[Request] Need TCG Loot Codes and information.

  1. #1
    pros599's Avatar Member

    [Request] Need TCG Loot Codes and information.

    I'm going to be attempting to reverse engineer the TCG codes. If you have any TCG cards lying around, can you fill out the survey? (Ideally, I'd like to receive both redeemed and unredeemed codes; however, if you donate the latter - it may potentially be redeemed).

    TCG Codes Survey

    I will post with updates as soon as I start the analysis. I plan to use some ML on the data once I get

    Thanks!

  2. #2
    TommyT's Avatar Contributor
    Seems legit....

  3. Thanks hackerlol (1 members gave Thanks to TommyT for this useful post)
  4. #3
    Ashoran's Avatar Banned
    Seems totally legit.

  5. #4
    jimmyamd's Avatar Elite User
    Who will give you unredeemed codes for free? Lol

    Most likely he will claim your redeemed codes as hacked, meaning you'll lose the mount as he will get it since he has the physical code, so don't fall for it.

  6. #5
    Veritable's Avatar OwnedCore News Correspondent
    You might have as much luck finding codes, as you would with a pattern generator like this:

    Generate Random Codes - Try for free - Random Code Generator

    Make them Digits, 23 characters, and export to a text file. Then insert a 00 before each code, and good luck getting banned after failing 15 codes in a row.

  7. #6
    Sklug's Avatar ★ Elder ★
    ROFL right...

    I mean, at least he didn't outright lie and say, "I know how to reverse engineer the code." He is going to get your unused code, try for about 30 seconds, determine it's not possible, then say, "I tried but it didn't work out."

    LOL these posts are always hilarious.

  8. Thanks hackerlol (1 members gave Thanks to Sklug for this useful post)
  9. #7
    pros599's Avatar Member
    To be super clear (and to stop the flaming), I'd prefer the USED codes so that you guys don't have ammo if I fail. I'm not saying this will work, nor am I saying that I'll have success. I am saying that if you send an unused code, I can't guarantee it won't be used as I'm going to do validation on a random sample of the codes to ensure I have real codes. (In other words, I'm not sure if selecting the realm on the redemption page locks the code or not...)

    Also, I am saying if someone wants to donate unused codes, I'm happy to discuss the why's behind it.

    I appreciate the "seems legit" responses, but I'm quite serious about attempting to find a pattern. The worst case scenario is that I'd have a bunch of used codes that end up leading me down a road of wasted time...

    I doubt that will be the case. There is a pattern to the codes - there's no way their database is being queried to see if a code exists out of millions every single check. There has to be some sort of common practice with the codes, which is why I ask for the used codes.
    Last edited by pros599; 10-26-2016 at 08:33 PM.

  10. #8
    pros599's Avatar Member
    Side note - I believe there was someone else who made headway on this, but I'd love to see if I can tie his/her project off if they're no longer working on it. I'm certain there's a dump of used codes somewhere, but was hoping someone knew where.

  11. #9
    Sklug's Avatar ★ Elder ★
    Originally Posted by pros599 View Post
    To be super clear (and to stop the flaming), I'd prefer the USED codes so that you guys don't have ammo if I fail. I'm not saying this will work, nor am I saying that I'll have success. I am saying that if you send an unused code, I can't guarantee it won't be used as I'm going to do validation on a random sample of the codes to ensure I have real codes. (In other words, I'm not sure if selecting the realm on the redemption page locks the code or not...)

    Also, I am saying if someone wants to donate unused codes, I'm happy to discuss the why's behind it.

    I appreciate the "seems legit" responses, but I'm quite serious about attempting to find a pattern. The worst case scenario is that I'd have a bunch of used codes that end up leading me down a road of wasted time...

    I doubt that will be the case. There is a pattern to the codes - there's no way their database is being queried to see if a code exists out of millions every single check. There has to be some sort of common practice with the codes, which is why I ask for the used codes.

    Since I have a little experience in cryptography, let me help you understand why generating a TCG loot keygen is not going to happen. First off, one needs to understand how a product key or serial is created in the first place. For it to work there is a pattern within the code that needs to be recognized. These patterns can be simple or rather complex. Let me give you a very simple answer that no one really uses, but is easy to see what I am saying. A pattern could be that every odd character must be a letter, while every even character must be a number (so E1J5c3b0). See what I mean? That is a very easily recognizable pattern.

    Usually these codes are quite long because it allows you to create an incredibly complex cipher. Now, most reverse-engineers/hackers that create these keygens are not necessarily some Math wiz or intuitive genius that is able to see these patterns. You see, the actual code to decipher a product key is embedded into the source code of the program (another problem you will have here as the source code for TCG loot is server side, so you cannot reverse engineer it with the method I am about to describe). You see, there are fairly powerful disassemblers out there that can give you a reasonable idea of what the source code looks like. An extremely experienced coder, or let's say, hacker in this sense, can understand the patterns within the assembler and then translate the code back to C (or C++). For code junkies, it is easy to tell from assembly if it is C++ because the "this" pointer gets passed in the ECX register.

    So, if you know what you are doing you basically can decipher the key validation routine and then reverse it with a key generator.

    Here is the problem now you will face as I am 100% certain Blizz does this. If the developer (Blizz in this case), uses asymmetrical encryption to generate the keys (RSA/Elliptical), the only way to break into a program is to actually hack the runtime so you can run the program without needing a product key. Obviously, in this circumstance, that approach is not valid. THE ONLY OTHER WAY TO CREATE A KEYGEN IN THIS CIRCUMSTANCE IS TO HAVE ACCESS TO THE PRIVATE KEY. Seriously, you are not going to reverse engineer this key.

    In case you are trying to understand why one needs to understand what asymmetrical encryption means. It essentially means that one key encrypts and a completely different key decrypts. In other words, the key that generates the serial for the TCG loot cards is not actually part of the Warcraft program, but the program can still validate the key (of which even an extra layer of security is that all validation even occurs server side anyway, so the wow program installed on your computer does not actually have any way to be reverse engineered to develop a keygen for TCG loot cards).

    You can watch this video for a really simple understanding of how asymmetric encryption works on public keys.

    But get this, if Blizz really wanted to they could add even more layers of complexity on top of this! There's a certain level of diminishing returns on security at some point of course.

    TL;DR - you are only ever going to build a keygen for something like this if a program can verify a key offline, but if it needs to contact another server (it does in this case), you are not going to decipher an asymmetrically encrypted key.

  12. Thanks hackerlol (1 members gave Thanks to Sklug for this useful post)
  13. #10
    pros599's Avatar Member
    Here is the problem now you will face as I am 100% certain Blizz does this. If the developer (Blizz in this case), uses asymmetrical encryption to generate the keys (RSA/Elliptical), the only way to break into a program is to actually hack the runtime so you can run the program without needing a product key. Obviously, in this circumstance, that approach is not valid. THE ONLY OTHER WAY TO CREATE A KEYGEN IN THIS CIRCUMSTANCE IS TO HAVE ACCESS TO THE PRIVATE KEY. Seriously, you are not going to reverse engineer this key.

    I'm on board with everything you've said and fully understand it as I am a developer with a minor in math. My intention of wanting to mine the data was to see if the codes are actually asymmetrically encrypted. My theory is that they weren't since each key is locked to the Expansion, Item Type, and Server once it's created. While the client may not have a way of validating the code (and I wouldn't expect them to), I'd imagine I'd see SOME sort of pattern with codes for specific types of items, realms, and more.

    I'm not attempting to make a key gen (yet); however, I am trying to see if there's any pattern between the redemption codes, the items, the codes printed on the cards, and the servers. If there is a pattern, that'd be the first step to understand how keys are generated based off of inputs.

    If you're absolutely certain that each and every code is randomly generated and printed without any sort of pattern, then you're right - my efforts would be moot without the private key. I may get a few here and there, but that would require much more effort than it's worth. If they aren't randomly generated (deck serial numbers, card numbers, print date, item info, etc printed into the card or redemption key), this should be a relatively interesting problem to research in my free time.

    I mean, I'm not an expert in cryptology by any means, and I'm not claiming to be one. I did notice a few things that were a bit off about the redemption... The cards are printed as a long INT - one long string of numbers (25 to be exact). On the redemption form, there are five different inputs that are sent to the server with varying lengths - (redemptionCode1,2,3,4,5) (4,6,5,6,4). Now, they could have done this to make it easier for the users to type in, but the post data to the server seems to indicate differently... (they don't concat using JavaScript before sending it, I doubt they do on the backend too).

    Code:
    regionId:1
    realmName:Aegwynn
    redemptionCode1:XXXX
    redemptionCode2:XXXXXX
    redemptionCode3:XXXXX
    redemptionCode4:XXXXXX
    redemptionCode5:XXXX

    My suspicion is that they needed these numbers split for some sort of analysis on the development side of things, but I could be wayyy off.



    TL;DR (for non-developers)... I really like sudoku.

  14. #11
    Sychotix's Avatar Moderator Authenticator enabled
    Originally Posted by Sklug View Post
    Since I have a little experience in cryptography, let me help you understand why generating a TCG loot keygen is not going to happen. First off, one needs to understand how a product key or serial is created in the first place. For it to work there is a pattern within the code that needs to be recognized. These patterns can be simple or rather complex. Let me give you a very simple answer that no one really uses, but is easy to see what I am saying. A pattern could be that every odd character must be a letter, while every even character must be a number (so E1J5c3b0). See what I mean? That is a very easily recognizable pattern.

    Usually these codes are quite long because it allows you to create an incredibly complex cipher. Now, most reverse-engineers/hackers that create these keygens are not necessarily some Math wiz or intuitive genius that is able to see these patterns. You see, the actual code to decipher a product key is embedded into the source code of the program (another problem you will have here as the source code for TCG loot is server side, so you cannot reverse engineer it with the method I am about to describe). You see, there are fairly powerful disassemblers out there that can give you a reasonable idea of what the source code looks like. An extremely experienced coder, or let's say, hacker in this sense, can understand the patterns within the assembler and then translate the code back to C (or C++). For code junkies, it is easy to tell from assembly if it is C++ because the "this" pointer gets passed in the ECX register.

    So, if you know what you are doing you basically can decipher the key validation routine and then reverse it with a key generator.

    Here is the problem now you will face as I am 100% certain Blizz does this. If the developer (Blizz in this case), uses asymmetrical encryption to generate the keys (RSA/Elliptical), the only way to break into a program is to actually hack the runtime so you can run the program without needing a product key. Obviously, in this circumstance, that approach is not valid. THE ONLY OTHER WAY TO CREATE A KEYGEN IN THIS CIRCUMSTANCE IS TO HAVE ACCESS TO THE PRIVATE KEY. Seriously, you are not going to reverse engineer this key.

    In case you are trying to understand why one needs to understand what asymmetrical encryption means. It essentially means that one key encrypts and a completely different key decrypts. In other words, the key that generates the serial for the TCG loot cards is not actually part of the Warcraft program, but the program can still validate the key (of which even an extra layer of security is that all validation even occurs server side anyway, so the wow program installed on your computer does not actually have any way to be reverse engineered to develop a keygen for TCG loot cards).

    You can watch this video for a really simple understanding of how asymmetric encryption works on public keys.

    But get this, if Blizz really wanted to they could add even more layers of complexity on top of this! There's a certain level of diminishing returns on security at some point of course.

    TL;DR - you are only ever going to build a keygen for something like this if a program can verify a key offline, but if it needs to contact another server (it does in this case), you are not going to decipher an asymmetrically encrypted key.

    Actually, it is still possible to write a generator with reasonable success if you are EXTREMELY smart. I know of someone who was able to get (iirc) an 80%ish success rate for generating a valid gametime code based on reversing used codes.

    The biggest issue that you are missing is that Blizzard has gotten into the habit of activating these codes on purchase (similar to gift cards). Even if a valid key is generated.... it will be useless unless you activated it after someone purchased it, but before they claimed it. Good luck with that.

    Since these are TCG codes, they may be slightly different... but your pool of unused codes is also significantly smaller.

    To Pros599... you are better off spending your time doing something else. Unless you are basically a mathematical and cryptographic genius who is also lucky that they have an awful algorithm... you WILL fail this task.

  15. Thanks Sklug (1 members gave Thanks to Sychotix for this useful post)
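
The server-side controls raised in posts #5, #9 and #11 (validation only on the server, activation at purchase, lockout after repeated failures), sketched as an added example; it is not from any poster and not Blizzard's implementation. It uses random codes with a server-side lookup rather than the asymmetric scheme post #9 assumes. The class, field and state names, the keyed-digest store and the use of post #5's figure of 15 as the lockout threshold are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 25                  # code length reported in post #10
FIELD_WIDTHS = (4, 6, 5, 6, 4)    # the five form inputs from post #10
MAX_FAILURES = 15                 # assumed lockout policy, figure from post #5


class RedemptionService:
    """Hypothetical server-side store; not any vendor's real implementation."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-only secret
        self._codes = {}                     # keyed digest -> record
        self._failures = {}                  # account -> consecutive failures

    def _digest(self, code):
        # Only a keyed digest is stored, so a leaked table holds no usable codes.
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def issue(self, item):
        # Every digit comes from the CSPRNG. Item, realm and print run live in
        # the record, not in the code, so used codes say nothing about others.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._codes[self._digest(code)] = {"item": item, "state": "printed"}
        return code

    def activate(self, code):
        # Point-of-sale step: a printed but unsold code cannot be redeemed.
        rec = self._codes.get(self._digest(code))
        if rec is None or rec["state"] != "printed":
            return False
        rec["state"] = "active"
        return True

    def redeem(self, account, fields):
        if self._failures.get(account, 0) >= MAX_FAILURES:
            return "locked"
        code = "".join(fields)
        rec = None
        if len(code) == CODE_DIGITS and code.isdigit():
            # One indexed lookup; cost is effectively independent of table size.
            rec = self._codes.get(self._digest(code))
        if rec is None or rec["state"] != "active":
            # Unknown, unsold and already-used codes get the same answer.
            self._failures[account] = self._failures.get(account, 0) + 1
            return "invalid"
        rec["state"] = "redeemed"
        self._failures[account] = 0
        return rec["item"]


def split_fields(code):
    """Split a code into the five form inputs."""
    fields, pos = [], 0
    for width in FIELD_WIDTHS:
        fields.append(code[pos:pos + width])
        pos += width
    return fields
```
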
  16. #12
    pros599's Avatar Member
    Originally Posted by Sychotix View Post
    To Pros599... you are better off spending your time doing something else. Unless you are basically a mathematical and cryptographic genius who is also lucky that they have an awful algorithm... you WILL fail this task.

    I'm not, but it doesn't mean that I'm still not up for the challenge / side-project.

  17. #13
    Sklug's Avatar ★ Elder ★
    Well, all I can say is GL. Sounds like it could be a fun side project. I am really skeptical they did not use asymmetrical encryption in making the keys, but if they did not, I suppose it's possible it could be vulnerable. I am just really skeptical. Either way, as long as you are having fun with it, I'd say go for it. Sorry I do not have any extra cards or old loot cards lying around.
    Last edited by Sklug; 10-26-2016 at 11:22 PM.

  18. Thanks pros599 (1 members gave Thanks to Sklug for this useful post)
  19. #14
    i0n4til's Avatar Banned
    100% fraud, do not add the code there.
    Blizzard can cancel the in-game item (TCG) if you answer some security questions. After that the "new code" can be redeemed again on a different realm, player etc.

  20. #15
    pros599's Avatar Member
    Originally Posted by i0n4til View Post
    100% fraud, do not add the code there.
    Blizzard can cancel the in-game item (TCG) if you answer some security questions. After that the "new code" can be redeemed again on a different realm, player etc.

    Lol........ Clearly someone didn't read.
