riso
Windows 8 build hash explained
« on: April 27, 2011, 12:22:28 PM »
With early builds of Windows 8 leaking, increased attention has been focused on understanding a new 16-character string affixed to the end of the build watermark. Some have speculated the characters identify the original installer (Microsoft employee) while others have dismissed the importance altogether.
After installing the leaked Windows 8 7955 build, in plain sight are the characters a1b6210f837a32cf. Digging through shell32.dll, housing code to paint the desktop watermark, I found code that sources from HKLM\SYSTEM\WPA\478C035F-04BC-48C7-B324-2462D786DAD7-5P-9. More specifically, the Default value, comprising 128 bytes, is read and run through an XOR-based function producing a 64-bit (8 byte) hash. I’ve included a rough translation of the algorithm (from assembly to C++) for review. (If this is an implementation of a well-known algorithm, I’d love to know.)

// BYTE is the Windows typedef for unsigned char (<windows.h>).
BYTE wpa[128] = {
    0x37, 0xc5, 0xcf, 0x49, 0x33, 0xc8, 0xe4, 0x73,
    0xad, 0x45, 0xe1, 0x7e, 0x23, 0xb7, 0xa4, 0xfe,
    0xc5, 0xff, 0x25, 0xcc, 0x4c, 0xd7, 0x3e, 0x66,
    0x92, 0x9b, 0x92, 0xe3, 0x1b, 0x43, 0xa3, 0x25,
    0xd5, 0x7a, 0xc0, 0xe5, 0xd7, 0x4a, 0xf7, 0xa4,
    0x0e, 0xc2, 0x6c, 0xf1, 0xc2, 0xd0, 0x8d, 0xab,
    0x30, 0x50, 0xcd, 0xd3, 0xc7, 0x2e, 0x88, 0x62,
    0x45, 0xe3, 0x06, 0x3e, 0x0a, 0x1d, 0x24, 0xdf,
    0x1b, 0x4c, 0x93, 0xae, 0x33, 0x91, 0xfd, 0x1d,
    0x3a, 0x73, 0xf7, 0x56, 0x01, 0xad, 0xec, 0x03,
    0x98, 0x2b, 0x6b, 0x0d, 0x05, 0x8f, 0xee, 0xf1,
    0x35, 0x1a, 0xf3, 0x6d, 0x33, 0x3e, 0x6a, 0xec,
    0xd0, 0x04, 0xfa, 0xc7, 0xa4, 0xd3, 0xae, 0x4a,
    0x70, 0x3c, 0xd8, 0x38, 0x3d, 0xf9, 0x34, 0x14,
    0x54, 0x7d, 0x03, 0x65, 0x42, 0xc5, 0xdb, 0xfc,
    0x98, 0x03, 0xc6, 0x29, 0xab, 0x73, 0x51, 0xdd
};

BYTE hash[8] = {0};

for(int i = 0; i < 16; i++) {
    // Start at offset i within the first 16-byte row.
    BYTE* v6 = &wpa[i];

    // Walk down the 8 rows (stride 16), folding one byte into each hash[j].
    for(int j = 0; j < 8; j++) {
        hash[j] ^= *v6;
        v6 += 16;
    }
}

Without knowing if Windows 8 requires a product key for installation, it’s hard to pinpoint how this hash is used. (The leaked ISOs thus far have all been homemade wrappers around installed and resealed copies of Windows.) Assuming a product key is required for installation internally, one can see the dangers with leaking a build of Windows 8. The hash could be given to an issuing authority and checked against a list of employees, for swift termination. If a product key is not required for fresh installation, however, one could assume the hash is a deterrent to those thinking about leaking genuine Windows 8 keys.

In either case, leaking Microsoft Confidential assets is a risky business. (Don’t be stupid.)
@WithinWindows
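
Added example (not part of the original post and not Microsoft's code): the post's XOR fold as a self-contained C++ program. It checks that the 128 bytes listed above fold to the watermark string a1b6210f837a32cf, and that the function is linear over XOR, which makes it a per-row parity checksum rather than a cryptographic hash. The names kWpa, fold, to_hex and is_linear are chosen here for illustration.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <string>

using Blob = std::array<std::uint8_t, 128>;
using Hash = std::array<std::uint8_t, 8>;

// The 128 bytes listed in the post, 16 per line (one line per output byte).
const Blob kWpa = {{
    0x37,0xc5,0xcf,0x49,0x33,0xc8,0xe4,0x73,0xad,0x45,0xe1,0x7e,0x23,0xb7,0xa4,0xfe,
    0xc5,0xff,0x25,0xcc,0x4c,0xd7,0x3e,0x66,0x92,0x9b,0x92,0xe3,0x1b,0x43,0xa3,0x25,
    0xd5,0x7a,0xc0,0xe5,0xd7,0x4a,0xf7,0xa4,0x0e,0xc2,0x6c,0xf1,0xc2,0xd0,0x8d,0xab,
    0x30,0x50,0xcd,0xd3,0xc7,0x2e,0x88,0x62,0x45,0xe3,0x06,0x3e,0x0a,0x1d,0x24,0xdf,
    0x1b,0x4c,0x93,0xae,0x33,0x91,0xfd,0x1d,0x3a,0x73,0xf7,0x56,0x01,0xad,0xec,0x03,
    0x98,0x2b,0x6b,0x0d,0x05,0x8f,0xee,0xf1,0x35,0x1a,0xf3,0x6d,0x33,0x3e,0x6a,0xec,
    0xd0,0x04,0xfa,0xc7,0xa4,0xd3,0xae,0x4a,0x70,0x3c,0xd8,0x38,0x3d,0xf9,0x34,0x14,
    0x54,0x7d,0x03,0x65,0x42,0xc5,0xdb,0xfc,0x98,0x03,0xc6,0x29,0xab,0x73,0x51,0xdd
}};

// Same result as the post's nested loops: hash[j] is the XOR of bytes 16*j .. 16*j+15.
Hash fold(const Blob& in) {
    Hash h{};
    for (std::size_t k = 0; k < in.size(); ++k) h[k / 16] ^= in[k];
    return h;
}

// Render the 8 bytes as the 16-character lowercase hex string seen in the watermark.
std::string to_hex(const Hash& h) {
    static const char* digits = "0123456789abcdef";
    std::string s;
    for (std::uint8_t b : h) { s += digits[b >> 4]; s += digits[b & 15]; }
    return s;
}

// Linearity: fold(a XOR b) == fold(a) XOR fold(b) for any two inputs.
bool is_linear(const Blob& a, const Blob& b) {
    Blob x{};
    for (std::size_t k = 0; k < x.size(); ++k) x[k] = a[k] ^ b[k];
    const Hash fa = fold(a), fb = fold(b), fx = fold(x);
    for (std::size_t j = 0; j < fx.size(); ++j)
        if (fx[j] != (fa[j] ^ fb[j])) return false;
    return true;
}

int main() {
    std::printf("%s\n", to_hex(fold(kWpa)).c_str());
}
```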