WinXP protection: it's the .NET, stupid

And the latest leak is calling itself 'RC1'...


In the past few days another WinXP build, 2474, has leaked out onto IRC, and this time it's acquired an "RC1" tag. Numerous claims have been made that Microsoft's latest protection for product activation has been cracked. According to The Register's sources, however, this is not true - they insist that the current alleged cracks are simply a case of the crackers having managed to confuse themselves.

How so? According to a posting on Winbeta by "Epyx" (who has also been in touch with The Register), the file in the recent WinXP builds that crackers are currently getting excited about is a blind alley. He says: "oobeutil.js is a Javascript file that controls which XML pages are displayed during the activation process. Because the most critical parts of activation are based on the server side, you can't use oobeutil.js to fool the server into giving you something (i.e. a root certificate) that you aren't entitled to."

The claimed crack we were sent last week, he says, switched around the errorlevels pertaining to "SUCCESS" and "USED_PID" - the latter is given when a product key that has been used too many times has been blocked. "Because the crack made you replace oobeutil.js with the hacked version, the following dialog screens get screwed up. This confused the #crackxp people... When it should be telling you that activation is successful ('SUCCESS'), it is actually telling you that 'your key has been used too many times' ('USED_PID'). Then they tell you to try again, and this time it returns a different errorlevel which announces correctly that you are already activated."

But actually, as that product was already activated by the few people who used the escaped key before Microsoft slammed the door on it, the hooky copies people are using it on now will cease to function 14 days after they try.
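The point made above, that the script only chooses which screen to show while the decision is taken on the server, as an added example (not code from the article or from Microsoft). Only the status names SUCCESS and USED_PID come from the article; the functions, the use limit, the key string and the message texts are constructed for the simulation.

```javascript
// Added illustration: a toy activation server and a client display table.
// Only the status names SUCCESS and USED_PID come from the article;
// all functions, limits, keys and message texts are constructed.

const MAX_USES = 2; // assumed per-key limit, for the simulation only

function makeServer() {
  const uses = new Map();       // product key -> activation count
  const activated = new Set();  // installation ids the server has approved
  return {
    activate(key, installId) {
      const n = uses.get(key) || 0;
      if (n >= MAX_USES) return "USED_PID"; // key blocked: nothing recorded
      uses.set(key, n + 1);
      activated.add(installId);
      return "SUCCESS";
    },
    isActivated(installId) { return activated.has(installId); },
  };
}

// What a client-side display script does: map a status to a screen.
const honestScreens = {
  SUCCESS: "Activation successful",
  USED_PID: "Key has been used too many times",
};

// A modified copy with the two entries switched around.
const swappedScreens = {
  SUCCESS: honestScreens.USED_PID,
  USED_PID: honestScreens.SUCCESS,
};

function runClient(server, screens, key, installId) {
  const status = server.activate(key, installId);
  return { status, shown: screens[status] };
}

function demo() {
  const server = makeServer();
  const key = "CONSTRUCTED-KEY-0001";
  runClient(server, honestScreens, key, "pc-a");
  runClient(server, honestScreens, key, "pc-b"); // key now at its limit
  const r = runClient(server, swappedScreens, key, "pc-c");
  return { ...r, serverSaysActivated: server.isActivated("pc-c") };
}

console.log(demo());
```

The third machine sees a success screen, but the server's record for it is unchanged, which is why an activation design keeps the authoritative state off the client.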

Makes sense to us. Another person we've heard from, "AD," says that despite claims to the contrary there has been "no crack out for XP as of this date," and that the protection lies somewhere other than in the JavaScript and the previous favourite, winlogon.exe. "I can tell you definitely there is a way around the 14 days, and I have found it, and I can say Microsoft has become a bit more clever, but not impossible."

A crack for the 14 day timeout certainly is being circulated at the moment, but AD argues that the real protection involves the digital signatures we covered here last week. "Everything is digitally signed, but having to break various signatures to get around the protection is not the way, there is another way." Which he's not telling us right now.

But what's interesting is the extent to which the recent leaked builds signpost the direction Microsoft is taking with product activation. Signed files, server-based authentication and certificates start to take us towards a decidedly .NET environment.

Rationally, what Microsoft is doing now is surely testing these mechanisms and their integrity, and so far that seems to be working. The volumes the system currently has to deal with won't be anything like what they'll have to handle when WinXP ships, but then with Office XP out, and using a similar system, at the end of this month, there'll be an opportunity for more of a live battle test.

What Microsoft hasn't done so far, it would appear, is produce a sufficiently secure system that stops activation being, effectively, optional. Previous efforts by the crackers convinced the system it had been activated when it hadn't (maybe AD's getting excessively philosophical when he says this isn't an XP crack), while the most recent (assuming it works) simply stops the system ceasing to function if it's not activated in the first 14 days.

Obviously if XP ships without something fiendishly tougher in the box, then activation will remain optional - although even if you circumvent it on a paid-for copy you should note that the current licence Ts & Cs say you do not have a licence if you do not activate the product in the approved way. More likely, breachable protection would be of some interest to the warez community, but when the product actually ships there'll surely be unlocked corporate editions around, as is the case with OXP, so these are the ones they're going to warez. And cracking the activation will be largely an intellectual exercise.

So what's the big deal? Maybe it's anticipation of what's coming next. Currently Microsoft is presenting activation as a simple, one-time, non privacy-infringing exercise. And indeed, currently it is, and finding out how to not use it with a legitimate copy looks like it might be just plain cussed.

But look at all of the damned nagware parallels that already exist in the world (and note in passing that most of the biggest atrocities aren't foisted on us by Microsoft). You buy the product, and at indeterminate intervals, or even every time you use it, up pops the register now box, and it's usually none too simple to find out how you switch it off. These are registration processes, while product activation and registration are two separate things. (Well, not entirely - in the official 2462 beta 2 code it's very easy to be tricked into checking the register box while you're activating, and funnily enough, you're then filling in the usual data boxes. Microsoft should note that this cheesy stunt has been noted.)

Like everybody else, Microsoft does want that data, and although it's not directly using product activation to get it, in this rev PA is certainly going to be a mechanism for vastly increasing the percentage of registered users Redmond is going to get. Other mechanisms such as certificates, signed files and the beefed-up Windows Update will also substantially increase the amount of information exchanged between WinXP clients and Microsoft servers. So maybe the whole deal is designed to get the maximum number of people possible used to this, and maybe there's a thought in Redmond that this could be so successful that there won't be any real need to make it absolutely compulsory. Or maybe not..? ®

Related stories:
Cracked or not? WinXP protection war hots up
