Well, what a weekend that has been. Ever since the reports started emerging online of a brute force attack on the Vista activation code using a modified version of the original software license manager script file I have been, shall we say, dubious as to the authenticity of the claim. Not least because amongst all my contacts in the security research business, on both sides of the industry fence, I failed to find a single one who could verify the crack through their own personal experience.
Oh, there have been plenty of reports online of people finding legitimate code keys in a matter of minutes, sometimes hours, appearing but not from anyone I know as a trusted source of such information. If, as was claimed, the script could run through around 5,000 keys every hour (of itself not the most powerful of brute force attacks it has to be said) I would have expected to have seen hundreds of these keys being offered for sale via the usual suspects on the dark underbelly of the web.
But no, that was not the case. So I was left with just the one option: try the keygen script for myself. In two days of constant running it returned the grand total of, well, no valid keys at all in fact. There was little shocking me when I read that the original poster of the keygen code was now claiming it had all been a hoax.
Here’s what ‘Computer User’ had to say: “fact is the brute force keygen is a joke, i never intended for it to work. I have never gotten it to work, everyone should stop using it! everyone who said they got a key a probably lying or mistaken!”
Of course, the story does not stop there. This posting was then quickly followed by plenty of folk claiming to have used the script, or slightly modified versions thereof, to generate valid licenses. One chap even posted a video as supposed evidence of the keygen working as described. But read the comments to that posting and it soon becomes clear that the video posted to squash the hoax claim was, while not exactly a hoax not exactly evidence of anything either. It is just generating keys that are not valid, indeed they even contain illegal digits that are not used in Microsoft activation keys.
What’s more, even if the thing had been working as advertised it is not at all certain that the keys so generated would pass as legitimate once they get to the next stage of the process: the Microsoft product activation servers.
According to Alex Kochis, the Senior Product Manager of Windows Genuine Advantage at Microsoft, these servers “perform a more rigorous analysis of the keys that are sent up for activation than the local key logic does. For this reason producing keys that will ultimately activate is less likely than just hitting upon one that will pass the local logic."