• Welcome to Valhalla Legends Archive.
 

Starcraft Keys

Started by Guest, February 16, 2003, 01:29 PM


LordNevar

There's quite a few programs out there that will generate every possible set of 13 digit numbers in a specific range. Which is pointless cause that is not what is trying to be done here. That would take way too long, and would take way too many resources to check all those possibilities. Sure it can be done but with a lot of work and time consumption. Also let me see you check that many keys against B.net without them catching on.....

The whole point of what is trying to be done is to figure out how it is being done. Not let's make a list and just find them all with the process of elimination. There's a specific combination for every key string, and yes Ringo and some others are noticing it. Every set of numbers is staged with the same number marking a dividing spot in the key string. This number is used to calculate the ending number in a certain multiple and is also used to derive the outcome of the public key, and the private key. Although this is the case, actually generating the right key group is still not worth it. True you will find valid keys, but you will also find that they are valid cause they are purchased copies and belong to other people. After a lot of research and trial and error, I have come to a base conclusion, that as someone stated before a key is only valid when it is put on the case. In my results from testing this is very possible. I took a generated list of keys that I did not have in any prior lists, and ran a test on them for a week. Out of each one of the 200 keys tested approximately (71) were invalid, (14) were voided, (23) were muted, (45) were banned, and (47) of them fell in use by different people. Either coincidental or not still doesn't defeat the fact that even if I am wrong which is still very plausible, you are still going to end up with someone else's key. You need to look at all the possible outcomes of keys, and all the people that actually own a copy. True the odds of you always finding a key in use is slim but it is still possible. Now I tested a small list of 200 and of those 200 (129) were used at one point or at the present. This list was only tested on the west realm.

A good fortune may forebode a bad luck, which may in turn disguise a good fortune.
The greatest trick the Devil ever pulled, was convincing the world he didn't exist.

Joe[x86]

Frozen, unsigned long long.

As Arta said, the installer verification is very well understood. The code disassembled right from the installer is..
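   mov     eax, 3                    ; accum = 3
   mov     esi, ecx                  ; esi = pointer to the key string
   mov     ebp, edx                  ; save edx (not used in the lines shown)
   xor     ecx, ecx                  ; i = 0
Top:
   movsx   edx, byte ptr [ecx+esi]   ; edx = cdkey[i]
   sub     edx, 30h                  ; ASCII digit -> numeric value
   lea     edi, [eax+eax]            ; edi = accum * 2
   xor     edx, edi                  ; edx = digit ^ (accum * 2)
   add     eax, edx                  ; accum += edx
   inc     ecx                       ; i++
   cmp     ecx, 0Ch                  ; loop while i < 12
   jl      short Top
   xor     edx, edx                  ; clear the high dword for div
   mov     ecx, 0Ah                  ; divisor = 10
   div     ecx                       ; unsigned divide: edx = accum % 10

   movsx   eax, byte ptr [esi+0Ch]   ; eax = cdkey[12], the 13th digit
   movsx   edx, dl
   add     edx, 30h                  ; remainder -> ASCII digit
   cmp     eax, edx
   jnz     bottom                    ; mismatch: return 0
   mov     eax, 1                    ; match: return 1
   retn    8
bottom:
   xor     eax, eax
   retn    8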


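In C++, it's..
bool verifyStarcraftCDKey(const char *cdkey)
{
   // Checksum the first 12 digits (the disassembly loops while i < 0Ch)
   // and compare against the 13th digit, cdkey[12].
   unsigned int accum = 3;   // unsigned, to match the unsigned div
   for(int i = 0; i < 12; i++)
      accum += ((cdkey[i] - '0') ^ (accum * 2));

   return ((accum % 10) == (unsigned int)(cdkey[12] - '0'));
}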


In SCKMG, I've modified this function to checksum the first 12 digits of the CD-Key and return the last one. That way instead of verifying ten, we generate one, and end up running ten times as fast.
Quote from: brew on April 25, 2007, 07:33 PM
that made me feel like a total idiot. this entire thing was useless.

dxoigmn

Argh. As someone already pointed out, stop looking at encoded cdkeys. You're not going to get anywhere. You guys should be looking at the public and private value relationship *after* decoding the cdkeys. A good experiment to run is try to find all public values that map to the same private value (i.e. public values ranging [0, 9999999] and a private value of 1). Note: this would require hammering the battle.net servers but seems doable with enough proxies.

Arta

You won't get anywhere significant, nor will you arrive at a decent understanding of the mechanisms involved, without concentrating your efforts on decoded keys.

GoaL

Well, my way of thinking through it, is: If I have every key in a list, then I could do equations, and I would have the result, like ... 1x + 2 = 6, I have the end result, which makes figuring out the equation a bit easier, and maybe I read it wrong but I believe one of the posts said something along the lines as I only have 0000000000000-9999999999999, I do not, they are all being run through the installer's check. Then that list I will use MANY proxies and check 1000 out of each range, 1*, 2*, etc.

GoaL

The list is finished, it is only 1.39 GB. I have uploaded it to a site, if anyone wants it, let me know. I do believe I can get a good number of keys Ringo, I get a few thousand proxies per scan, and I and another person are working on a key tester in C++, I am going to incorporate the key tester with the proxy scanner, so they work together, then allow that to run 24/7 on my windows server.

Arta


GoaL

Of the entire list, or of 1000 of each range?

Joe[x86]

Quote from: GoaL on December 07, 2005, 05:30 AM
Of the entire list, or of 1000 of each range?
I don't claim to be an expert mathematician, but anyone knows that percents stay the same no matter how many things there are in total.

Ringo, if they pound the server with, say, 1000 keys per second, they could be done in about 1 week, methinks. Probably a lot faster.

As for wrong products, is there any way to have an invalid product other than the product of 1?

GoaL

Hmmm, best I can do is about 1000 proxies, but I'm waiting on my tester in C++ to be finished because VB can't handle 1.39GB.

tA-Kane

The forum's reply with quote is broken for me.   :(

VB doesn't support 1.39GB files? That surprises me. I wouldn't be surprised if it didn't support 2.0GB files, though... or even 1.99GB. I wonder what its limit is, then?
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com

UserLoser.

Quote from: Ringo on December 07, 2005, 11:03 AM
Quote from: Joe on December 07, 2005, 07:11 AM
I don't claim to be an expert mathematician, but anyone knows that percents stay the same no matter how many things there are in total.
Nor do I :P
I have a calculator.

Quote from: Joe
Ringo, if they pound the server with, say, 1000 keys per second, they could be done in about 1 week, methinks. Probably a lot faster.
That's a big if :P


Quote from: GoaL on December 07, 2005, 05:30 AM
Of the entire list, or of 1000 of each range?
The whole list.
980,000,000,000 wrong product
19,980,000,000 invalid
20,000,000 valid

I think that makes 98% wrong product, 1.998% invalid and 0.002% valid?



Hmm...my list now consists of ~36000 Starcraft CdKeys...where only so far 11000 or so of them are sequential (based on public value) :P Here's 20 of my CdKeys, maybe it could help you guys:

I'm surprised none of you pattern finding people figured out the pattern with the private value on the original CdKey.  It's nothing really special, but eh.  xxxxAxxxBxCxx.  ABC are all based on the private value.  For example, any key that has private of 999 will have A=8, B=8, C=9, 998 will have A=8, B=9, C=9 and so on as my example list shows:

LordNevar

Quote from: Ringo on December 07, 2005, 04:15 PM
Quote from: UserLoser on December 07, 2005, 04:02 PM
I'm surprised none of you pattern finding people figured out the pattern with the private value on the original CdKey.  It's nothing really special, but eh.  xxxxAxxxBxCxx.  ABC are all based on the private value.  For example, any key that has private of 999 will have A=8, B=8, C=9, 998 will have A=8, B=9, C=9 and so on as my example list shows:
What makes you think I hadn't? :)


Agreed ;)


GoaL

Well, VB I'm sure can handle it, but ... not as well as I would like. If anyone has a cdkey tester in C++, please tell me. The one that was getting made, well... most likely isn't. Can't someone find a pattern finding program, or make one, then run the list through it? (the way I put it sounds so childish... but yeah ... you know what I mean)

Kp

The problem with trying to determine the algorithm from examining the patterns is that you have no constraints on the nature of the algorithm.  In particular, you don't know the order of the algorithm, whether it has logarithms or trigonometric functions involved, or the values of the multipliers in the equation.  Since the only goal for this algorithm is that it be reasonably efficient to compute on the server, Blizzard could've chosen any equation they wanted to relate public and private values.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!
