
How to use a custom private BasePointGenerator?

Open x64bugreport opened this issue 2 years ago • 3 comments

```cpp
#include <cstdint>
// BigInteger is the keygen project's own big-integer type, not a standard one.

struct Custom {
    static inline const uint32_t BasePointGenerator[] = {
        2127088620,   // Armadillo Encrypt Template = "3"
        2127088620    // Armadillo Encrypt Template = "3"
    };
    static inline const BigInteger PrivateKey[] = {
        "0x2def66c7f63c047c2e7af50b55e6",  // 0x2def66c7f63c047c2e7aad777e6e + 0x000000004793d778
        "0x2def66c7f63c047c2e7ca2948191"   // 0x2def66c7f63c047c2e7aad777e6e + 0x00000001f51d0323
    };
};
```

When I modify BasePointGenerator, the keygen result does not match the VAX code. I confirm that I have successfully replaced the corresponding public key string. What should I do after modifying the seed? Looking forward to your answer.

x64bugreport, Jun 24 '22 08:06

I hope to change the Custom BasePointGenerator to the Official BasePointGenerator and reduce the replacement scope.

x64bugreport, Jun 24 '22 08:06

If you want to use a different BasePointGenerator, that would be a little hard.

There are two official public key strings in VA_X.dll, which are

```cpp
static inline const std::string PublicKeyString[] = {
    "1329115615,9626603984703850283064885442292035,3463780848057510008753765087591958",
    "4065234961,2221233238252903594850812155620126,3175203956977476891557515669668792"
};
```

You said you had found it, good! However, there exists a check in VA_X.dll that verifies public key string. It checks that

```cpp
VisualAssistCryptoConfig::GeneratePublicKeyStringMd5(PublicKeyString[i]) == PublicKeyStringMd5[i];
```

for both of the two official public key strings, where PublicKeyStringMd5[i] is also verified by other complicated functions that I am tired of analysing.

So I made a CUDA program to find a collision that can help me bypass this check. That is why the private keys I selected have such a form:

```
0x2def66c7f63c047c2e7af50b55e6 = 0x2def66c7f63c047c2e7aad777e6e + 0x000000004793d778
```

where 0x000000004793d778 is the collision shift.

If you debug my keygen, you can find that VisualAssistCryptoConfig::Official::PublicKeyStringMd5 and VisualAssistCryptoConfig::Custom::PublicKeyStringMd5 are the same which indicates the private/public keys I selected can bypass VA_X.dll's check.

So, for you, I'm sorry that I can't be of much help. You have to find a new collision if you select a different BasePointGenerator, which won't be easy work. I suggest you abandon such an idea.

DoubleLabyrinth, Jun 24 '22 10:06

First of all, thank you very much for answering me and letting me know what the problem is. The cause of the incident is that I found a set of replacement public keys in a hijacking patch. The Custom::BasePointGenerator and Official::BasePointGenerator parts are the same. Of course, I don't know what the corresponding private key is. There is only a set of key codes; after modifying the BasePointGenerator, I found that it is not feasible, and I am curious how the original author did it. I already know the problem from your answer, thank you very much.

x64bugreport, Jun 24 '22 13:06