Hi All, I've been away from MDL for some time, but was just browsing last night and came across this thread. I wish it had been here 2 1/2 years ago when I did my own research into KMS client/server and the ZWT 'keygen'. I got stuck at the hashing part. Anyhow, that was quite some time ago...

@cody, What's the problem with the timestamp? This is the code I used:

Code:
    #include <windows.h>   // FILETIME, GetSystemTimeAsFileTime
    #include <string.h>    // memcpy

    // Fix-up date/time because there is a tolerance built into KMS host
    FILETIME fileTime;
    GetSystemTimeAsFileTime(&fileTime);
    memcpy(&pin_buffer[0x54], &fileTime, sizeof(FILETIME));

Also, if you are looking to create a C# host, then for the RPC part I would recommend a C++/CLI (managed C++) assembly to expose itself as an RPC server and offer up an event delegate every time it receives a request that the C# code listens for. C++/CLI is the king of interop. I don't get much spare time these days, but if you'd like me to knock up a sample I'll see what I can do.

Regards

ps. I have read through the whole thread, but didn't see the @nosferati87 hashing code shared publicly? Is it available, or just shared privately? This is the only part I didn't manage to succeed in before and I'd be very interested to learn more about this particular piece of the jigsaw puzzle.

pps. 252 bytes (0xfc) is the correct request length

-- bedrock
I'm unsure what you're trying to do when you say the last 14 bytes? I must admit (as previously stated) that I never got the hashing correct, but I would expect the hash to be the last 16 (0x10) bytes of the packet, and to be made up of everything beforehand in the packet. Looking back at my own code I had something like

Code:
    char hash[0x10] = {0};
    generate_hash(in_length - 0x10, pin_buffer, 0x10, hash);

I just never got the generate_hash function correct.
Seems we both reached a similar point... I've never been very good with the crypto reversing, and in the end I gave up. However, I did find a patch point in sppsvc.exe that let me skip the hash check, and ultimately this allowed me to artificially bump the activation count by sending 25 fake client requests and ignoring the hash on them all at the real server end. But really this was a dirty way to achieve this goal. And attaching Olly to sppsvc.exe is a PITA. Unfortunately, since I did this work I have had to reinstall and lost my Olly .udd file; I just have scraps of paper with breakpoint addresses left. I would still like to better understand the hashing and create a real client request. Hopefully someone will make a breakthrough with the hashing and will be willing to share with the community.
Great news! I knew you would/could do it. Might it be possible to add support to fake "office", "client" and "server" activation requests? Changing AppID?