The Register: WinXP product activation cracked: totally, horribly, fatally
Owen Blacker
owen.blacker at wheel.co.uk
Tue, 17 Jul 2001 16:18:35 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
http://www.theregister.co.uk/content/4/20433.html
| WinXP product activation cracked: totally, horribly, fatally
|
| By John Lettice <john.lettice@theregister.co.uk>
| Posted: 17/07/2001 at 12:35 GMT
|
| Since Microsoft introduced Windows Product Activation (WPA) the crackers
| have gone through a series of WinXP beta builds, finding new ways to at
| least circumvent the protection system. But now, taking an entirely
| different approach, Germany's Tecchannel has demonstrated that WPA as
| shipped in RC1 is full of gaping holes, and can be fooled almost
| completely.
|
| Tecchannel's report (available in English
| <http://www.tecchannel.de/betriebssysteme/746/index.html>, or in German
| <http://www.tecchannel.de/betriebssysteme/743/index.html>) demonstrates
| that WPA can be compromised via numerous hardware-related routes; it all
| centres on the file wpa.dbl, which WinXP keeps in the system32 directory.
|
| This file stores information on the nature of the hardware at the time of
| activation, and when Windows XP notices more than three items of hardware
| have changed, it deletes it. Then you need to activate again. You'll
| also, Tecchannel notes, need to activate ~immediately~ if you installed
| more than 30 days (or 14 with RC1) ago, as that's when the clock starts
| ticking. This, incidentally, is also the case if you do a 'repair' to fix
| a bust system -- not exactly friendly.
|
| So first of all Tecchannel saved the file then started changing hardware.
| Two items OK, but replacing a third -- the CPU -- triggered the deletion.
| Although you'd think the CPU is only one component, it's actually tallied
| up as two. Switching off the CPU serial number in the BIOS and therefore
| knocking it down to one doesn't get the earlier wpa.dbl back -- this has
| been restored in a non-activated state.
|
| Copy the saved version back? That surely shouldn't work -- but it does.
| Next, Tecchannel tried a completely new installation using the same
| product key. This produces a new product ID, but nevertheless copying the
| wpa.dbl file back again works.
|
| They also use this file on another computer, altering the computer's
| volume ID first, which is easily enough done. They can also use forged
| network cards' MAC addresses, so now they've taken two parts of the
| hardware ID out of the picture. Next, use the hardware profile to tell
| the computer it's a notebook with a docking station. This works, and
| tells WPA to stop counting the IDE/SCSI controller and the graphics card.
|
| That gets the differences counted down to three, hard disk, CPU and CDROM
| ID, which is within the limit, so WPA is effectively toast.
|
| What does this mean? Tecchannel's investigation shows that, at the very
| least, you can use the same wpa.dbl file to activate as many computers as
| you like, provided the RAM size is the same. A 'universal' file that
| didn't even require the same RAM might be a possibility, but it's more
| likely that people will simply swap files to get one appropriate for
| their hardware. If Microsoft doesn't change WPA before WinXP ships, then
| it's pointless. But changing it when RC2 is looming, and when the holes
| are so obviously huge, would be difficult.
|
| So farewell then, Windows Product Activation -- for the moment? ®
- --
Owen Blacker
Senior Software Developer / InfoSec Consultant Wheel: Clerkenwell
See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys
Sig 0x00036874 | d39f b776 fa20 c125 b0e2 aa6d 555e 4126 0003 6874
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
Comment: Due to RIP, pls check for revocation before using this key!
iQA/AwUBO1RWkFVeQSYAA2h0EQINpACdGkSkOwI865YLmyz5EJIAUvcO9rcAoNYf
xy6YlIrvwY6AF/ula59TXG/G
=aZLs
-----END PGP SIGNATURE-----
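The article's walk-through boils down to a counting rule: each tracked component that differs from the activation record adds to a tally, the CPU is tallied as two items unless its serial number is switched off, a docking-station profile removes two components from the count, and a tally above three discards the record. The Python below is an added model of that rule written for this archive page; it is not Microsoft's code, not the real wpa.dbl format, and the component names, record layout and sample identifiers are constructed. It reproduces the scenario in the article (volume ID and MAC matched, CPU serial off, docking profile on, same RAM) and contrasts the reported behaviour, where only the hardware tally matters, with a hypothetical variant that also binds the record to the installation's product ID, which would at least reject the "new installation, same key, old file" case the article describes.

```python
"""Toy model of the hardware-change tolerance the article describes.

Added illustration: NOT Microsoft's code and NOT the real wpa.dbl format.
The tracked component names, the docking-station exemptions and the
CPU-as-two-items rule follow the article's description; the record layout
and every identifier below are constructed for the example.
"""
from dataclasses import dataclass

# Components compared against the record (assumed list; the page names only some).
TRACKED = (
    "volume_id", "mac_address", "ide_scsi_controller", "graphics_card",
    "hard_disk", "cpu_model", "cpu_serial", "cdrom_id", "ram_size",
)

# The article says a docking-station profile stops these two being counted.
DOCKING_EXEMPT = {"ide_scsi_controller", "graphics_card"}

# "more than three items of hardware have changed" -> record discarded.
MAX_CHANGES = 3


@dataclass(frozen=True)
class ActivationRecord:
    """Constructed stand-in for what the article says wpa.dbl captures."""
    product_id: str
    hardware: dict


def count_changes(record, current, docking_profile=False):
    """Count tracked components whose current value differs from the record.

    The CPU is two items (model and serial). A serial of None models it being
    switched off in the BIOS, which the article says knocks the CPU down to one.
    """
    changed = 0
    for comp in TRACKED:
        if docking_profile and comp in DOCKING_EXEMPT:
            continue
        if comp == "cpu_serial" and current.get("cpu_serial") is None:
            continue  # serial disabled in BIOS: not counted
        if record.hardware.get(comp) != current.get(comp):
            changed += 1
    return changed


def accepted_as_described(record, current, docking_profile=False):
    """Behaviour the article reports: only the hardware tally matters, so a
    wpa.dbl copied from another installation is honoured if the count fits."""
    return count_changes(record, current, docking_profile) <= MAX_CHANGES


def accepted_if_bound(record, current, current_product_id, docking_profile=False):
    """Hypothetical hardened variant (an assumption, not any shipped WPA build):
    the record must also match this installation's product ID, so a file from
    a different installation fails even when the hardware tally is within
    tolerance. A local check like this is still editable by an administrator;
    it only closes the specific case the article reports."""
    if record.product_id != current_product_id:
        return False
    return accepted_as_described(record, current, docking_profile)


# Constructed sample data reproducing the article's walk-through.
ACTIVATED = ActivationRecord(
    product_id="PID-ORIGINAL",
    hardware={
        "volume_id": "VOL-1", "mac_address": "MAC-1", "ide_scsi_controller": "CTRL-1",
        "graphics_card": "GFX-1", "hard_disk": "HDD-1", "cpu_model": "CPU-1",
        "cpu_serial": "SER-1", "cdrom_id": "CD-1", "ram_size": 256,
    },
)

# Second machine: volume ID altered and MAC forged to match the record,
# CPU serial switched off, same RAM size, everything else different.
OTHER_MACHINE = {
    "volume_id": "VOL-1", "mac_address": "MAC-1", "ide_scsi_controller": "CTRL-2",
    "graphics_card": "GFX-2", "hard_disk": "HDD-2", "cpu_model": "CPU-2",
    "cpu_serial": None, "cdrom_id": "CD-2", "ram_size": 256,
}


def demo():
    """Tallies and decisions for the article's scenario."""
    return {
        "plain": count_changes(ACTIVATED, OTHER_MACHINE),
        "docking": count_changes(ACTIVATED, OTHER_MACHINE, docking_profile=True),
        "accepted_docking": accepted_as_described(ACTIVATED, OTHER_MACHINE, True),
        "accepted_bound": accepted_if_bound(ACTIVATED, OTHER_MACHINE, "PID-NEW", True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Without the docking profile the second machine differs in five counted items; with it, only the hard disk, CPU model and CD-ROM remain, which is exactly the three the article says falls within the limit. The same data also reproduces the first experiment: changing two items and then the CPU with its serial enabled gives a tally of four.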