An Analysis of DiskGenius registration algorithms

Source: Internet
Author: User

My first contact with DiskGenius is a distant memory; at that time only the DOS version existed. Later I moved to the Windows version and used it to recover lost partitions in several cases, which is convenient and practical. It has grown more and more powerful since and has become one of the essential tools for IT technicians and desktop support staff.

Recalling a case from several years ago: an old machine that had been in use for a long time suddenly crashed, and physical damage to the disk's boot area meant the system would no longer start. Ordinary data can be recovered with tools such as DiskGenius, but that was not the concern, because I had backups of most of the data.
What worried me were an EFS-encrypted file and an Outlook mailbox with no backup. They contained the account and authorization details for all of my own and the company's software systems and servers. If I could not get into the system, it meant saying goodbye to them for good. Chilling.
I tried many data recovery tools, including "NTFS/EFS Recovery" and "Raw Copy" on Windows and other systems. All useless: without the digital certificate, the EFS file is just a heap of junk bytes, and the mailbox could not be opened either.
Handing the data to a professional recovery company was not reassuring either. Of course, I don't hold secrets like Snowden; if he had used EFS, he wouldn't have caused so much talk or affected so many lives, haha.
In the end I solved it, and put simply: on another system I created an account identical to the one on the dead system (at least I still remembered the username and password). The key point is to make sure the new account has the same SID as the original, so that the hash in the SAM is the same as before, since the system maps accounts to file owners through the SID.
In Windows, you can get into another user's system once you have the hash. In Marcus Murray's Microsoft TechEd demonstration "Knowing the Enemy - A lightning demonstration on how hackers attack networks", we saw a hash being used to move from one machine on the network into another as a springboard. Mark Russinovich is also well known in this area.
The lesson is not to put all the eggs in one basket: backup, backup, backup. And is EFS really safe? If you do want to use it, follow the "best practice": back up the certificate and remove it from the system.

That story is a digression from this topic. The trigger for this article was an "accident" some time ago: a junior colleague reinstalled the system for an employee, picked the wrong image, and wiped the data on the other partitions. That was bad, and nobody was happy about it; we had to help recover the data.
I hadn't done this for a long time. Comparing my experience with DiskGenius and R-STUDIO, I feel DiskGenius is more effective and accurate.

DiskGenius comes in a free and a professional version. The free version is for trial use: files to be recovered are limited to 64 KB, and the search algorithm is relatively simple. The unregistered Professional Edition has the same limits. Restricted like this it is basically useless, so one either buys it or "cracks" it. Out of a preference for reverse engineering, plus curiosity about the legendary "hidden traps", I decided to play with it and learn its methods.
Of course, I first tried several "cracked versions" in a virtual machine and found that only version 3.8 was "really cracked"; the others were "pseudo-cracks". Even though a "crack patch" modifies the program's Title and About text in memory, that is nothing more than self-deception. Few of them even mention the activation file Options.ini, and the registration codes they ship are invalid too.

This article takes the latest DiskGenius Pro 4.2.0.100 as its example. The idea is to work out its registration algorithm rather than "crack" it, and so achieve perfect activation. Subduing the enemy without fighting is the highest form of skill.
First, let me state plainly that this is for technical discussion only. Please purchase the software. The specific details will not be disclosed here, hence the title "analysis"; some interesting things came up along the way that may be more interesting than the result.

I. Secrets of the registration code
For unregistered Professional Edition users the window title reads "not registered", and the "About" dialog contains a "Register now" button:

Click it and the "Register DiskGenius" dialog appears. Fill in the fields and click "Activate now"; the program responds "Invalid registration code. Please enter it again."

Very friendly, isn't it? From this dialog we learn that there are two activation methods: network (online/offline) and dongle ("encryption lock"). Moreover, when the entered registration code does not meet its requirements, the client performs a preliminary check before submitting anything to the web server. So, straightforwardly, start from the dialog's window procedure, find its verification routine, and explore the structure of the registration code.
Code analysis shows a simple, lightly obfuscated Base36 character set, not in the standard order but a custom one, whose last four characters are "01io". The decoding routine confirms it: the registration code is actually Base32 encoded, with the digits and letters that are easily confused dropped. Five characters form a group and five groups give 25 characters, separated by hyphens. This resembles Microsoft's CD key / Product Key, where MSFT uses Base24 and drops the easily confused characters "5aelnsuz". Does it also involve an elliptic-curve signature algorithm? Daunting! A hash (or checksum bits) is used to verify the validity of the registration code.

Obviously, Base32 represents a much larger integer than Base24 in the same length, which means we have more candidates and it is relatively easy to pick one. With the Base32 character set and the verification algorithm, we can start generating our own registration codes. However, I didn't want to copy the disassembled code. Instead, I used an HTML page in a browser for the UI and JavaScript for the algorithm. All that is needed is a text editor with syntax highlighting that is easy to use; EmEditor, for example, makes it easy to design the interface and modify the program while debugging.
I had an existing "Password Generator" page from About.com and changed it slightly into a "RegCode Generator" that randomly generates the registration code and applies the verification algorithm to obtain the hash. The About.com page is concise and neat; its layout uses DIV + CSS rather than the TABLE most people used. I remember there was once a DIV-versus-TABLE debate.
JavaScript and C++ are both object-oriented. JavaScript has regular expressions, which C++ lacks, but neither has a simple operator for the assembly instructions ROR/ROL; example implementations of these two instructions in C++ can be found in Volume 1 of Bruce Eckel's "Thinking in C++".

However, the JavaScript registration code generator has two problems to solve: large integers and unsigned integers.
In JavaScript, numbers are 64-bit double-precision floating-point values following the IEEE 754 specification. Obviously the registration code easily exceeds this 64-bit limit, so a simple JavaScript "big number" library is needed; see Stanford's "RSA and ECC in JavaScript" for reference, although we don't need anything that complex here.
As for data types: UInt8, Int32, Int64 [-2^53, 2^53] and UInt64 [0, 2^53]; Mozilla's js-ctypes has long supported Int64 and UInt64. We don't need to go that far: we only need to rewrite the necessary operations (left shift, addition, bitwise AND, XOR/OR) so that the result stays unsigned.
Also, numbers often need converting between binary, decimal and hexadecimal. JavaScript's Number.toPrecision([precision]) cannot be used because its precision is insufficient, so you have to roll your own. IE strictly follows the JScript documentation and throws an error if precision is greater than 21; Firefox with precision set to 40 returns an approximation.
Firefox's JavaScript performance far exceeds IE's, which is clearly felt when Base32-encoding large integers. Unexpectedly, MSFT is no longer content to position IE as a pure browser; IE has become a "super client" that tries to better serve its server products, and at the same time it is inseparable from the operating system and very bloated.

The "RegCode Generator for DiskGenius" page:

This part is easy. First the first 22 characters of the registration code are generated at random, then the 16-bit hash is encoded as Base32 characters to give the last three characters of the registration code.

II. What does the activation request send?
The registration code is now valid locally. Try to activate with it. This time the server replies "Error: the registration code is invalid!". This could mean the registration code is still defective and really is invalid; or it is valid but has no record in their database; or there is a record but other fields don't match. In any case, we cannot expect the server to return useful information, and it is also embarrassing to keep pestering someone else's server.
Instead, let's start from the code that processes the returned result. To make this easier and avoid mistakes, I set up an HTTP service locally and pointed the activation server address at the local machine to simulate it. Whatever data the program asks for, I respond as required, and proceed step by step.

But before that, we have to find out what data the program sends to the activation server, which helps us guess and understand how the returned data is composed. Use a tool such as Wireshark to record the HTTP request and response.
The captured data is simple and clear. It uses the GET method, and the fields in the URL are, in order (as can also be observed while stepping through the process):
Code:
Ver=4.2.0.100
Code=YH23U-R65WC-CKPA2-RN2JB-XENVZ
Name=MistHill
Email=misthill%40easycompany.com
Mid=mOD_CDOcD^OFHLOHLHLL%1A%1A%1A%1A%1CL%1C
Appname=DiskGenius
Diskinfo1=XCyo|kXg|z{obGJKFo|jJ|gxkQ>%3F>>>>>>>>>>>>>>>>>>>%3FQ:%3F7:%3D>:>
Note: first, the values passed are encoded as valid URI (Uniform Resource Identifier) components. Second, the contents of mid and diskinfo1 are encrypted; the meaning of the other fields is obvious at a glance.
mid literally means machine ID; it is derived from the results of three CPUID instructions.
diskinfo1 is clearly disk information. Only one hard disk is attached to the debugging machine; what is sent when two or more disks are present I did not check carefully in the program code and cannot confirm.
The program creates a disk object for each disk found; up to 0x80 disks are supported. For each disk object it calls KERNEL32.DeviceIoControl twice: the first call retrieves the geometry, the second the ProductId and SerialNumber.
The total number of sectors is calculated from the geometry and, together with the ProductId (model) and SerialNumber (serial number), forms the diskinfo1 content.

III. Implementing a simple HTTP service
Two activation methods were described above: network and dongle ("encryption lock"). Without a dongle one could write a driver to simulate one, but to keep things simple I chose the network method. If IIS or Apache [Tomcat] is already available locally, a simple page can respond to the request.
Here I decided to write a small app from a ready-made template that implements a simple HTTP service, so that I don't have to install much on the debugging virtual machine; it will also come in handy for similar work in future.
There are plenty of such things around, but I wanted something as simple as possible with good documentation. IBM developerWorks has an article "nweb: a tiny, safe Web server (static pages only)". The full source code is only lines long and supports static pages (.html or .htm), images and compressed files. Unfortunately, it requires a UNIX-like system such as Ubuntu, Fedora, openSUSE or Debian.
I need a Windows environment. David Cook's article "Write a Simple HTTP-based Server Using MFC and Windows Sockets" from MSFT is exactly what I was looking for. It appeared in MSJ (Microsoft Systems Journal, the predecessor of MSDN Magazine) in February 1996. Well..., such an old thing? That's right; the older it is, the more likely it is regarded as a classic.
Its project is called Webster. The article is very detailed and covers HTML, HTTP and sockets. Basic server options can be set, so it is highly controllable; the "MIME data types" can be extended; it supports detailed debugging and logging; it has a "System Tray" icon; and the source code is well commented.
After compiling it, I used Telnet to test the connection:

Aha, it works fine! Now we can use our own "activation server". However, during activation the Webster server hung. Tracing the bug: the buffer used to receive the GET request URI was too small, and the request URI string was too long, causing a buffer overflow.
Try again; this time no problem:

The following changes were made to the Webster project:
a) HTTP/1.1 protocol support. At the time, only HTTP/0.9 and HTTP/1.0 were supported.
b) URI buffer size.
c) Horizontal scroll bar support in CWebView, derived from CScrollView.
d) The font of the controls in the CPropertyPage pages of CWebProps, derived from CPropertySheet.
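The class of fix behind change b) above, as an added example that is not Webster's or the article's code: a bounded parser for the HTTP request line that checks the URI length before copying a single byte and answers 414 instead of overrunning the buffer. parse_request_uri(), URI_MAX and LONG_REQUEST are names chosen here; the request text is constructed, with placeholder field values modelled on the activation GET.

```c
#include <stdio.h>
#include <string.h>

#define URI_MAX 64   /* deliberately small so the limit is easy to hit */

enum parse_status {
    PARSE_OK = 0,              /* method, URI (and optional version) parsed */
    PARSE_BAD_REQUEST = 400,   /* malformed request line */
    PARSE_URI_TOO_LONG = 414   /* URI does not fit the caller's buffer */
};

/* Constructed request modelled on the activation GET with its many query
 * fields; the values are placeholders, not the captured ones. */
const char *const LONG_REQUEST =
    "GET /activate?ver=4.2.0.100&code=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
    "&name=placeholder&email=placeholder%40example.com HTTP/1.1";

/* Parse "METHOD SP URI [SP HTTP/x.y]" and copy the URI into uri[uri_cap].
 * The unsafe pattern this replaces is sscanf("%*s %s", uri) or strcpy()
 * into a fixed array, where the copy happens before any length check.
 * Here the length is checked first and nothing is written when it fails. */
int parse_request_uri(const char *line, char *uri, size_t uri_cap)
{
    const char *start, *end;
    size_t len;
    if (line == NULL || uri == NULL || uri_cap == 0)
        return PARSE_BAD_REQUEST;
    start = strchr(line, ' ');                 /* method token ends here */
    if (start == NULL || start == line)
        return PARSE_BAD_REQUEST;
    start++;
    end = strchr(start, ' ');
    if (end != NULL) {                         /* HTTP/1.0 or 1.1 full request */
        if (strncmp(end + 1, "HTTP/", 5) != 0)
            return PARSE_BAD_REQUEST;
        len = (size_t)(end - start);
    } else {                                   /* HTTP/0.9 simple request */
        len = strcspn(start, "\r\n");
    }
    if (len == 0)
        return PARSE_BAD_REQUEST;
    if (len >= uri_cap)                        /* leave room for the NUL too */
        return PARSE_URI_TOO_LONG;
    memcpy(uri, start, len);
    uri[len] = '\0';
    return PARSE_OK;
}

int main(void)
{
    char uri[URI_MAX];
    int rc = parse_request_uri("GET /index.html HTTP/1.1", uri, sizeof uri);
    printf("%d %s\n", rc, uri);                                       /* 0 /index.html */
    printf("%d\n", parse_request_uri(LONG_REQUEST, uri, sizeof uri)); /* 414 */
    return 0;
}
```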

IV. Perfect activation
Next, write the keygen based on the analysis of how the program processes the activation code. Because CPUID instructions and API calls are needed, it is written in VC++.

The activation key is in fact the result of transforming and encrypting the information submitted during activation; that is the job of the activation server's back end. After the program decrypts the activation code, it compares that information item by item, and if everything matches, activation succeeds.
The activation code can be regarded as a certificate, of which there are several types: for example, whether it is restricted to a specific version (if no version is given, a general certificate applies to other versions as well), or a trial certificate with an expiry date. There is also a field that determines the source of the hardware information used for comparison, dongle or API; without reading the code in detail I cannot be certain.
Unchecking the two "Encrypted" checkboxes in the figure shows the plaintext of mid and diskinfo1 respectively.
After successful activation the program writes the activation file Options.ini for verification on restart, and at the same time copies it to the dos folder for the DOS version. Its format is basically as follows:
Code:
[License]
User = "MistHill"
Email = "misthill@easycompany.com"
Regcode = "YH23U-R65WC-CKPA2-RN2JB-XENVZ"
Key = "9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA"
[LicenseInfo]
Show = "N"
Here the registration code (regcode) currently appears to be "valid"; the activation code (key) was typed in by hand by me and is obviously invalid and cannot pass verification. Nevertheless, it is enough for the program to remove the "unregistered" text from the title and the "Register now" button from the "About" dialog:

The configuration file shows it as successfully registered. This is one of the "hidden traps".

V. Registration code, license, registration code
Replace the key content with the "Activation Key" produced by the keygen (DiskGenius Keygen). Verification on restart passes. Is this "perfect activation"?
No, no, no..., something is wrong! Restoring files larger than 64 KB fails, and the error says "not registered"!
It seems there is still a hidden mechanism. Reviewing the code that runs after the activation code passes verification, I found that the registration code is verified again by another call, and the current regcode does not pass it!
After studying the code carefully, I suddenly realised that it really was learned from the MSFT CD key. The registration code consists of three parts: serial number, signature and check bits (hash). The signature is derived from the serial number by a signature algorithm, and the check bits are calculated from the first two parts.
At the same time we also worked out which key flags (DWORD values) indicate successful registration.
Back to the "RegCode Generator for DiskGenius" page from Section I: "Phase I" solved the hash problem, and "Phase II" now solves the signature problem. First generate a random RegCode, take its serial-number part, derive the signature part by inverting its algorithm, and finally calculate the check bits.

In this way, DiskGenius registration is split into two steps: 1) generate a valid registration code with the HTML page; 2) generate an activation code with the keygen. Webster was only a tool for analysing the problem and is no longer needed.
Try again to restore files larger than 64 KB. This time, of course, there is no problem:


Finally, I would like to thank the author of DiskGenius for providing a great tool, and I hope it becomes even more powerful! I had fun analysing its code.
Thank you for reading this article! Corrections and criticism are welcome.
 
