Microsoft Genuine Advantage Cracked in 24 Hours
jrobie writes "It looks like mandatory validation of your Windows XP license is now voluntary again. A simple hack has been found that disables the check.
BoingBoing has the story. "
A simple hack has been found that disables the check.
It's simple, all right...as simple as the kids over at Microsoft who decided to implement an anti-piracy measure utilizing javascript without any input validation. Sheesh.
____
~ |rip/\/\aster /\/\onkey
Quality programming I tell you. Quality!
Sadly, Microsoft will issue a new version of Genuine Advantage that disables the hack and make you use the new version before you can use Microsoft update, so I believe this is only a temporary reprieve. I guess it will be a back and forth between MS and hackers until MS has secured Genuine Advantage.
I've got a licensed, genuine version of Windows, but F them for making me jump through hoops to receive continued support. I paid for this and I shouldn't have to keep wasting my time to soothe their paranoid brows.
Just another reason to keep trying new Linux distros and updates on my testbed system until I find one I like enough to switch (tried so far: Ubuntu, SuSE, CentOS 3.3, Linspire, Knoppix, Mandrake 10). Already using OpenOffice, Firefox, and Thunderbird and have a WAMP (Windows, Apache, MySQL, PHP) set-up for development work. Going to Linux is a small step, but there are a few apps (like video editing, graphics editing) where I just don't have the patience to spend a whole bunch of time learning Linux apps that are 'almost' there in terms of their UI. Maybe I'll hit the Crossover Office site to see if they've gone to gold level support on some of my must-have Windows apps yet.
- Greg
Start a happiness pandemic
Let's post it on Slashdot for all to see so Microsoft will find out about it and make it harder to get around!
Are they serious about security, privacy and piracy yet?
Quality Hosting e3 Servers
That one will be fixed pronto in a "critical" security fix.
That really is amazing. Proof of why I don't use the MS Validation Control when we develop in VS.NET - Just turn it off!
Download the hack here,
http://www.linux.org/
I mean, seriously, I expected a crack out much sooner. What's it been, six hours?
...after users attempted to update, MS found out that there is actually only 1 registered copy of Windows XP.
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
MS continues to do its absolute best (or does it?) to prevent their products from being hacked to bits (no pun intended), and they have no choice. As part of their business, it's mandatory that they attempt to curtail software piracy. But they know, and we know, that it can't be done. It's like the terrorists (now, seriously guys, I'm NOT making a link between hackers and terrorists, I'm above that). But look at it this way. The US government has to protect against all possible terror threats, whereas the terrorists only have to find one single way to break through. That is, Microsoft will have to figure out every possible way that their products can be cracked and provide protection, but the hackers must only find one single weakness. So to speak.
In a cost comparison, they probably figured a cheap, easy means to get people who otherwise did not know they had a pirated version to purchase outweighed trying to lock out people who knowingly run a pirated copy (i.e., people who will use this hack).
well,
hahahahaha
after reading this http://www.google.com/search?hl=en&lr=&q=new+windows+Vista&btnG=Search
Introducing Windows Vista(TM). It enables a new level of confidence in your PC and in your ability to get the most out of it
LOL
ROFL
hahahahaha
etc etc
A product with the market penetration as big as Windows is always going to be cracked, as soon as possible after it comes out. No matter what they do to try and prevent it, which is why some companies don't spend that much on anti-piracy for the product on release now, something microsoft can't do... so they have to try their best.
Business Voyeur
as simple as the kids over at Microsoft who decided to implement an anti-piracy measure utilizing javascript without any input validation.
;-)
You mean I don't even have to hold down the Shift key?
Javascript + Nintendo DSi = DSiCade
I guess they've answered "Can Open Source and Commercial Software Coexist?" with a YES, and added a HOW!
most likely...considering that's Nelson's trademark.
Thursday, July 28, 2005
Microsoft "Genuine Advantage" cracked in 24h:
"This week, Microsoft started requiring users to verify their serial number before using Windows Update. This effort to force users to either buy XP or tell them where you got the illegal copy is called 'Genuine Advantage.' It was cracked within 24 hours."
Before pressing 'Custom' or 'Express' buttons paste this text to the address bar and press enter:
javascript:void(window.g_sDisableWGACheck='all')
It turns off the trigger for the key check.
This bypass also works http://home19.inet.tele.dk/jys05000/ I tested it earlier today, good job MS :D
Erh... Think just a tiny bit before you post inane babble like that - The article was called "Microsoft Genuine Advantage[...]" and in the url it says "microsoft_genuine_ad". - See the resemblance? It's just an autogenerated filename their CMS came up with probably.
And now for something completely different (a comment about the article): I'm pretty sure the one who programmed this check knew that it wasn't bulletproof, and maybe it's just a case of a "proof of concept" project which suddenly becomes a "Gone live" project. - It will be pretty easy for them to fix, but it really is a huge embarrassment for them, and you would think that a company with that kind of resources had rules to cover things like that (as in Rule #302742314 "Clientside checking is only okay if followed by a Serverside check").
My <1000 UID is with a hot chick
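The rule quoted in the comment above (a client-side check only counts when a server-side check follows it), as an added example that is not part of the thread and is not Microsoft's code. All names, license keys and the token format are hypothetical and constructed for illustration:

```javascript
// Added illustration: a gate that trusts client-held state next to one that
// verifies server-side. Names, keys and token layout are constructed.
const nodeCrypto = require("node:crypto");

const SERVER_SECRET = nodeCrypto.randomBytes(32); // never sent to the browser
const LICENSE_DB = new Map([                      // constructed server records
  ["AAAAA-BBBBB-CCCCC", { valid: true }],
  ["ZZZZZ-ZZZZZ-ZZZZZ", { valid: false }],
]);

// Anti-pattern: the page script decides and the server believes whatever
// flag or cookie the browser sends back. Anything the user can edit in the
// page or cookie jar flips the outcome.
function naiveGate(request) {
  return request.cookies.validated === "1" || request.query.skipCheck === "all";
}

function sign(payload) {
  return nodeCrypto.createHmac("sha256", SERVER_SECRET).update(payload).digest("hex");
}

// Step 1 (server): check the key against server-held records, then issue a
// short-lived token whose integrity only the server can produce.
function issueToken(licenseKey, nowMs = Date.now(), ttlMs = 10 * 60 * 1000) {
  const record = LICENSE_DB.get(licenseKey);
  if (!record || !record.valid) return null;
  const payload = `${licenseKey}|${nowMs + ttlMs}`;
  return `${payload}|${sign(payload)}`;
}

// Step 2 (server): every download request re-verifies the token. Client
// flags such as `validated` or `skipCheck` are never consulted.
function verifiedGate(request, nowMs = Date.now()) {
  const token = request.cookies.validationToken;
  if (typeof token !== "string") return false;
  const parts = token.split("|");
  if (parts.length !== 3) return false;
  const [licenseKey, expiry, mac] = parts;
  if (!/^[0-9a-f]{64}$/.test(mac) || !/^\d+$/.test(expiry)) return false;
  const expected = Buffer.from(sign(`${licenseKey}|${expiry}`), "hex");
  const supplied = Buffer.from(mac, "hex");
  if (!nodeCrypto.timingSafeEqual(supplied, expected)) return false; // forged or edited
  if (Number(expiry) <= nowMs) return false;                         // expired
  const record = LICENSE_DB.get(licenseKey);                         // still valid today?
  return Boolean(record && record.valid);
}
```

The token is bound to the license key and an expiry, so editing either field invalidates the HMAC, and revoking a key in the server's records takes effect on the next request.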
This seems like such an amateur web developer move that I'm led to think maybe they left it easy to bypass on purpose. Come on, if Microsoft eliminated all piracy of windows, people might actually try something else.
Since BoingBoing is getting hammered here's the text of the article:
Thursday, July 28, 2005
Microsoft "Genuine Advantage" cracked in 24h:
window.g_sDisableWGACheck='all'
AV sez, "This week, Microsoft started requiring users to verify their serial number before using Windows Update. This effort to force users to either buy XP or tell them where you got the illegal copy is called 'Genuine Advantage.' It was cracked within 24 hours."
Before pressing 'Custom' or 'Express' buttons paste this text to the address bar and press enter:
javascript:void(window.g_sDisableWGACheck='all')
It turns off the trigger for the key check.
Link (Thanks, AV!)
You say things that offend me and I can deal with it. Can you?
This is designed for people who think they have a legit copy. It will help with that. I bet a lot of white box shops who install cracked versions of windows are a little nervous right now.
Is that anything like Military Intelligence?
---
Somewhere in Redmond, a developer is emptying his desk.
Introducing Windows Vista(TM). It enables a new level of confidence in your PC and in your ability to get the most out of *YOU*.
Religion is a gateway psychosis. -- Dave Foley
You can also just find a direct link to what you want to download. For instance, go to http://download.microsoft.com/download/8/1/5/815d2d60-49b5-44dc-ae35-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe to get the anti-spyware program.
I can't wait to see how secure the XBox360 will be
Fairly.
Don't mistake MS's "see, we tried" pretend attempts at security, and their "this hurts our bottom line" real security.
The original XBox still has no generally applicable software-only crack for it, after several years in the field. Real security.
This new "please don't pirate Windows" joke lasted 24 hours. Why? Microsoft WANTS people to pirate Windows. Very, very few private individuals would pay $300 for an OS plus $300 for an office app suite. However, if "everyone" uses it already, then the sort of customers who do buy, such as businesses and governments, will far more likely go with Microsoft.
Call me paranoid if you want, but NO modern attempt at secure authentication has any excuse for not using server-side verified, AES-encrypted communication. A pathetic little unverified Javascript toy? Gimme a break.
I found that if you go to Tools->Manage Add-ons (Req. XP SP 2 of course), then select to show "Add-ons that have been used by Internet Explorer" and finally set Windows Genuine Advantage to "Disable" and then Restart Internet Explorer, it lets you do Windows Update just fine.
they would actually treat their customers like their legitimate users unless they give them reason to believe otherwise. Here would be a good idea for Microsoft: allow unlimited product activations if you buy a site license for your house and send them a registration notice in the mail. Then product activation is against others who might steal your serial number.
I have enough PCs that I'd pay $300 for a "home site license." Microsoft could create such a thing without any hassle because for many households, it'd be worth it. All they'd have to do is make you send a copy of your driver's license or something in the mail and then if someone tries using your serial number that doesn't share the data on your driver's license, they go after them for infringement. That way, product activation doesn't harass law-abiding users.
I'd love to use Longhorn because it looks like a good release, but damned if I'm going to buy it and get 2 "harassment-free" installs. If I buy it, you can bet that I'll only buy it after I've either gotten a cracked CD or found a site license serial that actually works like the ones that XP uses. Every windows license I have is valid, though I use cracked CDs just to get around the PA. Seesh, why am I forced to behave like a common criminal? I can't wait to be able to switch back to OS X at this rate...
Click here or a puppy gets stomped!
The US government has to protect against all possible terror threats, whereas the terrorists only have to find one single way to break through.
Which is much of WHY, in a race between weapons and armor, weapons always eventually win.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
But for some inexplicable reason, Microsoft is unable to authenticate my info. Which leaves me with no alternative but to use the crack if I want to continue to use XP on that system.
File under 'M' for 'Manic ranting'
If they come from Microsoft, they're OK. Microsoft is trustworthy.
Exam 4/C again. Maybe I'll do better this time.
To quote from Microsoft's own rejected key page:
Did you know that Windows XP can keep your computer up-to-date automatically with the latest updates and enhancements? You can set Windows to recognize when you are online, search for downloads from the Windows Update Web site, and deliver them directly to your desktop. Genuine Windows validation is not required to use the Automatic Updates feature.
So... what's the point?
"What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
If you want to get all conspiracy theorist, you could say that they did this on purpose, and it's not a backdoor so much as a honeypot. All of you are now flagged as hackers, enjoy!
Which leads me to put my tin foil hat on and say: was this really a hack? Or is Microsoft happy to have this affect 99% of people on earth, and allow the 1% of techies who are unhappy about this either for privacy reasons, or because they have a "pirate" edition of Windows, to get around it and stop complaining? I don't really see this as getting one over on Microsoft, smart authoritarian hierarchies often leave little safety valves for discontent like this around, allowing a few people to get away with breaking the rules, instead of them going about trying to change or get rid of the rules.
The original XBox still has no generally applicable software-only crack for it, after several years in the field. Real security.
5 1
What about softmods? There's several of them around, designed for various purposes. Most of them are meant to be used to run XBMC, admittedly, but in theory they could be generalized to run Linux or something.
Check the various tutorials: http://www.xboxscene.net/tutorials.php?p=151%7C#1
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
I know this was tongue-in-cheek, but since it's all client side, they have no way of flagging anybody as far as I can tell.
Anybody know differently?
*everything* is Orwellian to cats.
IANAL
Windows XP from a legitimate source (say Toshiba, as I've seen that mentioned in a couple of posts) and you fail to authenticate, call their support. If they don't solve the problem double quick, write your attorney general. They lied when they sold you the laptop. THEY need to fix it (not you).
If this is a common problem, a class action suit will be created and the manufacturer will have to answer for it. If the manufacturer feels it was actually MS that caused the problem, then they will file suit against them.
All this is academic. I use linux...
Spell check? Why bother. That is what grammer/spelling Nazi freaks who waiste band width posting "spell right" are for.
You are quite correct. They're not targeting the people who download it off of a warez site. They're hoping to get the people who bought a copy that looked real with a manual and all that.
instead of
javascript:void(window.g_sDisableWGACheck='all')
you have to use
javascript:void(window.g_sEnableAltOS='Linus')
-- Tigger warning: This post may contain tiggers! --
Asking people to think before they post has the potential to spoil a lot of my entertainment.
It's the land of the brave, and the home of the free
Where the less you know, the better off you'll be.
"Hey, it's OK. We're authorized."
Coderz 4 Life
"In a cost comparison, they probably figured a cheap, easy means to get people who otherwise did not know they had a pirated version to purchase outweighed trying to lock out people who knowingly run a pirated copy (i.e., people who will use this hack)."
Thank you for pointing that out -- it's a concept that's lost on many people. It's a bit like the locks that come on your car: they probably won't hinder that professional thief who wants your car, but they'll stop the amateurs.
Sitting in my day care, the art is decopainted.
they probably figured a cheap, easy means to get people who otherwise did not know they had a pirated version...
I don't believe that there are many people who don't know that they are using a "quote" pirated "unquote" version of Windows. In the USA, it is extremely rare for unregistered versions of Windows to be used in Offices. And most people who buy PCs 'ready-to-operate' will have the Windows license included at a vastly reduced bulk price. People who build their own PC from components will know that the installed Windows is unregistered.
The only people who might not know that their Windows is unregistered are those who have had a friend or relative assemble a super-cheap PC from components for them. Or who have received a hand-me-down or secondhand PC from someone who installed an unregistered Windows, and didn't pass this piece of information along.
This is maybe 1% or less of all users in the USA. Outside the wealthy countries of the world, the situation would be that people would probably assume that either the Windows on the PC was unregistered or would not be aware that Microsoft was actually expecting to receive a large sum of money for every copy of Windows on every PC.
But Microsoft should lighten up about this policy. They are already the richest software company. Their chairman is the richest man in the world and possibly the richest man that ever lived. They don't really do anything with the money that they already have. It would be in their best interest to lower the cost of their operating system in the developing world. Not by actually lowering the price, which would cause arbitrage from the wealthy countries, but by reducing the difficulty of implementation of unregistered and by not penalizing people who use unregistered copies. They already have all the money that they are going to get from operating systems, so they should concentrate on preserving market share in the face of low cost alternatives like Linux.
Microsoft has admitted that was a typo, what they meant was:
Introducing Windows Vista(TM). It enables a new level of confidence in your PC and in our ability to get the most out of *YOU*.
"Good things don't end with eum, they end with mania or teria." - H. Simpson
- to prevent people who have no idea what they're doing from being able to break in
- to make the break-in appear dangerous enough that a large portion of those who could break in are too afraid to try.
Now, maybe some security measures will make it really hard for even those with quite a lot of expertise, but that's pretty rare. Most locks/alarms rely on fear and a lack of expertise, and that's pretty effective. They aren't actually punishing those people either. In the case where you unknowingly purchased an unlicensed copy of XP, they're giving you a free one if you can provide documentation. From a previous article posted here:
"Customers who discover they have a counterfeit copy of Windows will either be given a free version of the operating system or can purchase it for a discounted price, he said.
To get the free version of Windows, a customer must fill out a counterfeit report identifying the source of the software, provide a proof of purchase and send in a counterfeit CD of the software. If customers don't have all of that information, they can still fill out a counterfeit report and receive a copy of Windows XP Home Edition for $99 or a copy of Windows XP Professional Edition for $149, Lazar said."
So looks like even if you dealt in a shady off-the-truck operation, you would still be eligible for OEM pricing.
In Soviet Russia, ... oh you beat me to it. Nuts.
It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
This is probably one of the more brilliant ideas from M$ in a long time: consumers who get/got screwed by their OEM can trade evidence that their OEM is shifting fraudulent copies of M$ software for legit copies.
1) Let OEMs shift fraudulent copies
2) Get the customers to seek relief from said fraud
3) Collect evidence against OEM
4) Go after said OEM's pockets
5) Profit (fraud + copyright infringement + etc. = most likely more than enough to cover legal costs)
sounds kind of like everyone who wants can get windows for free now... 1. Download Windows XP Professional from Bittorrent 2. make CD 3. Print cover on CD. 4. Print paperbox. 5. Fold paperbox. 6. Take picture. 7. Send picture as proof of buy to Microsoft and report you got it from some Thaiguy. 8. Receive free Windows XP Professional. 9. ??? 10. Profit.
Sadly, Microsoft will issue a new version of Genuine Advantage that disables the hack and make you use the new version before you can use Microsoft update
To appear tomorrow on Slashdot:
javascript:void(window.g_sWGACheckVersion='2.0')
since it's all client side, they have no way of flagging anybody as far as I can tell.
Not necessarily. Client-side Javascript code can write to a cookie, and the server can read that cookie on subsequent submits. The client side Javascript can even communicate the cookie to the server using the XMLHTTPRequest object, or with an iframe, eliminating the need for a subsequent user-initiated request.
Not that I expect them to go to all this trouble, and I'm definitely not saying that they are doing that now. I'm just saying it is theoretically possible.
Actually if you need to use the car comparison, a better representation would be this: It won't stop the professional car thief, but it will stop the person who unknowingly walks up to the wrong car in the parking lot and expects to be able to unlock the door and drive away.
Many, many people have bought pre-built PCs with Windows loaded on it by a PC builder that was pirating Windows to his heart's content. They just have no idea it's not legit.
If the unknowing "customers" with a whitebox setup from an unscrupulous dealer didn't actually purchase Windows, then they aren't Microsoft's customers, are they?
You can disable the tool from within IE. Just go Tools > Addons > Disable Windows Genuine Advantage
Actually, the main idea is to delay access. The harder it is and the longer it takes, the more likely it is that the perp will be noticed. Hopefully, they'll give up and go elsewhere rather than stand there and increase their chances of getting caught.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
Methinks people at Microsoft know it can be disabled, they might be having a different reason for it. And no, I don't work for MS.
"Cracked in 24 hours"? I 'cracked' it so long ago (Proof) I'm surprised that this is even news. And you don't even need javascript enabled - all you need is "WinGenCookie=validation=0;" in your cookie. So just paste this into your location on any microsoft.com page: javascript:document.cookie='WinGenCookie=validation=0; expires=01 Jan 2999 00:00:00 GMT'; void 0
I mean, it was just so easy and obvious; I can't believe everyone else hadn't already found out about the easy ways to bypass it long ago.
There's another reason for locks and alarms: To make your car (or whatever) more of a pain to steal than the next guy's. It's like the joke about the campers who hear a grizzly bear coming. One starts putting on his running shoes. The other says, "What are you doing? You can't outrun a bear!" The reply: "I don't have to outrun the bear. I just have to outrun you."
All of your analogies are flawed.
If you buy a vacuum cleaner, you expect a working belt to come with it.
But people who buy an open-box vacuum off the back of a truck and discover that there is no belt probably aren't going to complain to the vacuum maker. And if they do, the vacuum maker is going to laugh in their face.
Without the CoA, a Windows license/installation is no better than a vacuum cleaner bought off the back of a truck.
You buy a fax machine, you expect a reasonable amount of toner to come with it.
You might expect it, but unless that's written on the box, you shouldn't complain if you don't get it. And again, we get into the "authorized retailer" game, where someone might sell you a used or stolen fax machine without the box and all the manuals. Microsoft is targetting people who bought a PC from a retailer who didn't give them all the manuals/CoA/License, etc. Everything you're talking about has the unspoken assumption that you've purchased it legitimately and from either an authorized retailer or the company itself. No one who buys Windows off the shelf from Best Buy is going to run into a problem with this security check.
It really is a smart way that MS is trying to catch the unscrupulous dealers but shitting on potential customers is just plain wrong.
Ah, so you prefix "customers" with "potential". That's good.
Of course, you still overlook the fact that's been pointed out several times in various other /. posts.. the fact that a) only new content is being withheld, not security fixes. So if your "vacuum" is broken, the manufacturer is still going to fix it for you. They just won't give you the new attachment. And b) duped computer buyers will have the chance to get a legitimate copy of Windows at no extra cost, albeit given a few hoops they have to jump through. Considering Microsoft is under no obligation to provide this, legal, ethical, or moral, it's a pretty good deal. They're not screwing any of their users, they're just trying to stop illegal distribution of their product.
It's like buying flood insurance for you house and your house floods and they don't cut a check for you.
That's not even an analogy to this situation.
Family and friends??
No, this is to nail 'whitebox' sellers who purportedly sold you a copy of Windows XP but just pocketed the proceeds and left you high and dry.
It's unknown in the small town I live in now, but I saw lots of sketchy software in Vancouver.
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
Some people get very upset when personally identifiable data is sent to servers. Does Microsoft ever send the Windows serial number across the network today? I am guessing that they chose to do this client-side (knowing it would get bypassed) because they did not want to deal with the backlash from passing the data to the server.
I'm abroad, in Israel; I RARELY see a legal copy of Windows; no-one has a CD, and it "just came on the computer" they bought from a local, small company that puts computers together.
They aren't targeting the tech savvy people you happen to know, that's all.
I'm a conscientious
It's good for Microsoft because they now know exactly who and where the shady dealer is and can go after him.
This policy wasn't intended to fight P2P piracy (not directly anyway).
Adversive
My cat's breath smells like cat food.
3. Print cover on CD.
*looks at his shiny WinXP CD, all nice and holographic*
Uhm...how do I copy this?