Most of the code are skipped for easier reading but the code that changes the decoding is only 6 bytes so its very simple. Numbers are in hexdecimal. Example WinAsm: invoke RegQueryValueEx,eax,addr strname2,0,0,addr productkeyBuffer,addr buffersize2 ; get windows product key and byte ptr ds:[productkeyBuffer+42h],07h ; "magic" add this rigt after reading the product key from registry use the same algorithm that is found in every Windows product key viewer thats it.
How would one do this in the context of C# source? I don't really know any assembly and I figure the code I use varies a bit as I can't determine what the "buffer" in my code is.
I'm not good with assembly so that's pretty much Russian to me. Keep in mind that this is something that needs to be doable from VBS for the scripters.
cast the key buffer to a single dimensional byte array then Code: ByteArray[0x42] = ByteArray[0x42] & 0x07; or the short way Code: ByteArray[0x42] &= 0x07; should do it.
23456789BCDFGHJKMNPQRTVWXYbcdfghjkmnpqrtvwxy 23456789BCDFGHJKMNPQRTVWXY BCDFGHJKMNPQRTVWXY23456789 One of them 3.
Can't seem to make any of them work. Any changes I make to letters take me farther from the match, but I don't really understand the changes so much as plugging things in hoping it will work.
Thanks I installed win8 an caught the key index error, it seems like maybe a shift right (<<) operation on one of the bytes may rotate the last bit around cant do it in VBS though.
Looking at the supplied product.ini in the Windows 8 DP DVD, you can see which products has keys with the letter 'N' in it. These products and keys are: Code: EnterpriseNEval=KJC88-XWNCH-C4F7V-8X4DM-XBPMH ServerStorageStandard=XM9N3-TV9DQ-HTXBK-M7M6B-X4MRP ServerStorageWorkgroup=KJTGN-JD69D-FYQDK-WRD9B-VQRFH ServerStandardEval=K239N-DKBKY-BPJ7K-8V44P-PGT72 Embedded=MNMRC-69F8V-2FCXX-GFQVY-BXQ3X ServerDatacenterEval=WK3NH-YPQH4-7WQ9D-YGT3H-G6H4D Prerelease=H9VCT-63NFW-FWHDR-F4J43-972K8 EnterpriseEval=BNMMY-9D8F2-TKGQ6-BT8DJ-JFCMG ServerMultiPointStandard=83MRD-NQGP3-FJBJD-9X8TT-72V44 PrereleaseARM=D9HNY-JTJDK-BQM84-K3VTB-JK4D3 PrereleaseN=T87VG-N82DX-9Q7G4-67CHR-KBPMB ServerMultiPointPremium=N2MW6-VPYJ7-W9H3D-6GWJ2-6JBTC gvlkServerMultiPointStandard=3CK7G-VRNKC-8QBFR-9G8HC-YKG8W gvlkPrereleaseARM=NTJQR-RKW42-DMDHB-D8F6T-3V2MF gvlkServerMultiPointPremium=GRMDJ-JNF7H-W9WTC-WKQRG-H8KW6 gvlkPrerelease=NHKTD-YYMG6-H77XH-BWBC8-MR8X9 As you can see only the first block and the second block of the productkey have the letter 'N'. If it is safe to assume that will be always the case when Windows 8 or the new Windows Server goes RTM then the last three blocks can be calculated as we have always done. The trick is then to handle block1 and block2. For decoding the productkey, we are parsing one value to much. Code: Set WshShell = CreateObject("WScript.Shell") MsgBox ConvertToKey(WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId")) Function ConvertToKey(Key) Const KeyOffset = 52 Key(66) = Key(66) And 07 i = 28 Chars = "BCDFGHJKMPQRTVWXY2346789" Do Cur = 0 x = 14 Do Cur = Cur * 256 Cur = Key(x + KeyOffset) + Cur Key(x + KeyOffset) = (Cur \ 24) And 255 Cur = Cur Mod 24 x = x -1 Loop While x >= 0 i = i -1 KeyOutput = Mid(Chars, Cur + 1, 1) & KeyOutput If (((29 - i) Mod 6) = 0) And (i <> -1) Then i = i -1 KeyOutput = "-" & KeyOutput End If Loop While i >= 1 ConvertToKey = KeyOutput End Function
Looks like this: First in the (wrong) row is J J is 7th (BCDFGHJ) So del first and insert N on 7th place in a row May be just a coincidence, lol. However, N being 10th would somehow explain why only first two blocks are affected...
Maybe we have to process the first 2 blocks separately. We compute the last 3 then take care of the other 2. Of course that's based on an assumption that N cannot happen after block 2. If this isn't a coincidence, then one reads the first letter, removes it, and shoves an N in spot 7. Not sure how to test that
I built some code on the first letter = N assumption, and I create the right key (you do string processing after the fact). Can someone install the server dev preview, dump their PID to reg so I can see if it works? Feels like an assumption though as some keys have the first letter = N. I assume they would decode with B as first?
Not that easy - this would mean every key has one N inside, but in product ini of WDP there're many keys without N at all...
Oh crap I tried installing a different key to WDP to see if it would install so I could post it, but now windows went non-genuine. I can't activate again with the correct key cause it can't connect to the server... SCREWED EDIT: Oh you're right, I thought Jachra posted all keys, not only those with N. But then there's indeed a problem. EDIT2: Could it be that only skus that support volume licensing, have N in the key? There are some exothic server versions, but for the rest I see that the ones you can buy in store and server home products don't have N, while other servers and enterprise do have an N. All WDP installs in the world have the same key, so that's also VL, that's probably why prerelease versions have an N too.
Perhaps if the first letter is large (as in its index in the char alphabet is greater than 10), then there is no N, and the first letter is valid. That is why I want to see the other outputs of W8 keys, to see if the pattern holds. NOTE: We cannot tell what the first letter would be on the keys that have no N by looking at them, but if the first letter is Q or greater there is no N. In my code now J = 6, K = 7, ... P = 9, Q = 10. So how I set my code up is at the begginning of the function, if the OS is W8 (I got my own class for this, but I just check if the Win version is 6.2 or greater), then I do the AND 07 thing else skip it. Then at the end of processing the decodedChar, I check OS again in the if for W8, if not, return like normal, otherwise figure out where the first letter is in the char index. If it is in index 0-9, remove the first letter and all dashes, use substring to build up a string and shove N in the right spot, then put dashes back. This is producing the proper W8 Dev preview key but I want to test the WDP Server to be sure this isn't a one off hack.