Inside Windows Product Activation (WPA)


Kayaker
November 15th, 2001, 03:30
Some of you crypto wizards might be interested in this document:

Windows Product Activation (WPA) as implemented in Windows XP

h*tp://www.licenturion.com/xp/fully-licensed-wpa.txt

The text details how the Windows Installation ID, a number consisting of 50 decimal digits generated by msoobe.exe, and which is sent to MS in return for a Confirmation ID to complete the registration process, is derived from the Product ID and your hardware configuration. It doesn't discuss the Confirmation ID of course, just how your hardware config is used to generate the Installation ID.

Kayaker

Kayaker
November 15th, 2001, 12:28
Doh! My apologies, I see JMI already posted this a day ago on the RE forum. Guess I missed it the first time around. So much for the scoop, heh. In any case, it's interesting and crypto based, so it might as well be mentioned again here.

http://www.woodmann.net/forum/showthread.php?threadid=2139

Cmefantastic
January 17th, 2002, 11:48
Way off topic mate, sorry bout that.

Was putting off doing the XP crack so the days counted down.

Had to reset bios yesterday, now XP has got clever with the date change and can't log on. Is there a DOS-based crack I can use, am I insulting anyone's intelligence, sorry guys.

Woodmann
January 18th, 2002, 20:26
Howdy,

Does the puter even boot?
Does it boot then stop and say "no way"?

Anyway, maybe you should just nuke the partitions and re-format.

Peace, Woodmann

Rummy
July 15th, 2002, 07:40
Looks like about 6 months since the last msg on this thread. I've searched this board and the internet generally and not found anything really useful about the algorithm(s) used by WPA.

On this board it was mentioned that some variant of RIPEMD (-160?) was possibly part of the activation scheme. Around the internet, there don't seem to be any real keygens.

From what I can see, an activation code would have to be more than a simple hash of the CD key and "unique" system identifier, because changing just one bit of the system ident. would completely alter the hash value. Since one is apparently allowed to make certain hardware changes without triggering re-activation, there has to be other stuff going on.

On this board, there were a few threads, now months old, about taking the reversing of the whole WPA scheme underground. Does anyone have any new information they wouldn't mind sharing? Could be done through private email (with or without PGP) if it's still considered sensitive information.
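
The point in the post above, that a plain hash over the whole system identifier cannot tolerate hardware changes, can be shown directly. This is an added example, not part of the original thread and not WPA's actual algorithm: SHA-1 stands in for whatever hash the scheme uses, and the component names, sample values, 4-byte truncation and match threshold are all assumptions made for illustration.

```python
import hashlib

# Constructed sample hardware inventory (not taken from any real machine).
BASELINE = {
    "volume_serial": "1A2B-3C4D",
    "mac_address": "00:11:22:33:44:55",
    "cpu_model": "EXAMPLE-CPU",
    "ram_mb": "256",
    "disk_model": "EXAMPLE-DISK-40GB",
    "gpu_model": "EXAMPLE-VGA",
}

def monolithic_fingerprint(hw):
    """One digest over the whole inventory: any change scrambles the result."""
    blob = "|".join(f"{k}={hw[k]}" for k in sorted(hw)).encode()
    return hashlib.sha1(blob).digest()

def component_fingerprint(hw):
    """One short, independent hash per component (hypothetical layout)."""
    return {k: hashlib.sha1(f"{k}={v}".encode()).digest()[:4]
            for k, v in hw.items()}

def bit_distance(a, b):
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def matching_components(stored, current):
    """How many per-component hashes are unchanged."""
    return sum(1 for k in stored if current.get(k) == stored[k])

def still_same_machine(stored, current, threshold=4):
    """Tolerant comparison: accept if enough components still match."""
    return matching_components(stored, current) >= threshold

if __name__ == "__main__":
    # One component swapped (constructed value).
    upgraded = dict(BASELINE, gpu_model="EXAMPLE-VGA-2")
    flipped = bit_distance(monolithic_fingerprint(BASELINE),
                           monolithic_fingerprint(upgraded))
    print(f"monolithic hash: {flipped} of 160 bits differ")
    stored = component_fingerprint(BASELINE)
    current = component_fingerprint(upgraded)
    print(f"per-component: {matching_components(stored, current)} of "
          f"{len(stored)} match, accepted={still_same_machine(stored, current)}")
```

With a single digest there is no way to tell a one-component change from a completely different machine, while the per-component form can count matches and apply a threshold.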

MTB
July 16th, 2002, 03:12
Normally I don't respond to these requests but since it is in the RCE section I will.

There are several cracks running around the net for XP and XP Office. They operate by doing a hardware search then coming up with a key, note I have NOT tested it. According to the discussions I have seen it takes the program about 10 attempts to get it right. So if you want the crack I suggest you search in the usual places for it, then reverse it.

I hope your math is up to the task, I hear it is pretty nasty.

MTB

Rummy
July 16th, 2002, 07:45
It only generates product keys, which would normally be found on a legit certificate that comes with the product. The only thing that does for you is give you something that can be used to activate the product with over the phone.

There's no info out there that explains (or attempts to explain) how an activation code is genned from this key or where in the boot process the key is verified to give a go/no-go indication.

News stories claiming the WPA is "totally" cracked are just wrong. The way I see it, almost a year after release the MS WPA scheme has yet to truly be "cracked" by anyone.

Thanks for the response, in any case.