
MSKey Readme

Abstract
Microsoft Windows Server 2003 VLK requires a VLK key to install. Commonly, for illegal users, this key is a leaked key, and thousands of piracy users use the same key to install their Windows. The problem is that the piracy users can use the product now, but not forever, because Microsoft would probably include the leaked key list in further service packs (e.g. Microsoft prohibited several Windows XP VLK keys in service pack 1). So it is necessary to install Windows with different keys for different illegal users. By tracing the Windows product key verification program, I successfully extracted the algorithm MS uses (some Public Key Infrastructure) and broke the private key used to generate product keys.

Validation Process

1. Decode

The following computations are based on this product key: JCF8T-2MG8G-Q6BBK-MQKGT-X3GBB

The character "-" does not contain any information, so the MS product key is composed of 25 digit-characters. Microsoft only uses "BCDFGHJKMPQRTVWXY2346789" to encode the product key, in order to avoid ambiguous characters (e.g. "I" and "1", "0" and "O"). The quantity of information that a product key contains is at most $\log_2 24^{25} \approx 114$ bits. To convert a 25-digit key to binary data, we need to:

a. Convert "JCF8T2MG8GQ6BBKMQKGTX3GBB" to "6 1 3 22 ......", where 'B'=0, 'C'=1, 'D'=2, ... We call the array "6 1 3 22 ..." base24[].

b. Compute

$$\mathrm{decoded} = \sum_{i=0}^{24} \mathrm{base24}[i] \cdot 24^{24-i}$$

The result is 00 C5 31 77 E8 4D BE 73 2C 55 47 35 BD 8D 01 00 (little-endian).

c. The decoded result can be divided into 12 bit + 31 bit + 62 bit + 9 bit, and we call these 4 parts:

12 bit: OS Family
31 bit: Hash
62 bit: Signature
9 bit: Prefix
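The decode step above, as an added example (not code from MSKey itself): it parses the readme's sample key and cuts the result into the four named fields. The function names are hypothetical, and packing the fields from the least-significant bit upward in the listed order is an assumption the readme does not state.

```python
# Added example, not MSKey's own code. Function names are hypothetical.
ALPHABET = "BCDFGHJKMPQRTVWXY2346789"   # the 24 symbols the readme lists

# Field widths from the readme (12 + 31 + 62 + 9 = 114 bits).
# Assumption: fields are packed from the least-significant bit upward,
# in the order the readme lists them.
FIELDS = (("os_family", 12), ("hash", 31), ("signature", 62), ("prefix", 9))
TOTAL_BITS = sum(width for _, width in FIELDS)


def decode_key(key: str) -> int:
    """Base-24 decode; the first character is the most significant digit."""
    chars = key.replace("-", "").upper()
    if len(chars) != 25:
        raise ValueError(f"expected 25 key characters, got {len(chars)}")
    value = 0
    for ch in chars:
        digit = ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"{ch!r} is not in the base-24 alphabet")
        value = value * 24 + digit      # Horner form of sum base24[i]*24^(24-i)
    # 24**25 is slightly larger than 2**114, so some strings overflow the layout.
    if value >> TOTAL_BITS:
        raise ValueError("decoded value does not fit in 114 bits")
    return value


def little_endian_hex(value: int) -> str:
    """Render the value as the readme prints it: 16 bytes, little-endian."""
    return " ".join(f"{b:02X}" for b in value.to_bytes(16, "little"))


def split_fields(value: int) -> dict:
    """Cut the decoded integer into the four named bit fields."""
    fields, shift = {}, 0
    for name, width in FIELDS:
        fields[name] = (value >> shift) & ((1 << width) - 1)
        shift += width
    return fields


if __name__ == "__main__":
    sample = "JCF8T-2MG8G-Q6BBK-MQKGT-X3GBB"   # the key used in the readme
    decoded = decode_key(sample)
    print(little_endian_hex(decoded))
    for name, field in split_fields(decoded).items():
        print(f"{name:10s} 0x{field:X}")
```

Strings that are too short, contain a character outside the 24-symbol alphabet, or decode to more than 114 bits are rejected with `ValueError` rather than silently truncated.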

2. Verify

If you want to understand what I am talking about in this section, please refer to some Elliptic Curve Cryptography materials. Before verifying a product key, we need to compute the 4 parts mentioned above: OS Family, Hash, Signature, and Prefix. The Microsoft Product-key Identification program uses a public key stored in PIDGEN.DLL's BINK resource, which is an Elliptic Curve Cryptography public key composed of:

p, a, b: construct an elliptic curve $y^2 = x^3 + ax + b \pmod p$
G(x,y): represents a point on the curve; this point is the so-called "generator"
K(x,y): represents a point on the curve; this point is the product of integer k and the generator G

Without knowing the private key k, we cannot produce a valid key, but we can validate a key using the public key {p, a, b, G, K}.

1. Compute H = SHA-1(5D, OS Family, Hash, prefix, 00 00); the total length is 11 bytes. H is 160 bits long, and we only need the first 2 words. Right-shift H's second word by 2 bits. E.g. if SHA-1() returns FE DC BA 98 76 54 32 10, H = FE DC BA 98 1D 95 0C 04.
2. Compute R(rx,ry) = Signature * (Signature*G + H*K) (mod p)
3. Compute SHA-1(79, OS Family, rx, ry); the total input length = 1+2+64*2 = 131 bytes. Compare Hash with the result; if they are identical, the key is valid.

Producing A Valid Key!


We assume the private key k is known (sure, Microsoft won't publish this value, so we have to break it by ourselves). The equation in the product key validation system is as below:

Hash = SHA(Signature*(Signature*G + SHA(Hash)*K) (mod p))

What we need is to calculate a Signature which satisfies the above equation.

1. Randomly choose an integer r, and compute R(rx,ry) = r * G
2. Compute Hash = SHA-1(79, OS Family, rx, ry); the total input length = 1+2+64*2 = 131 bytes, and we get the first 62 bit result.
3. Compute H = SHA-1(5D, OS Family, Hash, prefix, 00 00); the total length is 11 bytes, and we need the first 2 words, and right-shift H's second word by 2 bits.

And now we get an equation as below:

Signature*(Signature*G + H*K) = r * G (mod p)

By replacing K with k * G, we get the next equation:

Signature*(Signature*G + H*k*G) = r * G (mod p)

$$\mathrm{Signature}^2 + H k \cdot \mathrm{Signature} - r = 0 \pmod n$$

where n is the order of point G on the curve.

$$\mathrm{Signature} = \frac{-Hk \pm \sqrt{(Hk)^2 + 4r}}{2} \pmod n$$

Note: not every number has a square root, so maybe we need to go back to step 1 several times.

Get Private-key From Public Key


I've mentioned that the private key k is not included in the BINK resource, so we need to break it out by ourselves. In the public key, K(x,y) = k * G, we only know the generator G and the product K, but it is hard to get k. The effective method of getting k from K(x,y) = k * G is Pollard's Rho (or its variation) method, whose complexity is merely $O(\sqrt{n})$, where n is the order of G. (n is not included in the public key resource, so we need to get n by Schoof's algorithm.) Because a user cannot suffer a too long product key, the Signature must be short enough to be convenient. And Microsoft chooses 62 bit as the length of the signature, hence n is merely 62 bits long. Therefore the complexity of computing the private key k is O(2^31).
