Quantcast
Channel: OSnews
Viewing all articles
Browse latest Browse all 484

Keyhole: a highly effective Windows DRM bypass also present on the Xbox One

$
0
0

The MAS project, a group of people working on an open source Windows and Office activator featuring HWID, Ohook, KMS38, and Online KMS activation methods, discovered quite a neat and interesting bug in the code responsible for licensing in Windows.

In our ongoing work to bypass Windows licensing checks, we occasionally stumble upon bugs that we choose to keep secret. This decision allows us to preserve potential future activation methods by avoiding bug fixes, while also giving us valuable tools for testing or developing new methods.

One such discovery, which we’ve named “Keyhole”, turned out to be a highly effective DRM bypass. It gave users the ability to license any Microsoft Store app or any modern Windows edition with ease.

↫ The MAS project

There were quite a number of roadblocks to overcome here, such as Microsoft’s code obfuscation tool, called Warbird, which was already done by someone else, after which they could really start digging into the code responsible for handling Microsoft Store and Windows licenses. They then discovered that circumventing the license blocks that hold the actual license information was dead simple – every license block is followed by a signature block covering all the data that comes before it. It turns out that messing with the licensing system was as simple as… Adding data after that signature block.

That was it.

As it turns out, data after the signature block isnt checked at all… and it can even override data that came before it. Whenever two blocks of the same type are stored together, the last one overrides all the others before it. So, if we want to change any license data, we can just make a block for it and put it after the signature block!

This method lets us make licenses for anything sold on the Microsoft Store, including Windows, from any other Microsoft Store license. And since there are so many free apps with licenses, we now had the ability to make as many as we wanted for whatever we wanted. This bug essentially punched a hole straight through CLiP’s DRM, so we decided to name it “Keyhole”.

↫ The MAS project

This opened up a massive hole in Microsoft’s licensing tools and DRM, and allowed the MAS project to pretty much do whatever they wanted. They could even do things that used to be impossible, such as “activating Enterprise LTSC with a digital license, or even activating a legitimate KMS server with a generic key”. Sadly, the fun didn’t last long, as right around the same time, Cisco TALOS discovered this same bug, reported it to Microsoft, who then proceeded to fix it.

the MAS project also discovered something else incredibly interesting, something which further highlights the seemingly terrible lack of quality assurance and code quality inside Microsoft. They noted that the kernel driver responsible for licensing looked incredibly shoddy, full of what they call “odd choices and compromises”. In fact, they soon realised that they had seen this code before: it was a straight-up copy/paste job from the licensing DRM found on the Xbox One.

And there’s the same bug that’s in CLiP, but in Xbox code. In fact, we weren’t too surprised to find this, as we found that almost all of CLiP, from the XML format of the licenses to the TLV-based license blocks, is copy-pasted straight from the Xbox One’s DRM system.

↫ The MAS project

Code reuse obviously makes sense in some situations, but the fact Microsoft even copy/pasted entire sections of code from the Xbox One straight into the Windows kernel as a kernel driver seems rather irresponsible. Shouldn’t code added to the Windows kernel and installed on billions of devices be vetted a little better than this?


Viewing all articles
Browse latest Browse all 484

Trending Articles