Thanks a lot for this. Btw: This is the first official description of a SLIC I have read. The description isn't detailed; we already know a lot more. The MSDM table is now officially confirmed. It contains data created by a M$ tool, to be injected by the OEMs into the ACPI namespace (called from RSDT/XSDT). Anyway, we know (officially) neither what the data are nor their length. Unconfirmed: a 29 byte sequence. Shown in the dump: 49 bytes, though. It might be that the mentioned M$ tool creates the 49 byte table data from a 25 digit serial (+4 hyphens = 29 bytes).
I decided to improve the code of the checker a bit:

Code:
// GetWindowsKeyEx definition
#include <windows.h>
#include <stdio.h>
#include <string.h>

const char* GetWindowsKeyEx()
{
    unsigned char KeyData[0xA4];               //Registry data holder
    unsigned long Size = sizeof(KeyData);      //Size of registry data
    unsigned long Status;                      //Temporary variable for errors
    HKEY KeyHandle = NULL;                     //Registry key handle
    char Chars[] = "BCDFGHJKMPQRTVWXY2346789"; //Array of valid key characters
    char KeyOutput[26] = {};                   //Key without dashes
    char NewKeyOutput[26] = {};                //Temporary variable for Windows 8 Key
    static char FinalKey[30];                  //Key with dashes (static, because it is returned to the caller)
    const int KeyOffset = 52;                  //Offset where the key is encoded in KeyData
    int Last = 0;
    bool isWin8 = FALSE;                       //Checks if putting N is needed

    memset(FinalKey, 0, sizeof(FinalKey));

    //Let's open key in registry where the product key should be...
    Status = RegOpenKeyEx(
        HKEY_LOCAL_MACHINE,
        TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"),
        0,
        KEY_READ | KEY_WOW64_64KEY,
        &KeyHandle
    );

    //If ERROR
    if (Status != ERROR_SUCCESS)
        return "Error1"; //Error 1

    //Let's open a value with product key...
    Status = RegQueryValueEx(
        KeyHandle,
        TEXT("DigitalProductId"),
        NULL,
        NULL,
        KeyData,
        &Size
    );

    //Close registry (on the error path as well)
    RegCloseKey(KeyHandle);

    //If ERROR, or the value is too short to hold the encoded key
    if (Status != ERROR_SUCCESS || Size < (unsigned long)(KeyOffset + 15))
        return "Error2"; //Error 2

    //Check if it's Windows 8 here
    isWin8 = (KeyData[66] >> 3) & 1;
    KeyData[66] = (KeyData[66] & 0xF7) | ((isWin8 & 2) << 2);

    //Base24 decoding of KeyData (from 52 to 66)
    for (int i = 24; i >= 0; i--)
    {
        int Cur = 0;
        for (int X = 14; X >= 0; X--)
        {
            Cur = Cur << 8;
            Cur = KeyData[X + KeyOffset] + Cur;
            KeyData[X + KeyOffset] = (Cur / 24);
            Cur %= 24;
        }
        KeyOutput[i] = Chars[Cur];
        Last = Cur;
    }

    //If it's Windows 8, put 'N'
    if (isWin8)
    {
        strncpy(NewKeyOutput, KeyOutput + 1, Last);
        NewKeyOutput[Last] = 'N';
        //Only 24 - Last characters remain; copying more would overrun NewKeyOutput
        strncpy(NewKeyOutput + Last + 1, KeyOutput + Last + 1, 24 - Last);
        strncpy(KeyOutput, NewKeyOutput, 25);
    }

    //Add some dashes...
    int j = 0; //This is the number of dashes we put already
    for (int i = 0; i < (int)sizeof(KeyOutput) - 1; i++)
    {
        if (!(i % 5) && i)
        {
            FinalKey[i + j] = '-';
            j++;
        }
        FinalKey[i + j] = KeyOutput[i];
    }

    return FinalKey; //Return the final key value (with dashes)
}

//Usage example:
int main()
{
    const char* Key = GetWindowsKeyEx();
    printf("%s\n", Key);
    return 0;
}

I have replaced DO loops with FOR since they look better. Key is now null-terminated and dashes are being added another way. I don't know VB but if I have some time, I will improve the VBS code in the same way.

I added some comments for you to understand the code. VBS version:

Code:
Set WshShell = CreateObject("WScript.Shell")
' Print ConvertToKey function's result in a MessageBox
MsgBox ConvertToKey(WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId"))

Function ConvertToKey(Key)
    Const KeyOffset = 52 ' Offset of the first byte of key in DigitalProductId - helps in loops
    isWin8 = (Key(66) \ 8) And 1 ' Check if it's Windows 8 here (bit 3 of byte 66, same as >> 3 in the C version)
    Key(66) = (Key(66) And &HF7) Or ((isWin8 And 2) * 4) ' Replace byte 66 with logical result
    Chars = "BCDFGHJKMPQRTVWXY2346789" ' Characters used in Windows key

    ' Standard Base24 decoding...
    For i = 24 To 0 Step -1
        Cur = 0
        For X = 14 To 0 Step -1
            Cur = Cur * 256
            Cur = Key(X + KeyOffset) + Cur
            Key(X + KeyOffset) = (Cur \ 24)
            Cur = Cur Mod 24
        Next
        KeyOutput = Mid(Chars, Cur + 1, 1) & KeyOutput
        Last = Cur
    Next

    ' If it's Windows 8, put "N" in the right place
    If (isWin8 = 1) Then
        keypart1 = Mid(KeyOutput, 2, Cur)
        insert = "N"
        KeyOutput = keypart1 & insert & Mid(KeyOutput, Cur + 2)
    End If

    ' Divide keys to 5-character parts
    a = Mid(KeyOutput, 1, 5)
    b = Mid(KeyOutput, 6, 5)
    c = Mid(KeyOutput, 11, 5)
    d = Mid(KeyOutput, 16, 5)
    e = Mid(KeyOutput, 21, 5)

    ' And join them again adding dashes
    ConvertToKey = a & "-" & b & "-" & c & "-" & d & "-" & e
    ' The result of this function is now the actual product key
End Function
There is a possibility of a buffer overflow in my original code; I settled on dynamically allocating memory for arrays like KeyData. Attached is a bit of code to dump the ACPI tables, extract the OEM certificate(s) from tokens.dat and decode the product key and save to files.
According to the ACPI website, the MSDM table is introduced in ACPI Specification - Revision 5.0. acpi.info/spec50.htm
As per the Links to ACPI-Related Documentation, acpi.info/links.htm, Microsoft Software Licensing Tables (SLIC and MSDM) is a link to msdn.microsoft.com/en-us/library/windows/hardware/hh673514
So it is very likely MS is going to use MSDM for OA3.0, my guess.
Saw this on the bios.net.cn forum regarding Intel boards DH67BL, DH67CF, DH67CL, DH67GD, DH67VR. The latest BIOS is Version 0132 - BLH6710H.86A.0132.2011.1007.1505. In the release notes, as per below:

New Fixes/Features:
- Updated ITE module support.
- Fixed issue with monitor sleep states.
- Updated processor support.
- Updated Intel® ME firmware to version 7.1.20.1119.
- Added support for Microsoft* OEM Activation 3.0.
- Fixed issue where certain RAID card hangs when pressing Ctrl-G.
- Updated vBIOS to version 2119.
- Added ITE889X module for performance improvement.

Wonder if anyone knows how to look at this BIOS and see what the support for Microsoft* OEM Activation 3.0 is.
hxxp://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20586&lang=eng
Huge success!!! Got another HP Pavilion g6 & extracted the MSDM table physically.... it has a key inside it

Code:
MSDM Table: 0x000000009CFEB000
4D 53 44 4D 55 00 00 00 03 28 48 50 20 20 20 20  MSDMU....(HP    
31 36 37 30 20 20 20 20 01 00 00 00 4D 53 46 54  1670    ....MSFT
13 00 00 01 01 00 00 00 00 00 00 00 01 00 00 00  ................
00 00 00 00 1D 00 00 00 42 48 33 52 4E 2D 42 37  ........BH3RN-B7
46 44 4D 2D 43 37 57 47 54 2D 34 43 52 34 58 2D  FDM-C7WGT-4CR4X-
36 43 4B 48 4D                                   6CKHM

Signature         "MSDM"
Length            0x00000055 (85)
Revision          0x03 (3)
Checksum          0x28 (40)
OEM ID            "HP    "
OEM Table ID      "1670    "
OEM Revision      0x00000001 (1)
Creator ID        "MSFT"
Creator Revision  0x01000013 (16777235)
Data  0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Data  0x1D 0x00 0x00 0x00 0x42 0x48 0x33 0x52 0x4E 0x2D 0x42 0x37 0x46 0x44 0x4D 0x2D
Data  0x43 0x37 0x57 0x47 0x54 0x2D 0x34 0x43 0x52 0x34 0x58 0x2D 0x36 0x43 0x4B 0x48
Data  0x4D

Though the key can't be decrypted by CODY's toolkit keychecker. The PC came with Windows 7 Home Basic...
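Added example, not part of the original post or of any tool mentioned in the thread: a bounds-checked C parser for the layout visible in the dump above (36-byte ACPI header, five 32-bit little-endian words, then the 29-byte key), which also accounts for the 49 data bytes mentioned earlier (20 + 29). The names `msdm_parse`, `msdm_build_sample` and `struct msdm_info`, the reading of the fifth word as the key length, the key-shape check and the placeholder key in the constructed sample are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define ACPI_HDR_LEN 36u  /* standard ACPI table header */
#define MSDM_PRE_LEN 20u  /* five 32-bit words that precede the key in the dump */
#define MSDM_KEY_LEN 29u  /* 25 characters + 4 hyphens */
#define MSDM_LEN (ACPI_HDR_LEN + MSDM_PRE_LEN + MSDM_KEY_LEN)  /* 85 = 0x55 */

struct msdm_info { uint32_t length, data_len; char key[MSDM_KEY_LEN + 1]; };
static uint32_t rd32le(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint8_t sum8(const uint8_t *p, size_t n) {  /* byte sum modulo 256 */
    uint8_t s = 0; while (n--) s = (uint8_t)(s + *p++); return s;
}

/* Returns 0 on success, a negative code on a malformed table; never reads past buf_len. */
int msdm_parse(const uint8_t *buf, size_t buf_len, struct msdm_info *out) {
    if (buf_len < ACPI_HDR_LEN + MSDM_PRE_LEN) return -1;         /* too short */
    if (memcmp(buf, "MSDM", 4) != 0) return -2;                   /* wrong signature */
    uint32_t len = rd32le(buf + 4);
    if (len > buf_len || len < ACPI_HDR_LEN + MSDM_PRE_LEN) return -3;  /* bad Length */
    if (sum8(buf, len) != 0) return -4;                           /* ACPI checksum */
    uint32_t dlen = rd32le(buf + ACPI_HDR_LEN + 16);              /* fifth word: 0x1D */
    if (dlen != MSDM_KEY_LEN || dlen > len - ACPI_HDR_LEN - MSDM_PRE_LEN) return -5;
    const uint8_t *key = buf + ACPI_HDR_LEN + MSDM_PRE_LEN;
    for (uint32_t i = 0; i < dlen; i++) {                         /* XXXXX-XXXXX-... */
        int ok = (i % 6 == 5) ? key[i] == '-' : isupper(key[i]) || isdigit(key[i]);
        if (!ok) return -6;
    }
    out->length = len; out->data_len = dlen;
    memcpy(out->key, key, dlen);
    out->key[dlen] = '\0';
    return 0;
}

/* Constructed sample with a placeholder key; the checksum byte is computed here. */
size_t msdm_build_sample(uint8_t *buf, size_t cap) {
    static const uint8_t head[ACPI_HDR_LEN + MSDM_PRE_LEN] = {
        'M','S','D','M', 0x55,0,0,0, 3, 0, 'T','E','S','T',' ',' ',
        'S','A','M','P','L','E',' ',' ', 1,0,0,0, 'M','S','F','T', 0x13,0,0,1,
        1,0,0,0, 0,0,0,0, 1,0,0,0, 0,0,0,0, 0x1D,0,0,0 };
    if (cap < MSDM_LEN) return 0;
    memcpy(buf, head, sizeof head);
    memcpy(buf + sizeof head, "AAAAA-BBBBB-CCCCC-DDDDD-EEEEE", MSDM_KEY_LEN);
    buf[9] = (uint8_t)(0u - sum8(buf, MSDM_LEN));  /* all bytes must sum to 0 mod 256 */
    return MSDM_LEN;
}
```

The key sits in the table as plain ASCII, so any software able to read the ACPI tables can recover it; the checksum only detects corruption and is not an integrity or confidentiality control.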
I'm full of a cold right now so I've only taken a quick look, but unfortunately I was unable to pull any information from it (invalid key). pidgenx.dll now contains a new function called PidGenX2 which I guess is used for these new serials. Simply switching to PidGenX2 results in an invalid arguments error. That'd be because the function looks like this:

Code:
int __stdcall PidGenX2(int a1, const WCHAR *Buffer, unsigned __int16 *a3, int a4, int a5, wchar_t *a6, void *Dst, void *a8)
I don't know if that product key is present in the registry, but if you could dump this reg key, we might get some answers. Nice find btw.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
DigitalProductId
This is no Hack it is a Bug! Yes ok, but that's not really a solution. I and others can always disable Java again? You need to install a simple PHP function that works by choking and good.
@Daz When I decompile this function, I get different arguments for this function. My version decompiles to:

Code:
signed int __stdcall PidGenX2(int a1, SIZE_T Buffer, int Args, int a4, int a5, wchar_t *Dest, int a7, int Dst)

Maybe this will help you to find out what the invalid arguments are. Looking through my decompiled, I can see that int a1 is required and int a4 can be omitted.
In order to check a key you have to use the right pkeyconfig, and as far as we know this might not even be a conventional key but simply used to mark a BIOS as unique for activation, hence not installed like a Windows key. MS might use a generic key that, when combined with a valid key like this, activates you.