Windows Product Activation compromised

16.07.2001 by Mike Hartmann
The Windows Product Activation (WPA) implemented in the current RC1 of Windows XP has some serious bugs that open the way for hackers to bypass the whole system.

Apparently the programmers of the Windows Product Activation did not work carefully enough. In the course of our experiments with several hardware components, product keys and especially the central file wpa.dbl, some interesting weak points showed up. Together with peculiarities in how the hardware ID is generated, this opens the way for hackers to bypass the Activation completely.

To find out in detail how the Activation works and which hardware Windows XP polls to enforce the Activation, please read this. A review of Windows XP RC1 is available with this article (German only, please bear with us).

Basic Issues

The file wpa.dbl in the system32 directory contains information on the system at the time of Activation. If more than three hardware components are changed, Windows XP notices this and deletes wpa.dbl. This is meant to force the user to activate XP anew. However, you do not get another 30 days to activate again (in RC1 it is a fortnight). Instead XP takes the installation date as its basis. That means that if the installation took place 30 days ago, you have to activate immediately to run XP again.

For an overall view, here once again is the list of the hardware components in question:

First Tests

To begin with, we saved the file wpa.dbl and then replaced the graphics card and the network card. As expected, Windows XP was cooperative, and we could work without any disturbance. The first surprise came when we replaced the Celeron with a Pentium III: suddenly Windows XP wanted to be activated anew, although we had only changed three components.

The answer to the riddle lies in the serial number of the processor. Replacing the processor changed not one but two pieces of hardware information. So we restart the computer and switch off the serial number in the BIOS. Nonetheless XP insists on Activation. A glance at wpa.dbl shows why: apparently XP has reset the file to a non-activated state. We restart the computer again, boot into DOS and copy the saved wpa.dbl back into the XP system directory. On the next start of XP the demand for Activation has disappeared. Evidently wpa.dbl is the central authority that decides whether or not Activation has already taken place.

We re-install Windows XP on our computer from scratch, using the very same product key. Nevertheless the computer gets a different product ID, as its last three digits are generated randomly. Although the product ID changed, Windows can be activated by copying the saved wpa.dbl file into the appropriate directory. Our next try brings an even bigger surprise: Activation still works although we use a completely new product key for the installation.

Forged Hardware

With these results in the back of our minds, we try to activate Windows XP on another computer by copying the file wpa.dbl. First of all we adjust the volume ID of the new computer using freeware tools. The command line volumeid c: 3333-3333 changes the corresponding coefficient of the new system: the first component of Microsoft's protection is canceled.

With some network cards it is possible to set the MAC address manually via the driver. The corresponding option on the Advanced tab is called "Network Address" or "Locally administered Network Address".

So by presenting a different network address to the new system, we have now succeeded in switching off two components of the Activation. The CPU serial number is switched off anyway, neither computer has a SCSI host adapter, and both have the same amount of memory. Altogether, five sections of the hardware ID are thus identical.

Six, actually, since neither computer is "dockable". The latter gives us a bold plan ...

Notebook of Eight Kilogrammes

What would happen if we told the operating system that the computer is a notebook? This option can be toggled in the hardware profile of the Device Manager.

Can Microsoft be tricked that easily? Yes it can! After the next restart of the computer, the analysis of the installation ID makes clear that the graphics card and the IDE/SCSI controller are suddenly no longer used to calculate the hardware ID.

So only three differences in the hardware configuration remain:

Because these three components are allowed to differ without XP insisting on a new Activation, this should be sufficient. So we copy the file wpa.dbl into the system32 directory of the second computer and start Windows XP. The start menu still says "Activate Windows". But when you call it up, you get your just reward:

Summary

Windows XP uses ten hardware components to calculate the installation ID, but six of them can be canceled without any problems:

Component            To be canceled by
Volume ID            Adapted by means of a tool
MAC address          Tuned by means of the driver
Graphics card        Switch over to docking station
CPU serial number    Switch off in BIOS
SCSI host adapter    Switch over to docking station
IDE controller       Switch over to docking station

Important: A LAN does not tolerate two computers with the same MAC address.

Only four components work more or less effectively:

Component    Size of bit field
Hard disk    7
CPU type     3
CD ROM       7
RAM size     3

Two fields are coded with three bits and two with seven bits. Because the coefficient 0 is impossible in each field, 7*7*127*127 = 790321 possibilities remain for the file wpa.dbl. As only three components are allowed to change from the moment of Activation onwards, you can take the weakest fixed component as the basis for a "Universal Activation".

The CPU type or the RAM size are the best candidates here. It is sufficient to activate a computer with 128 MBytes of RAM with Microsoft only once. With its wpa.dbl file you can then "activate" all other computers with the same memory size.

Conclusion

With its Activation technology Microsoft wants to thwart the user who occasionally copies software. Up to a certain degree this may still work. But by means of the steps described above, nearly anybody can activate his own XP merely by obtaining a suitable wpa.dbl file. In the near future there will certainly be web sites where the user can comfortably download "his" wpa.dbl.

Should the current Activation procedure remain, Microsoft will pour money into technology, web servers and call centers without any considerable success. It would be much more lucrative to drop Activation and lower the price of XP.

Microsoft has not yet commented on the weak points of the Activation. But their statement will probably go as follows: "In its final version WPA will look completely different. We did not implement these steps in RC1 for only one reason: so as not to annoy the testers."

But it is a fact that between the Release Candidates and the final release normally only bugs are rectified. Sharp tongues may call WPA itself a bug; in our opinion it is nothing more than an example of bad programming. (mha)/(bmu)