GetStockKeepingUnit) > 10 -> error_6
Arg10!=0 -> error_7
_DigitalProductId==0 -> error_8
Size(_DigitalProductId)<=a4 -> error_9
if arg.9!=0 then
_Pid30Rpc==0 -> error_10
len(_Pid30Rpc)!=5 -> error_11
...
_DigitalProductId=0
If Arg6==0 call simplePIDGEN
PUSH 10               ;
LEA EAX, [LOCAL.15]   ;
PUSH EAX              ;
PUSH [ARG.5]          ;
PUSH [ARG.7]          ;*
PUSH [ARG.6]          ;*
PUSH [ARG.1]          ; |Arg1
CALL 5E18148D         ; \PIDGen.5E18148D
WUAUENG.DLL and IUENGINE.DLL
licdll!227->licdll!229( lpszIVLK_GetEncPID)
Arg9==0 -> arg.6=1 else arg.6=0
ARG.6=ARG.6+2
0123456789abcdef0123456789abcd = 1D (24+4+1 letters)
MC4XX-TH97K-4Q93Q-H8983-RBKFD.      ;CD-KEY
0123456789abcdef0123456789 = 19 (24+1 letters)
MC4XXTH97K4Q93QH8983RBKFD.          ;CD-KEY without dashes
4 bit * 24 letters = 96 bit / 8 = 12 bytes
5 bit * 24 letters = 120 bit / 8 = 15 bytes
0123456789abcdef012345678 = 18 (23+1 letters)
BCDFGHJKMPQRTVWXY2346789.
Letter -> 5-bit value (third column: unused codes):
B  0  00000    T  C  01100    18 11000
C  1  00001    V  D  01101    19 11001
D  2  00010    W  E  01110    1A 11010
F  3  00011    X  F  01111    1B 11011
G  4  00100    Y 10  10000    1C 11100
H  5  00101    2 11  10001    1D 11101
J  6  00110    3 12  10010    1E 11110
K  7  00111    4 13  10011    1F 11111
M  8  01000    6 14  10100
P  9  01001    7 15  10101
Q  A  01010    8 16  10110
R  B  01011    9 17  10111
Letters   4      D      R      D      D      V      6DQX87PC9WCQWK9JQFF
5-bit     13     2      B      2      2      D      ~
          10011  10001  01011  00010  00010  01101  ~
          100111000101011000100001001101~
          1001 1100 0101 0110 0010 0001 0011 01~
          9    C    5    6    2    1    3
Letters   1  2  3   4   5
4 bit     4  8  12  16  20
5 bit     5  10 15  20
31 bit: Hash
12 bit: OS Family
62 bit: Signature
 9 bit: Prefix
114 bit / 8 = 14 bytes (0C + 2 bytes + 2 bits)
64559910
8 BC 1E 3E F9 01 E1 D2 6C 15 D0 40 00
31 (1f) bits  Hash
28 (1c) bits
55 (37) bits
-----------
114 bits
1.(a,55bit,37,out,R,p,aRp,c)
2.(a,28bit,28,out,R,p,aRp,c)
3.<ec_1>,<EC_28_bit>,out,<PIDGen.R>,<PIDGen.p>,<aRp>,c
ShortSigKeySizes are 5c(92) and 16c(364)
ecdig_affine_exponentiation(a,R,p,out)
ecdig_affine_exponentiation(b,R,p,out)
$     766CC00A
$+4   8784862E
$+8   61953F47
$+C   00000042
http://www.hot.ee/windowsxp/keygenVLK/
0006E444 02004ACB   Part1 617D9E34   (6)17D9E34 Unp.Sig
0006E448 30BECF1A   0D02F5A2         D02F5A2 6
0006E44C 06817AD1   0009D04E         001D04E 0
0006E450 0004E827
Hash(02004ACB) => 17D9E34
01002565 % 0F4240 = 16.786.789 % 1.000.000 = 16
16 = 270?
Letters   M      C      4      X      X      T      H97K4Q93QH8983RBKFD
5-bit     8      1      13     F      F      C      ~
          01000  00001  10011  01111  01111  01100  ~
          010000000110011011110111101100
          0100 0000 0110 0110 1111 0111 1011 00
          4    0    6    6    F    7    B
-------------------------------------------
55375-016-7867894-22084
D84F- 0F- X-16???
                ^^
          Check digit
786789 => 7+8+6+7+8+9 = 45
45 mod 7 = 3 (0..6)
(7867890-3)+7 = 4
0->7  1->6  2->5  3->4  4->3  5->2  6->1
22*2 => 44 => 2C
DPC_BINKs
$      00000028  00000029  0000002C* 0000002D*   BINK_ID
$+4    0000016C  0000016C  0000016C  0000016C    Size (Keylen: 5c)
$+8    00000007  00000007  00000007  00000007    Fix
$+C    DEA3315A  3DC1018C  FDF3EB2C  1E808A91    32-bit checksum
$+10   0130DFAE  0130DFAE  0130DFAE  0130DFAE    FixDate >2002
$+14   0000000C  0000000C  0000000C  0000000C    (max 32)
$+18   0000001C  0000001C  0000001C  0000001C    =28 bit CDKey 1 +1f>>5= 1c+37=53
$+1C   00000037  00000037  00000037  00000037    =55 bit (max 64 bit)
$+20   62D1FFF1  C4CE3041  1D8C9B71  300DE481    Block1 (2c)
$+24   9DA30D75  80C421B5  8BE8C302  B531BAE7
$+28   5DC08539  56044C78  36991CE6  852DD8A5
$+2C   9426DB78  9F8FCFD8  211D6C5D  51EA8E87
$+30   801D7747  66CA118A  31DC8D60  7A4808E0
$+34   9BD15778  20A817C9  72EE0406  2744B04D
$+38   BDE7CB0A  94C334AE  58037B80  CF830A14
$+3C   2824DCA5  3C8C4423  56B99C66  46FE0BBD
$+40   B1D06EF6  3BF533EC  1A25D4B7  B07B8826
$+44   F85D1EE8  6AE6D6E7  D2E3DB51  9C29A6F3
$+48   06B66885  D2482726  6AF9F2F1  B49B5E22
$+4C   CA953A06  8811D822  9E9C1B12  DFB971F2
$+50   00000001  00000001  00000001  00000001    Block2 (60)
$+54 .. $+AC   00000000 in all four BINKs (23 dwords)
$+B0   35B39D3B  B0976EC8  0DA43B7F  3F08F695    Block3 (60)
$+B4   21CE0846  847B4930  7C857910  7905B73B
$+B8   1E9AA3D6  FF66F406  225BB8A7
$+BC   D90CB9E8  53FCE1B0  862EC56C
       BEED350E  8776DF2A  3CC5801A              Block4 (60)
BINK
        Resource_1  Resource_2
$       00000056    00000057    ;Index
$+4     000001E4    000001E4    ;Size
$+8     00000009    00000009
$+C     E1C56557    F933CECD
$+10    01317CC4    01317CC4    ;->2002-04-20 Check value
$+14    00000010    00000010
$+18    0000001F    0000001F
$+1C    0000003E    0000003E
$+20    0000000A    0000000A
$+24    00000014    00000014
$+28    D320FDB9    BD344479    ;Block_p size: 1f
$+2C    EE14A70A    A872E459
$+30    D81D13DA    046524F2
$+34    6B416634    E5905805
$+38    BFB71AF9    4CFCEE53
$+3C    62525DD1    7471094C
$+40    85D0A6CF    BFECF198
$+44    B86E928D    C14DC216
$+48    2CE64781    7938FA7E
$+4C    64A3E12D    915C2A56
$+50    8DF39777    43A57D19
$+54    56672F03    C402D8C4
$+58    6CEF1C45    335BBF1D
$+5C    D6B9ED66    ACC569EF
$+60    6A859387    512B5D55
$+64    C173DB1B    E7153CF2
$+68    00000001    00000001    ;Block_2 size:
$+6C .. $+E4   00000000 in both resources (31 dwords)
$+E8    32DCDA8C    80712685    ;Block_a size 80
$+EC    79FB7661    311379EE
$+F0    92F8A7A2    AA3725A7
$+F4    C749186A    F9C29E2F
$+F8    114AF194    6B3B4512
$+FC    D228CE87    1F7F9153
$+100   93BF4D30    C9F0F6D3
$+104   151726CF    66561AD0
$+108   F4B194FB    43485D2B
$+10C   374EA105    D7227E27
$+110   DBAACFFC    26B1DB9D
$+114   B1E0B83B    80703717
$+118   1B5EA11B    9A29A282
$+11C   A011229B    97D0D60A
$+120   2490D527    A1C39184
$+124   5EB67769    DC5E9102
$+128   10CD4EE1    BA003638
$+12C   09B63AA0    B209A42A
$+130   DB1084D0    A5969EE0
$+134   2DCE5573    A5D07136
$+138   AF0BC6FA    C5F1492E
$+13C   30EEE577    FFAE259C
$+140   0D644276    BBA8B3DA
$+144   C86D048A    75701CFC
$+148   E3CA06AC    416BCF24
$+14C   8AFAE90B    681E4418
$+150   247134DA    8E2BE87A
$+154   F2541906    CE7C17EB
$+158   92F750EA    878C467A
$+15C   6C7918B2    3BA4BAF8
$+160   C6E42A04    6C8C5F2A
$+164   7DED9C78    72A9A104
$+168   4188E5B5    20C1F9F5    ;Block_b size 80
$+16C   37D58F51    6FE936E9
$+170   4B663414    EE290CE3
$+174   CA36EA2F    04A4C6FA
$+178   86DC0269    2A4567E5
$+17C   2584D27D    B52EBD82
$+180   5D1DF76F    26C243CC
$+184   05CA6B20    6272F741
$+188   B8E0AC70    4A9F065E
$+18C   55815E4F    0B5A8CDE
$+190   9DD70607    DBF6BFBD
$+194   96364120    D284EE67
$+198   480869FF    7748F220
$+19C   7C8E68A1    CE61C46A
$+1A0   10C49B28    8F43CB28
$+1A4   166461FA    D62FA82D
$+1A8   545B3DB3    19343F57
$+1AC   83670639    B94C4383
$+1B0   35C7A99C    BB745504
$+1B4   48A60F73    20998FE4
$+1B8   D712ADC0    EC6B78E0
$+1BC   BA84A8A1    D622C3D3
$+1C0   FD709454    87EFF5A7
$+1C4   C4238A4D    CEED448F
$+1C8   3C20B4FC    BFF9E4C5
$+1CC   13C65928    2095DD22
$+1D0   26707D97    51AE7419
$+1D4   6A5D0A57    BC8B619F
$+1D8   832BC174    23A5D5CB
$+1DC   FF8E9605    2522E7D1
$+1E0   99DA01AB    EE8CE115
$+1E4   30EABCF3    E5FB28B1
Usage:
Block p,2 a
Block p,2 b
Microsoft's Product-key Identification program uses a public key stored in PIDGEN.DLL's BINK resource, which is an Elliptic Curve Cryptography public key, which is composed of:
y^2 = x^3 + ax + b mod p
p, a, b construct an elliptic curve
G(x,y) represents a point on the curve, and this point is the so-called generator
K(x,y) represents a point on the curve, and this point is the product of integer k and the generator G.
K = k*G
1. compute H = SHA-1(5D, OS Family, Hash, prefix, 00 00); the total length is 11 bytes.
   H is 160 bits long, and we only need the first 2 words.
   Right-shift H's second word by 2 bits.
   E.g. if SHA-1() returns FE DC BA 98 76 54 32 10, H = FE DC BA 98 1D 95 0C 04.
2. compute R(rx,ry) = Signature * (Signature*G + H*K) (mod p)
3. compute SHA-1(79, OS Family, rx, ry); the total input length = 1+2+64*2 = 131 bytes.
4. compare Hash and result, and if identical, the key is valid.
http://en.wikipedia.org/wiki/Elliptic_curve
http://www.certicom.com/index.php?action=ecc_tutorial,home
special RPC:
10e 270
14f 335
3d5 981
3d6 982
3d7 983
3d4 980
1B6B0B00 460 000 000x
RPC=5
20a 522
PID Bundle of PIDs
DigitalProductId
Offset    Registry (XP-PRO)   XP_COP_SRV          XP_EVAL_SRV
00000000  000000A4            000000A4            000000A4            ;CONST Size
00000004  00000003            00000003            00000003            ;CONST ?
00000008  37333535 "5537"     31383936 "6981"     36373936 "6976"     ;ProductID
0000000C  31302D35 "5-01"     34362D35 "5-64"     30302D33 "3-00"
00000010  37372D31 "1-77"     35302D30 "0-05"     30302D35 "5-00"
00000014  38363839 "9868"     39383239 "9289"     39333030 "0039"
00000018  32322D34 "4-22"     35342D32 "2-45"     33342D32 "2-43"
0000001C  00323130 "012."     00323431 "142."     00373631 "167."
00000020  0000002C            0000005A            00000056            ;ID_OF_BLINK, first byte of BLINK res
00000024  2D323241 "A22-"     2D323241 "A22-"     37393731 "1797"     ;StockID
00000028  30303030 "0000"     30303030 "0000"     5A5A5958 "XYZZ"
0000002C  00000031 "1"        00000031 "1"        00000059 "Y"
00000030  00000000            00000000            00000000
00000034  81677E38            D6C7D500            60FAC00A            ;CDKEY
00000038  4757E622            D5C5AB9C            243173B3            ;CDKEY
0000003C  62628E62            9DB71642            A9FA3C3C            ;CDKEY
00000040  00043DF0            00018D2A            0002130C            ;CDKEY
00000044  00000000            00000000            00000000            ;Unused
00000048  4150A200            40BFE202            41519CB4            ;TimeStamp (seconds since 1.1.1970); 34..35 years*365*24*60min*60s = 3FE8D700..41CA0A80
0000004C  00BDD23D            000116FD            03BE1FF7            ;GetTickCount
00000050  00000000            00000000            00000000            ;PRC: TimeStamp/1.000.000==RPC->3, RPC==335->6, RPC!=980->6 + Memstats; 1 if last bit of pid is set
00000054  00000000            00000000            00000000
00000058  00000000            00000000            00000000
0000005C  00000000            00000000            00000000            ;4-Byte String
00000060  00000000            00000000            00000000
00000064  00000000            00000000            00000000
00000068  32383038 "8082"     32383038 "8082"     32383038 "8082"     ;HardwareDigit
0000006C  00000033 "3"        00000036 "6"        00000036 "6"
00000070  00000000            00000000            00000000
00000074  000007DF            000007DF            000007DF            ;L5 Year+11: 7df = 2015
00000078  407577CF            407577CF            407577CF            ;L4 Date: 407577CF = 08.04.2004 16:03:27
0000007C  00000200            00000200            00000200            ;L3
00000080  00000D83            000014D6            000013C8            ;13C8 = 5064
00000084 .. 0000009C  00000000 in all three
000000A0  827947F9            E55AF436            FA1661C7            ;Checksum
0F4240 = 1.000.000
Call stack of main thread
Procedure
Called from
<PIDGen._i_Pidgen>
PIDGen.PIDGenA+2F
PIDGen.PIDGenA
PIDGen.PIDGenW+176
PIDGen.PIDGenW
PIDGen.SetupPIDGenW+40
WINNT32U.SetupPIDGenW
WINNT32U.ValidatePid30+0DF
WINNT32U.ValidatePid30
WINNT32U.CdPid30WizPage+1BB
Maybe WINNT32U.CdPid30WizPage USER32.77D18706
0123456789abcdef012345678=18 (17 Letters)
BCDFGHJKMPQRTVWXY2346789. ;mask
2^1Bit =2 Byte
2^2Bit =4 Byte
2^3Bit =8 Byte
2^4Bit =16Byte maybe this is enough for 17 Letters
2^5Bit =32Byte this will fit for 17 Letters (15 will by wasted)
coperated Server
69815 270
82503 SkuProfessionalEval
69763 SkuProfessionalEval
51883 SkuServerNFR "C11"
51882 SkuAdvServerNFR "C10-00013"
51873 SkuProfessionalFPP "B23-00079"
51874 SkuProfessionalCCP "B23-00082"
51876 SkuServerFPP "C11-00016"
51877 SkuServerCCP "C11-00027"
51879 SkuAdvServerFPP "C10-00016"
51880 SkuAdvServerCCP "C10-00027"
51891 SkuDTCFPP "C49-00001"
51873 SkuProfessionalSelect
SkuUnknown "A22-00001"
"OEM-93523"
PidKeyName             SYSTEM\Setup\Pid
PidListKeyName         SYSTEM\Setup\PidList
PidValueName           Pid
PidSelectId            270
PidOemId               OEM
FinalPidKeyName        SOFTWARE\Microsoft\Windows NT\CurrentVersion
FinalPidValueName      ProductId
SkuProfessionalFPP     B23-00079
SkuProfessionalCCP     B23-00082
SkuProfessionalSelect  B23-00305
SkuProfessionalEval    B23-00084
SkuServerFPP           C11-00016
SkuServerCCP           C11-00027
SkuServerSelect        C11-00222
SkuServerEval          C11-00026
SkuServerNFR           C11-00025
SkuAdvServerFPP        C10-00010
SkuAdvServerCCP        C10-00015
SkuAdvServerSelect     C10-00098
SkuAdvServerEval       C10-00014
SkuAdvServerNFR        C10-00013
SkuDTCFPP              C49-00001
SkuDTCSelect           C49-00023
SkuUnknown             A22-00001
SkuOEM                 OEM-93523
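The two format rules that crackware2k's notes work through by hand (the product key read as a base-24 number and sliced into its 31/28/55-bit fields, and the check digit of the 7-digit Product ID group) are easy to get wrong when done mentally, so here is an added example that implements both. This is editor-added code, not code from the post or from pidgen.dll; the function names are mine, the alphabet, field widths, sample key and Product IDs are the ones quoted in the notes (the two extra Product IDs in the test are decoded from the ProductID bytes of the registry dump). It parses the formats only and does not evaluate the ECC signature.

```python
# Added example, not code from the original post or from pidgen.dll.
#  1. product key = base-24 number over "BCDFGHJKMPQRTVWXY2346789",
#     split little-endian into the 31/28/55-bit fields the notes list;
#  2. Product ID check digit: sum of the six digits mod 7, seventh digit
#     = 7 - remainder (the 0->7 ... 6->1 table in the notes).
# Function names are the author's (editor's) own; values come from the notes.

ALPHABET = "BCDFGHJKMPQRTVWXY2346789"   # symbol value = index in this string
BASE = len(ALPHABET)                     # 24
KEY_SYMBOLS = 25
KEY_FIELD_WIDTHS = (31, 28, 55)          # 114 bits in total, low field first


def decode_key(text: str) -> int:
    """Read a product key as a base-24 integer, most significant symbol first.

    Dashes are ignored as separators; any other foreign character is rejected
    rather than silently mapped, so malformed input cannot decode to a value.
    """
    value = 0
    for ch in text.upper():
        if ch == "-":
            continue
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a product-key symbol: {ch!r}")
        value = value * BASE + idx
    return value


def encode_key(value: int, length: int = KEY_SYMBOLS, group: int = 5) -> str:
    """Inverse of decode_key: `length` base-24 symbols, padded with 'B' (the
    zero symbol), with a dash after every `group` symbols (0 = no dashes)."""
    if value < 0 or value >= BASE ** length:
        raise ValueError("value does not fit in the requested number of symbols")
    symbols = []
    for _ in range(length):
        value, idx = divmod(value, BASE)
        symbols.append(ALPHABET[idx])
    text = "".join(reversed(symbols))
    if not group:
        return text
    return "-".join(text[i:i + group] for i in range(0, length, group))


def split_fields(value: int, widths=KEY_FIELD_WIDTHS):
    """Cut `value` into bit fields, lowest bits first (the notes read the
    packed key little endian, so the 31-bit PID part sits at the bottom).
    Returns (fields, leftover); a non-zero leftover means the value carries
    more bits than the declared layout, which a validator should reject."""
    fields = []
    for width in widths:
        fields.append(value & ((1 << width) - 1))
        value >>= width
    return fields, value


def check_digit(six_digits: str) -> int:
    """Check digit for the first six digits of the 7-digit Product ID group:
    786789 -> 7+8+6+7+8+9 = 45, 45 mod 7 = 3, 7 - 3 = 4."""
    if len(six_digits) != 6 or not six_digits.isdigit():
        raise ValueError("expected exactly six decimal digits")
    return 7 - (sum(int(d) for d in six_digits) % 7)


def validate_product_id(pid: str) -> bool:
    """True when `pid` has the 5-3-7-5 decimal layout and a correct check digit.

    Structural check only: it says the string is well formed, not that the
    ID was ever issued.
    """
    groups = pid.split("-")
    if [len(g) for g in groups] != [5, 3, 7, 5] or not all(g.isdigit() for g in groups):
        return False
    serial = groups[2]
    return check_digit(serial[:6]) == int(serial[6])


if __name__ == "__main__":
    print(decode_key("CW2K"))                              # 22303, as worked in the notes
    key = "4DRDD-V6DQX-87PC9-WCQWK-9JQFF"                   # sample key from the notes
    n = decode_key(key)
    fields, rest = split_fields(n)
    print(f"{n:#x} {n.bit_length()} bits", [f"{f:#x}" for f in fields], f"leftover={rest:#x}")
    print("round trip:", encode_key(n) == key)
    for pid in ("55375-016-7867894-22084", "55375-016-7867895-22084"):
        print(pid, validate_product_id(pid))
```

The field split deliberately returns the bits left over above the declared layout instead of discarding them: a key value that does not fit the layout is a malformed input, and a validator that silently truncates it would accept strings the format does not allow.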

BoRK
Guest
Posted: Tue Apr 05, 2005 10:05 pm
Post subject:
WoW! It's amazing info, crkware2k, once again ur brain power beats all... I'm really admired of ur win cracking knowledge! Go on...

Guest
Posted: Sat Apr 16, 2005 11:26 pm
Post subject: Generate Windows Server 2003 Arbitrary range keys
Is there a program that can generate a Windows Server 2003 key in an arbitrary range? For example, the mskey keygen can make Windows XP and Office XP keys in any range, but Windows Server 2003 keys are only generated in the range 640-649. With Windows Server 2003 SP1, there are new key ranges to enable new functionality (R2), so I need a way to generate a valid key (DD = 45) in a specific range. If someone can come up with a program to do this, I'd be happy to share range values. Also, it would be good if it could be extensible and generate keys for any value of DD (would probably need BINK values from a particular pidgen to do this) as there are other products that have special functionality for certain ranges.
-bt
|
Powered
by phpBB
2001, 2002 phpBB
Group
|