Actually I don't know how to decrypt it. Pajero is very skilled with SLP1.0. I don't know if he's still active here... but I'll have a look at those files as well...
What about the string 'MediaSmart Server'? Also note that the characters are case sensitive! I assume the valid range is the same as on XP.
Was just thinking the same thing, I guess it won't hurt to try it before I run off. Will post back what happens later. Edit: NOPE, not MediaSmart Server
@SuicideSolution said that for HP server (with 2003) the SLP string is 'Hewlett-Packard': http://forums.mydigitallife.net/posts/25261
For Dell: 'Dell Computer' or 'Dell System': http://forums.mydigitallife.net/posts/25857
But what about the offset to place this string? That is the question!!!
OK, the best way is to go by trial and error. Just insert the string multiple times at common places and try...
Well, I've just managed to get the decrypted info on my test machine (ASUS_FLASH, Windows XP).

Code:
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00ECB880                          5B 4F 45 4D 42 49 4F 53         [OEMBIOS
00ECB890  5D 0D 0A 42 49 4F 53 3D 66 30 30 30 2C 63 30 30 ]..BIOS=f000,c00
00ECB8A0  30 2C 33 66 66 66 2C 41 04 B9 EC 00 EE F1 EE F1 0,3fff,A.¹ì.îñîñ
00ECB8B0  48 00 5B 48 61 73 68 54 61 62 6C 65 5D 0A 0A 48 H.[HashTable]..H
00ECB8C0  61 73 68 42 6C 6F 63 6B 73 3D 31 30 30 00 48 61 ashBlocks=100.Ha
00ECB8D0  73 68 53 69 7A 65 3D 31 33 31 30 37 32 00 0A 48 shSize=131072..H

At least you can see the valid address range in clear text!

Steps:
Log off.
Log in and quickly open WinHex.
Open RAM --> winlogon --> entire memory.
Search for the oembios string.
If you don't find it, retry it all again... Now I'm looking at how to obtain the valid string...

Maybe this procedure works on the server as well.

Edit: The string is probably right behind the address ranges shown, still encrypted.

Phew! I've tried to catch the oembios string again. Multiple log-off, log-in trials. You have to try over and over again. Only one success so far. Maybe a debugger is more reliable for that.
Well, on this point I am not so sure, I mean it is SAID that Hewlett-Packard is the SLP string. But we don't have actual proof from the oembios yet. Yen has gotten us a BIT farther, which is good. Please help me out here as I am no math whiz and still learning this: does this "BIOS=f000,c000,3fff" mean it's a smaller hole than XP has? Also, if I am going off of the post Pajero made here, where I see it just puts the F in front of the E076, does that mean in this case, f000,c000,3fff, that it's fc000 start with a range of 3fff? And my range has to be in there? Also, I learned for some reason my last flash didn't insert the "MediaSmart Server" text like I thought it did. It showed right in modbin but oh well, I will reflash/retry.
My method was using Server 2003 OEMBIOS files to activate instead of real WHS files. That's why the Hewlett-Packard string worked on my end. I actually uploaded those 2003 OEM files for people to test WHS, but now that we have the real SLP WHS files to work with, finding the BIOS string that works for those would be the best option.
We should proceed more systematically. First: We cannot afford wrong results which bring us in the wrong direction. To read the valid range:

Code:
[OEMBIOS
00ECB890 5D 0D 0A 42 49 4F 53 3D 66 30 30 30 2C 63 30 30 ]..BIOS=f000,c00
00ECB8A0 30 2C 33 66 66 66 2C 41 04 B9 EC 00 EE F1 EE F1 0,3fff

Means: the string is valid at FC000 to FFFFF (size 3FFFF). So my encrypted dump verifies the address range published on the web. It's ASUS_FLASH. The length is shown, and the first and last character of it (A and H)!

"I agree, but now I have the proof that it isn't 'Hewlett-Packard' OR MediaSmart Server lol..."

This is not true! The strings could be the right ones, but at different address ranges, who knows?

The next step is: Install Home Server and try to catch the OEMBIOS string in the winlogon allocated RAM. At least we should get the valid addresses, the length of the string and probably the first and last characters.

There are HP XP files that match Hewlett-Packard, HP PAVILION, Hewlett, Compaq! Also the Server 2003 OEMBIOS files match Hewlett-Packard. The valid address range of the XP HP files is F0000-FFFFF (wide range).

I don't get why the HP OEM files of Windows Home Server don't activate against Hewlett-Packard??? Are they different (CRC)? Are the OEMBIOS files of WHS working (without activation, but no error at install) on XP? In that case we can decrypt them from an XP platform...

Am I missing something??? I don't have a server CD...
- No, 2003 & WHS OEM files don't work in XP.
- I tried the "very fast winlogon memory dump" in 2003 with no success.
- I am searching for a memory dump utility that I can launch from the command line during the winlogon process. Any idea?
Yes, I've managed ONE time only to catch that string... (I surely had 20 attempts.) At the antiwpa forums there were instructions, but they are not available anymore?? Some are using a 'live' debugger such as OllyDbg and attaching it to winlogon. But I never tried it... This is interesting... but please try it again from time to time, since we've got no alternative so far. Once we have caught the OEMBIOS string we can go on...
OK, after putting a hook and auditing the process, here is the conclusion:

17:43:42 => put hook and press enter for login
17:43:43 => audit : Winlogon decrypt oembios file

That is one second after I press "enter", so dumping the winlogon process when explorer starts is too late (3 to 5 s later). My future test: dump winlogon before explorer starts...
Well, I am trying within win2003 WHS and I have tried the same number of times; all I can catch is a half-mangled chunk that says hashtable but nothing else of use around it. As for the debugger catching it, I have not tried that, I can in a bit. I just want to make sure you know I am running these tests from within actual Win Home Server, with the oembios I uploaded, so if it "could" work with what I have tried, it would. But like offon agreed, it's basically impossible to catch, and yes, it is a different CRC than other oembios files.