Registry Licensing

I have explained how to crack VideoSoft controls that just look for the presence of a registry license key. Most controls protect themselves a little better than that. But not much.

Microsoft has developed a licensing scheme that they themselves use with their own software. What happens is the software looks at a string stored under HKCR\Licenses in the registry. The string is validated and that's how the software knows it is licensed. In the HKCR\Licenses subtree you will see keys that look like CLSIDs (such as 11C5CDD8-9280-11D1-B8F4-0080ADA85B53) that have values (such as ecgcdcccnjhcccljpddceckcpdldjjlcicod).

So one day I decided to figure out what was going on with these license strings. I exported that portion of the registry and printed out all the keys on my system. Then after about 15 minutes staring at these values I started to see patterns (of course, I can also stare at static on my TV for 15 minutes and see patterns).

But anyway I noticed the following:

- Most values were 36 characters long (and I assume the others weren't using the Microsoft licensing method).
- They all contained lower case letters
- No single line contained more than 16 unique letters
- In each line no letters were more than 16 letters apart

It was obvious that since the string value was the same length as the registry key (if you include the hyphens) that it must be a function of that key. This also made sense because the license key is a Hex value and the magic number 16 showed up a couple of times in my notes.
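The observations listed above can be checked mechanically against an export of HKCR\Licenses, which shows which entries on a machine rely on this scheme. This is an added example, not the author's code; it assumes a REGEDIT4-style export where the license string is each key's default value (`@=`), and it reads "not more than 16 letters apart" as a spread of at most 15, matching one hex digit per character. Only the first sample entry comes from the article; the other two are constructed.

```python
import re

# Constructed REGEDIT4 export. The first key/value pair is the one quoted in
# the article; the second and third entries are made up for the example.
SAMPLE_EXPORT = "\n".join([
    "REGEDIT4", "",
    r"[HKEY_CLASSES_ROOT\Licenses\11C5CDD8-9280-11D1-B8F4-0080ADA85B53]",
    '@="ecgcdcccnjhcccljpddceckcpdldjjlcicod"', "",
    r"[HKEY_CLASSES_ROOT\Licenses\00000000-0000-0000-0000-000000000001]",
    '@="Licensed to Example Corp"', "",
    r"[HKEY_CLASSES_ROOT\Licenses\00000000-0000-0000-0000-000000000002]",
    '@="' + "az" * 18 + '"',
])

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\Licenses\\([^\]\\]+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def check_value(key, value):
    """Return the article's observations that `value` violates ([] = all hold)."""
    problems = []
    if len(value) != 36 or len(value) != len(key):
        problems.append("length")       # same length as the key, hyphens included
    if not (value.isascii() and value.isalpha() and value.islower()):
        problems.append("charset")      # lower-case letters only
        return problems                 # letter statistics are meaningless here
    if len(set(value)) > 16:
        problems.append("unique")       # at most 16 distinct letters
    if ord(max(value)) - ord(min(value)) > 15:
        problems.append("spread")       # offsets from the lowest letter fit 0..15
    return problems

def classify_export(text):
    """Map each Licenses subkey in a .reg export to its violated observations."""
    results, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):        # new key header; ignore non-Licenses keys
            m = KEY_RE.match(line)
            key = m.group(1) if m else None
        elif key is not None:
            m = DEFAULT_RE.match(line)
            if m:
                results[key] = check_value(key, m.group(1))
    return results

if __name__ == "__main__":
    for subkey, problems in classify_export(SAMPLE_EXPORT).items():
        print(subkey, "matches the pattern" if not problems else problems)
```

An empty list means the value fits every observation; anything else names the observation that failed, which is how the "others" in the first bullet show up.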

Then after a bunch of lucky guesses I came up with the algorithm for encrypting these keys. Here is some VB code to determine the encryption key that was used to generate the value:

---Cut here---
Public Function GetEncryptionKey(ByVal RegistryKey As String, ByVal LicenseString As String) As String
'---------------------------------------------------------------------
' VB6 Source to determine the encryption key used to generate a
' license string
' Inputs:
' RegistryKey - The registry key that appears in HKCR\Licenses\
' LicenseString - The value of that registry key (should be 36
'   characters long)
'---------------------------------------------------------------------
Dim i As Integer
Dim sTemp As String
Dim sRegKey As String
Dim LowestAscii As Integer
 
LowestAscii = Asc("z")
sRegKey = Replace(RegistryKey, "-", "0") 'Convert hyphens to zeros
 
'Find the lowest ascii character being used in the string
For i = 1 To 36
   If Asc(Mid(LicenseString, i, 1)) < LowestAscii Then LowestAscii = Asc(Mid(LicenseString, i, 1))
Next i
 
'Calculate the encryption string
For i = 1 To 36
   sTemp = sTemp & Hex("&h" + Hex(Trim$(Asc(Mid(LicenseString, i, 1)) -  LowestAscii)) Xor "&h" + Mid$(sRegKey, i, 1))
Next i
 
GetEncryptionKey = sTemp
 
End Function
 
---Cut here---

What good is this code? I don't know yet but maybe if a company used the same encryption key for each of their controls and you already had one registered control then you could register the rest of them, right?

I have also created code that will take a registry key and encryption key and generate a bunch of valid values, but there are some things I still need to work out. For example, where does the encryption key come from and how does it know which letter to start at?

But this is a start and I am sure I will soon have the rest of the answers.

The dumbest thing about this licensing scheme is that when an EXE is compiled with a registered ActiveX control, the license string is put in there also. Many companies have downloadable executable demos that they compiled on their own registered computers. These files are goldmines for registry licenses. Just open the EXE file in a hex editor and browse for the class name of the control. Just above the class name look for a 36-character all lowercase string with no more than 16 unique letters not more than 16 letters apart and you have the license key. Now just run RegMon with the demo to find out where in the Registry that string belongs and you are registered.

Here's a fun one also. If you are installing a Microsoft product that uses .STF files in its setup, you will often find license strings just lying around in there. For example, look in the one for VB5 and you can even find out how to make your Pro edition into the Enterprise edition.

Also you will find the license files for all of the Enterprise edition controls (this was useful after SP2 and before SP3 when they forgot to give us those licenses).

Microsoft is so damn smug about their weak licensing scheme. The lame thing about it is that it gives developers a false sense of security for their controls. I have a car that automatically fastens the top part of my seat belt for me. I am supposed to fasten the bottom part manually. But I feel so secure with the top belt fastened that I never really do the bottom part. I might as well not be wearing any seatbelt at all. That's false security.

But back to registry licenses. Here's another way to crack them using SoftIce. This method frequently works with controls compiled in C:

  1. Open up VB and select the target in the components dialog
  2. Set a bpx on regqueryvalue
  3. Put the control on a form
  4. Now set a bpx on lstrcmp and/or lstrcmpi
  5. Press CTRL+D
  6. You should now be in lstrcmp or lstrcmpi
  7. Press F8 a couple of times to see what is being compared. It should be comparing two 36-character values. One is the string in your registry and the other is the string that would be in your registry if you were a registered developer :)

So anyway, the license string is just a function of its registry value. Duh. Crackers just love this type of idiotic protection. In fact, I challenge someone to come up with a utility that will register any program that uses this scheme (it couldn't be too hard). You can have my other code to get you started.

If you are an ActiveX developer read this: don't use the standard licensing scheme. It is lame. Unless you want us to have your software for free.

 

 

Copyright ©1998 .sozni, all rights reserved.  This information must not be duplicated or reproduced without express written permission by the operator of this web site.

Disclaimer:  This information must only be used for academic purposes to study different licensing techniques and must not be used to infringe the copyrights of these companies.  It must not be used to pirate software or encourage software piracy or to engage in any illegal activity.  All instructions are provided as-is and are not supported by either the software producers or the owners or operators of this web site or anyone else for that matter.  Before using any of these licensing techniques you must first get approval from the software producer and/or have already purchased this software.  Please refer to the Terms of Use for more information.

All trademarked names are registered trademarks of their respective companies.