The MAS project, a group of people working on an open source Windows and Office activator featuring HWID, Ohook, KMS38, and Online KMS activation methods, discovered quite a neat and interesting bug in the code responsible for licensing in Windows.
In our ongoing work to bypass Windows licensing checks, we occasionally stumble upon bugs that we choose to keep secret. This decision allows us to preserve potential future activation methods by avoiding bug fixes, while also giving us valuable tools for testing or developing new methods.
One such discovery, which we’ve named “Keyhole”, turned out to be a highly effective DRM bypass. It gave users the ability to license any Microsoft Store app or any modern Windows edition with ease.
↫ The MAS project
There were quite a number of roadblocks to overcome here, such as Microsoft’s code obfuscation tool, Warbird, which someone else had already defeated; after that, they could really start digging into the code responsible for handling Microsoft Store and Windows licenses. They then discovered that circumventing the license blocks that hold the actual license information was dead simple: every license block is followed by a signature block covering all the data that comes before it. It turns out that messing with the licensing system was as simple as… adding data after that signature block.
That was it.
As it turns out, data after the signature block isn’t checked at all… and it can even override data that came before it. Whenever two blocks of the same type are stored together, the last one overrides all the others before it. So, if we want to change any license data, we can just make a block for it and put it after the signature block!
This method lets us make licenses for anything sold on the Microsoft Store, including Windows, from any other Microsoft Store license. And since there are so many free apps with licenses, we now had the ability to make as many as we wanted for whatever we wanted. This bug essentially punched a hole straight through CLiP’s DRM, so we decided to name it “Keyhole”.
↫ The MAS project
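To make the failure mode concrete, here is an added example (not code from the MAS project or from Microsoft) of a toy TLV license container with two verifiers: one that models the behaviour described above, where the signature only covers the bytes before it and a later block of the same type silently overrides an earlier one, and a hardened one that requires the signature to be the final block, covers every preceding byte, and rejects duplicate types. The block type codes and the HMAC-SHA256 “signature” are constructed stand-ins; the real CLiP type codes and signature scheme are not on the page. The parser also bounds-checks every length field, since a parser that trusts lengths is the usual route to the out-of-bounds reads mentioned further down.

```python
import hmac
import hashlib
import struct

# Constructed block type codes for this example; the real CLiP codes are not on the page.
T_PRODUCT = 0x01
T_EDITION = 0x02
T_SIGNATURE = 0xFF

# Constructed key: HMAC stands in for whatever real signature scheme CLiP uses.
KEY = b"example-signing-key"


def encode_block(btype: int, value: bytes) -> bytes:
    """TLV encoding: 1-byte type, 2-byte big-endian length, value."""
    return struct.pack(">BH", btype, len(value)) + value


def parse_blocks(data: bytes):
    """Return [(offset, type, value), ...] for each TLV block.

    Every length is checked against the buffer before slicing, so a hostile
    length field raises instead of reading past the end."""
    blocks = []
    off = 0
    while off < len(data):
        if off + 3 > len(data):
            raise ValueError("truncated block header at offset %d" % off)
        btype, length = struct.unpack_from(">BH", data, off)
        start, end = off + 3, off + 3 + length
        if end > len(data):
            raise ValueError("block length runs past end of buffer at offset %d" % off)
        blocks.append((off, btype, data[start:end]))
        off = end
    return blocks


def make_license(fields: dict) -> bytes:
    """Serialise the fields, then append a signature block over everything before it."""
    body = b"".join(encode_block(t, v) for t, v in fields.items())
    sig = hmac.new(KEY, body, hashlib.sha256).digest()
    return body + encode_block(T_SIGNATURE, sig)


def verify_vulnerable(data: bytes) -> dict:
    """Models the article's description: the signature covers only the bytes
    before it, blocks after it are still parsed, and the last block of a given
    type wins. Trailing unsigned blocks therefore override signed ones."""
    fields, signed = {}, False
    for off, btype, value in parse_blocks(data):
        if btype == T_SIGNATURE:
            expected = hmac.new(KEY, data[:off], hashlib.sha256).digest()
            if not hmac.compare_digest(expected, value):
                raise ValueError("bad signature")
            signed = True
            continue
        fields[btype] = value  # last one wins, even after the signature
    if not signed:
        raise ValueError("no signature block")
    return fields


def verify_hardened(data: bytes) -> dict:
    """The signature must be the final block and must cover every byte before
    it; nothing may follow it, and duplicate types are an error, not an override."""
    blocks = parse_blocks(data)
    if not blocks or blocks[-1][1] != T_SIGNATURE:
        raise ValueError("signature must be the final block")
    sig_off, _, sig = blocks[-1]
    expected = hmac.new(KEY, data[:sig_off], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    fields = {}
    for _, btype, value in blocks[:-1]:
        if btype == T_SIGNATURE:
            raise ValueError("unexpected inner signature block")
        if btype in fields:
            raise ValueError("duplicate block type 0x%02x" % btype)
        fields[btype] = value
    return fields


if __name__ == "__main__":
    legit = make_license({T_PRODUCT: b"FreeApp", T_EDITION: b"Free"})
    # Constructed tampering: one extra block appended after the signature.
    tampered = legit + encode_block(T_EDITION, b"Enterprise")
    print("vulnerable:", verify_vulnerable(tampered)[T_EDITION])  # b'Enterprise'
    try:
        verify_hardened(tampered)
    except ValueError as e:
        print("hardened:", e)
```

The two verifiers differ only in what the signature is allowed to leave uncovered. The hardened version makes the signature block the terminator of the container, so any byte after it fails parsing as a whole rather than being quietly accepted; treating a repeated type as an error instead of an override removes the second half of the bug independently of the first.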
This opened up a massive hole in Microsoft’s licensing tools and DRM, and allowed the MAS project to pretty much do whatever they wanted. They could even do things that used to be impossible, such as “activating Enterprise LTSC with a digital license, or even activating a legitimate KMS server with a generic key”. Sadly, the fun didn’t last long, as right around the same time, Cisco TALOS discovered this same bug, reported it to Microsoft, who then proceeded to fix it.
The MAS project also discovered something else incredibly interesting, something which further highlights the seemingly terrible lack of quality assurance and code quality inside Microsoft. They noted that the kernel driver responsible for licensing looked incredibly shoddy, full of what they call “odd choices and compromises”. In fact, they soon realised that they had seen this code before: it was a straight-up copy/paste job from the licensing DRM found on the Xbox One.
And there’s the same bug that’s in CLiP, but in Xbox code. In fact, we weren’t too surprised to find this, as we found that almost all of CLiP, from the XML format of the licenses to the TLV-based license blocks, is copy-pasted straight from the Xbox One’s DRM system.
↫ The MAS project
Code reuse obviously makes sense in some situations, but the fact that Microsoft copy/pasted entire sections of code from the Xbox One straight into the Windows kernel as a kernel driver seems rather irresponsible. Shouldn’t code added to the Windows kernel and installed on billions of devices be vetted a little better than this?
Microsoft is the McDonald’s of the software industry. It is everywhere, but the quality sucks.
Nairou,
Don’t make me defend Microsoft, but one does not become the largest company on Earth (on occasion) by writing bad code.
You can actually see their code in the open source repositories (and also leaks).
https://opensource.microsoft.com/projects/
For example:
https://github.com/microsoft/calculator/blob/main/src/CalcManager/UnitConverter.cpp
@Sukru:
Running a software company myself, I believe it’s about finding the “sweet spot”:
a) if you always wait for the perfect code and solution, you will never deliver anything and will break commercially
b) if you always rush shoddy crap, you will never win customers’ hearts and will break your reputation
I believe that you will need to come up with some really strong, robust and high performance tiles made for eternity. Then you can glue those tiles together on site rather hastily as a temporary quick fix and then solidify it later when the customer starts to understand the details. This also gives you the flexibility to quickly adapt to the ever-changing requirements and moving objectives.
Don’t make me defend Microsoft but I believe they ride that sweet spot to perfection.
Andreas Reichel,
It is called legacy code, but most people have a disdain for it.
If some piece of code has survived 20 years in production, it is very likely all known bugs are already solved, and it is pretty much optimized as much as possible (given the interface restrictions).
That is why when we see a bug in such code, it is a newsworthy, extremely rare event:
https://engineering.skroutz.gr/blog/uncovering-a-24-year-old-bug-in-the-linux-kernel/
Your assertion runs counter to decades of thought leadership on this topic. The most important aspect to software development is and has always been time to market. Microsoft used to be very good at that. Quality was always a secondary concern. Security (to the extent it isn’t just an aspect of “quality”) is a distant third consideration. DRM is way down the list, as just a thing that some vendors demand, but anyone who might have to implement it cannot possibly take seriously, given the waste of effort it represents (that’s why there are always holes – the people who have to implement that crap cannot ever take it seriously).
CaptainN-,
Don’t get me wrong, I might have completely misunderstood you. So help me follow.
I think here Microsoft themselves are “that vendor”, as they needed to secure the Xbox One, and they did it successfully.
https://www.reddit.com/r/xboxone/comments/ib3nrz/xbox_one_is_about_to_end_its_life_cycle_and_is/
Its only hack came after they stopped selling the console.
Or did I completely miss the topic?
The main problem is not that the quality sucks, it’s that most major design decisions are made in the interest of the company’s bottom line, not in the interest of the user/consumer.
With McDonald’s the result is that they and other food companies are a major contributor to our current obesity/diabetes crisis; with Microsoft the result is likely to include worsened productivity, and I will go as far as to claim that the adversarial design is not good for our mental health either.
Another way to look at it is that, despite over a decade of constant scrutiny and attempted exploits, the service held up.
When, after all that time, someone did find an exploit, Microsoft immediately patched it. And the fallout was that you could install an app without paying for it… after considerable effort… something people have been doing outside the app store for decades.
Adurbe,
It’s impossible to tell how many others have access to a vulnerability if they don’t come forward and don’t trigger Microsoft/research honeypots. For example, government spy agencies including the NSA are known to use exploits for targeted espionage.
Hypothetically the exploit could provide a jumping board to other attacks as the authors mention here
I haven’t investigated it personally, but CVE-2024-38184 itself links to the following weaknesses.
https://cwe.mitre.org/data/definitions/125.html
Alfman,
Yes, it looks like this makes exploiting the buffer overruns easier, even though the hack itself is not a security issue by itself.
But it is cool that people spend so much effort trying to understand how things work behind the scenes, and push the envelope forward.
I’m not so sure.
Given Xbox OS is basically a stripped-down Windows NT, it is not very surprising to share code between them. After all, we almost never rewrite entire codebases when we port between platforms.
This would be similar to: “They copy-pasted ZFS from Solaris to BSD, and even copied some bugs, that is very irresponsible”
(I’m not sure how much of the original Solaris code was kept, and how much had to be adapted for ZFS, but I would guess about 90% would be a direct copy).
And it makes sense to use the platform advances in Xbox One (which was not hacked in its lifetime, which is extremely rare, maybe unique for a gaming console).
Bottom line, this is not the gotcha against Microsoft.
Let’s face it: commercial success often means being just good enough, as in holding up long enough.
This applies to just about every business sector: civil engineering, banking, insurance and software, medicine …
Exactly this. You only spend the time and effort to change the code if there is need to do so. If you have an existing code base that works and has been proven robust, why reinvent the wheel?
sukru,
I found some Xbox One jailbreaking/hacking links. Obviously there’s the hardware methods, no surprise there, but this talks about a kernel exploit too.
https://wololo.net/2024/06/10/xbox-one-is-getting-a-software-based-kernel-exploit-but-latest-firmware-update-probably-patched-it-already/
https://www.partitionwizard.com/partitionmagic/xbox-one-jailbreak.html
Alfman,
I know about the first one, which was announced this year. They stopped Xbox One production just before that. Hence it came ex post facto.
I have never seen the second one, or any mentions of it. And the site has no details, or downloads for the “Jailbreak Tool”. I’m not sure that is legitimate. But I might be mistaken.
sukru,
I’m not part of the Xbox community and I don’t know how much of an impact this makes, but my understanding is that Xbox One allows owners to pay $20 to unlock a developer/homebrew mode. This may have disincentivized hackers who previously hacked earlier Xbox consoles to run third-party emulators / homebrew games. Paying $20 to unlock homebrew may be preferable to risking bricking and voiding a warranty.
This could be true for jailbreaking devices in general. Without owner restrictions in the first place, I would expect the need/desire to jailbreak goes down. Fewer restrictions -> less motivated kernel hacking scene -> fewer public exploits? Ironic, but in a way it makes sense.
Alfman,
Yes. That had an effect. We have emulators on Xbox One and Xbox Series, ironically running Sony PlayStation catalog that their machines cannot.
That being said, you can even get that for free for students. Which is extra nice.
Yet… there is always an itch. Some hacker, somewhere in the world would take this security as a challenge.
What is not clear to me –
If you use this with an earlier version of a product, before it was patched, and then update to current version – will you lose the license?