Confessions of a Windows 7 "pirate" 2/2

Categories:  Windows
Labels:  OS

Fooling Windows by tinkering with the BIOS

The other popular approach toward cracking Windows activation takes advantage of the difference between retail and OEM copies of Windows. Retail copies have to be activated using a unique serial number. OEM copies from large system makers (Dell, Toshiba, HP, and so on, collectively known as Royalty OEMs) use a technique called System Locked Preinstallation (SLP). The preinstalled copy of Windows uses a single master product key tied to specific information in the system BIOS that is unique to that manufacturer’s systems. If the encrypted licensing information in the preinstalled copy of Windows matches the information in the BIOS, no activation is required.

Windows pirates figured out how to exploit this hack around the time Windows Vista was launched. The Windows 7 Loader program, which I used on a test system, looks at your PC’s BIOS to see whether it contains an ACPI_SLIC table with software licensing information (“markers” for the Windows operating system and the name of the computer maker). If the SLIC table is present, the tool installs the correct product key for your Windows 7 edition along with a digital certificate; the combination mimics a legitimate OEM preinstallation. For systems with a BIOS that doesn’t contain the proper SLIC tables (a scenario I didn’t test), it uses an alternate boot loader (typically some variant of GRUB) and installs BIOS emulation code to fool the system into thinking your system is a legitimate OEM installation. You can use the one-click installer or select from advanced options to personalize your PC by choosing a particular brand.

In this case, I had installed a retail copy of Windows 7 Home Premium on a relatively new system (purchased in mid-2009) that was originally licensed for Windows Vista. I didn’t enter a product key during setup, and I had gone more than 30 days without activating. Here’s what I saw when I ran W7Loader:


The installer correctly detected the brand (Dell) and Windows 7 edition. When I clicked the Install Certificate and Serial button on the right, I was greeted with this message:


The system, which had never been activated, had previously been nagging me with “non-Genuine” warning messages. As soon as the pirate tool completed its work, the watermark on the black desktop went away and the System properties dialog box told me I was activated with a Dell OEM product ID.

The Empire strikes back

The two exploits I describe in this post are certainly not the only ones out there. Indeed, Windows pirates have been playing a cat-and-mouse game with Microsoft for years. In the Windows XP era, pirates focused most often on stealing legitimate product keys, especially Volume License keys. Beginning with Windows Vista, Microsoft has begun building anti-piracy components directly into the operating system, and pirates have aimed their hacking skills at those components with increasing sophistication.

The latest salvo from Microsoft in the war against pirates is the Windows Activation Technologies Update (KB971033). In its default configuration, it performs an initial validation check and then repeats the process every 90 days, downloading new signatures to detect exploits that flew under the radar in the previous scan. When I initially wrote about this subject last month, the question I heard most often was, “Why does it need to keep checking? If I get validated, shouldn’t that be good enough?”

Unfortunately, the experiences I’ve written about here prove why that strategy doesn’t work. If you used a copy of RemoveWAT that was created in 2009, you were able to fool Microsoft validation servers with a 100% success rate. However, as the anguished cries of forum participants proved, the KB971033 update in February exposed all of those hacks, restoring the correct license files and causing the systems to (correctly) fail validation. As a result, the RemoveWAT developer modified his code and released a version last week that trumped the new update and once again allowed hacked machines to pass the activation test.

In the past, that would have been counted as a win for the pirates. But with its new signature-based system, Microsoft can improve its exploit-detection code and, at least in theory, identify the updated hacks in 90 days (or, in the worst case, 90 days after that). The point is that pirates can’t count on getting a permanent free pass on activation. If you’re a hobbyist obsessed with pirating Windows, you have to put up with the nuisance of updating your hacking tools every few months. But if you’re selling pirated software (in a box or preloaded on a system), you risk getting put out of business and maybe sent to jail when the systems you sold in March are detected as pirated in June or July.

The other question I hear on the subject is, “Why pick on legitimate customers? Why not go after the real pirates?”

There’s a common misconception that only diehard hackers mess around with pirated software. The reality is that anyone can be a victim, especially if they ever need help reinstalling Windows or repairing some sort of hardware problem. I have lost count of the number of times I have seen a PC that contains a pirated copy of Windows installed by a nephew or a neighbor or even a local computer tech who was trying to share the cool thing he found on the Internet. Back in 2007, I wrote about a firsthand experience with a PC repair tech for a major national chain who used a pirated copy of Windows to “repair” my friend’s PC.

In that case, I was able to spot the unauthorized copy quickly and help my friend undo the damage (and get his money back from the crooked tech). If that were to happen today, the tech might be lucky enough to get away with the deception for a few months, but he would eventually be caught out.

One thing I learned while researching this piece is the phenomenal determination of pirates. They’ve become increasingly sophisticated and are able to react extremely fast to changes from Microsoft. For Microsoft, responding to those fast-moving targets without inadvertently inflicting collateral damage on its customers is a tremendous challenge.


Social Profiles


This web accept cryptocoin donations
BTC address, LTC, ETH, Uphold:
Why donations?