You can find the keygen (link hidden: log in or register to view it)
- The signature will just be a usual RSA / ECDSA verification, so nothing really hard to replicate:
C#:
NOTE: The tutorial / writeup is not made too simple, so people can get more motivated in getting their own hands dirty and learn even more.
- Download the software from original source (must register).
- Once downloaded, extract the archive SpecterInsight.zip
- It will have a lot of folders, but we're only interested in:
- Starting from the server, we will analyze:
- Now we can check the logic. This is the actual flow:
- You can find ImportLicense, which is the actual logic that parses the license file.
Code:
    public LicenseValidationInfoEx ImportLicense(string path)
    {
        byte[] array = Utility.Decrypt(File.ReadAllBytes(path), "71eee87b4a514a7196cf10c42eae4af7");
        JsonSerializer serializer = new JsonSerializer();
        serializer.Formatting = Formatting.Indented;
        LicenseValidationInfoEx licenseValidationInfoEx;
        using (MemoryStream ms = new MemoryStream(array))
        {
            using (StreamReader sr = new StreamReader(ms))
            {
                using (JsonTextReader jtr = new JsonTextReader(sr))
                {
                    LicenseValidationInfoEx info = serializer.Deserialize<LicenseValidationInfoEx>(jtr);
                    if (info == null)
                    {
                        throw new InvalidDataException("Failed to import license details.");
                    }
                    if (!this.IsKeyValid(info.Key))
                    {
                        throw new Exception("This license is not valid. Please visit www.practicalsecurityanalytics.com to purchase a license.");
                    }
                    if (!info.Validate(info.CustomerEmail))
                    {
                        throw new Exception("This license is not valid. Please visit www.practicalsecurityanalytics.com to update your license.");
                    }
                    licenseValidationInfoEx = info;
                }
            }
        }
        return licenseValidationInfoEx;
    }
- As you can see, it decrypts the license with AES using the hardcoded key 71eee87b4a514a7196cf10c42eae4af7, then loads the content as JSON.
- It then uses a static Salt and a Marker
- Decryption code (inside AmsiScanner.Common.dll):
Code:
    public static byte[] Decrypt(byte[] ciphertextbytes, string password = "5e16e53245c147a8acd1b3e38de0135d")
    {
        // The AES key is derived from the password and the static salt
        Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, Utility.SALT);
        byte[] array6;
        using (AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider())
        {
            aesCryptoServiceProvider.KeySize = 256;
            aesCryptoServiceProvider.BlockSize = 128;
            aesCryptoServiceProvider.Key = rfc2898DeriveBytes.GetBytes(aesCryptoServiceProvider.KeySize / 8);
            // The first 16 bytes of the file are the IV
            byte[] array = new byte[16];
            Array.Copy(ciphertextbytes, array, array.Length);
            aesCryptoServiceProvider.IV = array;
            ICryptoTransform cryptoTransform = aesCryptoServiceProvider.CreateDecryptor(aesCryptoServiceProvider.Key, aesCryptoServiceProvider.IV);
            using (MemoryStream memoryStream = new MemoryStream())
            {
                using (MemoryStream memoryStream2 = new MemoryStream(ciphertextbytes))
                {
                    byte[] array2 = new byte[4096];
                    // Skip the IV before decrypting the rest of the stream
                    memoryStream2.Read(array2, 0, 16);
                    using (CryptoStream cryptoStream = new CryptoStream(memoryStream2, cryptoTransform, CryptoStreamMode.Read))
                    {
                        int num;
                        while ((num = cryptoStream.Read(array2, 0, array2.Length)) > 0)
                        {
                            memoryStream.Write(array2, 0, num);
                        }
                    }
                    byte[] array3 = memoryStream.ToArray();
                    // The plaintext must start with the static marker
                    byte[] array4 = new byte[Utility.MARKER.Length];
                    Array.Copy(array3, array4, array4.Length);
                    if (!array4.SequenceEqual(Utility.MARKER))
                    {
                        throw new Exception("File is not using a supported encryption format.");
                    }
                    // Everything after the marker is the payload
                    byte[] array5 = new byte[array3.Length - array4.Length];
                    Array.Copy(array3, array4.Length, array5, 0, array5.Length);
                    array6 = array5;
                }
            }
        }
        return array6;
    }
- We can then get the License model from the ImportLicense function; as you can see, it's actually LicenseValidationInfoEx.
- Now we have all we need to craft the actual license.
- For simplicity, here is demo code for that model:
Code:
    LicenseValidationInfoEx licenseValidationInfoEx = new LicenseValidationInfoEx()
    {
        ActivationsLeft = "999999",
        CustomerEmail = EmailInput.Text,
        CustomerName = NameInput.Text,
        Expires = DateTime.Now.AddYears(100),
        License = "valid",
        ItemId = "1094",
        ItemName = "CyberArsenal",
        LicenseLimit = "999999",
        PaymentId = 1234,
        PriceId = "1234567890",
        Success = true,
        SiteCount = "999999",
        Key = <licenseKeyEncrypted>
    };
- <licenseKeyEncrypted> needs to be the Base64 URL-encoded value of the license key, which is split into two values:
- It gets parsed this way:
Code:
    public static LicenseKey Parse(string serialized)
    {
        if (serialized.Length > 256)
        {
            throw new FormatException("Invalid key length.");
        }
        byte[] array = WebEncoders.Base64UrlDecode(serialized);
        // First 16 bytes are the data, the remainder is the signature
        byte[] data = new byte[16];
        byte[] signature = new byte[array.Length - 16];
        Array.Copy(array, 0, data, 0, 16);
        Array.Copy(array, 16, signature, 0, signature.Length);
        return new LicenseKey(data, signature);
    }
C#:
Code:
    public bool Validate(X509Certificate2 pkey)
    {
        bool flag;
        using (ECDsa ecdsa = pkey.GetECDsaPublicKey())
        {
            flag = ecdsa.VerifyData(this._data, this._signature, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence);
        }
        return flag;
    }
- Pretty easy to re-create, check the keygen's code.
- Now we have everything to craft our license, let's sum up:
- Create a self signed certificate + private key as ECDSA
- Replace the Validator resource in both client and server with our own
- Run the keygen to generate a valid license
- Save the license to Specter Insight's settings folder (<base_path>/settings/license.json)
- Run the software and enjoy!
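
The Validate method quoted above trusts whatever certificate the Validator resource contains, which is why replacing that resource is enough for the check to pass. As an added example (not part of the original post and not SpecterInsight code), the sketch below pins the SHA-256 of the expected public key so that a substituted certificate is rejected before the signature is checked; PinnedVerifier, Verify, SelfSigned and the in-memory keys are hypothetical names and constructed sample data, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; all type and member names here are hypothetical.
public static class PinnedVerifier
{
    // True only when the certificate carries the public key this build was pinned to
    // AND the signature over data verifies (same algorithm and format as the quoted Validate).
    public static bool Verify(X509Certificate2 cert, byte[] pinnedSpkiSha256, byte[] data, byte[] signature)
    {
        using (ECDsa ecdsa = cert.GetECDsaPublicKey())
        {
            if (ecdsa == null) return false; // not an ECDSA certificate
            byte[] spkiHash = SHA256.HashData(ecdsa.ExportSubjectPublicKeyInfo());
            if (!CryptographicOperations.FixedTimeEquals(spkiHash, pinnedSpkiSha256))
                return false; // the trust anchor is not the pinned one
            return ecdsa.VerifyData(data, signature, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence);
        }
    }

    // Builds a short-lived self-signed certificate around a key (constructed sample only).
    static X509Certificate2 SelfSigned(ECDsa key) =>
        new CertificateRequest("CN=constructed-sample", key, HashAlgorithmName.SHA256)
            .CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));

    public static void Main()
    {
        // Constructed sample: the pinned key and a different key, both generated in memory.
        using ECDsa pinnedKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using ECDsa otherKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        byte[] pin = SHA256.HashData(pinnedKey.ExportSubjectPublicKeyInfo());
        byte[] data = RandomNumberGenerator.GetBytes(16);

        using X509Certificate2 pinnedCert = SelfSigned(pinnedKey);
        using X509Certificate2 otherCert = SelfSigned(otherKey);
        byte[] pinnedSig = pinnedKey.SignData(data, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence);
        byte[] otherSig = otherKey.SignData(data, HashAlgorithmName.SHA256, DSASignatureFormat.Rfc3279DerSequence);

        Console.WriteLine($"pinned certificate accepted: {Verify(pinnedCert, pin, data, pinnedSig)}");
        Console.WriteLine($"substituted certificate accepted: {Verify(otherCert, pin, data, otherSig)}");
    }
}
```

A pin compiled into the same assembly can still be patched by anyone able to modify the binary, so this only moves the trust decision out of a replaceable resource. Checks that must hold belong on a server the licensee does not control.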