PDA

View Full Version : SHA-1 protected program


LaptoniC
June 20th, 2002, 13:36
I am working on program which has interesting reg check.
It gets name and removes spaces and make uppercase ie Mister Stop -> MISTERSTOP
Then it takes SHA-1 of it 2014A31489DEB684260C49792266DB575E69E5A4
then it gets what serial you entered and send MakeAscii procincluded in zip
Then it takes SHA-1 of this number (E400AA622758FF3B29D0E14546EA48DE31DB8A4E)

Then it gets first char of SHA-1(Name) divide to 80h and get SHA-1 hash which is in the program.(80h precalculated SHA-1) compare to SHA-1 of mangled serial.

In order to reverse this one should find 16 chars serial whose SHA-1 is in the program.I think bruteforcing takes a lot time.It is compiled with visual C.If they used any C random algo maybe we can attack here.Also I think they didnt calculated 16 chars at once instead they calculated 4 by 4 or 8 by 8.Any tips are appreciated.I attached predefined 80h SHA-1 hashes,MakeAscii proc

Lbolt99
June 24th, 2002, 03:22
I think I've followed what you're saying in the 2nd paragraph:

So in a nutshell, what it's doing is running SHA-1 on the name, running SHA-1 on the 16 byte serial you entered. Then it reads in the first byte of the SHA-1 code done on the name, divides it by something so that it's a number in the range of 1-80, which would correspond to one of the 80 available SHA-1 codes stored in the program. Then it compares this with the SHA-1 code calculated on the serial?

Just want to make sure i understand this before thinking on it more

LaptoniC
June 24th, 2002, 12:17
yes what you say is mostly correct but there are 80h=128 predefined SHA-1 hash.Thanks for yor response

Lbolt99
July 29th, 2002, 22:32
Sorry for the delay in getting back. I've thought it through, I'm thinking there's no real easy way to keygen this... the main problem is finding out what the 128 different serial numbers are, whos hashes would match up to the hardcoded hashes. The authors probably just made up a bunch of numbers, or maybe generated them, but that's external of the program so there's no real way to find that out. No way I know of to get from here to there

One thing of interest, in fact I want to look into this myself, is Advanced Disk Cataloger v1.47, which uses MD5 hashes as protection. It was keygenned by DAMN (surprise) and Ivanopolus somehow bruteforced numbers out of it. I want to figure out how that works and how he did that.

In the NFO file, it states that there are hardcoded hashes in the program, so somehow he got from point A to point B as far as keygenning it. Should be interesting

LaptoniC
July 30th, 2002, 17:28
Thanks for the info.You are right I guess.Thanks again for your interest.