Mouse Cracks Cat

These folks have been poking about Windows XP figuring out how to crack it. Oh yes, this could find some legitimate use,
but it’s sort of like bong manufacturers saying they make them for all those tobacco smokers. 🙂

I suppose it’s a good piece of logical work, but it just glosses over some serious difficulties for some people, and MS countermeasures.

Mouseholes

The basic concept is as follows:

  • MS uses up to eleven hardware items to create the Product Activation (PA) code.
  • You can get up to three changes without having to tell Redmond.
  • One way or the other, you can neutralize most of these elements, and a couple of those remaining are generic enough so that you
    could have, for instance, a file that would work with a certain type of CPU, or with a certain amount of memory.

Why Those Mouseholes Look Shaky

General

This is more than a little involved, and for many legitimate users, the effort required to handle this will end up roughly the same as calling Redmond. There is no “one crack fits all” here. You could easily end up with dozens of different formulations even if MS takes no countermeasures.

Specific

Let’s see what they did, and see what MS can do to thwart this particular effort:

Change the volume ID of the computer: Not worth the effort to change.

Change the MAC address of the network card: The authors point out that some ISPs require the MAC address. If they do, they must do something with it, and having multiple identical MAC addresses in their system is bound to cause some real problems.

Switch off the CPU ID number: Microsoft could simply require a number.

Have no SCSI controller: This may be fine if you don’t have any sort of SCSI controller, but keep in mind that if you have RAID on your mobo, you have a SCSI controller. Either you disable it, or your “magic file” has to get more specific (see below).

Call your computer a notebook: If you do this, not only does it take care of this factor, it wipes out two others. Calling your computer a notebook also turns off looking for the graphics card, and any IDE or SCSI controller. This is the gaping hole in the defense that makes the rest possible. If MS goes back to the drawing board on this one (and this shouldn’t be too tricky), they effectively block the mechanism.

Assuming you can do all of the above, that leaves four items:

  • Hard disk ID
  • CPU type
  • CD-ROM Identifier
  • RAM size

Since you’re allowed up to three changes, any “magic file” you come up with has to set one of those four parameters which any later user has to match for it to work. Otherwise, you have four changes, and PA goes into effect.

Given this specific circumstance, this wouldn’t be too hard to do, since there are two fairly generic identifiers: CPU type and RAM size.

What this means is that you could have two sets of “magic files,” one set based on processor type (to oversimplify, you’d have a Duron file, a TBird file, a PIII file, etc.).

The other set would be a set of “magic files” based on the amount of RAM in the machine; so you’d have a 128MB file, a 256MB file, a 512MB file, etc.

The Cat Response

Let’s go back to those who have a SCSI controller and need to use it. Those people would have not four, but five items left:

  • Hard disk ID
  • CPU type
  • CD-ROM Identifier
  • RAM size
  • SCSI controller

These people would need a “magic file” which would require that their computer match the originator’s in two aspects. So now you couldn’t have a “Duron file,” you’d have to have a “Duron with 128MB RAM” file, a “Duron with 256MB RAM” file, etc.

That alone would multiply the number of needed “magic files” by at least a factor of five.

More importantly, you’ve run out of generic identifiers. Add any more “unresolved” items, and now you have to figure out how to fake hardware identifiers.

Can MS add more items? Sure can.

The most obvious change they could make is the “notebook or not” field.

If MS plugged that gap, you then have a minimum of six “unresolved items.”

  • Hard disk ID
  • CPU type
  • CD-ROM Identifier
  • RAM size
  • IDE and/or SCSI controller
  • Graphics card ID

This would mean you’d have to be able to somehow fake at least one of the component IDs in a way that wouldn’t prevent actual operation. It’s probably doable, but now we’ve really raised the level of complexity.

Is All This Just Moot?

Will MS do something to plug these holes? I wouldn’t be surprised if they didn’t, simply because the cat-and-mouse game isn’t going to occur here.

There’s a far more glaring weakness to PA that was overlooked by the authors, but certainly will not be overlooked by any competent cracker. It would probably be harder to break than this approach, but once done, it would be easier for leeches to implement.

On the other hand, it may well be that many people who want to use the same copy of XP on other home machines might consider this a “legitimate tweak” as opposed to a Dark Side crack.

Closing the notebook loophole looks pretty doable at first glance, though it would complicate the activation procedure, and raise the likelihood of problems for notebook users.

MS will have to decide which is the lesser of the two evils.
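To make the tolerance arithmetic in the sections above concrete, here is an added example (it is not from the original article and is not Microsoft's actual activation code): a toy model of a hardware-bound activation check that compares a stored fingerprint with the current machine and tolerates up to three changed components. The component names, the sample fingerprint values and the helper names are assumptions for illustration; the only things taken from the page are the eleven-item list and the three-change allowance. It shows, from the licence-enforcer's side, how many components a second machine must share once a given number of items remain bound, and why raising that number (as the article suggests MS could do) tightens the check.

```python
from typing import Mapping

# Hardware items the article says the activation code is derived from
# (names are assumed for this example; the real fingerprint format is not on the page).
COMPONENTS = (
    "volume_id", "mac_address", "cpu_id", "scsi_controller", "notebook_flag",
    "graphics_card", "ide_controller", "hard_disk_id", "cpu_type",
    "cdrom_id", "ram_size",
)

# The article's "up to three changes without having to tell Redmond".
ALLOWED_CHANGES = 3


def count_changes(stored: Mapping[str, str], current: Mapping[str, str]) -> int:
    """Number of bound components whose current value differs from the stored one."""
    return sum(1 for name in COMPONENTS if stored.get(name) != current.get(name))


def needs_reactivation(stored: Mapping[str, str], current: Mapping[str, str],
                       allowed: int = ALLOWED_CHANGES) -> bool:
    """True when more components changed than the tolerance permits."""
    return count_changes(stored, current) > allowed


def matches_required(unresolved: int, allowed: int = ALLOWED_CHANGES) -> int:
    """How many of the still-bound ("unresolved") components a second machine
    must share with the original for the check to pass: bound items minus tolerance."""
    return max(0, unresolved - allowed)


# Constructed sample fingerprint of the originally activated machine.
STORED = {
    "volume_id": "1A2B-3C4D", "mac_address": "00:11:22:33:44:55",
    "cpu_id": "0F23-0001", "scsi_controller": "none", "notebook_flag": "no",
    "graphics_card": "gfx-A", "ide_controller": "ide-A",
    "hard_disk_id": "hd-0001", "cpu_type": "duron", "cdrom_id": "cd-0001",
    "ram_size": "256MB",
}

# Same machine after a RAM and graphics upgrade: two changes, within tolerance.
UPGRADED = {**STORED, "ram_size": "512MB", "graphics_card": "gfx-B"}

# A different machine that happens to share most values: four changes, over tolerance.
REBUILT = {**STORED, "hard_disk_id": "hd-0002", "cpu_type": "tbird",
           "cdrom_id": "cd-0002", "ram_size": "512MB"}


if __name__ == "__main__":
    print("upgraded machine changes:", count_changes(STORED, UPGRADED),
          "-> reactivate:", needs_reactivation(STORED, UPGRADED))
    print("rebuilt machine changes:", count_changes(STORED, REBUILT),
          "-> reactivate:", needs_reactivation(STORED, REBUILT))
    # The article's three scenarios: 4, 5 and 6 items left bound.
    for bound in (4, 5, 6):
        print(f"{bound} bound items -> must match {matches_required(bound)}")
```

The `matches_required` values reproduce the article's reasoning: with four bound items one match suffices, with five (the SCSI-controller case) two are needed, and with six (the notebook field closed) three are, which is where the generic identifiers run out.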
