Unlike SLIC tables, OEM Certificates aren't as easy to identify. So here's a little tutorial that will allow you to properly identify an OEM Certificate, and match it with its correspondent SLIC table. Tools needed: - WinHex Note: I will use as an example, the ubiquitous Asus SLIC table and OEM Certificate. 1. Open up the OEM Certificate with Winhex. 2. Locate and highlight the software licensing data (it always starts with "kgAAAAAAA"). In this case (Asus certificate) we will highlight this: Code: kgAAAAAAAgBfQVNVU18BAAEAb5Kd3LN57icmCPjcW9hfSyE0q2DskMfC1WDV9dmC+S6+6EM41cJbniW4k80VuBvDMH2tVWl5vRp+RMi8WVoXvoGt7+6WITfMikJixhQFCSFpeuGMSs7WyBh4eIYrMGOm5WS30hReK0S+MxJra6O9noW7vmzhsTPC2pGA80S0yp8= 3. Go to "Edit" > "Copy Block" > "Into New File". Give it any name you want and save. You will get this: Code: Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 6B 67 41 41 41 41 41 41 41 67 42 66 51 56 4E 56 kgAAAAAAAgBfQVNV 00000010 55 31 38 42 41 41 45 41 62 35 4B 64 33 4C 4E 35 U18BAAEAb5Kd3LN5 00000020 37 69 63 6D 43 50 6A 63 57 39 68 66 53 79 45 30 7icmCPjcW9hfSyE0 00000030 71 32 44 73 6B 4D 66 43 31 57 44 56 39 64 6D 43 q2DskMfC1WDV9dmC 00000040 2B 53 36 2B 36 45 4D 34 31 63 4A 62 6E 69 57 34 +S6+6EM41cJbniW4 00000050 6B 38 30 56 75 42 76 44 4D 48 32 74 56 57 6C 35 k80VuBvDMH2tVWl5 00000060 76 52 70 2B 52 4D 69 38 57 56 6F 58 76 6F 47 74 vRp+RMi8WVoXvoGt 00000070 37 2B 36 57 49 54 66 4D 69 6B 4A 69 78 68 51 46 7+6WITfMikJixhQF 00000080 43 53 46 70 65 75 47 4D 53 73 37 57 79 42 68 34 CSFpeuGMSs7WyBh4 00000090 65 49 59 72 4D 47 4F 6D 35 57 53 33 30 68 52 65 eIYrMGOm5WS30hRe 000000A0 4B 30 53 2B 4D 78 4A 72 61 36 4F 39 6E 6F 57 37 K0S+MxJra6O9noW7 000000B0 76 6D 7A 68 73 54 50 43 32 70 47 41 38 30 53 30 vmzhsTPC2pGA80S0 000000C0 79 70 38 3D yp8= 4. In the new file you've just created, go to "Edit" > "Convert..." > "Base64->Binary" You will get this: Code: Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 92 00 00 00 00 00 02 00 5F 41 53 55 53 5F 01 00 ’......._ASUS_.. 00000010 01 00 6F 92 9D DC B3 79 EE 27 26 08 F8 DC 5B D8 ..o’ܳyî'&.øÜ[Ø 00000020 5F 4B 21 34 AB 60 EC 90 C7 C2 D5 60 D5 F5 D9 82 _K!4«`ìÇÂÕ`ÕõÙ‚ 00000030 F9 2E BE E8 43 38 D5 C2 5B 9E 25 B8 93 CD 15 B8 ù.¾èC8ÕÂ[ž%¸“Í.¸ 00000040 1B C3 30 7D AD 55 69 79 BD 1A 7E 44 C8 BC 59 5A .Ã0}*Uiy½.~DȼYZ 00000050 17 BE 81 AD EF EE 96 21 37 CC 8A 42 62 C6 14 05 .¾*ïî–!7ÌŠBbÆ.. 00000060 09 21 69 7A E1 8C 4A CE D6 C8 18 78 78 86 2B 30 .!izáŒJÎÖÈ.xx†+0 00000070 63 A6 E5 64 B7 D2 14 5E 2B 44 BE 33 12 6B 6B A3 c¦åd·Ò.^+D¾3.kk£ 00000080 BD 9E 85 BB BE 6C E1 B1 33 C2 DA 91 80 F3 44 B4 ½ž…»¾lá±3ÂÚ‘€óD´ 00000090 CA 9F 00 ÊŸ. As you can see, the information in the OEM Certificate (encoded in Base64) matches the one in the Asus SLIC: Code: Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 53 4C 49 43 76 01 00 00 01 4B 5F 41 53 55 53 5F SLICv....K_ASUS_ 00000010 4E 6F 74 65 62 6F 6F 6B 24 06 00 11 4D 53 46 54 Notebook$...MSFT 00000020 97 00 00 00 00 00 00 00 9C 00 00 00 06 02 00 00 —.......œ....... 00000030 00 24 00 00 52 53 41 31 00 04 00 00 01 00 01 00 .$..RSA1........ 00000040 6F 92 9D DC B3 79 EE 27 26 08 F8 DC 5B D8 5F 4B o’ܳyî'&.øÜ[Ø_K 00000050 21 34 AB 60 EC 90 C7 C2 D5 60 D5 F5 D9 82 F9 2E !4«`ìÇÂÕ`ÕõÙ‚ù. 00000060 BE E8 43 38 D5 C2 5B 9E 25 B8 93 CD 15 B8 1B C3 ¾èC8ÕÂ[ž%¸“Í.¸.à 00000070 30 7D AD 55 69 79 BD 1A 7E 44 C8 BC 59 5A 17 BE 0}*Uiy½.~DȼYZ.¾ 00000080 81 AD EF EE 96 21 37 CC 8A 42 62 C6 14 05 09 21 *ïî–!7ÌŠBbÆ...! 00000090 69 7A E1 8C 4A CE D6 C8 18 78 78 86 2B 30 63 A6 izáŒJÎÖÈ.xx†+0c¦ 000000A0 E5 64 B7 D2 14 5E 2B 44 BE 33 12 6B 6B A3 BD 9E åd·Ò.^+D¾3.kk£½ž 000000B0 85 BB BE 6C E1 B1 33 C2 DA 91 80 F3 44 B4 CA 9F …»¾lá±3ÂÚ‘€óD´ÊŸ 000000C0 01 00 00 00 B6 00 00 00 00 00 02 00 5F 41 53 55 ....¶......._ASU 000000D0 53 5F 4E 6F 74 65 62 6F 6F 6B 57 49 4E 44 4F 57 S_NotebookWINDOW 000000E0 53 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S .............. 000000F0 00 00 00 00 00 00 24 B0 89 CF B1 F3 1D B8 7A 80 ......$°‰Ï±ó.¸z€ 00000100 35 CB CD 4A C8 2F 84 CE 99 A0 4F 38 76 B0 04 F9 5ËÍJÈ/„Ι*O8v°.ù 00000110 6F 05 33 C7 EC A8 58 A6 D7 B7 3F 5B 82 B1 EE 2B o.3Çì¨X¦×·?[‚±î+ 00000120 A7 81 52 F3 45 13 CE EE D5 57 37 FE 75 5F 5C 62 §RóE.ÎîÕW7þu_\b 00000130 C4 53 DA 86 F1 34 FA ED 91 86 73 9E D2 65 FD 8A ÄSÚ†ñ4ú푆sžÒeýŠ 00000140 3D 86 94 2F 2A 65 18 5C D9 E5 7C 15 1E F2 08 C5 =†”/*e.\Ùå|..ò.Å 00000150 85 C4 8F 0B FA A5 C3 A9 B0 F1 B2 E7 6A 46 FB 18 …Ä.ú¥Ã©°ñ²çjFû. 00000160 01 5D 4C 36 33 DE FB E7 1D E8 15 C2 85 9F 8A A9 .]L63Þûç.è.Â…ŸŠ© 00000170 32 68 1F B4 BC A8 2h.´¼¨ BLUE - OEMID RED - RSA modulus ORANGE - RSA public exponent Always: 01 00 01 00 (65537) GREEN - Windows Marker version Always: 00 00 02 00 (0x20000) PURPLE - Size of the OEM Certificate's licensing data. Always: 92 00 00 00 (146 bytes)
HEY!!... if you play with this more you can make for your name SLIC and cert i wonder if it can work (slic from האח הגדול)
Different LENOVO SLICs share the only same CERT Different TOSHBA SLICs must match different CERTs BOTH have got the same PUBKEY but didderent MARKERs! (Sorry, didn't mean to offend anybody, just to tell the truth)
I'm sorry, but I don't see what the problem is. The certificate authenticates both the Public Key AND OEMID. Lenovo SLICs have the same pubkey & OEMID ("LENOVO"). This means that the same certificate will successfully authenticate all Lenovo SLICs. Toshiba SLICs have the same pubkey, but have different OEMIDs ("TOSHIB", "TOSINV", "TOSCPL", etc.). This means that you'll need different certs to authenticate different OEMIDs.
Hi crypto i need a favour from you .. can you please let me know what is the best tool to edit tokens.dat .. and it would be great if you could give me any tutorial about Winhex
Thank for the pubkeycompare. But, It seems that it can't verify the validation of Cert. I create a fake cert, and pubkeycompare says it match the SLIC.