Slashdot Log In
Deciphering Windows Product Activation
Posted by
michael
on Mon Jul 09, 2001 09:57 PM
from the this-ain't-your-daddy's-rot13 dept.
from the this-ain't-your-daddy's-rot13 dept.
Stephen Lau writes: "Fully Licensed GmbH seems to have deciphered and analyzed the WPA code that Microsoft plans to use to protect from privacy in future products. They've got source and executables up on their site..." As well as an interesting paper which purports to describe the activation process but does not provide details on how these guys reverse-engineered it.
This discussion has been archived.
No new comments can be posted.
Deciphering Windows Product Activation
|
Log In/Create an Account
| Top
| 339 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
let them try (Score:5)
___
Caller ID? (Score:4)
Caller ID, plus a reverse phone number lookup and what more do you need to know?
Can a MAC adress be linked to your IP by going to a site or server (windows update active X controls?)?
Lookup a name and get a street adress, use public records to see who owns the home and it's value. you know they'll get the IP and know all about the computer, partner with doubleclick(or whoever) for tracking surfing habits..
it's not the information that's transmitted, it's what they can do to link it to you
who owns your data?
Re:No identifiable information (Score:4)
Windows XP connection logs (Score:4)
It does all this without prompting the user.
The box was isolated at 192.168.1.3 and had ALL outgoing traffic denied and logged, these are the highlights.
device eth0 entered promiscuous mode
device eth1 entered promiscuous mode
Packet log: input DENY eth1 PROTO=17 192.168.1.3:123 207.46.228.33:123 L=76 S=0x00 I=5 F=0x0000 T=128 (#5)
time.windows.com (207.46.228.33)
This one is rather obvious, it sets the operating system clock, but don't try using netdate on it, it's proprietary to Windows only (whoops!)
Packet log: input DENY eth1 PROTO=6 192.168.1.3:1027 207.46.197.100:80 L=48 S=0x00 I=88 F=0x4000 T=128 SYN (#5)
(microsoft.com, www.domestic.microsoft.com, and microsoft.net address pool)
Packet log: input DENY eth1 PROTO=6 192.168.1.3:1043 207.46.227.40:80 L=48 S=0x00 I=770 F=0x4000 T=128 SYN (#5)
(wpa.one.microsoft.com try https [207.46.227.40] to it and see the certificate yourself!)
This is the Product Activation certificate, it attempted to connect to this server an incredibly large number of times.
Packet log: input DENY eth1 PROTO=17 192.168.1.3:1039 192.168.0.1:2869 L=48 S=0x00 I=673 F=0x0000 T=128 (#5)
Not sure what it did here, 192.168.0.1 is the gateway I don't have the packet data at all, I'll do that in the near future. MAD props to brewt for some of the info!
Re:Feeling ambivalent about Grandma... (Score:3)
This is a first, a businessman taking credit for something a politician did...
Re:Isn't this asking for a lawsuit? (Score:3)
That doesn't look like it was done in the the name of "interoperability" at all ...
But of course it was:
"My copy of Windows XP didn't work any more after I changed my hardware, so I took it apart to find out why! Oh, and by the way, here's what I found out..."
The key they removed: 0xD45EC86A (Score:5)
void KeyedHash(unsigned char *Data, unsigned char *Result)
{
SHA_CTX Context;
unsigned char Digest[20];
static unsigned char Key[4] =
{
#error The key has been removed from the source code. Please obtain the executable.
};
SHA1_Init(&Context);
SHA1_Update(&Context, Data, 8);
SHA1_Update(&Context, Key, 4);
SHA1_Final(Digest, &Context);
memcpy(Result, Digest, 8);
}
Doing a quick disassembly of the code:
00401590 KeyedHash proc near ; CODE XREF: sub_4015F0+19p
00401590
00401590 var_74 = dword ptr -74h
00401590 var_70 = dword ptr -70h
00401590 var_60 = byte ptr -60h
00401590 arg_0 = dword ptr 4
00401590 arg_4 = dword ptr 8
00401590
004015AE push 4
004015B0 lea eax, [esp+88h+var_60]
004015B4 push offset dword_40A034 ; ********** MAGIC!
004015B9 push eax
004015BA call sub_402170
004015E8 retn
004015E8 KeyedHash endp
And the location they referenced:
0040A034 dword_40A034 dd 0D45EC86Ah
Thusly, the key should be 0xD45EC86A.
More than one can play this game.
Enjoy! (Sorry for the formatting,
Re:Isn't this asking for a lawsuit? (Score:3)
What if there is? Anything in an EULA which against the law is automatically void. Germany still appears to have laws protecting free speach in the area of software examination.
Feeling ambivalent about Grandma... (Score:5)
I was actually looking forward to the day when I could say, "Well, Grandma, I could change your busted hard drive for you, but that would mean that nice Gates man would want another $300. Maybe you should just buy another computer..."
"Buy another computer?! What's wrong with you, boy? I'll just shop around for a cheaper copy of Windows! Someone'll will have it on sale..."
I was so looking forward to listening to Grandma on MS tech support demanding another activation code, and chewing them out when they inevitably refuse to give it to her...
XP activation was going to be the wake-up call for Joe EndUser. Now that it's been publicly hacked, I'm really rather torn...
reminds me of DeCSS (Score:3)
On a similar note, check out a Salon article on MS's bullying tactics on poor schools: http://www.salon.com/tech/feature/2001/07/10/micro soft_school/print.html [salon.com]
Re:hash pipe... (Score:3)
The hash function can be extremely complex, but given a small range of inputs M (only 2 double words), a hash table of possible values can be pre-calculated. The actual number of possible values for M will be very small, on the order of a few thousand, up to possibly 25,000. The input M to the RC5 hash will be a known, limited number of drive IDs, video card IDs, CD-ROM IDs, etc. micr~1.oft is in the position to have a list of every drive manufacturer and video card identification string, and could use those lists to obtain the original string from the hash.
This is what password cracking programs do, instead of trying to reverse the hash, pre-compute dictionaries and compare the outputs.
the AC
The real win here is marketing. (Score:5)
"an important cryptographic key" (Score:4)
Kinda like: "Here are the plans to build a nuclear bomb, but we took out the part about where to get plutonium. But if you want one pre-made with plutonium ready to go, we can hook you up with that, too."
Isn't this whole thing just a matter of time and programmer determination anyway?
Re:Same old Cut 'n Paste argument. But anyway... (Score:5)
This is most of the reason why I see the Y Company lost $X to piracy as a BS argument. I've always noticed that lots of people won't pay for software at all; if they had to pay they would do without. IN that case, the Y Company is losing $X in potential sales because their price is too high/marketing not good enough/etc... How different is that from any other company in the tangible good and services industries that loses sales because consumers dont want to pay that much for the product? Why, then, should we treat software companies any differently from those that have poor sales policies?
Isn't this asking for a lawsuit? (Score:5)
I haven't seen any of the license agreements concerning Windows installs that have WPA, but I assume that there's something against reverse engineering. Not only have these people reverse engineered (part of) the WPA process, but they've published the source code. While they didn't put the cryptographic key in the source, they did put it in the executable, and even clearly proclaim this, almost a wink wink nudge nudge to the people out there who are sure to take the executable appart, get the key, put it back into the source code, and then re-publish the complete, non-crippled source.
Given all this, it seems like their really asking for MS to sue them. Is something like this covered under an "academic research" clause that allows reverse engineering for research purposes?
Suppose you were an idiot. And suppose that you were a member of Congress. But I repeat myself.
What a shock (Score:3)
--
Re:How long? (Score:4)
there are two things that could make things ugly for Fully Licensed GmbH. one is a license agreement, but so far, the validity of click-through, shrink-wrap or similiar licenses is highly doubted in germany. AFAIK, none has ever been enforced in a court.
second, there is a provision against reverse-engineering in the german copyright law. however, it also allows for a number of exceptions.
one way or the other, since they are a GmbH, the worst that can happen is that they'll be sued out of business, but with no loss to their private capital. so they'll immediatly start a new company under a similiar name and harvest all the free publicity advantages.
because lastly, sueing them would be the equivalent of saying "yes, we feel guilty. yes, we've done wrong. and no, we can't stand that you found us with the hand in the cookie jar." - a pretty dumb publicity stunt, even for M$ standards.
Make sure to mirror this.... (Score:4)
- A.P.
--
Re:VMware (Score:3)
Or they might not. VMWare is in bed pretty deep with MS--maybe they have to be, since it'd be pretty easy for MS to make the EULA invalid in a VM (legal or not, no corporation would run it in a VM if the EULA denied that right). Or MS could take technical countermeasures (see also DR-DOS and Windows 3.1) to keep XP from running in a VM, essentially putting VMWare out of business.
One thing I noted is that about a year ago, there was an announcement with much fanfare that VMWare would sell bundles of MS licenses with VMWare. At roughly the same time, OS/2 support, which had been worked on and tested for some time, was suddenly dropped. Can I prove cause and effect? No. Are there lots of other reasons support can have been removed? Sure. But the timing's awfully suspect.
Also, VMWare is hard coded to use a certain OUI (Organizational Unit Identifier) for VM network card NIC addresses--meaning they'll always start with a known prefix. VMWare provides no way to change this, meaning that MS or any other organization with access to the NIC address (or even a hash, probably) will know one is running a VM. (Imagine a typical Georgia network nazi reaction to seeing that with a sniffer.)
I'm not confident VMWare's going to be allowing anyone to change hardware serial numbers in VMs--I'll bet they randomize them just to avoid jepoardizing their "strategic relationship" with Microsoft.
Ridiculous (Score:3)
Really, checking the amount of RAM in a system? Of course, no one EVER adds RAM, right?
MS has perfected the art of "incremental monopoly." Each step is not too bad, and after 10 steps, you are used to the last 3 steps, so it still seems ok. Eventually, you have
Privacy or Piracy? (Score:3)
purpose of paper? (Score:5)
In this light, the paper itself is relatively benign; enough so that Microsoft shouldn't be overly worried about it.
The fact that it can be used to spoof WAP isn't even mentioned in the paper
I am guessing this is entirely intentional.
Re:lok-tite (Score:3)
I know how to pick locks, but I'm not a theif. I know how to hack, but I'm not a cracker. I can decrypt DVD's with DeCSS, but I don't pirate films. Same thing here. No security system should rely on common (the same for all users) secrets to maintain strength.
twb
Registration (Score:3)
Quite interesting... (Score:3)
How long? (Score:3)
Will they change the algorithm before the next build? Probably not, their lawyers need the money.
Copy protection (Score:3)
--
When I'm good I'm very good, when I'm bad I'm better, But when I'm evil you better run
Re:lok-tite (Score:5)
I beg to differ. There are countless articles written on how to pick locks. Here is one that is written on the level of the layman:
How Stuff Works: Lock Picking. [howstuffworks.com]
There are methods for doing many untasteful things(i.e. building bombs, cooking methamphetamine, etc) freely available, but this does not mean that everyone is blowing up buildings. I don't think it causes harm to simply have the information available. Security by obscurity is no securtity at all.
Enigma
For those of you who didn't read the doc: (Score:5)
Various strings are run through a hashing function and are stored in the key you read to the Microsoft rep over the phone (the Installation key). They are:
- Your network card's MAC address
- Amount of RAM installed
- Processor model
- Processor serial number
- Volume serial number
- Hardware ID strings from
- Your CD-ROM drive
- Your hard drive
- Your video card
- Your SCSI host adapter
- Your IDE controller
These values are thrown together (along with some other values) into a huge bit field. Also, a three-digit random number is thrown into the mix. Because the end result that you read to the phone rep is encrypted, this three digit number causes your code to be entirely different on each install.Here's the real fun part: The OS also stores a snapshot of your hardware configuration. If you change more than three of these hardware components out? It's time to call Microsoft and re-activate your license.
When you re-activate, naturally you'll have to generate a new Installation Key and they'll be able to see exactly what components you changed out. Fun, huh?
Same old Cut 'n Paste argument. But anyway... (Score:5)
But when did Microsoft ever sell, say Win95 for $35 ? So, how has piracy raised the price? It's always been sold for one price (~$80) and hasn't gone up or down depending on how many copies are purchased.
And then there's the user base argument. When people are pirating your software, they're strengthening your monopoly. Just as it's good for FreeSoftware everytime a Linux/*BSD CD is given to someone new, how does it hurt MS when a home user borrows their friend's Win95 CD? The more times Win95 is installed, the more people are using it and the more likely that person is to become a valuable Windows-using consumer. Buying Windows software, perhaps purchasing a new computer with Win98 preinstalled. Requiring a Windows PC at work. Purchasing upgrades.
Now, I must admit that most people who are going to borrow a Win95 CD will be unlikely to turn 100% legal overnight. But then, when has Microsoft ever been struggling. Well, only when EVERYONE ELSE has been struggling. Back when the economy was booming, Microsoft wasn't struggling to survive due to piracy. Only when everyone else has been struggling has MS even started to feel the pinch.
Like I said, it's the same old cookie-cutter answer to "MSFT looses $X Billion to piracy each year", but it's always a fun argument
kickin' science like no one else can,
my dick is twice as long as my attention span.
Re:lok-tite (Score:3)
Well, then, I guess my employer is going ot hell after all! He promises customers something he doesnt't have (a functioning network), then pays me peanuts to fix it/install it/etc. without telling me how much the customer is paying him (obviously, more than he pays me).
Re:My Experience with XP Activation (Score:3)
Also, may I point out:
--Apple Doesn't Require Serial Numbers For MacOS X!-- (It does for OSX Server, though)
I think that kinda beats out a small annoyance with the registration.
Just my $0.02CDN.
Argh, this really will suck... (Score:4)
Now, I swap out video cards, CD's, NIC's, and CPU's fairly often. I also use removable HDD chassis to ease swapping drives in my primary box.
This really will be a pain for those who have rigs used for a lot of testing.
The Mac registration isn't mandatory. (Score:4)
-jcr
Re:Actually, (Score:3)
Like "neunhundertneunundneunzigtausendneunhundertneunu
Or "Rindfleischetikettierungsüberwachungsaufgabenübe
I look at it sort of like a user interface issue: what's going to increase comprehension and decrease error rates -- using spaces between words, ornotusingspacesbetweenwords?
The former, obviously. So why on earth choose the latter?!
--
Re:My Experience with XP Activation (Score:5)
I think that when I registered the iMac a certain company bought to do web compatibility testing, it wound up being used primarily for scientific research. In an elementary school.
They ask you for _your_ email address. But all they require is _an_ email address. Besides, you have a throwaway webmail account for everything that asks for your address where there's a slight chance that they might actually need to use it to achieve something you want, right?
On the other hand, the WinXP product verification collects true information about your computer. Perhaps the one for OS X does also, but they haven't mentioned anything about not being able to install that copy of OS X on another Mac. There are indications that changing your hardware "too much" will invalidate your XP product verification. People have asked Microsoft, "How much is too much?", and they're not telling. That certainly seems worse to me.
I suppose this would bother me more if I were ever going to use one of these operating systems at home, but I'm not. This is one of the main reasons I use free software. If I see an operating system or program that looks useful, I download it and use it. If I like it, I continue to use it. If not, I discard it with no sense of loss. The most invasive thing I've ever encountered was when someone wanted me to send them a postcard for using their software.
Sotto la panca, la capra crepa
Re:Question about the keys (Score:3)
A CD key is ideally a random piece of data (numbers, digits, etc) that includes some hard-to-compute checksum information. For a good key, it would be extremely difficult to determine the algorithm used to find this cheksum. Note that these keys have become progressively more complex over the years, getting longer and using more digits/letters. Note that all the keys will work on any copy of that specific release of the software, so they only add a minor annoyance to pirates.
Starting with Office 2k, MS required actual activation of the product in much the same way as Win XP. Office generates a hardware ID for your system and submits it to Microsoft. MS then gives you another product key specifically for that hardware ID. They allows you to register online once, and you're required to call an 800 number each time after that to get your key.
Office required a new key on a hard drive upgrade and on a motherboard upgrade. The fourth time I installed it (on my laptop), I also had to submit my serial number (generated from the CD Key I assume) to receive my activation key.
Though this might be new for MS, other companies have been doing it for years. Much of the engineering software we use here for classes (Mentor Graphics, Orcad, etc) has much more intrusive licensing, since a license for the software can cost several times the price of a low-end workstation. This software can often get away with tough licensing restrictions because of the small market served. Because windows is so widespread, however, Microsoft will have a hard time keeping their progressively more complex protection schemes from being thwarted.
Re:All the hardware you're not allowed to change: (Score:4)
---
TheGreenReaper (Laurence Parry)
No identifiable information (Score:3)
I don't know about the online activation (haven't run a sniffer on it, yet), but I tried the telephone activation today, and there was no personal information exchanged. I called the toll-free number, waited on hold for about 10 minutes (and we're still in the beta stage--just wait until this thing hits mainstream), then finally talked to a patronizing tech support drone. He asked me for the product activation key, a numeric string that makes MS CD keys look sane--32 digits, IIRC. He then read back a 36-digit numeric string to be entered in the activation window. That was it--no e-mail address, no name, phone number/address, etc. I suppose it could have been a hash code containing my name, but that's all it could have contained, as I had not entered any other information to that point. Probably just a hardware ID.
Incidentally, I recommend everybody register every copy of Windows by phone. First of all, you know what you're telling them, at least directly, but more importantly, it costs them more money. Think about it: ten minutes on hold on a toll-free line (their expense), five minutes of techie-time. Even at a modest $10/hr for the techie, that's almost a dollar spent on him, plus the phone charge. Now, imagine ten million copies of Windows being registered by phone. The infrastructure cost alone would be enormous--you know they haven't planned for that many people to call. Just one more example of my favorite form of vengeance: use their own weapons against them.
Re:For those of you who didn't read the doc: (Score:3)
Then you can change whatever you like, whenever you like.
Re:My Experience with XP Activation (Score:4)
All the postcard-ware licenses I've seen simply ask you to send a postcard if you like the software. No registration, no details, just a postcard from where you live. I think it's cool.
"We all say so, so it must be true!"