Thank you guys.
@soxrok2212
Ok, added on Skype. I'll be busy for the next 4 - 5 days, so I'll "pause myself". Looking forward to working with the 'crew', though.
@kcdtv
Yeah, I know what you mean referring to the checksum digit: computing it every time or having an array of already pre-computed digits. Could be an option.
In any case bruteforcing 11'000 digits or 20'000 doesn't make any difference on modern processors (after the PRNG seed is bruteforced). Also, if the PIN is chosen by the user, then it's most likely that the checksum won't match (odds are 1/10).
I'm not sure about your question on the AuthKey. It is the key used in the HMAC_SHA-256 hash function and it's 32 bytes (256 bits) long (it's not truncated).
To make an example: E-Hash1 = HMAC_SHA-256{AuthKey [32 bytes]}(ES-1 [16 bytes] || PSK1 [16 bytes] || PKE [192 bytes] || PKR [192 bytes]).
PSK1 is the first half of the PIN converted into an array of characters without termination ('\0'), hashed (HMAC_SHA-256) with AuthKey as a key considering the first 16 bytes (half of the hash digest). Just noticed I made the array twice as big...
PKE, PKR, E-Hash1 and E-Hash2 can all be gathered from a Wireshark capture. To get AuthKey I have modified the source code of bully. The data is fed to the program as arrays of characters and then parsed and converted into byte arrays.
I'll re-organize the code soon and add some comments. I forgot to release some memory before the program's exit...
I will do more testing later on and send you some data. Just wait a few days...
If you have any other questions, send me a PM with your Skype ID or email, or just reply here if not too long... I'll contact/reply to you.
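The field layout described in the post above, as an added Python example (not the poster's code and not taken from bully): it builds PSK1 and E-Hash1 with the stated sizes and computes the PIN checksum digit. The function names and all sample values are constructed for illustration, and the checksum weights follow the standard WPS PIN checksum.

```python
import hashlib
import hmac

def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven PIN digits (weights 3,1,3,1,3,1,3)."""
    accum, weight = 0, 3
    for ch in f"{first7:07d}":
        accum += weight * int(ch)
        weight = 4 - weight          # alternate 3, 1, 3, ...
    return (10 - accum % 10) % 10

def pin_is_valid(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])

def psk(authkey: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2: HMAC over the ASCII digits (no trailing NUL), first 16 bytes kept."""
    return hmac.new(authkey, pin_half.encode("ascii"), hashlib.sha256).digest()[:16]

def e_hash(authkey: bytes, es: bytes, psk_half: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC-SHA-256_AuthKey(ES || PSK || PKE || PKR)."""
    for name, value, size in (("AuthKey", authkey, 32), ("ES", es, 16),
                              ("PSK", psk_half, 16), ("PKE", pke, 192), ("PKR", pkr, 192)):
        if len(value) != size:
            raise ValueError(f"{name} must be {size} bytes, got {len(value)}")
    return hmac.new(authkey, es + psk_half + pke + pkr, hashlib.sha256).digest()

def commitment_matches(received: bytes, authkey, es, pin_half, pke, pkr) -> bool:
    """Recompute the hash from the disclosed nonce and compare in constant time."""
    return hmac.compare_digest(received, e_hash(authkey, es, psk(authkey, pin_half), pke, pkr))

# Constructed sample values (not from any capture).
AUTHKEY = bytes(range(32))
ES1 = bytes([0xA5]) * 16
PKE = bytes([0x11]) * 192
PKR = bytes([0x22]) * 192
PIN = "12345670"

if __name__ == "__main__":
    print("checksum ok:", pin_is_valid(PIN))
    h1 = e_hash(AUTHKEY, ES1, psk(AUTHKEY, PIN[:4]), PKE, PKR)
    print("E-Hash1:", h1.hex())
    print("verifies:", commitment_matches(h1, AUTHKEY, ES1, PIN[:4], PKE, PKR))
```

Hashing the PIN half with a trailing NUL gives a different PSK1, which is why the post stresses that the character array is not terminated.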