For a few days I've been trying to generate/spoof a new MTA serial. What I've already tried:
- Hooking WMI (it uses it for retrieving the BIOS serial etc., but hooking doesn't change the serial)
- Hooking DeviceIoControl (it uses it as well, for retrieving the hard drive serial; it seems to be called on each connect with the server) - didn't work
- Hooking GetAdaptersInfo for MAC spoofing - didn't work
- Hooking the internal API function GetSerial (netc.dll) worked; the serial looked changed, but when joining the server the original serial was used (probably there's one more)
- Reinstalling GTA+MTA and hooking again in the hope it would change.
Additional info: the serial is also stored in the registry, but that doesn't mean anything, as the serial used in handshakes is in memory.
- SID (generated uniquely on each new Windows installation); there's a changer available at http://www.stratesave.com/html/sidchg.html but I'm afraid to use it and prefer to do it without modifying my system. Some people say their serial changed after upgrading/reinstalling Windows.
- The serial is stored somewhere on the hard drive, or is just a binary with hardware data.
Did you manage to reverse what is used to generate the serial, or where the serial is stored?
Netc.dll is injected into both Multi Theft Auto.exe and gta_sa.exe, but 90% it's generated in gta_sa.exe.
I'm doing it for purely educational purposes and don't intend to hack on servers, as I'm just curious about the method, but it's kept as a 'secret' and knowledge only available to MTA staff.
They also have the driver FairplayKD.sys, but I doubt it's generated there. It is a 'sandbox'.
The serial is most probably an MD5 hash (or not; 128 bits = 16 bytes), but I doubt advapi32.dll functions are used for that.
| Address | Size | Label |
|---------|------|-------|
| .text:100192DB | 0010 | RIPEMD-128 InitState [32.le.16&] |
| .text:10021B19 | 0004 | TEA1_DS [32.le.4] |
| .text:1003581D | 0014 | SHA1 / SHA0 / RIPEMD-160 initialization [32.le.20&] |
| .text:10106F61 | 0015 | anti-debug: anti-VMWare [..21] |
| .text:1013B6BA | 000C | function where the ZipCrypto password is handled [32.le.12&] |
| .text:10151203 | 0008 | classical random incrementer 0x343FD 0x269EC3 [32.le.8&] |
| .rdata:10271400 | 0040 | padding used in hashing algorithms (0x80 0 ... 0) [..64] |
| .rdata:103737C8 | 003E | rfc3548 Base 64 Encoding with URL and Filename Safe Alphabet [..62] |
| .rdata:103737C8 | 0040 | B64EncodeTable [..64] |
| .rdata:1037E0C8 | 0400 | Adler CRC32 (0x191b3141) [32.le.1024] |
| .rdata:1037E4C8 | 0400 | Adler CRC32 (0x01c26a37) [32.le.1024] |
| .rdata:1037E8C8 | 0400 | Adler CRC32 (0xb8bc6765) [32.le.1024] |
| .rdata:1037FF60 | 0100 | Zlib length_code [..256] |
| .rdata:10380060 | 0200 | Zlib dist_code [..512] |
| .rdata:10380260 | 0074 | zinflate_lengthExtraBits [32.le.116] |
| .rdata:103802D8 | 0078 | zinflate_distanceExtraBits [32.le.120] |
| .rdata:103808B0 | 0074 | Zlib base_length [32.le.116] |
| .rdata:10380928 | 0078 | Zlib base_dist [32.le.120] |
| .rdata:103AA518 | 0011 | anti-debug: IsDebuggerPresent [..17] |
| .rdata:103AAA5C | 0015 | Windows CryptAcquireContext [..21] |
| .rdata:103AAAB0 | 0010 | Windows CryptCreateHash [..16] |
| .rdata:103AAAC2 | 000E | Windows CryptHashData [..14] |
| .data:103AB058 | 0120 | SHA224 [32.le.288&] |
| .data:103AB058 | 0020 | SHA224_DS [32.le.32] |
| .data:103AB078 | 0020 | SHA256 Initial hash value H (0x6a09e667UL) [32.le.32&] |
| .data:103AB078 | 0120 | SHA256 [32.le.288&] |
| .data:103AB07C | 0010 | Crypton kp [32.le.16] |
| .data:103AB098 | 0040 | Initial hash value H for SHA-384 and SHA-512 [64.le.64&] |
| .data:103AB098 | 02C0 | SHA384 [64.le.704&] |
| .data:103AB0D8 | 0040 | Initial hash value H for SHA-512 [64.le.64&] |
| .data:103AB0D8 | 02C0 | SHA512 [64.le.704&] |
| .data:103AB118 | 0100 | SHA256 Hash constant words K (0x428a2f98) [32.le.256] |
| .data:103AB218 | 0280 | Hash constant words K for SHA-384 and SHA-512 [64.le.640] |
| .data:103ABC70 | 0040 | padding used in hashing algorithms (0x80 0 ... 0) [..64] |
| .tls:103E0007 | 0040 | padding used in hashing algorithms (0x80 0 ... 0) [..64] |
Help is appreciated in my research, as I'm really curious what is behind it... but trying to do it by myself makes me cry.
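The table in the post is the kind of output a crypto-constant signature scanner (signsrch/FindCrypt style) produces: it finds well-known initialisation words, constant tables and the 0x80-padding block inside a binary's sections, which is the same technique malware analysts use to identify which hash or cipher a sample embeds. As an added illustration that is not part of the post and not MTA or netc.dll code, here is a minimal scanner of that kind run over a constructed byte blob. The signature list, the sample blob and the `[32.le.N]`-style labels are my own assumptions modelled on the table's notation. It also shows why a 16-byte hit can only be labelled "MD5 or SHA-1" (both share the first four init words) while a 20-byte hit names SHA-1, which is the same ambiguity behind the table's "SHA1 / SHA0 / RIPEMD-160" entry.

```python
"""Tiny crypto-constant signature scanner (added example, not the poster's tool)."""
import struct

# Well-known initialisation/constant words (assumed signature set, a small subset
# of what real scanners carry). MD5 and SHA-1 share the first four words, so a
# scanner can only name SHA-1 when the fifth word 0xC3D2E1F0 is present too.
SIGNATURES = {
    "MD5/SHA-1 shared init (A..D)": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-1 init (A..E)": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
    "SHA-256 initial hash value H": [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                                     0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19],
    "SHA-256 constant words K (first 4)": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
    "MSVC rand() LCG multiplier/increment": [0x343FD, 0x269EC3],
}

# Raw-byte pattern: the 0x80 0x00 ... block that MD5/SHA-family code uses for padding.
RAW_PATTERNS = {
    "hash padding block (0x80 0 ... 0)": b"\x80" + b"\x00" * 63,
}


def pack_words(words, endian="<"):
    """Pack 32-bit words; '<' is little-endian ('32.le' in the table's labels)."""
    return b"".join(struct.pack(endian + "I", w) for w in words)


def scan(blob):
    """Return a sorted list of (offset, size, label) for every signature hit in blob."""
    hits = []
    for label, words in SIGNATURES.items():
        # Check both byte orders: an x86 binary stores words little-endian, but some
        # implementations keep big-endian byte tables instead.
        for endian, tag in (("<", "32.le"), (">", "32.be")):
            pattern = pack_words(words, endian)
            start = 0
            while (idx := blob.find(pattern, start)) != -1:
                hits.append((idx, len(pattern), f"{label} [{tag}.{len(pattern)}]"))
                start = idx + 1
    for label, pattern in RAW_PATTERNS.items():
        start = 0
        while (idx := blob.find(pattern, start)) != -1:
            hits.append((idx, len(pattern), f"{label} [..{len(pattern)}]"))
            start = idx + 1
    return sorted(hits)


def build_sample_blob():
    """Constructed stand-in for a .data/.rdata section: filler, SHA-256 H,
    filler, SHA-1 init words, filler, then a padding block."""
    filler = bytes(range(256))  # no signature can occur inside this run
    return (filler
            + pack_words(SIGNATURES["SHA-256 initial hash value H"])   # offset 0x100
            + filler[:32]
            + pack_words(SIGNATURES["SHA-1 init (A..E)"])              # offset 0x140
            + filler[:16]
            + RAW_PATTERNS["hash padding block (0x80 0 ... 0)"])       # offset 0x164


if __name__ == "__main__":
    # Prints one line per hit in the same Address/Size/Label shape as the post's table.
    for off, size, label in scan(build_sample_blob()):
        print(f"{off:08X} {size:04X} {label}")
```

Running it lists the SHA-256 H words at 0x100, both the 16-byte "MD5/SHA-1 shared" hit and the 20-byte "SHA-1 init" hit at 0x140, and the padding block at 0x164. Real scanners differ mainly in the size of their signature database and in also matching code patterns (the table's `.text` entries), not in the matching logic.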