XPloiting XP
By Bill Melater
retaleMlliB@hotmail.com
Remember the good old days when a good way to get the latest
software was to get a group together to buy it and then make copies for
everyone? You thought M$ had killed that with their
one-activation-per-license scheme for the XP suite, didn't you?
Don't they wish. In this article the author will show a realistic
way that the average user can, with the aid of good peer-to-peer file
sharing software and a CD writer, create copies of Windows XP
Professional Edition that act just like the genuine article. The
information presented in this article is presented only to show the
weaknesses of Microsoft's latest copy prevention scheme. Do not come
crying to the author if you use this information inappropriately and a
massive horde of gray-suited attorneys descends upon you and picks your
bones clean.
First a little background on Windows XP, which comes in many forms.
The Professional Edition comes in (at least) these flavors: Academic for
students, MSDN for developers and consultants, Retail for average
consumers, Branded OEM for major computer makers like Dell and Gateway,
Un-branded OEM for small computer makers, and Volume License (or
"Corporate") for companies that buy hundreds or thousands of copies at a
time to distribute across their enterprises. All the various editions
need a product key in order to be installed and activated; we've all
seen that little yellow label on the back of an M$ product with five
groups of five characters.
Most of the flavors of XP require the installer to contact M$ for
permission to use the software - the infamous "product activation" step
of the install. When you activate Windows XP you send them a long number
and they send you a long number in return. The long number you
send them is generated by doing some math on the CD key as well as some
generalized information about your computer (no, they can't identify
your individual machine). The long number they send you is called the
Activation Key. Previous to the second release of Service Pack 1 for
Windows XP, one could activate a copy of Windows XP Pro by using a key
generator (e.g. the famous Blue List key gen) to generate a product key
and walking through the activation process just like you had the little
yellow label. However, after Service Pack 1 was released, M$ began
validating the product keys submitted for activation against a database
of all the product keys that had actually been shipped to resellers,
and it became impossible to use a fake key to activate most copies of
Windows XP.
There are, however, two flavors of Windows XP that do not require
the installer to activate. One is the branded OEM flavor, which often
comes pre-installed and pre-activated on various mass-market hardware,
such as the latest Dell PCs. This flavor is not so good if you wanted to
install the software on multiple PCs. It often won't recognize hardware
other than that which it came with, and most major manufacturers don't
even ship a Windows XP CD as such with their machines; they instead
merge it with the other bundled software.
The other flavor of XP Pro that doesn't require activation is the
Volume License, or Corporate, flavor. The story behind it is that admins
at large installations don't want to make 1000 calls to M$ every time
they roll out 1000 new PCs. Increasingly, when a user reports a problem
with his PC, the admins simply replace all the software on the machine,
OS included, to avoid having to do any messy troubleshooting or walk
over to the user's desk. The way the installation works for XP Pro
Corporate is that the installer enters the Volume License Key and that
in itself is enough to install and activate the software - M$ is never
contacted. The installation process can then be automated and made
invisible to the user, saving the admin a lot of time.
It ought to go without saying that anyone who wants to install
Windows XP on multiple PCs wants the Corporate flavor. The problem is
that the average Joe simply doesn't have access to a CD that contains
the Corporate flavor of Windows XP. But most people know someone who's
bought a retail copy, or could find several people who'd be willing to
pay for a share of a copy at a local retailer. The trick is making the
software available to more than one computer.
Here's the step-by-step guide:
- Obtain an off-the-shelf copy of
Windows XP Pro and copy every file on the CD into a holding directory.
This is the easiest, if not the quickest, step. Obviously, you have to
be careful to keep the directory structure intact.
- Obtain the files that are
different between the off-the-shelf retail version of Windows XP and the
corporate flavor. This is one of the harder steps. There are 11
files that are different between the two flavors of XP:
- DPCDLL.DL_
- EULA.TXT
- NT5INFO.CA_
- OEMBIOS.BI_
- OEMBIOS.CA_
- OEMBIOS.DA_
- OEMBIOS.SI_
- PIDGEN.DLL
- SETUPP.INI
- SETUPREG.HIV
- WIN9XUPG\WIN95UPG.INF
All the files are located in the I386 directory on the Windows XP CD,
other than the last one, which is in the WIN9XUPG subdirectory of I386.
The "corporate" versions of these files are not widely available, but
they can be had from various peer-to-peer file sharing services, often
in a package named corpfiles.something. Sometimes the package will come
with handy instructions.
- Merge the corporate files into
the holding directory. You can usually just extract the .ZIP right
into your holding directory and the files will go where they should. In
order to help me verify that the package actually contained different
files than I already had, I extracted mine to a temporary directory,
then copied them one by one to their final destinations. Note that not
all of these files are absolutely necessary - EULA.TXT, for example,
has no bearing at all on whether you can make a copy of the software,
except to advise you of how illegal it might be.
- Download the Service Pack 1
Installer from M$'s web site and slipstream it into the holding
directory. This step is not necessary if you just want to get a
copy of Windows XP. But if you're going to burn it to a CD, why not do
it right? Doing this step will save you the long process of applying SP1
after you install. To slipstream the service pack, execute this command:
XPSP1_EN_X86.EXE -s:C:\HOLD\XPPRO
I assume here that your copy of Service Pack 1 is called
XPSP1_EN_X86.EXE (it is if you download it from M$ and don't change the
name), and that your file set is in the C:\HOLD\XPPRO directory. You
have to supply the complete path for the root directory of your file set
or the service pack installer will just copy a huge number of files to
a temporary directory and then error out.
- Add any other files you might
think are handy into the holding directory. I made a subdirectory
called "Tools" in mine and put all the PowerTools for XP into it, along
with the Blue List key generator, a text file that contains a few known
good product keys, instructions for making another copy, and any
utilities I might need with a fresh install of Windows XP Professional
Edition.
The Windows XP install routine does not care if there are additional
files on the CD. There is a large file called TXTSETUP.SIF that
contains a huge list of every file that the installer knows about and
where it will belong when XP is all set up. Any file not listed is
ignored by the installer, so feel free to keep other things handy on the
disk.
- Obtain the Blue List key
generator for the Windows XP suite and use it to generate a few keys
for "Windows XP Corp." This step is also not easy. It could take
a few hours of careful searching to finally get this program off the
net, or long waits to obtain it with a file sharing service. It is
almost fruitless to search for the program by name, but it usually can
be found packaged in .ZIP files with names like "Windows XP Crack" or
the like. It is a small executable of about 49,000 bytes.
The Blue List key generator (named for the group that produced it)
makes one candidate key at a time and then tries to validate it by using
an algorithm like the one Microsoft's software uses. The real keys have
a limited character set - some letters and numbers are never used in
Microsoft product keys - but the key space is still very large (greater
than 10^25). Only about five percent of the candidate keys pass the
program's test, and only about half of those will be accepted by
Windows XP's product key software.
It could take the better part of an hour to generate enough product
keys to guarantee success. On my AthlonXP 1700+ it takes about 30
seconds for the program to generate one candidate key.
In the Blue List key generator, pick "WINDOWS XP CORP" from the
drop-down. Set the number of keys to generate (i.e., the number of
candidates to try) and number of keys to stop after (i.e., the number
of keys it finds that it believes to be valid) pretty high. I set each
to 100 and ended up with four keys that I could try during the
installation.
It's a very good idea if you only have one computer (that is, only one
means to generate keys), to generate 10 or 12 keys so that you'll be
sure to have at least one that works.
- Use your favorite burning
software to create a bootable CD-ROM using your file set. I used
a neat little utility that generates a bootable ISO. See some of the
literature I mention in the Links section so that you have an awareness
of what's going on in this step. It is possible to use Nero or any
other common CD burn utility that supports making bootable CDs. Be
aware, though, that there are certain files that you must have in order
to make a bootable CD, and that they don't come with some CD-burning
software packages.
- Install Windows XP Professional
Edition, and note that when you're asked for a product key, it's
referred to as a "Volume License Key." This step is pretty much
sit back, relax, and enjoy the show. Windows XP takes about half an
hour to install on a moderately fast system, and much longer on older
hardware. It took about 45 minutes on a 750 MHz Athlon with 128 MB RAM
and about 25 minutes on an Athlon XP 1700+ with 256 MB DDR and a 48x
CDROM drive.
One of the nice things about having a bootable CD-ROM is that you can
install Windows XP onto a completely blank hard drive. Without the
bootable CD, Windows XP will want you to already have formatted the
hard drive, and if you don't have XP or Windows 2000, you'll have to
convert the file system later on from FAT32 to NTFS, if that's what you
want to use. With a bootable CD you can format the drive NTFS from the
beginning.
Another nice thing you can do is create a plain text file in the I386
directory called WINNT.SIF and put these lines in it:
[UserData]
ProductID=FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8
Replace the series of characters that starts with FCK with
your good product key. Beware doing this before you know for sure that
your product key will work, as it could cause you to waste a CD or two.
If you have this line, you will not be asked to input the product key
during install. This is what admins do to save themselves 25 keystrokes
every time they install Windows XP.
Note: Do not attempt to use the
above product key. It will not work. Microsoft specifically
targeted that key with Service Pack 1, disabling it.
- Verify that your copy of
Windows XP is already activated. There are three ways to do this.
The first way is to note that there is no blinking icon in the system
tray that indicates your copy isn't activated. Another way is to use
the copy of Internet Explorer that comes with Windows XP and visit
http://www.windowsupdate.com, which will not offer updates to a copy of
Windows XP that is not activated. While you're at it, apply all the
security-related updates that are waiting. Even if you don't ever use
Internet Explorer, Outlook, or Media Player again, there are many
applications that use components of Internet Explorer behind the scenes
and therefore share its notorious vulnerability to attack.
The third way to verify your activation status is to execute the
command:
c:\winnt\system32\oobe\msoobe.exe /a
MSOOBE is the program that determines whether Windows XP is
activated and leads you through the activation process if not. Rather
than prompting you for your location and beginning the activation
process, the resulting window should simply say, "Your copy of Windows
XP is already activated." I like to run this command every so often,
just for the warm, fuzzy feeling I get.
- Enjoy! But beware of a
few things. Normally, changing more than three or four components in a
Windows XP computer will cause it to want to be reactivated. If that
were the case here, the user most likely would have to find a way
around the activation process again. There are several ways to do that.
Finding them out I leave as an exercise for the reader.
Bear in mind that the actions described above could be counter to US
and international copyright law, and to actually do them could lead to
legal trouble. Furthermore, I do not know what will happen to a machine
that is running a copy of Windows XP that was obtained by the method
described above if M$ should beef up their copy-prevention efforts. A
lot of people who used the famously leaked product keys to install
Windows XP were left out in the cold when Service Pack 1 was released
and have not been able to enjoy its benefits. Microsoft would
certainly be within their rights to engineer Service Pack 2 to leave
everyone with illegitimate copies out in the cold, or even to destroy
such software.
Microsoft has for years depended on other large companies for the
bulk of its profit and only recently began even to try to rein in the
massive amounts of copyright violation that had been going on between
individual users. Meanwhile they had to keep their original customer
base, the corporations, happy. The beauty of this whole thing is that
it is possible to use these huge corporations against each other.
Microsoft's dependency on other massive companies has left its newest,
most copy-protected software with an Achilles heel that the little guy
can XPloit.
Bibliography/Links
http://www.nu2.nu/bootcd/ is
a well-maintained page that describes bootable CDs in detail, and
includes the instructions and software the author used to make his CDs
bootable.
http://www.licenturion.com/xp/fully-licensed-wpa.txt
is an older page that describes the algorithm that Windows XP uses to
generate activation keys, and tells why they aren't the enormous threat
to privacy that some believe them to be.
http://www.extremetech.com/article2/0,3973,11222,00.asp
is the best description of the ins and outs of Windows Product
Activation that this author has seen, even though the article predates
Service Pack 1.
http://www.microsoft.com/piracy/basics/activation/windowsxpsp1.asp
is telling if you read between the lines, and also a good source for
"the other side" of the piracy/WPA issue.