Captured Windows 8 KMS Activation Network Traffic

Discussion in 'Windows 8' started by Dhilip89, Aug 14, 2012.

  1. CODYQX4

    CODYQX4 MDL Developer

    Sep 4, 2009
    4,813
    45,776
    150
    #221 CODYQX4, Oct 26, 2012
    Last edited: Apr 12, 2019
    .
     
  2. TCM

    TCM MDL Addicted

    Aug 25, 2011
    808
    417
    30
    The old one for Win7/Office2010, right?
     
  3. CODYQX4

    CODYQX4 MDL Developer

    #223 CODYQX4, Oct 27, 2012
    Last edited: Apr 12, 2019
    .
     
  4. CODYQX4

    CODYQX4 MDL Developer

    #224 CODYQX4, Oct 29, 2012
    Last edited: Apr 12, 2019
    .
     
  5. CODYQX4

    CODYQX4 MDL Developer

    #225 CODYQX4, Nov 10, 2012
    Last edited: Apr 12, 2019
    .
     
  6. CODYQX4

    CODYQX4 MDL Developer

    #226 CODYQX4, Nov 10, 2012
    Last edited: Apr 12, 2019
    .
     
  7. CODYQX4

    CODYQX4 MDL Developer

    #227 CODYQX4, Nov 11, 2012
    Last edited: Apr 12, 2019
    .
     
  8. CODYQX4

    CODYQX4 MDL Developer

    #228 CODYQX4, Nov 11, 2012
    Last edited: Apr 12, 2019
    .
     
  9. bedrock

    bedrock MDL Member

    Nov 16, 2007
    129
    46
    10
    #229 bedrock, Nov 11, 2012
    Last edited by a moderator: Apr 20, 2017
    Hi All,

    I've been away from MDL for some time, but was just browsing last night and came across this thread. I wish it had been here 2 1/2 years ago when I did my own research into KMS client/server and the ZWT 'keygen'. I got stuck at the hashing part :(

    Anyhow, that was quite some time ago...

    @cody,

    What's the problem with timestamp, this is the code I used:

    Code:
    #include <windows.h>   // FILETIME, GetSystemTimeAsFileTime
    #include <string.h>    // memcpy

    // Fix-up date/time because there is a tolerance built into KMS host:
    // write the client's current time (64-bit FILETIME) at offset 0x54 of the request
    FILETIME fileTime;
    GetSystemTimeAsFileTime(&fileTime);
    memcpy(&pin_buffer[0x54], &fileTime, sizeof(FILETIME));
    
    Also, if you are looking to create a C# host, then for the RPC part I would recommend a C++/CLI (managed C++) assembly to expose itself as an RPC server and offer up an event delegate every time it receives a request that the C# code listens for. C++/CLI is the king of interop :) I don't get much spare time these days, but if you'd like me to knock up a sample I'll see what I can do.

    Regards

    ps. I have read through the whole thread, but didn't see the @nosferati87 hashing code shared publicly? Is it available, or just shared privately? This is the only part I didn't manage to succeed in before and I'd be very interested to learn more about this particular piece of the jigsaw puzzle.

    pps. 252 bytes (0xfc) is the correct request length :)

    --
    bedrock
     
  10. CODYQX4

    CODYQX4 MDL Developer

    #230 CODYQX4, Nov 11, 2012
    Last edited: Apr 12, 2019
    .
     
  11. CODYQX4

    CODYQX4 MDL Developer

    #231 CODYQX4, Nov 11, 2012
    Last edited: Apr 12, 2019
    .
     
  12. bedrock

    bedrock MDL Member

    #232 bedrock, Nov 11, 2012
    Last edited by a moderator: Apr 20, 2017
    I'm unsure what you're trying to do when you say the last 14 bytes?

    I must admit (as previously stated) that I never got the hashing correct, but I would expect the hash to be the last 16 (0x10) bytes of the packet, and to be made up of everything beforehand in the packet.

    Looking back at my own code I had something like
    Code:
    // Hash field = last 0x10 bytes of the request; input = everything before it
    char hash[0x10] = {0};
    generate_hash(in_length - 0x10, pin_buffer, 0x10, hash);  // generate_hash(): the part that was never got right
    I just never got the generate_hash function correct :(
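    As an added example (not code from this thread or from any of the posters), the following C program decodes the three request properties bedrock describes above from a defender's side: the 252-byte (0xFC) request length, the 64-bit FILETIME at offset 0x54, and the trailing 16-byte hash field. It is the kind of check someone auditing captured KMS traffic would run to flag requests of unexpected size or with stale/replayed timestamps. The hash algorithm is not given anywhere in the thread, so the code only extracts the field and does not compute or verify it. Assumptions beyond the thread: the FILETIME is stored little-endian on the wire, the host-side tolerance value is a parameter (the real value is not stated here), and the sample request bytes are constructed for the example, not captured traffic.

```c
/* Added example, not from the thread: audit a captured KMS request buffer for
 * the properties stated in the posts above (length 0xFC, FILETIME at 0x54,
 * 16-byte hash field at the end). Everything else in the request is opaque. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KMS_REQ_LEN        0xFCu   /* 252 bytes, as stated in the post        */
#define KMS_TIME_OFFSET    0x54u   /* FILETIME location, as stated in the post */
#define KMS_HASH_LEN       0x10u   /* trailing hash field, as stated in the post */

/* FILETIME epoch (1601-01-01) to Unix epoch (1970-01-01), in 100 ns ticks. */
#define FILETIME_UNIX_DIFF 116444736000000000ULL

/* Assumption: FILETIME is little-endian on the wire. */
static uint64_t rd_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

static void wr_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Convert FILETIME ticks to Unix seconds; -1 if the value predates 1970. */
int64_t filetime_to_unix(uint64_t ft) {
    if (ft < FILETIME_UNIX_DIFF) return -1;
    return (int64_t)((ft - FILETIME_UNIX_DIFF) / 10000000ULL);
}

typedef struct {
    int     length_ok;         /* total length is exactly 0xFC                 */
    int64_t client_time;       /* decoded timestamp (Unix seconds), -1 if bad  */
    int     within_tolerance;  /* |client_time - reference_time| <= tolerance  */
    uint8_t hash[KMS_HASH_LEN];/* trailing hash field, copied, not verified     */
} kms_req_audit;

/* Audit one request against a reference clock (e.g. the capture timestamp).
 * tolerance_s is a hypothetical parameter modelling the host-side tolerance
 * the post mentions; the thread does not give the real value. Returns 1 if
 * the buffer was parsed, 0 if its length does not match. */
int audit_kms_request(const uint8_t *req, size_t len, int64_t reference_time,
                      int64_t tolerance_s, kms_req_audit *out) {
    memset(out, 0, sizeof *out);
    out->client_time = -1;
    if (len != KMS_REQ_LEN) return 0;
    out->length_ok = 1;
    out->client_time = filetime_to_unix(rd_le64(req + KMS_TIME_OFFSET));
    int64_t delta = out->client_time - reference_time;
    if (delta < 0) delta = -delta;
    out->within_tolerance = (out->client_time >= 0) && (delta <= tolerance_s);
    memcpy(out->hash, req + len - KMS_HASH_LEN, KMS_HASH_LEN);
    return 1;
}

/* Constructed sample request (not real traffic): opaque 0xAA filler, a FILETIME
 * for the given Unix time at 0x54, and a 0x5C pattern in the hash field. */
void make_sample_request(uint8_t *buf, int64_t unix_time) {
    memset(buf, 0xAA, KMS_REQ_LEN);
    wr_le64(buf + KMS_TIME_OFFSET,
            (uint64_t)unix_time * 10000000ULL + FILETIME_UNIX_DIFF);
    memset(buf + KMS_REQ_LEN - KMS_HASH_LEN, 0x5C, KMS_HASH_LEN);
}

/* Build a sample stamped at client_unix and audit it against reference_time.
 * Returns within_tolerance (1/0), or -1 if the audit could not parse it. */
int sample_request_fresh(int64_t client_unix, int64_t reference_time, int64_t tolerance_s) {
    uint8_t req[KMS_REQ_LEN];
    kms_req_audit a;
    make_sample_request(req, client_unix);
    if (!audit_kms_request(req, sizeof req, reference_time, tolerance_s, &a)) return -1;
    return a.within_tolerance;
}

int main(void) {
    const int64_t capture_time = 1352592000;   /* 2012-11-11 00:00:00 UTC, constructed */
    const int64_t tol = 4 * 3600;              /* hypothetical 4 h tolerance */
    printf("fresh request within tolerance: %d\n", sample_request_fresh(capture_time, capture_time, tol));
    printf("day-old request within tolerance: %d\n", sample_request_fresh(capture_time - 86400, capture_time, tol));
    return 0;
}
```

A stale timestamp on its own is not proof of replay (clock skew on the client is the usual cause), but a request whose length or timestamp falls outside the expected envelope is a cheap first filter before any deeper inspection of the opaque fields.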
     
  13. CODYQX4

    CODYQX4 MDL Developer

    #233 CODYQX4, Nov 11, 2012
    Last edited: Apr 12, 2019
    .
     
  14. bedrock

    bedrock MDL Member

    Seems we both reached a similar point...

    I've never been very good with the crypto reversing, and in the end I gave up. However I did find a patch point in sppsvc.exe that let me skip the hash check, and ultimately this allowed me to artificially bump the activation count by sending 25 fake client requests and ignoring the hash on them all at the real server end. But really this was a dirty way to achieve this goal. And attaching Olly to sppsvc.exe is a PITA. Unfortunately since I did this work I have had to reinstall and lost my Olly .udd file; I just have scraps of paper with breakpoint addresses left.

    I would still like to better understand the hashing and create a real client request. Hopefully someone will make a breakthrough with the hashing and will be willing to share with the community.
     
  15. CODYQX4

    CODYQX4 MDL Developer

    #235 CODYQX4, Nov 14, 2012
    Last edited: Apr 12, 2019
    .
     
  16. CODYQX4

    CODYQX4 MDL Developer

    #236 CODYQX4, Nov 14, 2012
    Last edited: Apr 12, 2019
    .
     
  17. FreeStyler

    FreeStyler MDL Guru

    Jun 23, 2007
    3,563
    3,857
    120
    #237 FreeStyler, Nov 14, 2012
    Last edited: Nov 14, 2012
    Great news! I knew you would/could do it :D
    Might it be possible to add support to fake "office", "client" and "server" activation requests? Changing AppID?
     
  18. CODYQX4

    CODYQX4 MDL Developer

    #238 CODYQX4, Nov 14, 2012
    Last edited: Apr 12, 2019
    .
     
  19. FreeStyler

    FreeStyler MDL Guru

    Let me see what I can come up with... give me an hour or so

    Nope, my bad ;)
     
  20. CODYQX4

    CODYQX4 MDL Developer

    #240 CODYQX4, Nov 14, 2012
    Last edited: Apr 12, 2019
    .