SLP 2 Hacked To Activate Windows Vista Ultimate Permanently
On 9 February, a Chinese duo using the pseudonyms Binbin and Aeno wrote a guide to the weaknesses of SLP 2.0 and how to crack it, which led to the most successful Windows Vista activation crack as of today!
SLP 2.0 (System Locked Preinstallation 2.0), also known as OA 2.0 (OEM Activation 2.0), is Microsoft's supposedly improved OEM activation technique. It allows most branded OEM computer manufacturers (such as Dell, HP, IBM, ASUS, etc.) to pre-activate Windows Vista in the factory before shipping to the market, so end users do not have to go through the Windows Vista activation process, either by toll-free phone call or online over the Microsoft network.
The original SLP 2.0 cracking guide by Binbin and Aeno details the steps required to modify and flash a motherboard BIOS, embedding the Windows Vista SLP 2.0 data segments, in order to perfectly activate all Windows Vista editions! The authors intended to share their findings on cracking SLP 2.0 as an academic reference for those who are interested in BIOS technology and security.
However, the SLP 2.0 cracking guide turned out to be milk and honey for the pirated Vista camp. The guide led them to develop and adopt en masse BIOS emulator software that makes it easier to “legally” activate Windows Vista Ultimate, the most expensive Vista edition, which is built with all the Vista features, while a pirated Vista copy is available at a flat price of less than 5 bucks!
The Paradox OEM BIOS Emulation Tool-kits For Windows Vista is believed to be the first of its kind.
Since then, more OEM BIOS emulators for Windows Vista activation have become available for download from most torrent P2P networks and warez sites, such as STRO One Click Windows Vista Emulator or Windows Vista Activation And OEM Information version FF2.1.2.1.1 by sTRo, Windows XP and Windows Vista Crack By Mobile Latham, Rajpreet Singh Windows Vista Activator 2007, etc.
Unlike the Binbin and Aeno guide, which involves modifying and flashing the physical BIOS, these OEM Vista BIOS emulators may not work well after Vista SP1 or a KB update is released. Moreover, many of the newer Vista activators may come bundled with a virus, malware or other malicious code!
Hence, the Binbin and Aeno SLP 2.0 crack demonstrates a more reliable way to permanently activate Windows Vista, even after the release of Vista SP1, unless Microsoft abandons SLP 2.0 activation at a later stage. But this is NOT likely to happen until the next Windows OS, code-named Windows Vienna, is introduced, as it would affect the millions of OEM computers installed with Windows Vista that have been sold as of today!
So, how does the Binbin and Aeno SLP 2.0 cracking guide technically work to activate Windows Vista permanently?
What follows is my attempt to briefly translate Binbin's original guide (Mandarin version) into English. For full-resolution versions of the pictures below, please refer to Binbin's original guide. Corrections to this translated version are welcome. To contact Binbin, the original author and cracker of SLP 2.0, please email him at binbin123.cn@gmail.com.
As Binbin mentions in his original guide, this SLP 2.0 cracking guide is meant as an academic reference and demonstration for those who are interested in BIOS technology and security. However, different readers will have different ideas about how to use this guide, which is outside the author's control and against the author's intention!
Part One : SLP Introduction
Starting with Windows XP, Microsoft introduced SLP (System-locked Preinstallation) technology to activate Microsoft OEM Windows products.
SLP 1.0 works by detecting an OEM hardware SLP-related data string embedded in the BIOS DMI table and activating Windows if it is valid. Otherwise, it prompts the end user to enter the COA product key and activate Windows XP by calling Microsoft's toll-free activation number or by connecting online to the Microsoft activation center.
SLP 1.0 is pretty simple in theory and was immediately cracked by hackers who knew BIOS internals and BIOS-editing software well. The most widely adopted XP activation crack uses a DMI editor to add the SLP-related license certificate to the BIOS DMI table, fooling Windows XP into activating as if it were running on a legitimate OEM computer system!
When Windows Vista was introduced, Microsoft upgraded SLP 1.0 to SLP 2.0 to tackle the security flaws. Instead of using the DMI table, SLP 2.0 adds a SLIC structure to the BIOS ACPI table, which is used to store the SLP Pubkey (SLP Public Key) and the SLP Marker. Overall, the working concept of Microsoft SLP 2.0, or OA 2.0, can be summarized as follows:
- If the Windows licensing module detects an SLP private key - the special Vista product key or CD key used with SLP 2.0 - then the SLP activation process is executed.
- The Windows activation module verifies the loaded OEM certificate. If a Microsoft-certified OEM certificate is not found, SLP 2.0 activation fails, and the end user is in turn required to activate Windows Vista via the toll-free phone number or online over the Microsoft network.
- Next, the Microsoft-certified OEM certificate is compared and matched with the SLP Public Key stored in the BIOS ACPI_SLIC table.
- Now, both the SLP 2.0 Public Key and the SLP Marker stored in the BIOS ACPI_SLIC table are verified. The
- Then, the OEMID and OEMTableID data strings found in the SLP Marker, ACPI_RSDT, and ACPI_XSDT are compared and matched.
Part Two: SLP 2.0 weakness and vulnerability study
As the BIOS of all DIY motherboards (such as the Asus P5B or Gigabyte motherboards) doesn't contain the ACPI_SLIC table that stores the Microsoft SLP 2.0 data strings, Windows Vista installed on these computers will not be activated via the SLP 2.0 mechanism.
However, the technical weakness of SLP 2.0 allows a cracker to extract the SLP 2.0 data segments from a genuine OEM BIOS from DELL, ASUSTEK, HP, FUJITSU, etc. Next, the BIOS of the DIY motherboard is modified to add an ACPI_SLIC table that stores the SLP 2.0 data segments!
A branded OEM computer with Windows Vista pre-installed comes with a Recovery CD that the end user uses to restore a corrupted Windows Vista installation.
The OEM Vista product key (known as the SLP 2.0 private key) and the Microsoft-certified OEM certificate are both found on this Windows Vista recovery CD.
The SLP Public Key, SLP Marker, OEMTableID, and OEMID are also found in the ACPI_SLIC table of this OEM BIOS.
Technically, it is quite impossible to add a new SLIC table to the BIOS of a DIY motherboard. So, the Binbin and Aeno SLP 2.0 cracking demonstration actually replaces an existing ACPI table with the SLIC table.
Part Three: The generic technical guide demonstration of cracking SLP 2.0 to permanently activate Windows Vista
Award BIOS is the most common BIOS among DIY motherboards. So, the Binbin and Aeno SLP 2.0 cracking guide demonstrates how to add the SLP 2.0 data segments to Award BIOS version 6.0 to permanently activate OEM Windows Vista.
The tools and utilities used in this guide:
- CBROM 2.19 - used to add and replace Award BIOS ACPI table contents.
- MODBIN6 2.01.01 - used to modify Award BIOS data strings and options.
- WinHEX - used to modify the contents of ACPI table.
- Windows Vista - the newest Windows OS used to execute the tools and perform this demo.
- Put the target motherboard BIOS template, MODBIN 6, and CBROM in one folder.

- MODBIN 6 only recognizes BIOS templates that end with the BIN file extension. Rename the BIOS template to end with the BIN extension if it currently does not.
- Double-click MODBIN6.EXE and choose the target BIOS template.

- Now, some temporary files are created in the working directory. ORIGINAL.BIN is the target file for editing.

- Run the WinHEX editor, open the ORIGINAL.BIN file and search for the RSDT data string.
- Press OK to find the ACPI table index. Each 4-byte word represents a BIOS ACPI table entry. Find a less useful ACPI table entry and convert it into the SLIC table to store the SLP 2.0 data string.

There are four possibilities for the ACPI table entries found in the BIOS of most DIY motherboards:
- The longest ACPI index is found, such as RSDTFACPDSDTAPICSSDTSRATFACS. Binbin suggests converting the SRAT table entry into the SLIC table entry, since this table entry is not used by default.
- A shorter ACPI index is found, such as RSDTFACPDSDTAPICMCFGFACS. Binbin suggests converting the MCFG table entry. If MCFG is not found, then ACPI is the last resort. However, converting the ACPI table entry for SLIC might cause the installed OS to fail to operate. A re-installation is needed to resolve the problem after this step. This situation is similar to when the ACPI function is disabled / enabled in the normal BIOS configuration screen.
- An even shorter ACPI index is found, such as RSDTFACPDSDTFACS. You can stop here, as all these table entries are must-have entries and none of them can be converted to a SLIC table.
- None of the ACPI entries is found, especially with the newest motherboard BIOSes released after the Binbin SLP 2.0 cracking guide.
- Replace the SRAT table entry with SLIC and save the changes made.
- Switch back to the MODBIN6 window and click the save option in the File menu to save the edited BIOS template file.

- Next, CBROM219 is used to extract the ACPI data structure, add the SLP 2.0 data segments to the ACPI SLIC table that has been added successfully, and modify the OEMID and OEMTABLEID found in the RSDT table entry.
- Open a Windows Vista Command Prompt in the working directory and execute this command:
cbrom219 8hmx6323.bin /acpitbl extract
Press Enter to accept the default when prompted for a file name.

- Switch to the WinHEX editor and open the extracted acpitbl.bin BIOS template.
- Modify the OEMID and OEMTableID in the RSDT table to match the data strings in the SLP Marker. OEMID is fixed at 6 bytes, while OEMTableID is fixed at 8 bytes. Fill any empty bytes with spaces (0x20). Save the changes when done.

- Append the SLIC table to the ACPI data structure. In the open Windows Vista Command Prompt, type this command:
copy acpitbl.bin /b + acpislic.bin /b acpitbl.bin /b
The acpislic.bin file is the SLIC table containing both the SLP Public Key and the SLP Marker.
- Now, restore the extracted ACPI table structure back to the BIOS template. In the Command Prompt, execute
cbrom219 8hmx6323.bin /acpitbl acpitbl.bin
- Lastly, flash (update) the existing BIOS with the new BIOS template containing the ACPI_SLIC table. Reinstall Windows Vista or boot into the existing Windows Vista installation to verify that the OEM Windows Vista has been successfully activated as a genuine copy!
Part Five : Verify the BIOS modification result.
Binbin suggests using Everest Ultimate v3.50.888 Beta to verify the modified BIOS.
- Execute Everest and locate the Motherboard entry in the left panel.
- Double-click the ACPI entry and take a look at the SLIC table. The length of the SLIC table entry should be 374 bytes.

- Next, verify that the OEMID and OEMTableID in the RSDT table match those in the SLP Marker.

- If the SLIC and RSDT table verifications pass, proceed to install Windows Vista with the OEM Vista product key that serves as the SLP private key, and load the OEM BIOS certificate.
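A defender's counterpart to this check, as an added example that is not from Binbin's guide or this article: it walks a dump of ACPI tables and reports tables that are missing from, or absent in, the vendor's expected list, which is how a replaced entry such as SRAT becoming SLIC shows up in a firmware audit. It assumes the dump is a plain back-to-back concatenation of tables, each with the standard 36-byte ACPI header; the function names, the baseline list and the sample IDs are constructed for illustration.

```python
import struct

# Standard 36-byte ACPI table header: signature, length, revision, checksum,
# OEMID (6 bytes), OEM Table ID (8 bytes), OEM revision, creator ID/revision.
HDR = struct.Struct("<4sIBB6s8sI4sI")

def walk_tables(blob):
    """Yield one record per table in a blob of back-to-back ACPI tables."""
    off = 0
    while off + HDR.size <= len(blob):
        sig, length, _rev, _sum, oemid, tblid, *_ = HDR.unpack_from(blob, off)
        if length < HDR.size or off + length > len(blob):
            break  # implausible length field: stop instead of misparsing
        yield {"sig": sig.decode("ascii", "replace"), "len": length,
               "oemid": oemid.decode("ascii", "replace"),
               "tblid": tblid.decode("ascii", "replace"),
               # all bytes of a valid table sum to 0 modulo 256
               "sum_ok": sum(blob[off:off + length]) % 256 == 0}
        off += length

def audit(blob, baseline_sigs):
    """Compare a dump with the vendor's expected table list; return findings."""
    tables = list(walk_tables(blob))
    seen = [t["sig"] for t in tables]
    findings = [f"missing table {s}" for s in baseline_sigs if s not in seen]
    for t in tables:
        if t["sig"] not in baseline_sigs:
            findings.append(f"unexpected table {t['sig']} len={t['len']} "
                            f"oemid={t['oemid']!r} tblid={t['tblid']!r}")
        if not t["sum_ok"]:
            findings.append(f"bad checksum in {t['sig']}")
    return findings

def make_table(sig, oemid, tblid, payload=b""):
    """Build a constructed sample table with a valid checksum."""
    raw = bytearray(HDR.pack(sig, HDR.size + len(payload), 1, 0,
                             oemid, tblid, 1, b"TEST", 1) + payload)
    raw[9] = -sum(raw) % 256  # checksum byte sits at offset 9
    return bytes(raw)

# Constructed sample: vendor baseline versus a dump where SRAT became SLIC.
BASELINE = ["RSDT", "FACP", "APIC", "SRAT"]
def sample_dump():
    ids = (b"VENDOR", b"BOARD001")  # placeholder OEMID / OEM Table ID
    return b"".join([make_table(b"RSDT", *ids), make_table(b"FACP", *ids),
                     make_table(b"APIC", *ids),
                     make_table(b"SLIC", b"OTHER ", b"OTHERTBL", bytes(338))])

if __name__ == "__main__":
    print("\n".join(audit(sample_dump(), BASELINE)))
```

A SLIC table on a board whose vendor image never shipped one, paired with a table missing from the baseline, is the signature of the replacement described in Part Three.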