View Full Version : Windows XP WPA authorisation

June 14th, 2006, 04:30
Was thinking about this lately and had a look around on the internet thinking that by now a simple keygen would have been release but the usual spots revealed nothing.

When I say keygen I mean something that will generate the correct response to the authorisation code. All that seems to be out on the internet is license keys and corporate keys etc. to bypass the authorisation steps. Yet I know for other software there have been keygens which work in the same manner i.e. auth code/response code and these have been reversed with some degree of precision.

So the question begs to be answered. Have microsoft created something that is completely unreversable. I have read articles on How WPA is created based on combination of hardware ID etc but surely the response code can be reversed or does it change consistantly. Is it wrapped with a private/public key system. I would have thought a blowfish authorisation would be impossible but surely typing in numbers would have been investigated by now.

Anyway just thinking out loud until someone shoves a sock in it.

June 14th, 2006, 05:54
afaik they validate keys against a certain (unknown currently) range..
the keygen will obviously generate valid keys, which allow install, but probably are outside of the valid range.. thats what they check against...

June 14th, 2006, 09:55
Exactly, the only way to "crack" a database comparison check is to actually steal/guess a valid key (and with valid I mean one that has been actually sold to someone, not one that just matches the client-side checks).

If the MS guys are clever, they'd generate all keys based on completely random seed data, just checking against previous generated keys to avoid any collisions. In that case you are completely toast, and all you can do is to bruteforce the entire valid key space to fins a correct guess, which would be quite hard and easy detectable. It is a theoretical possibility that they might have some system behind their generated/sold keys though, and if you crack this scheme, you will have a very big working keyspace on which you could base a working keygen whose keys could never be blocked/stopped by them.

That being said, you can of course always patch the client side code, but that has to be done for each new MS update, and can also be made to be quite a tedious pain in the ass if the MS guys would like to.

June 14th, 2006, 12:12
There are two levels, client-side and server-side.

Client-side is easy. The product key is a 25-digit base-24 number, and is converted to a binary representation 128 bits. (Not just M$ use this scheme, many other serial validation routines use base-24 as well). A modulo check is used. (Ref: pidgen.dll)

I'm not too sure about serverside but there definitely must be a correlation between the challenge/response code entered during manual activation, as it is completely possible to activate without connecting to the Internet (phone M$ and give them the challenge code, they have a keygen for it).

Why hasn't there been any releases of keygens? Both because most crackers are too lazy to generate their own custom key when there are literally thousands of working product keys out there, and because they don't want M$ to know that their protection is weak

Here is a good start: http://www.licenturion.com/xp/fully-licensed-wpa.txt
(Explains product key and challenge code, but doesn't get much further than that )

June 14th, 2006, 18:49
Again I am not after generation of the product key.... This has been done to death.
I have seen the licenturion article and again it typical of what I see out on the internet it doesn't go into the generation of the confirmation code. It only proves very little information is forwarded to microsoft regarding your machine.

Just to clear it up for others

Product Key -> Challenge/Activation Code ---> Phone M$ --> Confirmation code.

The bit that seems lacking is the the final part "Confirmation code". Thats what I am seeking information on. I have reviewed the articles regarding the product key/challenge/activation code/Hardware IDs etc.

Edit Post Note:
Why ido people always have to pick the easiest solution. "Just crack it by patching the dll." If thats all I wanted I wouldn't have asked the question on how this thing works. I am more interested in the method rather than the quick solution.

June 15th, 2006, 09:42
Patching the DLL wasn't only the 'easiest' solution, it was the only viable one.

I thought evilcrn8/dELTA made it clear that Microsoft are believed to use a straightforward database check for WGA. Specifically, each license distributed by MS is added to their server-side database. When a user then tries to authenticate via WGA their license number is sent off and checked for existence and uniqueness against the database of valid keys. So there can be no elegant way to break this protection. The only feasible solutions require brute-force, server hacking or a blessing from lady luck.


June 15th, 2006, 10:13
I'd like to know, is there a difference between WPA and WGA ? Or is this the same ?

June 15th, 2006, 13:46
WPA is the activation system, there are numerous ways to get around it. The OP wanted information on WPA, not WGA. Specifically, how challenge/response code is compared.

WGA is to check if your (already activated) copy of Windows is Genuine. As posted above, it uses a serverside database.

June 15th, 2006, 22:09
I read a post on a forum somewhere by a guy who runs a retail computer business, (presumably assembles his own "clones", he stated that M$ sold him rolls of serials - like you see the IT guys stick on your box, and it was really cheap, about $10 a serial - awfully hard to write a keygen that doesn't accidently make a correct hit fairly often, I'd love to get my hands on a roll to see if there is any logical sequence.


June 15th, 2006, 22:20
Again people jump on the wagon without reading.

I discussed WPA (Its in the topic) which is not linked to WGA.
Thanks for LLXX detailing the difference.

You stated that there are multiple ways of getting around it. I assume all they ways involve patching/modification without actually providing a method to authorise without modification.

The more I looked the more I don't find any reference for this yet I would have thought this would have been the easiest way forward. Just to clarify generating a confirmation code based on authorisation/challenge code.

It might be time for some sleep again.

June 16th, 2006, 09:52
I read a post on a forum somewhere by a guy who runs a retail computer business, (presumably assembles his own "clones", he stated that M$ sold him rolls of serials

Sounds like a Select agreement. I've had hold of something similar before. MS are very aware that their consumer licensing system is totally inappropriate for large organisations rolling out thousands of desktops/servers/packages.