WinXP protection: it's the .NET, stupid

And the latest leak is calling itself 'RC1'...


In the past few days another WinXP build, 2474, has leaked out onto IRC, and this time it's acquired an "RC1" tag. Numerous claims have been made that Microsoft's latest protection for product activation has been cracked. According to The Register's sources, however, this is not true - they insist that the current alleged cracks are simply a case of the crackers having managed to confuse themselves.

How so? According to a posting on Winbeta by "Epyx" (who has also been in touch with The Register), the file in the recent WinXP builds that crackers are currently getting excited about is a blind alley. He says: "oobeutil.js is a Javascript file that controls which XML pages are displayed during the activation process. Because the most critical parts of activation are based on the server side, you can't use oobeutil.js to fool the server into giving you something (i.e. a root certificate) that you aren't entitled to."

The claimed crack we were sent last week, he says, switched around the errorlevels pertaining to "SUCCESS" and "USED_PID" - the latter is given when a product key that has been used too many times has been blocked. "Because the crack made you replace oobeutil.js with the hacked version, the following dialog screens get screwed up. This confused the #crackxp people... When it should be telling you that activation is successful ('SUCCESS'), it is actually telling you that 'your key has been used too many times' ('USED_PID'). Then they tell you to try again, and this time it returns a different errorlevel which announces correctly that you are already activated."

But actually, as that product was already activated by the few people who used the escaped key before Microsoft slammed the door on it, the hooky copies people are using it on now will cease to function 14 days after they try.

Makes sense to us. Another person we've heard from, "AD," says that despite claims to the contrary there has been "no crack out for XP as of this date," and that the protection lies somewhere other than in the JavaScript and the previous favourite, winlogon.exe. "I can tell you definitely there is a way around the 14 days, and I have found it, and I can say Microsoft has become a bit more clever, but not impossible."

A crack for the 14 day timeout certainly is being circulated at the moment, but AD argues that the real protection involves the digital signatures we covered here last week. "Everything is digitally signed, but having to break various signatures to get around the protection is not the way, there is another way." Which he's not telling us right now.

But what's interesting is the extent to which the recent leaked builds signpost the direction Microsoft is taking with product activation. Signed files, server-based authentication and certificates start to take us towards a decidedly .NET environment.

Rationally, what Microsoft is doing now is surely testing these mechanisms and their integrity, and so far that seems to be working. The volumes the system currently has to deal with won't be anything like what they'll have to handle when WinXP ships, but then with Office XP out, and using a similar system, at the end of this month, there'll be an opportunity for more of a live battle test.

What Microsoft hasn't done so far, it would appear, is produce a sufficiently secure system that stops activation being, effectively, optional. Previous efforts by the crackers convinced the system it had been activated when it hadn't (maybe AD's getting excessively philosophical when he says this isn't an XP crack), while the most recent (assuming it works) simply stops the system ceasing to function if it's not activated in the first 14 days.

Obviously if XP ships without something fiendishly tougher in the box, then activation will remain optional - although even if you circumvent it on a paid-for copy you should note that the current licence Ts & Cs say you do not have a licence if you do not activate the product in the approved way. More likely, breachable protection would be of some interest to the warez community, but when the product actually ships there'll surely be unlocked corporate editions around, as is the case with OXP, so these are the ones they're going to warez. And cracking the activation will be largely an intellectual exercise.

So what's the big deal? Maybe it's anticipation of what's coming next. Currently Microsoft is presenting activation as a simple, one-time, non privacy-infringing exercise. And indeed, currently it is, and finding out how to not use it with a legitimate copy looks like it might be just plain cussed.

But look at all of the damned nagware parallels that already exist in the world (and note in passing that most of the biggest atrocities aren't foisted on us by Microsoft). You buy the product, and at indeterminate intervals, or even every time you use it, up pops the register now box, and it's usually none too simple to find out how you switch it off. These are registration processes, while product activation and registration are two separate things. (Well, not entirely - in the official 2462 beta 2 code it's very easy to be tricked into checking the register box while you're activating, and funnily enough, you're then filling in the usual data boxes. Microsoft should note that this cheesy stunt has been noted.)

Like everybody else, Microsoft does want that data, and although it's not directly using product activation to get it, in this rev PA is certainly going to be a mechanism for vastly increasing the percentage of registered users Redmond is going to get. Other mechanisms such as certificates, signed files and the beefed-up Windows Update will also substantially increase the amount of information exchanged between WinXP clients and Microsoft servers. So maybe the whole deal is designed to get the maximum number of people possible used to this, and maybe there's a thought in Redmond that this could be so successful that there won't be any real need to make it absolutely compulsory. Or maybe not..? ®

Related stories:
Cracked or not? WinXP protection war hots up
