Decrypting oembios.dat

Allthough the area of Windows XP and Windows Server 2003 is long passed I recently stumbled on some XP recovery discs. Because I had no idea for what systems they where intended for I searched the internet and found something interesting here. By decrypting the oembios.dat file I now can easily see which preactivated systems the recovery discs support, or at least could.
 

enum KeyType
{
  WindowsXP,
  Windows2003
}

void DecryptOembios(byte[] data, KeyType keyType)
{
  // select keys
  byte[] key0;
  uint[] key1;

  if (keyType == KeyType.WindowsXP)
  {
    key0 = new byte[] { 0x65, 0x48, 0x73, 0xb3, 0x19, 0x81, 0x67, 0xca, 0xbf, 0x02, 0xfd, 0x2e, 0xb7, 0xe3, 0x3d, 0x17 };
    key1 = new uint[] { 0x6bef9812, 0xe4ccc512, 0x08714298, 0x3ed2ee96 };
  }
  else
  {
    key0 = new byte[] { 0x76, 0xd0, 0xe7, 0x70, 0xf6, 0xb4, 0xd1, 0x76, 0x13, 0xcd, 0x6e, 0x06, 0xd7, 0x28, 0x2c, 0xce };
    key1 = new uint[] { 0xf3462a5d, 0xc605e0d6, 0x0e524b90, 0x80649049 };
  }

  // initialize keystream (using key0)
  byte[] keystream = new byte[256];
  for (int i = 0; i < 256; ++i)
    keystream[i] = (byte)i;

  byte swapIndex = 0;
  for (int i = 0; i < 256; ++i)
  {
    swapIndex += (byte)(keystream[i] + key0[i & 0xf]);
    byte swap = keystream[i];
    keystream[i] = keystream[swapIndex];
    keystream[swapIndex] = swap;
  }

  // first step (using keystream)
  byte keystreamIndex0 = 0, keystreamIndex1 = 0;
  for (int offset = 0; offset < data.Length; ++offset)
  {
    keystreamIndex1 += keystream[++keystreamIndex0];
    byte swap = keystream[keystreamIndex1];
    keystream[keystreamIndex1] = keystream[keystreamIndex0];
    keystream[keystreamIndex0] = swap;
    data[offset] ^= keystream[(byte)(keystream[keystreamIndex0] + keystream[keystreamIndex1])];
  }

  // second step (using key1)
  for (int offset = data.Length - 8; offset >= 0; --offset)
  {
    uint data0 = BitConverter.ToUInt32(data, offset);
    uint data1 = BitConverter.ToUInt32(data, offset + 4);
    uint tmp = 0xc6ef3720;
    for (int i = 0; i < 32; ++i)
    {
      data1 -= tmp + key1[tmp >> 11 & 3] ^ data0 + (data0 << 4 ^ data0 >> 5);
      tmp += 0x61c88647;
      data0 -= tmp + key1[tmp & 3] ^ data1 + (data1 << 4 ^ data1 >> 5);
    }
    BitConverter.GetBytes(data0).CopyTo(data, offset);
    BitConverter.GetBytes(data1).CopyTo(data, offset + 4);
  }
}

Using the above code, i crafted up a simple console application that can decrypt Windows XP and Windows Server 2003 oembios.dat files.




Other resources on OEM preactivation:
 

• The Windows XP OEMBIOS Archive
• Server 2003 OEMBIOS & OEM SLP Keys archive
• OEMBIOS tool for Windows 2003 and XP

Requirements:
 

• Microsoft Windows
• Microsoft .NET Framework 2.x

Download:
DecryptOembios.zip

 
Last edited Jul 14 2017