In their earliest days, ASW didn't require registration, but they eventually began locking core features away behind codes. All of their classic titles use the original algorithm by Andrew Welch. Given a licensee name, number of copies, and game name, the code generator runs through two loops. The first loop iterates over each letter of the capitalized licensee name, adding the ASCII representation of that letter with the number of copies and then rotating the resulting bits. The second loop repeats that operation, only using the game's name instead of the license holder's name.

Beginning with Mars Rising, later games added a step to these loops: XOR the current code with the common hex string $DEADBEEF. However, the rest of the algorithm remained essentially unchanged.

The resulting 32 bits are converted into a text registration code by adding the ASCII offset of $41 to each hex digit. This maps the 32-bit string into 8 characters, but due to the limit of a hex digit to only encode 16 values, codes only contain letters from the first 16 of the alphabet. The following chart shows an example using a well-known hacked code for Slithereens.

Here is a Python implementation of the v1 system: aswreg_v1.py. Once you have the bitstring module installed via sudo pip install bitstring, you can test the output yourself with python aswreg_v1.py "Anonymous" 100 "Slithereens".

As Ambrosia's Matt Slot explains, the old system continued to allow a lot of piracy, so in the early 2000s they decided to switch to a more challenging registration system. This new method was based on polynomial hashing and included a timestamp so that codes could be expired and renewed. Ambrosia now had better control over code distribution, but they assumed their renewal server would never be shut down.

They also took more aggressive steps to reduce key sharing. The registration app checks against a list of blacklisted codes, and if the user is found to be using one, the number of licenses is internally perturbed so that subsequent calculations fail. To combat tampering, your own information can get locally blacklisted in a similar manner if too many failed attempts occur, at least until the license file is deleted. Furthermore, the app attempts to verify the system time via a remote time server to minimize registration by changing the computer's clock. You can disable the internet connection, set the clock back, and enter codes.

But let us look at the algorithm more closely. To extract such information from the registration code, we must reverse the XOR operation and split out the two hashes which were combined. Fortunately, XOR is reversible, and we can compute one of the hashes.

The first hash, which I'll call the userkey, is actually quite similar to v1's algorithm. It loops through the licensee name, adding the ASCII value, number of copies, and shifting bits. An important change is including multiplication by a factor based on the string size.

The second hash, which I'll call the basekey, is the secret sauce of v2; it's what you pay Ambrosia to generate when registering a product. It is not computed by the registration app, but there are several properties by which it must be validated. The chart below visualizes the relationships among the various hashes, using the well-known "Barbara Kloeppel" code for EV: Nova.

I was next curious about code generation. For the purposes of this write-up, I have not fully reverse engineered the basekey, only duplicated the aspects which are used for validation. This yields functional keys, just not genuine ones. If the authors of the EV: Nova renewal bot have fully reversed the algorithm, perhaps they will one day share the steps to genuine basekey creation.

One aspect validated by the registration app is that the licensee name, number, and game name can be modified to yield a set of base factors. These are then multiplied by some number and written into the basekey. We do not need the whole algorithm; we simply must check that the corresponding regions in the basekey are multiples of the appropriate factors. Considering f1 and f2, the values in the sample basekey are 0x25DA and 0x1500, respectively. The top 5 bits and f3 are never actually checked, so they can be ignored. The base factors are 0x26 and 0x1C, which are multiples by 0xFF and 0xC0, respectively.

Rather than analyze the code in detail, I wrote a small script to translate over the disassembled PPC to Python wholesale. It is sufficient for generating keys to EV: Nova, using the perfectly-valid multiple of 1x, but I have found it fails for other v2 products.