AWMA the Elephant – The Winner is…

AWMA and I had an argument,
And I was determined to win it,
Yes I did, so three cheers for me,
Whoop, Whoop, Whoop!

While I was writing the previous installment of my adventures with AWMA, I spotted a bit of code that I hadn’t fully noticed the first time that I was skimming through the code. To be honest, I wasn’t really looking for it anyway. It’s shown below, and you may notice that is gives quite a big clue on how the licence code that you need to type is decoded.

That’s right… it gets the encoded license string, and for each number, adds 10 to it and then subtracts the relevant value in the xorcode array. This value is then modded against 10 (in other words gets the unit value of the number) and then adds it to a new string. Having this insight into how the code works, I decided to see exactly how far I could go. And armed with a few valid codes (from activating it so many times) I could test to see if any of them worked.

To start off with, I wrote down one of the activation codes, and then ran through this code line by line on a piece of paper. If you can’t read my writing (who can?!) then I’ve made a pretty table beneath the image for you.

Step-by-step calculations of decoding the AWMA license code
Only after I had written all of this did I realise I didn’t need to add 10 at the start!

License 7 9 7 7 3 8 3 2 6 5 0 7
xorcode 6 3 7 4 2 9 7 5 8 6 2 5
Decoded 1 6 0 3 1 9 6 7 8 9 8 2

Knowing that this licence runs out in a years’ time, the first six characters that were decoded looked very much date like (160319 – 2016-03-19). This was confirmed to me by looking further through the code, where it splits this decoded string into an expiry date and a hash.

Now all that was needed to see what created this hash code, so that it could be used. However, this is where I had to stop trying to work this out on paper and move over to a computer doing my work for me. Why? Well, this is the code that creates the hash:

Although I did try and work out bitwise addition on paper, the working out of MD5 hashes was something I wasn’t prepared to do. Moving over to NetBeans, and creating a new Java project, I copied over the AWMA license code, and started to step through it. Checking through the license string being decoded (albeit with a different license code) and making sure that the results were correct meant that I hadn’t wasted the last hour or so.

The decode licence function debugging on a computer
Having a computer debug your working out is a good idea

Carrying on debugging the program, I eventually got to the code that creates the hash that I needed. This hash is worked out by getting a string of the user’s profile location, doing some calculations on it, and then getting the first six characters of it (this is why a license is needed for each user of the program). This section of the program shows four variables are being used. The expiry of the license, the hash stored in the license, the ID of the machine and the hash that is calculated.

The hash calculation function being debugged and showing values that are needed
The magic numbers that I need to generate a valid license code

This is all of the information that is needed to generate a valid license code. Sticking the relevant parts together (expiry and calculated hash) and reversing the license decoding steps (add each number with the xorcode and then mod it by 10) a code that looked valid was created.

Expiry 1 6 0 3 2 3
Calculated hash 0 5 4 2 9 2
xorcode 6 3 7 4 2 9 7 5 8 6 2 5
Encoded 7 9 7 7 4 2 7 0 2 8 1 7

Having this code in front of me, I fired up a copy of AWMA and typed in the code. I was prompted by this (ignore that the code doesn’t match what is above):

AWMA displaying that the licence code is valid
Two hours after starting, I cheered at this point.

Feeling experimental, I set the date to be the last day in 2099 and put this into the AWMA activation screen.

The AWMA licence screen, with a date of 2099-12-31 as the expiry date
I’m worried about how well AWMA will work in the year 2100

While it works, when you launch AWMA next it will complain that the licence has expired. Still, being able to generate our licences without needing to contact Pearson each time is going to save us quite a bit of hassle. And considering this is the first time I’ve ever reverse engineered something, being able to do it in 2 hours I don’t think is too bad.

In conclusion, looks like I have won the argument with AWMA, and I now have a nice little nifty tool that can generate the licenses for me too, should I ever need any more.

Leave a Reply

Your email address will not be published. Required fields are marked *