myth about wpa (how it is done), windows product activation technique

Microsoft's plans to stop people pirating the next version of Windows have suffered a setback.

A German computer magazine has found weaknesses in the piracy protection system built into Windows XP.

The weaknesses could mean that in up to 90% of cases users can circumvent the copy protection system.

But Microsoft said that the protection system would be much stronger and harder to defeat when the final version of XP is released later this year.

Component count

In a bid to combat piracy Microsoft is introducing a product activation system into the XP versions of its software. Activating a product involves contacting Microsoft for an identification number that is then combined with the serial numbers of the components inside your computer to create a unique identifier.
Big changes to the hardware in a machine could mean that users have to contact Microsoft for a new identification number to re-activate their software.

By tying software to individual machines Microsoft hopes to stop its products being run on more machines than they are licensed for.

But now German computer magazine Tec Channel has analysed the product activation system that is being used in the test, or beta, versions of Windows XP and found that, in many cases, it can be compromised by making simple changes.

File fiddling

When Windows XP is first installed and activated it generates a file called wpa.dbl that stores information about the configuration of your machine.

Changes to any one of the ten components or serial numbers that this file watches are counted. Once more than three of them have changed, the wpa.dbl file is deleted, forcing the user to contact Microsoft to reactivate the software.

But Mike Hartmann, a journalist at Tec Channel, has found that the ability of the wpa file to spot piracy can be easily compromised.

In tests Mr Hartmann installed and activated XP, then saved a version of the wpa file that was generated. He then changed components on the test machine so XP had to be re-activated. However, copying the old version of the wpa file back in the Windows system directory stopped requests for reactivation.

Piracy problems

The activation was also compromised when XP was fooled into thinking that a desktop PC was a laptop in a docking station, rather than a self-contained machine. In this configuration some components that wpa watches would be in the docking station rather than the portable computer. XP dutifully ignored any changes made to these components.

XP activation items
network card address
graphics card ID number
CPU serial number
SCSI host adapter number
IDE controller number
hard disk serial number
CPU type
Ram size
Volume ID
CD-Rom serial number

In total Mr Hartmann found a way to make the Windows XP activation technology ignore six of the ten components that it monitors. Mr Hartmann said another two can vary in only a small number of ways among all machines making it possible to create a "universal" wpa file that should activate XP on most PCs.

"With some smart tools that do automatic matching of hardware and activation-files it would be possible to 'activate' nearly 90 percent of home-user machines without Microsoft knowing anything about it," Mr Hartmann told BBC News Online.

Mr Hartmann expects to see activation file sites springing up on the web that offer wpa files tied to PCs with particular configurations thus ruining Microsoft's chances of cutting piracy.

"Should Microsoft stick with the current version of wpa they will have wasted lots of money on call-centre employees, webservers and the technology itself," he said.

But a spokeswoman for Microsoft said that the version of the activation system that is in the pre-release versions of Windows XP is weaker than that which will ship with the finished version.

"The things that have been highlighted as a way of potentially bypassing activation will not be in the final code," said the spokeswoman. "The final code is going to be very different to what we have now."

"Product activation is not completely fixed in place at this time," she added.


Hacking Windows XP Product Activation

Basic Issues

The file wpa.dbl in the system32 directory records information about the system at the time of activation. If more than three of the watched hardware components change, Windows XP notices this and deletes wpa.dbl, so that the user is forced to activate XP again. You do not get another 30 days to do so (in RC1 the grace period is a fortnight): XP counts from the installation date instead, which means that if the installation is already 30 days old you must activate immediately before XP will run again. The hardware ID stored in wpa.dbl is assembled from the following fields:

Volume serial number of the system volume (shown by the dir command)
MAC address of the network card (shown by netstat -r -n)
Identification string of the CD-ROM drive
Identification string of the graphics card
CPU serial number
Identification string of the system's hard disk
Identification string of the SCSI host adapter
Identification string of the IDE controller
Processor model string
RAM size
Docking flag: 1 = dockable (docking station), 0 = not dockable

First Tests

To begin with we saved the file wpa.dbl and then replaced the graphics card and the network card. As expected, Windows XP was cooperative and we could keep working undisturbed. The first surprise came when we replaced the Celeron with a Pentium III: suddenly Windows XP wanted to be activated again, although we had only changed three components.
The solution to the riddle lies in the processor's serial number. Replacing the processor did not change one piece of hardware information but two, the serial number and the processor model string, so the count had reached four. That meant restarting the computer and switching the serial number off in the BIOS. Nonetheless XP still insisted on activation. A glance at wpa.dbl showed why: XP had apparently reset the file to a non-activated state. We restarted again, booted into DOS and copied the saved wpa.dbl back into the XP system directory. On the next start of XP the activation demand was gone. Evidently wpa.dbl is the central authority that decides whether or not activation has already taken place.

We then reinstalled Windows XP from scratch using the very same product key. The computer nevertheless received a different product ID, because its last three digits are generated randomly. Although the product ID had changed, Windows could be activated by copying the saved wpa.dbl into the appropriate directory. Our next attempt brought an even bigger surprise: the activation still worked when we used a completely new product key for the installation.

Forged Hardware

With these results in mind we tried to activate Windows XP on a second computer by copying wpa.dbl. First we made the volume ID of the new computer match by means of a freeware tool (Sysinternals' VolumeID): the command line volumeid c: 3333-3333 rewrites that field of the new system, and the first component of Microsoft's protection is cancelled.

With some network cards the MAC address can be set manually via the driver: the corresponding option on the driver's Advanced tab is called "Network Address" or "Locally Administered Address".

So far we had cancelled two components of the activation by presenting a forged volume ID and network address to the new system. The CPU serial number was switched off anyway, neither computer has a SCSI host adapter, and both have the same amount of memory, so altogether five sections of the hardware ID were identical.
Six actually, since neither computer is "dockable". That gave us a bold plan...
Notebook of Eight Kilogrammes

What happens if we tell the operating system that the computer is a notebook? This option can be toggled in the properties of the hardware profile.

Can Microsoft be tricked that easily? Yes it can! After the next restart, analysis of the installation ID shows that the graphics card and the IDE/SCSI controllers are suddenly no longer used to calculate the hardware ID.
That leaves only three differences in the hardware configuration:

Identification of the hard disk
Identification of the CPU
Identification of the CD-ROM drive

Because three components are allowed to differ without XP insisting on a new activation, this should suffice. So we copied wpa.dbl into the system32 directory of the second computer and started Windows XP. The start menu still said "Activate Windows", but on calling it up we got our reward.

Windows XP uses ten hardware components to calculate the installation ID, but six of them can be cancelled without any problems:

Component            Cancelled by
Volume ID            Rewritten with a tool
MAC address          Set in the driver
Graphics card        Switching to a docking-station profile
CPU serial number    Switched off in the BIOS
SCSI host adapter    Switching to a docking-station profile
IDE controller       Switching to a docking-station profile

Important: a LAN does not tolerate two computers with the same MAC address.

Only four components work more or less effectively:

Component    Size of bit field
Hard disk    7
CPU type     3
CD-ROM       7
RAM size     3

Two fields are coded with three bits and two with seven bits. Because the value 0 is impossible in each field, 7*7*127*127 = 790321 possibilities remain for wpa.dbl. Since three components are allowed to change after activation, only one of these four fields has to match, so the weakest fixed component can be used for a "universal activation".

The CPU type or the RAM size present themselves as the best choice. It is entirely sufficient to activate a computer with 128 MB of RAM at Microsoft's just once: with its wpa.dbl you can then "activate" every other computer with the same memory size.
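As an added example (not Tec Channel's or Microsoft's code), the following Python models the rule that the experiments above rely on: the "more than three changed components" limit, a CPU swap counting twice (serial number and model string), the docking-station profile dropping graphics, SCSI and IDE from the hardware ID, and the universal-activation arithmetic from the bit-width table. The field names and the sample machine configurations are constructed for illustration; the bit widths are the ones the article gives.

```python
"""Model of the Windows XP RC1 reactivation rule as Tec Channel describes it.

Added example, not code from Tec Channel or Microsoft.  Field names and the
sample configurations below are assumptions made for illustration.
"""
from __future__ import annotations

# The ten hardware components watched by wpa.dbl.  The docking flag is
# modelled as a mode (see `dockable`) rather than as an eleventh field.
COMPONENTS = ("volume_id", "mac", "cdrom", "graphics", "cpu_serial",
              "hdd", "scsi", "ide", "cpu_type", "ram")

# Dropped from the hardware ID when the hardware profile says "portable computer".
IGNORED_WHEN_DOCKABLE = frozenset({"graphics", "scsi", "ide"})

MAX_TOLERATED = 3  # more than three changed components forces reactivation

# Bit widths of the four fields the article could not forge.  Value 0 never
# occurs in a field, so a w-bit field has 2**w - 1 usable values.
UNFORGEABLE_BITS = {"hdd": 7, "cpu_type": 3, "cdrom": 7, "ram": 3}


def changed_components(activated: dict, current: dict, dockable: bool = False) -> set:
    """Components whose value differs between the configuration recorded at
    activation and the running hardware, after applying the docking rule."""
    watched = [c for c in COMPONENTS
               if not (dockable and c in IGNORED_WHEN_DOCKABLE)]
    return {c for c in watched if activated.get(c) != current.get(c)}


def needs_reactivation(activated: dict, current: dict, dockable: bool = False) -> bool:
    return len(changed_components(activated, current, dockable)) > MAX_TOLERATED


def swap_cpu(config: dict, cpu_type: str, cpu_serial: str | None) -> dict:
    """A CPU swap touches two hardware-ID fields at once: the serial number
    (None once it is disabled in the BIOS) and the processor model string."""
    return {**config, "cpu_type": cpu_type, "cpu_serial": cpu_serial}


def distinct_wpa_variants() -> int:
    """How many different wpa.dbl files exist over the unforgeable fields."""
    n = 1
    for width in UNFORGEABLE_BITS.values():
        n *= (1 << width) - 1
    return n  # 7 * 7 * 127 * 127 = 790321


def universal_set_size(tolerated: int = MAX_TOLERATED) -> int:
    """Smallest number of wpa.dbl files that 'activate' every machine once the
    six forgeable fields have been matched.  Of the unforgeable fields only
    len(UNFORGEABLE_BITS) - tolerated must agree, so pick the narrowest ones;
    with the article's rule that is a single 3-bit field (RAM size): 7 files."""
    must_match = max(len(UNFORGEABLE_BITS) - tolerated, 0)
    n = 1
    for width in sorted(UNFORGEABLE_BITS.values())[:must_match]:
        n *= (1 << width) - 1
    return n


# Constructed sample configurations reproducing the article's two experiments.
ACTIVATED = {"volume_id": "1234-ABCD", "mac": "00-50-56-11-22-33", "cdrom": "CDR-A",
             "graphics": "GFX-A", "cpu_serial": "SN-CELERON", "hdd": "HDD-A",
             "scsi": None, "ide": "IDE-A", "cpu_type": "Celeron", "ram": 128}


def experiment_first_tests() -> tuple[bool, bool]:
    """Graphics card + NIC swapped (2 changes) is tolerated; a Celeron -> Pentium III
    swap then adds two more changes (serial and model) and trips the limit."""
    step1 = {**ACTIVATED, "graphics": "GFX-B", "mac": "00-50-56-44-55-66"}
    step2 = swap_cpu(step1, "Pentium III", "SN-P3")
    return needs_reactivation(ACTIVATED, step1), needs_reactivation(ACTIVATED, step2)


def experiment_forged_hardware() -> tuple[bool, bool]:
    """Second PC with forged volume ID and MAC, CPU serial disabled on both,
    no SCSI, same RAM: five fields still differ until the machine is declared
    dockable, which drops graphics and IDE and leaves exactly three."""
    donor = {**ACTIVATED, "cpu_serial": None}
    target = {**donor, "hdd": "HDD-B", "cpu_type": "Pentium III", "cdrom": "CDR-B",
              "graphics": "GFX-B", "ide": "IDE-B"}
    return (needs_reactivation(donor, target),
            needs_reactivation(donor, target, dockable=True))


if __name__ == "__main__":
    print("first tests (after NIC+GFX, after CPU swap):", experiment_first_tests())
    print("forged hardware (desktop, as 'notebook'):   ", experiment_forged_hardware())
    print("wpa.dbl variants:", distinct_wpa_variants(),
          "universal set size:", universal_set_size())
```

The model generalises the article's arithmetic slightly: `universal_set_size` takes the tolerated-change count as a parameter, so you can see that the "one file per RAM size" result depends entirely on XP allowing three of four unforgeable fields to differ; with no tolerance at all the full 790321 variants would be needed.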

Conclusion

With its activation technology Microsoft wants to thwart the user who occasionally copies software. To a certain degree this may still work. But with the steps described above almost anyone can activate his own XP merely by obtaining a suitable wpa.dbl file. There will certainly be web sites in the near future where the user can conveniently download "his" wpa.dbl.

Should the current activation procedure remain, Microsoft will pour money into technology, web servers and call centres without any appreciable success. It would be far more lucrative to drop activation and lower the price of XP.

Microsoft has not commented on the weak points of activation so far. Probably their statement will go as follows: "In its final version WPA will look completely different. We did not implement these steps in RC1 for one reason only: not to annoy the testers."

But it is a fact that between the release candidates and the final release normally only bugs are fixed. Sharp tongues may call WPA itself a bug; in our opinion it is nothing more than an example of bad programming.


Inside Windows Product Activation

A Fully Licensed Paper

July 2001

Fully Licensed GmbH, Rudower Chaussee 29, 12489 Berlin, Germany

http://www.licenturion.com


>> INTRODUCTION

The current public discussion of Windows Product Activation (WPA) is
characterized by uncertainty and speculation. In this paper we supply
the technical details of WPA - as implemented in Windows XP - that
Microsoft should have published long ago.

While we strongly believe that every software vendor has the right to
enforce the licensing terms governing the use of a piece of licensed
software by technical means, we also do believe that each individual
has the right to detailed knowledge about the full implications of the
employed means and possible limitations imposed by it on software
usage.

In this paper we answer what we think are currently the two most
important open questions related to Windows Product Activation.

* Exactly what information is transmitted during activation?

* How do hardware modifications affect an already activated
installation of Windows XP?

Our answers to these questions are based on Windows XP Release
Candidate 1 (build 2505). Later builds as well as the final version of
Windows XP might differ from build 2505, e.g. in the employed
cryptographic keys or the layout of some of the data
structures.

However, beyond such minor modifications we expect Microsoft to cling
to the general architecture of their activation mechanism. Thus, we
are convinced that the answers provided by this paper will still be
useful when the final version of Windows XP ships.

This paper supplies in-depth technical information about the inner
workings of WPA. Still, the discussion is a little vague at some
points in order not to facilitate the task of an attacker attempting
to circumvent the license enforcement supplied by the activation
mechanism.

XPDec, a command line utility suitable for verifying the presented
information, can be obtained from http://www.licenturion.com/xp/. It
implements the algorithms presented in this paper. Reading its source
code, which is available from the same location, is highly
recommended.

We have removed an important cryptographic key from the XPDec source
code. Recompiling the source code will thus fail to produce a working
executable. The XPDec executable on our website, however, contains
this key and is fully functional.

So, download the source code to learn about the inner workings of WPA,
but obtain the executable to experiment with your installation of
Windows XP.

We expect the reader to be familiar with the general procedure of
Windows Product Activation.

>> INSIDE THE INSTALLATION ID

We focused our research on product activation via telephone. We did
so, because we expected this variant of activation to be the most
straight-forward to analyze.

The first step in activating Windows XP via telephone is supplying the
call-center agent with the Installation ID displayed by msoobe.exe,
the application that guides a user through the activation process. The
Installation ID is a number consisting of 50 decimal digits that are
divided into groups of six digits each, as in

002666-077894-484890-114573-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX

In this authentic Installation ID we have substituted digits that we
prefer not to disclose by 'X' characters.

If msoobe.exe is invoked more than once, it provides a different
Installation ID each time.

In return, the call-center agent provides a Confirmation ID matching
the given Installation ID. Entering the Confirmation ID completes the
activation process.

Since the Installation ID is the only piece of information revealed
during activation, the above question concerning the information
transmitted during the activation process is equivalent to the
question

'How is the Installation ID generated?'

To find an answer to this question, we trace back each digit of the
Installation ID to its origins.
