Feeds

Cracked or not? WinXP protection war hots up

Did the Dark Side win? Which one is the Dark Side anyway?

  • alert
  • submit to reddit

Combat fraud and increase customer satisfaction

Following our piece on Windows XP copy protection yesterday (MS tips its hand on WinXP protection system) we've received some interesting emails, and there may also have been developments, one of these being that a new build of XP, 2475, may have leaked.

We'll get back to that one, but the question of whether or not the security surrounding Microsoft's Product Activation technology has been breached is for the moment the most interesting matter. We've been contacted by a Mr Jack Flack, who specifically asked for a name-check (hello there, Jack), said he was a courier, and claimed cracking credit for the #crackXP team on DALnet. We're not in a position to verify the crack, but the files he sent are interesting in that they don't involve the replacement of winlogon.exe with an older version (which is how people got around protection in previous builds).

Instead, the key seems to be the replacement of oobeutil.js (out of box experience utility - so Microsoft is still sticking the signposts on the code). This route, by the way, is getting to be pretty common currency in the relevant IRC channels, so we're not telling them or Microsoft anything they didn't know already. The #crackXP routine may work, and there may already be other cracks using a similar approach. One snag on the verification issue is this, from the instruction file: "You CANNOT forward your clock to see if this works, it is a bug in XP 2469 that means forwarding the clock fucks everything up, it will say it isnt activated yet it is. Take our word on this!"

So that kind of leaves things open for the next two weeks, which is when it'll stop working if the the crack didn't work after all. Unless the bug got fixed in 2475, of course.

Another interesting mail, this time from somebody who really didn't sound like he wanted a name check, sounds extremely plausible, and casts considerable doubt on the possibility of a swift, easy crack for the new system. "The new build of Windows XP includes digital signatures on all vital login code, including Winlogon.exe. If you pick apart this file with de-assembly tools you can clearly see the exported keys." He also mentions that Microsoft has digitally signed all its theme files, and muses about why this would be. Maybe worth us musing further another time.

He goes on: "Creating a crack will be far harder than anyone thought for the above listed reasons and for a new reason, all the files that are used to activate are being cross checked. In order to create a working a crack, one would need to break the digital signature on at least 2 files (winlogon.exe & msgina.dll) and possibly several others, including the setup program. (which appears to check the digital signature on file copy) On top of all this, the crack will need to pick apart an activation process that is done via SSL."

So the interesting thing about the possible cracks now doing the rounds is that they at least superficially seem to take a route other than attacking winlogon.exe, while the interesting thing about what this guy has to say is that Microsoft appears to be using cross-checking of digitally signed files as part of the protection. Widen the number of files involved and the crack can easily be made a much trickier proposition. So long, of course, as the signing itself cannot be compromised on the local machine. Once you're running XP you can certainly make your own choices about signed files, but that needn't necessarily be the case in the OOBE phase.

Our sceptic (who was writing yesterday, before alleged cracks started appearing), ends: "There's a budding murmur of agreement that Microsoft just might have won this time amongst crackers out there." This is reinforced by a posting on neowin.net which says: "People on IRC are screaming blue murder, crying out for Microsoft's blood and the well known forces of the 'Crack elite' are shrugging their shoulders in wake of this re-newed onslought from Microsoft. It seems that the cry for Warez 1 - Microsoft 0 was a little premature."

Maybe, maybe not. But Microsoft is clearly getting serious about this, and the spy v spy war looks like its going to get seriously interesting before WinXP ships in October. ®

3 Big data security analytics techniques

More from The Register

next story
Ubuntu 14.04 LTS: Great changes, but sssh don't mention the...
Why HELLO Amazon! You weren't here last time
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Next Windows obsolescence panic is 450 days from … NOW!
The clock is ticking louder for Windows Server 2003 R2 users
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
OpenBSD founder wants to bin buggy OpenSSL library, launches fork
One Heartbleed vuln was too many for Theo de Raadt
Got Windows 8.1 Update yet? Get ready for YET ANOTHER ONE – rumor
Leaker claims big release due this fall as Microsoft herds us into the CLOUD
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.