I thought it brings the KMS server to the required count automatically? Can anyone clarify? Currently I run it automatically every day on the KMS server itself. Also, Windows command line coders need to take a good hard look at UNIX command line tools regarding usability.
Good work on the tool for spoofing the client requests. Would be nice if we could work out how to create valid responses to the activation request; then we could ditch the KMS server...
Would love to continue this thread also. I have taken a quick look at the updated sppsvc.exe, but it seems full of obfuscated code which looks beyond me at this time. I was hoping, as a starter, to just be able to debug through sppsvc.exe and find the decrypted V5 packet in memory to actually see if M$ have changed anything, or just added the full packet encryption, but so far I haven't made any progress. @jarod75, I have been looking at the version of sppsvc on Win7 SP1 with KB2757817 applied, but I don't see the same addresses as mentioned in a couple of your posts, e.g. sub_75B0EB. Am I using IDA incorrectly, or is this due to address layout randomization? From reading through this thread, I can't help but feel there are enough skilled people on this forum that can work together and make progress with a Win8 KMS server emulator. What do you all think? -- bedrock
If anyone wants to research SPPSVC.EXE, one might want to start with the subroutine sub_45B063() because it holds the RPC interface. Any communication starts or ends there. One could use this subroutine to see how it decodes the traffic from a KMS Service.
Is it possible to compile the KMS-EMU under Linux, so that we can run the KMS-Emu (server) maybe on a Linux server/router (example: on a Fritzbox with Freetz)?
Or this case... hmm, someone will maybe find it useful; these little devices are running 24/7... =/... maybe anyone knows what has to be ported, like RPC or includes :/
In the new protocol (KMS Host-Client) Microsoft uses an encryption like AES128-CBC. The session key is: BYTE SessionKey[16]={0xCD,0x7E,0x79,0x6F,0x2A,0xB2,0x5D,0xCB,0x55,0xFF,0xC8,0xEF,0x83,0x64,0xC4,0x70}; For research, you should use the KMS server based on Windows 7 x86 with the update KB2691586 (not KB2757817), because Microsoft made a mistake, which will help us. Probably help us...
Now we move on... The structures of data are:

struct REQUEST {
    WORD MinorVer;
    WORD MajorVer;
    DWORD Tag;
    DWORD LicenseStatus;
    DWORD GraceTime;
    GUID AppIdGUID;
    GUID SkuIdGUID;
    GUID KmsIdGUID;
    GUID CmIdGUID;
    DWORD MinimumClients;
    FILETIME TimeStamp;
    BYTE Reserved1[16];
    wchar_t WorkstationName[33];
    BYTE Reserved2[62];
};

struct RESPONSE {
    WORD MinorVer;
    WORD MajorVer;
    DWORD KmsPIDLen;
    wchar_t kmsPID[49];
    GUID CmId;
    FILETIME TimeStamp;
    DWORD ActivatedMachines;
    DWORD ActivationInterval;
    DWORD RenewalInterval;
};

struct REQUEST_V5 {
    WORD MinorVer;
    WORD MajorVer;
    BYTE Salt[16];       // changes every time
    REQUEST Request;     // encrypted with session key
    BYTE Pad[4];         // encrypted with session key
};

struct RESPONSE_V5 {
    WORD MinorVer;
    WORD MajorVer;
    BYTE SaltKey[16];    // changes every time (equal to the request's)
    RESPONSE Response;   // encrypted with session key
    BYTE Data1[16];      // encrypted with session key
    BYTE Data2[16];      // encrypted with session key
    BYTE Data3[16];      // encrypted with session key
    BYTE Pad[2];         // encrypted with session key
};

Attention! The following information applies to unencrypted data.

Request_v5.Pad = {0x04,0x04,0x04,0x04}
Response_v5.Pad = {0x02,0x02}
Response_v5.Data1 = Salt ^ DSalt ^ aaaa, where Salt is Request.Salt, DSalt is the "decrypted" Salt, aaaa is the word {0x61,0x61,...,0x61}, and ^ is XOR.
Response_v5.Data2 = {0x0C,0x0B,0xEA,0xCE,0xF8,0x87,0x7B,0xBF,0x24,0x16,0xEB,0x00,0xF2,0xB5,0xDC,0x96};
Response_v5.Data3 = {0x35,0x4E,0x26,0xDD,0x1D,0xF5,0x51,0x73,0x20,0x45,0x9B,0x12,0x36,0x86,0x0F,0x8C};