TSforge New Tool Bypasses Windows Activation on All Versions

A team of researchers has unveiled TSforge, an exploit that can activate every version of Windows dating back to Windows 7, along with all associated Windows add-ons and every Office version since Office 2013.

Background on SPP and the CID Trick

The Software Protection Platform (SPP) is the framework that manages licenses and activation state within Windows. It comprises several components, including sppsvc.exe/slsvc.exe for the user-mode service and sppobjs.dll for product key validation. The researchers began their work in 2023 with the “CID trick,” which circumvented confirmation ID (CID) validation.

The trick involved patching the CID validation code within sppobjs.dll so that a counterfeit CID would be accepted for activation. Notably, the activation survived service restarts, indicating that once the activation data was recorded, it was not re-validated.

Technical Breakthroughs

The development of TSforge required an in-depth understanding of where activation data is stored. Researchers pinpointed critical locations such as `C:\Windows\System32\spp\store\2.0\data.dat` and `tokens.dat`, alongside registry keys located under `HKEY_LOCAL_MACHINE\SYSTEM\WPA`. According to insights from MASSGRAVE, these files and keys constitute the “trusted store,” which holds vital activation data in an encrypted format.
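Because the article's point is that the SPP components and trusted store are not re-validated after the fact, a defender's first step is change detection on exactly those artefacts. The following PowerShell script is an added example (not from the article or from MASSGRAVE): it records Authenticode status and SHA-256 hashes for the SPP binaries and trusted-store files named above, then reports differences on later runs. The baseline file location is an assumption.

```powershell
# Added example: baseline and re-check SPP binaries and trusted-store files.
# Run from an elevated PowerShell session; the baseline path is an assumption.
$SppBinaries = @(
    "$env:SystemRoot\System32\sppsvc.exe",
    "$env:SystemRoot\System32\sppobjs.dll"
)
$TrustedStore = @(
    "$env:SystemRoot\System32\spp\store\2.0\data.dat",
    "$env:SystemRoot\System32\spp\store\2.0\tokens.dat"
)
$BaselinePath = "$env:ProgramData\spp-baseline.json"   # assumed location

function Get-SppState {
    # Collect hash (and, for code, signature status) of each artefact that exists.
    $state = @{}
    foreach ($f in $SppBinaries) {
        if (Test-Path $f) {
            $sig = Get-AuthenticodeSignature -FilePath $f
            $state[$f] = @{
                Hash   = (Get-FileHash -Path $f -Algorithm SHA256).Hash
                Signed = ($sig.Status -eq 'Valid')
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }
    foreach ($f in $TrustedStore) {
        if (Test-Path $f) {
            $state[$f] = @{ Hash = (Get-FileHash -Path $f -Algorithm SHA256).Hash }
        }
    }
    return $state
}

$current = Get-SppState
if (-not (Test-Path $BaselinePath)) {
    # First run: persist the baseline and stop.
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
foreach ($path in $current.Keys) {
    $old = $baseline.$path
    $new = $current[$path]
    if ($null -eq $old) { Write-Warning "New since baseline: $path"; continue }
    if ($old.Hash -ne $new.Hash) { Write-Warning "Changed: $path" }
    if ($new.ContainsKey('Signed') -and -not $new.Signed) {
        Write-Warning "Signature not valid: $path"
    }
}
```

The trusted-store files legitimately change on any licensing operation, so a changed hash there is a prompt to correlate with expected activation events, whereas a modified or unsigned sppobjs.dll or sppsvc.exe warrants immediate investigation.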

Utilizing leaked Windows beta builds, the team gleaned valuable information regarding the spsys.sys driver, essential for comprehending the operation of the trusted store in earlier Windows iterations. Through reverse engineering and debugging of these components, they unveiled encryption routines, enabling them to derive private RSA keys necessary for both decrypting and re-encrypting the physical store.

Armed with these private keys, the researchers found themselves capable of activating any Windows edition without the need for debuggers or kernel exploits. They also devised strategies to bypass hardware ID (HWID) validation and the PKEY2005 encoding system prevalent in older versions.

TSforge’s significance goes beyond activation itself: it reflects a detailed understanding of SPP’s internals and exposes weaknesses that were leveraged to build a comprehensive activation bypass. Despite the security measures embedded within SPP, TSforge shows that with persistence and inventive reverse engineering, even a mature digital rights management system can be defeated.

Winsage