The big Windows Server 2003 and earlier product key and activation research thread

Discussion in 'Windows XP / Older OS' started by sk00ter, Apr 5, 2021.

  1. sk00ter

    sk00ter MDL Novice

    Apr 30, 2017
    25
    33
    0
    #1 sk00ter, Apr 5, 2021
    Last edited: Apr 7, 2021
  2. sk00ter

    sk00ter MDL Novice

    Apr 30, 2017
    25
    33
    0
    In Windows Server 2003, they apparently introduced an in-PIDGEN.DLL list of ranges separate from the DPCDLL.DLL ones.

    For PIDGEN.DLL for 2003 VL, this list sits at .data:004080A8, contains 34 entries and has this format:

    Code:
    struct PIDRangeInfo {
    /* 0x00 */ BOOLEAN fIsBlacklisted; /* only ever set to FALSE? */
    /* 0x01 */ BYTE unknown; /* only ever set to 0; either unused, reserved or padding */
    /* 0x02 */ WORD wBinkID; /* BINK resource ID this refers to */
    /* 0x04 */ DWORD dwPIDRangeLower; /* minimum PID including site code */
    /* 0x08 */ DWORD dwPIDRangeUpper; /* maximum PID including site code */
    /* 0x0c */ DWORD dwFlags; /* not sure what this stuff does, but PIDGenRc returns this value via PIDGenEx2A */
    };
    The first record looks like this:

    Code:
    struct PIDRangeInfo a = {
    .fIsBlacklisted = FALSE,
    .unknown = 0,
    .wBinkID = 0x54,
    .dwPIDRangeLower = 12000000,
    .dwPIDRangeUpper = 65999999,
    .dwFlags = 0x21
    };
    Flags values I've seen: 0x21, 0x22, 0x121, 0x1010121, 0x2010121, 0x3010121, 0x20022. Not sure what this does or if this even really is flags.

    The only calling sites I could find:

    wssoc.dll: HKLM\SOFTWARE\Microsoft\ServerAppliance, key Edition, related to some log(x), where x is 8 for 0x10180 and 0x4010122, 4 for 0x30101021, 2 for 0x2010121 and 1 for 0x1010121; check that the range info & 0xff0000 == 0x10000

    cd2chain.exe: ((dwFlags >> 8) & 1) must be 1 if IsOS(OS_DATACENTER or OS_ADVSERVER or OS_SERVER)
    ^ this is about R2 CD2

    hpcoc.dll: (dwPIDRangeInfo & 0xff0000) must be == 0x20000, used later down the line for something relating to "compute server" in HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions, key ProductSuite

    Those are the only calling sites I could find. Most of this is largely unexplained. There's no good way to locate the range list, either, other than disassembly.
     
  3. pottzman

    pottzman MDL Member

    Dec 8, 2009
    143
    105
    10
    Hey sk00ter,

    Windows XP also has an in-PIDGEN.DLL list of blacklisted PID's located at data:00406020 however it doesn't use the same structure as "2003" PIDGEN.

    I also noticed the Windows Server 2003 VL pidgen location data:004080A8 has first 4 records that are blacklisted PIDs, then follows the list of valid PID ranges

    Code:
     {
    .fIsBlacklisted = TRUE,
    .unknown = 0,
    .wBinkID = 0x5A,
    .dwPIDRangeLower = 640000008,
    .dwPIDRangeUpper = 640000008,
    .dwFlags = 0
    };
    
    {
    .fIsBlacklisted = TRUE,
    .unknown = 0,
    .wBinkID = 0x5A,
    .dwPIDRangeLower = 640059289,
    .dwPIDRangeUpper = 640059289,
    .dwFlags = 0
    };
    
    {
    .fIsBlacklisted = TRUE,
    .unknown = 0,
    .wBinkID = 0x5A,
    .dwPIDRangeLower = 640462676,
    .dwPIDRangeUpper = 640462676,
    .dwFlags = 0
    };
    
    {
    .fIsBlacklisted = TRUE,
    .unknown = 0,
    .wBinkID = 0x5A,
    .dwPIDRangeLower = 640471551,
    .dwPIDRangeUpper = 640471551,
    .dwFlags = 0
    };
     
  4. un user

    un user MDL Member

    Jun 16, 2013
    151
    104
    10
    Hello @pottzman.
    testing keys in key tester and inspecting msi, some contain PidCa.dll similar to pidgen.
    for example: wes2009 setup include "Binary.PIDDLL" (PidCa.dll) wich have BINKID 0D assigned to Embedded Family.
     
  5. pottzman

    pottzman MDL Member

    Dec 8, 2009
    143
    105
    10
    DPCDLL-Viewer
     
  6. pottzman

    pottzman MDL Member

    Dec 8, 2009
    143
    105
    10
    Hey un user, I have found Pidgens for the following BINKID's

    ID's 02,03,04,05,06,07,08,09,0A,0D,0E,0F,12,13,1C,1D,20,21,22,23,24,25,28,29,2A,2B,2C,2D,2E,2F,32,33,52,53,54,55,58,59,5A,5B,64,65,66,67,68,69,6C,6D,6E,6F,70,71,72,73,74,75,76,77,78,79,7C,7D,7E,7F,80,81,82,83,84,85,86,87,88,89

    Have you ever seen/found any of the missing BINKID's in that list?
     
  7. un user

    un user MDL Member

    Jun 16, 2013
    151
    104
    10
    I will verify later today. I have a list, but i do not remember too much from that list.
     
  8. un user

    un user MDL Member

    Jun 16, 2013
    151
    104
    10
    @pottzman

    Apart from your list i have:
    00, 30, 31, 40, 41, 50, 51, 56, 57.

    P.S
    I have BINKID info, not pidgens.
     
  9. NeoDesktop

    NeoDesktop MDL Novice

    Nov 21, 2020
    8
    23
    0
    I hate to necro-revive this thread but does anyone have a copy of this program?

    This this the only thread I've found with the phrase DPCDLL-Viewer and google turns up nothing