Windows 8 Product Key Decoding

Discussion in 'Windows 8' started by Bob65536, Sep 20, 2012.

Thread Status:
Not open for further replies.
  1. madhadder

    madhadder MDL Novice

    Feb 8, 2012
    11
    5
    0
    Well, I just checked 100k keys with no timeouts or IP blocking. So I guess there is currently no restrictions on the MS server side.
    As for the Hardware ID bit, I'm sure its actually just a code computed from various system variables and changed with each OS install.
     
  2. EFA11

    EFA11 Avatar Guru

    Oct 7, 2010
    8,701
    6,729
    270
    I haven't run into any timeouts. As madhadder has done, when I click MAK to select all in VAMT it will check thousands of the mak keys at once and with the new win8->2012R2 and office2013 it only takes a few seconds to bang them all out and show counts. Everything below (e.g. Win7 Office14) takes a lot longer.
     
  3. kelorgo

    kelorgo MDL Addicted

    Oct 29, 2012
    848
    1,512
    30
    @madhadder: What you are proposing is not feasible. A simple estimate will show you that. The secret id part of a product key is 7 bytes (56 bits) long. Assuming an extreme scenario where you can validate 1 million keys per second, and that you have 1 million devices working on it, it would take 20 hours to find a single valid key. This is assuming that you are trying with a group id and key id that has actually been given out by MS, and you cant even be sure of that. Brute force search for valid keys is just not practical.
     
  4. kelorgo

    kelorgo MDL Addicted

    Oct 29, 2012
    848
    1,512
    30
    :doh: You do realise that every product key corresponds to a group id + key id + secret combination? The whole point of the OP is to show how they are converted to each other (in either direction). Hence trying a random product key is the same as trying a random combination of group id + key id + secret. There are in fact slightly more product keys than there are id combinations, because of check digits.

    What I posted is therefore fully relevant to what you are trying to do, and puts an estimate on the lower bound on your search efforts. In plain English: searching random product keys takes even longer than searching for a valid secret.
     
  5. pottzman

    pottzman MDL Member

    Dec 8, 2009
    229
    377
    10
    I would like to know how does one check a generated key against M$ server to see if it is valid? Is it buy trying to activate it? wouldn't that in effect destroy genuine product keys abilities to activate for legit customers because you have already activated it.
     
  6. Superfly

    Superfly MDL Expert

    Jan 12, 2010
    1,147
    552
    60
    .. if a generated key matches one from a legit source that would invalidate it yes... thus I'm not a supporter of this method of brute-force .. too Warez for me :eek:

    Much prefer we find a way to hook SPP for permanent activation.. even if we have to use a generated key...being local, M$ servers are excluded from the equation (assuming phoning home can be manipulated as well?) - whether that's even possible IDK.. just thinking conceptually :p
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. madhadder

    madhadder MDL Novice

    Feb 8, 2012
    11
    5
    0
    Knowlege is good, but when it relies on something you don't have (Secret Hash) to generate valid Keys, then its kinda useless isn't it?
    Just how long would it take to brute-force the secret key hash, huh? Prob. just as long or longer than my method. Seeing as I can pump out
    around 10Million keys every 8-15 seconds (In 1 Process,On only 1 PC). Adding more generating PCs into the mix will greatly shorten the time
    needed to gen all the keys.. Is your quoted number for "All possible keys" or just the ones beginning with "B"?.
     
  8. kelorgo

    kelorgo MDL Addicted

    Oct 29, 2012
    848
    1,512
    30
    At this point, I am flabbergasted by how silly you are being.
    Yes, and we are trying to impart some on you, but you are not listening.
    Nonsense. We don't know the values, but we know exatly how many there are.
    I already answered this, in two separate posts, it is as if you haven't bothered to read them. It takes longer to go through product keys than secret hashes. Period.
    I already explained to you that this is nowhere near fast enough.
    Doesn't really matter. If deagles meant just the ones beginning with B, then all possible keys will be 24 times that much.

    It seems to me that you are just being stubborn for the sake of being stubborn, in order not to have to admit that you were mistaken. You are not reading or choosing to ignore actual information being presented to you. You seemingly know next to nothing about product key structure, despite posting in a thread dedicated to the very topic.

    You are like a person who wants to walk to the South Pole in a T-shirt, without caring about how cold it will get. The reason why noone else is trying is because people realise that they would just freeze to death. There is such a thing as thinking ahead.
     
  9. Tito

    Tito Admin / Adviser
    Staff Member

    Nov 30, 2009
    19,091
    19,920
    340
    @madhadder

    Its simple mathematics, let P is the product key which can be treated as P = f(x, y, z) where x, y & z are the 3 required parameters. We already know the valid ranges of all parameters. Isn't it statistically better to estimate only z aka the secret rather than P itself??

    :eek:
     
  10. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    7,466
    11,872
    240
    It's not that it's impossible to generate a working secret hash, but that MS has whitelisted all of their Keys to certain hardware combinations.
    There's built-in WAT that officially controls these things as well as the hidden Activation reporting techniques. MS reports the activation data to a data collection server every 24 hours.
    They also use a special name server from Mark Monitor that helps report illegal usage.

    You combine all those things and you'll realize that it's better to either completely disable all of those things, or just use KMS; which we've kind-of done.
     
  11. Shenj

    Shenj MDL Expert

    Aug 12, 2010
    1,555
    654
    60
    Trying to bruteforce a secret hash is going to take forever just because of how long it can be and how you literally need to DDoS the server with million requests per second, this isn't going to work.

    You could though, try to hook the Phone Activation because of how it works it could be quite easy to activate windows this way. Instead of having to generate a huge 48 digit number, you only have to generate a 6 digit number for each box because the Dialog checks each box invidually as far as i can remember (which is about 1million combinations for each box), if you try to enter just some random digits into the first box it will already error out. But who knows if this really makes you legit activated with a generated key.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  12. deagles

    deagles MDL Developer

    Feb 22, 2013
    252
    1,265
    10
    #194 deagles, Jan 10, 2014
    Last edited by a moderator: Apr 20, 2017
    Most of software licensing related client functions are in sppc.dll.
    Code:
    HRESULT WINAPI SLDepositOfflineConfirmationId(
      _In_  HSLC hSLC,
      _In_  const SLID *pProductSkuId,
      _In_  PCWSTR pwszInstallationId,
      _In_  PCWSTR pwszConfirmationId
    );
    
    HRESULT WINAPI SLGenerateOfflineInstallationId(
      _In_   HSLC hSLC,
      _In_   const SLID *pProductSkuId,
      _Out_  PWSTR *ppwszInstallationId
    );
    
    I wrote a program that directly calls these functions.
    So it's possible to trigger sl rpc handler in sppsvc.exe (software licensing server).
    Rpc Server Interface (L"ncalrpc:[SPPCTransportEndpoint-00001]").

    This is the server side entry point for all sppc calls.
    Code:
    RPC_STATUS RPC_ENTRY Rpc_Server_Interface(
        HANDLE hRpc, // Rpc handle
        DWORD dwFunctionID, // SL function id
        DWORD dwParamSizeInBytes,
        PBYTE pParam, // Parameter struct
        PBYTE pStruct2, // Unknown
        PBYTE pStruct3 // Unknown
    );
    
    
    SLGenerateOfflineInstallationId = 0x16, dwParamSizeInBytes = 0x38
    SLDepositOfflineConfirmationId = 0x17, dwParamSizeInBytes = 0x140

    Code:
    typedef struct _SL_Param_Header {
        DWORD Hash; // Similar to CRC32 & hash in pkey, Offset: 0
        DWORD MajorVersion; // 0x00000004, Offset: 4
        DWORD MinorVersion; // 0x00000000, Offset: 8
    } SL_Param_Header, *PSL_Param_Header;
    
    typedef struct _SLGenerateOfflineInstallationId_Param {
        SL_Param_Header SkuID_Header; //  Offset: 0
        DWORD SkuID_SizeInBytes; // 0x00000010, Offset: 12
        SLID SkuID; // Offset: 16
    
        SL_Param_Header Unknown_Header; //  Offset: 32
        DWORD Unknown_SizeInBytes; // 0x00000004, Offset: 44
        DWORD Unknown; // 0x00000000, Offset: 48 (HRESULT or Rpc_Status?)
        BYTE Unknown_Pad[4]; // 0x00 (8byte rpc value padding), Offset: 52
    } SLGenerateOfflineInstallationId_Param, *PSLGenerateOfflineInstallationId_Param;
    
    typedef struct _SLDepositOfflineConfirmationId_Param {
        SL_Param_Header SkuID_Header; // Offset: 0
        DWORD SkuID_SizeInBytes; // 0x00000010, Offset: 12
        SLID SkuID; // Offset: 16
    
        SL_Param_Header IID_Header; // Offset: 32
        DWORD IID_SizeInBytes; // 0x00000080, Offset: 44
        WCHAR IID[64]; // incl. check digits, null-terminated, Offset: 48
    
        SL_Param_Header CID_Header; // Offset: 176
        DWORD CID_SizeInBytes; // 0x00000062, Offset: 188
        WCHAR CID[49]; // incl. check digits, null-terminated, Offset: 192
        BYTE CID_Pad[6]; // 0x00 (8byte rpc value padding), Offset: 290
    
        SL_Param_Header Unknown_Header; // Offset: 296
        DWORD Unknown_SizeInBytes; // 0x00000004, Offset: 308
        DWORD Unknown; // 0x00000000, Offset: 312 (HRESULT or Rpc_Status?)
        BYTE Unknown_Pad[4]; // 0x00 (8byte rpc value padding), Offset: 316
    } SLDepositOfflineConfirmationId_Param, *PSLDepositOfflineConfirmationId_Param;
    
    
    The server interface is the same for every call.
    You can place a bp on the function id and you will break in a function switch.
    Code:
    
    Hex dump          Command                                  Comments
    8D0C9D 20B303 LEA ECX,[EBX*4+103B320]                  ; EBX = dwFunctionID, table look-up
    E8 93FBFFFF   CALL GetDecodedPtr                            ; Get pointer
    FFD0          CALL EAX                                              ; Call function by id
    
    GetDecodedPtr:
    Hex dump          Command                                  Comments
    8B09          MOV ECX,DWORD PTR DS:[ECX]
    E9 80DEFFFF   JMP DecodePtr
    
    DecodePtr:
    Hex dump          Command                                  Comments
    8BFF          MOV EDI,EDI
    51            PUSH ECX                                        ; /Arg1
    FF15 70C20301 CALL DWORD PTR DS:[<&KERNEL32.DecodePointer>]
    C3            RETN
    
    
    Somewhere in this function handler it runs then decrypted and heavily obfuscated code.
    I did find the base10 decoding but it's very hard to follow. I give up for now. :g:
     
  13. Superfly

    Superfly MDL Expert

    Jan 12, 2010
    1,147
    552
    60
    #195 Superfly, Jan 11, 2014
    Last edited by a moderator: Apr 20, 2017
    Nice :)... please don't give up :hug2:


    BTW.. wrote a GUI but need 8.1 group ID's..assume they are all 2xxx... if any1 has these..?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. Please-8

    Please-8 MDL Junior Member

    Sep 12, 2012
    99
    60
    0
    #196 Please-8, Jan 11, 2014
    Last edited by a moderator: Apr 20, 2017
    Code:
    a41 2625 Win 8.1 Pro OEM:DM
    a3f 2623 Win 8.1 CoreSingleLanguage OEM:DM
    a3e 2622 Win 8.1 CoreN OEM:DM
    a3d 2621 Win 8.1 CoreCountrySpecific OEM:DM
    a3c 2620 Win 8.1 ProWMC Retail default
    a3b 2619 Win 8.1 CoreARM OEM:DM
    a3a 2618 Win 8.1 Pro MAK
    a39 2617 Win 8.1 ProWMC Volume:GVLK
    a38 2616 Win 8.1 ProN Volume:GVLK
    a37 2615 Win 8.1 Pro Volume:GVLK
    a36 2614 Win 8.1 EnterpriseN Volume:GVLK
    a35 2613 Win 8.1 Enterprise Volume:GVLK
    a34 2612 Win 8.1 CoreSingleLanguage Volume:GVLK
    a33 2611 Win 8.1 CoreN Volume:GVLK
    a32 2610 Win 8.1 CoreCountrySpecific Volume:GVLK
    a31 2609 Win 8.1 CoreARM Volume:GVLK
    a30 2608 Win 8.1 CoreARM OEM:DM
    a2f 2607 Win 8.1 Core Volume:GVLK
    a2e 2606 Win 8.1 EnterpriseEval Retail:TB:Eval
    a2d 2605 Win 8.1 EnterpriseNEval Retail:TB:Eval
    a2c 2604 Win 8.1 ProWMC Retail
    a2b 2603 Win 8.1 ProWMC Retail
    a2a 2602 Win 8.1 ProN Retail
    a29 2601 Win 8.1 ProN Retail
    a28 2600 Win 8.1 Pro Retail
    a27 2599 Win 8.1 CoreN Retail
    a26 2598 not valid
    a25 2597 Win 8.1 Core OEM:DM
    a24 2596 Win 8.1 Core Retail default
    a23 2595 Win 8.1 ProN OEM:NONSLP
    a22 2594 Win 8.1 Pro OEM:NONSLP
    a1a 2586 Win 8.1 Core OEM:DM
     
  15. LostED

    LostED SVF Patch Lover

    Jul 30, 2009
    7,279
    21,931
    240
    now all forums/blogs will be full of easy generated keys...

    :(
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  16. deagles

    deagles MDL Developer

    Feb 22, 2013
    252
    1,265
    10
    #198 deagles, Jan 11, 2014
    Last edited by a moderator: Apr 20, 2017
    I found the SHA256 hash in sppobjs.dll.

    SHA256 constants:
    Code:
    CPU Disasm
    Hex dump          Command                                  Comments
    8BFF          MOV EDI,EDI                              ; (guessed Arg1)
    55            PUSH EBP
    8BEC          MOV EBP,ESP
    8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
    C700 67E6096A MOV DWORD PTR DS:[EAX],6A09E667
    C740 04 85AE6 MOV DWORD PTR DS:[EAX+4],BB67AE85
    C740 08 72F36 MOV DWORD PTR DS:[EAX+8],3C6EF372
    C740 0C 3AF54 MOV DWORD PTR DS:[EAX+0C],A54FF53A
    C740 10 7F520 MOV DWORD PTR DS:[EAX+10],510E527F
    C740 14 8C680 MOV DWORD PTR DS:[EAX+14],9B05688C
    C740 18 ABD98 MOV DWORD PTR DS:[EAX+18],1F83D9AB
    C740 1C 19CDE MOV DWORD PTR DS:[EAX+1C],5BE0CD19
    C740 20 00000 MOV DWORD PTR DS:[EAX+20],0
    C740 24 00000 MOV DWORD PTR DS:[EAX+24],0
    5D            POP EBP
    C2 0400       RETN 4
    
    
    I can confirm sha256(IID+CID) and sha256(BYTE(01)+IID). :D
     
  17. pottzman

    pottzman MDL Member

    Dec 8, 2009
    229
    377
    10
    #199 pottzman, Jan 12, 2014
    Last edited by a moderator: Apr 20, 2017
    This sounds like great progress. I am hesitant to ask but does this mean the days of having to call M$ every time I re install windows are nearing an end? ie: ***local phone activation*** :mauridia:
     
  18. Tito

    Tito Admin / Adviser
    Staff Member

    Nov 30, 2009
    19,091
    19,920
    340