Windows Vista Keygen a Hoax

Posted by CowboyNeal on Sat Mar 03, 2007 09:14 AM
from the too-good-to-be-true dept.
An anonymous reader writes "The author of the Windows Vista keygen that was reported yesterday has admitted that the program does not actually work. Here is the initial announcement of the original release of the keygen, and here is the followup post in which the same author acknowledges that the program is fake. Apparently, the keygen program does legitimately attack Windows Vista keys via brute force, but the chances of success are too low for this to be a practical method. Quote from the author: 'Everyone who said they got a key is probably lying or mistaken!'"

Related Stories

[+] Vista Activation Cracked by Brute Force 470 comments
Bengt writes "The Inquirer has a story about a brute force Vista key activation crack. It's nothing fancy; it's described as a 'glorified guesser.' The danger of this approach is that sooner or later the key cracker will begin activating legitimate keys purchased by other consumers. From the article: 'The code is floating, the method is known, and there is nothing MS can do at this point other than suck it down and prepare for the problems this causes. To make matters worse, Microsoft will have to decide if it is worth it to allow people to take back legit keys that have been hijacked, or tell customers to go away, we have your money already, read your license agreement and get bent, we owe you nothing.'"
This discussion has been archived. No new comments can be posted.
  • I figured it would turn out like that, it's just a random number gen that prints a 25 digit number.
    a 4 year old using BASIC could do that
    • I think you meant this one [slashdot.org] and you should have said "I think this is a hoax"

    • When in reality (Score:4, Informative)

      by Alien54 (180860) on Saturday March 03 2007, @10:44AM (#18217854) Journal
      The 25 digit key is in base 36 (0-9 plus A-Z), providing 8.08281277e+38 possible keys, without accounting for various error checking and validation schemes
      • But do we know how many valid keys exist in this domain? After all we have seen MS releasing a key protection scheme (I believe it was for Win98) where you just had to provide a key where the sum of specific digits would be a multiple of 7. There was something like 36^12 possible keys but 1/7th of them were valid. Or was that also a hoax?

        Anyway, it really depends on how many valid combinations exist. If they tailored the algorithm to only accept a few billion combinations they are safe but if they a
          • Assuming the previous poster's numbers are correct (and I've no reason to believe they're not), there's over 8,082,812,770,000,000,000,000,000,000,000,000,000 combinations...

            To a layman, that's about 8 brazilian combinations.
            • Re: (Score:3, Informative)

              > If a 100 millionth of all possible keys will work, then you will have to produce, on average, 100 million keys before you hit one that works.

              Actually, it's 50 million on average.
      • Re: (Score:3, Informative)

        The 25 digit key is in base 36 (0-9 plus A-Z), providing 8.08281277e+38 possible keys, without accounting for various error checking and validation schemes

        Actually, there should be a lot less than that since some characters are always letters and some characters are always numbers.

  • by Anonymous Coward on Saturday March 03 2007, @09:23AM (#18217346)
    Quote from the author: 'Everyone who said they got a key is probably lying or mistaken!'"

    Oh sure. Next I suppose you're going to tell me that the guy who claims he ordered (and received) a 37" LCD TV for $7.99 due to a price mistake is lying, too. Or the kid who swore he put a Beta tape in a VHS deck and it played...Don't you have any faith in people anymore?
    • Re: (Score:3, Funny)

      by Anonymous Coward
      My favorite was always the "If you heat up a needle and put it through this particular spot on your Tomb Raider CD, Lara Croft will be naked!" How many did that one disappoint, I wonder?

      =)
      • How many did that one disappoint, I wonder?
        I wasn't disappointed until I read that!
      • My favorite was always the "If you heat up a needle and put it through this particular spot on your Tomb Raider CD, Lara Croft will be naked!" How many did that one disappoint, I wonder?

        An even "better" one was for the Intel 486SX CPU, the cheapo version of the Pentium's predecessor. To quote the Foldoc entry [foldoc.org]:-

        All 486SX chips were fabricated with FPUs. If testing showed that the CPU was OK but the FPU was defective, the FPU's power and bus connections were destroyed with a laser and the chip was sold cheaper as an SX, if the FPU worked it was sold as a DX.

        The Jargon File claimed that the SX was deliberately disabled crippleware. The German computer magazine, "c't", made this same theory the basis of an April Fools Joke. They claimed that if one drilled a hole of a specified diameter through the right point on an SX chip, this would break the circuit that disables the FPU. Some people actually tried (and then bought themselves new processors).

      • My favorite was always the "If you heat up a needle and put it through this particular spot on your Tomb Raider CD, Lara Croft will be naked!" How many did that one disappoint, I wonder?

        But that one really worked. I did it myself. I swear!
      • Re: (Score:3, Informative)

        My favorite was always the "If you heat up a needle and put it through this particular spot on your Tomb Raider CD, Lara Croft will be naked!" How many did that one disappoint, I wonder?

        Uh? Never heard of that hoax. Is there any reference on the web? A cursory google search turns up nothing.
      • How many did that one disappoint, I wonder?

        I know of at least one... :(

    • I don't know about that, but I do know that if I post this message 10 times I will get a free thingamajiggy in the mail. It works, my friend said so.
  • by ekasperc (1070946) on Saturday March 03 2007, @09:31AM (#18217390)
    OEM_BIOS_Emulation_Toolkit_For_Microsoft_Windows_Vista_X86.v1.0-PARADOX
    This has been floating around for a few minutes now, and according to the history of this group, I guess this is a bulletproof solution...
    But I don't know what will be the impact for online upgrades since I don't use Vista myself.
    • by Anonymous Coward on Saturday March 03 2007, @09:47AM (#18217490)
      OEM activation works by having OEM identifiers and SLIC table stored in the BIOS and Microsoft then sign a cert per OEM (also required). The softmod uses vista boot manager to spoof flashed BIOS. Patching a VM should be even easier.

      Once again, product activation is only a PITA for legit customers.
    • by gEvil (beta) (945888) on Saturday March 03 2007, @09:49AM (#18217508)
      Hmmm, I wasn't aware of this. Then again, I haven't been paying much attention to Vista stuff anyways. A few minutes of digging around brought up this site, [mydigitallife.info] which looks to have links to modified BIOS files for quite a few motherboards. Pretty sneaky, sis...
    • Re: (Score:3, Informative)

      by Anonymous Coward
      Links... PARADOX's OEM emulation tool is out on the various torrent sites. Here is the link from Demonoid [demonoid.com].

      Pantheon released a full Windows Vista Ultimate CD with their own activation tool using the same principle. Here is the NZB set [yabse.com] (click NZB to download the file) to facilitate downloading from Usenet. Posts are two hours old so they may need a bit longer if you're not using Giganews, Newshosting, etc.
      • You just disable the TPM chip - the majority of PCs out there don't have one (this laptop was new in November and doesn't have one for example, so it's not just old ones either) so they can't exactly make it mandatory.
      • Re: (Score:3, Insightful)

        While I understand your logic, I disagree with your conclusion. To play some games, you must have Windows at this time. I would rather that people who must have a copy find a way to get it free. This way they are not financially tied into MS, and they are not any more inclined to invest any money into MS.

        Also, since Vista comes with 90% of all computers sold in the US, the fact that they don't have it already means they are building their own boxes instead of buying Dells. Guys that build their own don
        • To play some games, you must have Windows at this time. I would rather that people who must have a copy find a way to get it free. This way they are not financially tied into MS, and they are not any more inclined to invest any money into MS.

          Gee - I'd rather they have ABSOLUTELY no possibility of running Windows without paying for it; that way they'd have a financial interest in finding ways to sever their ties with M$ and might be willing to spend part of what they would have on Vista to facilitate their transi
        • I can [not!] speak for myself when I say that even if you don't buy the OS, you can still be very easily financially tied to MS. Both in terms of hardware purchases and software purchases that are windows-only.

          I probably have $1k in windows software.

          Of course, I don't understand the rabid microsoft-hating to begin with. Their product works fine for me. I can't tell you the last time I had a system crash (opposed to an application crash), or the last time I was infected with spyware or a virus. Also, my comp
        • Also, since Vista comes with 90% of all computers sold in the US, the fact that they don't have it already means they are building their own boxes instead of buying Dells. Guys that build their own don't pirate OS's because it is cheaper, they do it because it is there to be done. Like running apache on an Xbox...it has no practical value, but fun to try anyway, and play a little with it.

          No, really, they do it because it is cheaper and easier than going to the store to buy it. I bet if you could legitimat

          • Odd. I got a Vista premium license for free from Microsoft, I haven't tried it and not going to until there is a reason for me to upgrade. Granted I didn't go from win2k to winXP until last year. Getting stuff for free doesn't mean people will magically start using it, they need to have a purpose for doing so.
  • Why (Score:5, Interesting)

    by JackMeyhoff (1070484) on Saturday March 03 2007, @09:35AM (#18217416)
    ... doesn't somebody actually create a distributed brute force on Windows activation. How many Windows machines in the world? That adds up to some pretty powerful attack.
    • Re: (Score:2, Insightful)

      Because 1) It is not intelligent, brute force was never needed to bypass Windows Activation before 2) It is not subtle enough, and an operation this size would put a big bullseye on whoever did it 3) It is not profitable, people that run those botnets do it for profit, not to "stick it to the man", or to piss off Microsoft.
      • Re: (Score:2, Interesting)

        Yes but you will be doing that every time, once you got the algorithm you just have to seed it (most likely a hash of your computer configuration) to generate valid keys. They cannot go and redo the algorithm without impacting a LARGE amount of their customers, they can blacklist numbers but so what, with the algorithm you just generate a new valid one. GAME OVER. Isn't that what we want, to render it TOTALLY useless FOR GOOD? This is the way, not some bypass that's just temporary. THINK BIGGER!
        • Uhm, a valid key is what, 25 characters? And we got 26 characters in the alphabet and 10 numbers giving us 36 possibilities for each character in the key, that is 36^25 "valid" combinations, unless you know their algorithm for picking valid keys you have to search the whole keyspace and that is a mighty big number, the processing power to do so simply doesn't exist.
      • Because 1) It is not intelligent, brute force was never needed to bypass Windows Activation before 2) It is not subtle enough, and an operation this size would put a big bullseye on whoever did it 3) It is not profitable, people that run those botnets do it for profit, not to "stick it to the man", or to piss off Microsoft.

        I think originally people started botnets mostly for fun and to display hacking "prowess" and to DDoS people that piss them off (companies such as Microsoft, perhaps). It was only fair

    • ... doesn't somebody actually create a distributed brute force on Windows activation. How many Windows machines in the world? That adds up to some pretty powerful attack.

      Except that you need an activation code for every machine. So adding machines doesn't only add to the processing power by 1, but also increases the workload by 1. This is of course assuming people who don't need to get a copy of windows activated won't feel the urge to join, which seems fairly likely.

      Brute force is always the last resort
      • Done smart you wouldn't need a huge dictionary. You could for example divide the keyspace as a tree and give out small sub-trees to the participants. When sub-trees have been checked, they can be merged.

        (simple ex: Divide as a binary tree, when 1.1.1.1 and 1.1.1.2 are done you can mark 1.1.1 as checked. If sub-trees are given out in a smart fashion, the dictionary wouldn't have to become very large.)
        • Work out the size of the keyspace.

          When you have done that work out how long it would take if you used every computer in the world.

          Express it in terms of billions of years, and compare it to the lifetime of the sun.

          Then get the cluestick and hit yourself repeatedly on the head.
  • /.'d (Score:3, Funny)

    by oDDmON oUT (231200) on Saturday March 03 2007, @09:59AM (#18217560)
    Oh well, didn't really want to read a retraction anyway.
  • If you're looking for a good laugh, I would recommend reading some of the responses in that forum thread. People are still running the keygen in hope of getting a valid key, reasoning "its not that its fake.. its just taht you never actually put thought into the logic." and "you look at the invalid keys it produces and check why its invalid so you can come up with a mathimatical equsion to compute valid keys.. "

    Warning: Extreme Tolerance for Poor Spelling Required
  • by suso (153703) * on Saturday March 03 2007, @10:37AM (#18217800) Homepage Journal
    Even though it turned out to not be true, there are a lot of people who only read Slashdot and other news places during the week and won't see this retraction, so they may never know that it was fake. So they will go off with a further impression that it's unsafe to run Vista and you could have your legitimate key compromised at any moment. It's like the tactics that some politicians and corporations use. What is someone going to post next week and retract on Saturday?
  • by gd23ka (324741) on Saturday March 03 2007, @10:51AM (#18217900) Homepage
    I see no reason why they even have an algorithm to check whether
    a key is valid before submitting it to their server for signing.

    If I were them I would do what prepaid mobile phone has been doing
    for years: generate completely random keys and at the signing server
    end just check if that key is in the database and if it's not already
    used. If that's the case then all they would have to do is sign the
    key and the computer configuration and return that to the client code
    that would in turn check if the signature is valid.

    That way there would be no way to brute force keys because they have
    control over the validation server and can put a stop to that and there
    is no key validation code exposed from which someone might derive a
    key generator or at least get hints at how the keys are distributed
    in key space.
    • I think that is exactly how online activation CD keys work. The key has some sort of checksum built into it so that some offline checking is possible. This is to detect typos. But it is not a strong check. The full check is performed online against the list of valid and unused keys, which as you say are generated from random data.

      Suppose the key is 125 bits in size. (5 words of 5 characters, with each character representing 5 bits). Say 10 bits are devoted to a checksum, so that there is only a 1 in 1024 ch
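
The scheme described in the two comments above (random keys, a weak typo checksum that can be tested offline, and the real check done by the server against its list of issued keys) is sketched here as an added example; it is not code from the thread or from Microsoft. The 32-symbol alphabet, the lockout threshold and every name are assumptions, and an HMAC stands in for the server's signature, so the client-side check shares a secret that a real design would replace with a public key.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # assumed 32-symbol set: 5 bits per character
SIGNING_KEY = secrets.token_bytes(32)  # HMAC secret standing in for the server's private key


def check_bits(payload: int) -> int:
    """10-bit checksum over the 115 random bits; it catches typos, nothing more."""
    digest = hashlib.sha256(payload.to_bytes(15, "big")).digest()
    return int.from_bytes(digest[:2], "big") & 0x3FF


def encode(payload: int) -> str:
    """Pack 115 payload bits + 10 check bits into five groups of five characters."""
    value = (payload << 10) | check_bits(payload)
    chars = [ALPHABET[(value >> (5 * i)) & 31] for i in range(24, -1, -1)]
    return "-".join("".join(chars[i:i + 5]) for i in range(0, 25, 5))


def passes_offline_check(key: str) -> bool:
    """Client-side format and checksum test, the only check done without the server."""
    chars = key.replace("-", "").upper()
    if len(chars) != 25 or any(c not in ALPHABET for c in chars):
        return False
    value = 0
    for c in chars:
        value = (value << 5) | ALPHABET.index(c)
    return check_bits(value >> 10) == (value & 0x3FF)


def sign(key: str, hardware_id: str) -> str:
    msg = f"{key}|{hardware_id}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


class ActivationServer:
    MAX_FAILURES = 5  # assumed lockout threshold per client

    def __init__(self):
        self.issued = {}    # key -> hardware_id it is bound to (None = unused)
        self.failures = {}  # client address -> count of rejected attempts

    def issue_key(self) -> str:
        key = encode(secrets.randbits(115))  # purely random, no derivable structure
        self.issued[key] = None
        return key

    def activate(self, client: str, key: str, hardware_id: str):
        """Return a signed token, or None if the key is unknown or used, or the client is locked out."""
        if self.failures.get(client, 0) >= self.MAX_FAILURES:
            return None
        key = key.upper()
        if key not in self.issued or self.issued[key] not in (None, hardware_id):
            self.failures[client] = self.failures.get(client, 0) + 1
            return None
        self.issued[key] = hardware_id
        return sign(key, hardware_id)


def token_is_valid(key: str, hardware_id: str, token: str) -> bool:
    """Client-side check of the server's reply (would use a public key in a real design)."""
    return hmac.compare_digest(sign(key.upper(), hardware_id), token)
```

A guessed key that happens to satisfy the checksum still fails at `activate`, because the server only accepts keys it issued, and repeated failures from one client stop being answered.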
    • If I were them I would do what prepaid mobile phone has been doing
      for years: generate completely random keys and at the signing server
      end just check if that key is in the database and if it's not already
      used

      What would stop you from sniffing the traffic of the on-line checking of a legitimate key, and then faking that traffic to "authorize" illegitimate keys?
      • Same here. I've been to the MS website, read the reviews, even played with it at Staples. Until I have to get it, I ain't getting it.

        I'd spend $100 on the upgrade, but not $260 for Ultimate. I could buy a lesser version, but to get both scheduled backups and media center, you have to get Ultimate. For that, I'll wait until SP2 comes out and fixes the first round of bugs.
    • by julesh (229690) on Saturday March 03 2007, @11:13AM (#18218032)
      Based on calculations in the other thread discussing this, we reckoned that if MS hadn't been stupid designing the key system, you'd have to try somewhere in the region of (IIRC) 10^17 keys before getting one that works. Now we can discard the "evidence" that suggested they had been stupid, this is back to being our baseline assumption. Based on speed-of-trial stats reported there, this would take a 65K-node botnet around 14 years to crack a single key.
    • It looks like somebody got The Phone Call. Anyway, why would it be a hoax all of a sudden? It works. Not very fast (the site did specify hours to days, though weeks might be more like it), but does work, hence not a hoax.

      If MS weren't morons when they designed the key system, hundreds of thousands of years might be more like it. But you can keep trying if you like.
    • I don't have a Vista key handy but let's assume it's 15 characters (or longer, win2k3 is 15 characters). Correct me if I'm wrong, but that would mean that there are 35 (26 letters + 9 numbers) ^ 15 possible combinations, or 144,884,079,282,928,466,796,875? Even if you could test a million keys a second, it would still take 4 billion years to try them all. The product key UI usually takes at least a second to validate the key.

      The brute force approach is fundamentally impossible, unless you are the luckiest pe
      • The brute force approach is fundamentally impossible, unless you are the luckiest person in the world.
        Define "lucky". You've beaten amazing odds in a manner unrepeatable even given a million lifetimes and what do you get for it? A copy of Windows Vista.

        Probably not even one of the Turbo Hyper Fighting versions either.
        • I think he might have meant 25 characters and 10 numbers - O and 0 can be pretty hard to tell apart. Guess he just chose to include O instead of 0 :)
        • Then your university didn't follow the rules. VLK media is only supposed to be used by the institution, and the VLKs aren't supposed to be given to end-user types. For media given to students, faculty, and staff for their personal computers, the institution is supposed to buy (and can resell) media that requires activation, and comes with a unique key. It's pretty cheap, under $5/disc if I recall. I know that at one time, the IT staff of the institution could install the VLK version on your machine for
          • At my university (Wright St.), every campus PC has the exact same Windows XP key. All students up to a certain point were also allowed to check out a copy of XP for free. This "deal" expired (afaik) awhile back.

            Part of the license agreement we had to sign was to agree to use the license only so long as we were students of the university. If you wanted a better license, you had to pay for XP (but at a very reduced charge).

            To this day, many people on campus can recite the key from memory due to how much it