Slashdot Mirror
Deciphering Windows Product Activation
Stephen Lau writes: "Fully Licensed GmbH seems to have deciphered and analyzed the WPA code that Microsoft plans to use to protect from privacy in future products. They've got source and executables up on their site..." As well as an interesting paper which purports to describe the activation process but does not provide details on how these guys reverse-engineered it.
You are assuming that MS would actually be able to successfully prosecute these guys for reverse engineering. Here's a newsflash: reverse engineering is legal. Europe has neither DMCA nor UCITA. The world is bigger than US.
___
___
If you think big enough, you'll never have to do it.
The key they removed (from the source) is:
...stuff deleted...
...more stuff deleted...
/. doesn't allow <pre>'s)
void KeyedHash(unsigned char *Data, unsigned char *Result)
{
SHA_CTX Context;
unsigned char Digest[20];
static unsigned char Key[4] =
{
#error The key has been removed from the source code. Please obtain the executable.
};
SHA1_Init(&Context);
SHA1_Update(&Context, Data, 8);
SHA1_Update(&Context, Key, 4);
SHA1_Final(Digest, &Context);
memcpy(Result, Digest, 8);
}
Doing a quick disassembly of the code:
00401590 KeyedHash proc near ; CODE XREF: sub_4015F0+19p
00401590
00401590 var_74 = dword ptr -74h
00401590 var_70 = dword ptr -70h
00401590 var_60 = byte ptr -60h
00401590 arg_0 = dword ptr 4
00401590 arg_4 = dword ptr 8
00401590
004015AE push 4
004015B0 lea eax, [esp+88h+var_60]
004015B4 push offset dword_40A034 ; ********** MAGIC!
004015B9 push eax
004015BA call sub_402170
004015E8 retn
004015E8 KeyedHash endp
And the location they referenced:
0040A034 dword_40A034 dd 0D45EC86Ah
Thusly, the key should be 0xD45EC86A.
More than one can play this game.
Enjoy! (Sorry for the formatting,
I was actually looking forward to the day when I could say, "Well, Grandma, I could change your busted hard drive for you, but that would mean that nice Gates man would want another $300. Maybe you should just buy another computer..."
"Buy another computer?! What's wrong with you, boy? I'll just shop around for a cheaper copy of Windows! Someone'll will have it on sale..."
I was so looking forward to listening to Grandma on MS tech support demanding another activation code, and chewing them out when they inevitably refuse to give it to her...
XP activation was going to be the wake-up call for Joe EndUser. Now that it's been publicly hacked, I'm really rather torn...
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
My god, think of how much those metrics alone are worth... A snapshot on DVD adoption, SCSI cards, % of laptops out there? Almost seems like the anti-copy stuff is just a smokescreen.
+++ UGUCAUCGUAUUUCU
An often ignored concept (that George Broussard from 3D Realms seems to have understood) is that most pirated copies would NOT have been purchased anyways. There are lots of users that will not use the software unless they can get it for free. So in effect, they can either not pay for the software and use it, or not use it at all. Note that such users dont give ANYTHING to the company anyway; it is just a question of whether or not they will use the sotrware. In this case, the software company enjoys a larger installed base.
This is most of the reason why I see the Y Company lost $X to piracy as a BS argument. I've always noticed that lots of people won't pay for software at all; if they had to pay they would do without. IN that case, the Y Company is losing $X in potential sales because their price is too high/marketing not good enough/etc... How different is that from any other company in the tangible good and services industries that loses sales because consumers dont want to pay that much for the product? Why, then, should we treat software companies any differently from those that have poor sales policies?
I haven't seen any of the license agreements concerning Windows installs that have WPA, but I assume that there's something against reverse engineering. Not only have these people reverse engineered (part of) the WPA process, but they've published the source code. While they didn't put the cryptographic key in the source, they did put it in the executable, and even clearly proclaim this, almost a wink wink nudge nudge to the people out there who are sure to take the executable appart, get the key, put it back into the source code, and then re-publish the complete, non-crippled source.
Given all this, it seems like their really asking for MS to sue them. Is something like this covered under an "academic research" clause that allows reverse engineering for research purposes?
Suppose you were an idiot. And suppose that you were a member of Congress. But I repeat myself.
Give a man a fire, and he'll be warm for a day, but set him on fire, and he'll be warm for the rest of his life.
Onstensibly, the paper's purpose is to analyze the privacy impact of the registraction procedure; i.e. how much information about YOU Microsoft can glean from the hashed system info.
;)
In this light, the paper itself is relatively benign; enough so that Microsoft shouldn't be overly worried about it.
The fact that it can be used to spoof WAP isn't even mentioned in the paper
I am guessing this is entirely intentional.
I beg to differ. There are countless articles written on how to pick locks. Here is one that is written on the level of the layman:
How Stuff Works: Lock Picking.
There are methods for doing many untasteful things(i.e. building bombs, cooking methamphetamine, etc) freely available, but this does not mean that everyone is blowing up buildings. I don't think it causes harm to simply have the information available. Security by obscurity is no securtity at all.
Enigma
Enigma
Various strings are run through a hashing function and are stored in the key you read to the Microsoft rep over the phone (the Installation key). They are:
- Your network card's MAC address
- Amount of RAM installed
- Processor model
- Processor serial number
- Volume serial number
- Hardware ID strings from
- Your CD-ROM drive
- Your hard drive
- Your video card
- Your SCSI host adapter
- Your IDE controller
These values are thrown together (along with some other values) into a huge bit field. Also, a three-digit random number is thrown into the mix. Because the end result that you read to the phone rep is encrypted, this three digit number causes your code to be entirely different on each install.Here's the real fun part: The OS also stores a snapshot of your hardware configuration. If you change more than three of these hardware components out? It's time to call Microsoft and re-activate your license.
When you re-activate, naturally you'll have to generate a new Installation Key and they'll be able to see exactly what components you changed out. Fun, huh?
Many commercial software developers like to list piracy as a reason for high costs. Microsoft included.
:-) .
But when did Microsoft ever sell, say Win95 for $35 ? So, how has piracy raised the price? It's always been sold for one price (~$80) and hasn't gone up or down depending on how many copies are purchased.
And then there's the user base argument. When people are pirating your software, they're strengthening your monopoly. Just as it's good for FreeSoftware everytime a Linux/*BSD CD is given to someone new, how does it hurt MS when a home user borrows their friend's Win95 CD? The more times Win95 is installed, the more people are using it and the more likely that person is to become a valuable Windows-using consumer. Buying Windows software, perhaps purchasing a new computer with Win98 preinstalled. Requiring a Windows PC at work. Purchasing upgrades.
Now, I must admit that most people who are going to borrow a Win95 CD will be unlikely to turn 100% legal overnight. But then, when has Microsoft ever been struggling. Well, only when EVERYONE ELSE has been struggling. Back when the economy was booming, Microsoft wasn't struggling to survive due to piracy. Only when everyone else has been struggling has MS even started to feel the pinch.
Like I said, it's the same old cookie-cutter answer to "MSFT looses $X Billion to piracy each year", but it's always a fun argument
kickin' science like no one else can,
my dick is twice as long as my attention span.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
Bothered by filling out that Apple registration form? Lie.
I think that when I registered the iMac a certain company bought to do web compatibility testing, it wound up being used primarily for scientific research. In an elementary school.
They ask you for _your_ email address. But all they require is _an_ email address. Besides, you have a throwaway webmail account for everything that asks for your address where there's a slight chance that they might actually need to use it to achieve something you want, right?
On the other hand, the WinXP product verification collects true information about your computer. Perhaps the one for OS X does also, but they haven't mentioned anything about not being able to install that copy of OS X on another Mac. There are indications that changing your hardware "too much" will invalidate your XP product verification. People have asked Microsoft, "How much is too much?", and they're not telling. That certainly seems worse to me.
I suppose this would bother me more if I were ever going to use one of these operating systems at home, but I'm not. This is one of the main reasons I use free software. If I see an operating system or program that looks useful, I download it and use it. If I like it, I continue to use it. If not, I discard it with no sense of loss. The most invasive thing I've ever encountered was when someone wanted me to send them a postcard for using their software.
Sotto la panca, la capra crepa
WMBC freeform/independent online radio.