
March 2nd, 2007

The Vista brute force keygen - Updated

Posted by Adrian Kingsley-Hughes @ 7:34 am

Categories: DRM, Microsoft


Follow-up post here. 

[Updated: Mar 4, 2007 @ 16.45 pm]
Note to Engadget writers who didn't read this article before commenting …
I never claimed to have found "activation keys." All I saw was that, after running the script for some time, the Magical Jellybean application showed that the keys had changed. I didn't use these to activate Windows and I made that clear in the article. It was pretty obvious from the type of crack that this wasn't reliable by a long shot.
Looking at the VBScript code, it's clear that the script is capable of generating valid keys, but as I said, the hard part is not getting keys past Windows but getting them past the activation servers.
However, what this incident has done is generate interest among hacker circles in generating a keygen for Windows. Microsoft could well find itself having to fend off a number of cracks over the next few months.
Maybe I should take the approach that the Mythbusters do and state whether this is "plausible," "busted" or "confirmed." Using those criteria, the keygen is plausible and I saw the default keygen change twice. It can generate keys that are in the format required by Vista (certainly they "look" like Vista keys) but the chances of getting past the Microsoft activation servers are slim at best.

[Updated: Mar 2, 2007 @ 2.45 am]
A lot of tech sites seem to have totally misunderstood how this works. Many seem to think that this crack somehow relies on hammering Microsoft's activation servers 20,000 times an hour. This is inaccurate. This crack uses Vista itself to check that the key is in an acceptable format. Only after a key has been accepted by Vista does the user have to attempt activation. Limiting how many times an IP address can access the activation servers would have no effect on this. The real weakness here is that Microsoft has relied on a script to control licensing, which makes this kind of attack easier because a script can be more easily modified and tampered with.

Over on KezNews.com a brute force method for acquiring a usable product key for Microsoft's Vista platform has been released.  I can confirm that this method works (for now at any rate), but I don't think that Microsoft has much to worry about.


The brute force keygen relies on replacing the software license manager script slmgr.vbs with one that's been modified to search for valid 25-character product keys. Periodically you have to check manually to see if the key has changed and then manually use that key to attempt to activate Windows.

I can confirm that the scheme works.  I've had the script running on Windows Vista Ultimate inside Virtual PC 2007 and already netted two product keys.  Now I've not used these keys to try to activate Windows, but others have reported successfully activating their copies of Windows Vista using keys found in this way.  There are, however, some drawbacks to the keygen that will probably prevent it from becoming widespread.

First, the process can take a long time and consumes a lot of system resources while running.  Anyone expecting to net a key needs to spend hours or maybe even days running this script.  This is not a  "click the button and a key is generated instantly" kind of key generator. 

You also need some smarts to use it.  A lot of people start running the script and then use the Magical Jelly Bean Keyfinder (included with the download package - those hackers think of everything!) to check the key, but a lot of people seem to be trying to activate using the default trial keys.  You have to be able to tell the difference between a valid key and the default key that is assigned during installation if you choose not to enter a key.

There's another thing to bear in mind here too.  A system activated using a key procured in this way might not remain activated for long.  As WGA is updated it may be reprogrammed to seek out keys generated using this technique (remember, Microsoft knows what keys it has issued).  Microsoft can also tighten up the activation servers to only accept keys from within the range Microsoft has issued.  Given the fact that a Windows product key is 25 characters long and that people have used the key generator to generate a valid key in a few hours, I'm starting to think that either Microsoft has made the mistake of issuing too many keys so far (thus making a 25-character product key easier to guess at random) or that the activation server is too sloppy.  Either way, Microsoft could quickly and easily fix this issue.  However, as more and more people run key generators like this, the chances of them hitting valid keys increase.  This could mean problems later for people trying to activate legally acquired keys because their key has already been used.
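The server-side tightening described above, sketched as an added example (not code from the original post and not Microsoft's activation logic): activation accepts only keys that were actually issued, and a key claimed by a second machine is routed to review so the legitimate buyer is not silently locked out. The key format regex, the server secret, the hardware identifier and the sample keys are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Assumption: five groups of five characters; the real key alphabet and
# Vista's local validation are not reproduced here.
KEY_FORMAT = re.compile(r"^(?:[A-Z0-9]{5}-){4}[A-Z0-9]{5}$")
SERVER_SECRET = b"constructed-demo-secret"  # hypothetical; belongs in an HSM/KMS


def key_digest(product_key: str) -> bytes:
    """Keyed digest so the server never stores issued keys in the clear."""
    return hmac.new(SERVER_SECRET, product_key.encode(), hashlib.sha256).digest()


class ActivationServer:
    def __init__(self, issued_keys):
        self.issued = {key_digest(k) for k in issued_keys}
        self.bound = {}        # key digest -> hardware id that first activated it
        self.disputed = set()  # digests claimed by more than one machine

    def activate(self, product_key: str, hardware_id: str) -> str:
        if not KEY_FORMAT.match(product_key):
            return "rejected: malformed"
        digest = key_digest(product_key)
        # A well-formed key is not enough: it must be one that was issued.
        if digest not in self.issued:
            return "rejected: not issued"
        owner = self.bound.setdefault(digest, hardware_id)
        if owner != hardware_id:
            # Same key, different machine: flag for review rather than
            # failing whoever arrives second, who may be the real buyer.
            self.disputed.add(digest)
            return "review: key already activated elsewhere"
        return "activated"


def demo():
    # Constructed sample keys, not real product keys.
    server = ActivationServer(["AAAAA-BBBBB-CCCCC-DDDDD-EEEEE"])
    issued = "AAAAA-BBBBB-CCCCC-DDDDD-EEEEE"
    return [
        server.activate("not-a-key", "pc-1"),
        server.activate("ZZZZZ-ZZZZZ-ZZZZZ-ZZZZZ-ZZZZZ", "pc-1"),
        server.activate(issued, "pc-1"),
        server.activate(issued, "pc-1"),
        server.activate(issued, "pc-2"),
    ]
```

The decision depends only on the key and the machine presenting it, not on the client's IP address or request rate.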

I predict that pretty soon there will be a GUI version of the key generator making it easier to use than the current script (the script is pretty inefficient and a key generator based on the same principle as the VBScript script but written in C++ would inevitably be a lot faster).  But, at the same time I see Microsoft taking steps to make it a lot more difficult to activate a key generated in this way.  Microsoft might also release an updated WGA that makes an attempt at uncovering illegal keys.  At any time Microsoft could pull the plug on these illegally activated machines.  Bottom line is buy Windows or go Linux.

Either way, the race is now on between the crackers and Microsoft. 

