Anonymous Gerbil |
>> INTRODUCTION

The current public discussion of Windows Product Activation (WPA) is characterized by uncertainty and speculation. In this paper we supply the technical details of WPA - as implemented in Windows XP - that Microsoft should have published long ago.

While we strongly believe that every software vendor has the right to enforce the licensing terms governing the use of a piece of licensed software by technical means, we also do believe that each individual has the right to detailed knowledge about the full implications of the employed means and possible limitations imposed by it on software usage.

In this paper we answer what we think are currently the two most important open questions related to Windows Product Activation.

  * Exactly what information is transmitted during activation?

  * How do hardware modifications affect an already activated installation of Windows XP?

Our answers to these questions are based on Windows XP Release Candidate 1 (build 2505). Later builds as well as the final version of Windows XP might differ from build 2505, e.g. in the employed cryptographic keys or the layout of some of the data structures.

However, beyond such minor modifications we expect Microsoft to cling to the general architecture of their activation mechanism. Thus, we are convinced that the answers provided by this paper will still be useful when the final version of Windows XP ships.

This paper supplies in-depth technical information about the inner workings of WPA. Still, the discussion is a little vague at some points in order not to facilitate the task of an attacker attempting to circumvent the license enforcement supplied by the activation mechanism.

XPDec, a command line utility suitable for verifying the presented information, can be obtained from http://www.licenturion.com/xp/. It implements the algorithms presented in this paper. Reading its source code, which is available from the same location, is highly recommended.
We have removed an important cryptographic key from the XPDec source code. Recompiling the source code will thus fail to produce a working executable. The XPDec executable on our website, however, contains this key and is fully functional.

So, download the source code to learn about the inner workings of WPA, but obtain the executable to experiment with your installation of Windows XP.

We expect the reader to be familiar with the general procedure of Windows Product Activation.

>> INSIDE THE INSTALLATION ID

We focused our research on product activation via telephone. We did so, because we expected this variant of activation to be the most straight-forward to analyze.

The first step in activating Windows XP via telephone is supplying the call-center agent with the Installation ID displayed by msoobe.exe, the application that guides a user through the activation process. The Installation ID is a number consisting of 50 decimal digits that are divided into groups of six digits each, as in

    002666-077894-484890-114573-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX

In this authentic Installation ID we have substituted digits that we prefer not to disclose by 'X' characters.

If msoobe.exe is invoked more than once, it provides a different Installation ID each time.

In return, the call-center agent provides a Confirmation ID matching the given Installation ID. Entering the Confirmation ID completes the activation process.

Since the Installation ID is the only piece of information revealed during activation, the above question concerning the information transmitted during the activation process is equivalent to the question

    'How is the Installation ID generated?'

To find an answer to this question, we trace back each digit of the Installation ID to its origins.

>>> Check digits

The rightmost digit in each of the groups is a check digit to guard against simple errors such as the call center agent's mistyping of one of the digits read to him or her.
The value of the check digit is calculated by adding the other five digits in the group, adding the digits at even positions a second time, and dividing the sum by seven. The remainder of the division is the value of the check digit. In the above example the check digit for the first group (6) is calculated as follows.

     1 | 2 | 3 | 4 | 5   <- position
    ---+---+---+---+---
     0 | 0 | 2 | 6 | 6   <- digits

    0 + 0 + 2 + 6 + 6 = 14   (step 1: add all digits)
    0 + 6 + 14 = 20          (step 2: add even digits again)

    step 3: division
    20 / 7 = 2, remainder is 20 - (2 * 7) = 6

    => check digit is 6

Adding the even digits twice is probably intended to guard against the relatively frequent error of accidentally swapping two digits while typing, as in 00626 vs. 00266, which yield different check digits.

>>> Decoding

Removing the check digits results in a 41-digit decimal number. A decimal number of this length roughly corresponds to a 136-bit binary number. In fact, the 41-digit number is just the decimal encoding of such a 136-bit multi-precision integer, which is stored in little endian byte order as a byte array. Hence, the above Installation ID can also be represented as a sequence of 17 bytes as in

    0xXX 0xXX 0xXX 0xXX 0xXX 0xXX 0xXX 0xXX
    0x94 0xAA 0x46 0xD6 0x0F 0xBD 0x2C 0xC8
    0x00

In this representation of the above Installation ID 'X' characters again substitute the digits that we prefer not to disclose. The '0x' prefix denotes hex notation throughout this paper.

>>> Decryption

When decoding arbitrary Installation IDs it can be noticed that the most significant byte always seems to be 0x00 or 0x01, whereas the other bytes look random. The reason for this is that the lower 16 bytes of the Installation ID are encrypted, whereas the most significant byte is kept in plaintext.

The cryptographic algorithm employed to encrypt the Installation ID is a proprietary four-round Feistel cipher.
Since the block of input bytes passed to a Feistel cipher is divided into two blocks of equal size, this class of ciphers is typically applied to input blocks consisting of an even number of bytes - in this case the lower 16 of the 17 input bytes. The round function of the cipher is the SHA-1 message digest algorithm keyed with a four-byte sequence.

Let + denote the concatenation of two byte sequences, ^ the XOR operation, L and R the left and right eight-byte input half for one round, L' and R' the output halves of said round, and First-8() a function that returns the first eight bytes of an SHA-1 message digest. Then one round of decryption looks as follows.

    L' = R ^ First-8(SHA-1(L + Key))
    R' = L

The result of the decryption is 16 bytes of plaintext, which are - together with the 17th unencrypted byte - from now on interpreted as four double words in little endian byte order followed by a single byte as in

    name | size        | offset
    -----+-------------+-------
    H1   | double word |      0
    H2   | double word |      4
    P1   | double word |      8
    P2   | double word |     12
    P3   | byte        |     16

H1 and H2 specify the hardware configuration that the Installation ID is linked to. P1 and P2 as well as the remaining byte P3 contain the Product ID associated with the Installation ID.

>>> Product ID

The Product ID consists of five groups of decimal digits, as in

    AAAAA-BBB-CCCCCCC-DDEEE

If you search your registry for a value named 'ProductID', you will discover the ID that applies to your installation. The 'About' window of Internet Explorer should also yield your Product ID.

>>>> Decoding

The mapping between the Product ID in decimal representation and its binary encoding in the double words P1 and P2 and the byte P3 is summarized in the following table.
    digits  | length  | encoding
    --------+---------+---------------------------------------
    AAAAA   | 17 bits | bit  0 to bit 16 of P1
    BBB     | 10 bits | bit 17 to bit 26 of P1
    CCCCCCC | 28 bits | bit 27 to bit 31 of P1 (lower  5 bits)
            |         | bit  0 to bit 22 of P2 (upper 23 bits)
    DDEEE   | 17 bits | bit 23 to bit 31 of P2 (lower  9 bits)
            |         | bit  0 to bit  7 of P3 (upper  8 bits)

The meaning of each of the five groups of digits is documented in the next table.

    digits  | meaning
    --------+-------------------------------------------------
    AAAAA   | apparently always 55034 (in Windows XP RC1)
    BBB     | most significant three digits of Raw Product Key
            | (see below)
    CCCCCCC | least significant six digits of Raw Product Key
            | plus check digit (see below)
    DD      | index of the public key used to verify the
            | Product Key (see below)
    EEE     | random value

As can be seen, the (Raw) Product Key plays an important role in generating the Product ID.

>>>> Product Key

The Raw Product Key is buried inside the Product Key that is printed on the sticker distributed with each Windows XP CD. It consists of five alphanumeric strings separated by '-' characters, where each string is composed of five characters, as in

    FFFFF-GGGGG-HHHHH-JJJJJ-KKKKK

Each character is one of the following 24 letters and digits:

    B C D F G H J K M P Q R T V W X Y 2 3 4 6 7 8 9

Very similar to the decimal encoding of the Installation ID the 25 characters of the Product Key form a base-24 encoding of the binary representation of the Product Key. Decoding the Product Key yields a multi-precision integer of roughly 115 bits, which is stored - again in little endian byte order - in an array of 15 bytes. Decoding the above Product Key results in the following byte sequence.

    0x6F 0xFA 0x95 0x45 0xFC 0x75 0xB5 0x52
    0xBB 0xEF 0xB1 0x17 0xDA 0xCD 0x00

Of these 15 bytes the least significant four bytes contain the Raw Product Key in little endian byte order.
The least significant bit is removed by shifting this 32-bit value (0x4595FA6F - remember the little endian byte order) to the left by one bit position, resulting in a Raw Product Key of 0x22CAFD37, or

    583728439

in decimal notation.

The eleven remaining bytes form a digital signature, allowing verification of the authenticity of the Product Key by means of a hard-coded public key.

>>>> Product Key -> Product ID

The three most significant digits, i.e. 583, of the Raw Product Key's nine-digit decimal representation directly map to the BBB component of the Product ID described above.

To obtain the CCCCCCC component, a check digit is appended to the remaining six digits 728439. The check digit is chosen such that the sum of all digits - including the check digit - is divisible by seven. In the given case, the sum of the six digits is

    7 + 2 + 8 + 4 + 3 + 9 = 33

which results in a check digit of 2, since

    7 + 2 + 8 + 4 + 3 + 9 + 2 = 33 + 2 = 35

which is divisible by seven. The CCCCCCC component of the Product ID is therefore 7284392.

For verifying a Product Key, more than one public key is available. If verification with the first public key fails, the second is tried, etc. The DD component of the Product ID specifies which of the public keys in this sequence was successfully used to verify the Product Key.

This mechanism might be intended to support several different parties generating valid Product Keys with different individual private keys. However, the different private keys might also represent different versions of a product. A Product Key for the 'professional' release could then be signed with a different key than a Product Key for the 'server' release. The DD component would then represent the product version.

Finally, a valid Product ID derived from our example Product Key might be

    55034-583-7284392-00123

which indicates that the first public key (DD = index = 0) matched and 123 was chosen as the random number EEE.
The randomly selected EEE component is the reason for msoobe.exe presenting a different Installation ID at each invocation. Because of the applied encryption this small change results in a completely different Installation ID.

So, the Product ID transmitted during activation will most probably differ in the last three digits from your Product ID as displayed by Internet Explorer or as stored in the registry.

>>> Hardware Information

As discussed above, the hardware configuration linked to the Installation ID is represented by the two double words H1 and H2.

>>>> Bit-fields

For this purpose, the double words are divided into twelve bit-fields. The relationship between the computer hardware and the bit-fields is given in the following table.

    double word | offset | length | bit-field value based on
    ------------+--------+--------+----------------------------
    H1          |      0 |     10 | volume serial number string
                |        |        | of system volume
    H1          |     10 |     10 | network adapter MAC address
                |        |        | string
    H1          |     20 |      7 | CD-ROM drive hardware
                |        |        | identification string
    H1          |     27 |      5 | graphics adapter hardware
                |        |        | identification string
    H2          |      0 |      3 | unused, set to 001
    H2          |      3 |      6 | CPU serial number string
    H2          |      9 |      7 | harddrive hardware
                |        |        | identification string
    H2          |     16 |      5 | SCSI host adapter hardware
                |        |        | identification string
    H2          |     21 |      4 | IDE controller hardware
                |        |        | identification string
    H2          |     25 |      3 | processor model string
    H2          |     28 |      3 | RAM size
    H2          |     31 |      1 | 1 = dockable
                |        |        | 0 = not dockable

Bit 31 of H2 specifies, whether the bit-fields represent a notebook computer that supports a docking station. If docking is possible, the activation mechanism will be more tolerant with respect to future hardware modifications. Here, the idea is that plugging a notebook into its docking station possibly results in changes to its hardware configuration, e.g. a SCSI host adapter built into the docking station may become available.

Bits 2 through 0 of H2 are unused and always set to 001.
If the hardware component corresponding to one of the remaining ten bit-fields is present, the respective bit-field contains a non-zero value describing the component. A value of zero marks the hardware component as not present.

All hardware components are identified by a hardware identification string obtained from the registry. Hashing this string provides the value for the corresponding bit-field.

>>>> Hashing

The hash result is obtained by feeding the hardware identification string into the MD5 message digest algorithm and picking the number of bits required for a bit-field from predetermined locations in the resulting message digest. Different predetermined locations are used for different bit-fields. In addition, a hash result of zero is avoided by calculating

    Hash = (Hash % BitFieldMax) + 1

where BitFieldMax is the maximal value that may be stored in the bit-field in question, e.g. 1023 for a 10-bit bit-field, and 'x % y' denotes the remainder of the division of x by y. This results in values between 1 and BitFieldMax. The obtained value is then stored in the respective bit-field.

>>>> RAM bit-field

The bit-field related to the amount of RAM available to the operating system is calculated differently. The seven valid values specify the approximate amount of available RAM as documented in the following table.

    value | amount of RAM available
    ------+---------------------------
        0 | (bit-field unused)
        1 | below 32 MB
        2 | between 32 MB and 63 MB
        3 | between 64 MB and 127 MB
        4 | between 128 MB and 255 MB
        5 | between 256 MB and 511 MB
        6 | between 512 MB and 1023 MB
        7 | above 1023 MB

It is important to note that the amount of RAM is retrieved by calling the GlobalMemoryStatus() function, which reports a few hundred kilobytes less than the amount of RAM physically installed. So, 128 MB of RAM would typically be classified as "between 64 MB and 127 MB".

>>>> Real-world example

Let us have a look at a real-world example.
On one of our test systems the hardware information consists of the following eight bytes.

    0xC5 0x95 0x12 0xAC 0x01 0x6E 0x2C 0x32

Converting the bytes into H1 and H2, we obtain

    H1 = 0xAC1295C5 and H2 = 0x322C6E01

Splitting H1 and H2 yields the next table in which we give the value of each of the bit-fields and the information from which each value is derived.

    dw &   |       |
    offset | value | derived from
    -------+-------+-----------------------------------------------
    H1  0  | 0x1C5 | '1234-ABCD'
    H1 10  | 0x0A5 | '00C0DF089E44'
    H1 20  | 0x37  | 'SCSI\CDROMPLEXTOR_CD-ROM_PX-32TS__1.01'
    H1 27  | 0x15  | 'PCI\VEN_102B&DEV_0519&SUBSYS_00000000&REV_01'
    H2  0  | 0x1   | (unused, always 0x1)
    H2  3  | 0x00  | (CPU serial number not present)
    H2  9  | 0x37  | 'SCSI\DISKIBM_____DCAS-34330______S65A'
    H2 16  | 0x0C  | 'PCI\VEN_9004&DEV_7178&SUBSYS_00000000&REV_03'
    H2 21  | 0x1   | 'PCI\VEN_8086&DEV_7111&SUBSYS_00000000&REV_01'
    H2 25  | 0x1   | 'GenuineIntel Family 6 Model 3'
    H2 28  | 0x3   | (system has 128 MB of RAM)
    H2 31  | 0x0   | (system is not dockable)

>>> Using XPDec

XPDec is a utility to be run from the command prompt. It may be invoked with one of four command line options to carry out one of four tasks.

>>>> XPDec -i

This option enables you to access the information hidden in an Installation ID. It decodes the Installation ID, decrypts it, and displays the values of the hardware bit-fields as well as the Product ID of your product. Keep in mind that the last three digits of the Product ID contained in the Installation ID are randomly selected and differ from the Product ID displayed by Internet Explorer.

The only argument needed for the '-i' option is the Installation ID, as in

    XPDec -i 002666-077894-484890-114573-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX

>>>> XPDec -p

To help you trace the origin of your Product ID, this option decodes a Product Key and displays the Raw Product Key as it would be used in a Product ID.
The only argument needed for the '-p' option is the Product Key, as in

    XPDec -p FFFFF-GGGGG-HHHHH-JJJJJ-KKKKK

Note that this option does not verify the digital signature of the Product Key.

>>>> XPDec -v

This option calculates the hash of a given volume serial number. It was implemented to illustrate our description of string hashing. First use '-i' to display the hardware bit-fields. Then use this option to verify our claims concerning the volume serial number hash.

The only argument needed for the '-v' option is the volume serial number of your system volume, as in

    XPDec -v 1234-ABCD

(The volume serial number is part of the 'dir' command's output.)

>>>> XPDec -m

This option calculates the network adapter bit-field value corresponding to the given MAC address. Similar to '-v' this option was implemented as a proof of concept.

The only argument needed for the '-m' option is the MAC address of your network adapter, as in

    XPDec -m 00-C0-DF-08-9E-44

(Use the 'route print' command to obtain the MAC address of your network adapter.)

>> HARDWARE MODIFICATIONS

When looking at the effects of hardware modifications on an already activated installation of Windows XP, the file 'wpa.dbl' in the 'system32' directory plays a central role. It is a simple RC4-encrypted database that stores, among other things like expiration information and the Confirmation ID of an activated installation,

    a) the bit-field values representing the current hardware configuration, and

    b) the bit-field values representing the hardware configuration at the time of product activation.

While a) is automatically updated each time the hardware configuration is modified in order to reflect the changes, b) remains fixed. Hence, b) can be thought of as a snapshot of the hardware configuration at the time of product activation.

This snapshot does not exist in the database before product activation and if we compare the size of 'wpa.dbl' before and after activation, we will notice an increased file size.
This is because the snapshot is added to the database.

When judging whether re-activation is necessary, the bit-field values of a) are compared to the bit-field values of b), i.e. the current hardware configuration is compared to the hardware configuration at the time of activation.

>>> Non-dockable computer

Typically all bit-fields with the exception of the unused field and the 'dockable' field are compared. If more than three of these ten bit-fields have changed in a) since product activation, re-activation is required.

This means, for example, that in our above real-world example, we could replace the harddrive and the CD-ROM drive and substantially upgrade our RAM without having to re-activate our Windows XP installation.

However, if we completely re-installed Windows XP, the information in b) would be lost and we would have to re-activate our installation, even if we had not changed our hardware.

>>> Dockable computer

If bit 31 of H2 indicates that our computer supports a docking station, however, only seven of the ten bit-fields mentioned above are compared. The bit-fields corresponding to the SCSI host adapter, the IDE controller, and the graphics board are omitted. But again, of these remaining seven bit-fields, only up to three may change without requiring re-activation.

>> CONCLUSIONS

In this paper we have given a technical overview of Windows Product Activation as implemented in Windows XP. We have shown what information the data transmitted during product activation is derived from and how hardware upgrades affect an already activated installation.

Looking at the technical details of WPA, we do not think that it is as problematic as many people have expected. We think so, because WPA is tolerant with respect to hardware modifications. In addition, it is likely that more than one hardware component map to a certain value for a given bit-field. From the above real-world example we know that the PX-32TS maps to the value 0x37 = 55.
But there are probably many other CD-ROM drives that map to the same value. Hence, it is impossible to tell from the bit-field value whether it is a PX-32TS that we are using or one of the other drives that map to the same value.

In contrast to many critics of Windows Product Activation, we think that WPA does not prevent typical hardware modifications and, moreover, respects the user's right to privacy.
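The check-digit rule, the H1/H2 bit-field layout and the "more than three changed fields" comparison described in the post above, as an added Python example (not part of the post and not XPDec's code). The field names, the constructed "current" configurations, flooring RAM to whole megabytes and reading the dockable flag from the activation snapshot are assumptions of this example.

```python
# Added example (not XPDec code): check digits, hardware bit-fields, re-activation rule.

# (name, double word, bit offset, bit length) from the post's bit-field table.
# Field names are labels chosen for this example.
FIELDS = [
    ("volume_serial",  "H1",  0, 10),
    ("mac_address",    "H1", 10, 10),
    ("cdrom",          "H1", 20,  7),
    ("graphics",       "H1", 27,  5),
    ("cpu_serial",     "H2",  3,  6),
    ("harddrive",      "H2",  9,  7),
    ("scsi_adapter",   "H2", 16,  5),
    ("ide_controller", "H2", 21,  4),
    ("cpu_model",      "H2", 25,  3),
    ("ram_size",       "H2", 28,  3),
]
# Fields skipped when the machine is dockable (SCSI host adapter, IDE controller, graphics).
DOCK_IGNORED = {"scsi_adapter", "ide_controller", "graphics"}


def check_digit(five_digits):
    """Sum all five digits, add positions 2 and 4 again, take the remainder mod 7."""
    d = [int(c) for c in five_digits]
    return (sum(d) + d[1] + d[3]) % 7


def bad_groups(installation_id):
    """Return 1-based indexes of six-digit groups whose check digit is wrong.

    Redacted groups ('XXXXXX') and the short final group are skipped: the post
    gives the rule for five-digit payloads only.
    """
    bad = []
    for i, group in enumerate(installation_id.split("-"), 1):
        if len(group) == 6 and group.isdigit():
            if check_digit(group[:5]) != int(group[5]):
                bad.append(i)
    return bad


def ram_field(reported_bytes):
    """Map the RAM amount reported to the OS onto the 3-bit RAM field (1..7).

    Assumption: the amount is floored to whole megabytes before classification.
    """
    mb = reported_bytes // (1024 * 1024)
    return 1 + sum(mb >= limit for limit in (32, 64, 128, 256, 512, 1024))


def parse_hardware(raw):
    """Split the eight hardware bytes into H1/H2 (little endian) and bit-fields."""
    if len(raw) != 8:
        raise ValueError("expected 8 bytes (H1 and H2)")
    words = {"H1": int.from_bytes(raw[:4], "little"),
             "H2": int.from_bytes(raw[4:], "little")}
    fields = {name: (words[dw] >> off) & ((1 << length) - 1)
              for name, dw, off, length in FIELDS}
    fields["unused"] = words["H2"] & 0x7          # always 001 per the post
    fields["dockable"] = words["H2"] >> 31
    return fields


def changed_fields(snapshot, current):
    """Names of compared bit-fields that differ between activation and now.

    Assumption: the dockable flag is read from the activation snapshot.
    """
    skip = DOCK_IGNORED if snapshot["dockable"] else set()
    return [name for name, *_ in FIELDS
            if name not in skip and snapshot[name] != current[name]]


def needs_reactivation(snapshot, current):
    """More than three changed bit-fields triggers re-activation."""
    return len(changed_fields(snapshot, current)) > 3


# The eight hardware bytes from the post's real-world example. Decoded from the
# bytes as printed, 'cdrom' comes out as 0x41 where the post's table lists 0x37;
# all other fields match the table.
SNAPSHOT = parse_hardware(bytes([0xC5, 0x95, 0x12, 0xAC, 0x01, 0x6E, 0x2C, 0x32]))

# Constructed "current" configurations (the new field values are made up).
THREE_CHANGES = dict(SNAPSHOT, harddrive=0x12, cdrom=0x05, ram_size=5)
FOUR_CHANGES = dict(THREE_CHANGES, mac_address=0x2B1)
DOCKED_SNAPSHOT = dict(SNAPSHOT, dockable=1)
DOCKED_CURRENT = dict(DOCKED_SNAPSHOT, graphics=0x03, scsi_adapter=0x00,
                      ide_controller=0x07, harddrive=0x12, cdrom=0x05, ram_size=5)

if __name__ == "__main__":
    print(bad_groups("002666-077894-484890-114573-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX"))
    for name, value in SNAPSHOT.items():
        print(f"{name:15s} 0x{value:X}")
    print(changed_fields(SNAPSHOT, FOUR_CHANGES),
          needs_reactivation(SNAPSHOT, FOUR_CHANGES))
```
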
TwoFer |
[q]I like to think of WPA like automobile registration.[/q] Gerbil #49, why do you want to make an analogy between the rights and privileges of a government and those of Microsoft, a private corporation?
There's no way in hell that I'm going to grant M$ the sort of control which I (begrudgingly) allow the government! While M$ and the government are both monopolies, there are huge differences between them -- and M$ is still subject to the control of the government, just as I am... although it sometimes seems like Bill and Steve really don't understand that.

As far as Microsoft's EULA goes: first, it hasn't been completely tested in court, and it's not clear that it truly holds; and second, M$ is abusing their monopoly (even the appeals court strongly agreed they're a monopoly, and abusing that status) by unilaterally changing the terms of the agreement after the users are dependent upon them. They're a monopoly, and the rules are (quite reasonably) different for them.
TwoFer |
[q]When it comes down to it, you do have a choice, period.[/q]
I'm a businessman -- I provide consulting services to the aerospace industry. All my clients use Microsoft products, and to effectively do business with them I must use the same Microsoft products. This is basically what a monopoly is all about, and the only way I can do business is to accept it -- my "choice" is to find different employment, which isn't a real choice at all... and my choice of a legal vocation is certainly [b]not[/b] something which I should rationally leave to [i]any[/i] corporation or third party! And that's one of the reasons why monopolies aren't allowed to do things that non-monopolistic businesses are free to do.

As many have pointed out, the privacy issues are different from the control issues. While potential violation of my privacy bothers me, my major concern at the moment is control -- and as a businessman, I simply cannot allow this third-party control of my business! [i]Everything[/i] I do is based around the computer -- there's no way I could stay in business without it. And giving Microsoft the power to switch my business operations on and off [i]at their whim[/i] is idiotic! For one, I don't have the faith that they will be in a position to reactivate me at some critical point (See TargetBoy's #59 for great reasons).
elmopuddy |
PSI:
I wish you would spot who you quoted.. You quoted me a few times... The points you quoted...well, I was trying to de-validate some of the comments some of those pesky gerbils were making...

I have RC1 up and running, and I love it... I find it exciting, and it is way more stable than 2000... What sold it for me, in a way, was that I got Duke Nukem 3D, a pure DOS game to run..it never ran under 2000..

Anyways... I am tired of the debate... I won't be flamed for liking XP..

EP
Anonymous Gerbil |
Originally Posted by PSI-OMEGA
Yes I am sure everyone won't want to get a very stable operating system, with good support for programs, better technical support features, beats OS X in almost every category, etc. etc. Just so they don’t have to use that cursed drop bar and insert their state or area code. Remember, only a minuscule amount of the population will actually have problems with this. And even the tech savvy shouldn’t have to register it more than once (if ever). If you people can disassemble computers and put them back together in your sleep (AKA the people who are having problems with this) then you sure as hell should be able to go onto DALNET, a newsgroup, or a Warez site and get the auto activation patch. Hell, I am using it now on my laptop with RC1 and the patch only requires a few minutes and a restart or two to get it working. The vast majority of people already send in their registration cards and don’t upgrade their computers very often, so there is no problem with them.

“Joe Sixpack now has to buy the extra licenses that Microsoft originally allowed him to have for free”

They have never allowed you to do that in their licensing agreement. Now they are just enforcing the agreement. Ironic, this (product activation) is something that was originally created for businesses and now it has made its way to the consumer. Now you have the tech savvy working up the common person with something that will only affect a small percentage of them.

“AllAdvantage, paid-to-surf schemes, anyone??”

Remember, these are the same people who send in registration cards anyway. So what is the big deal?

“I guess you could get upset that they *may* know what type of hardware you have, but you do not have to submit any personal info to activate... well only your country...”

The mesh does not show any specific hardware at all. Look at the article.
In reality this can’t be used to identify your computer as the odds are your hardware mesh would be identical to at least two other individuals (once the upgrading starts). The only way is through your product ID which they probably have anyways.

“As for not being able to roll-back to 2000, I have yet to see any software that doesn't run on 9x or 2000 that I would use.. All the new games, office apps all run on older platforms... so i don't think that's a valid point...”

I have seen people playing DOOM in DOS and some poorly written 9X games being played on it. This thing is more compatible than 95.

“Compaq”

*shudders* NEVER SAY THAT NAME IN MY PRESENCE!

“Everything is not a conspiracy...”

Um, from what I can tell these are the same people who watch X-Files.

“MS stopped supporting the original Win95 in 1999, do you think they will still activate XP in 2005?”

But is technical support the same as activation? Time will only tell. Remember a new Windows is good for the tech industry.

“It sounds like everyone thinks that the only way around the activation process is going to be to obtain the corporate, non-activation version and use it instead. If someone can reverse engineer it enough to find out what it does, then we're very close to having it deactivated by someone taking that information and making a patch or program that defeats it.”

I am running the crack now. It works fine…

“Microsoft is the one that is pushing this further by forcing it to be done.”

With the support of the hardware industry and the programmers.

“They might know I have pair of Voodoo II cards? The horror.”

I feel for you and your Voodoo IIs.

“The only problem I have with this is that it's a waste of my time to have to call the company”

So use the crack! Personally I don’t see this as a huge Trojan horse, I just see it as an annoyance to some of the elite and another ill fated attempt to curb piracy by the corporate world.
“In the absence of Microsoft's monopoly, that would be a great option. Unfortunately for me (and other consumers), they DO have a monopoly, so I'm more or less stuck with them.”

Again, apparently people don’t know what cracks are. If you don’t want to register then don’t… use a crack.

“Bill Gates is not evil, he is just a very successful business man driven by his own self-interest. When that self-interest coincides with my self-interest, all is good. But that is not because Bill Gates gives a shit about my self-interest, it is merely because of a momentary alignment. These days, I find that Gates's self-interest rarely aligns with my self-interest.”

Wow, someone actually posts a good reason why they don’t like Gates.

“This is going to end up being a huge mistake for Microsoft. No one in the know supports this "activation" scheme, and the backlash is going to only get larger as time goes by.”

True. However that does not appear to be happening any time soon. Currently it is not up to that state, and the question is when the mob is going to decide to go into revolt against us. Remember, currently it is only being spouted off by the elite of the tech savvy and there is no actual proof that it will happen this way. Another question will be if the hardware manufacturers will keep supporting this (as it helps their bottom line every few years).

“Ok, for one, Bill Gates isn't running the show anymore, really. It's Ballmer.”

*LOL* that is a bunch of BS. Gates left the company and became an advisor so if the court did split up the company he could “work” at both.

“when the last time you saw a playstation crash?”

Too many times to count.

"When they took away the Fourth Amendment, I said nothing. I didn’t deal in drugs. When they took away the Sixth Amendment, I said nothing. I was innocent. When they took away the Second Amendment, I said nothing. I didn’t own a gun.
Now they’ve taken away the First Amendment, and I can say nothing."

Oh, so AOL-Time Warner has taken over already? Besides, do you have any idea what kind of manipulation that would take? *LOL* that would be damn near impossible in the system we have now. Besides, I think that most of those should be removed anyways.

“I'd like to see things get easier for the end user as well, but not at the expense of freedom to do what you want with your PC.”

And hardware manufacturers and programmers (the real people who dictate who is in charge) like having only one real OS to support and XP is one of the greatest things ever in their eyes.

“you start buying new appliances in your home and suddenly your electricity is turned off and you have to reactivate.”

That is what happens when you don’t pay your power bill or you blow a fuse.

“Because this will only stop casual copying and distribution, any real Pirate person is going to have it cracked and then burned. This is not hard to do, as people have already proven. So this makes us paying customers go out and buy several versions of XP for our home use.”

Agree

“If MS made the OS reasonably priced they would not have people Pirating their OS”

If you look at the economics it is actually very cheap. Think of all the lines of code that go into something this big… take into account that an upgrade is only about $100 and most people get it pre-installed on their computer. Then take into account M$ has only really increased their prices with that of inflation and slightly upped it a few bucks because of the extra features (in XP).

“which makes my point. it's all about control. forced registration/activation gives microsoft all the control. they could start using a 900 number for activation to "cover the costs" associated with handling reactivation.”

Unfortunately in any case that would make M$ lose a nice chunk of market share as the development community switches over to avoid the hassle.
“dissonance, is that like how people have been able to connect to MSN Messenger "in seconds" for the past week or so? And what happens if MS loses your information, like they did our Solution Provider data or so many recent MSN accounts? Or what happens when hackers create keygen programs and it looks like you're just one of the thieves? What happens if someone else figures out how to take out their DSN infrastructure?” This is a potential problem with every single internet/software company out there. Your point is? “Just like the OEMs aren't forced into anything, but if they preload another OS on the machine with an MS OS already on there, they're breaking the license agreement. That's why there's nothing better. MS has a damn anti-competitive legal stranglehold on the market. People will use what their computer comes with.” Ironic since there are more copies of WinAmp running than WMP. I mean WinAmp does know how many people are using it since if it is connected to the net they will get notification of its activation through its mini-browser, registration, or upgrade checks. “What Microsoft is doing is locking the software to a single, particular computer to the exclusion of all other computers you may own in your own home. In essence, M$ is not granting a license to an individual, but rather is granting a license to a particular machine! If I have ten computers in my own home, how is it that I cannot choose at will which one(s) to run it on?” Read your software agreement. This is what they have always been doing… just now they are doing it actively. “In other words, it's a pain in the ass for honest people who may want to do nothing more "criminal" than to install it on two or three machines they personally own in their own homes.” You idiot, those are not common people. The majority can't even run install… I wish I was kidding. It is to prevent someone just giving their copy of XP to a friend and installing it on their computer.
If you are going to bitch then at least do it correctly. “The main problem generic users are having relates to a poorly worded clause in MS's old default EULA. Way back, MS's licenses said something to the effect of 'the software can only be in use on one computer at any point in time'. Users found a neat loophole, and put one copy of Windows on both their laptop and their desktop. 99% of the time, they'd only be using one or the other, but not both. Other users saw this and assumed it was the default way things were done. No one ever stopped the users and told them exactly why this was piracy. Quite a few users saw Windows on both laptop and desktop and further assumed that the license was per-user, so they then went and put one copy of Win2k on every PC in their home. This degenerate cycle led to most users assuming that one copy of Windows can go on every PC they own, much like Linux can. Now MS is stomping on exactly this behavior, and it's leading to a lot of shocked realizations...” This is true… save even when they changed the wording it did not stop (like it would have). “'What do you mean I have to spend 10 x 300$ to put WinXP on all ten of my family's PCs!?!?!'” that is also wrong. You see you could just get the upgrade version. “I am curious as to how people would feel about XP, if it didn't have the activation... as an OS..” Probably the best OS ever from the (p)reviews I have read. Better GUI than OS X (and much more stable), the best Legacy support in a windows OS ever, better hardware support, more stable than 2K (at least until everyone finds OS tricks and screws the damn thing up), rather low system requirements (if you take into account the complexity of the system and new GUI), better memory management, etc. “The funny thing is, that us casual users who might install on two PC's are not going to go out and buy two copies.” Casual users are just going to get new computers anyways? Your point is?
“They will go out and find a crack” They don’t know what a crack is anyways. “The people that go to a store and buy a copy of WinXP, are going to go home and install it and then activate. Then install it on another PC and realize they should have bought two copies. Oh shit they say and go to the internet to find a crack.” There you go. That one is actually right. “If they know how to install XP and activate they will surely know how to find a crack.” Now that is the most moronic comment in your post. You mean that going to a warez site, using its search, finding it, downloading it, and following directions that require a reboot into Safe Mode with an execution of two files and replacement of Winlogon.exe is as simple as… clicking next, typing in country, typing in area code, and then hitting next? “Bill is invading your home, everyone. I hope you enjoy the future.” This is the normal pointless anti-gates thing I am used to. |
Anonymous Gerbil |
Bill is invading your home, everyone. I hope you enjoy the future.
Anonymous Gerbil |
Originally Posted by mctwin2kman
The problem is that if MS wants to combat the home users piracy, then they should make the licenses cheaper. Buy a copy of XP upgrade or full, and then pay maybe $30-$40 a license thereafter. I have licenses for 2K, ME, 98SE, 98, 95 OSR2, 95, and 3.11, NT4.0 Workstation. I mean how many do I need to run Windows, I have two PC's at home. Yet I have 8 licenses, plus I will need to buy 2 more, for XP. Screw you MS. Then when I upgrade my PC, I will have to re-activate. I upgrade every 6 months to a year. That means twice a year I have to call MS. When the next great MB and Proc, and vid card come out I have to call and beg for forgiveness and a new number. I am just glad I work for one of those lucky Corps. that gets the activated version, Enterprise client, so I will go out and buy a licensed copy and leave the box sealed. Use the corp copy and be hassle free. Thanks MS for being a pain in the ass.... |
Anonymous Gerbil |
"The main problem generic users are having relates to a poorly worded clause in MS's old default EULA. Way back, MS's licenses said something to the effect of 'the software can only be in use on one computer at any point in time'. Users found a neat loophole, and put one copy of Windows on both their laptop and their desktop. 99% of the time, they'd only be using one or the other, but not both."
There's another angle here, though, as well. Over the years I've probably purchased as many as a dozen legitimate licenses to use Windows, in one version or another, either preinstalled on machines I've purchased or in retail software packages/upgrades. The number of machines I personally own is a fraction of that number, and since legally the licenses are to me and not to the machines, I still legally own those dozen or so legitimate Windows licenses. Some might argue that each license of Windows pertains to a specific version of Windows, but that view, it seems to me, opens a Pandora's box of questions. Factually, everytime I go to the Microsoft Windows Update site and download Windows upgrades, I am upgrading to a newer version of Windows, despite how seemingly small (or large) the degree of change might be. So am I granted a new "license" to run a "newer" version of Windows everytime I upgrade via the M$ Internet upgrade site? Apparently, this must be the case, since M$ provides upgrades to the newer versions gratis, over the Inet. So what happens, then, when I purchase M$'s "Upgrade" version of XP to install right over the top of Windows ME, for instance (or '98, etc.)? According to Microsoft, I have purchased an "Upgrade" to an older version of Windows, and indeed in this case XP is designed to install right on top of the older Windows version. I cannot see how, legally, that I lose my license to the older version by installing an "upgrade" version of Windows. So the question, of course, is whether or not the dozen or so Windows licenses I have legitimately purchased should provide me the right to run three copies of Windows XP on my three home machines, even though I have only purchased one upgrade copy of Windows XP. 
Really, this is the heart of the issue--is it really "piracy" M$ is trying to combat, or is what M$ is doing really nothing more than attempting to protect a continuing revenue stream for itself by charging the same customers over and over again for a continuing, never-ending stream of Windows upgrades? Again, I think the proof is found in Microsoft's own XP FAQ, in which the company makes it crystal clear that the activation scheme has NOTHING to do with combatting organized commercial piracy. 'What do you mean I have to spend 10 x 300$ to put WinXP on all ten of my family's PCs!?!?!' Chuckle......That is certainly what M$ would like to accomplish, regardless of how many previous Windows licenses a person has purchased in one form or another. The fact is that with this form of "activation" M$ is no longer licensing the software to human beings--but rather to one particular machine. Where it gets really, really interesting is in the fact that the XP activation process does not afflict corporate users who purchase site licenses! They are wholly excused. So much for the anti-piracy argument, right? In this case the only people squeezed are individuals who don't need/want to purchase 5 or more simultaneous licenses for XP, regardless of the number of Windows licenses they have purchased in the past. |
Anonymous Gerbil |
Originally Posted by mctwin2kman
The funny thing is, that us casual users who might install on two PC's are not going to go out and buy two copies. They will go out and find a crack. The people that go to a store and buy a copy of WinXP, are going to go home and install it and then activate. Then install it on another PC and realize they should have bought two copies. Oh shit they say and go to the internet to find a crack. If they know how to install XP and activate they will surely know how to find a crack. Maybe if the OS was not so expensive to buy a full version, people would not do this. If it was $50 an upgrade and maybe $150 for the full version, I would buy two upgrades. I mean how much money does MS need to make. Honestly I have only bought upgrades my whole life. I bought one PC with a fully licensed version of windows on it. It was actually Win 3.1, and that was the last full version I had. I have neither the computer nor the OS, but I will never pay $300 for an OS. Neither will a lot of Joe Sixpacks. |
elmopuddy |
The only thing that can stop MS from going forward.... if any.. is a barrage of calls to reactivate.. I forget which gerbil mentioned this... I'll take one of my test boxes, install XP, then start swapping hardware all over the place.. and call them to reactivate.. tell them I don't have a connection to the internet at the moment...
I am curious as to how people would feel about XP, if it didn't have the activation... as an OS.. I find it to be way more stable than 2000, and I only had to install 2 drivers, latest NVidia, and SB Live.. and it sees my HDD as UDMA 5... EP |
Damage |
Perhaps, Forge, but it is a significant choice on Microsoft's part to change de facto the way they handle licensing, regardless of the de jure situation for a long while now. They want to extract more revenue from consumers, whose casual "piracy" will be the only piracy this scheme really slows.
One reason the MS monopoly hasn't chafed consumers to date is MS's leniency on these points. It was a small price for MS to pay, IMO. The XP activation scheme makes sense for network corporate desktops and servers, but it's no good for casual users or PC hobbyists. |
Forge |
The main problem generic users are having relates to a poorly worded clause in MS's old default EULA. Way back, MS's licenses said something to the effect of 'the software can only be in use on one computer at any point in time'. Users found a neat loophole, and put one copy of Windows on both their laptop and their desktop. 99% of the time, they'd only be using one or the other, but not both. Other users saw this and assumed it was the default way things were done. No one ever stopped the users and told them exactly why this was piracy. Quite a few users saw Windows on both laptop and desktop and further assumed that the license was per-user, so they then went and put one copy of Win2k on every PC in their home. This degenerate cycle led to most users assuming that one copy of Windows can go on every PC they own, much like Linux can. Now MS is stomping on exactly this behavior, and it's leading to a lot of shocked realizations...
'What do you mean I have to spend 10 x 300$ to put WinXP on all ten of my family's PCs!?!?!' That sum it up nicely for all involved? |
Anonymous Gerbil |
hmmm good point #59 maybe everyone should buy pirated copies... hehe what a backfire that would be. lol i really don't advocate it... but ms is really being dumb. why would they want to anger the honest people who actually pay for software. maybe i will pick up a pirated copy when i am in indonesia.
Anonymous Gerbil |
"I just have a problem with people crying foul when Microsoft tries to curb a problem they are facing - casual piracy and copying. The idea that when you buy the software, you own it, is erroneous. Someone mentioned DVD's vs DIVX. This comparison is flawed. When you buy a DVD, you are purchasing a license to view the movie in your private home. You cannot use it in a commercial setting or rent it out for others to use. "
I've never understood this analogy. When you rent or buy a video or DVD, are you restricted to running it on a single playback device in your home? Isn't it A-OK to play it back on any VCR or DVD player you happen to own? What Microsoft is doing is locking the software to a single, particular computer to the exclusion of all other computers you may own in your own home. In essence, M$ is not granting a license to an individual, but rather is granting a license to a particular machine! If I have ten computers in my own home, how is it that I cannot choose at will which one(s) to run it on? But M$ knows what a hindrance this is to legitimate PC owners. It's kind of funny in a weird way how the XP FAQ on M$'s site plainly states that this copy protection is NOT intended to address organized criminal bootleggers who copy the software for commercial resale, but rather, it's meant for "honest people." In other words, it's a pain in the ass for honest people who may want to do nothing more "criminal" than to install it on two or three machines they personally own in their own homes. So, does M$ attempt to defray the cost of commercial pirating through added expense to smallfry home users? Are they using this as a tactic to avoid chasing the real problem of commercial counterfeiting? Sure looks exactly that way to me... |
linux gerbil |
Yeah, I know I said this on another talkback, but..... Haaaaa haa haa haa haa haa haa haa haa haaaaaaa!!!!!!!!!! Linux rules!
Anonymous Gerbil |
may Lucifer help Bill get his servers/support people in order before xp hits. If something goes wrong with them, there are gonna be a HEAP of pissed people needing to get shit 'activated' with the dicks.
Anonymous Gerbil |
When it comes down to it, you do have a choice, period.
----------------- Right, a choice between working and non-working hardware, all because of Microsoft's dirty tricks to eliminate the competition with their OEM licensing agreements. Choice my arse. |
Anonymous Gerbil |
You aren't forced into using the product, you choose to use the product because it's better that than the alternative.
---------------------------- Just like the OEMs aren't forced into anything, but if they preload another OS on the machine with an MS OS already on there, they're breaking the license agreement. That's why there's nothing better. MS has a damn anti-competitive legal stranglehold on the market. People will use what their computer comes with. |
Anonymous Gerbil |
Originally Posted by mctwin2kman
Yeah I would say the recent fiasco with MSN is not looking good if they want to implement a subscription based service. What happens when I need to re-subscribe and their servers crash. Plus for that .NET stuff. What happens when all my data is lost when the server gets FUBAR big-time. |
TargetBoy |
dissonance, is that like how people have been able to connect to MSN Messenger "in seconds" for the past week or so?
And what happens if MS loses your information, like they did our Solution Provider data or so many recent MSN accounts? Or what happens when hackers create keygen programs and it looks like you're just one of the thieves? What happens if someone else figures out how to take out their DSN infrastructure? Not only don't I trust Microsoft to have any control over my PC, I don't believe they can pull it off without majorly screwing people. |
Anonymous Gerbil |
AG#49 here. Demon -Xanth, you are absolutely correct. The problem of life expectancy for Microsoft products is a real one. This is the one area that can cause real problems if it is not taken care of. Of course, Microsoft would like us to upgrade before that occurs, but I don't know what will happen. I doubt, though, that they will say that the OS will stop working and there will be no way to activate. They may not give technical support, but they may keep the activation servers and phone lines.
We still buy computers with DOS at work as well for production machinery. |
Anonymous Gerbil |
#46 "And despite all this talk about phoning Microsoft, are you all ignoring the fact that you can register over the Internet in *gasp* seconds? "
i think you are wrong here. you can ACTIVATE over the net... but i am not so sure about re-activation. with my version of office 2000 I HAD to call. |
Demon-Xanth |
#49: I have dealt with problems regarding the high end software vendors. And I have found them on average to be more helpful in the long run as far as supporting their software. MS has a life expectancy of 4 years. At my work regulations mandate we must support a product 5 years. If we choose to use WinXP in a calibration system, then in 4 years the calibration system has a problem and cannot be brought back because MS won't give authorization (they won't, I guarantee it, I've dealt with the ARC standard that they created) then we're up shit creek on a log.
Unless MS gives a guaranteed authorization time of at least 8 years I cannot recommend using it. We still use DOS 3.3 systems because the drivers do not work in a later version of DOS, and the 286 computers do their job perfectly on the 512kB RAM. |
Anonymous Gerbil |
So many people think that forced activation or registration is a new idea. It's not. High end CAD systems (AutoCAD is not high-end) have employed similar methods for quite a while, and many even use a hardware lock or dongle that must be physically attached to the computer for the computer to work. You buy one license and you get one dongle. You MUST buy another license for another computer. There is no sharing without cracking or hacking, and with these methods you are breaking the law. Microsoft's products are no different. They just have not employed such methods of enforcing proper licensing. Make no mistake about me. I have not actually bought a microsoft product. I reserve my right to choose to break the law and copy and crack.
I just have a problem with people crying foul when Microsoft tries to curb a problem they are facing - casual piracy and copying. The idea that when you buy the software, you own it, is erroneous. Someone mentioned DVD's vs DIVX. This comparison is flawed. When you buy a DVD, you are purchasing a license to view the movie in your private home. You cannot use it in a commercial setting or rent it out for others to use. I like to think of WPA like automobile registration. When you purchase a car, you do not have the right to drive it legally without paying tax, title, and licensing fees. Yes, you may own the car, like you may own the disc that windows is pressed on, but the State that you live in owns the right to grant you license to drive it, as does Microsoft with its software. What's more, you must register that vehicle every year, paying more fees, all the while giving much more information than a simple Windows activation. You can also exercise your right to choose to break the law here as well, by not renewing registration. Yes, there are also differences. Registration is not required after modding the car, and it will not shut down if you have driven too many cars. What I'm trying to get at is that we don't "own" any software unless we wrote it ourselves, and that Microsoft has the right to try to enforce its licensing. We have already been living with forced registration for quite a while. Also, I agree with Dissonance. There is *always* a choice. And to be honest, looking at the majority of computer users, 99% of things that computers are actually used for can be done on a Mac, even though I hate them. |
Anonymous Gerbil |
AG #27 here (I actually registered, but the email is at home, I don't know my password, it was right before the server problems, wah, wah, wah. I go by freshmeat, not a linux thing but an old Quake/Q2/CS name . . .)
Dissonance, you utterly discount the effects of microsoft's monopoly. Yes, you have a choice. There ALWAYS is a choice. The question will be, is it a meaningful choice? The essence of a monopoly is that the answer to that question is "NO". For 99% of the computer using population, there is no meaningful alternative to microsoft. The programs they want to use all run on microsoft's OS. Their workplace computers, with which they want to be compatible, all use MS, their friends and neighbors, with whom they wish to exchange files, all use MS. Now, perhaps, in the hands of a skilled expert, one can use linux to accomplish much of that, but as damage's linux article showed (it was damage, wasn't it?), it would have to be a pretty skilled expert. As an analogy, the break-up of AT&T was considered a triumph of antitrust (ignoring the complex procedural posture, that is essentially true). Now MCI could have built its own infrastructure -- it had a choice. People could have paid far more to MCI for less functionality than AT&T -- they had a choice. But that choice was not a meaningful one, as it was a choice few people would make given AT&T's monopoly. EP, you mean you haven't read about MS going to a subscription-based revenue model in asia and europe? You haven't read that Ballmer wanted to use the same model in the US, but their large corporate customers vociferously objected? Sorry, you may want to wait until the moment of truth, and hope that it's not too late, but when I see A, B, and C, I get ready to see D. - fresh |
Anonymous Gerbil |
Uh, Elmo, MS has already publicly stated they want to move all of their software to a subscription model. No need to question Bill for that info. They don't want people to be able to pay only once for software. They want to keep milking users over and over again. This guarantees a steady stream of revenue, no matter what the market does. Great for MS and its shareholders, expensive for consumers.
This is not really about piracy. Piracy is what MADE Microsoft products the standard they are today. You think MS Word is that much better than WordPerfect? Give me a major break. MS owes much of its stranglehold on the PC to the fact that easy to obtain copies of their software have been distributed to the masses. And besides, this isn't going to stop piracy at all. This activation is about gently putting it in the consumer's head that software is not owned at all, but should be thought of as an apartment lease. Kind of like what DIVX tried to do before open DVD stomped them into a greasy spot on the floor. Sure, buyers don't really own the software, but we are used to paying once, and getting a lifetime ability to use the program unhindered. You really think that MS will stop at this point, with this annoying activation scheme? You don't know MS very well if you think this isn't part of a larger plan to change the way software is sold. I don't think MS can pull it off, frankly. Maybe at the corporate level, but not at the consumer level. People only like to buy something once. The Swamp |
Anonymous Gerbil |
Originally Posted by dissonance
[q]Because this will only stop casual copying and distribution, any real Pirate person is going to have it cracked and then burned. [/q] Er, that's their whole point. To stop casual piracy. They know they can't even hope to come close to what it takes to stop the 'real' hardcore piracy, but this is where they can take a stab at the piracy market. Joe lending his CD to a friend, or whatever, that's what XP activation aims to stop. And despite all this talk about phoning Microsoft, are you all ignoring the fact that you can register over the Internet in *gasp* seconds? Also, there is choice, choice in the software you run. Anything that even remotely approaches an 'essential' service is supported by standards, standards which are used by Linux, Apple, and the like to provide competitive products to M$. Sure it might not be as good, but choice does exist. |
hexenhaus |
What good could this possibly be for the users? The consumers? There is none. This benefits no one but MS and is an inconvenience for the user. That is why this is wrong. It violates the way we think and consume.
Also, there is no freedom if you are being told to choose. For me, there is no choice. I have to use windows. The progs I use are not on mac, linux, beOS, amiga, or anything else. If w2k is not supported what choice do I have? I guess I'll have to use a pirated copy which I could have done a month ago. Hey! Isn't that what they are trying to prevent? |
Anonymous Gerbil |
#43 .... which makes my point. it's all about control. forced registration/activation gives microsoft all the control. they could start using a 900 number for activation to "cover the costs" associated with handling reactivation. dumbasses.
>> INTRODUCTION
The current public discussion of Windows Product Activation (WPA) is
characterized by uncertainty and speculation. In this paper we supply
the technical details of WPA - as implemented in Windows XP - that
Microsoft should have published long ago.
While we strongly believe that every software vendor has the right to
enforce the licensing terms governing the use of a piece of licensed
software by technical means, we also do believe that each individual
has the right to detailed knowledge about the full implications of the
employed means and possible limitations imposed by it on software
usage.
In this paper we answer what we think are currently the two most
important open questions related to Windows Product Activation.
* Exactly what information is transmitted during activation?
* How do hardware modifications affect an already activated
installation of Windows XP?
Our answers to these questions are based on Windows XP Release
Candidate 1 (build 2505). Later builds as well as the final version of
Windows XP might differ from build 2505, e.g. in the employed
cryptographic keys or the layout of some of the data
structures.
However, beyond such minor modifications we expect Microsoft to cling
to the general architecture of their activation mechanism. Thus, we
are convinced that the answers provided by this paper will still be
useful when the final version of Windows XP ships.
This paper supplies in-depth technical information about the inner
workings of WPA. Still, the discussion is a little vague at some
points in order not to facilitate the task of an attacker attempting
to circumvent the license enforcement supplied by the activation
mechanism.
XPDec, a command line utility suitable for verifying the presented
information, can be obtained from http://www.licenturion.com/xp/. It
implements the algorithms presented in this paper. Reading its source
code, which is available from the same location, is highly
recommended.
We have removed an important cryptographic key from the XPDec source
code. Recompiling the source code will thus fail to produce a working
executable. The XPDec executable on our website, however, contains
this key and is fully functional.
So, download the source code to learn about the inner workings of WPA,
but obtain the executable to experiment with your installation of
Windows XP.
We expect the reader to be familiar with the general procedure of
Windows Product Activation.
>> INSIDE THE INSTALLATION ID
We focused our research on product activation via telephone. We did
so, because we expected this variant of activation to be the most
straight-forward to analyze.
The first step in activating Windows XP via telephone is supplying the
call-center agent with the Installation ID displayed by msoobe.exe,
the application that guides a user through the activation process. The
Installation ID is a number consisting of 50 decimal digits that are
divided into groups of six digits each, as in
002666-077894-484890-114573-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX
In this authentic Installation ID we have substituted digits that we
prefer not to disclose by 'X' characters.
If msoobe.exe is invoked more than once, it provides a different
Installation ID each time.
In return, the call-center agent provides a Confirmation ID matching
the given Installation ID. Entering the Confirmation ID completes the
activation process.
Since the Installation ID is the only piece of information revealed
during activation, the above question concerning the information
transmitted during the activation process is equivalent to the
question
'How is the Installation ID generated?'
To find an answer to this question, we trace back each digit of the
Installation ID to its origins.
>>> Check digits
The rightmost digit in each of the groups is a check digit to guard
against simple errors such as the call center agent's mistyping of one
of the digits read to him or her. The value of the check digit is
calculated by adding the other five digits in the group, adding the
digits at even positions a second time, and dividing the sum by
seven. The remainder of the division is the value of the check
digit. In the above example the check digit for the first group (6) is
calculated as follows.
1 | 2 | 3 | 4 | 5 <- position
---+---+---+---+---
0 | 0 | 2 | 6 | 6 <- digits
0 + 0 + 2 + 6 + 6 = 14 (step 1: add all digits)
0 + 6 + 14 = 20 (step 2: add even digits again)
step 3: division
20 / 7 = 2, remainder is 20 - (2 * 7) = 6
=> check digit is 6
Adding the even digits twice is probably intended to guard against the
relatively frequent error of accidentally swapping two digits while
typing, as in 00626 vs. 00266, which yield different check digits.
>>> Decoding
Removing the check digits results in a 41-digit decimal number. A
decimal number of this length roughly corresponds to a 136-bit binary
number. In fact, the 41-digit number is just the decimal encoding of
such a 136-bit multi-precision integer, which is stored in little
endian byte order as a byte array. Hence, the above Installation ID
can also be represented as a sequence of 17 bytes as in
0xXX 0xXX 0xXX 0xXX 0xXX 0xXX 0xXX 0xXX
0x94 0xAA 0x46 0xD6 0x0F 0xBD 0x2C 0xC8
0x00
In this representation of the above Installation ID 'X' characters
again substitute the digits that we prefer not to disclose. The '0x'
prefix denotes hex notation throughout this paper.
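The check-digit rule and the decimal-to-byte decoding from the two sections above, as an added Python example (not part of the original paper and not XPDec's code). The sample bytes are constructed, and since the paper does not say how the check digit of the final two-digit group is formed, the decoder verifies only the eight six-digit groups.

```python
def check_digit(data: str) -> int:
    """Check digit for the data digits of one group (positions are 1-based)."""
    digits = [int(c) for c in data]
    # Sum of all digits, plus the digits at even positions (2 and 4) once more.
    return (sum(digits) + sum(digits[1::2])) % 7


def encode_installation_id(raw: bytes) -> str:
    """17 little-endian bytes -> 41 decimal digits -> dash-separated groups."""
    if len(raw) != 17:
        raise ValueError("expected 17 bytes")
    number = str(int.from_bytes(raw, "little")).zfill(41)
    groups = [number[i:i + 5] for i in range(0, 41, 5)]
    # Assumption: the final one-digit group uses the same rule as the others.
    return "-".join(g + str(check_digit(g)) for g in groups)


def decode_installation_id(text: str) -> bytes:
    """Verify the check digits, strip them, and return the 17-byte array."""
    groups = text.strip().split("-")
    joined = "".join(groups)
    if [len(g) for g in groups] != [6] * 8 + [2]:
        raise ValueError("expected eight groups of six digits and one of two")
    if not (joined.isascii() and joined.isdigit()):
        raise ValueError("only decimal digits and dashes are allowed")
    for g in groups[:8]:
        if check_digit(g[:5]) != int(g[5]):
            raise ValueError(f"check digit mismatch in group {g}")
    number = int("".join(g[:-1] for g in groups))
    if number >= 1 << 136:
        raise ValueError("value does not fit into 136 bits")
    return number.to_bytes(17, "little")


# Constructed sample: 16 arbitrary bytes plus a most significant byte of 0x01.
SAMPLE_RAW = bytes(range(1, 17)) + b"\x01"
SAMPLE_ID = encode_installation_id(SAMPLE_RAW)

if __name__ == "__main__":
    print(SAMPLE_ID)
    print(decode_installation_id(SAMPLE_ID).hex(" "))
```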
>>> Decryption
When decoding arbitrary Installation IDs it can be noticed that the
most significant byte always seems to be 0x00 or 0x01, whereas the
other bytes look random. The reason for this is that the lower 16
bytes of the Installation ID are encrypted, whereas the most
significant byte is kept in plaintext.
The cryptographic algorithm employed to encrypt the Installation ID is
a proprietary four-round Feistel cipher. Since the block of input
bytes passed to a Feistel cipher is divided into two blocks of equal
size, this class of ciphers is typically applied to input blocks
consisting of an even number of bytes - in this case the lower 16 of
the 17 input bytes. The round function of the cipher is the SHA-1
message digest algorithm keyed with a four-byte sequence.
Let + denote the concatenation of two byte sequences, ^ the XOR
operation, L and R the left and right eight-byte input half for one
round, L' and R' the output halves of said round, and First-8() a
function that returns the first eight bytes of an SHA-1 message
digest. Then one round of decryption looks as follows.
L' = R ^ First-8(SHA-1(L + Key))
R' = L
The result of the decryption is 16 bytes of plaintext, which are -
together with the 17th unencrypted byte - from now on interpreted as
four double words in little endian byte order followed by a single
byte as in
name | size | offset
-----+-------------+-------
H1 | double word | 0
H2 | double word | 4
P1 | double word | 8
P2 | double word | 12
P3 | byte | 16
H1 and H2 specify the hardware configuration that the Installation ID
is linked to. P1 and P2 as well as the remaining byte P3 contain the
Product ID associated with the Installation ID.
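The four-round Feistel structure and the field layout described above, as an added Python example (not part of the original paper and not XPDec's code). The four-byte key is a constructed placeholder because the paper does not disclose the real one, the P1 to P3 values are constructed, and taking bytes 0 to 7 as the left half is an assumption.

```python
import hashlib
import struct

# Constructed placeholder key; the real four-byte key is not given in the paper.
DEMO_KEY = bytes.fromhex("00112233")


def _round_value(half: bytes, key: bytes) -> bytes:
    """First-8(SHA-1(half + key)) in the paper's notation."""
    return hashlib.sha1(half + key).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def decrypt(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    left, right = block[:8], block[8:16]   # assumption: left = bytes 0..7
    for _ in range(rounds):
        # L' = R ^ First-8(SHA-1(L + Key)),  R' = L
        left, right = _xor(right, _round_value(left, key)), left
    return left + right


def encrypt(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    left, right = block[:8], block[8:16]
    for _ in range(rounds):
        # Inverse of one decryption round: L = R',  R = L' ^ First-8(SHA-1(R' + Key))
        left, right = right, _xor(left, _round_value(right, key))
    return left + right


def unpack_installation_id(raw: bytes, key: bytes) -> dict:
    """Decrypt the lower 16 bytes and split all 17 bytes into H1, H2, P1, P2, P3."""
    if len(raw) != 17:
        raise ValueError("expected 17 bytes")
    plain = decrypt(raw[:16], key) + raw[16:]      # byte 16 is never encrypted
    return dict(zip(("H1", "H2", "P1", "P2", "P3"), struct.unpack("<4IB", plain)))


# H1 and H2 are the hardware words of the paper's real-world example;
# P1, P2 and P3 are constructed filler values.
SAMPLE_PLAIN = struct.pack("<4IB", 0xAC1295C5, 0x322C6E01, 0x11111111, 0x22222222, 0x00)
SAMPLE_ENCRYPTED = encrypt(SAMPLE_PLAIN[:16], DEMO_KEY) + SAMPLE_PLAIN[16:]

if __name__ == "__main__":
    print(SAMPLE_ENCRYPTED.hex(" "))
    print({k: hex(v) for k, v in unpack_installation_id(SAMPLE_ENCRYPTED, DEMO_KEY).items()})
```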
>>> Product ID
The Product ID consists of five groups of decimal digits, as in
AAAAA-BBB-CCCCCCC-DDEEE
If you search your registry for a value named 'ProductID', you will
discover the ID that applies to your installation. The 'About' window
of Internet Explorer should also yield your Product ID.
>>>> Decoding
The mapping between the Product ID in decimal representation and its
binary encoding in the double words P1 and P2 and the byte P3 is
summarized in the following table.
digits | length | encoding
--------+---------+---------------------------------------
AAAAA | 17 bits | bit 0 to bit 16 of P1
BBB | 10 bits | bit 17 to bit 26 of P1
CCCCCCC | 28 bits | bit 27 to bit 31 of P1 (lower 5 bits)
| | bit 0 to bit 22 of P2 (upper 23 bits)
DDEEE | 17 bits | bit 23 to bit 31 of P2 (lower 9 bits)
| | bit 0 to bit 7 of P3 (upper 8 bits)
The meaning of each of the five groups of digits is documented in the
next table.
digits | meaning
--------+-------------------------------------------------
AAAAA | apparently always 55034 (in Windows XP RC1)
BBB | most significant three digits of Raw Product Key
| (see below)
CCCCCCC | least significant six digits of Raw Product Key
| plus check digit (see below)
DD | index of the public key used to verify the
| Product Key (see below)
EEE | random value
As can be seen, the (Raw) Product Key plays an important role in
generating the Product ID.
>>>> Product Key
The Raw Product Key is buried inside the Product Key that is printed
on the sticker distributed with each Windows XP CD. It consists of
five alphanumeric strings separated by '-' characters, where each
string is composed of five characters, as in
FFFFF-GGGGG-HHHHH-JJJJJ-KKKKK
Each character is one of the following 24 letters and digits:
B C D F G H J K M P Q R T V W X Y 2 3 4 6 7 8 9
Very similar to the decimal encoding of the Installation ID the 25
characters of the Product Key form a base-24 encoding of the binary
representation of the Product Key. Decoding the Product Key yields a
multi-precision integer of roughly 115 bits, which is stored - again
in little endian byte order - in an array of 15 bytes. Decoding the
above Product Key results in the following byte sequence.
0x6F 0xFA 0x95 0x45 0xFC 0x75 0xB5 0x52
0xBB 0xEF 0xB1 0x17 0xDA 0xCD 0x00
Of these 15 bytes the least significant four bytes contain the Raw
Product Key in little endian byte order. The least significant bit is
removed by shifting this 32-bit value (0x4595FA6F - remember the
little endian byte order) to the left by one bit position, resulting
in a Raw Product Key of 0x22CAFD37, or
583728439
in decimal notation.
The eleven remaining bytes form a digital signature, allowing
verification of the authenticity of the Product Key by means of a
hard-coded public key.
>>>> Product Key -> Product ID
The three most significant digits, i.e. 583, of the Raw Product Key's
nine-digit decimal representation directly map to the BBB component of
the Product ID described above.
To obtain the CCCCCCC component, a check digit is appended to the
remaining six digits 728439. The check digit is chosen such that the
sum of all digits - including the check digit - is divisible by
seven. In the given case, the sum of the six digits is
7 + 2 + 8 + 4 + 3 + 9 = 33
which results in a check digit of 2, since
7 + 2 + 8 + 4 + 3 + 9 + 2 = 33 + 2 = 35
which is divisible by seven. The CCCCCCC component of the Product ID
is therefore 7284392.
For verifying a Product Key, more than one public key is available. If
verification with the first public key fails, the second is tried,
etc. The DD component of the Product ID specifies which of the public
keys in this sequence was successfully used to verify the Product Key.
This mechanism might be intended to support several different parties
generating valid Product Keys with different individual private keys.
However, the different private keys might also represent different
versions of a product. A Product Key for the 'professional' release
could then be signed with a different key than a Product Key for the
'server' release. The DD component would then represent the product
version.
Finally, a valid Product ID derived from our example Product Key might
be
55034-583-7284392-00123
which indicates that the first public key (DD = index = 0) matched and
123 was chosen as the random number EEE.
The randomly selected EEE component is the reason for msoobe.exe
presenting a different Installation ID at each invocation. Because of
the applied encryption this small change results in a completely
different Installation ID.
So, the Product ID transmitted during activation will most probably
differ in the last three digits from your Product ID as displayed by
Internet Explorer or as stored in the registry.
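The path from the decoded Product Key bytes to the Product ID and its packing into P1, P2 and P3, as an added Python example (not part of the original paper and not XPDec's code). It starts from the 15 bytes printed above, drops the least significant bit with a right shift by one (which yields the paper's 0x22CAFD37), and assumes that DDEEE is stored as the single number DD * 1000 + EEE.

```python
# Decoded Product Key bytes as printed in the paper (little endian, 15 bytes).
PAPER_KEY_BYTES = bytes.fromhex("6ffa9545fc75b552bbefb117dacd00")

# Bit widths of AAAAA, BBB, CCCCCCC and DDEEE, packed back to back from bit 0 of P1.
WIDTHS = (17, 10, 28, 17)


def raw_product_key(key_bytes: bytes) -> int:
    if len(key_bytes) != 15:
        raise ValueError("a decoded Product Key is 15 bytes long")
    # The low four bytes hold the Raw Product Key; drop the least significant bit.
    return int.from_bytes(key_bytes[:4], "little") >> 1


def product_id_fields(raw_key: int, key_index: int, eee: int, aaaaa: int = 55034):
    """Return (AAAAA, BBB, CCCCCCC, DDEEE) as integers."""
    if not (0 <= raw_key < 10**9 and 0 <= key_index < 100 and 0 <= eee < 1000):
        raise ValueError("value out of range for the Product ID layout")
    digits = f"{raw_key:09d}"
    six = digits[3:]
    check = -sum(int(d) for d in six) % 7   # makes the digit sum divisible by 7
    # Assumption: DDEEE is stored as the single number DD * 1000 + EEE.
    return aaaaa, int(digits[:3]), int(six + str(check)), key_index * 1000 + eee


def pack_product_id(fields) -> tuple:
    """Pack the four fields into (P1, P2, P3) following the paper's table."""
    value, shift = 0, 0
    for field, width in zip(fields, WIDTHS):
        if field >> width:
            raise ValueError("field does not fit its bit width")
        value |= field << shift
        shift += width
    return value & 0xFFFFFFFF, value >> 32 & 0xFFFFFFFF, value >> 64


def unpack_product_id(p1: int, p2: int, p3: int) -> str:
    value, fields = p1 | p2 << 32 | p3 << 64, []
    for width in WIDTHS:
        fields.append(value & (1 << width) - 1)
        value >>= width
    return "{:05d}-{:03d}-{:07d}-{:05d}".format(*fields)


if __name__ == "__main__":
    fields = product_id_fields(raw_product_key(PAPER_KEY_BYTES), key_index=0, eee=123)
    words = pack_product_id(fields)
    print([hex(w) for w in words], unpack_product_id(*words))
```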
>>> Hardware Information
As discussed above, the hardware configuration linked to the
Installation ID is represented by the two double words H1 and H2.
>>>> Bit-fields
For this purpose, the double words are divided into twelve
bit-fields. The relationship between the computer hardware and the
bit-fields is given in the following table.
double word | offset | length | bit-field value based on
------------+--------+--------+----------------------------
H1 | 0 | 10 | volume serial number string
| | | of system volume
H1 | 10 | 10 | network adapter MAC address
| | | string
H1 | 20 | 7 | CD-ROM drive hardware
| | | identification string
H1 | 27 | 5 | graphics adapter hardware
| | | identification string
H2 | 0 | 3 | unused, set to 001
H2 | 3 | 6 | CPU serial number string
H2 | 9 | 7 | harddrive hardware
| | | identification string
H2 | 16 | 5 | SCSI host adapter hardware
| | | identification string
H2 | 21 | 4 | IDE controller hardware
| | | identification string
H2 | 25 | 3 | processor model string
H2 | 28 | 3 | RAM size
H2 | 31 | 1 | 1 = dockable
| | | 0 = not dockable
Bit 31 of H2 specifies whether the bit-fields represent a notebook
computer that supports a docking station. If docking is possible, the
activation mechanism will be more tolerant with respect to future
hardware modifications. Here, the idea is that plugging a notebook
into its docking station possibly results in changes to its hardware
configuration, e.g. a SCSI host adapter built into the docking station
may become available.
Bits 2 through 0 of H2 are unused and always set to 001.
If the hardware component corresponding to one of the remaining ten
bit-fields is present, the respective bit-field contains a non-zero
value describing the component. A value of zero marks the hardware
component as not present.
All hardware components are identified by a hardware identification
string obtained from the registry. Hashing this string provides the
value for the corresponding bit-field.
>>>> Hashing
The hash result is obtained by feeding the hardware identification
string into the MD5 message digest algorithm and picking the number of
bits required for a bit-field from predetermined locations in the
resulting message digest. Different predetermined locations are used
for different bit-fields. In addition, a hash result of zero is
avoided by calculating
Hash = (Hash % BitFieldMax) + 1
where BitFieldMax is the maximal value that may be stored in the
bit-field in question, e.g. 1023 for a 10-bit bit-field, and 'x % y'
denotes the remainder of the division of x by y. This results in
values between 1 and BitFieldMax. The obtained value is then stored in
the respective bit-field.
>>>> RAM bit-field
The bit-field related to the amount of RAM available to the operating
system is calculated differently. The seven valid values specify the
approximate amount of available RAM as documented in the following
table.
value | amount of RAM available
------+---------------------------
0 | (bit-field unused)
1 | below 32 MB
2 | between 32 MB and 63 MB
3 | between 64 MB and 127 MB
4 | between 128 MB and 255 MB
5 | between 256 MB and 511 MB
6 | between 512 MB and 1023 MB
7 | above 1023 MB
It is important to note that the amount of RAM is retrieved by calling
the GlobalMemoryStatus() function, which reports a few hundred
kilobytes less than the amount of RAM physically installed. So, 128 MB
of RAM would typically be classified as "between 64 MB and 127 MB".
>>>> Real-world example
Let us have a look at a real-world example. On one of our test systems
the hardware information consists of the following eight bytes.
0xC5 0x95 0x12 0xAC 0x01 0x6E 0x2C 0x32
Converting the bytes into H1 and H2, we obtain
H1 = 0xAC1295C5 and H2 = 0x322C6E01
Splitting H1 and H2 yields the next table in which we give the value
of each of the bit-fields and the information from which each value is
derived.
dw & | |
offset | value | derived from
-------+-------+-----------------------------------------------
H1 0 | 0x1C5 | '1234-ABCD'
H1 10 | 0x0A5 | '00C0DF089E44'
H1 20 | 0x37 | 'SCSI\CDROMPLEXTOR_CD-ROM_PX-32TS__1.01'
H1 27 | 0x15 | 'PCI\VEN_102B&DEV_0519&SUBSYS_00000000&REV_01'
H2 0 | 0x1 | (unused, always 0x1)
H2 3 | 0x00 | (CPU serial number not present)
H2 9 | 0x37 | 'SCSI\DISKIBM_____DCAS-34330______S65A'
H2 16 | 0x0C | 'PCI\VEN_9004&DEV_7178&SUBSYS_00000000&REV_03'
H2 21 | 0x1 | 'PCI\VEN_8086&DEV_7111&SUBSYS_00000000&REV_01'
H2 25 | 0x1 | 'GenuineIntel Family 6 Model 3'
H2 28 | 0x3 | (system has 128 MB of RAM)
H2 31 | 0x0 | (system is not dockable)
>>> Using XPDec
XPDec is a utility to be run from the command prompt. It may be
invoked with one of four command line options to carry out one of four
tasks.
>>>> XPDec -i
This option enables you to access the information hidden in an
Installation ID. It decodes the Installation ID, decrypts it, and
displays the values of the hardware bit-fields as well as the Product
ID of your product. Keep in mind that the last three digits of the
Product ID contained in the Installation ID are randomly selected and
differ from the Product ID displayed by Internet Explorer.
The only argument needed for the '-i' option is the Installation ID,
as in
XPDec -i 002666-077894-484890-114573-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XX
>>>> XPDec -p
To help you trace the origin of your Product ID, this option decodes a
Product Key and displays the Raw Product Key as it would be used in a
Product ID.
The only argument needed for the '-p' option is the Product Key, as in
XPDec -p FFFFF-GGGGG-HHHHH-JJJJJ-KKKKK
Note that this option does not verify the digital signature of the
Product Key.
>>>> XPDec -v
This option calculates the hash of a given volume serial number. It
was implemented to illustrate our description of string hashing. First
use '-i' to display the hardware bit-fields. Then use this option to
verify our claims concerning the volume serial number hash.
The only argument needed for the '-v' option is the volume serial
number of your system volume, as in
XPDec -v 1234-ABCD
(The volume serial number is part of the 'dir' command's output.)
>>>> XPDec -m
This option calculates the network adapter bit-field value
corresponding to the given MAC address. Similar to '-v' this option
was implemented as a proof of concept.
The only argument needed for the '-m' option is the MAC address of
your network adapter, as in
XPDec -m 00-C0-DF-08-9E-44
(Use the 'route print' command to obtain the MAC address of your
network adapter.)
>> HARDWARE MODIFICATIONS
When looking at the effects of hardware modifications on an already
activated installation of Windows XP, the file 'wpa.dbl' in the
'system32' directory plays a central role. It is a simple
RC4-encrypted database that stores, among other things like expiration
information and the Confirmation ID of an activated installation,
a) the bit-field values representing the current hardware
configuration,
and
b) the bit-field values representing the hardware configuration
at the time of product activation.
While a) is automatically updated each time the hardware configuration
is modified in order to reflect the changes, b) remains fixed. Hence,
b) can be thought of as a snapshot of the hardware configuration at
the time of product activation.
This snapshot does not exist in the database before product activation
and if we compare the size of 'wpa.dbl' before and after activation,
we will notice an increased file size. This is because the snapshot is
added to the database.
When judging whether re-activation is necessary, the bit-field values
of a) are compared to the bit-field values of b), i.e. the current
hardware configuration is compared to the hardware configuration at
the time of activation.
>>> Non-dockable computer
Typically all bit-fields with the exception of the unused field and
the 'dockable' field are compared. If more than three of these ten
bit-fields have changed in a) since product activation, re-activation
is required.
This means, for example, that in our above real-world example, we
could replace the harddrive and the CD-ROM drive and substantially
upgrade our RAM without having to re-activate our Windows XP
installation.
However, if we completely re-installed Windows XP, the information in
b) would be lost and we would have to re-activate our installation,
even if we had not changed our hardware.
>>> Dockable computer
If bit 31 of H2 indicates that our computer supports a docking
station, however, only seven of the ten bit-fields mentioned above are
compared. The bit-fields corresponding to the SCSI host adapter, the
IDE controller, and the graphics board are omitted. But again, of
these remaining seven bit-fields, only up to three may change without
requiring re-activation.
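The bit-field split, the RAM classes and the re-activation rule for both the non-dockable and the dockable case, as an added Python example (not part of the original paper and not XPDec's code). Field names and replacement values are constructed, and reading the 'dockable' bit from the activation-time snapshot is an assumption.

```python
# (name, double word index, bit offset, bit length) from the paper's bit-field table.
FIELDS = [
    ("volume_serial", 0, 0, 10), ("mac", 0, 10, 10), ("cdrom", 0, 20, 7),
    ("graphics", 0, 27, 5), ("cpu_serial", 1, 3, 6), ("harddrive", 1, 9, 7),
    ("scsi", 1, 16, 5), ("ide", 1, 21, 4), ("cpu_model", 1, 25, 3), ("ram", 1, 28, 3),
]
DOCK_IGNORED = {"scsi", "ide", "graphics"}   # not compared on dockable systems
MAX_CHANGED = 3                              # more than three changes -> re-activate


def split_fields(words):
    """Split (H1, H2) into the ten compared bit-fields plus the dockable bit."""
    out = {n: words[w] >> off & (1 << ln) - 1 for n, w, off, ln in FIELDS}
    out["dockable"] = words[1] >> 31 & 1
    return out


def set_field(words, name, value):
    """Return a copy of (H1, H2) with one bit-field replaced."""
    w, off, ln = next(f[1:] for f in FIELDS if f[0] == name)
    mask = (1 << ln) - 1 << off
    updated = list(words)
    updated[w] = updated[w] & ~mask | value << off & mask
    return tuple(updated)


def ram_field(megabytes: int) -> int:
    """RAM class 1..7 for the amount reported by GlobalMemoryStatus(), in MB."""
    return 1 + sum(megabytes >= limit for limit in (32, 64, 128, 256, 512, 1024))


def needs_reactivation(snapshot, current):
    """Compare the activation-time snapshot b) with the current values a)."""
    old, new = split_fields(snapshot), split_fields(current)
    # Assumption: the dockable bit of the snapshot decides which fields count.
    compared = [n for n, *_ in FIELDS if not (old["dockable"] and n in DOCK_IGNORED)]
    changed = [n for n in compared if old[n] != new[n]]
    return len(changed) > MAX_CHANGED, changed


# H1 and H2 of the paper's real-world example. Bits 20-26 of this H1 evaluate
# to 0x41, whereas the paper's table lists 0x37 for the CD-ROM field.
PAPER_WORDS = (0xAC1295C5, 0x322C6E01)

if __name__ == "__main__":
    upgraded = PAPER_WORDS
    for name, value in (("harddrive", 0x11), ("cdrom", 0x22), ("ram", ram_field(511))):
        upgraded = set_field(upgraded, name, value)   # constructed new values
    print(needs_reactivation(PAPER_WORDS, upgraded))
```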
>> CONCLUSIONS
In this paper we have given a technical overview of Windows Product
Activation as implemented in Windows XP. We have shown what
information the data transmitted during product activation is derived
from and how hardware upgrades affect an already activated
installation.
Looking at the technical details of WPA, we do not think that it is as
problematic as many people have expected. We think so, because WPA is
tolerant with respect to hardware modifications. In addition, it is
likely that more than one hardware component maps to a certain value
for a given bit-field. From the above real-world example we know that
the PX-32TS maps to the value 0x37 = 55. But there are probably many
other CD-ROM drives that map to the same value. Hence, it is
impossible to tell from the bit-field value whether it is a PX-32TS
that we are using or one of the other drives that map to the same
value.
In contrast to many critics of Windows Product Activation, we think
that WPA does not prevent typical hardware modifications and,
moreover, does NOT respect the user's right to privacy.