Reverse Engineer Synergy Serial Key

Posted on
Reverse Engineer Synergy Serial Key Average ratng: 5,9/10 1739 reviews

Reverse Engineering - Getting Started Guide

Can't get SoftICE to work with Windows 2000, XP?, read here first!

Product keys are required for installation of Autodesk products and are used to differentiate products that are both sold independently and as part of a product suite. Mouse Problem (jumping around) By eskimojo 65 replies Jun 11, 2004. I use Serial mouse port & USB port. Reverse engineer executables with the NSA's GHIDRA disassembler. Yesterday was a great experience for me to attend all kind of joubert, one of the challenges i could not solve and understand in the reverse engineering section. This CTF challenge contain.

If you are considering studying the art of software reverse engineering, then this guide below is for you. I'll try to outline here everything you need to know and do (of course this is by no means an exhaustive list or guarantee that you'll become a reversing god overnight but it might just get you started in a whole new world). If you are at all serious then you should take heed and the time to download all of my recommended materials, all the time you invest learning now will serve you well in the future. It will also be worth your while to visit some of the other sites I've linked too on the web. After reading this document and attempting the 2 small sample programs I've made available you'll know whether or not this really is the art for you.

What is Reverse Engineering (precisely)?

Software reverse engineering is the art and process of understanding the intricacies of your own and commercial software at a lower level than the compiler, a fuller definition can be found here. Many reversers focus initially on the various protection schemes used by software writers to disable or otherwise prohibit the full use of their software since this is a convenient (if somewhat legally dubious) starting point with a definite challenge and end point. I personally however have used the knowledge I have gained through 'reversing' to :

i). Produce my own custom tools for circumventing / identifying protections.
ii). Recover usable source code to lost projects.
iii). Identify and understand how specific functionality is implemented.
iv). Debug hard to find errors.
v). Perform analysis of potentially hostile programs.

Sometimes reverse engineering can be the only way out of a development tight spot, however it is not a decision to be taken lightly.

Reverse Engineering is NOT cracking per se, although it is sometimes difficult to draw the fine line between them in the early stages. Most reversers deplore the tens of thousands of warez sites that waste good server space on the web (you probably know them already). If you are looking for easy cracks, key generators or just serial numbers lists then this site and reverse engineering will NOT be for you, even though this information can be obtained with fairly minimal effort I expect most warez aficionados will not find themselves reading this in the first place and certainly won't have a clue how to code, assemble and link a key generator, let alone spend hours upon end studying assembly routines.

By learning to reverse engineer yourself, you are gaining a set of valuable and marketable skills (malware analysis, intellectual property rights management and anti-virus / vulnerability research are booming industries), thus distinguishing yourself from the many losers who would rather waste their time searching through pages of bloated graphics and commercial porn sponsors than learning anything themselves. You'll also find (over a period of time) that your reversing efforts will become less focused on protection schemes and that your interest will move away from simple protection cracking, who knows, perhaps a job in hostile code analysis beckons...

What do I need to know / learn ?

To learn reverse engineering from scratch you will probably need to spend a significant amount of time enhancing your low level knowledge, don't think you can crack any target you fancy by just learning ad nauseam simple techniques. A familiarity with the x86 architecture and instruction set is essential, an awareness of the 6 basic digital logic circuits (binary) will also be useful (AND/OR (inclusive), NOT, NAND, NOR & exclusive OR (XOR)).

I recommend the following reading resources :-

Art of Assembly Language :- A 25 chapter PDF guide to virtually everything you might ever want to know about x86 processors. These documents are very complete yet reading them all will probably take you in excess of a few years so read just the first few chapters and keep the rest like Chapter 14 on the FPU for reference purposes as you improve / require.

HelpPC :- A 220k quick and convenient DOS instruction viewing program from 1991. If you've forgotten a particular assembler command or need to quickly look up how many clocks a particular instruction takes, then this is the guide for you (it is somewhat dated though).

Iczelion's Win32 ASM Resources :- A great site with literally tons of useful resources. Download everything there :-). If you want to really 'get into' windows assembly language programming there isn't much better for free than Iczelion's tutorials.

Intel Developer Manuals :- Anything you ever wanted to know about the nitty-gritty internals of your x86. I recommend Volume 3 (System Programming). I have been told recently that the previous link does not lead to all 3 manuals, you might like to try this link instead. You could also search for 386intel.txt for a good overview. Update 2004 : I believe now the Developer manuals now stretch to 4 guides, either way you shouldn't have much problem finding them.

Mammon_'s Tales to his Grandson & Mammon_'s coming to the Iceage :- 2 definitive guides to configuring your SoftICE and synopses of the main 3 disassemblers by one of the very best reverse engineers out there (25k). Mammon_ abandoned the Windows scene a considerable amount of years ago, an eccentric and enigmatic character, his website still makes for fascinating reading.

Nolan Blender's 'Making Tools Work Together' :- How you can use IDA & SoftICE to maximum effect (related to FLEXlm but applicable elsewhere).

PC Assembly Tutorial :- Dr Paul Carter's free introduction to assembly language (32-bit) using NASM (since its free), taught previously as a university course. Recommended.

Ralph Browns Interrupt List :- A maintained list of all DOS BIOS/Interrupt Services, most of the time you'll be looking for subfunctions of INT 10/13/21. Invaluable for older 16-bit programs or coding your own graphics demos / key generators (even understanding old virii). Somewhat dated now thus I've changed my recommendation from learning this to keeping it just for reference.

Getting and Setting up your Tools

*Updated 2007* : CompuWare have now officially ceased all development upon SoftICE as a product, those of us who watch the scene closely could see this coming for sometime, the text below I leave now as a dedication to the past. Farewell.

Any reverser will tell you that you will only ever be as good as the tools you use and the competency with which you use and customise them. Your best weapons are your tools, invest the time learning how to use them. I suggest you obtain at the minimum the following (either download them from my tools page (if the links are even working) or locate them around the web using various searching techniques).

- A Windows (preferably protected-mode) Debugger - The standard tool in this category is NuMega's SoftICE which can trace just about anything, you will not break some protections without it. Download the versions relevant to the platform you plan to investigate, better still download every version you can. Pre-2000 most of my guides use v3.2x/v4.0x for Windows 98. Pay a regular visit also to CompuWare's (formerly NuMega's) web site to keep informed of any new developments, these guys really know how to produce useful tools (need I also mention BoundsChecker & SmartCheck). Its also worth hunting down the various homepages and articles by (ex & current) NuMega developers, need I mention Matt Pietrek & John Robbins ;-).

* The advent of more recent Microsoft OS's (Windows 2000, XP) & CompuWare's acquisition of NuMega requires that you now source SoftICE as part of a CompuWare package; in fact I've heard that CompuWare won't even sell legitimate developers SoftICE standalone any longer.

DriverStudio (approx. size 184Mb's)

* Requires Installation Serial Number + FLEXlm license

SoftICE / Visual SoftICE
Boundschecker / TrueTime / TrueCoverage

The sale of NuMega to CompuWare also seems to have contributed to a major decline in quality control, many users have reported significant problems with SoftICE under the newer OS's, most of these relate to breakpoints not behaving as they should. There are some workarounds and custom patches, which you might find on the RCE MessageBoard (use the search facility), a lot of reversers however have given up trying to get SoftICE to behave reliably and have resorted instead to using the capable ring 3 debugger OllyDbg. This has also the added capacity to work under VMWare which seems to be all the rage right now.

SoftICE symbols

Getting debug symbols loaded into SoftICE can be a challenge to say the least, before attempting to do so, make sure that you download and install the latest 'Debugging Tools for Windows' from Microsoft. Next replace all copies of symsrv.dll & dbghelp.dll installed by DriverStudio with those from the Debugging Tools folder, if I remember rightly the DriverStudio root directory, the SoftICE root directory and the SymbolRetriever subdirectory all have copies of those files that need to be replaced. Also be sure that your 'Path to NMS' is set to a directory that exists.

SoftICE under VMWare

This advice from my good friend nc. If you browse to your VM directory on the hard disk and open the config file in a text editor (.vmx file), add the following lines to the config file :

vmmouse.present = 'FALSE'
svga.maxFullscreenRefreshTick = '5'
svga.forceTraces = 'TRUE'

If you want to verify that SoftICE is working correctly, try the following advice that I shamelessly borrowed from Kayaker.

Synergy serial key

'If you break at the start of a program with the SoftICE loader (assuming you can), and set a breakpoint say a few lines down, either on an address or an API call - does SoftICE break? It should. Make sure you set your bp *while in the context* of the application you want to break into. This is irrespective of the ADDR command, which you shouldn't have to use since you're already in the correct context. In other words, don't expect to be able to just change the context with ADDR from the desktop and have a reliable bp set. If you do, you also need to specify the CS: portion of the address else you'll set up a bp with the wrong code segment. If all else fails, you could try BPM x breakpoints, they can be more reliable than BPX bp's for 'sticking'. However, they especially should be set while *in* the context of the app.

This small table should provide you with a means to identify which version of SoftICE you have installed on your system.

DriverStudio v2.7SoftICE, DriverWorkbench, BoundsChecker, TrueTime, TrueCoverage, DriverWorks, DriverNetworks, VtoolsD (requires installation serial number only).NTICE.sys file version 4.0.1381, product version 4.2.7 (Build 562). osinfo.dat (191,340 bytes).
DriverStudio v3.1As v2.7, also Visual SoftICE (requires installation serial number + FLEXlm license).NTICE.sys file version 5.1.2601.0, product version 4.3.1 (Build 1722). osinfo.dat (304,588 bytes), osinfob.dat (200,027) bytes.
DriverStudio v3.2As v3.1.NTICE.sys file version, product version 4.3.2 (Build 2485). osinfo.dat (350,737 bytes), osinfob.dat (375,319 bytes).
Latest from Compuware FTPN/A.osinfo.dat (474,346 bytes). osinfob.dat (356,884 bytes - most likely out of date).
DriverStudio v3.2.1 UpdateAs v3.1. *Update Only* here (1.65Mb).NTICE.sys file version 3.2.1 (Build 2560), product version 3.2.1 (Build 2560). osinfo.dat (474,346 bytes). osinfob.dat (356,884 bytes).

As SoftICE is virtually every reversers choice of debugger, some of the more intelligent protections will use various techniques to detect its presence. More likely than not you can find a way around most of these yet in certain cases e.g. Hardlock's wrapper and VBox, you'll need to identify precisely the trick before you can work around it, Hardlock is particularly nasty because after disabling the CreateFileA detection you'll wind up with a frozen computer. In said circumstances an alternative debugger can be very useful, such possibilities include Borland's Turbo Debugger (included with TASM & BC++), Microsoft's WinDbg and LiuTaoTao's superb TRW, you know where to look for these :-).

OllyDbg is now highly recommended as the best alternative if your system simply won't take to SoftICE.

- A Disassembler - There are probably 2 main choices for this category, the quicker but less technical W32Dasm v8.9x from URSoftware and the slower more advanced Intelligent Disassembler Pro from Data Rescue. The differences between these 2 are immense, however for instances where you need a quick 'dumb deadlisting' W32Dasm may suffice, serious analysis and analysts however choose IDA. If you have a few spare moments you might also care to investigate some of the older disassemblers such as Sourcer (more for DOS) and WCB for Windows 3.1 although these are largely obsolete. The choice between the main 2 here is really a question of personal preference. Visual Basic v3 and v4 decompilers are also available, although I've never had a great deal of luck with the VB4 edition. For VB5 & VB6 there exists now a p-code debugger courtesy of the WKT team.

If you are really interested in disassemblers then you should check out dsassm02e, a Win32 disassembler written by a South Korean professor, visit his homepage here and download the program with full C source code. Web searchers might like to try looking for material written by Australian Christina Ciffuentes, especially her thesis on decompiling to recover source code.

- A HEX Editor - In this category there at least a dozen choices, most reversers will however develop their favourite, mine being DOS Hiew. Conventional search engines (e.g. the Simtel archive) will find at least 30 HEX editors (some better than others), of the many out there in the woods the following seem to be popular with reversers. Hex Workshop, UltraEdit, HEdit (* note HEdit appears now to be unsupported) you should of course learn how to reverse your tools first)).

- Our Tools - Progress is constantly being made in this area (although it is sporadic), this section is probably out of date several weeks after I write it. Retrospectively, arguably the 2 best developments have been IceDump by The Owl et al & ProcDump courtesy of G-RoM & Stone (now integrated into IceDump). Many other tools have also made an appearance, for example r!sc has done some very good work in the unpacking and CD protection fields, others have contributed with unpackers for specific packers (check out the Unpacking Gods webpage if you can) & Tsehp has contributed Revirgin.

The games scene has also pushed forward the boundaries of our tools, an entire scene is now built around in-memory patching (or 'training') courtesy of Stone and others delving inside the Win32 debug API. In late 1999 Stone's Webnote (a very interesting collection of his own exploits) disappeared from the web, for personal reasons he is reluctant to ever re-upload it, a decision you might not agree with but should respect, a final archive of some of the very interesting material on his site can be found here (1.08Mb's, 1,141,940 bytes).

- Support Tools, room must also be found in any reversers toolbox for the following tools :-

i) File Monitoring (FileMon) & Registry Monitoring (RegMon) from the wizards at SysInternals.
ii) InstallShield script decompiling (isDCC, Wisdec).
iii) Installation Monitoring (CleanSweep from Quarterdeck).
iv) Resource Editor (BRW 4.5, eXeScope, Symantec Resource Studio, Resource Hacker, Restorator).

Cracking Etiquette

Indeed, there is such a thing as the above. When starting out you should probably adhere closely to these pieces of advice else you might make some very nasty enemies (this applies mainly to IRC and message boards).

i) DON'T the first time you join one of these forums issue long lists of requests for tools, specifically SoftICE and IDA. At best you'll be politely told to 'learn how to search' and at worst you'll be flamed out of existence, not a great way to make friends in this world. However, there are ways and means of obtaining said tools, public forums being not the place. I know that many reversers in private will help you obtain what you need, yet you'll need to develop some skills identifying those that might help and those that will never.

ii) When you've actually cracked a few programs it is very easy to become aloof and maybe somewhat egotistical, I know this to my cost because I've been there and done it too. As a general rule, its best never to boast or be cocky, trust me someone out there knows more than you & will eventually shoot you down in flames no matter how clever you think you are ;-), you aren't compelled to reply to 'lamer requests' so maintaining a respectful silence is often 10x more effective. No-one on a message board appreciates a reply to a request for help along the lines of 'man, you must be stupid, I cracked that in 5 minutes', real help rather than ridicule is the order of the day.

iii) Joining warez groups is a matter for your own consciences, I would guess 50% of the community deplores such groups and 50% tolerates them, I'm one of the tolerant group because you may be able to obtain some very interesting specific targets from these sources, naturally I wouldn't dream of cracking these targets or making them available for the losers to download for free of course. If you are offered hardware incentives to crack for any group you should turn it down immediately (unless of course you have a very secure place to send it).

iv) If you should encounter me on IRC not following my own rules be sure to tell me I'm a hypocrite ;-). The reversing community is much like any other, 'do unto others as you would have them do unto you', apply basic common sense and you won't go far wrong.

Other Resources

Download the documentation for SoftICE and please do read it, else read this (something I shamelessly borrowed from a Programming FAQ) :-

One day a Novice came to the Master.
'Master,' he said, 'How is it that I may become a Writer of Programs?'.
The Master looked solemnly at the Novice.
'Have you in your possession a Compiler of Source Code?' the Master asked.
'No,' replied the Novice. The Master sent the Novice on a quest to the Store of Software.
Many hours later the Novice returned.
'Master,' he said, 'How is it that I may become a Writer of Programs?'.
The Master looked solemnly at the Novice.
'Have you in your possession a Compiler of Source Code?' the Master asked.
'Yes,' replied the Novice.
The Master frowned at the Novice.
'You have a Compiler of Source. What now can prevent you from becoming a Writer of Programs?'.
The Novice fidgeted nervously and presented his Compiler of Source to the Master.
'How is this used?' asked the Novice.
'Have you in your possession a Manual of Operation?' the Master asked.
'No,' replied the Novice.
The Master instructed the Novice as to where he could find the Manual of Operation.
Many days later the Novice returned.
'Master,' he said, 'How is it that I may become a Writer of Programs?'.
The Master looked solemnly at the Novice.
'Have you in your possession a Compiler of Source Code?' the Master asked.
'Yes,' replied the Novice.
'Have you in your possession a Manual of Operation?' the Master asked.
'Yes,' replied the Novice.
The Master frowned at the Novice.
'You have a Compiler of Source, and a Manual of Operation. What now can prevent you from becoming a Writer of Programs?'.
At this the Novice fidgeted nervously and presented his Manual of Operations to the Master.
'How is this used?' asked the Novice.
The Master closed his eyes, and heaved a great sigh.
The Master sent the Novice on a quest to the School of Elementary.
Many years later the Novice returned.
'Master,' he said, 'How is it that I may become a Writer of Programs?'.
The Master looked solemnly at the Novice.
'Have you in your possession a Compiler of Source Code, a Manual of Operation and an Education of Elementary?' the Master asked.
'Yes,' replied the Novice.
The Master frowned at the Novice.
'What then can prevent you from becoming a Writer of Programs?'.
The Novice fidgeted nervously. He looked around but could find nothing to present to the Master.
The Master smiled at the Novice.
'I see what problem plagues you.' said the Master.
'Oh great master, please tell me.' asked the Novice.
The Master turned the Novice toward the door, and with a supportive hand on his shoulder said, 'Go young Novice, and Read The Fucking Manual.' And so the Novice became enlightened.

Both the Command Reference and Users Manual used to be available at NuMega's public ftp but now ship by default with the installations. There are many tutorials on how to use and customise SoftICE, including mine which forms part of the 1st tutorial. The most common problems with SoftICE relate to the configuration file winice.dat, download Mammon_'s superb guide on all aspects of SoftICE configuration (linked above).

Whilst at Greythorne's site (check out his new Security Nexus too), download all of the +ORC teachings which have the added advantage of including the relevant files, you will also find some useful ASM and other snippets (e.g. gij's tutorials). Even though the +ORC programs are fairly old, read the texts very carefully indeed, I have found them useful on many occasions. If you already have some Windows programming knowledge then you will most likely already possess a Windows 32 API guide, otherwise locate the pertinent help file and download it (all C compilers that I know of carry the guide).


As a reverse engineer you will encounter several protectionist strategies, a brief appraisal of the most common schemes are listed below.

1. Serial Number/Password protections - These type of schemes are ubiquitous, just look around the web at the serial number lists and key generators available for losers. Usually the protection of choice for cheaper software, you'll usually find only variations upon very simple schemes, maybe some interesting mathematical manipulations, however you should not dismiss programs using these schemes, some such as ACDSee or WinRAR will prove more than enough challenge to the casual reverser.

Recently several serial number schemes have been based on RSA public/private key encryption (ADC v1.2+, IDA v4.x, Hiew, The Bat! to name but a few), so beware of the target requesting just a serial number. I've heard only of several examples of RSA factoring, the maximum key length being 512-bit, I recommend Ghiri's RSA tutorial on Hiew and also the MIRACL maths libraries for factoring sometime this year. RSA of course is crackable, you could for example simply replace the key with a known quantity :-), often using 1 as the decryption exponent will be satisfactory. An increasing number of serial number schemes are using good off the shelf encryption algorithms, ask around for known targets or check out how the algorithms look when compiled.

2. Time trials - With the explosion in magazine cover CD-ROM's, 30 day trials or 'cinderellas' are also common, although Microsoft prefers to allow you 60 or even 90 days to try their software. Time trials are also fairly easy because the amount of tricks a programmer can use is so limited, remember also that in most cases you will have the opportunity to study such a scheme before your time has elapsed. On smaller software be aware that the authors often change the version fairly regularly so reversing a 30-day trial may not even be necessary.

3. Function Disabled - These are becoming less common now, a program author will lock out certain operations (most commonly Save and Print) allowing you to trial his crippled software. In marketing terms disabled software is less likely to encourage potential buyers to try the software, who will spend 2hrs constructing a work of art which cannot be saved.

Disabled software can be either easily reversed or virtually unreversable depending on whether the program author just locked out the functionality or removed the code altogether, more recently I've seen instances of where reversers have actually added back in the relevant saving code as required although this will depend on how much you know about the missing functionality and whether you have the technical information / skills to add it back in. In most cases (like the Adobe trials) your going to need advanced knowledge of the file format and I have my doubts as to whether its practical to invest the time without referring to the widely available full version.

4. Commercial protection schemes - Now becoming more common as the capitalists seek to market web-ready software, you'll almost certainly run into SalesAgent from Release Software & VBox v4.x from Preview Systems, the latter is a pathetic protection which will require no more than 30 seconds SoftICE work, the former is somewhat trickier. Packers such as ASPack, Petite, Shrinker are also becoming more common, but you'll need to read more about these elsewhere (see the newly added 6. section).

5. Hardware/Dongle Protections - Termed as hardware protection, a dongle is a small device that is usually connected to the parallel port of the computer (serial & USB devices also exist). The strength of any dongle protection will be influenced a lot by the quality of the implementation, a lot of them are fairly weak. If you have the actual dongle then reversing it will obviously be a lot easier as you can just examine the relevant INs and OUTs.

As with any protection, information is power so always identify what flavour of dongle you are dealing with and visit the relevant manufacturers web sites, often you'll be able to download full API sources. In some instances, if you do not have the dongle you may have to pray, although no dongle is unreversable, some of the wrappers incorporate sophisticated and unreversable encryption, anti-SoftICE tricks and self-modifying code, so in some cases you would be well-advised to leave the dongle code as it is and patch the application side. The 2 most common dongles are HASP & Sentinel, if you are serious about the dongle game, visit my dedicated LPT parasite page.

6. Packers - Packing software is now very common and is typically marketed more as a code obfuscation tool rather than a protection in its own right (although some do incorporate their own license schemes). The classic symptoms of encountering a packer, either the packers debugger detection lets you know ('Debugger detected' 'Please unload your debugger' etc, etc) or you load the file into a disassembler and see nothing but junk and a program entry point somewhere other than the first code section. A packer generally works by compressing the programs main code and attaching a loading stub, at runtime the stub decompresses the program and runs it, this is a complete oversimplification of an entire protection field, however it will suffice for now. I suggest you download PEId v0.92 (2004 version) if you want to check quickly a target for a known packer and then search for various unpacking programs for a quick fix; of course you could do it manually but will need to improve your skills considerably before doing so.

Patchers / How to Patch

Although I disagree with the concept of making ready-made patches for software I recognise that in certain circumstances it can be beneficial for reversers to publish examples of their work. Pages which just distribute lamer cracks are wasted space, hence why I mostly avoid including a patch file leaving you to probe on your own. Anyhow, this inevitably raises the question of whether you should use 1 of the existing patching engines or code your own.

For ease of use I recommend Jes's GPatch (tutorial included in the ready to start tutorial), which generates 4-5k COM files. You may like to examine the source code to a very quick C patcher which I wrote fairly hastily, cranking up the compiler options may well reduce the file size, or you may like to calibrate pitty's very good C++ patcher. Pascal guru's (I am not one) may like to use/modify MisterE's Pascal patcher, you can download all the pertinent source codes here (31k). There are many other patchers available, those written in ASM usually produce the smallest file size, although with the size of modern day HD clusters I doubt this is a real consideration.

Windows patchers and patch generators are also available, RTPatch and WinPatch are 2 that I know of and which are used by some fairly high profile software companies, many of the scene groups have their own sophisticated patchers these days. For those of you who insist on complete optimisation I recommend PCOM (Private COMpiler), although you might have to invest a little time getting to know it.

Ready to Start?

Well, if you've downloaded all of the tools and documentation I recommended and perhaps invested a few days internally digesting all that information, then you might be ready to attempt your first and second projects, see the link below, after attempting these examples you might find some more in the newbies section.

Sony Vegas Pro 16 Serial Number [Lifetime Crack] Full Download. Sony Vegas Pro 16 Serial Number is a professional video editing software which is popular among youtube material creators and specialist video makers.You can create montages using specialized editing and enhance results, make use of color curves to lighten the video or reduce the contrast and even add some particular effects to. Sony Vegas Pro 15 Crack is the most famous and world best images and also videos editing program. With the help of this software, a user can render videos in all the formats. It allows you also to record your operating system desktop screen. Sony vegas pro crack. Sony vegas pro 15: the complete video editing masterclass software, start editing your video professionally with the powerful vegas pro 15!! Create professional productions for film, tv, youtube video, and the web and make better video. Step by step guide to activate sony vegas pro 15 and free use. Sony vegas pro 15 serial number crack keygen free. Sony Vegas Pro 15 Key edits your specialist sound and video content in full HD as well as 4K high-definition formats. Discover optimized workflow plug-ins for picture stabilization, make dynamic titles and layout your DVDs and Blu-ray disks to your liking.

Still stuck for a target or 2 to test your skills on?, well what about WinZip or mIRC ;-).

Additionally, why not enhance your OllyDbg skills with this SWF movie tutorial courtesy of lena151 (1.45Mb's).

Return to Main Index
© 1997-2007 CrackZ. Updated 15th July 2007.

Once I saw Brandon Wilson’s note on Xbox 360 Controller Security and become curious about how its really works and decided to take a look by myself.

It was my first Xbox 360 related work and Xbox 360 seemed for me much more simple from software and security point of view than PS3. Just a few modules, kernel (xboxkrnl.exe) and 256kb hypervisor which is used mostly for kv (key vault) management.

At PS3 there are about 400 modules (which are sharing alot of the same and unused code), big hypervisor, kernel and SPUs.

Microsoft ships XDKs (Xbox Development Kit) with zeroed root encryption key, and so updates provided with it are not encrypted and contains debug symbols, even for kernel. And kernel itself looks like a lib and can be debugged on XDK? (Not sure about that, never had one)

So it was a matter of seconds to find XSM3 algo.

After Xbox 360 gets all descriptors from controller, and interface descriptor string “Xbox Security Method 3, Version 1.00, 2005 Microsoft Corporation. All rights reserved.” it starts to send auth packets.

There are my sniffed packets:


0xC1 (Vendor IN)0x810x5B170x1030x1D

49 4B 00 00 17 04 E1 11 54 15 ED 88 55 21 01 33 00 00 80 02 5E 04 8E 02 03 00 01 01 C1


Reverse Engineer Synergy Serial Key Generator

0x41 (Vendor OUT)0x820x30x1030x22

09 40 00 00 1C DE EB 91 87 66 B0 E3 C0 B2 6C 05 6D C8 67 E2 E7 D6 A5 DC 71 6F 21 1F B4 32 28 A0 C2 89


0xC1 (Vendor IN)0x830x5C280x1030x2E

49 4C 00 00 28 7D 66 8F 48 76 EC EB E9 61 B7 81 82 08 84 B2 7E 73 1F 7A 92 47 83 F8 5E 78 22 11 B9 9B FC AD D6 F4 D9 1E 04 7E C1 C0 0B 9A


0x41 (Vendor OUT)0x870x30x1030x16

09 41 00 00 10 60 17 AC 73 E5 0F 10 D4 10 F5 C1 B5 8F 63 56 9B 36


0xC1 (Vendor IN)0x830x5C100x1030x16

49 4C 00 00 10 60 7E 0C 62 AE 46 94 E7 14 BA 3D 70 33 7E 93 DF 09


0x41 (Vendor OUT)0x870x30x1030x16

09 41 00 00 10 47 A2 4C A3 97 DF AC CC 29 48 F1 D0 08 11 D1 FD 57


0xC1 (Vendor IN)0x830x5C100x1030x16

49 4C 00 00 10 49 3A E1 F9 8C 91 73 C3 FA A2 07 D3 CC 1E 2F 17 A0

Data format:

  • [5 bytes - cmd header]
  • [data]
  • [1 byte - chksum (xor of data bytes)]

UsbdSecXSM3GetIdentificationProtocolDataProduct key for microsoft office 2007. contains Serial, Category, VendorID and other data.

Category and VendorID are important bytes. Each device type like wireless controller, wired controller, webcam, memory unit, etc. has their own category. VendorID can be 2 types: Microsoft / 3rd party.

Depending on this bytes encryption key is chosen.

The full reverse engineered algo among with my sniffed usb traffic can be found on my github.

Algo is big, obfuscated and unfortunately contains custom crypto algorithms. I tried to cheat on it: checked pc drivers, xbox sdk, windows debug symbols with hope that Microsoft used it somewhere else, but nothing of that succeeded so I ended up rewriting this algo from PowerPC asm to C.

I did this research back in 2013… who would guess back then that Hex-Rays will release PowerPC decompiler ???

The problem with it that Xbox 360 encrypts hardware serial with fixed key and sends it to usb device. From now on Xbox uses per-console key from kv (key vault) for crypto.

This keys are precalculated from hardware serial on factory, and secret part to do serial to per-console key is put to authorized devices.

Okay, so what now?

Xbox controller, Skylanders Portal etc. uses Infineon TPM chip. But what about unauthorized devices? There are so many of them! Devices like Cronus and XIM need wired controller to bypass auth. Looked at some Chinese ones but they use real MS chips. Seems Datel was the only ones who really cracked it and were selling their own controllers. In one of them I found out 2 MCU’s. One is SiTel SC14450 - a DECT phone controller, probably abused for the radio interface. The other is an unknown 16 pin microcontroller, marked ‘Raw Science’ (this is a Datel company).

DFU firmware for SC14450 can be found in updater, it is CompactRISC CR16C 16-bit microcontroller, but firmware does not contain anything interesting, all cmds are passed direct to the Datel ‘Raw Science’ chip.

Datel chip was decapped. Looks like a smart card or SIM chip, 6 wires, rom, flash & ram. But I was not able to recognize this chip. Wild guess was that MCT = MicroChip Technology, but its not PIC.

Masked rom is not big and easily recognizable so it was not hard to get bootrom dump. Its based on 8051 architecture, but it did not hold anything interesting or something that will help us acquiring secret part.

So at this moment Xbox Security Method 3 is reverse engineered but secret algo to do serial to per-console key is still secret.

To be continued in Part 2…

If you liked this post, you can share it with your followers or follow me on Twitter!