Three ways to break the Vista activation mechanism

Source: Internet
Author: User
Tags: current time, time limit

"People are smashing Windows Vista with a hammer."

This remark by Jeff Moss, the founder of Defcon, the world's largest hacker organization, is intriguing. In Redmond, a suburb of Seattle, in a windowless conference room in Building 22 of Microsoft's sprawling campus, Windows developers gather every day to fix the system's vulnerabilities.

On January 30, 2007, the Vista retail edition was officially released. Unlike Microsoft and its partners, the pirates were already eyeing it and stirring. Just a week after Vista's release, two Chinese engineers, Aeno and Binbin, officially announced that they had modified the motherboard BIOS so that the system could be activated for free, with the same effect as a brand-name computer's OEM license, and Vista was broken again. Microsoft did not comment on this.

After the crack message spread from forum to forum, within a single month the network was flooded with information on cracking Vista by modifying the BIOS, and of course many netizens posted on forums to show off their so-called achievements. "Any product protection technology will eventually be broken; it's only a matter of time," said Allen Nieman, head of Microsoft's Product Activation department. Who dares to break the "windows" of Microsoft Windows? Why has Vista's "anti-theft net" been cracked again? To get to the truth as quickly as possible and to confirm the authenticity of the leaks, we began a half-month investigation and in-depth analysis.

A pirated Vista that Microsoft "admits" is born

Since Microsoft introduced Product Activation protection in Windows XP, domestic technicians have taken pride in defeating Microsoft's activation protection. After the advent of Microsoft's new desktop operating system, Windows Vista, various methods of cracking activation protection have emerged: first the illegal KMS servers used for volume activation, which are all over the network, followed by the Russian Time Stop method, and so on.

The reason that the BIOS-modification method of activating pirated copies is described as Microsoft "recognizing" pirated Vista is that a pirated system activated this way also passes genuine validation on Microsoft's official website. It is "genuine" as recognized by Microsoft's own website.


Three ways to break the Vista activation mechanism

Hackers around the world are hoping to find the "vital gate" of the operating system that its developers call "the safest in history". So far, three ways of cracking the Vista activation mechanism have surfaced on the network:

1. Time Stop method

Principle: The Timestop (time stop) method first sets the system time to December 31, 2099 (the last date Vista supports), then, after the crack, changes it back to the current time; by stopping the counter in Vista it freezes the time that Vista's verification uses, so the system's remaining activation period is fixed at 30 days. A hacker group has made a dummy activator available for download on the web, and the latest version, 2.0, can activate 64-bit operating systems.

Defects: Automatic Updates and other Microsoft services are unavailable; once the machine is set to Automatic Update, Timestop fails and may even render the system unusable.

2. KMS activation method

Rationale: This approach is primarily for activating Windows Vista Enterprise (Enterprise Edition). To prevent the leaks of the volume-licensed edition seen in the XP era, Vista requires volume-license customers to activate each copy of the operating system. Users activate Vista on their computers by connecting to a KMS (Key Management Service) server; crackers use virtual machine software such as VMware Workstation 5.5.3 to replicate a local KMS from a VMware image and VBS scripts, which lets the Vista system be activated while bypassing Microsoft's anti-piracy mechanism for enterprise Vista.

Defects: The Home and Ultimate editions cannot accept KMS keys, so this works only with Business (Business Edition) or Enterprise (Enterprise Edition), and activation against the KMS server must be repeated every 6 months.

3. OEM activation method

Rationale: Exploit a weakness in Microsoft's OEM SLP (System-Locked Preinstallation) technology, which is used to assist activation (readers not interested in the details can skip this), to obtain permanent activation and genuine validation by modifying information in the BIOS together with importing the genuine OEM certificate files. This carries the highest risk factor, but after the crack the system can use the same upgrade services as a genuine Vista.

Flaw: The risk of damaging the motherboard or losing functionality.

For the first and second methods, Microsoft released an update patch named Windows Vista Validation Update (KB929391) last December, but within 3 hours of the patch's release the methods were broken again! At present the OEM activation method is the hottest, because it has the highest success rate and, after a successful crack, it truly provides the functionality of an original copy. For the OEM activation method, the most hotly discussed topic on the major forums, the network offers an unprecedented number of "tricks" and "services".

The hackers tease: an online explosion of "one-stop" services

While Microsoft runs its bustling Vista promotions in the major computer stores, on the major forums information on cracking Vista activation by modifying the BIOS is already in full swing. From tutorials to already-modified BIOS downloads, from video commentary to free "one-stop" modification services, cracking the Vista system has reached an unprecedented level.

Miracle one: others do the modification, you just download the result

Miracle two: free modification tutorials discovered on the web

Miracle three: if you cannot do the modification yourself, free services are available

According to our survey, at present only ASUS has a complete set of all three items available online: the key for each edition, Acpislic.bin and Oemcert. Lenovo's OEM set lacks acpislic.bin and, apart from the HP edition key, has no other keys; some other brands have only the HP key and not even the oemcert. AMI BIOSes are harder to modify than the already-cracked Award BIOS.

Why can't an ordinary DIY compatible machine activate the OEM version of Vista?

Because the BIOS of a DIY compatible machine lacks the ACPI_SLIC table, it cannot pass SLP 2.0 authentication. Everything hinges on the BIOS. The key step is to add SLP 2.0 support to the BIOS: without the BIOS source code, an ACPI_SLIC table containing the SLP certificate public key and the SLP marker has to be added to the BIOS. At present this is only possible by replacing an existing, less important ACPI table so as to match the OEM BIOS; dynamically adding a new table is still difficult. The problem with static substitution is that the table's size can no longer be changed once the BIOS has been updated.

Some private FTP sites in China provide the crack resources for download, with even more momentum than the XP cracks had

What is the difference between an ordinary BIOS and an OEM BIOS?

Research found that the OEM BIOS carries the SLP certificate public key and the SLP marker, which are stored in the OEM hardware and written into the BIOS's ACPI_SLIC table; these are absent from a non-OEM BIOS.

While verifying the Vista weakness, the players used MMTool to split the BIOS file and found that the OEM BIOS contains the field 534c4943 (hexadecimal, i.e. the ASCII string "SLIC"), which is the SLIC table signature. The two modules Slp20pubkey and Slp20marker together occupy 338 bytes of address space. If a BIOS has more than 338 bytes of free space together with the SLIC table signature, it is an OEM BIOS. SLIC (System Licensed Internal Code) translated into Chinese means the internal code of the preinstalled system license.

How is Vista cracked and activated? Three simple steps

Having looked at many pictures and users' screenshots of successful cracks, how exactly is Vista cracked and activated? Let's illustrate the whole process used by third-party technicians in a few simple steps.

Step one: Overwrite the BIOS to meet the OEM information requirements

Whether Vista requires product activation depends on whether the OEMID and OEMTableID strings in the BIOS let SLP validation pass or fail. The ACPI SLIC table is 374 bytes: the first 36 bytes are the header, and the remaining 338 bytes are the information the OEM edition requires for authentication. As long as the BIOS contains the SLIC table and the RSDT table and both have been modified correctly, the BIOS can generally be considered successfully modified.

• Change the primary BIOS module
• Change the ACPI table

After modifying the BIOS, flash the modified BIOS file from DOS. On some motherboards, after flashing a modified BIOS the BIOS settings can no longer be saved; in that case the original BIOS can be flashed back using the in-system BIOS flashing program. Once the BIOS is modified, the Vista system can be activated by replacing the OEM license certificate and the OEM key.

Step two: Change the system to the OEM serial number and OEM certificate

Overview of the Windows Vista OEM edition authentication mechanism: Unlike Windows XP, which checked only DMI information, Microsoft has deployed a stricter authentication mechanism in Windows Vista. During boot, the installation serial number is verified first; then the OEM manufacturer's own certificate file is verified against the public key and identity data in the BIOS. If the verification passes, the edition is recognized as an activated OEM edition.

"The next installation process is exactly the same as a normal Vista installation," said a successful user. "Do not enter the serial number, then select the Home Premium version; the installation is free of activation."

Step three: Restart the computer and Vista is activated!

Restart the machine into Vista, right-click Computer on the desktop and choose Properties; the words "Windows is activated" appear, indicating that the modification succeeded. You can also view the Vista status by running the slmgr.vbs -dlv and slmgr.vbs -xpr commands.

What is the probability of successfully cracking Vista? According to a poll on a domestic Vista forum, 38% of users successfully modified and activated Vista using this method, 14% modified successfully but could not activate, and 20.3% failed to modify the BIOS and had to send the motherboard back to the factory for repair.

On June 29, 2001, Microsoft first elaborated the concept of Windows "activation", but from then on the cracking efforts of organized groups only became more frenzied. What loophole in the Vista system gave crackers their opportunity, and what improvements did Microsoft make to the anti-piracy mechanism in Vista?

What has Microsoft done to prevent Vista piracy?

In its official white paper, Microsoft explains the meaning of the activation program: "Microsoft Product Activation is an anti-piracy technology that verifies that software products are legitimately licensed. The aim is to reduce the piracy caused by casual copying. Activation also helps protect against the hard drive being copied. Activation is quick, simple, and unobtrusive, and it protects your privacy."

After the lessons learned from this anti-piracy mechanism, Microsoft imposed stricter activation conditions in its next-generation software, Windows Vista:

1. Strengthened activation verification of retail product keys;
2. Volume licensing is no longer completely free of activation; instead, large customers are authorized to run an activation server to which many computers connect for activation, with periodic reactivation.

Microsoft, in its OEM Activation license terms, states that the OEM edition does not require the activation procedure, and that OEM Activation can only be used by royalty OEMs. There is no limit on the number of times the activation clock can be reset for an activated Key Management Service (KMS) client. For a KMS client that is not activated, the activation clock can only be reset three times, the same as with a single license.

• In XP/2003 systems, OEMs use the SLP 1.0 validation mechanism:

Specifically:
1. The BIOS of the OEM manufacturer's factory machine contains the brand string
2. The operating system contains the oembios.* files for that brand
3. The serial number used at installation is that brand's OEM key
If all three conditions are met, the XP/2003 system is free of activation; otherwise it is equivalent to the retail version and must be activated within 30 days (for example by using the COA key to activate XP/2003).

• In Vista systems, OEMs use the SLP 2.0 validation mechanism:

Specifically:
1. The OEM manufacturer's machine BIOS contains the brand's OEM license digital signature
2. The OEM manufacturer's machine BIOS contains the brand's OEM key digital signature
3. The operating system contains that brand's OEM licensing certificate
4. The serial number used at installation is the OEM key for the edition matching the authorized certificate
If all four conditions are met, the Vista OEM system is free of activation; otherwise it is equivalent to the retail version and must be activated within 30 days (for example by using the COA key to activate Vista).

What is SLP?

The Chinese translation of SLP (System Locked Preinstallation) is "activation protection for preinstalled systems". It is an agreement between Microsoft and OEMs; SLP exists to protect OEM manufacturers' interests and to curb rampant piracy.

Microsoft introduced SLP (System-Locked Preinstallation) technology in Windows XP to assist activation of OEM products. SLP is used only for OEM products and does not appear in retail or volume-licensed products. Windows XP uses SLP version 1.0, which is based on detecting whether a specific SLP string has been placed in the BIOS by the OEM hardware manufacturer; if so, the software is treated as OEM-licensed, otherwise the user must enter the COA number that shipped with the OEM hardware and activate the software over the network or by phone. Because the principle is simple, it was quickly cracked by people familiar with BIOS principles and the related software, who achieved the same effect on non-OEM hardware, i.e. DIY compatible machines. The popular practice is to use DMI editing software to add the SLP string to the DMI data area of the BIOS, so that Windows XP believes the OEM license is legitimate and becomes activated.

Microsoft stipulates that, for an OEM edition of Vista to qualify, the computer must carry a valid Windows marker in the ACPI_SLIC table of its system BIOS, placed there by the original equipment manufacturer (OEM). The presence of the Windows marker matters for volume-license customers who plan to re-image OEM computers with volume-license media of Windows Vista, or who are granted re-imaging rights under a volume-license agreement.

Since SLP is the key to this certification, where is the SLP loophole? That is what we discuss next.

How a system is activated by deceiving SLP 2.0 technology

The SLP 2.0 verification process works as follows:

1. If an SLP product key (an SLP CD-key) is detected, the SLP verification process starts.

2. Windows confirms that the OEM certificate it contains (imported into the system) is signed by Microsoft. If a valid OEM certificate is detected, SLP verification continues. If no OEM certificate is detected, SLP validation fails and product activation is required.

3. The OEM certificate is compared with the OEM public key in the ACPI_SLIC BIOS table. If the OEM certificate matches the OEM public key in the BIOS, the SLP verification process continues. If they do not match, SLP validation fails and product activation is required.

4. The ACPI_SLIC BIOS table also contains the SLP marker. The SLP marker is verified with the OEM public key; if it verifies, the SLP verification process continues. Otherwise, SLP validation fails and product activation is required.

5. The SLP marker includes an OEMID string and an OEMTableID string, which are compared with the OEMID and OEMTableID of ACPI_RSDT and ACPI_XSDT; if they match the strings in the SLP marker, SLP validation passes. Otherwise, SLP validation fails and product activation is required.
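As an added example (not code from the article or from the people it describes), the following read-only Python checker audits the structural conditions behind steps 3 to 5 above: it parses the standard 36-byte ACPI table header, validates the table checksum, confirms the "SLIC" signature and the 374-byte length described earlier, and compares the SLIC table's OEMID and OEMTableID with those of the RSDT and XSDT, which lets a firmware auditor spot an inconsistent or modified SLIC table. It assumes the standard ACPI header layout and uses constructed placeholder tables; the cryptographic checks on the public key and marker in steps 3 and 4 are not reproduced, and the SLIC header's OEM fields stand in for the marker's strings, whose internal layout the article does not give.

```python
import struct

# Standard 36-byte ACPI table header (little-endian, no padding):
# Signature(4) Length(4) Revision(1) Checksum(1) OEMID(6) OEMTableID(8)
# OEMRevision(4) CreatorID(4) CreatorRevision(4)
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
ACPI_HEADER_LEN = ACPI_HEADER.size  # 36
SLIC_LEN = 374                      # 36-byte header + 156-byte key + 182-byte marker


def parse_acpi_header(table: bytes) -> dict:
    """Split the leading 36 bytes of an ACPI table into named fields."""
    if len(table) < ACPI_HEADER_LEN:
        raise ValueError("table shorter than an ACPI header")
    fields = ACPI_HEADER.unpack(table[:ACPI_HEADER_LEN])
    names = ("signature", "length", "revision", "checksum", "oemid",
             "oem_table_id", "oem_revision", "creator_id", "creator_revision")
    return dict(zip(names, fields))


def acpi_checksum_ok(table: bytes) -> bool:
    """An intact ACPI table sums to 0 mod 256 over all its bytes, checksum included."""
    return sum(table) % 256 == 0


def basic_table_findings(name: str, table: bytes, expected_sig: bytes) -> list:
    """Signature, declared-vs-actual length and checksum checks shared by every ACPI table."""
    hdr = parse_acpi_header(table)
    findings = []
    if hdr["signature"] != expected_sig:
        findings.append(f"{name}: unexpected signature {hdr['signature']!r}")
    if hdr["length"] != len(table):
        findings.append(f"{name}: declared length {hdr['length']} != actual {len(table)}")
    if not acpi_checksum_ok(table):
        findings.append(f"{name}: checksum invalid")
    return findings


def check_slic(slic: bytes, rsdt: bytes, xsdt: bytes) -> list:
    """Return findings for the structural SLP 2.0 conditions; an empty list means they hold.

    The OEMID/OEMTableID comparison uses the SLIC header fields as a stand-in for the
    strings inside the marker (assumption: the marker layout is not given in the article).
    """
    findings = basic_table_findings("SLIC", slic, b"SLIC")
    if len(slic) != SLIC_LEN:
        findings.append(f"SLIC: length {len(slic)}, expected {SLIC_LEN}")
    shdr = parse_acpi_header(slic)
    for name, table in (("RSDT", rsdt), ("XSDT", xsdt)):
        findings += basic_table_findings(name, table, name.encode())
        ohdr = parse_acpi_header(table)
        if (ohdr["oemid"], ohdr["oem_table_id"]) != (shdr["oemid"], shdr["oem_table_id"]):
            findings.append(f"{name}: OEMID/OEMTableID {ohdr['oemid']!r}/"
                            f"{ohdr['oem_table_id']!r} do not match SLIC")
    return findings


def build_table(signature: bytes, oemid: bytes, oem_table_id: bytes, body: bytes) -> bytes:
    """Assemble a constructed sample table with a valid checksum (placeholder data only)."""
    length = ACPI_HEADER_LEN + len(body)
    table = bytearray(ACPI_HEADER.pack(signature, length, 1, 0, oemid.ljust(6),
                                       oem_table_id.ljust(8), 1, b"TEST", 1) + body)
    table[9] = (-sum(table)) % 256  # checksum byte makes the whole table sum to zero
    return bytes(table)


# Constructed sample tables: the OEM strings and the 338-byte SLIC body are placeholders,
# not real OEM key or marker material.
SAMPLE_OEMID, SAMPLE_TABLE_ID = b"OEMXYZ", b"SAMPLE01"
GOOD_SLIC = build_table(b"SLIC", SAMPLE_OEMID, SAMPLE_TABLE_ID, bytes(156) + bytes(182))
GOOD_RSDT = build_table(b"RSDT", SAMPLE_OEMID, SAMPLE_TABLE_ID, struct.pack("<I", 0))
GOOD_XSDT = build_table(b"XSDT", SAMPLE_OEMID, SAMPLE_TABLE_ID, struct.pack("<Q", 0))

if __name__ == "__main__":
    print("consistent firmware:", check_slic(GOOD_SLIC, GOOD_RSDT, GOOD_XSDT) or "no findings")
    mismatched_rsdt = build_table(b"RSDT", b"OTHER1", SAMPLE_TABLE_ID, struct.pack("<I", 0))
    for f in check_slic(GOOD_SLIC, mismatched_rsdt, GOOD_XSDT):
        print("finding:", f)
```

On a real machine the same checks can be run over tables exported with an ACPI dump tool; a checksum or OEMID mismatch between SLIC and RSDT/XSDT is a sign the firmware tables have been altered.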

Where is the flaw in SLP 2.0 technology?

From the authentication steps above, you can see that the current Vista system relies on comparing the OEM certificate present in the system with the OEM public key stored in the BIOS. As long as the information matches, the system treats the hardware as legitimate OEM hardware and activates. So on a compatible machine, as long as the mutual authentication relationship between the running system and the BIOS is faked and SLP 2.0 authentication is deceived, a pirated system may be treated as the official OEM edition and ultimately activated. Currently both the Phoenix BIOS and the Phoenix-Award BIOS have been cracked.

Modify the ACPI table name index in the original BIOS so that a BIOS without a SLIC table gains a table named "SLIC" (so a "Vista-supporting BIOS" is unnecessary, because the BIOS then already has a SLIC table). Changing only the table name is of course not enough; the corresponding SLIC content must be added, so CBROM is used to extract the ACPI data area from the BIOS, i.e. Acpitbl.bin. In that data area, the RSDT table's OEMID and OEMTableID fields are modified to the OEM manufacturer's SLP marker, the OEM manufacturer's SLP certificate public key is appended at the end of the data area, and the ACPI data area is then put back into the BIOS. The OEMID and OEMTableID of ACPI_RSDT and ACPI_XSDT in the compatible BIOS are modified to match the strings in the SLP marker.

Finally, we conducted a tentative test to verify that the SLP 2.0 technical vulnerability exists.

Vulnerability Verification Platform

To verify the vulnerability, we built the platform on an ASUS P5B Deluxe motherboard with BIOS version 1004.

The players analyzed the BIOS of an original system pre-installed with Windows Vista to extract the full BIOS information and its authentication data, and from it the ASUS SLIC segment used for SLP 2.0 certification (the SLIC segment is 374 bytes: a 36-byte table header, a 156-byte public key and a 182-byte Windows marker). Extracting the public key and the Windows marker separately produced the complete SLIC authentication information.

SLP 2.0 Technical Vulnerability Verification

First step: Flash the BIOS

Step Two: Change the system to OEM serial number and OEM certificate

After adding the ASUS OEM license file and the ASUS OEM key, we activate the system to see whether activation succeeds, and thus whether the vulnerability really exists.

Activation successful! This confirms that the vulnerability exists.

Unlimited upgrades through Microsoft's official verification

After activation, the pseudo-genuine Vista system receives the same service as a genuine Vista: with no activation time limit, it can also use the upgrade services unimpeded. This vulnerability exists in all retail editions of Vista, and hackers can even inject the same OEM information into any motherboard and achieve a successful crack.

After passing a series of validation tests, we were amazed that the vulnerability exists. This may be the beginning of Vista's long "patch path". Up to the time of testing, Microsoft had not taken any action against this crack.

Earlier, according to Anderson, an engineer with Microsoft's genuine-software verification technology, the OEM cracking method will be blocked by Windows Vista SP1, to be released in the second half of this year. Windows Vista SP1 will integrate a verification program for Windows Vista product keys. All vendors' generic installation keys for Windows Vista OEM editions will be invalidated, and users of bundled Windows Vista must authenticate to Windows Vista SP1 with the unique COA key that proves their authenticity. Pirated users will be prevented from upgrading to Windows Vista SP1 because they do not have a legitimate installation key.

"What you owe on the street, you must eventually repay": the crisis after piracy

"What you owe on the street, you must eventually repay": this line from the film "Infernal Affairs" has a distinct flavour of the underworld. In today's software-cracking scene, under the cover of the beautiful "successful activation", cracked systems have also run into a variety of problems.

After the modification program was announced, we also received a great deal of feedback from netizens, including many complaints: Hyper-Threading and multi-core CPUs not working, many sound cards and network cards not working properly, inability to overclock, blue screens after exiting games, and so on; more seriously, motherboards whose BIOS flash failed during modification had to be sent back to the factory for repair. "So many people have been sent for repair; it seems we are the lucky ones. A lot of people bricked their boards on flashing, and it will be years before they can be sent for repair," one netizen said of his experience after the modification.

As the first engineer to break through the validation and the technical weaknesses of SLP 2.0, Binbin said: "There is no good or evil in technology; the key is what purpose people use the technology for. We analyzed the weaknesses of SLP 2.0 technology and published the breakthrough validation demo purely for the purpose of technical discussion. We believe the breakthrough test demonstration is only for the lab environment. Both I and my partner, Aeno, use branded machines pre-installed with Windows Vista, which gave us the opportunity to study the technology. Windows Vista is an excellent operating system, and I am also a technical person who loves Microsoft products."

A blow or a guide? The nightmare of the Microsoft empire

A key step in Microsoft's anti-piracy campaign is not cracking down on piracy; clearly, how to steer users away from pirated software is the priority. For years, Microsoft has been widely criticized for its "monopoly and high prices" in global markets including China, and Microsoft is apparently afraid of being saddled with this "infamy" again. We learned from Lian Bang Software, the main retail channel of Microsoft China, that Vista, including the Home and Chinese flagship editions, has already arrived in stores, priced at 1530 yuan and 2760 yuan per set respectively.

"Look at China's mobile phone sales and penetration, which are already very high: even students can afford a three- or four-thousand-yuan mobile phone, so it is still a matter of consumption attitudes. If they really wanted to buy it, half of the Chinese could say they can afford it, but there is a large amount of piracy, and now that we are told to spend money on the system, we are not very used to it," a member of a civilian cracking group told us. "I think we should rather support genuine software. Personally I think this Vista price is still reasonable; look at Chinese software like Ufida: a set of its network edition with a few clients costs a hundred thousand. By contrast, Vista's price is very, very low. If the flagship edition could be reduced to about 2300 and Home Premium to 1500 yuan, I think more people might choose genuine."
