Is there any way to crack/decrypt the WinXP CONSUMER activation system to generate Activation IDs?

Discussion in 'Windows XP / Older OS' started by ENZOLU, Aug 20, 2019.

  1. veso266

    veso266 MDL Novice

    Now the only thing that's left to do is to recreate the online activation server (although I am not sure that would be possible without patching your own root certificate inside licdll.dll).
     
  2. pottzman

    pottzman MDL Member

    It's not needed anymore because of the phone activator. Just need to add Office activation to the activator.
     
  3. xxhbdl

    xxhbdl MDL Novice

    Anyone for VB.NET? Tnx
     
  4. CONIGUERO

    CONIGUERO MDL Novice


    I wonder if they changed something in the algorithm or just the parameters. If it's the latter it should be fairly easy to implement, given that (I think) the Confirmation ID generator doesn't have any "cracked" keys, it just takes advantage of an inherent insecurity of the algorithm. I could be wrong however.

    EDIT: I WAS WRONG. Dumb of me to not see the post on the previous page.
     
  5. CONIGUERO

    CONIGUERO MDL Novice

    Woah, thank you so much for your work! This will come in very handy.

    As an aside, do you know why the generator produces different (but equally working) CIDs than the official Microsoft servers? You can check this by watching any "Activating Windows XP by phone in ${CURRENT_YEAR}" videos on YouTube.
     
  6. d45h

    d45h MDL Novice

    This is explained in the SageMath code I am referring to. The decrypted bytes of the confirmation IDs provided by the MS servers store the first bytes of the SHA-1-hashed product key, but they can be omitted, and that's what the keygen does.
    As an example, for the installation ID 293221-258112-373604-693481-127192-824692-042003-124815-710622:
    - official MS confirmation ID = 060684-651911-411000-641723-322094-412701-480893, decoded bytes = ca0100a808000003000000000000
    - keygen confirmation ID = 200451-343194-499671-022685-975306-679530-748750, decoded bytes = 0000000000000000000000000000

    Also, the number 3 in the middle is the attempt (as said in the keygen), because the hyperelliptic curve encryption can fail (due to some math stuff I don't really understand) and this 7th byte is incremented until the encryption works.
     
  7. kocoman

    kocoman MDL Senior Member

    Does this work on the XP Mode virtual image? Thx
     
  8. pottzman

    pottzman MDL Member

    It should in theory. That image is activated by OEM-SLP, so you should be able to change the product key to regular OEM and use the activator.
     
  9. kocoman

    kocoman MDL Senior Member

    It doesn't activate because I converted the image to VirtualBox..
    How to convert OEM edition to retail edition without reinstall? Thx
     
  10. acer-5100

    acer-5100 MDL Guru

    #90 acer-5100, Jun 4, 2023
    Last edited: Jun 4, 2023
    If you mean using the XPMode.VHD in a hypervisor different than Windows Virtual PC, yes, it works w/o any problem.

    This is Hyper-V, but VMware or VBox, or Virtual PC, Parallels Workstation, QEMU.... isn't any different.

    You can also boot it natively on bare metal (just like any W7+ native VHD), using grub4dos and the SVBus driver.

    (Obviously, not being a crack but a "proper" activation, you need to reactivate if you move the image from one hypervisor to another.)

     
  11. kocoman

    kocoman MDL Senior Member

    OK, the ./xpactivate <Installation ID> does work.. didn't need to change product ID (because it was saying invalid in the keygen.. OK, thanks)
     
  12. acer-5100

    acer-5100 MDL Guru


    BTW, in VirtualBox it is easy to emulate the same BIOS ID as Windows VPC, hence activation isn't needed at all.

    Surely having two different working methods is better than having just one.
     
  13. Carlos Detweiller

    Carlos Detweiller Emperor of Ice-Cream

    AFAIK, the BIOS string used by XP Mode is outside the address range emulated by VB and you need to actually path files.
     
  14. CONIGUERO

    CONIGUERO MDL Novice

    That does make a lot of sense. Thank you.

    Now onto the task of extending this to Office and MS Plus! ME too! I hope all they changed were the hyperelliptic curve params and not the signature/key length or algorithm in general...
     
  15. tro511

    tro511 MDL Member

    #95 tro511, Jun 5, 2023
    Last edited: Jun 5, 2023
    Can anyone confirm this? If true, is there some BIOS binary/file that is 'pathed'? Is it the same BIOS the VM actually uses?

    I guess, what I'm asking is, what is the process if what Carlos says is true?
     
  16. acer-5100

    acer-5100 MDL Guru


    Not sure what you mean with path files.

    I just said it's easy: you need to add the extradata line to the XPM machine.

    <ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/BiosRom" value="\path-to-VirtualXP.bin"/>
     

  17. acer-5100

    acer-5100 MDL Guru

  18. pottzman

    pottzman MDL Member

    AFAIK you don't even need the .bin file. I believe you can achieve the same result with this:

    <ExtraDataItem name="VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" value="insert SLP string here"/>
     
  19. acer-5100

    acer-5100 MDL Guru

    Thanks.

    So when many ways are working, one should evaluate other parameters.

    Sometimes an alternate method works but only since the version X.y.z, or works until the version W.r.s.

    Now, if I remember correctly, there was a reason why I chose the .bin way years ago. I really don't remember which reason it was, but I rarely choose a solution before many tests.

    Whatever, thanks for sharing, I said above that two alternatives are better than one, then obviously three alternatives are better than two. ;)