GenuineCheck.exe


naides
March 27th, 2005, 13:56
OK. This thread is completely off topic.

This is regarding this little program that Microsoft asks you to download and run before allowing you to download certain new functionalities and updates (an anti-spyware tool, among others, of all things). Its function is to check that you are running a genuine copy of the WinXP OS; it generates some key that you are supposed to send back to the MS web site. . .
When I ran the little contraption, my firewall could not detect any communication it generated to the outside world, but when I disassembled it, oh boy! It's almost completely composed of TCP/IP and other network functions, which I seriously doubt are required to extract a meager activation key from your system. . .
Does anybody (perhaps people with inside information) know what is the whole story about this little program?
Sounds like institutionalized spyware to me!

babar0ga
March 27th, 2005, 22:42
hi naides!

I downloaded that file from hxxp://download.microsoft.com/download/1/1/a/11a73739-0b11-4bf2-950f-cbd99511904c/GenuineCheck.exe
and started it. My firewall (Agnitum Outpost) reported inet activity (go.microsoft.com:80) to me and I was able to block it (hope so).
After that I looked at the imports section... There are 12 APIs from the WININET lib.
File size is 337,672 bytes.
Is it the same over at your place?

naides
March 28th, 2005, 08:37
Yes, it is the same file.
I wonder why you did detect inet activity. Perhaps my firewall is crappy, or the app does not always send packets (phone home) when activated.
Time to do some debugging and run this app under more controlled conditions.
It would be nice to find out WTF this thing is sending to microsoft.com.

lifewire
March 28th, 2005, 08:37
Which firewall do you use, naides? (I use Kerio personal firewall, and it detects it too)

naides
March 28th, 2005, 09:43
McAfee Personal Firewall Plus

babar0ga
March 28th, 2005, 12:59
Seems to me it's going to hxxp://go.microsoft.com/fwlink/?LinkId=34628
which is redirected to hxxp://www.microsoft.com/downloads/sync.aspx.
It's sending nothing (at least at that stage) but receiving some "code"...

I checked it (the link) with Opera and IE and both gave me the same result...
Code:
1:2b4fbbe0-b95b-7ff2-bbd9-8dcd4211787f

but last time I checked it was different, probably because my IP was different and/or the date...

babar0ga
March 28th, 2005, 14:04
I'm sorry. My mistake...

Here is communication...

GenuineCheck.exe --> microsoft
Code:
GET /fwlink/?LinkId=34628 HTTP/1.1
Accept: */*
User-Agent: LegitCheck
Host: go.microsoft.com
Cache-Control: no-cache
Cookie: MC1=GUID=845b0a3e74ff68459a25db4a431a8610&HASH=3e0a&LV=20053&V=3


GenuineCheck.exe <-- microsoft

Code:

HTTP/1.1 302 Found
Connection: close
Date: Mon, 28 Mar 2005 18:27:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: http://www.microsoft.com/downloads/sync.aspx
Cache-Control: private
Expires: Mon, 28 Mar 2005 18:26:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 161

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='http://www.microsoft.com/downloads/sync.aspx'>here</a>.</h2>
</body></html>


GenuineCheck.exe--> microsoft
Code:

GET /downloads/sync.aspx HTTP/1.1
Accept: */*
User-Agent: LegitCheck
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MC1=GUID=845b0a3e74ff68459a25db4a431a8610&HASH=3e0a&LV=20053&V=3
Host: www.microsoft.com

GenuineCheck.exe <-- microsoft
Code:

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 38
Content-Type: text/html; charset=utf-8
Expires: Mon, 28 Mar 2005 14:00:00 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 1.1.4322
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Mon, 28 Mar 2005 18:27:52 GMT

1:2b4fbbe0-b95b-7ff2-bbd9-8dcd4211787f


Well, it's pretty much clear that GenuineCheck.exe IS sending something to MS at this stage...
It's
Code:
MC1=GUID=845b0a3e74ff68459a25db4a431a8610&HASH=3e0a&LV=20053&V=3

After all that I checked that link once more with Opera
and received the same code back: 1:2b4fbbe0-b95b-7ff2-bbd9-8dcd4211787f

So it seems that the cookie is not so important, because my Opera didn't send it...

After that stage is completed, GenuineCheck.exe started
communication with 131.107.97.95:443, which I blocked.
After a few exceptions it tried mpa.one.microsoft.com:443, which I also blocked.
At the end GenuineCheck.exe presented me with this code: WXPWK6D
and instructed me to validate it at their pages.

That's all for now. I'm going to debug it later this week...

Hope to hear from you guys soon...

regards
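The exchange babar0ga captured above, audited programmatically as an added example (not code from the thread): the script parses the request/response pairs, follows the 302 redirect, and lists every Cookie value the client volunteered and which hosts received it. The capture is constructed from the headers quoted in the post (some headers trimmed); the function names are this example's own.

```python
"""Audit a captured HTTP exchange: hosts contacted, redirects followed, and
what the client volunteered in Cookie headers (constructed sample below)."""
import re
from urllib.parse import parse_qs, urlsplit

CAPTURE = """\
GET /fwlink/?LinkId=34628 HTTP/1.1
User-Agent: LegitCheck
Host: go.microsoft.com
Cookie: MC1=GUID=845b0a3e74ff68459a25db4a431a8610&HASH=3e0a&LV=20053&V=3

HTTP/1.1 302 Found
Location: http://www.microsoft.com/downloads/sync.aspx

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='http://www.microsoft.com/downloads/sync.aspx'>here</a>.</h2>
</body></html>

GET /downloads/sync.aspx HTTP/1.1
User-Agent: LegitCheck
Cookie: MC1=GUID=845b0a3e74ff68459a25db4a431a8610&HASH=3e0a&LV=20053&V=3
Host: www.microsoft.com

HTTP/1.1 200 OK

1:2b4fbbe0-b95b-7ff2-bbd9-8dcd4211787f
"""
START = re.compile(r"^(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3})")

def parse_capture(text):
    """A block opening with a request/status line is a message head; any other
    block is the body of the preceding message (bodies here have no blank lines)."""
    messages = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if START.match(lines[0]):
            hdrs = (l.split(":", 1) for l in lines[1:] if ":" in l)
            messages.append({"start": lines[0], "body": "",
                             "headers": {k.lower(): v.strip() for k, v in hdrs}})
        elif messages:
            messages[-1]["body"] = block
    return messages

def audit(text):
    """Pair each request with its response; record hosts, redirects and cookies."""
    msgs = parse_capture(text)
    report = {"hosts": [], "sent": {}, "redirects": [], "final_body": None}
    for req, resp in zip(msgs[0::2], msgs[1::2]):
        target, host = req["start"].split()[1], req["headers"].get("host", "?")
        report["hosts"].append(host)
        # Every cookie pair is data the client volunteered; MC1 wraps a further
        # query-string-style payload (GUID, HASH, ...), so decode that as well.
        for pair in req["headers"].get("cookie", "").split(";"):
            name, _, value = pair.strip().partition("=")
            if name:
                fields = {k: v[0] for k, v in parse_qs(value).items()}
                entry = report["sent"].setdefault(name, {"fields": fields, "hosts": []})
                entry["hosts"].append(host)
        status = int(resp["start"].split()[1])
        if status in (301, 302, 303, 307, 308):
            loc = urlsplit(resp["headers"]["location"])
            report["redirects"].append((host + target, loc.netloc + loc.path))
        elif status == 200:
            report["final_body"] = resp["body"].strip()
    return report

if __name__ == "__main__":
    for name, info in audit(CAPTURE)["sent"].items():
        print(f"cookie {name} sent to {', '.join(info['hosts'])}: {info['fields']}")
```

Run against a real capture, the same report shows the GUID being repeated to the second host after the redirect, which is the detail to compare against a vendor's privacy statement.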

JMI
March 28th, 2005, 14:38
Of course you could just download their Anti-Spyware off the net and skip their "GenuineCheck.exe" altogether, but I recognize the point was to figure out what the heck they were checking.

Besides, you all do have "Genuine" Windo$ws products, don't you? You do know how to have M$ give you a "Genuine" authentication if you've "misplaced" yours, don't you?

Regards,

naides
March 28th, 2005, 15:26
MS Anti-Spyware is not all that good, JMI. I am looking at this out of curiosity. I just think it is ironic that the anti-spyware software's function is to protect one's privacy from sneaky information exchange over the net.

This particular file did not include the 'reassuring' disclaimer: no personal information will be sent to MS server. . .

TBone
March 28th, 2005, 19:47
Heh, if you poke around a little, you'll find the infamous WINE check. No updates for joo!

JMI
March 29th, 2005, 02:14
"Nobody" should have thought that a program labeled "GenuineCheck.exe" might actually need to check if one had "Genuine" M$ products, and that to do that, it might need to send and/or receive some information to determine one has such products.

The Anti-Spyware page has this statement:

Before obtaining the requested download, please take a moment to validate your genuine Microsoft Windows installation. Validation assures that you are running an authentic and fully-licensed copy of Windows. Validating now will enable faster access to genuine Windows downloads upon future visits to the Download Center. Please see the Why Validate? page to learn more about the Windows Genuine Advantage program and why validation is recommended.

When you select Yes below you will be guided through the short validation process. If you see a Security Warning dialog box from Microsoft, click Yes to install and run the Windows Genuine Validation tool automatically.

On the Why Validate? page:

http://www.microsoft.com/genuine/downloads/whyValidate.aspx?familyId=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displayLang=en

You will find the following:

What is genuine Windows validation?

Validation is a short process that enables you to verify that your copy of Windows is genuine. If you request a genuine Windows download from the Microsoft Download Center, you will be prompted to complete the validation process. You may choose not to validate your Windows and still obtain your requested download. However, validating now will enable faster access to the Download Center in the future when validation may be required. After successful validation, a Microsoft Windows Download Key will be stored on your system for future use. Following the validation process, you'll be returned to your original page to obtain your requested download.

How are validation and Windows activation related?

The validation process determines if you have activated your copy of Windows. If you have not activated Windows, you will be asked to enter the 25-character Product Key printed on the Certificate of Authenticity (COA) you received with your PC or software purchase. If you have already activated Windows, the validation process will sense that the PC has been activated, and will not request Product Key entry.

Will I be asked to provide personal information?

During the validation and activation processes, Microsoft does not collect any information, such as your name or email address, that can be used to identify you or contact you. These processes simply enable Microsoft to create a match between your PC's hardware profile and your 25-character Product Key (located on the COA), which we then store and check against future activation and validation attempts. We do this to ensure that your Product Key cannot be used by another person in a malicious manner, such as activating a pirated or non-genuine copy of Windows.

There is a FAQ here:

http://www.microsoft.com/genuine/downloads/FAQ.aspx?displaylang=en&FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671

So it is clear that reading the info associated with the "GenuineCheck.exe" does "include the 'reassuring' disclaimer: no personal information will be sent to MS server." It also tells you something is going to be checked (a Hardware profile hash?) and whether the OS is "Activated" and then a hash is going to be downloaded to your machine for "future use" by M$.

And now we also all know babar0ga's "activation check" download key and can just use his.

Of course, now all they will have to do is figure out what to do when our hardware changes and that changes the Hardware Profile.

Regards,

naides
March 29th, 2005, 06:27
Hardware signatures associated with IP addresses are private, personal, identifying information, which could be used and/or abused, and should not be collected without consent or probable cause, even under the guise of a good deed.
Is this a private infringement of the Fourth Amendment, Counselor?

JMI
March 29th, 2005, 10:02
"Nobody" who checks with Mr. Google (or watches too much TV) could be confused about whether or not this procedure conflicts with the "Fourth Amendment" of the U.S. Constitution, for at least two reasons.

The Fourth Amendment states:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

First, the Fourth Amendment seems to apply only to "governmental" searches and seizures. Second, there is a doctrine apparently applied to those governmental searches called "implied consent."

"Fourth Amendment rights, like other constitutional rights, may be waived, and one may consent to search of his person or premises by officers who have not complied with the Amendment."

Mr. Google does not suggest that the Fourth Amendment applies to "searches" by private individuals and/or companies at all. In this instance, we do not have "governmental action" (although one could argue M$ IS bigger than the government) and there is "express consent" for the search which apparently occurs here.

Also, it is not apparent, from babar0ga's information, that the IP is at all relevant, except maybe for the cookie he received at times. It also would not seem to be useful for the purposes of such a check, since the "hardware" might well be a laptop computer, with "genuine" software, which is mobile and more than likely to connect from different IPs at various times. If IPs were part of the "profile," such a machine would report a "different hardware profile" simply when connected from a different location, and M$'s "match between your PC's hardware profile and your 25-character Product Key" would not work as described. You would not be "validated" or able to download updates requiring "validation", except from that first IP where your original "validation" occurred.

Regards,

naides
March 29th, 2005, 10:17
Quote:
[Originally Posted by JMI]
First, the Fourth Amendment seems to apply only to "governmental" searches and seizures.
Regards,

So, as long as I am not the government, I can search and seize your property?
Or even prevent you from exercising your freedom of speech and assembly?

The Bill of Rights protects your right to privacy from every person or agency, including the government, not exclusively from the government.

JMI
March 29th, 2005, 10:56
Sorry, that is not correct.

The Bill of Rights only protects individuals and individual rights from the Government. Violations of "privacy" by non-governmental action are generally only a "civil" lawsuit issue. I remember newspaper accounts of people being kidnapped from other countries and brought back to the U.S. for criminal trial here. The government was permitted to convict them, despite the fact they had been "seized" without a warrant in a foreign country. I have also read about private individuals "seizing" materials "without a warrant" and turning them over to the government, and such materials were allowed to be used for criminal trial against the person whose materials were "stolen".

For example, you cannot charge your Boss with violating your "free speech" rights under the Constitution for firing you for exercising your "right" to tell him/her your "opinion" of their character. And you can be fired for "assembling" around the water cooler to discuss basketball all day, instead of working.

If someone (or some company) violates your "privacy rights," you might be able to sue them in civil court, depending on where you live and what "privacy" they violated, but this is not a "right" guaranteed by the Constitution, but by State or Federal law.

But again, here you have to consent to M$'s access to your computer to do this "search" and that would probably be a problem even in a civil lawsuit.

Regards,

SiGiNT
March 29th, 2005, 12:29
Implied/express consent, when entering into a contract for employment.
Only a subpoena or the owner's consent gives any individual the right to violate my possessions or property outside the workplace, or to utilize any of the information gained during that violation, without possible criminal prosecution, i.e. identity theft. The EULA we all never read when installing products, including M$ OSes, grants consent or implied consent.

SiGiNT

TBone
March 29th, 2005, 12:56
Quote:
[Originally Posted by JMI]"Nobody" should have thought that a program labled "GenuineCheck.exe" might actually need to check if one had "Genuine" M$ products, and that to do that, it might need to send and/or receive some information to determine one has such products.

Fair enough, but IIRC, the big hubbub about the WINE thing was that people were trying to get updates for legitimate copies of MS Office, which they were running via WINE. They had a genuine copy of the software, they just weren't running it on MS Windows(TM)(R), which is apparently in Microsoft's big book of Things Thou Shalt Not Do.

Of course, if you "search" the box, you'll find this magical "system requirements" box, which says the program requires Windows. So, it's still stupid to get bent out of shape about it, but it's still kind of funny. If you modify the code to skip the WINE check, it works just fine under WINE. So it's not like there's actually a technical reason why they needed to check for it.

JMI
March 29th, 2005, 14:50
http://news.zdnet.co.uk/software/linuxunix/0,39020390,39188944,00.htm

Wine maker relaxed over Microsoft's 'blockade'

ZDNet UK
February 23, 2005, 13:00 GMT

Microsoft's anti-piracy tool appears to block users who run a Windows emulator on Linux

A company that sells products based on Wine, an open source application that allows users to run Windows applications under Linux, said it isn't worried that Microsoft's anti-piracy application appears to be blocking the emulation software.

Jeremy White, chief executive at CodeWeavers, which sells Wine-based products, said this week that he wasn't worried about the issue because Microsoft would face legal action if it attempted to tie Office and Windows too tightly together.

"I think people have blown it out of proportion because it's not a problem," said White. "If they [Microsoft] start saying you can only get Microsoft Office updates if you are running the Windows operating system then that would expose them to legal repercussions as they would be tying one monopoly product to another. We would be delighted if they did this -- we could sue them and become rich."

Last month Microsoft said from the middle of 2005 customers will need to verify that their copies of Windows are genuine before downloading updates and add-on tools, through a programme, called Windows Genuine Advantage (WGA). WGA uses a validation tool to check whether a particular version of Windows is genuine, which is already running on the Microsoft site.

Wine developer Ivan Leo Puoti subsequently warned on a mailing list that the WGA validation program appears to be blocking Wine. The problem affected Wine users emulating various versions of Windows, apart from Windows XP.

This appears to be a deliberate attempt to block Wine, as a Wine configuration key was found in an application used as part of the validation process, according to Puoti. "Even if this is only an initial attempt, they [Microsoft] appear to want to discriminate Wine users," said Puoti.

Web site Slashdot posted information on this issue last week, which led to concerned postings from some Wine users who were worried they would not be able to download updates to their licensed version of Microsoft Office.

"I don't use Wine to run Windows OS [operating system], I run it to run some (work required) Office apps and some games," said one posting. "The Office apps were purchased and presumably have rights to be updated the same as any other user of Office apps. Same with the games. But Microsoft is saying that, because I am using a valid purchased version of their software on an OS other than Windows (by using Wine) they will not allow updates from their servers."

White believes this issue shows that Microsoft is worried about Wine, which he believes is good news for his company.

"The reason we love this is because this shows that Microsoft is aware of Wine at very high levels," said White. "For us it's exciting -- it is an acknowledgement of us as a threat. Microsoft does not want the world to know how terrified of Wine they are."

White's main concern is that people who hear about this issue may think that they cannot run Microsoft Office on Linux, which would discourage people from moving to the open source operating system. "Microsoft would love it if people thought that," said White.

http://news.zdnet.co.uk/0,39020330,39189180,00.htm

Microsoft admits targeting Wine users

ZDNet UK
February 25, 2005, 12:30 GMT

The software giant has admitted specifically excluding users of the popular Windows compatibility toolkit with its update tool

Microsoft prioritised making its anti-piracy tool prevent users of Wine, an open source toolkit that allows users to run Windows applications under Linux, from downloading Windows updates, the software giant said on Friday.

A Microsoft spokesperson told ZDNet UK it made sure the validation tool used by its Windows Genuine Advantage (WGA) programme identified Wine users, so that only users running a genuine version of Windows could download updates and add-on tools.

"As the most popular third-party translation technology in use, Wine was the first emulator to be specifically tested for via WGA," said the spokesperson. "Microsoft does not knowingly provide copyrighted Microsoft Windows OS files to users of third-party emulators or cross-platform API translation technologies such as Wine."

The spokesperson said users who are not running Windows XP or Windows 2000 natively can still download updates for Microsoft Office from the Office Update Web site.

Microsoft's public acknowledgement of Wine suggests a shift in corporate policy. Earlier this week Jeremy White, chief executive at CodeWeavers, which sells products based on Wine, said that Microsoft has until now had "a clear corporate policy to not talk about Wine".

Plus ça change, plus c'est la même chose.

Regards,

Virus
June 1st, 2005, 07:21
Quote:
[Originally Posted by babar0ga]
After all that I checked once more with Opera that link
and received same code back: 1:2b4fbbe0-b95b-7ff2-bbd9-8dcd4211787f

So it's seams that cookie is not so important coz my opera didn't send it...
There is no need to send any information to M$ to retrieve the proper code - the "sync code" from their site is the same for all.
I wrote a simple proggie that gets the "sync code" from the M$ site and generates the code u want:
hxxp://forum.exetools.com/showthread.php?t=7638

Regards!

CluelessNoob
June 1st, 2005, 15:05
Virus: Would you mind posting it here as well? Not all of us have permission to download attachments from exetools forum...


Virus
June 1st, 2005, 15:22
Quote:
[Originally Posted by CluelessNoob]Virus: Would you mind posting it here as well?
Sure, here it is. It's huge because it's coded in Delphi ;-)

disavowed
June 1st, 2005, 23:45
Hmm... I don't have a pirated copy of Windows to test this on... will this generate a valid download code when run on pirated copies of Windows with pirated keys?

Virus
June 2nd, 2005, 00:56
Hi! This should work on any Windows (incl. 9x). Looks like the original GenuineCheck gets some info on ur Windows (product key, activation status etc.) and does "something" with this data in "some" routine. Unfortunately this routine returns only a dword like 0, 1, 2, and only this result and the "sync code" from the MS server are used to compute the final hash. So u can patch GenuineCheck to always return the proper value (same about the ActiveX version).

Finally u don't need to have pirated Windows to test this. U can as well generate some "wrong" code ;-)

Regards!

omega_red
June 3rd, 2005, 02:13
Quote:
http://www.microsoft.com/downloads/sync.aspx

returns
Quote:
1:92dbd9f0-6994-864e-327d-0ecffd9d5d6c

for me

Added: GenuineCheck.exe crashed on my os with error 0x8007007a (ERROR_INSUFFICIENT_BUFFER). Hah!

Virus
June 3rd, 2005, 04:21
@omega_red

> http://www.microsoft.com/downloads/sync.aspx
> returns
> 1:92dbd9f0-6994-864e-327d-0ecffd9d5d6c
> for me

The sync code from MS changes frequently (daily?) but is the same for all between changes.

> Added: GenuineCheck.exe crashed on my os with error 0x8007007a (ERROR_INSUFFICIENT_BUFFER). Hah!

Original GenuineCheck.exe has crashed?

omega_red
June 3rd, 2005, 04:30
Quote:
[Originally Posted by Virus]Original GenuineCheck.exe has crashed?

Yes. I experienced a svchost crash on startup, so I sent them a bug report. Then I was told that "we have a fix for it", so I went to download it. Of course the Genuine Check (tm) was there. So I downloaded and ran it out of curiosity (my OS is legal). But guess what, it displayed that it couldn't obtain the code, with the above-mentioned error. Luckily the genuine check was not mandatory to download the patch. I suppose that it could fail due to our corporate AV/firewall or something. OS: XP SP2 Polish with all Windows Update patches.