Slashdot Mirror
Microsoft Genuine Advantage Cracked in 24 Hours
jrobie writes "It looks like mandatory validation of your Windows XP license is now voluntary again. A simple hack has been found that disables the check.
BoingBoing has the story. "
← Back to Stories (view on slashdot.org)
A simple hack has been found that disables the check.
It's simple, all right...as simple as the kids over at Microsoft who decided to implement an anti-piracy measure utilizing javascript without any input validation. Sheesh.
____
~ |rip/\/\aster /\/\onkey
Quality programming I tell you. Quality!
Sadly, Microsoft will issue a new version of Genuine Advantage that disables the hack and make you use the new version before you can use Microsoft update, so I believe this is only a temporary reprieve. I guess it will be a back and forth between MS and and hackers until MS has secured Genuine Advantage.
I've got a licensed, genuine version of Windows, but F them for making me jump through hoops to receive continued support. I paid for this and I shouldn't have to keep wasting my time to soothe their paranoid brows.
Just another reason to keep trying new Linux distros and updates on my testbed system until I find one I like enough to switch (tried so far: Ubuntu, SuSE, CentOS 3.3, Linspire, Knoppix, Mandrake 10). Already using OpenOffice, Firefox, and Thunderbird and have a WAMP (Windows, Apache, MySQL, PHP) set-up for development work. Going to Linux is a small step, but there are a few apps (like video editing, graphics editing) where I just don't have the patience to spend a whole bunch of time learning Linux apps that are 'almost' there in terms of their UI. Maybe I'll hit the Crossover Office site to see if they've gone to gold level support on some of my must-have Windows apps yet.
- Greg
Start a happiness pandemic
Let's post it on Slashdot for all to see so Microsoft will find out about it and make it harder to get around!
Are they serious about security, privacy and piracy yet?
Quality Hosting e3 Servers
That one will be fixed pronto in a "critical" security fix.
Download the hack here,
http://www.linux.org/
I mean, seriously, I expected a crack out much sooner. What's it been, six hours?
...after users attempted to update, MS found out that there is actually only 1 registered copy of Windows XP.
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
MS continues to do its absolute best (or does it?) to prevent their products from being hacked to bits (no pun intended), and they have no choice. As part of their business, it's mandatory that they attempt to curtail software piracy. But they know, and we know, that it can't be done. It's like the terrorists (now, seriously guys, I'm NOT making a link between hackers and terrorists, I'm above that). But look at it this way. The US government has to protect against all possible terror threats, whereas the terrorists only have to find one single way to break through. That is, Microsoft will have to figure out every possible way that their products can be cracked and provide protection, but the hackers must only find one single weakness. So to speak.
In a cost comparison, they probably figured a cheap, easy means to get people who otherwise did not know they had a pirated version to purchase outweighed trying to lock out people who knowingly run a pirated copy (i.e., people who will use this hack).
most likely...considering that's Nelson's trademark.
Thursday, July 28, 2005
Microsoft "Genuine Advantage" cracked in 24h:
"This week, Microsoft started requiring users to verifiy their serial number before using Windows Update. This effort to force users to either buy XP or tell them where you got the illegal copy is called 'Genuine Advantage.' It was cracked within 24 hours."
Before pressing 'Custom' or 'Express' buttons paste this text to the address bar and press enter:
java script:void(window.g_sDisableWGACheck='all')
It turns off the trigger for the key check.
This bypass also works http://home19.inet.tele.dk/jys05000/ I tested it earlier today, good job MS :D
Erh... Think just a tiny bit before you post inane babble like that - The article was called "Microsoft Genuine Advantage[...]" and in the url it says "microsoft_genuine_ad". - See the resemblance? It's just an autogenerated filename their CMS came up with probably.
And now for something completely different (a comment about the article): I'm pretty sure the one who programmed this check knew that it wasn't bulletproof, and maybe it's just a case of a "proof of concept" project which suddenly becomes a "Gone live" project. - It will be pretty easy for them to fix, but it really is a huge embarassment for them, and you would think that a company with that kind of resources had rules to cover things like that (as in Rule #302742314 "Clientside checking is only okay if followed by a Serverside check").
My <1000 UID is with a hot chick
This seems like such a amatuer web developer move that I'm led to think maybe they left it easy to bypass on purpose. Come on, if Microsoft eliminated all piracy of windows, people might actually try something else.
Since BoingBoing is getting hammered here's the text of the article:
Thursday, July 28, 2005
Microsoft "Genuine Advantage" cracked in 24h:
window.g_sDisableWGACheck='all'
AV sez, "This week, Microsoft started requiring users to verifiy their serial number before using Windows Update. This effort to force users to either buy XP or tell them where you got the illegal copy is called 'Genuine Advantage.' It was cracked within 24 hours."
Before pressing 'Custom' or 'Express' buttons paste this text to the address bar and press enter:
javascript:void(window.g_sDisableWGACheck='all')
It turns off the trigger for the key check.
Link (Thanks, AV!)
You say things that offend me and I can deal with it. Can you?
I cant wait to see how secure the XBox360 will be
Fairly.
Don't mistake MS's "see, we tried" pretend attempts at security, and their "this hurts our bottom line" real security.
The original XBox still has no generally applicable software-only crack for it, after several years in the field. Real security.
This new "please don't pirate Windows" joke lasted 24 hours. Why? Microsoft WANTS people to pirate Windows. Very, very few private individuals would pay $300 for an OS plus $300 for an office app suite. However, if "everyone" uses it already, then the sort of customers who do buy, such as businesses and governments, will far more likely go with Microsoft.
Call me paranoid if you want, but NO modern attempt at secure authentication has any excuse for not using server-side verified, AES-encrypted communication. A pathetic little unverified Javascript toy? Gimme a break.
I found that if you go to Tools->Manage Add-ons (Req. XP SP 2 of course), then select to show "Add-ons that have been used by Internet Explorer" and finally set Windows Genuine Advantage to "Disable" and then Restart Internet Explorer, it lets you do Windows Update just fine.
they would actually treat their customers like their legitimate users unless they give them reason to believe otherwise. Here would be a good idea for Microsoft: allow unlimited product activations if you buy a site license for your house and send them a registration notice in the mail. Then product activation is against others who might steal your serial number.
I have enough PCs that I'd pay $300 for a "home site license." Microsoft could create such a thing without any hassle because for many households, it'd be worth it. All they'd have to do is make you send a copy of your driver's license or something in the mail and then if someone tries using your serial number that doesn't share the data on your driver's license, they go after them for infringement. That way, product activation doesn't harass law-abiding users.
I'd love to use Longhorn because it looks like a good release, but damned if I'm going to buy it and get 2 "harassment-free" installs. If I buy it, you can bet that I'll only buy it after I've either gotten a cracked CD or found a site license serial that actually works like the ones that XP uses. Every windows license I have is valid, though I use cracked CDs just to get around the PA. Seesh, why am I forced to behave like a common criminal? I can't wait to be able to switch back to OS X at this rate...
Click here or a puppy gets stomped!
But for some inexplicable reason, Microsoft is unable to authenticate my info. Which leaves me with no alternative but to use the crack if I want to continue to use XP on that system.
File under 'M' for 'Manic ranting'
If they come from Microsoft, they're OK. Microsoft is trustworthy.
Exam 4/C again. Maybe I'll do better this time.
If you want to get all conspiracy theorist, you could say that they did this on purpose, and it's not a backdoor so much as a honeypot. All of you are now flagged as hackers, enjoy!
Which leads me to put my tin foil hat on and say: was this really a hack? Or is Microsoft happy to have this effect 99% of people on earth, and allow the 1% of techies who are unhappy about this either for privacy reasons, or because they have have a "pirate" edition of Windows, to get around it and stop complaining? I don't really see this as getting one over on Microsoft, smart authoritarian hierarchies often leave little safety valves for discontent like this around, allowing a few people to get away with breaking the rules, instead of them going about trying to change or get rid of the rules.
I know this was tongue-in-cheek, but since it's all client side, they have no way of flagging anybody as far as I can tell.
Anybody know differently?
*everything* is Orwellian to cats.
IANAL
Windows XP from a legitimet source (say Toshiba, as I've seen that mentioned in a couple of posts) and you fail to authenticate, call their support. If they don't solve the problem double quick, write your eterny general. They lied when they sold you the laptop. THEY need to fix it (not you).
If this is a common problem, a class action suit will be created and the manufacurer will have to answer for it. If the manufacturer feels it was actually MS that caused the problem, then they will file suit against them.
All this is academic. I use linux...
Spell check? Why bother. That is what grammer/spelling Nazi freaks who waiste band width posting "spell right" are for.
You are quite correct. They're not targetting the people who download it off of a warez site. They're hoping to get the people who bought a copy that looked real with a manual and all that.
"Hey, it's OK. We're authorized."
Coderz 4 Life
"In a cost comparison, they probably figured a cheap, easy means to get people who otherwise did not know they had a pirated version to purchase outweighed trying to lock out people who knowingly run a pirated copy (i.e., people who will use this hack)."
Thank you for pointing that out -- it's a concept that's lost on many people. It's a bit like the locks that come on your car: they probably won't hinder that professional thief who wants your car, but they'll stop the amateurs.
Sitting in my day care, the art is decopainted.
They aren't actually punishing those people either. In the case where you unknowingly purchased an unlicensed copy of XP, they're giving you a free one if you can provide documentation. From a previous article posted here:
"Customers who discover they have a counterfeit copy of Windows will either be given a free version of the operating system or can purchase it for a discounted price, he said.
To get the free version of Windows, a customer must fill out a counterfeit report identifying the source of the software, provide a proof of purchase and send in a counterfeit CD of the software. If customers don't have all of that information, they can still fill out a counterfeit report and receive a copy of Windows XP Home Edition for $99 or a copy of Windows XP Professional Edition for $149, Lazar said."
So looks like even if you dealt in a shady off-the-truck operation, you would still be eliglble for OEM pricing.
This is probably one of the more briliant ideas from M$ in a long time: consumers who get/got screwed by their OEM can trade evidence that their OEM is shifting fraudulent copies of M$ software for legit copies.
1) Let OEMs shift fraudulent copies
2) Get the customers to seek relief from said fraud
3) Collect evidence against OEM
4) Go after said OEM's pockets
5) Profit (fraud + copyright infringement + etc. = most likely more than enough to cover legal costs)
Personally, I wouldn't use the built in validation controls because they don't output DOM compliant javascript. You can download a set of DOM compliant validation controls here: http://www.okane.com.au/matt/PermaLink,guid,c0797a e3-d041-49bb-bd15-0ae551151271.aspx
But if you are using ANY validation control in ASP.NET, you sure as hell better be calling Page.IsValid on the server side instead of relying on the javascript functionality. well, I guess this assumes you knew that the validation controls can be ran from the server side...
Sadly, Microsoft will issue a new version of Genuine Advantage that disables the hack and make you use the new version before you can use Microsoft update
To appear tomorrow on Slashdot:
javascript:void(window.g_sWGACheckVersion='2.0')
since it's all client side, they have no way of flagging anybody as far as I can tell.
Not necessarily. Client-side Javascript code can write to a cookie, and the server can read that cookie on subsequent submits. The client side Javascript can even communicate the cookie to the server using the XMLHTTPRequest object, or with an iframe, eliminating the need for a subsequent user-initiated request.
Not that I expect them to go to all this trouble, and I'm definitely not saying that they are doing that now. I'm just saying it is theoretically possible.
It was not a valid copy of Windows.
I turned them in to Microsoft after they were completely unresponsive to email and a phone call. What do you know - a few days later I got a package from UPS that they shipped out the day I called Microsoft.
Windows is not so cheap to the OEM that they aren't above sneaking one past Microsoft every chance they get. Illegal and immoral? Sure, but it is Microsoft they are ripping off, so most people aren't going to care.
Comment removed based on user account deletion
You can disable the tool from within IE. Just go Tools > Addons > Disable Windows Geniuine Advantage
"Cracked in 24 hours"? I 'cracked' it so long ago (Proof) I'm surprised that this is even news. And you don't even need javascript enabled - all you need is "WinGenCookie=validation=0;" in your cookie. So just paste this into your location on any microsoft.com page: javascript:document.cookie='WinGenCookie=validatio n=0; expires=01 Jan 2999 00:00:00 GMT'; void 0
I mean, it was just so easy and obvious; I can't believe everyone else hadn't already found out about the easy ways to bypass it long ago.
There's another reason for locks and alarms: To make your car (or whatever) more of a pain to steal than the next guy's. It's like the joke about the campers who hear a grizzly bear coming. One starts putting on his running shoes. The other says, "What are you doing? You can't outrun a bear!" The reply: "I don't have to outrun the bear. I just have to outrun you."