Well, I just checked 100k keys with no timeouts or IP blocking. So I guess there is currently no restrictions on the MS server side. As for the Hardware ID bit, I'm sure its actually just a code computed from various system variables and changed with each OS install.
I haven't run into any timeouts. As madhadder has done, when I click MAK to select all in VAMT it will check thousands of the mak keys at once and with the new win8->2012R2 and office2013 it only takes a few seconds to bang them all out and show counts. Everything below (e.g. Win7 Office14) takes a lot longer.
@madhadder: What you are proposing is not feasible. A simple estimate will show you that. The secret id part of a product key is 7 bytes (56 bits) long. Assuming an extreme scenario where you can validate 1 million keys per second, and that you have 1 million devices working on it, it would take 20 hours to find a single valid key. This is assuming that you are trying with a group id and key id that has actually been given out by MS, and you cant even be sure of that. Brute force search for valid keys is just not practical.
You do realise that every product key corresponds to a group id + key id + secret combination? The whole point of the OP is to show how they are converted to each other (in either direction). Hence trying a random product key is the same as trying a random combination of group id + key id + secret. There are in fact slightly more product keys than there are id combinations, because of check digits. What I posted is therefore fully relevant to what you are trying to do, and puts an estimate on the lower bound on your search efforts. In plain English: searching random product keys takes even longer than searching for a valid secret.
I would like to know how does one check a generated key against M$ server to see if it is valid? Is it buy trying to activate it? wouldn't that in effect destroy genuine product keys abilities to activate for legit customers because you have already activated it.
.. if a generated key matches one from a legit source that would invalidate it yes... thus I'm not a supporter of this method of brute-force .. too Warez for me Much prefer we find a way to hook SPP for permanent activation.. even if we have to use a generated key...being local, M$ servers are excluded from the equation (assuming phoning home can be manipulated as well?) - whether that's even possible IDK.. just thinking conceptually
Knowlege is good, but when it relies on something you don't have (Secret Hash) to generate valid Keys, then its kinda useless isn't it? Just how long would it take to brute-force the secret key hash, huh? Prob. just as long or longer than my method. Seeing as I can pump out around 10Million keys every 8-15 seconds (In 1 Process,On only 1 PC). Adding more generating PCs into the mix will greatly shorten the time needed to gen all the keys.. Is your quoted number for "All possible keys" or just the ones beginning with "B"?.
At this point, I am flabbergasted by how silly you are being. Yes, and we are trying to impart some on you, but you are not listening. Nonsense. We don't know the values, but we know exatly how many there are. I already answered this, in two separate posts, it is as if you haven't bothered to read them. It takes longer to go through product keys than secret hashes. Period. I already explained to you that this is nowhere near fast enough. Doesn't really matter. If deagles meant just the ones beginning with B, then all possible keys will be 24 times that much. It seems to me that you are just being stubborn for the sake of being stubborn, in order not to have to admit that you were mistaken. You are not reading or choosing to ignore actual information being presented to you. You seemingly know next to nothing about product key structure, despite posting in a thread dedicated to the very topic. You are like a person who wants to walk to the South Pole in a T-shirt, without caring about how cold it will get. The reason why noone else is trying is because people realise that they would just freeze to death. There is such a thing as thinking ahead.
@madhadder Its simple mathematics, let P is the product key which can be treated as P = f(x, y, z) where x, y & z are the 3 required parameters. We already know the valid ranges of all parameters. Isn't it statistically better to estimate only z aka the secret rather than P itself??
It's not that it's impossible to generate a working secret hash, but that MS has whitelisted all of their Keys to certain hardware combinations. There's built-in WAT that officially controls these things as well as the hidden Activation reporting techniques. MS reports the activation data to a data collection server every 24 hours. They also use a special name server from Mark Monitor that helps report illegal usage. You combine all those things and you'll realize that it's better to either completely disable all of those things, or just use KMS; which we've kind-of done.
Trying to bruteforce a secret hash is going to take forever just because of how long it can be and how you literally need to DDoS the server with million requests per second, this isn't going to work. You could though, try to hook the Phone Activation because of how it works it could be quite easy to activate windows this way. Instead of having to generate a huge 48 digit number, you only have to generate a 6 digit number for each box because the Dialog checks each box invidually as far as i can remember (which is about 1million combinations for each box), if you try to enter just some random digits into the first box it will already error out. But who knows if this really makes you legit activated with a generated key.
Most of software licensing related client functions are in sppc.dll. Code: HRESULT WINAPI SLDepositOfflineConfirmationId( _In_ HSLC hSLC, _In_ const SLID *pProductSkuId, _In_ PCWSTR pwszInstallationId, _In_ PCWSTR pwszConfirmationId ); HRESULT WINAPI SLGenerateOfflineInstallationId( _In_ HSLC hSLC, _In_ const SLID *pProductSkuId, _Out_ PWSTR *ppwszInstallationId ); I wrote a program that directly calls these functions. So it's possible to trigger sl rpc handler in sppsvc.exe (software licensing server). Rpc Server Interface (L"ncalrpc:[SPPCTransportEndpoint-00001]"). This is the server side entry point for all sppc calls. Code: RPC_STATUS RPC_ENTRY Rpc_Server_Interface( HANDLE hRpc, // Rpc handle DWORD dwFunctionID, // SL function id DWORD dwParamSizeInBytes, PBYTE pParam, // Parameter struct PBYTE pStruct2, // Unknown PBYTE pStruct3 // Unknown ); SLGenerateOfflineInstallationId = 0x16, dwParamSizeInBytes = 0x38 SLDepositOfflineConfirmationId = 0x17, dwParamSizeInBytes = 0x140 Code: typedef struct _SL_Param_Header { DWORD Hash; // Similar to CRC32 & hash in pkey, Offset: 0 DWORD MajorVersion; // 0x00000004, Offset: 4 DWORD MinorVersion; // 0x00000000, Offset: 8 } SL_Param_Header, *PSL_Param_Header; typedef struct _SLGenerateOfflineInstallationId_Param { SL_Param_Header SkuID_Header; // Offset: 0 DWORD SkuID_SizeInBytes; // 0x00000010, Offset: 12 SLID SkuID; // Offset: 16 SL_Param_Header Unknown_Header; // Offset: 32 DWORD Unknown_SizeInBytes; // 0x00000004, Offset: 44 DWORD Unknown; // 0x00000000, Offset: 48 (HRESULT or Rpc_Status?) BYTE Unknown_Pad[4]; // 0x00 (8byte rpc value padding), Offset: 52 } SLGenerateOfflineInstallationId_Param, *PSLGenerateOfflineInstallationId_Param; typedef struct _SLDepositOfflineConfirmationId_Param { SL_Param_Header SkuID_Header; // Offset: 0 DWORD SkuID_SizeInBytes; // 0x00000010, Offset: 12 SLID SkuID; // Offset: 16 SL_Param_Header IID_Header; // Offset: 32 DWORD IID_SizeInBytes; // 0x00000080, Offset: 44 WCHAR IID[64]; // incl. check digits, null-terminated, Offset: 48 SL_Param_Header CID_Header; // Offset: 176 DWORD CID_SizeInBytes; // 0x00000062, Offset: 188 WCHAR CID[49]; // incl. check digits, null-terminated, Offset: 192 BYTE CID_Pad[6]; // 0x00 (8byte rpc value padding), Offset: 290 SL_Param_Header Unknown_Header; // Offset: 296 DWORD Unknown_SizeInBytes; // 0x00000004, Offset: 308 DWORD Unknown; // 0x00000000, Offset: 312 (HRESULT or Rpc_Status?) BYTE Unknown_Pad[4]; // 0x00 (8byte rpc value padding), Offset: 316 } SLDepositOfflineConfirmationId_Param, *PSLDepositOfflineConfirmationId_Param; The server interface is the same for every call. You can place a bp on the function id and you will break in a function switch. Code: Hex dump Command Comments 8D0C9D 20B303 LEA ECX,[EBX*4+103B320] ; EBX = dwFunctionID, table look-up E8 93FBFFFF CALL GetDecodedPtr ; Get pointer FFD0 CALL EAX ; Call function by id GetDecodedPtr: Hex dump Command Comments 8B09 MOV ECX,DWORD PTR DS:[ECX] E9 80DEFFFF JMP DecodePtr DecodePtr: Hex dump Command Comments 8BFF MOV EDI,EDI 51 PUSH ECX ; /Arg1 FF15 70C20301 CALL DWORD PTR DS:[<&KERNEL32.DecodePointer>] C3 RETN Somewhere in this function handler it runs then decrypted and heavily obfuscated code. I did find the base10 decoding but it's very hard to follow. I give up for now.
Spoiler Nice ... please don't give up BTW.. wrote a GUI but need 8.1 group ID's..assume they are all 2xxx... if any1 has these..?
Spoiler Code: a41 2625 Win 8.1 Pro OEM:DM a3f 2623 Win 8.1 CoreSingleLanguage OEM:DM a3e 2622 Win 8.1 CoreN OEM:DM a3d 2621 Win 8.1 CoreCountrySpecific OEM:DM a3c 2620 Win 8.1 ProWMC Retail default a3b 2619 Win 8.1 CoreARM OEM:DM a3a 2618 Win 8.1 Pro MAK a39 2617 Win 8.1 ProWMC Volume:GVLK a38 2616 Win 8.1 ProN Volume:GVLK a37 2615 Win 8.1 Pro Volume:GVLK a36 2614 Win 8.1 EnterpriseN Volume:GVLK a35 2613 Win 8.1 Enterprise Volume:GVLK a34 2612 Win 8.1 CoreSingleLanguage Volume:GVLK a33 2611 Win 8.1 CoreN Volume:GVLK a32 2610 Win 8.1 CoreCountrySpecific Volume:GVLK a31 2609 Win 8.1 CoreARM Volume:GVLK a30 2608 Win 8.1 CoreARM OEM:DM a2f 2607 Win 8.1 Core Volume:GVLK a2e 2606 Win 8.1 EnterpriseEval Retail:TB:Eval a2d 2605 Win 8.1 EnterpriseNEval Retail:TB:Eval a2c 2604 Win 8.1 ProWMC Retail a2b 2603 Win 8.1 ProWMC Retail a2a 2602 Win 8.1 ProN Retail a29 2601 Win 8.1 ProN Retail a28 2600 Win 8.1 Pro Retail a27 2599 Win 8.1 CoreN Retail a26 2598 not valid a25 2597 Win 8.1 Core OEM:DM a24 2596 Win 8.1 Core Retail default a23 2595 Win 8.1 ProN OEM:NONSLP a22 2594 Win 8.1 Pro OEM:NONSLP a1a 2586 Win 8.1 Core OEM:DM
I found the SHA256 hash in sppobjs.dll. SHA256 constants: Code: CPU Disasm Hex dump Command Comments 8BFF MOV EDI,EDI ; (guessed Arg1) 55 PUSH EBP 8BEC MOV EBP,ESP 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] C700 67E6096A MOV DWORD PTR DS:[EAX],6A09E667 C740 04 85AE6 MOV DWORD PTR DS:[EAX+4],BB67AE85 C740 08 72F36 MOV DWORD PTR DS:[EAX+8],3C6EF372 C740 0C 3AF54 MOV DWORD PTR DS:[EAX+0C],A54FF53A C740 10 7F520 MOV DWORD PTR DS:[EAX+10],510E527F C740 14 8C680 MOV DWORD PTR DS:[EAX+14],9B05688C C740 18 ABD98 MOV DWORD PTR DS:[EAX+18],1F83D9AB C740 1C 19CDE MOV DWORD PTR DS:[EAX+1C],5BE0CD19 C740 20 00000 MOV DWORD PTR DS:[EAX+20],0 C740 24 00000 MOV DWORD PTR DS:[EAX+24],0 5D POP EBP C2 0400 RETN 4 I can confirm sha256(IID+CID) and sha256(BYTE(01)+IID).
This sounds like great progress. I am hesitant to ask but does this mean the days of having to call M$ every time I re install windows are nearing an end? ie: ***local phone activation***