Feeds

WinXP product activation cracked: totally, horribly, fatally

Tecchannel fools it into oblivion

  • alert
  • submit to reddit

Security for virtualized datacentres

Since Microsoft introduced Windows Product Activation (WPA) the crackers have gone through a series of WinXP beta builds, finding new ways to at least circumvent the protection system. But now, taking an entirely different approach, Germany's Tecchannel has demonstrated that WPA as shipped in RC1 is full of gaping holes, and can be fooled almost completely.

Tecchannel's report available in English here, or in German here) demonstrates that WPA can be compromised via numerous hardware-related routes; it all centres on the file wpa.dbl, which WinXP keeps in the system32 directory.

This file stores information on the nature of the hardware at the time of activation, and when Windows XP notices more than three items of hardware have changed, it deletes it. Then you need to activate again. You'll also, Tecchannel notes, need to activate immediately if you installed more than 30 days (or 14 with RC1) ago, as that's when the clock starts ticking. This, incidentally, is also the case if you do a 'repair' to fix a bust system - not exactly friendly.

So first of all Tecchannel saved the file then started changing hardware. Two items OK, but replacing a third - the CPU - triggered the deletion. Although you'd think the CPU is only one component, it's actually tallied up as two. Switching off the CPU serial number in the bios and therefore knocking it down to one doesn't get the earlier wpa.dbl back - this has been restored in a non-activated state.

Copy the saved version back? That surely shouldn't work - but it does. Next, Tecchannel tried a completely new installation using the same product key. This produces a new product ID, but nevertheless copying the wpa.dbl file back again works.

They also use this file on another computer, altering the computer's volume ID first, which is easily enough done. They can also use forged network cards MAC addresses, so now they've taken two parts of the hardware ID out of the picture. Next, use the hardware profile to tell the computer it's a notebook with a docking station. This works, and tells WPA to stop counting the IDE/SCSI controller and the graphics card.

That gets the differences counted down to three, hard disk, CPU and CDROM ID, which is within the limit, so WPA is effectively toast.

What does this mean? Tecchannel's investigation shows that, at the very least, you can use the same wpa.dbl file to activate as many computers as you like, provided the RAM size is the same. A 'universal' file that didn't even require the same RAM might be a possibility, but it's more likely that people will simply swap files to get one appropriate for their hardware. If Microsoft doesn't change WPA before WinXP ships, then it's pointless. But changing it when RC2 is looming, and when the holes are so obviously huge, would be difficult.

So farewell then, Windows Product Activation - for the moment? ®

Website security in corporate America

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
'People have forgotten just how late the first iPhone arrived ...'
Plus: 'Google's IDEALISM is an injudicious justification for inappropriate biz practices'
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.