Windows XP defeated
Product Activation is beaten by German enthusiasts
When we looked at Windows XP a fortnight ago, one of the things we thought most fascinating about it was Product Activation. The reason it seemed so interesting wasn't so much how it worked, but that nobody had managed to crack it. However, much to Microsoft's disappointment no doubt, somebody now has, and with that it loses a little of its intrigue.
The key to Product Activation, according to German website tecChannel, is a file called 'wpa.dbl' stored in the Windows system32 directory. This file is singularly responsible for telling Windows whether or not it has been activated. You'll recall, having read our article, that Windows XP will only allow a finite number of hardware changes before it demands re-activation. In practice, tecChannel's latest research tells us, what it does is delete wpa.dbl, which puts the system into Activation mode, effectively barring you from normal usage until you re-activate. The 30 day (14 in the beta) grace period does not reset itself; it just resumes, so that if it has been more than 14 days since installation, you get no more free time.
As we said, re-activating is a doddle if you're a genuine owner of Windows XP, because Microsoft is anxious not to set the wrong sort of precedents. However, tecChannel tells us that it is not necessary to re-activate. If you back up wpa.dbl, all you have to do is fool your system into thinking fewer than three things are different than they were beforehand and it will go on functioning.
tecChannel now knows the various things Product Activation looks for, too. In their research, they changed the graphics card and a network card. These were both picked up by WPA, but it didn't mind since two changes is acceptable. A third would also be acceptable, but a fourth (changing the CPU) triggered the deletion of wpa.dbl, and demanded the system be re-activated.
Instead of doing so, however, tecChannel dropped into the BIOS and switched off the CPU serial number, meaning that the operating system could no longer determine whether or not it was a different CPU to the original. They then copied their backed-up wpa.dbl file into its system32 directory. On a subsequent reboot, the demand for activation was gone, because wpa.dbl could only identify two changes, which was within its boundaries of operation. Bingo. The trick, then, is fooling the system.
tecChannel's next objective was to use the wpa.dbl file on another computer. To do this, they put the same amount of RAM in it (one point discounted), they changed the volume ID of the new computer at the command line (two points discounted) and they used an advanced network card driver to specify the same MAC address as the previously activated network card (three points discounted). Finally, they used a bit of wit and cunning and switched the computer's hardware profile to that of a notebook. After this, the graphics card and IDE/SCSI controllers are no longer used to calculate the product ID. In effect, they have disabled or faked enough of the hardware in the old wpa.dbl that it doesn't mind running.
With that, tecChannel had two computers running on the same activation, and Microsoft was slain. Given that the company is now between Release Candidates 1 and 2, it will be difficult for them to knock Product Activation into shape in time to do hackers and crackers any mischief. All it will take is one compromised Windows XP Product Activation and millions of software crackers will have a field day.