myth about wpa ( how it is done ), windows product activation technique.txt

黑客培训教程

| | | 0 = not dockable

Bit 31 of H2 specifies, whether the bit-fields represent a notebook
computer that supports a docking station. If docking is possible, the
activation mechanism will be more tolerant with respect to future
hardware modifications. Here, the idea is that plugging a notebook
into its docking station possibly results in changes to its hardware
configuration, e.g. a SCSI host adapter built into the docking station
may become available.

Bits 2 through 0 of H2 are unused and always set to 001.

If the hardware component corresponding to one of the remaining ten
bit-fields is present, the respective bit-field contains a non-zero
value describing the component. A value of zero marks the hardware
component as not present.

All hardware components are identified by a hardware identification
string obtained from the registry. Hashing this string provides the
value for the corresponding bit-field.

>>>> Hashing

The hash result is obtained by feeding the hardware identification
string into the MD5 message digest algorithm and picking the number of
bits required for a bit-field from predetermined locations in the
resulting message digest. Different predetermined locations are used
for different bit-fields. In addition, a hash result of zero is
avoided by calculating

Hash = (Hash % BitFieldMax) + 1

where BitFieldMax is the maximal value that may be stored in the
bit-field in question, e.g. 1023 for a 10-bit bit-field, and 'x % y'
denotes the remainder of the division of x by y. This results in
values between 1 and BitFieldMax. The obtained value is then stored in
the respective bit-field.

>>>> RAM bit-field

The bit-field related to the amount of RAM available to the operating
system is calculated differently. The seven valid values specify the
approximate amount of available RAM as documented in the following
table.

value | amount of RAM available
------+---------------------------
0 | (bit-field unused)
1 | below 32 MB
2 | between 32 MB and 63 MB
3 | between 64 MB and 127 MB
4 | between 128 MB and 255 MB
5 | between 256 MB and 511 MB
6 | between 512 MB and 1023 MB
7 | above 1023 MB

It is important to note that the amount of RAM is retrieved by calling
the GlobalMemoryStatus() function, which reports a few hundred
kilobytes less than the amount of RAM physically installed. So, 128 MB
of RAM would typically be classified as "between 64 MB and 127 MB".

>>>> Real-world example

Let us have a look at a real-world example. On one of our test systems
the hardware information consists of the following eight bytes.

0xC5 0x95 0x12 0xAC 0x01 0x6E 0x2C 0x32

Converting the bytes into H1 and H2, we obtain

H1 = 0xAC1295C5 and H2 = 0x322C6E01

Splitting H1 and H2 yields the next table in which we give the value
of each of the bit-fields and the information from which each value is
derived.

dw & | |
offset | value | derived from
-------+-------+-----------------------------------------------
H1 0 | 0x1C5 | '1234-ABCD'
H1 10 | 0x0A5 | '00C0DF089E44'
H1 20 | 0x37 | 'SCSI\CDROMPLEXTOR_CD-ROM_PX-32TS__1.01'
H1 27 | 0x15 | 'PCI\VEN_102B&DEV_0519&SUBSYS_00000000&REV_01'
H2 0 | 0x1 | (unused, always 0x1)
H2 3 | 0x00 | (CPU serial number not present)
H2 9 | 0x37 | 'SCSI\DISKIBM_____DCAS-34330______S65A'
H2 16 | 0x0C | 'PCI\VEN_9004&DEV_7178&SUBSYS_00000000&REV_03'
H2 21 | 0x1 | 'PCI\VEN_8086&DEV_7111&SUBSYS_00000000&REV_01'
H2 25 | 0x1 | 'GenuineIntel Family 6 Model 3'
H2 28 | 0x3 | (system has 128 MB of RAM)
H2 31 | 0x0 | (system is not dockable)

>>> Using XPDec

XPDec is a utility to be run from the command prompt. It may be
invoked with one of four command line options to carry out one of four
tasks.

>>>> XPDec -i

This option enables you to access the information hidden in an
Installation ID. It decodes the Installation ID, decrypts it, and
displays the values of the hardware bit-fields as well as the Product
ID of your product. Keep in mind that the last three digits of the
Product ID contained in the Installation ID are randomly selected and
differ from the Product ID displayed by Internet Explorer.

The only argument needed for the '-i' option is the Installation ID,
as in

XPDec -i 002666-077894-484890-114573-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX

>>>> XPDec -p

To help you trace the origin of your Product ID, this option decodes a
Product Key and displays the Raw Product Key as it would be used in a
Product ID.

The only argument needed for the '-p' option is the Product Key, as in

XPDec -p FFFFF-GGGGG-HHHHH-JJJJJ-KKKKK

Note that this option does not verify the digital signature of the
Product Key.

>>>> XPDec -v

This option calculates the hash of a given volume serial number. It
was implemented to illustrate our description of string hashing. First
use '-i' to display the hardware bit-fields. Then use this option to
verify our claims concerning the volume serial number hash.

The only argument needed for the '-v' option is the volume serial
number of your system volume, as in

XPDec -v 1234-ABCD

(The volume serial number is part of the 'dir' command's output.)

>>>> XPDec -m

This option calculates the network adapter bit-field value
corresponding to the given MAC address. Similar to '-v' this option
was implemented as a proof of concept.

The only argument needed for the '-m' option is the MAC address of
your network adapter, as in

XPDec -m 00-C0-DF-08-9E-44

(Use the 'route print' command to obtain the MAC address of your
network adapter.)

>> HARDWARE MODIFICATIONS

When looking at the effects of hardware modifications on an already
activated installation of Windows XP, the file 'wpa.dbl' in the
'system32' directory plays a central role. It is a simple
RC4-encrypted database that stores, among other things like expiration
information and the Confirmation ID of an activated installation,

a) the bit-field values representing the current hardware
configuration,

and

the bit-field values representing the hardware configuration
at the time of product activation.

While a) is automatically updated each time the hardware configuration
is modified in order to reflect the changes, remains fixed. Hence,
can be thought of as a snapshot of the hardware configuration at
the time of product activation.

This snapshot does not exist in the database before product activation
and if we compare the size of 'wpa.dbl' before and after activation,
we will notice an increased file size. This is because the snapshot is
added to the database.

When judging whether re-activation is necessary, the bit-field values
of a) are compared to the bit-field values of , i.e. the current
hardware configuration is compared to the hardware configuration at
the time of activation.

>>> Non-dockable computer

Typically all bit-fields with the exception of the unused field and
the 'dockable' field are compared. If more than three of these ten
bit-fields have changed in a) since product activation, re-activation
is required.

This means, for example, that in our above real-world example, we
could replace the harddrive and the CD-ROM drive and substantially
upgrade our RAM without having to re-activate our Windows XP
installation.

However, if we completely re-installed Windows XP, the information in
would be lost and we would have to re-activate our installation,
even if we had not changed our hardware.

>>> Dockable computer

If bit 31 of H2 indicates that our computer supports a docking
station, however, only seven of the ten bit-fields mentioned above are
compared. The bit-fields corresponding to the SCSI host adapter, the
IDE controller, and the graphics board are omitted. But again, of
these remaining seven bit-fields, only up to three may change without
requiring re-activation.

>> CONCLUSIONS

In this paper we have given a technical overview of Windows Product
Activation as implemented in Windows XP. We have shown what
information the data transmitted during product activation is derived
from and how hardware upgrades affect an already activated
installation.

Looking at the technical details of WPA, we do not think that it is as
problematic as many people have expected. We think so, because WPA is
tolerant with respect to hardware modifications. In addition, it is
likely that more than one hardware component map to a certain value
for a given bit-field. From the above real-world example we know that
the PX-32TS maps to the value 0x37 = 55. But there are probably many
other CD-ROM drives that map to the same value. Hence, it is
impossible to tell from the bit-field value whether it is a PX-32TS
that we are using or one of the other drives that map to the same
value.

In contrast to many critics of Windows Product Activation, we think
that WPA does not prevent typical hardware modifications and,
moreover, respects the user's right to privacy.

>> ABOUT THE AUTHORS

Fully Licensed GmbH is a start-up company focusing on novel approaches
to online software licensing and distribution. Have a look at their
website at

http://www.licenturion.com

for more information.

Their research branch every now and then analyzes licensing solutions
implemented by other companies.

>> COPYRIGHT

Copyright