this post was submitted on 06 Dec 2023
1618 points (99.1% liked)
Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ
54716 readers
315 users here now
⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.
Rules • Full Version
1. Posts must be related to the discussion of digital piracy
2. Don't request invites, trade, sell, or self-promote
3. Don't request or link to specific pirated titles, including DMs
4. Don't submit low-quality posts, be entitled, or harass others
Loot, Pillage, & Plunder
📜 c/Piracy Wiki (Community Edition):
💰 Please help cover server costs.
Ko-fi | Liberapay |
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The Basekey
The basekey is where we must handle timestamps and several validation checks. Consider the binary representation of the sample 0x090a1452e822bd05:
Timestamps
Timestamp are encoded as a single byte comprised of bits indexed at
b56,51,42,37,28,23,14,9
from the basekey. In this example, the timestamp is01100010
or0x62
or 98.The timestamp represents the number of fortnights that have passed since Christmas Day, 2000 Eastern time, modulo 256 to fit in one byte. For example, 98 fortnights places the code at approximately October 2004.
Stored as a single byte, there are 256 unique timestamps. This is 512 weeks or about 10 years. Yes, this means that a code's validity rotates approximately once every decade.
After the code's timestamp is read, it is subtracted from the current timestamp (generated from the system clock or network time server if available). The difference must be less than 2, so codes are valid for 4 weeks or about a month at a time.
Of note, Pillars of Garendall has a bug in which the modulo is not taken correctly, so the timestamp corresponding to
0xFF
is valid without expiry.Validity Check
The last three bits,
b60-63
, contain the sum of all other 3-bit chunks in the basekey, modulo 7. Without the correct number in these bits, the result will be considered invalid.To this point, we have covered sufficient material to renew licenses. The timestamp can be changed, the last three bits updated, the result XOR'd with the userkey, and finally, the code converted from binary to text.
Factors for Basekey Generation
I was next curious about code generation. For the purposes of this write-up, I have not fully reverse engineered the basekey, only duplicated the aspects which are used for validation. This yields functional keys, just not genuine ones. If the authors of the EV: Nova renewal bot have fully reversed the algorithm, perhaps they will one day share the steps to genuine basekey creation.
One aspect validated by the registration app is that the licensee name, number, and game name can be modified to yield a set of base factors. These are then multiplied by some number and written into the basekey. We do not need the whole algorithm; we simply must check that the corresponding regions in the basekey are multiples of the appropriate factors.
The regions of note in the basekey are
f1 = b5-9,47-51,33-37,19-23
,f2 = b43-47,29-33,15-19,57-61
, andf3 = b24-28,10-14,52-56,38-42
. The top 5 bits andf3
are never actually checked, so they can be ignored.Considering f1 and f2, the values in the sample basekey are
0x25DA
and0x1500
, respectively. The base factors are0x26
and0x1C
, which are multiples by0xFF
and0xC0
, respectively.Rather than analyze the code in detail, I wrote a small script to translate over the disassembled PPC to Python wholesale. It is sufficient for generating keys to EV: Nova, using the perfectly-valid multiple of 1x, but I have found it fails for other v2 products.
Scripts
Here is a Python implementation for v2: aswreg_v2.py and aswreg_v2core.py
With bitstring installed, you can renew codes like
python aswreg_v2.py renew "L4B5-9HJ5-P3NB" "Barbara Kloeppel" 1 "EV Nova"
(just sample syntax, blacklisted codes will still fail in the app). There's also a function to check a code's timestamp withdate
or create a new license withgenerate
.As earlier cautioned, generating basekeys relies on code copied from disassembled PPC and will likely not work outside EV: Nova. In my tests with other v2 products, all essential parts of the algorithm remain the same, even the regions of the basekey which are checked as multiples of the factors. What differs is the actual calculation of base factors. Recall that these keys were created by Ambrosia outside the local registration system, so the only options are to copy the necessary chunks of code to make passable factors for each product or to fully reverse engineer the basekey algorithm. I've no doubt the factors are an easy computation once you know the algorithm, but code generation becomes less critical when renewal is an option for other games. I leave it to the authors of the Zeus renewal bot if they know how to find these factors more generally.
To renew codes for other games, keep in mind the name must be correct. For instance, Pillars of Garendall is called "Garendall" internally. You can find a game's name by typing a gibberish license in the registration app and seeing what file is created in Preferences. It should be of the form
License
.Finally, a couple disclaimers: I have only tested with a handful of keys, so my interpretations and implementations may not be completely correct. YMMV. Furthermore, these code snippets are posted as an interesting case study about how a defunct company once chose to combat software piracy, not to promote piracy. Had Ambrosia remained operational, I'm sure we would have seen a v3 registration system or a move to online-based play as so many other games are doing today, but I hope this has been helpful for those who still wish to revisit their favorite Ambrosia classics.