Is there any way to crack/decrypt the WinXP CONSUMER activation system to generate Activation IDs?

Discussion in 'Windows XP / Older OS' started by ENZOLU, Aug 20, 2019.

  1. TheoFaron

    TheoFaron MDL Novice

    Oct 23, 2019
    3
    1
    0
    I have little knowledge of the details of the activation, but if private keys are impossible to crack is it possible to exchange the certificates in the client?
     
  2. diamondggg

    diamondggg MDL Novice

    Sep 30, 2016
    23
    73
    0
    The certificate is built in system executables, not in a separate replaceable file/registry. So one would need to patch important system files.

    From the point of view of a battle of wits between attackers and protectors, the patching means admitting defeat.

    From the practical point of view, the patching comes with a lot of drawbacks. Less importantly, winlogon.exe/licdll.dll have a number of internal checks to protect the important data, including the certificate, so one would either need to patch out those as well, or be extra careful to make a replacement certificate with the same checksum as the original one (which might be possible). More importantly, patching a system file automatically means problems with system protection mechanisms like SFC, with updates, with antiviruses, with WGA checker, leaves easily detectable traces of intrusion.

    It could work if it would be the only way to go (IIRC some early anti-WPA hacks did patch winlogon.exe, although not in this way), but it makes no practical sense in presence of other anti-WPA methods that won't provide a validatable activation in this concrete way but do provide a better solution of the problem as a whole.
     
  3. TheoFaron

    TheoFaron MDL Novice

    Oct 23, 2019
    3
    1
    0
    #43 TheoFaron, Jan 19, 2021
    Last edited: Jan 19, 2021
    Well, I don't think cracking an RSA-1024 key is a realistic outlook. But then again I haven't found any recent numbers on the computation cost. So the two options left is either to find a flaw in the client logic so that it will accept stuff signed with a fake key or to steal the keys from Microsoft.
     
  4. Mishakaaka

    Mishakaaka MDL Novice

    Mar 2, 2021
    1
    0
    0
    The windows XP Leaked source code contains source code for pidgen.dll
     
  5. trashe33

    trashe33 MDL Member

    May 8, 2016
    127
    63
    10
    #45 trashe33, Mar 4, 2021
    Last edited: Dec 18, 2021
    [removed because of misinformation]
    -trashe33
     
  6. #46 Deleted member 1435102, Mar 5, 2021
    Last edited by a moderator: Mar 5, 2021
     
  7. Carlos Detweiller

    Carlos Detweiller Emperor of Ice-Cream

    Dec 21, 2012
    6,755
    7,688
    210
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. sk00ter

    sk00ter MDL Novice

    Apr 30, 2017
    25
    33
    0
    I've looked into DPCDLL122Func() a bit more and wish to adjust the struct and enum.
    Code:
    enum LicenseType : DWORD { // matches the license type field in DigitalProductId3
      LT_RETAIL,
      LT_UPGRADE,
      LT_OEM,
      LT_VOL, // volume license (previously Microsoft Select)
      LT_MLP, // Microsoft License Pack for stuff like CALs probably?
      LT_MOLP, // Microsoft Open License Program
      LT_MSDN
    };
    struct Lic {
      DWORD dwIndex; // index into the license index
      struct BlessedLic { // BlessedLic is signed
        DWORD dwId; // always same as dwIndex in practice
        DWORD dwBinkId; // ID of the relevant BINK
        DWORD dwMinSiteId; // minimum channel/site ID
        DWORD dwMaxSiteId; // maximum channel/site ID
        LicenseType dwLicenseType; // type of license
        DWORD dwDaysToActivate; // time to activate before OS stops working, 0x7fffffff for no activation needed
        DWORD dwTrialDays; // time for a trial installation before it disables itself
      } blessed;
      DWORD dwSignatureLength; // signature length in bytes
      CONST BYTE *pabSignature; // signature
    };
    HRESULT WINAPI DPCDLL122Func(DWORD dwBinkId, DWORD dwSiteId, DWORD dwBuildId, struct Lic *pLic);
    
    The license type enum actually matches what's in use with pidgen.dll.

    The Lic struct has a signature. The "blessed" sub-struct is signed.

    The signature uses RSA-1024 with PKCS#1 padding and SHA1. The public key is stored as a CryptoAPI blob in winlogon.exe, which also makes it the apparently only caller that I know of.

    To save you some trouble, here's an example taken from XP volume license dpcdll.dll (same signing key used for other languages as well; not sure if retail shares the same key or even the entire struct list, but it probably shares both; not sure if 2003 shares the same key, but it probably doesn't):

    Code:
    #!/usr/bin/env ruby
    # frozen_string_literal: true
    
    require 'base64'
    require 'openssl'
    
    # winlogon.exe @ 0x1016cb8, converted from blob to PEM
    PUBKEY = <<EOK
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsKGLtQ8bUveKs8GYDs+/b+Vs2
    tG3btT2g/ZSI9ExWXZCTyrnsxdMIoiyEFovYulodzu60QReEree3szKnpobay04c
    qpqr4n3IfFUaWpOYCFtdKosgQrCsKoXNN+w3rqz4UxAAE0LEZvci0+Qo22/VRKSo
    sOX+w8C+8ss1KhxsJwIDAQAB
    -----END PUBLIC KEY-----
    EOK
    
    # This is the data of a struct Lic.
    # The pointer to the signature is 0x012d89b0 for demo.
    #
    # struct Lic {
    #   .dwIndex = 0x0e,
    #   .blessed = {
    #     .dwId = 0x0e,
    #     .dwBinkId = 0x28,
    #     .dwMinSiteId = 5,
    #     .dwMaxSiteId = 110,
    #     .dwLicenseType = 3, // LT_VOL
    #     .dwTrialDays = 14,
    #     .dwTrialDays = 125
    #   },
    #   .dwSignatureLength = 0x80,
    #   .abSignature = 0x012d89b0
    # };
    lic = Base64.decode64('DgAAAA4AAAAoAAAABQAAAG4AAAADAAAADgAAAH0AAACAAAAAsIktAQ==')
    
    signed = lic[4...(4+(7*4))]
    signature_encoded = <<EOSIG
    KhS4yXIrs9bISyve8GadyYtfvE5G2ynvxJbFPfuUbMGi7VqC5wBoQpw1N9/F
    c4g9lkPDl0UbtnPDgMAalRs4BJ667yscrOI8bocE3NB96FiyqB0lfIEKJeWU
    kZbQbCfYcxi7/P4WLDLbMjJAE9CPx78TBfkt74XjXFON1TOHa1w=
    EOSIG
    # reverse the bytes in the signature because OpenSSL uses big-endian numbers,
    # but OpenSSL uses little-endian
    signature = Base64.decode64(signature_encoded).reverse
    
    rsa = OpenSSL::PKey::RSA.new(PUBKEY)
    puts(rsa.verify('SHA1', signature, signed)) # true
    
    You won't be able to sign your own dpcdll.dll structs. Breaking RSA-1024 is computationally infeasible (Schnorr's recent paper has been debunked).
     
  9. NonverbalMel

    NonverbalMel MDL Member

    Oct 11, 2021
    102
    37
    10
    I’ve taken a minute to read through this entire thread, and given how old XP is (and out of support), one would’ve figured that all the product key, activation, etc would’ve been cracked and keygens would be commonplace. However, with my limited understanding of cryptography the larger the bit count, the harder it is to decrypt. (Again limited understanding), so I might not see MS legacy products keygens in my lifetime by the looks of it.
     
  10. trashe33

    trashe33 MDL Member

    May 8, 2016
    127
    63
    10
    what do you mean by that? nowadays we can crack the private keys of the bink resources of pidgen.dll in a matter of twenty minutes (for Windows 98FE/SE, ME, 2000, XP, server 2003, pre- and early post-reset Longhorn/Vista) with which we can reliably generate a product key. (if you cannot figure out how, ask sk00ter)

    furthermore, the phone activation procedure (for non vlk copies of Windows XP and Server 2003) has also been cracked (see diamondggg's keygen, available on request). This allows us to keygen telephone activation for all non-vlk copies of Windows between Windows XP build 2600 (pre-RTM builds of Windows XP do not work woth said keygen, I already tried it) and early Windows Vista post reset builds (including Server 2003, XP 64-bit/x64 and pre-reset Longhorn)

    Sure, there is no fully publicly known method (that I know of) to crack phone activation except that one closed source tool of unknown origin from diamondggg, but I would confidently say that Windows XP's and Server 2003's WPA is pretty busted. And that is before I even talk about AntiWPA.

    Adressing some misinformation that I may have spread in this thread:
    I would like to add that the Windows XP/2003 keygen from github that I mentioned indeed does not compile a working binary on Linux, however it does in MinGW32 and MSYS2's MinGW64 under Windows. I do not actually know the cause of this, but I suspect that the default compiler options of gcc in ubuntu and manjaro mess something up.
    Also, I claimed once that pidgen code was not included in the source code leak last year. That is kinda true for Server 2003, but not for the Windows XP SP1 build tree where it was included.
     
  11. NonverbalMel

    NonverbalMel MDL Member

    Oct 11, 2021
    102
    37
    10

    Well… I learn something new every day. I will be sending appropriate requests to the people involved to get copies of the appropriate keygens . @diamondggg; would be the person for the phone actuation keygen I wonder who the appropriate person would be for the keygen for just the product keys? Further, what I meant by my comment is somebody mentioned an RSA-1024 encryption key involved with the phone activation… My basic understanding is that RSA is rather hard to crack, and with that many bits one would figure that there would be so many possibilities… That one would have to keep counting Ansari eventually breaks. Again, this is probably due to very outdated knowledge as I am not familiar with the capabilities of much modern hardware, it could also be pure misunderstanding on my side.
     
  12. pottzman

    pottzman MDL Member

    Dec 8, 2009
    153
    119
    10
    I believe you can activate these legacy products now with telephone activation because microsoft has altered the telephone system. I don't think it actually cares anymore what product key you use, it just spits out an Confirmation ID that will activate the product, no questions asked and not because the so called keygens produce valid (valid in the sense that MS believes them to be valid) product keys.
     
  13. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    18,802
    18,982
    340
    Is it the following one?

    Code:
      CRC-32: 0fb1bab6
         MD5: db8dfc80e136a28655d148a077e72205
       SHA-1: 26632479f9bdde172f47d23902c3e7caaabe2b4f
     SHA-256: 5a4bcac5a50eb5113dd6a2f88c35ebdb709c4df8a792c71ad03ea347afaced52
    
    Tagging @LostED as well.
     
  14. NeoDesktop

    NeoDesktop MDL Novice

    Nov 21, 2020
    8
    23
    0
    I believe this to be the same file, at least from the hashes I saw in PM
     
  15. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    4,150
    5,947
    150
    #55 Dark Dinosaur, May 26, 2023
    Last edited: May 26, 2023

    Attached Files:

    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  16. wvv000

    wvv000 MDL Senior Member

    Feb 21, 2019
    446
    552
    10
    Why do we have to use retail & OEM XP in 2023?
    Shouldn't VL mode be better? Although you uploaded a bunch of activations, the crack program is used to activate xp....

    In other words, Microsoft will not be so stubborn. I believe that in the era when XP was released, Microsoft's download center provided an official tool that could authorize conversion, only for XP
     
  17. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    4,150
    5,947
    150
    #57 Dark Dinosaur, May 26, 2023
    Last edited: May 26, 2023
    I believe there are some that still use it ...
    now I downloading ... this iso. to check the new tool
    en_windows_xp_professional_with_service_pack_3_x86_cd_x14-80428.iso

    I think most of the guys maybe forget this tool exists.
    from the old era... :D

    1.png

    2.png

    upload_2023-5-26_21-25-18.png
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  18. Chuterix

    Chuterix MDL Senior Member

    Apr 18, 2022
    275
    124
    10
    frankenbuilder?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  19. Tito

    Tito Super Mod / Adviser
    Staff Member

    Nov 30, 2009
    18,802
    18,982
    340