Hello, MDL community. My first post here. I've just captured some network traffic while activating Windows 8 Pro with a working KMS server inside a virtual machine. The purpose is to replicate or emulate the real KMS server using some basic TCP programming, but there are some chunks of data inside which need to be studied to make it possible (possible?). I have uploaded documents, which I really hope can be used to aid the KMS emulator development. Link: (This ZIP file contains 2 sets of documents, in .DOCX format.)
I know from Windows 7 that the data sent contains the Application ID and the Windows AppID. The App ID in the Wireshark capture (Windows 7 App ID 55c92734-d682-4d71-983e-d6ec3f16059f) is partly in reversed bytes (little/big endian):
Code:
FC 00 00 00 FC 00 00 00 00 00 04 00 01 00 00 00
02 00 00 00 F4 A1 00 00 34 27 C9 55 82 D6 71 4D
98 3E D6 EC 3F 16 05 9F 09 E5 2E AE 34 1B C0 41
AC B7 6D 46 50 16 89 15 19 52 DE 7F FA FB 4A 48
82 C9 34 D1 AD 53 E8 56 2B 14 93 AD 57 3B FE 4F
BE 6C 11 B1 94 69 17 70 19 00 00 00 E3 74 27 64
6C 79 CD 01 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 76 00 42 00 6F 00 78 00 2D 00 50 00
43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 85 58 55 76 87 D3 A0 81 76 E2 BD B8
82 CD 4B DB
Application ID, ae2ee509-1b34-41c0-acb7-6d4650168915 (Windows 7 Enterprise):
Code:
FC 00 00 00 FC 00 00 00 00 00 04 00 01 00 00 00
02 00 00 00 F4 A1 00 00 34 27 C9 55 82 D6 71 4D
98 3E D6 EC 3F 16 05 9F 09 E5 2E AE 34 1B C0 41
AC B7 6D 46 50 16 89 15 19 52 DE 7F FA FB 4A 48
82 C9 34 D1 AD 53 E8 56 2B 14 93 AD 57 3B FE 4F
BE 6C 11 B1 94 69 17 70 19 00 00 00 E3 74 27 64
6C 79 CD 01 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 76 00 42 00 6F 00 78 00 2D 00 50 00
43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 85 58 55 76 87 D3 A0 81 76 E2 BD B8
82 CD 4B DB
What the rest of the data is, I don't know (yet).
Updated document (Set B): http://www.mediafire.com/view/?g2c293vwh3r4cwh For the new Windows 8 KMS, I can't see any traces of the App ID (a98bcd6d-5343-4603-8afe-5908e4611112) inside the stream. It seems something has changed (wrong capture?).
KMS communication has changed considerably with Windows 8. In Windows 7 the messages were unencrypted and only had a hash of the message appended for authentication. In Windows 8 the messages seem to be longer and completely encrypted. The first two packets are part of the RPC protocol that is used and are not very interesting. The actual messages begin with the bytes 00 00 04 00 (Windows 7) and 00 00 05 00 (Windows 8).
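As an added illustration (my own code, written for this thread, not the poster's and not taken from any KMS project), the following Python decodes the Windows 7 request dump quoted two posts up, using the two GUIDs that post already identified and the 00 00 04 00 / 00 00 05 00 version marker mentioned here. It reads the GUIDs with Windows' mixed-endian layout (uuid.UUID(bytes_le=...)), which is exactly the "reverse bytes" effect noted earlier, and it is written from the monitoring side: given a captured request, say which machine asked for activation of which product, and at what time. Labels other than the Application ID (the three 32-bit words, the count, the FILETIME, the machine name, the 16 trailing bytes) are my assumptions from the offsets in the dump; the bytes are copied from the dump except that the zero padding of the name field is regenerated rather than counted out by hand.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Bytes 0..129 of the Windows 7 KMS request quoted in the thread, i.e. up to the end of
# the machine name. The run of 00 bytes that pads the name field and the 16 trailing
# bytes are re-assembled below rather than counted out of the dump by hand.
DUMP_HEAD = bytes.fromhex(
    "FC000000" "FC000000"                 # two copies of the body length (0xFC = 252)
    "00000400"                            # version words: minor 0, major 4 (the 00 00 04 00 marker)
    "01000000" "02000000" "F4A10000"      # three 32-bit fields; names below are assumptions
    "3427C95582D6714D983ED6EC3F16059F"    # Application ID as identified in the thread
    "09E52EAE341BC041ACB76D4650168915"    # ae2ee509-... (Windows 7 Enterprise, per the thread)
    "1952DE7FFAFB4A4882C934D1AD53E856"    # GUID 3 (meaning not stated in the thread)
    "2B1493AD573BFE4FBE6C11B194691770"    # GUID 4 (meaning not stated in the thread)
    "19000000"                            # 0x19 = 25
    "E37427646C79CD01"                    # 64-bit little-endian FILETIME (assumed)
    "00000000000000000000000000000000"    # 16 zero bytes, an all-zero GUID (assumed)
    "760042006F0078002D0050004300"        # "vBox-PC" in UTF-16LE
)
DUMP_TAIL = bytes.fromhex("8558557687D3A08176E2BDB882CD4BDB")  # last 16 bytes of the dump

NAME_OFFSET = 116       # where the UTF-16LE machine name starts in the dump
NAME_FIELD_LEN = 128    # 64 UTF-16 code units; assumed from 260 total - 116 - 16 trailing bytes
TRAILER_LEN = 16

# Constructed sample: dump head + regenerated zero padding + the 16 trailing bytes = 260 bytes.
SAMPLE_V4_REQUEST = (
    DUMP_HEAD
    + bytes(NAME_FIELD_LEN - (len(DUMP_HEAD) - NAME_OFFSET))
    + DUMP_TAIL
)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def kms_version(pkt: bytes):
    """(major, minor) from the two 16-bit words at offset 8, or None if the packet is too short.
    00 00 04 00 -> (4, 0) for Windows 7; 00 00 05 00 -> (5, 0) for Windows 8."""
    if len(pkt) < 12:
        return None
    minor, major = struct.unpack_from("<HH", pkt, 8)
    return major, minor


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_v4_request(pkt: bytes) -> dict:
    """Decode the fixed-layout fields of a v4.0 request as they appear in the quoted dump.
    GUIDs are read with bytes_le, which is why the first three groups look byte-reversed
    in the raw hex compared to the printed 55c92734-... form."""
    body_len, body_len_again = struct.unpack_from("<II", pkt, 0)
    if body_len != body_len_again or body_len + 8 != len(pkt):
        raise ValueError("length prefix does not match packet size")
    if kms_version(pkt) != (4, 0):
        raise ValueError("not a v4.0 request: %r" % (kms_version(pkt),))
    word_0c, word_10, word_14 = struct.unpack_from("<III", pkt, 12)
    app_id, sku_id, guid3, guid4 = (
        uuid.UUID(bytes_le=pkt[off:off + 16]) for off in (24, 40, 56, 72)
    )
    (count,) = struct.unpack_from("<I", pkt, 88)
    (filetime,) = struct.unpack_from("<Q", pkt, 92)
    name_end = NAME_OFFSET + NAME_FIELD_LEN
    name = pkt[NAME_OFFSET:name_end].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "app_id": app_id,
        "sku_id": sku_id,
        "guid3": guid3,
        "guid4": guid4,
        "word_0x0c": word_0c,     # 1 in the dump
        "word_0x10": word_10,     # 2 in the dump
        "word_0x14": word_14,     # 0xA1F4 = 41460 in the dump
        "count": count,           # 25 in the dump
        "timestamp": filetime_to_datetime(filetime),
        "machine_name": name,
        "trailer": pkt[name_end:name_end + TRAILER_LEN],
    }


def summarize(pkt: bytes) -> str:
    """One-line summary of a v4.0 request, as a monitoring log line."""
    r = parse_v4_request(pkt)
    return "KMS v4.0 request from %s: app=%s sku=%s count=%d at %s" % (
        r["machine_name"], r["app_id"], r["sku_id"], r["count"], r["timestamp"].isoformat()
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_V4_REQUEST))
```

Running it prints the machine name "vBox-PC" that is sitting in the dump as UTF-16LE, the two GUIDs in their printed form, the count 25 and a FILETIME that decodes to August 2012. The same kms_version() check is the cheapest way to tell a Windows 7 (4.0) request from a Windows 8 (5.0) one in a capture, since it only looks at offset 8 of the message.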
In the dump, we can see that 6b a7 13 a8 cd 9a 50 e5 ce 83 28 6d 76 07 71 ea and d2 07 81 e6 6e 32 70 22 84 4d c6 de 03 2e 02 are salt keys. The KMS client encrypts its request stream with it. KMS decrypts the request with this key, computes the response, encrypts it with the key sent by the client and sends it back to the client with the encryption key. At each request, the key changes.
Generally speaking, with some encryption types, if you already know the exact content of what is being encrypted then it's possible to decrypt the master key by a brute-force algorithm.
How can you be sure? Why would the server use the same nonce the client used for his request, and then still embed the key again in the response?
It makes no sense to reply with a part of the client's request if this part had no utility during the protocol exchange! Be sure that if KMS includes this, it must make sense for the KMS client...
Yes, that would allow Windows 8 clients (threshold 25) and Windows Server 2012 (threshold 5) as well. How the threshold works: 4 client CMIDs and 1 server CMID make a total of 5, from where you can start activating server OSes. 5 server CMIDs and 20 client CMIDs make a total of 25, from where you can start activating client OSes as well. I have been looking into something to fake Windows 7/Windows Server 2008 R2 activation requests, faking the CMID count to be able to use a KMS VHD with only a few clients. If anyone has more info on how to accomplish this, please share.
Sorry, I probably could have worded it better. One of the approaches with the activation failure of Office with the original ZWT was to clear the CMID (besides changing the hardcoded Extended PID). Is it possible rather to create a simple app that clears the Windows 8 CMID from the machine and then attempts to activate it multiple times against the valid KMS host, thus increasing the current count without the need for the emulation of the client?
If the traffic is encrypted at the client side then how does the host know how to decrypt it? Either it's a fixed key and something in the first message is used as salting, or the key is based on the current time, or it's a combo. We need more systems and keys to play with, I think. See if the first message changes when using a different machine, or a different installation ID. Also see if it changes when using a different KMS key, etc...
The client's CMID was sent to the modified keygen like it always/normally does; what could this possibly have to do with the Office activation failing using the KMS keygen and/or a hardcoded Extended PID? The CMID data sent to the keygen is original; the keygen does not use this or other submitted data other than for the purpose of returning proper valid data to the client, e.g. the Windows 7 KMS activation seems to send data as clear text (unencrypted), using a hash to validate submitted/returned data. Clearing/changing the CMID is a solution; as far as I know this can only be done using sysprep /generalize (making it time consuming to be able to reach the 25 client threshold).
Can VM operations be batched (VMware, VirtualBox, ... doesn't matter)? So when some shortcut is clicked, VMware starts the first snapshot and lets it run for 10 minutes, then it goes automatically to the 2nd snapshot and runs it for 10 minutes... If in each VM a KMS activation script is placed in the startup folder then all clients will connect to the host. Only once a month does the thing need to be started to be good, and you can run it during the night or whatever moment you're doing nothing with your PC.