Navicat keygen – how does the keygen work?
1. Keyword explanation
- Navicat activation public key

  This is a 2048-bit RSA public key, which Navicat uses to encrypt and decrypt activation information.

  This public key is stored in navicat.exe as a resource of type RCData. The resource name is "ACTIVATIONPUBKEY". You can view it with a tool called Resource Hacker. The contents of this public key are:

      -----BEGIN PUBLIC KEY-----
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1dqF3SkCaAAmMzs889I
      qdW9M2dIdh3jG9yPcmLnmJiGpBF4E9VHSMGe8oPAy2kJDmdNt4BcEygvssEfginv
      a5t5jm352UAoDosUJkTXGQhpAWMF4fBmBpO3EedG62rOsqMBgmSdAyxCSPBRJIOF
      R0QgZFbRnU0frj34fiVmgYiLuZSAmIbs8ZxiHPdp1oD4tUpvsFci4QJtYNjNnGU2
      WPH6rvChGl1IRKrxMtqLielsvajUjyrgOC6NmymYMvZNER3htFEtL1eQbCyTfDmt
      YyQ1Wt4Ot12lxf0wVIR5mcGN7XCXJRHOFHSf1gzXWabRSvmt1nrl7sW6cjxljuuQ
      awIDAQAB
      -----END PUBLIC KEY-----

  If you have the corresponding private key and are willing to make it public, please contact me. I would be very grateful for your generosity.
  Note:

  Starting with Navicat Premium 12.0.25, Navicat no longer loads this key from the resources of navicat.exe. Instead, the public key is loaded from libcc.dll, where it is stored encrypted. To make it harder to replace, the encrypted public key is split into five parts that are stored in different places.

  The following was found in libcc.dll of Navicat Premium x64 12.0.25 Simplified Chinese. The SHA-256 of that libcc.dll is 607e0a84c75966b00f3d12fa833e91d159e4f51ac51b6ba66f98d0c3cbefdce0. I don't guarantee that the offsets are the same in other versions of Navicat, but the strings and immediate values are probably the same.

  - In libcc.dll, at file offset +0x01A12090, the first part of the encrypted public key is stored as a string:

        "D75125B70767B94145B47C1CB3C0755E 7CCB8825C5DCE0C58ACF944E08280140 9A02472FAFFD1CD77864BB821AE36766 FEEDE6A24F12662954168BFA314BD950 32B9D82445355ED7BC0B880887D650F5"
  - In libcc.dll, at file offset +0x0059D799, the second part of the encrypted public key is stored as an immediate value in an instruction:

        0xFE 0xEA 0xBC 0x01

    The corresponding decimal value is: 29158142

  - In libcc.dll, at file offset +0x01A11DA0, the third part of the encrypted public key is stored as a string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

  - In libcc.dll, at file offset +0x0059D77F, the fourth part of the encrypted public key is stored as an immediate value in an instruction:

        0x59 0x08 0x01 0x00

    The corresponding decimal value is: 67673

  - In libcc.dll, at file offset +0x01A11D8C, the fifth part of the encrypted public key is stored as a string:

        "92933"
  These five parts are joined with the format string "%s%d%s%d%s", in the same order as above, to produce the encrypted public key. The specific output is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

  This encrypted public key can be decrypted with my other repo (how-does-navicat-encrypt-password), where the key is b'23970790'. For example:

      E:\GitHub>git clone https://github.com/DoubleLabyrinth/how-does-navicat-encrypt-password.git
      ...
      E:\GitHub>cd how-does-navicat-encrypt-password\python3
      E:\GitHub\how-does-navicat-encrypt-password\python3>python
      Python 3.6.3 (v3.6.3:2c5fed8, Oct 3 2017, 18:11:49) [MSC v.1900 64 bit (AMD64)] on win32
      Type "help", "copyright", "credits" or "license" for more information.
      >>> from NavicatCrypto import *
      >>> cipher = Navicat11Crypto(b'23970790')
      >>> print(cipher.DecryptString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jANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw1dqF3SkCaAAmMzs889I
      qdW9M2dIdh3jG9yPcmLnmJiGpBF4E9VHSMGe8oPAy2kJDmdNt4BcEygvssEfginv
      a5t5jm352UAoDosUJkTXGQhpAWMF4fBmBpO3EedG62rOsqMBgmSdAyxCSPBRJIOF
      R0QgZFbRnU0frj34fiVmgYiLuZSAmIbs8ZxiHPdp1oD4tUpvsFci4QJtYNjNnGU2
      WPH6rvChGl1IRKrxMtqLielsvajUjyrgOC6NmymYMvZNER3htFEtL1eQbCyTfDmt
      YyQ1Wt4Ot12lxf0wVIR5mcGN7XCXJRHOFHSf1gzXWabRSvmt1nrl7sW6cjxljuuQ
      awIDAQAB
      -----END PUBLIC KEY-----
  Note:

  Starting with Navicat Premium 12.1.11, Navicat no longer uses the above method to load the key. The key is, of course, still stored in libcc.dll. When Navicat starts, it encrypts the public key with an 8-byte XOR key and stores it in a static data area. When verifying an activation code, Navicat regenerates the same 8-byte XOR key and decrypts the ciphertext in the static data area to obtain the public key.

  In the x64 libcc.dll, you will see instructions like the following:

      xor eax, 'M'
      mov byte_xxxxxx, al
      ...
      xor eax, 'I'
      mov byte_xxxxxx, al
      ...
      xor eax, 'I'
      mov byte_xxxxxx, al
      ...
      xor eax, 'B'
      mov byte_xxxxxx, al
      ...
      xor eax, 'I'
      mov byte_xxxxxx, al
      ...
      xor eax, 'j'
      mov byte_xxxxxx, al
      ...
      ...
- Request code

  This is a Base64-encoded string that represents 256 bytes of data. These 256 bytes are the ciphertext of the offline activation request information, encrypted with the Navicat activation public key.

- Offline activation request information

  This is a JSON-style string. It contains three keys, "K", "DI" and "P", which are respectively the serial number, the device identifier (related to your computer's hardware information) and the platform (in fact, the operating system type).

  For example:

      {"K": "xxxxxxxxxxxxxxxx", "DI": "yyyyyyyyyyyyy", "P": "WIN8"}

- Activation code

  This is a Base64-encoded string that represents 256 bytes of data. These 256 bytes are the ciphertext of the offline activation reply message, encrypted with the Navicat activation private key. We don't know the official Navicat activation private key, so we have to replace the public key in the software.
- Offline activation reply message

  Like the offline activation request information, this is a JSON-style string, but it contains five keys: "K", "N", "O", "T" and "DI".

  "K" and "DI" have the same meaning as in the offline activation request information, and their values must be the same as in the offline activation request information.

  "N", "O" and "T" represent the user name, the organization and the authorization time respectively. The user name and organization values are UTF-8 encoded strings. The authorization time value can be a string or an integer (thanks to @wizr's report in issue #10).

  "T" can be omitted.
- Serial number

  This is a string divided into four parts, each of which is four characters long.

  The serial number is generated from 10 bytes of data. For convenience, I use uint8_t data[10] to represent these 10 bytes.

  - data[0] and data[1] must be 0x68 and 0x2A. These two bytes are the Navicat flags.

  - data[2], data[3] and data[4] can be any bytes, whatever you want.

  - data[5] and data[6] are the Navicat language flag, with the following values:

    | Language type | data[5] | data[6] | Discoverer |
    | --- | --- | --- | --- |
    | English | 0xAC | 0x88 | |
    | Simplified Chinese | 0xCE | 0x32 | |
    | Traditional Chinese | 0xAA | 0x99 | |
    | Japanese | 0xAD | 0x82 | @dragonflylee |
    | Polski | 0xBB | 0x55 | @dragonflylee |
    | Español | 0xAE | 0x10 | @dragonflylee |
    | Français | 0xFA | 0x20 | @Deltafox79 |
    | Deutsch | 0xB1 | 0x60 | @dragonflylee |
    | 한국어 | 0xB5 | 0x60 | @dragonflylee |
    | Русский | 0xEE | 0x16 | @dragonflylee |
    | Português | 0xCD | 0x49 | @dragonflylee |

  - data[7] is the Navicat product ID. (Thanks to @dragonflylee and @Deltafox79 for the data.)

        Product name            Enterprise Standard Educational Essentials
        Navicat Report Viewer   0x0B
        Navicat Data Modeler 3  0x84 0x85
        Navicat Premium         0x65 0x66 0x67
        Navicat MySQL           0x68 0x69 0x6A 0x6B
        Navicat PostgreSQL      0x6C 0x6D 0x6E 0x6F
        Navicat Oracle          0x70 0x71 0x72 0x73
        Navicat SQL Server      0x74 0x75 0x76 0x77
        Navicat SQLite          0x78 0x79 0x7A 0x7B
        Navicat MariaDB         0x7C 0x7D 0x7E 0x7F
        Navicat MongoDB         0x80 0x81 0x82
  - The high 4 bits of data[8] represent the version number. The low 4 bits are unknown, but can be used to extend the activation period. The possible values are 0000 and 0001.

    For example:

    For Navicat 12: the high 4 bits must be 1100, which is 12 in binary.

    For Navicat 11: the high 4 bits must be 1011, which is 11 in binary.

  - The meaning of data[9] is not yet known, but if you want a not-for-resale license it can be set to 0xFD, 0xFC or 0xFB.

    According to the symbol information remaining in Navicat 12 for Mac x64:

    0xFB is a Not-For-Resale-30-days license.
    0xFC is a Not-For-Resale-90-days license.
    0xFD is a Not-For-Resale-365-days license.
    0xFE is a Not-For-Resale license.
    0xFF is a Site license.
  After that, Navicat uses the DES algorithm in ECB mode to encrypt the last 8 bytes of data[10], that is, data[2] through data[9].

  The corresponding DES key is:

      unsigned char DESKey[] = { 0x64, 0xAD, 0xF3, 0x2F, 0xAE, 0xF2, 0x1A, 0x27 };

  Then data[10] is encoded with Base32, where the encoding table is changed to:

      char EncodeTable[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

  After encoding, you should get a 16-byte string starting with "NAV".

  Divide the 16-byte string into four 4-byte chunks and join them with "-" to get the serial number.
2. Activation process
- Navicat checks whether the serial number entered by the user is valid.

- After the user clicks the Activate button, Navicat first tries to activate online. If that fails, the user can choose to activate offline.

- Navicat uses the serial number and information collected from the user's computer to generate the offline activation request information, encrypts it with the Navicat activation public key, and encodes the ciphertext with Base64 to produce the request code.

- In the normal process, the request code is sent to Navicat's official activation server from a computer that has Internet access. Navicat's official activation server then returns a valid activation code.

  But now we use the keygen to play the role of the official activation server. Only the activation public key in the Navicat software needs to be replaced with your own public key:

  - From the request code, get the "DI" value and the "K" value.

  - Use the "K" value, the user name, the organization name and the "DI" value to fill in the offline activation reply message.

  - Encrypt the offline activation reply message with your own 2048-bit RSA private key. You will get 256 bytes of ciphertext.

  - Encode these 256 bytes of ciphertext with Base64 to get the activation code.

- Enter the activation code into the Navicat software to complete offline activation.
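The whole scheme depends on swapping the verification key inside the installed binaries, so a patched install can be detected by comparing file hashes and embedded keys against known-good values. The following is an added example, not code from the original page or the project: `audit_binary`, `embedded_key_fingerprints`, `make_pem` and the sample bytes are all hypothetical and constructed. It assumes the key is stored as an ASCII PEM block, as in builds that keep it in the RCData resource; for builds that store the key encrypted in libcc.dll only the whole-file hash check applies.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.DOTALL)

def embedded_key_fingerprints(blob):
    """SHA-256 of the decoded body of every ASCII PEM public key inside a binary."""
    fingerprints = []
    for match in PEM_RE.finditer(blob):
        body = re.sub(rb"\s+", b"", match.group(1))  # ignore PEM line wrapping
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error: marker text without a real key body
            continue
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints

def audit_binary(blob, trusted_file_hashes, trusted_key_fingerprints):
    """Return (finding, sha256) pairs; an empty list means nothing unexpected."""
    findings = []
    file_hash = hashlib.sha256(blob).hexdigest()
    if file_hash not in trusted_file_hashes:
        findings.append(("unknown-file-hash", file_hash))
    for fp in embedded_key_fingerprints(blob):
        if fp not in trusted_key_fingerprints:
            findings.append(("untrusted-embedded-key", fp))
    return findings

def make_pem(der):
    """Wrap bytes as a PEM public key block (used only to build the samples)."""
    return (b"-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(der)
            + b"-----END PUBLIC KEY-----\n")

# Constructed samples: placeholder bytes, not real keys or real Navicat files.
VENDOR_DER = b"constructed-vendor-key " * 8
OTHER_DER = b"constructed-replacement-key " * 8
GOOD = b"MZ\x90\x00" + make_pem(VENDOR_DER) + b"\x00rest-of-file"
PATCHED = GOOD.replace(make_pem(VENDOR_DER), make_pem(OTHER_DER))
TRUSTED_FILES = {hashlib.sha256(GOOD).hexdigest()}
TRUSTED_KEYS = {hashlib.sha256(VENDOR_DER).hexdigest()}

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("patched", PATCHED)):
        print(name, audit_binary(blob, TRUSTED_FILES, TRUSTED_KEYS))
```

In practice the trusted sets would be built from files taken from a vendor-signed installer for the exact build in use.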