Captured Windows 8 KMS Activation Network Traffic

Discussion in 'Windows 8' started by Dhilip89, Aug 14, 2012.

  1. FreeStyler

    FreeStyler MDL Guru

    What about the HDD space used for 25 VM snapshots? Although it might be possible, I prefer a less resource-intensive and time-consuming solution.
    If we could make a program that fakes KMS requests, changing the CMID with every request, such a program could simply be added to Task Scheduler and run once a day.
  2. FreeStyler

    FreeStyler MDL Guru

  3. Stannieman

    Stannieman MDL Guru

    I don't think it consumes that much space, as they are almost identical. Snapshots store only the differences. But indeed it's not an elegant solution.
  4. hack

    hack MDL Senior Member

  5. hack

    hack MDL Senior Member

    #25 hack, Aug 30, 2012
    Last edited: Aug 30, 2012
  6. FreeStyler

    FreeStyler MDL Guru

    #26 FreeStyler, Aug 30, 2012
    Last edited: Aug 30, 2012
    To examine data sent to and from Windows 7/Server 2008 R2 with this particular KMS VHD there is no need for SP1 or KB2691586; keep to the facts and the things we have and that are confirmed working. Your last remark will only confuse people, e.g. summing up requirements for Windows 8 KMS activation where we don't have the most important item (e.g. the KMS key).
  7. jarod75

    jarod75 MDL Novice

    #27 jarod75, Aug 30, 2012
    Last edited: Aug 30, 2012
    Hi,

    Just to share the knowledge:
    - In the past, with letsgoawayhell, we reversed the Phazor tool: not a big deal, the way he handles the 8007000D error! He uses a loop, 10 tries..... begging that it activates :cool:

    The truth is: by design, WZT KMS just emulates an SPP RPC server, but badly (it handles the RPC ACK response badly). That is the source of the 8007000D error.

    As explained, I reversed the WZT KMS too. Let's see how a real KMS works:

    - The client sends an RPC BIND request
    - The KMS server replies with an RPC BIND_ACK
    - The client sends an RPC request with the "Activation request data" (explained after)
    - The KMS server replies with an RPC ACK
    - The KMS server sends an RPC response with the "Activation response data" (explained after)
    - The client replies with an RPC ACK

    Request data contains the Application ID, CMID, Activation ID, time of the request, etc. Nothing special.

    Response data contains the KMS PID of the KMS server, the client CMID and a crypto hash of all the data from the request data.

    Concerning CMID, it's not a big challenge to fake 25 or more CMIDs and enable a KMS server ... you just need a Win8/Win2012 KMS Host Key ...
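A host-side check for the CMID-rotation idea raised in this post and in FreeStyler's first one: a KMS host operator can count distinct CMIDs per source address in the host's request log and flag addresses that present far more CMIDs than one machine could. This is an added example, not code from the thread or from any tool it mentions; the log line format, addresses and CMIDs are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real KMS host log format): one line per
# activation request: timestamp, client address, the CMID the client sent.
# 192.0.2.10 presents a fresh CMID on every request; the others keep one.
SAMPLE_LOG = """\
2012-08-30T10:00:01 192.0.2.10 cmid=0f0f0f0f-0000-4000-8000-000000000001
2012-08-30T10:00:02 192.0.2.20 cmid=aaaaaaaa-0000-4000-8000-0000000000aa
2012-08-30T10:00:03 192.0.2.10 cmid=0f0f0f0f-0000-4000-8000-000000000002
2012-08-30T10:00:04 192.0.2.21 cmid=bbbbbbbb-0000-4000-8000-0000000000bb
2012-08-30T10:00:05 192.0.2.10 cmid=0f0f0f0f-0000-4000-8000-000000000003
2012-08-30T10:00:06 192.0.2.20 cmid=aaaaaaaa-0000-4000-8000-0000000000aa
2012-08-30T10:00:07 192.0.2.10 cmid=0f0f0f0f-0000-4000-8000-000000000004
2012-08-30T10:00:08 192.0.2.10 cmid=0f0f0f0f-0000-4000-8000-000000000005
"""


def parse_log(text):
    """Return (timestamp, source_ip, cmid) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("cmid="):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2][len("cmid="):]))
    return records


def rotating_cmid_sources(records, max_cmids=3):
    """Map source IP -> number of distinct CMIDs, for sources above max_cmids.

    A genuine client keeps one CMID across its requests, so many distinct
    CMIDs from one address is the signature of a client forging CMIDs to push
    the host's activation count past the threshold. max_cmids leaves room for
    an address that legitimately fronts several machines (NAT)."""
    cmids_by_ip = defaultdict(set)
    for _, ip, cmid in records:
        cmids_by_ip[ip].add(cmid)
    return {ip: len(s) for ip, s in cmids_by_ip.items() if len(s) > max_cmids}
```

Tune max_cmids to the number of machines a NAT address is expected to front; the flagged address can then be cross-checked against the inventory.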
     
  8. hack

    hack MDL Senior Member

    Don't we all.

    Is this true for the Win8/Server 2012 KMS activation? Does KB2691586 only allow for additional Windows 8/Server 2012 keys, or is there more to it?
    The emulated client was only suggested as a Plan B if the new KMS has changed radically. The ideal solution would be to emulate the KMS host for Windows 8/Server 2012. One consideration, however, would be to have a randomly generated Extended PID to prevent any "Non Genuine" notices if MS has implemented Extended PID checking during validation. Just in case you think that Windows Activation Technologies has been mothballed, here is the Windows 8 official description for SPPSVC:

    "Enables the download, installation and enforcement of digital licenses for Windows and Windows applications.
    If the service is disabled, the operating system and licensed applications may run in a notification mode.
    It is strongly recommended that you not disable the Software Protection service."
  9. jarod75

    jarod75 MDL Novice

    KB2691586 just adds the new function, with the encrypted workflow between Win8 and KMS 3.0.

    By the way, I have spied on 50 Windows 8 activations with a true KMS server and I can say without any doubt:

    - The Win8 SPP client changes the salt key at every request
    - KMS 3.0 always makes a response in which it includes the previously sent client salt key

    The big deal is "JUST" to decrypt the stream just after the salt key ...

    If you can decrypt this, the job is done ...
     
  10. Garbellano

    Garbellano MDL Addicted

    How about making a KMS server with the Wireshark capture, responding locally?
  11. Stannieman

    Stannieman MDL Guru

    But the response is always different because the salt changes and stuff. You can't just capture a KMS host response and feed it to any client to activate it.
  12. hack

    hack MDL Senior Member

    Downloading the 64-bit version of Wireshark now to capture KMS activation with the online CN KMS server. In any case, it has been years since I did any crypto analysis; I fear I am out of my depth.
  13. jarod75

    jarod75 MDL Novice

    #33 jarod75, Aug 30, 2012
    Last edited: Aug 30, 2012
    Yes, of course !

    The new KMS scheme is like this:

    Request= REQUEST_HEADER+SALT-KEY+REQUEST_ENCRYPTED_WITH_SALT-KEY
    Response= RESPONSE_HEADER+SALT-KEY+RESPONSE_ENCRYPTED_WITH_SALT-KEY

    In fact, we need to work on sppsvc.exe & sppobjs.dll to find the crypto functions involved ...
  14. jarod75

    jarod75 MDL Novice

    #34 jarod75, Aug 30, 2012
    Last edited by a moderator: Jan 31, 2013
    I found this on my desktop :biggrin:...

    Hope it helps somebody :biggrin:

    Request
    Response

    ---
     
  15. CODYQX4

    CODYQX4 MDL Developer

    #35 CODYQX4, Aug 31, 2012
    Last edited: Apr 12, 2019
    .
     
  16. FreeStyler

    FreeStyler MDL Guru

    #36 FreeStyler, Aug 31, 2012
    Last edited by a moderator: Apr 20, 2017
  17. velocidad

    velocidad MDL Member

    #37 velocidad, Aug 31, 2012
    Last edited by a moderator: Jan 31, 2013

    Does it have the key?
     
  18. FreeStyler

    FreeStyler MDL Guru

    It holds a 'Server 2008 R2 DC and IA64 Volume:CSVLK (KMS_C)' KMS host key (not for use with Win 8/2012).
  19. Mr Jinje

    Mr Jinje MDL Expert

    #39 Mr Jinje, Aug 31, 2012
    Last edited: Aug 31, 2012
    I've never used a KMS emulator or been much interested in it till lately. If I wanted to create my own W7/R2-capable KMS VM, could I just use the KMS_C key from inside this thing, or what does this VM do that I do not understand?
  20. FreeStyler

    FreeStyler MDL Guru

    #40 FreeStyler, Aug 31, 2012
    Last edited: Aug 31, 2012