Windows 8 Product Key Decoding

Discussion in 'Windows 8' started by Bob65536, Sep 20, 2012.

Thread Status:
Not open for further replies.
  1. Bob65536

    Bob65536 MDL Novice

    Sep 1, 2012
    31
    833
    0
    #1 Bob65536, Sep 20, 2012
    Last edited by a moderator: Apr 20, 2017
  2. Daz

    Daz MDL Developer

    Jul 31, 2009
    9,525
    67,335
    300
    Very well written. Thanks :)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Alphawaves

    Alphawaves Admin / Developer
    Staff Member

    Aug 11, 2008
    6,787
    22,503
    210
  4. Bob65536

    Bob65536 MDL Novice

    Sep 1, 2012
    31
    833
    0
    Great info thanks.


    I updated the first post with new code. All of the functions required for decoding and encoding a pkey. I also fixed a bug in the ConvertChars() function. Dashes should be ignored when considering the index of N.
     
  5. cysm

    cysm MDL Junior Member

    Jun 6, 2007
    56
    8
    0
    This is really interesting; good luck with this
     
  6. Bob65536

    Bob65536 MDL Novice

    Sep 1, 2012
    31
    833
    0
    #6 Bob65536, Sep 21, 2012
    Last edited by a moderator: Apr 20, 2017
    (OP)
    I have completed the decoding and encoding code. I tested it on a number of valid pkeys. I also generated my own keys and Windows accepted them with any value for the unknown parameter.

    I don't know if the keys will work for online activation. I'm pessimistic though. I think the unknown parameter is either a hash or randomly generated data that the server checks. It will be a while before I can try online testing. I need to setup the proper environment on an ultra-slow laptop.

    If any brave souls would like to try mess around with it, you can use the code below to generate pkeys. You can find valid GroupIds and KeyRanges as I explained in the first post.
    Code:
    WCHAR key0[30]={0};
    BYTE key1[25]={0};
    UINT128u key2={0};
    UINT128u key3={0};
    UINT32u check={0};
    UINT32u group={0};
    UINT32u keyid={0};
    UINT64u unknown={0};
    
    keyid.u32=
    group.u32=
    unknown.u64=
    
    SetInfo(group,keyid,unknown,key3);
    SetHash(key3,key2,check);
    Encode(key2,key1);
    UnconvertChars(key1,key0);
    Information we need to know:
    • Is the unknown parameter verified during online activation?
    • Are all key ranges in the XML file unlocked for online activation?
    • Are all the keys inside of a key range unlocked for online activation?
     
  7. cyberbot

    cyberbot MDL Addicted

    Jul 30, 2011
    515
    26
    30
    interesting post,
    thank you !
    +1
     
  8. lunar21

    lunar21 MDL Addicted

    Dec 14, 2008
    754
    277
    30
    #8 lunar21, Sep 21, 2012
    Last edited by a moderator: Apr 20, 2017
    I hope this goes somewhere. Keep up the good work and looking forward to seeing some good news in the very near future :D

     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. woot332

    woot332 MDL Senior Member

    Feb 18, 2011
    397
    831
    10
    That hash table looks like a crc table.
     
  10. meShell

    meShell MDL Novice

    Jan 27, 2009
    27
    16
    0
    #11 meShell, Sep 21, 2012
    Last edited by a moderator: Apr 20, 2017
  11. Bob65536

    Bob65536 MDL Novice

    Sep 1, 2012
    31
    833
    0
    Thanks for pointing that out. There must have been a bug in the code when I generated that example. I updated the examples.


    I can confirm that this method cannot be used with online activation. The server says the key is not valid.

    I assume that the unknown parameter is random data generated when the key is created. The server then stores a HMAC-SHA-256 hash of the entire key for verification.

    The less likely possibility is that it is a hash of some information based on the GroupId and KeyId. In which case it would require a leak from Microsoft to determine the hash function.

    The unknown parameter has 9007199254740991 possibilities assuming there are no collisions. This is too large of a space to brute force. If you could try 1,000 keys a second it would take 142,710 years on average.
     
  12. Fraggy

    Fraggy MDL Addicted

    Jun 13, 2011
    736
    389
    30
    Could you analyse some leaked keys to determine these parameters ?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. frwil

    frwil MDL Addicted

    Sep 22, 2008
    545
    200
    30
    Is it right that in previous OS's (and for Win8 CSVLK keys) this unknown parameter is a signature of PID, verified by PubKey pointed by GroupID?
    If so, then it'd look more possible that now it's indeed hash of some sort, maybe somehow shrinked/cut sha256...
     
  14. tere112

    tere112 MDL Novice

    Aug 16, 2009
    26
    4
    0
    How to i use this?
     
  15. Bob65536

    Bob65536 MDL Novice

    Sep 1, 2012
    31
    833
    0
    Its very unlikely. I looked a some valid keys and nothing stood out.
    This gives me an idea. The servers for online activation verify this parameter. I wonder if the KMS servers do as well. If so we could reverse the hash function from a KMS server.
    A few people have asked me about this. I compiled a simple CLI program for encoding and decoding keys. Run if without any parameters for a description of the interface. You need to install the Microsoft Visual C++ 2012 Redistributable to be a able to run it microsoft com/en-us/download/details.aspx?id=30679 (only a few more posts until I can post links)

    UPDATE: The decoding process seems to work with Office 2013 keys as well.

    UPDATE: Removed attachment from this post I will keep an updated copy attached to the first post.
     
  16. meShell

    meShell MDL Novice

    Jan 27, 2009
    27
    16
    0
    Thank you for this one!I have one small information regarding the "N" in a Key, it seems not to be a "must have" and it can be in first 10 chars, I will send you some more information.
     
  17. Jachra

    Jachra MDL Member

    Apr 5, 2010
    199
    69
    10
    #18 Jachra, Sep 22, 2012
    Last edited by a moderator: Apr 20, 2017
  18. Bob65536

    Bob65536 MDL Novice

    Sep 1, 2012
    31
    833
    0
    Thank you to Jachra and meShell for pointing out my mistake. The N must be in the first 0x18 characters not 0x8, meaning that it can be any character except the last one. The code has been updated.
     
  19. Bob65536

    Bob65536 MDL Novice

    Sep 1, 2012
    31
    833
    0
    I have named the unknown parameter "secret".

    It is verified

    • During online activation.
    • By the software generating confirmation IDs for phone activation.
    It is not verified
    • When changing your product key.
    • When activating using a KMS server.

    Given that, it is unlikely we will ever know how this parameter is generated unless it is leaked from Microsoft.