Although the era of Windows XP and Windows Server 2003 is long past, I recently stumbled on some XP recovery discs. Because I had no idea which systems they were intended for, I searched the internet and found something interesting here. By decrypting the oembios.dat file I can now easily see which preactivated systems the recovery discs support, or at least could.
/// <summary>
/// Identifies which of the two hard-coded key sets DecryptOembios applies.
/// </summary>
enum KeyType
{
    /// <summary>Key set for Windows XP oembios.dat files.</summary>
    WindowsXP = 0,

    /// <summary>
    /// Key set for Windows Server 2003 oembios.dat files. DecryptOembios also
    /// uses this set for any value other than <see cref="WindowsXP"/>.
    /// </summary>
    Windows2003 = 1
}
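/// <summary>
/// Decrypts the contents of an oembios.dat file in place.
/// </summary>
/// <remarks>
/// Two layers are removed in order: an RC4 keystream derived from a fixed
/// 16-byte key, then 32-round XTEA decryption applied to an 8-byte window that
/// slides one byte at a time from the end of the buffer to the start.
/// Both keys are constants embedded in this method, so the format is obfuscated
/// rather than confidential. The decrypted bytes still come from an arbitrary
/// file and should be parsed as untrusted input.
/// </remarks>
/// <param name="data">
/// Raw file contents. The array is overwritten with the decrypted bytes.
/// Buffers shorter than 8 bytes only go through the RC4 layer.
/// </param>
/// <param name="keyType">
/// Selects the key set. Any value other than <c>KeyType.WindowsXP</c> uses the
/// Windows Server 2003 keys.
/// </param>
/// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
void DecryptOembios(byte[] data, KeyType keyType)
{
    // Fail before any work is done instead of with a NullReferenceException
    // part-way through.
    if (data == null)
    {
        throw new ArgumentNullException("data");
    }

    // select keys: key0 seeds the RC4 layer, key1 is the 128-bit XTEA key
    byte[] key0;
    uint[] key1;
    if (keyType == KeyType.WindowsXP)
    {
        key0 = new byte[] { 0x65, 0x48, 0x73, 0xb3, 0x19, 0x81, 0x67, 0xca, 0xbf, 0x02, 0xfd, 0x2e, 0xb7, 0xe3, 0x3d, 0x17 };
        key1 = new uint[] { 0x6bef9812, 0xe4ccc512, 0x08714298, 0x3ed2ee96 };
    }
    else
    {
        key0 = new byte[] { 0x76, 0xd0, 0xe7, 0x70, 0xf6, 0xb4, 0xd1, 0x76, 0x13, 0xcd, 0x6e, 0x06, 0xd7, 0x28, 0x2c, 0xce };
        key1 = new uint[] { 0xf3462a5d, 0xc605e0d6, 0x0e524b90, 0x80649049 };
    }

    // Every step below relies on byte/uint wrap-around. The explicit unchecked
    // context keeps the result the same when the project is compiled with
    // overflow checking enabled.
    unchecked
    {
        // initialize keystream (RC4 key schedule over key0)
        byte[] keystream = new byte[256];
        for (int i = 0; i < 256; ++i)
        {
            keystream[i] = (byte)i;
        }

        byte swapIndex = 0;
        for (int i = 0; i < 256; ++i)
        {
            swapIndex += (byte)(keystream[i] + key0[i & 0xf]);
            byte held = keystream[i];
            keystream[i] = keystream[swapIndex];
            keystream[swapIndex] = held;
        }

        // first step: XOR every byte with the RC4 output stream
        byte keystreamIndex0 = 0, keystreamIndex1 = 0;
        for (int offset = 0; offset < data.Length; ++offset)
        {
            keystreamIndex1 += keystream[++keystreamIndex0];
            byte held = keystream[keystreamIndex1];
            keystream[keystreamIndex1] = keystream[keystreamIndex0];
            keystream[keystreamIndex0] = held;
            data[offset] ^= keystream[(byte)(keystream[keystreamIndex0] + keystream[keystreamIndex1])];
        }

        // second step: XTEA-decrypt overlapping 8-byte windows, last window first.
        // NOTE(review): BitConverter follows the host byte order; this
        // presumably assumes a little-endian machine - confirm before running elsewhere.
        for (int offset = data.Length - 8; offset >= 0; --offset)
        {
            uint data0 = BitConverter.ToUInt32(data, offset);
            uint data1 = BitConverter.ToUInt32(data, offset + 4);

            // Start from the final round sum and walk it back towards zero.
            // Adding 0x61c88647 equals subtracting the XTEA delta 0x9e3779b9.
            uint tmp = 0xc6ef3720;
            for (int i = 0; i < 32; ++i)
            {
                data1 -= tmp + key1[tmp >> 11 & 3] ^ data0 + (data0 << 4 ^ data0 >> 5);
                tmp += 0x61c88647;
                data0 -= tmp + key1[tmp & 3] ^ data1 + (data1 << 4 ^ data1 >> 5);
            }

            BitConverter.GetBytes(data0).CopyTo(data, offset);
            BitConverter.GetBytes(data1).CopyTo(data, offset + 4);
        }
    }
}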
Using the above code, I put together a simple console application that can decrypt Windows XP and Windows Server 2003 oembios.dat files.
Other resources on OEM preactivation:
- The Windows XP OEMBIOS Archive
- Server 2003 OEMBIOS & OEM SLP Keys archive
- OEMBIOS tool for Windows 2003 and XP
Requirements:
- Microsoft Windows
- Microsoft .NET Framework 2.x
Download:
DecryptOembios.zip
Last edited Jul 14 2017