Feeds

WinXP product activation cracked: totally, horribly, fatally

Tecchannel fools it into oblivion

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Since Microsoft introduced Windows Product Activation (WPA) the crackers have gone through a series of WinXP beta builds, finding new ways to at least circumvent the protection system. But now, taking an entirely different approach, Germany's Tecchannel has demonstrated that WPA as shipped in RC1 is full of gaping holes, and can be fooled almost completely.

Tecchannel's report available in English here, or in German here) demonstrates that WPA can be compromised via numerous hardware-related routes; it all centres on the file wpa.dbl, which WinXP keeps in the system32 directory.

This file stores information on the nature of the hardware at the time of activation, and when Windows XP notices more than three items of hardware have changed, it deletes it. Then you need to activate again. You'll also, Tecchannel notes, need to activate immediately if you installed more than 30 days (or 14 with RC1) ago, as that's when the clock starts ticking. This, incidentally, is also the case if you do a 'repair' to fix a bust system - not exactly friendly.

So first of all Tecchannel saved the file then started changing hardware. Two items OK, but replacing a third - the CPU - triggered the deletion. Although you'd think the CPU is only one component, it's actually tallied up as two. Switching off the CPU serial number in the bios and therefore knocking it down to one doesn't get the earlier wpa.dbl back - this has been restored in a non-activated state.

Copy the saved version back? That surely shouldn't work - but it does. Next, Tecchannel tried a completely new installation using the same product key. This produces a new product ID, but nevertheless copying the wpa.dbl file back again works.

They also use this file on another computer, altering the computer's volume ID first, which is easily enough done. They can also use forged network cards MAC addresses, so now they've taken two parts of the hardware ID out of the picture. Next, use the hardware profile to tell the computer it's a notebook with a docking station. This works, and tells WPA to stop counting the IDE/SCSI controller and the graphics card.

That gets the differences counted down to three, hard disk, CPU and CDROM ID, which is within the limit, so WPA is effectively toast.

What does this mean? Tecchannel's investigation shows that, at the very least, you can use the same wpa.dbl file to activate as many computers as you like, provided the RAM size is the same. A 'universal' file that didn't even require the same RAM might be a possibility, but it's more likely that people will simply swap files to get one appropriate for their hardware. If Microsoft doesn't change WPA before WinXP ships, then it's pointless. But changing it when RC2 is looming, and when the holes are so obviously huge, would be difficult.

So farewell then, Windows Product Activation - for the moment? ®

Beginner's guide to SSL certificates

More from The Register

next story
ONE MILLION people already running Windows 10
A third of them are doing it in VMs, but early feedback focuses on frippery
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Sway: Microsoft's new Office app doesn't have an Undo function
Content aggregation, meet the workplace ... oh
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Do Moan! MONSTER 6-day EMAIL OUTAGE hits Domain Monster
Customers freaked out by frightful service
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
NetWare sales revive in China thanks to that man Snowden
If it ain't Microsoft, it's in fashion behind the Great Firewall
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.