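/*
 * RPC handler for one KMS v5 activation request.
 *
 * IDL_Handle   binding handle supplied by the RPC runtime; not used here.
 * RequestSize  byte count of Request as received from the client.
 * Request      raw REQUEST_V5 bytes from the client. Untrusted input: it is
 *              only overlaid on the structure after the size check below.
 * ResponseSize [out] sizeof(RESPONSE_V5) on success, 0 on rejection.
 * Response     [out] buffer obtained from midl_user_allocate (the RPC runtime
 *              releases it after marshaling); NULL on rejection.
 *
 * Returns 0 on success, non-zero when the request is rejected (too short,
 * NULL, or the response buffer could not be allocated). A rejected request
 * is neither decrypted nor answered.
 *
 * NOTE(review): MemoryBuffer is apparently a file-scope pointer that every
 * call overwrites, so concurrent RPC calls race on it. A local pointer would
 * do if nothing else reads the global -- confirm before changing.
 */
int RequestActivation(handle_t IDL_Handle, int RequestSize, unsigned char *Request, int *ResponseSize, unsigned char **Response)
{
    /* Bound the input before overlaying the structure on it: the decrypt
     * below touches 256 bytes starting at Salt and the copies further down
     * read CmId/TimeStamp out of the decrypted body. Assumes
     * sizeof(REQUEST_V5) covers Salt + 256 bytes -- TODO confirm against
     * the structure definition in the header. */
    if (Request == NULL || RequestSize < (int)sizeof(REQUEST_V5)) {
        *ResponseSize = 0;
        *Response = NULL;
        return 1;   /* any non-zero value: 0 is the success code at the end */
    }

    REQUEST_V5 *Request_v5 = (REQUEST_V5 *)Request;
    RESPONSE_V5 *Response_v5 = new RESPONSE_V5;
    memset(Response_v5, 0x00, sizeof(RESPONSE_V5));

    /* Keep a copy of the client's salt: it is echoed in the response, it is
     * the CBC IV for the request body, and the in-place decrypt that follows
     * overwrites Request_v5->Salt itself (the decrypt starts at &Salt). */
    memcpy((BYTE *)Response_v5->Salt, (BYTE *)Request_v5->Salt, 16);
    AesInit(AES_TYPE_128, AES_MODE_CBC, 0x02, SessionKey, Request_v5->Salt);
    DecryptMessage(256, (BYTE *)(&Request_v5->Salt));

    /* Fixed v5 header fields and the server identity / policy values. */
    Response_v5->MinorVer = 0;
    Response_v5->MajorVer = 5;
    Response_v5->Response.MinorVer = 0;
    Response_v5->Response.MajorVer = 5;
    Response_v5->Response.KmsPIDLen = 0x62;
    memcpy((BYTE *)Response_v5->Response.kmsPID, (BYTE *)kmsPID, 0x62);
    memcpy((BYTE *)(&Response_v5->Response.CmId), (BYTE *)(&Request_v5->Request.CmId), 16);
    memcpy((BYTE *)(&Response_v5->Response.TimeStamp), (BYTE *)(&Request_v5->Request.TimeStamp), 8);
    Response_v5->Response.ActivatedMachines = ActivatedMachines;
    Response_v5->Response.ActivationInterval = ActivationInterval;
    Response_v5->Response.RenewalInterval = RenewalInterval;

    /* Byte-wise XOR of the original salt (Response_v5->Salt) with the
     * decrypted bytes now sitting in Request_v5->Salt. The forum rendering
     * of this loop had no [i] subscripts (BBCode treats "[i]" as an italic
     * tag) and so never used the loop index; they are restored here --
     * verify against the attachment. */
    for (int i = 0; i < 16; i++) {
        Response_v5->Data1[i] = Request_v5->Salt[i] ^ Response_v5->Salt[i] ^ 0x61;
    }
    memcpy((BYTE *)(Response_v5->Data2), Data2, 16);
    memcpy((BYTE *)(Response_v5->Data3), Data3, 16);

    EncryptMessage(190, (BYTE *)&Response_v5->Response);
    AesClear();

    /* The response is handed to the RPC runtime in a midl_user_allocate
     * buffer. Assumes sizeof(RESPONSE_V5) <= MemoryBufferSize -- TODO
     * confirm; a static_assert would pin it if the compiler supports one. */
    MemoryBuffer = (unsigned char *)midl_user_allocate(MemoryBufferSize);
    if (MemoryBuffer == NULL) {
        delete Response_v5;
        *ResponseSize = 0;
        *Response = NULL;
        return 1;
    }
    memcpy(MemoryBuffer, (BYTE *)Response_v5, sizeof(RESPONSE_V5));
    *ResponseSize = sizeof(RESPONSE_V5);
    *Response = MemoryBuffer;
    printf("Activation response sent.\r\n");

    /* The 512-byte scratch Buffer the original allocated was never used
     * (and was released with delete instead of delete[]); it is gone. */
    delete Response_v5;
    return 0;
}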
The session key is static. For a KMS server based on Windows 7 x86 with update KB2691586 we have: Response_v5.Data1 = Salt ^ DSalt ^ aaaa. This is a Microsoft error. For a KMS server based on Windows 7 x86 with update KB2757817 or later we have: Response_v5.Data1 = Salt ^ DSalt ^ aaaa ^ Rnd. In this case "Rnd" also affects Data2 and Data3. Unfortunately, I do not know this algorithm. The Rnd word changes every time the KMS server reloads. But this is not important, because the Data2 and Data3 posted earlier work properly.
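// Forum note: "Please look up an attachment."
// The fragment
//     { BYTE *Buffer; Buffer = new BYTE[512]; delete(Buffer); }
// is not needed: the buffer is never used, and releasing a new[] array with
// plain delete is undefined behaviour besides.

/* Server policy values reported to every client. */
const int MemoryBufferSize = 1024;      // bytes requested from midl_user_allocate per response
const int ActivatedMachines = 50;       // machine count placed in the response
const int ActivationInterval = 120;     // presumably minutes (see RenewalInterval) -- confirm
const int RenewalInterval = 7 * 24 * 60; // reads as 7 days expressed in minutes

/* Response buffer pointer shared across calls.
 * NOTE(review): file-scope and rewritten on every request, so concurrent RPC
 * calls would overwrite each other's pointer. */
BYTE *MemoryBuffer;

/*
 * Decrypt MessageSize bytes of Message in place.
 *
 * MessageSize  byte count; non-positive sizes and NULL are ignored (the
 *              original would have passed a negative size to new[] and
 *              memcpy).
 * Message      ciphertext on entry, plaintext on return.
 *
 * AesDecrypt reads from a private copy of the input so that it may write
 * its output over Message. The value it stores in q is not used here
 * (presumably an output length -- confirm against AesDecrypt).
 */
void DecryptMessage(int MessageSize, BYTE *Message)
{
    if (Message == NULL || MessageSize <= 0) {
        return;
    }
    BYTE *copy = new BYTE[MessageSize];
    DWORD q;
    memcpy(copy, Message, MessageSize);
    AesDecrypt(copy, MessageSize, Message, &q);
    delete[] copy;   // allocated with new[], so delete[] -- not delete
}

/*
 * Encrypt MessageSize bytes of Message in place; mirror of DecryptMessage.
 *
 * MessageSize  byte count; non-positive sizes and NULL are ignored.
 * Message      plaintext on entry, ciphertext on return.
 */
void EncryptMessage(int MessageSize, BYTE *Message)
{
    if (Message == NULL || MessageSize <= 0) {
        return;
    }
    BYTE *copy = new BYTE[MessageSize];
    DWORD q;
    memcpy(copy, Message, MessageSize);
    AesEncrypt(copy, MessageSize, Message, &q);
    delete[] copy;   // allocated with new[], so delete[] -- not delete
}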
I think you should include in the file data.h, after the line "#define DataH", the following: #include <windows.h> or #include "Defines.h", to define "BYTE", "WORD", etc.
It is advisable to set the project's "Struct Member Alignment" property to "1" to avoid any padding surprises.