diff --git a/Keygen.vcxproj b/Keygen.vcxproj
index 217458f..10149ba 100644
--- a/Keygen.vcxproj
+++ b/Keygen.vcxproj
@@ -99,7 +99,7 @@
$(OutDir)$(TargetName).pdb
Console
"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'"
- mainCRTStartup
+ wWinMainCRTStartup
true
@@ -144,7 +144,7 @@
$(OutDir)$(TargetName).pdb
Windows
"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'"
- mainCRTStartup
+ wWinMainCRTStartup
true
diff --git a/header.h b/header.h
index 0c82e67..7146ae6 100644
--- a/header.h
+++ b/header.h
@@ -49,9 +49,6 @@
typedef unsigned long ul32;
-extern HANDLE hConsole;
-
-extern ul32 dwSeed;
extern byte charset[];
extern const char pXP[];
@@ -132,8 +129,9 @@ void generateServerKey(
ul32 *prefix
);
+void generate2003(char *pkey, EC_GROUP *ec, EC_POINT *generator, BIGNUM *order, BIGNUM *priv, ul32 *osfamily, ul32 *prefix);
+
// utilities.cpp
-void cprintf(const char *Format, int nColor, ...);
void endiannessConvert(byte *data, int length);
ul32 randomRange(ul32 dwLow, ul32 dwHigh);
@@ -154,8 +152,6 @@ EC_GROUP *initializeEllipticCurve(
// key.cpp
void unbase24(ul32 *byteSeq, const char *cdKey);
void base24(char *cdKey, ul32 *byteSeq);
-void printProductKey(const char *pKey);
-void printProductID(const ul32 *pRaw);
// windows.cpp
bool InitializeWindow(HINSTANCE hInstance);
diff --git a/key.cpp b/key.cpp
index 17d8baa..9af64be 100644
--- a/key.cpp
+++ b/key.cpp
@@ -65,50 +65,4 @@ void unbase24(ul32 *byteSeq, const char *cdKey) {
// Reverse the byte sequence.
endiannessConvert((byte *) byteSeq, n);
-}
-
-/* Print Product Key. */
-void printProductKey(const char *pKey) {
- assert(strlen(pKey) == 25);
-
- SetConsoleTextAttribute(hConsole, 0x0A);
-
- for (int i = 0; i < PK_LENGTH; i++) {
- putchar(pKey[i]);
- if (i != PK_LENGTH - 1 && i % 5 == 4) putchar('-');
- }
-
- SetConsoleTextAttribute(hConsole, 0x0F);
-}
-
-/* Print Product ID using a Product Key. */
-void printProductID(const ul32 *pRaw) {
- char raw[12];
- char b[6], c[8];
-
- // Cut away last bit of the product key and convert it to an ASCII-number (=raw)
- sprintf(raw, "%09lu", pRaw[0] >> 1);
-
- // Make B-part {...-640-...} -> most significant 3 digits of Raw Product Key
- strncpy(b, raw, 3);
- b[3] = 0;
-
- // Make C-part {...-123456X-...} -> least significant 6 digits of Raw Product Key
- strcpy(c, raw + 3);
-
- int digit = 0;
-
- // Reverse sum algorithm to find a check digit that would add to the rest to form a sum divisible by 7.
- for (int i = 0; i < 6; i++)
- digit -= c[i] - '0';
-
- while (digit < 0)
- digit += 7;
-
- // Append check digit + null terminate.
- c[6] = digit + '0';
- c[7] = 0;
-
- printf("Product ID: ");
- cprintf("PPPPP-%s-%s-23XXX\n", 0x0E, b, c);
}
\ No newline at end of file
diff --git a/main.cpp b/main.cpp
index 6a81596..e72141e 100644
--- a/main.cpp
+++ b/main.cpp
@@ -3,12 +3,6 @@
Rewritten by Endermanch
*/
-#include "header.h"
-
-HANDLE hConsole;
-ul32 dwSeed;
-byte charset[] = "BCDFGHJKMPQRTVWXY2346789";
-
/*
* PK: VX8CG-8KC6V-PVPMD-GKPPH-GC7W8
*
@@ -49,55 +43,28 @@ byte charset[] = "BCDFGHJKMPQRTVWXY2346789";
* EEE | random value (used for phone activation, different installation IDs are generated)
*/
-/*
- * Decoding the Product Key results in an example byte sequence.
- *
- * 0x6F 0xFA 0x95 0x45 0xFC 0x75 0xB5 0x52 0xBB 0xEF 0xB1 0x17 0xDA 0xCD 0x00
- *
- * Of these 15 bytes the least significant four bytes contain the Raw
- * Product Key in little endian byte order. The least significant bit is
- * removed by shifting this 32-bit value (0x4595FA6F - remember the
- * little endiannessConvert byte order) to the left by one bit position, resulting
- * in a Raw Product Key of 0x22CAFD37, or
- *
- * 583728439
- *
- * in decimal notation.
- */
+ /*
+ * Decoding the Product Key results in an example byte sequence.
+ *
+ * 0x6F 0xFA 0x95 0x45 0xFC 0x75 0xB5 0x52 0xBB 0xEF 0xB1 0x17 0xDA 0xCD 0x00
+ *
+ * Of these 15 bytes the least significant four bytes contain the Raw
+ * Product Key in little endian byte order. The least significant bit is
+ * removed by shifting this 32-bit value (0x4595FA6F - remember the
+ * little endiannessConvert byte order) to the left by one bit position, resulting
+ * in a Raw Product Key of 0x22CAFD37, or
+ *
+ * 583728439
+ *
+ * in decimal notation.
+ */
-int main() {
- ul32 nAmount = 1;
+#include "header.h"
- hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
+byte charset[] = "BCDFGHJKMPQRTVWXY2346789";
+INT wWinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ WCHAR *pCmdLine, _In_ INT nCmdShow) {
srand(GetTickCount64());
- HINSTANCE hInstance = GetModuleHandleW(nullptr);
-
- int p = InitializeWindow(hInstance);
-
- system("cls");
- cprintf("Windows XP VLK Keygen\n\n", 0x08);
-
- cprintf("Principle of Operation:\n", 0x0C);
- printf("We need a valid Raw Product Key to generate a Product ID in form of AAAAA-BBB-CCCCCCS-DDEEE.\n\n");
- printf("AAAAA is the Windows XP Series constant - different for each version.\n");
- printf("Raw Product Key directly represents the BBB-CCCCCC part of the Product ID.\n");
- printf("S is a \"check bit\": it's picked so that the sum of all C digits with it added makes a number divisible by 7.\n");
- printf("DD is the index of the public key used to verify the Product Key.\n");
- printf("EEE is a random number used to generate a different Installation ID each time.\n\n");
-
- printf("The Product Key itself can at most contain 114 bits of information, as per the alphabet capacity formula.\n");
- printf("Based on that, we unpack the 114-bit Raw Product Key into 3 ordered segments:\n");
- printf("\tData (31 bits), Hash (28 bits) and Signature (55 bits).\n\n");
- printf("Microsoft uses a really elegant Elliptic Curve Algorithm to validate the product keys.\n");
- printf("It is a public-key cryptographic system, thus Microsoft had to share the public key,\nand it's, in fact, stored within pidgen.dll.\n");
- printf("To crack the CD-key generation algorithm we must find the corresponding private key from the public key,\nwhich was conveniently computed before us.\n");
- printf("In general, there are 2 special cases for the Elliptic Curve leveraged in cryptography - F2m and Fp.\nMicrosoft used the latter.\n");
- printf("\ty^2 = x^3 + ax + b %% p.\n");
- printf("The task boils down to generating a valid Hash/Signature pair for the Raw Key we provided:\n");
- printf("\t1. We need to generate a random 384-bit number r, and define C = R(r.x, r.y) = rG.\n");
- printf("\t2. Hash = (First32Bits(SHA1(pRaw, r.x, r.y)) >> 4.\n");
- printf("\t3. Signature = privateKey * Hash + (C %% Order)\n");
- printf("Finally, we pack these components together, convert them to Base24 and get a valid Windows XP key.\n");
+ return InitializeWindow(hInstance);
}
diff --git a/server.cpp b/server.cpp
index 75cb40d..f982bc1 100644
--- a/server.cpp
+++ b/server.cpp
@@ -1,4 +1,4 @@
-//
+//
// Created by Andrew on 09/04/2023.
//
@@ -23,13 +23,21 @@ const char genOrderSv[] = "4CC5C56529F0237D";
const char privateKeySv[] = "2606120F59C05118";
void unpackServer(ul32 *osFamily, ul32 *hash, ul32 *sig, ul32 *prefix, ul32 *raw) {
- osFamily[0] = raw[0] & 0x7ff;
+
+ // We're assuming that the quantity of information within the product key is at most 114 bits.
+ // log2(24^25) = 114.
+ // OS Family = Bits [0..10] -> 11 bits
+ osFamily[0] = raw[0] & 0x7ff;
+
+ // Hash = Bits [11..41] -> 31 bits
hash[0] = ((raw[0] >> 11) | (raw[1] << 21)) & 0x7fffffff;
+ // Signature = Bits [42..103] -> 62 bits
sig[0] = (raw[1] >> 10) | (raw[2] << 22);
sig[1] = ((raw[2] >> 10) | (raw[3] << 22)) & 0x3fffffff;
+ // Prefix = Bits [104..113] -> 10 bits
prefix[0] = (raw[3] >> 8) & 0x3ff;
}
@@ -40,114 +48,146 @@ void packServer(ul32 *raw, ul32 *osFamily, ul32 *hash, ul32 *sig, ul32 *prefix)
raw[3] = (sig[1] >> 22) | (prefix[0] << 8);
}
-bool verifyServerKey(EC_GROUP *eCurve, EC_POINT *generator, EC_POINT *public_key, char *cdKey) {
- int i, j, k;
+bool verifyServerKey(EC_GROUP *eCurve, EC_POINT *generator, EC_POINT *publicKey, char *cdKey) {
+ BN_CTX *context = BN_CTX_new();
+
+ // Convert Base24 CD-key to bytecode.
+ ul32 osFamily, hash, sig[2], prefix;
+ ul32 bKey[4]{};
- BN_CTX *ctx = BN_CTX_new();
-
- ul32 bkey[4] = {0};
- ul32 osfamily[1], hash[1], sig[2], prefix[1];
- unbase24(bkey, cdKey);
- printf("%.8x %.8x %.8x %.8x\n", bkey[3], bkey[2], bkey[1], bkey[0]);
- unpackServer(osfamily, hash, sig, prefix, bkey);
-
- printf("OS Family: %u\nHash: %.8x\nSig: %.8x %.8x\nPrefix: %.8x\n", osfamily[0], hash[0], sig[1], sig[0], prefix[0]);
-
- byte buf[FIELD_BYTES_2003], md[SHA_DIGEST_LENGTH];
- ul32 h1[2];
- SHA_CTX h_ctx;
-
- /* h1 = SHA-1(5D || OS Family || Hash || Prefix || 00 00) */
- SHA1_Init(&h_ctx);
- buf[0] = 0x5d;
- buf[1] = osfamily[0] & 0xff;
- buf[2] = (osfamily[0] & 0xff00) >> 8;
- buf[3] = hash[0] & 0xff;
- buf[4] = (hash[0] & 0xff00) >> 8;
- buf[5] = (hash[0] & 0xff0000) >> 16;
- buf[6] = (hash[0] & 0xff000000) >> 24;
- buf[7] = prefix[0] & 0xff;
- buf[8] = (prefix[0] & 0xff00) >> 8;
- buf[9] = buf[10] = 0;
- SHA1_Update(&h_ctx, buf, 11);
- SHA1_Final(md, &h_ctx);
- h1[0] = md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24);
- h1[1] = (md[4] | (md[5] << 8) | (md[6] << 16) | (md[7] << 24)) >> 2;
- h1[1] &= 0x3FFFFFFF;
- printf("h1: %.8x %.8x\n", h1[1], h1[0]);
-
- BIGNUM *s, *h, *x, *y;
- x = BN_new();
- y = BN_new();
- endiannessConvert((byte *) sig, 8);
- endiannessConvert((byte *) h1, 8);
- s = BN_bin2bn((byte *)sig, 8, nullptr);
- h = BN_bin2bn((byte *)h1, 8, nullptr);
+ unbase24(bKey, cdKey);
- EC_POINT *r = EC_POINT_new(eCurve);
- EC_POINT *t = EC_POINT_new(eCurve);
- /* r = sig*(sig*generator + h1*public_key) */
- EC_POINT_mul(eCurve, t, nullptr, generator, s, ctx);
- EC_POINT_mul(eCurve, r, nullptr, public_key, h, ctx);
- EC_POINT_add(eCurve, r, r, t, ctx);
- EC_POINT_mul(eCurve, r, nullptr, r, s, ctx);
- EC_POINT_get_affine_coordinates_GFp(eCurve, r, x, y, ctx);
+ // Extract segments from the bytecode and reverse the signature.
+ unpackServer(&osFamily, &hash, sig, &prefix, bKey);
+ endiannessConvert((byte *)sig, 8);
+
+ byte t[FIELD_BYTES_2003]{}, md[SHA_DIGEST_LENGTH]{};
+ ul32 checkHash, newHash[2]{};
- ul32 h2[1];
- /* h2 = SHA-1(79 || OS Family || r.x || r.y) */
- SHA1_Init(&h_ctx);
- buf[0] = 0x79;
- buf[1] = osfamily[0] & 0xff;
- buf[2] = (osfamily[0] & 0xff00) >> 8;
- SHA1_Update(&h_ctx, buf, 3);
+ SHA_CTX hContext;
- memset(buf, 0, FIELD_BYTES_2003);
- BN_bn2bin(x, buf);
- endiannessConvert((byte *) buf, FIELD_BYTES_2003);
- SHA1_Update(&h_ctx, buf, FIELD_BYTES_2003);
+ // H = SHA-1(5D || OS Family || Hash || Prefix || 00 00)
+ SHA1_Init(&hContext);
- memset(buf, 0, FIELD_BYTES_2003);
- BN_bn2bin(y, buf);
- endiannessConvert((byte *) buf, FIELD_BYTES_2003);
- SHA1_Update(&h_ctx, buf, FIELD_BYTES_2003);
+ t[0] = 0x5D;
+ t[1] = (osFamily & 0xff);
+ t[2] = (osFamily & 0xff00) >> 8;
+ t[3] = (hash & 0xff);
+ t[4] = (hash & 0xff00) >> 8;
+ t[5] = (hash & 0xff0000) >> 16;
+ t[6] = (hash & 0xff000000) >> 24;
+ t[7] = (prefix & 0xff);
+ t[8] = (prefix & 0xff00) >> 8;
+ t[9] = 0x00;
+ t[10] = 0x00;
- SHA1_Final(md, &h_ctx);
- h2[0] = (md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24)) & 0x7fffffff;
- printf("Calculated hash: %.8x\n", h2[0]);
-
+ SHA1_Update(&hContext, t, 11);
+ SHA1_Final(md, &hContext);
+
+ // First word.
+ newHash[0] = md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24);
+
+ // Second word, right shift 2 bits.
+ newHash[1] = (md[4] | (md[5] << 8) | (md[6] << 16) | (md[7] << 24)) >> 2;
+ newHash[1] &= 0x3FFFFFFF;
+
+ endiannessConvert((byte *)newHash, 8);
+
+ BIGNUM *x = BN_new();
+ BIGNUM *y = BN_new();
+ BIGNUM *s = BN_bin2bn((byte *)sig, 8, nullptr);
+ BIGNUM *e = BN_bin2bn((byte *)newHash, 8, nullptr);
+
+ EC_POINT *u = EC_POINT_new(eCurve);
+ EC_POINT *v = EC_POINT_new(eCurve);
+
+ // EC_POINT_mul calculates r = generator * n + q * m.
+ // v = s * (s * generator + e * publicKey)
+
+ // u = generator * s
+ EC_POINT_mul(eCurve, u, nullptr, generator, s, context);
+
+ // v = publicKey * e
+ EC_POINT_mul(eCurve, v, nullptr, publicKey, e, context);
+
+ // v += u
+ EC_POINT_add(eCurve, v, u, v, context);
+
+ // v *= s
+ EC_POINT_mul(eCurve, v, nullptr, v, s, context);
+
+ // EC_POINT_get_affine_coordinates() sets x and y, either of which may be nullptr, to the corresponding coordinates of p.
+ // x = v.x; y = v.y;
+ EC_POINT_get_affine_coordinates_GFp(eCurve, v, x, y, context);
+
+ // Hash = First31(SHA-1(79 || OS Family || v.x || v.y))
+ SHA1_Init(&hContext);
+
+ t[0] = 0x79;
+ t[1] = (osFamily & 0xff);
+ t[2] = (osFamily & 0xff00) >> 8;
+
+ // Hash chunk of data.
+ SHA1_Update(&hContext, t, 3);
+
+ // Empty buffer, place v.y in little-endian.
+ memset(t, 0, FIELD_BYTES_2003);
+ BN_bn2bin(x, t);
+ endiannessConvert(t, FIELD_BYTES_2003);
+
+ // Hash chunk of data.
+ SHA1_Update(&hContext, t, FIELD_BYTES_2003);
+
+ // Empty buffer, place v.y in little-endian.
+ memset(t, 0, FIELD_BYTES_2003);
+ BN_bn2bin(y, t);
+ endiannessConvert(t, FIELD_BYTES_2003);
+
+ // Hash chunk of data.
+ SHA1_Update(&hContext, t, FIELD_BYTES_2003);
+
+ // Store the final message from hContext in md.
+ SHA1_Final(md, &hContext);
+
+ // Hash = First31(SHA-1(79 || OS Family || v.x || v.y))
+ checkHash = (md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24)) & 0x7fffffff;
+
BN_free(s);
- BN_free(h);
+ BN_free(e);
BN_free(x);
BN_free(y);
- EC_POINT_free(r);
- EC_POINT_free(t);
- BN_CTX_free(ctx);
- if (h2[0] == hash[0]) return true;
- else return false;
+ BN_CTX_free(context);
+
+ EC_POINT_free(v);
+ EC_POINT_free(u);
+
+ // If we managed to generate a key with the same hash, the key is correct.
+ return checkHash == hash;
}
void generateServerKey(char *pKey, EC_GROUP *eCurve, EC_POINT *generator, BIGNUM *order, BIGNUM *privateKey, ul32 *osFamily, ul32 *prefix) {
+ EC_POINT *r = EC_POINT_new(eCurve);
BN_CTX *ctx = BN_CTX_new();
- BIGNUM *c = BN_new();
- BIGNUM *s = BN_new();
- BIGNUM *x = BN_new();
- BIGNUM *y = BN_new();
- BIGNUM *b = BN_new();
- EC_POINT *r = EC_POINT_new(eCurve);
-
- ul32 bKey[4];
- ul32 h1[2];
+ ul32 bKey[4]{},
+ bSig[2]{};
do {
- ul32 hash = 0, sig[2]{};
+ BIGNUM *c = BN_new();
+ BIGNUM *s = BN_new();
+ BIGNUM *x = BN_new();
+ BIGNUM *y = BN_new();
+ BIGNUM *b = BN_new();
+
+ ul32 hash = 0, h[2]{};
memset(bKey, 0, 4);
+ memset(bSig, 0, 2);
// Generate a random number c consisting of 512 bits without any constraints.
BN_rand(c, FIELD_BITS_2003, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY);
-
+
// r = generator * c
EC_POINT_mul(eCurve, r, nullptr, generator, c, ctx);
@@ -157,7 +197,7 @@ void generateServerKey(char *pKey, EC_GROUP *eCurve, EC_POINT *generator, BIGNUM
SHA_CTX hContext;
byte md[SHA_DIGEST_LENGTH]{}, buf[FIELD_BYTES_2003]{};
- // hash = SHA-1(79 || OS Family || r.x || r.y)
+ // Hash = SHA-1(79 || OS Family || r.x || r.y)
SHA1_Init(&hContext);
buf[0] = 0x79;
@@ -183,7 +223,7 @@ void generateServerKey(char *pKey, EC_GROUP *eCurve, EC_POINT *generator, BIGNUM
hash = (md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24)) & 0x7fffffff;
- /* h1 = SHA-1(5D || OS Family || Hash || Prefix || 00 00) */
+ // H = SHA-1(5D || OS Family || Hash || Prefix || 00 00)
SHA1_Init(&hContext);
buf[0] = 0x5D;
@@ -200,44 +240,88 @@ void generateServerKey(char *pKey, EC_GROUP *eCurve, EC_POINT *generator, BIGNUM
buf[9] = 0x00;
buf[10] = 0x00;
+
+ // Input length is 11 bytes.
SHA1_Update(&hContext, buf, 11);
SHA1_Final(md, &hContext);
- h1[0] = md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24);
- h1[1] = (md[4] | (md[5] << 8) | (md[6] << 16) | (md[7] << 24)) >> 2;
- h1[1] &= 0x3FFFFFFF;
- printf("h1: %.8x %.8x\n", h1[1], h1[0]);
+ // First word.
+ h[0] = md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24);
+
+ // Second word, right shift 2 bits.
+ h[1] = (md[4] | (md[5] << 8) | (md[6] << 16) | (md[7] << 24)) >> 2;
+ h[1] &= 0x3FFFFFFF;
+
+ endiannessConvert((byte *)h, 8);
+ BN_bin2bn((byte *)h, 8, b);
- /* s = ( -h1*privateKey + sqrt( (h1*privateKey)^2 + 4k ) ) / 2 */
- endiannessConvert((byte *) h1, 8);
- BN_bin2bn((byte *)h1, 8, b);
+ /*
+ * Signature * (Signature * G + H * K) = rG (mod p)
+ * ↓ K = kG ↓
+ *
+ * Signature * (Signature * G + H * k * G) = rG (mod p)
+ * Signature^2 * G + Signature * HkG = rG (mod p)
+ * G(Signature^2 + Signature * HkG) = G (mod p) * r
+ * ↓ G^(-1)(G (mod p)) = (mod n), n = order of G ↓
+ *
+ * Signature^2 + Hk * Signature = r (mod n)
+ * Signature = -(b +- sqrt(D)) / 2a → Signature = (-Hk +- sqrt((Hk)^2 + 4r)) / 2
+ *
+ * S = (-Hk +- sqrt((Hk)^2 + 4r)) (mod n) / 2
+ *
+ * S = s
+ * H = b
+ * k = privateKey
+ * n = order
+ * r = c
+ *
+ * s = ( ( -b * privateKey +- sqrt( (b * privateKey)^2 + 4c ) ) / 2 ) % order
+ */
+
+ // b = (b * privateKey) % order
BN_mod_mul(b, b, privateKey, order, ctx);
+
+ // s = b
BN_copy(s, b);
+
+ // s = (s % order)^2
BN_mod_sqr(s, s, order, ctx);
+
+ // c <<= 2 (c = 4c)
BN_lshift(c, c, 2);
+
+ // s = s + c
BN_add(s, s, c);
+
+ // s^2 = s % order (order must be prime)
BN_mod_sqrt(s, s, order, ctx);
+
+ // s = s - b
BN_mod_sub(s, s, b, order, ctx);
+
+ // if s is odd, s = s + order
if (BN_is_odd(s)) {
BN_add(s, s, order);
}
- BN_rshift1(s, s);
- sig[0] = sig[1] = 0;
- BN_bn2bin(s, (byte *)sig);
- endiannessConvert((byte *)sig, BN_num_bytes(s));
- packServer(bKey, osFamily, &hash, sig, prefix);
- printf("OS family: %u\nHash: %.8x\nSig: %.8x %.8x\nPrefix: %.8x\n", *osFamily, hash, sig[1], sig[0], *prefix);
- printf("%.8x %.8x %.8x %.8x\n", bKey[3], bKey[2], bKey[1], bKey[0]);
- } while (bKey[3] >= 0x40000000);
+ // s >>= 1 (s = s / 2)
+ BN_rshift1(s, s);
+
+ // Convert s from BigNum back to bytecode and reverse the endianness.
+ BN_bn2bin(s, (byte *)bSig);
+ endiannessConvert((byte *)bSig, BN_num_bytes(s));
+
+ // Pack product key.
+ packServer(bKey, osFamily, &hash, bSig, prefix);
+
+ BN_free(c);
+ BN_free(s);
+ BN_free(x);
+ BN_free(y);
+ BN_free(b);
+ } while (bSig[1] >= 0x40000000);
base24(pKey, bKey);
-
- BN_free(c);
- BN_free(s);
- BN_free(x);
- BN_free(y);
- BN_free(b);
BN_CTX_free(ctx);
EC_POINT_free(r);
@@ -274,14 +358,13 @@ bool keyServer(char *pKey) {
ul32 osFamily = 1280, prefix = 0;
+ // Generate a 30-bit prefix.
RAND_bytes((byte *)&prefix, 4);
-
- prefix &= 0x3ff;
-
- generateServerKey(pKey, eCurve, genPoint, genOrder, privateKey, &osFamily, &prefix);
+ prefix &= 0x3FF;
- printProductKey(pKey);
- printf("\n\n");
+ do {
+ generateServerKey(pKey, eCurve, genPoint, genOrder, privateKey, &osFamily, &prefix);
+ } while (!verifyServerKey(eCurve, genPoint, pubPoint, pKey));
- return verifyServerKey(eCurve, genPoint, pubPoint, pKey);
+ return true;
}
\ No newline at end of file
diff --git a/utilities.cpp b/utilities.cpp
index d8b7dc6..1bbefb2 100644
--- a/utilities.cpp
+++ b/utilities.cpp
@@ -4,19 +4,6 @@
#include "header.h"
-/* Colored output. */
-void cprintf(const char *Format, int nColor, ...) {
- va_list vList;
-
- va_start(vList, nColor);
-
- SetConsoleTextAttribute(hConsole, nColor);
- vprintf(Format, vList);
- SetConsoleTextAttribute(hConsole, 0x0F);
-
- va_end(vList);
-}
-
/* Convert data between endianness types. */
void endiannessConvert(byte *data, int length) {
for (int i = 0; i < length / 2; i++) {
diff --git a/windows.cpp b/windows.cpp
index f807cb8..a36b1b3 100644
--- a/windows.cpp
+++ b/windows.cpp
@@ -15,7 +15,9 @@ HWND hMainWindow;
const WCHAR *pAboutLink = L"https://github.com/Endermanch/XPKeygen",
*pWebsite = L"https://malwarewatch.org",
- *pVersion = L"2.2";
+ *pVersion = L"2.2",
+ *pTitle = L"Windows XP Pro SP3 // Server 2003 SP0 x86 VLK - Enderman[ch]",
+ *pGroupTitle = L"Windows XP Pro SP3 // Server 2003 SP0 x86 VLK";
bool bServer = false,
bMusic = true;
@@ -62,6 +64,8 @@ void formatXP(WCHAR *pBSection, WCHAR *pCSection, WCHAR *pText) {
);
}
+
+
void formatServer(WCHAR *pText) {
WCHAR pFPK[32]{};
@@ -676,7 +680,7 @@ bool InitializeWindow(HINSTANCE hInstance) {
hMainWindow = CreateWindowExW(
0,
L"XPKeygen",
- L"Windows XP VLK // Server 2003 - Enderman[ch]",
+ pTitle,
WS_SYSMENU,
x, y,
w, h,
@@ -728,7 +732,7 @@ bool InitializeWindow(HINSTANCE hInstance) {
HWND hGroupBox = CreateWindowExW(
0,
- L"Static", L"Windows XP Pro VLK x86 // Server 2003 + SP2 x64",
+ L"Static", pGroupTitle,
WS_CHILD | WS_VISIBLE |
SS_CENTER,
42, 150,
@@ -877,11 +881,11 @@ bool InitializeWindow(HINSTANCE hInstance) {
HWND hRadioLabel2 = CreateWindowExW(
0,
L"Static",
- L"Windows Server 2003 / SP2 x64",
+ L"Windows Server 2003 VLK",
WS_CHILD | WS_VISIBLE |
SS_NOTIFY,
218, 221,
- 170, 16,
+ 142, 16,
hMainWindow, (HMENU)IDC_LABEL3,
hInstance, nullptr
);
@@ -974,18 +978,18 @@ bool InitializeWindow(HINSTANCE hInstance) {
SendMessageW(hVersion, WM_SETFONT, (WPARAM)hSmolFont, 0);
SendMessageW(hVersion, WM_APP + 0x69, 0, 0);
- HWND hMotto = CreateWindowExW(
+ HWND hBRText = CreateWindowExW(
0,
L"Static",
- L"we keep on downloading ◄ 12/04/2023",
+ L"z22 / mskey / Endermanch ◄ 16/04/2023",
WS_CHILD | WS_VISIBLE,
- w - (170 + 15), 436,
+ w - (170 + 20), 436,
170, 16,
hMainWindow, (HMENU)IDC_LABEL5,
hInstance, nullptr
);
- SendMessageW(hMotto, WM_SETFONT, (WPARAM)hSmolFont, 0);
+ SendMessageW(hBRText, WM_SETFONT, (WPARAM)hSmolFont, 0);
ShowWindow(hMainWindow, SW_SHOW);
UpdateWindow(hMainWindow);
diff --git a/xp.cpp b/xp.cpp
index 46818ab..69bfedd 100644
--- a/xp.cpp
+++ b/xp.cpp
@@ -57,18 +57,12 @@ bool verifyXPKey(EC_GROUP *eCurve, EC_POINT *generator, EC_POINT *publicKey, cha
// Convert Base24 CD-key to bytecode.
ul32 bKey[4]{};
- ul32 pID, hash, sig[2];
+ ul32 pID, checkHash, sig[2];
unbase24(bKey, cdKey);
-
- // Output CD-key bytecode.
- printf("Bytecode: %.8lX %.8lX %.8lX %.8lX\n", bKey[3], bKey[2], bKey[1], bKey[0]);
// Extract data, hash and signature from the bytecode.
- unpackXP(&pID, &hash, sig, bKey);
- printProductID(&pID);
-
- printf("PID: %.8lX\nHash: %.8lX\nSignature: %.8lX %.8lX\n", pID, hash, sig[1], sig[0]);
+ unpackXP(&pID, &checkHash, sig, bKey);
// e = Hash
// s = Signature
@@ -76,7 +70,7 @@ bool verifyXPKey(EC_GROUP *eCurve, EC_POINT *generator, EC_POINT *publicKey, cha
// Put hash word into BigNum e.
e = BN_new();
- BN_set_word(e, hash);
+ BN_set_word(e, checkHash);
// Reverse signature and create a new BigNum s.
endiannessConvert((byte *) sig, sizeof(sig));
@@ -147,8 +141,6 @@ bool verifyXPKey(EC_GROUP *eCurve, EC_POINT *generator, EC_POINT *publicKey, cha
newHash = (md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24)) >> 4;
newHash &= 0xfffffff;
- printf("Calculated hash: %.8lX\n", newHash);
-
BN_free(e);
BN_free(s);
BN_free(x);
@@ -159,9 +151,8 @@ bool verifyXPKey(EC_GROUP *eCurve, EC_POINT *generator, EC_POINT *publicKey, cha
EC_POINT_free(u);
EC_POINT_free(v);
- // If we managed to generateXPKey a pKey with the same hash, the pKey is correct.
- if (newHash == hash) return true;
- else return false;
+ // If we managed to generate a key with the same hash, the key is correct.
+ return newHash == checkHash;
}
/* Generate a valid Product Key. */
@@ -245,8 +236,6 @@ void generateXPKey(char *pKey, EC_GROUP *eCurve, EC_POINT *generator, BIGNUM *or
// Pack product key.
packXP(bKey, pRaw, &hash, sig);
-
- printf("PID: %.8lX\nHash: %.8lX\nSignature: %.8lX %.8lX\n\n", *pRaw, hash, sig[1], sig[0]);
} while (bKey[3] >= 0x40000);
// ↑ ↑ ↑
// bKey[3] can't be longer than 18 bits, else the signature part will make
@@ -297,14 +286,10 @@ bool keyXP(char *pKey, ul32 nRaw) {
// Shift left once.
nRaw <<= 1;
- cprintf("Product Key:", 0x0A);
+ // Generate the key until it's valid. (In XP it's valid 100% of the times)
+ do {
+ generateXPKey(pKey, eCurve, genPoint, genOrder, privateKey, &nRaw);
+ } while (!verifyXPKey(eCurve, genPoint, pubPoint, pKey));
- // Generate the key.
- generateXPKey(pKey, eCurve, genPoint, genOrder, privateKey, &nRaw);
- printProductKey(pKey);
-
- printf("\n\n");
-
- // Verify the key.
- return verifyXPKey(eCurve, genPoint, pubPoint, pKey);
+ return true;
}
\ No newline at end of file