Great info thanks. I updated the first post with new code. All of the functions required for decoding and encoding a pkey. I also fixed a bug in the ConvertChars() function. Dashes should be ignored when considering the index of N.
I have completed the decoding and encoding code. I tested it on a number of valid pkeys. I also generated my own keys and Windows accepted them with any value for the unknown parameter. I don't know if the keys will work for online activation. I'm pessimistic though. I think the unknown parameter is either a hash or randomly generated data that the server checks. It will be a while before I can try online testing. I need to setup the proper environment on an ultra-slow laptop. If any brave souls would like to try mess around with it, you can use the code below to generate pkeys. You can find valid GroupIds and KeyRanges as I explained in the first post. Code: WCHAR key0[30]={0}; BYTE key1[25]={0}; UINT128u key2={0}; UINT128u key3={0}; UINT32u check={0}; UINT32u group={0}; UINT32u keyid={0}; UINT64u unknown={0}; keyid.u32= group.u32= unknown.u64= SetInfo(group,keyid,unknown,key3); SetHash(key3,key2,check); Encode(key2,key1); UnconvertChars(key1,key0); Information we need to know: Is the unknown parameter verified during online activation? Are all key ranges in the XML file unlocked for online activation? Are all the keys inside of a key range unlocked for online activation?
I hope this goes somewhere. Keep up the good work and looking forward to seeing some good news in the very near future
Thanks for pointing that out. There must have been a bug in the code when I generated that example. I updated the examples. I can confirm that this method cannot be used with online activation. The server says the key is not valid. I assume that the unknown parameter is random data generated when the key is created. The server then stores a HMAC-SHA-256 hash of the entire key for verification. The less likely possibility is that it is a hash of some information based on the GroupId and KeyId. In which case it would require a leak from Microsoft to determine the hash function. The unknown parameter has 9007199254740991 possibilities assuming there are no collisions. This is too large of a space to brute force. If you could try 1,000 keys a second it would take 142,710 years on average.
Is it right that in previous OS's (and for Win8 CSVLK keys) this unknown parameter is a signature of PID, verified by PubKey pointed by GroupID? If so, then it'd look more possible that now it's indeed hash of some sort, maybe somehow shrinked/cut sha256...
Its very unlikely. I looked a some valid keys and nothing stood out. This gives me an idea. The servers for online activation verify this parameter. I wonder if the KMS servers do as well. If so we could reverse the hash function from a KMS server. A few people have asked me about this. I compiled a simple CLI program for encoding and decoding keys. Run if without any parameters for a description of the interface. You need to install the Microsoft Visual C++ 2012 Redistributable to be a able to run it microsoft com/en-us/download/details.aspx?id=30679 (only a few more posts until I can post links) UPDATE: The decoding process seems to work with Office 2013 keys as well. UPDATE: Removed attachment from this post I will keep an updated copy attached to the first post.
Thank you for this one!I have one small information regarding the "N" in a Key, it seems not to be a "must have" and it can be in first 10 chars, I will send you some more information.
Thank you to Jachra and meShell for pointing out my mistake. The N must be in the first 0x18 characters not 0x8, meaning that it can be any character except the last one. The code has been updated.
I have named the unknown parameter "secret". It is verified During online activation. By the software generating confirmation IDs for phone activation. It is not verified When changing your product key. When activating using a KMS server. Given that, it is unlikely we will ever know how this parameter is generated unless it is leaked from Microsoft.