Inside Windows-Update
The PID attribute
Since XML is (more or less) easily readable by humans, analysing the SOAP-based RPC protocol is straightforward once it is possible to look inside the SSL connection. Without any elaborate analysis it is obvious what the transmitted information, e.g. the PnP IDs, is and where it originates. The only exception is the PID attribute.
As we suspected earlier, the 76 bytes are encrypted. The algorithm employed is the extended version of TEA (Tiny Encryption Algorithm), XTEA. TEA is a symmetric algorithm that is very popular in the copy-protection community. The choice of this algorithm is not surprising, as the PID attribute is generated by parts of Windows XP that are also central to Windows Product Activation. To decrypt the PID attribute for further analysis, we can use the following C functions.
Code

    void xtea_decrypt(unsigned char *data, unsigned int *key)
    {
        [...]   /* decrypts the one 8-byte XTEA block at data (body omitted in the article) */
    }

    void pid_decrypt(unsigned char *pid)
    {
        unsigned int key[4] = { [...] };   /* 128-bit XTEA key (omitted in the article) */
        int i;

        /* the attribute is 76 bytes long; the 8-byte blocks overlap and are
           undone in reverse order, from offset 68 down to offset 0 */
        for (i = 68; i >= 0; i--)
            xtea_decrypt(pid + i, key);
    }
The decrypted PID attribute consists of three parts. The first eight bytes are a timestamp in FILETIME format (see the Microsoft SDK) that records when the attribute was generated. Note that because of the way TEA is applied for encryption (it is applied to overlapping 8-byte blocks, so a change in the first block propagates through all following ones), two PID attributes that differ only in their timestamps and are otherwise identical still produce two completely different encrypted byte sequences. If we run the tecDump utility twice, we therefore observe two seemingly unrelated PID attributes, although they differ only in the timestamps.
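The following program is an added example, not code from the article: it implements standard XTEA (32 rounds, assumed here) and applies it in the same overlapping, one-byte-stride fashion the article's pid_decrypt loop implies, so that the propagation effect described above can be observed. The key, the forward encryption loop (offsets 0 to 68, the inverse of the decryption loop), and the 76-byte sample attribute are all constructed for this example; none of them is the key or data used by Windows.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PID_LEN     76            /* length of the PID attribute as given in the article */
#define XTEA_ROUNDS 32            /* standard XTEA round count (assumption for this example) */
#define XTEA_DELTA  0x9E3779B9u

/* Constructed placeholder key for the demonstration; NOT the key used by Windows. */
static const uint32_t demo_key[4] = { 0x01234567u, 0x89abcdefu, 0xdeadbeefu, 0x0badf00du };

/* Standard XTEA encryption of the 8 bytes at data (memcpy copes with unaligned addresses). */
static void xtea_encrypt_block(unsigned char *data, const uint32_t *key)
{
    uint32_t v0, v1, sum = 0;
    unsigned i;
    memcpy(&v0, data, 4);
    memcpy(&v1, data + 4, 4);
    for (i = 0; i < XTEA_ROUNDS; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    memcpy(data, &v0, 4);
    memcpy(data + 4, &v1, 4);
}

/* Standard XTEA decryption of the 8 bytes at data. */
static void xtea_decrypt_block(unsigned char *data, const uint32_t *key)
{
    uint32_t v0, v1, sum = XTEA_DELTA * XTEA_ROUNDS;
    unsigned i;
    memcpy(&v0, data, 4);
    memcpy(&v1, data + 4, 4);
    for (i = 0; i < XTEA_ROUNDS; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    memcpy(data, &v0, 4);
    memcpy(data + 4, &v1, 4);
}

/* Encrypt: 8-byte blocks at offsets 0..68, each overlapping the previous one by 7 bytes,
   so every block after the first depends on ciphertext produced before it (assumed inverse
   of the article's decryption loop). */
void pid_encrypt_demo(unsigned char *pid)
{
    int i;
    for (i = 0; i <= PID_LEN - 8; i++)
        xtea_encrypt_block(pid + i, demo_key);
}

/* Decrypt: undo the blocks in reverse order, offsets 68 down to 0, as in the article. */
void pid_decrypt_demo(unsigned char *pid)
{
    int i;
    for (i = PID_LEN - 8; i >= 0; i--)
        xtea_decrypt_block(pid + i, demo_key);
}

/* Constructed plaintext attribute: an 8-byte FILETIME-style timestamp followed by a fixed payload. */
void make_demo_pid(unsigned char *pid, uint64_t filetime)
{
    int i;
    memcpy(pid, &filetime, 8);
    for (i = 8; i < PID_LEN; i++)
        pid[i] = (unsigned char)(0x40 + (i % 26));
}

/* Number of byte positions at which two PID_LEN buffers differ. */
int count_diff_bytes(const unsigned char *a, const unsigned char *b)
{
    int i, n = 0;
    for (i = 0; i < PID_LEN; i++)
        n += (a[i] != b[i]);
    return n;
}

/* Returns 1 when encryption changes the buffer and decryption restores it exactly. */
int roundtrip_ok(void)
{
    unsigned char p[PID_LEN], c[PID_LEN];
    make_demo_pid(p, 0x01C0F00DDEADBEEFull);
    memcpy(c, p, PID_LEN);
    pid_encrypt_demo(c);
    int changed = count_diff_bytes(p, c);
    pid_decrypt_demo(c);
    return changed > 0 && memcmp(p, c, PID_LEN) == 0;
}

/* Two attributes identical except for the timestamp: how many ciphertext bytes differ? */
int timestamp_avalanche(void)
{
    unsigned char a[PID_LEN], b[PID_LEN];
    make_demo_pid(a, 0x01C0F00DDEADBEEFull);
    make_demo_pid(b, 0x01C0F00DDEADBEF0ull);   /* timestamp one tick later, payload identical */
    pid_encrypt_demo(a);
    pid_encrypt_demo(b);
    return count_diff_bytes(a, b);
}

int main(void)
{
    printf("round trip ok: %d\n", roundtrip_ok());
    printf("ciphertext bytes differing for a one-tick timestamp change: %d of %d\n",
           timestamp_avalanche(), PID_LEN);
    return 0;
}
```

Because each encryption window after the first reads seven bytes already produced by the previous window, the change in the timestamp block is carried through to the last byte of the attribute; almost every one of the 76 ciphertext bytes differs, which is exactly why two tecDump runs look unrelated. With a plain ECB-style layout of non-overlapping blocks, only the first 8 ciphertext bytes would change.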
On the next page: The Product-ID in the PID attribute
Page 8 of 16