ratshasa

March 3rd, 2013, 11:19

Hello! I'm having some trouble generating valid serial numbers for an application and I hope someone here can shed some light on the whole thing.

As per the FAQ, here is the relevant info:

A while ago, some developer released version 1.0 of some application, protected by a serial check routine. I was able to understand the algorithm used to validate serial numbers and create a serial generator for that application.

Now, the same developer released an update for that application which requires a new serial number. That validation routine is the same as before, except for an extra step. I was able to create a new, working serial generator, but I am unsure if it's actually as good as it can be.

Custom-made serial number check.

The application is written in Python and I was able to decompile it using a tool called uncompyle2.

Some tutorials on Python programming and a few more on decompiling applications made in Python.

I'm not entirely sure what output I should list here, so I'll try to explain how the serial check routine works in the updated version of the application, keeping it as generic as possible.

First of all, as I mentioned previously, it simply does the same check as in the initial version, 1.0 (that was simple to understand). Then comes the extra step, which goes like this:

1. it takes the name of the application and calculates it's SHA1 hash;

2. it takes that hash and converts it from base 16 to base 10 (I'm not sure if I'm explaining this operation correctly, English is not my native tongue, but I can give an example if needed);

3. it stores the remainder (let's call it R1) of the division between the result from the previous step and a number (constant integer), let's call it X;

4. it takes the entered serial number and calculates it's SHA1 hash;

5. it takes that hash and converts it from base 16 to base 10;

6. it stores the remainder (let's call it R2) of the division between the result from the previous step and X (the constant);

7. it checks if the two remainders, R1 and R2, are equal;

8. if R1 = R2, then the serial number is considered valid.

To generate valid serials for the new version of the application, I create random serials which are valid for the initial version and do the calculations mentioned in the list above again and again, until I get a serial that works.

Basically, I now cannot constantly create valid serials for the updated application like I did before. I have to create many serials and do the calculations on them until I find ones that are valid.

Is my method of generating valid serials for the new version of the application the most efficient one? Or is there a correlation between the SHA1 hashes, the conversion from base 16 to base 10 and the remainders, which I'm not seeing? Does the developer generate valid serials in the same way, or does him/her have a different method, which constantly yields valid serial numbers?

If needed, I can explain the serial check routine more thoroughly.

Thanks!

As per the FAQ, here is the relevant info:

**1. What is the problem....**A while ago, some developer released version 1.0 of some application, protected by a serial check routine. I was able to understand the algorithm used to validate serial numbers and create a serial generator for that application.

Now, the same developer released an update for that application which requires a new serial number. That validation routine is the same as before, except for an extra step. I was able to create a new, working serial generator, but I am unsure if it's actually as good as it can be.

**2. What is the protection.....**Custom-made serial number check.

**3. What tools are you using....**The application is written in Python and I was able to decompile it using a tool called uncompyle2.

**4. What tutorials have you read....**Some tutorials on Python programming and a few more on decompiling applications made in Python.

**5. Show your output listing WITH comments....**I'm not entirely sure what output I should list here, so I'll try to explain how the serial check routine works in the updated version of the application, keeping it as generic as possible.

First of all, as I mentioned previously, it simply does the same check as in the initial version, 1.0 (that was simple to understand). Then comes the extra step, which goes like this:

1. it takes the name of the application and calculates it's SHA1 hash;

2. it takes that hash and converts it from base 16 to base 10 (I'm not sure if I'm explaining this operation correctly, English is not my native tongue, but I can give an example if needed);

3. it stores the remainder (let's call it R1) of the division between the result from the previous step and a number (constant integer), let's call it X;

4. it takes the entered serial number and calculates it's SHA1 hash;

5. it takes that hash and converts it from base 16 to base 10;

6. it stores the remainder (let's call it R2) of the division between the result from the previous step and X (the constant);

7. it checks if the two remainders, R1 and R2, are equal;

8. if R1 = R2, then the serial number is considered valid.

To generate valid serials for the new version of the application, I create random serials which are valid for the initial version and do the calculations mentioned in the list above again and again, until I get a serial that works.

Basically, I now cannot constantly create valid serials for the updated application like I did before. I have to create many serials and do the calculations on them until I find ones that are valid.

**6. NOW ask your question....**Is my method of generating valid serials for the new version of the application the most efficient one? Or is there a correlation between the SHA1 hashes, the conversion from base 16 to base 10 and the remainders, which I'm not seeing? Does the developer generate valid serials in the same way, or does him/her have a different method, which constantly yields valid serial numbers?

If needed, I can explain the serial check routine more thoroughly.

Thanks!