plencnerb
Premium Member
join:2000-09-25
53403-1242

Can SHA1 values be "faked"?

As the title says, I am wondering if SHA1 values of a file can be "faked" to make it look original, when in fact, a modification has been made to the file.

Example: Microsoft lists the SHA1 values of the released to MSDN/Technet Windows 8 versions. The same ones are also listed on the following webpage.

»www.mydigitallife.info/w ··· technet/

So, no matter what the file is named, I can be 100% sure that the file I have is the same, if the SHA1 values match, right?

Or, is there a way to modify the file, and "reset" the SHA1 value back to what it was before the modification took place? Meaning, that the SHA1 value is not all it's cracked up to be.

Thanks,

--Brian

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Yes, but not easily.

Yet there is a published attack which should find a collision in about 2^63 steps

2^63 is 9,223,372,036,854,775,808 by the way.

PetePuma
How many lumps do you want
MVM
join:2002-06-13
Arlington, VA

to plencnerb
The SHA1 is a computation on the file contents, not an attribute that's just tied to it. It would be exceedingly very very very difficult to come up with a 2nd file of any kind/size/contents to have a matching SHA1, even harder to have one that matches a similar but not exactly the same file.

plencnerb
Premium Member
join:2000-09-25
53403-1242

Ok that is what I thought.

This brings me to my actual question. And I don't want this to turn into more than it needs to be.

I have a program that I downloaded called "HashCalc", that will display the SHA1 values of a file.

I "acquired" a file called en_windows_8_x86_dvd_915417.iso, which as most of us know, is the same filename that Microsoft uses for Windows 8 32 bit on the MSDN site.

I burned the ISO to my USB flash drive without making any modifications to it. When I do the install, it of course asks me to enter a license key (as it should... that is now part of the Windows 8 install process).

I know about the EI.CFG file trick (place the file formatted properly into the \source folder, and it won't ask you for a key during install). Since I wanted to just install it, I extracted the contents of the ISO file to a folder, and added the EI.CFG file in the proper place. I then made a 2nd ISO using a program called "ImgBurn".

I then used the same method to "burn" that ISO to my USB Drive, and attempt to install Windows 8.

As expected, the install, while it did ask for a key, allowed me to "skip" it and then continue with the install.

However, when all was said and done, I was not expecting to see the following things:

1) When I went to register Windows 8, the activation screen indicated that a key was used, and displayed the last 4 digits of it.

2) Magic Jelly Beans displayed a key, that was different from the one displayed on the Activation Screen

3) On every boot, I saw at least 3 errors in the event logs indicating that some kind of "automatic" activation was taking place using the "slmgr" command, and that "automatic" activation failed, due to the key being invalid.

So, that is why I'm asking.

For those that have downloaded the "official" ISOs from Microsoft, if you go ahead and add the EI.CFG file, do you get the same results?

I would think that Microsoft would not "pre-populate" keys in their products, or have it "automatically try to register" on boot up if you skip the actual entering of a product key. I think what I downloaded was a "leaked" or "cracked" version of the install.

So, I went back and looked at the SHA1 value of what I downloaded. I was surprised to see that the value matched exactly to what Microsoft posted. Hence, my question.

Thoughts?

--Brian
plencnerb

Premium Member

I'm posting a reply to my own thread, as I am puzzled about this. It has been a week since I posted my last reply. In that time, 187 people have looked at it, and no new replies have been posted.

I know there are a lot of people on here that have downloaded and installed Windows 8 directly from Microsoft.

All I want to know is for those that have, if you went ahead and performed the steps to modify the ISO to include the EI.CFG file, does your media from Microsoft behave the same way that I describe above?

If it does not perform that way, then I would think that the people who came up with the SHA1 algorithm would love to know this, as it appears someone out there has figured out a way to "hack" or "modify" the SHA1 value on an ISO image after they have made modifications to the files inside of it. From what I have read via a Google search, as well as what Kilroy and PetePuma have indicated, there is a way to do it, it's just not very easy.

I believe what I have is a "hacked" or "Modified" ISO that has the same SHA1 value. As I said in my last post, I don't believe that Microsoft would code a fake key into their OS and have it try to automatically register using the slmgr command if you choose to not enter a key during the install process.

Maybe I'm wrong, and that is what Microsoft has done.

Which is why I'm posting this, to try to figure it out.

Thanks,

--Brian
OZO
Premium Member
join:2003-01-17

to plencnerb
Brian, theoretically it's always possible to fake any hash. That's by hash definition. The only way to provide you a 100% guarantee is to give you another copy of the file to compare with (which, as you could imagine, is not practical at all). Quality of a hash depends on the improbability of doing so. And the quality of SHA1 is pretty high. So, my bet is that what you see is not related to the hash of the initial ISO file. The problem is rather with something else. Maybe the key you put into the EI.CFG file is incorrect. Or you put it in the wrong way, using a different format than was recommended. Or maybe there is some other reason... Wait for someone who actually did it to report the correct way to you.
dave
Premium Member
join:2000-05-04
not in ohio

Or, more simply: »en.wikipedia.org/wiki/Pi ··· rinciple
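
An added illustration (not part of any post in this thread) of the pigeonhole point above: SHA-1 is cut down to a constructed 16-bit toy hash so the searches finish quickly. It contrasts finding any two colliding inputs with matching one fixed published value, which is the case an ISO checksum relies on. The names `tiny_sha1`, `message` and the sample target are assumptions made for the example.

```python
import hashlib
from itertools import count

BITS = 16  # constructed toy size; real SHA-1 output is 160 bits

def tiny_sha1(data: bytes, bits: int = BITS) -> int:
    """Keep only the top `bits` bits of SHA-1 to get a deliberately tiny hash."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)

def message(i: int) -> bytes:
    """Constructed sample inputs: file-0, file-1, ..."""
    return b"file-%d" % i

def find_collision(bits: int = BITS):
    """Find ANY two inputs sharing a tiny hash (about 2^(bits/2) tries).

    Pigeonhole: with only 2^bits possible outputs, 2^bits + 1 distinct
    inputs are guaranteed to contain a repeat.
    """
    seen = {}
    for i in count():
        tag = tiny_sha1(message(i), bits)
        if tag in seen:
            return seen[tag], i, i + 1  # the two indices, inputs hashed
        seen[tag] = i

def find_second_preimage(target: bytes, bits: int = BITS):
    """Find a different input matching ONE fixed hash (about 2^bits tries)."""
    want = tiny_sha1(target, bits)
    for i in count():
        candidate = message(i)
        if candidate != target and tiny_sha1(candidate, bits) == want:
            return candidate, i + 1  # the forged input, inputs hashed

if __name__ == "__main__":
    a, b, tries = find_collision()
    print("collision:", message(a), message(b), "after", tries, "hashes")
    forged, tries = find_second_preimage(b"published-image")
    print("second preimage:", forged, "after", tries, "hashes")
    # Each extra output bit doubles the second search; at 160 bits the
    # generic costs are about 2^80 (collision) and 2^160 (fixed target).
```
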
chandom
join:2001-05-23
Tallahassee, FL

Member

to plencnerb
Did the key that showed up end in J8CK4? If so, that is the KMS Client key. That could be what it defaults to when no key is used.

plencnerb
Premium Member
join:2000-09-25
53403-1242

said by chandom:

Did the key that showed up end in J8CK4? If so, that is the KMS Client key. That could be what it defaults to when no key is used.

I would have to re-install it again on a 2nd hard drive to verify that. I will do that and report back.

As far as the contents of the EI.CFG file, see the picture I posted.

Thanks for the replies everyone.

--Brian
plencnerb

Premium Member

[Attached images: Pic #1 through Pic #14]

OK, got lots of pictures this time. I think I have everything I need to help answer the questions so far, and hopefully figure out what is going on.

Pic #1 shows the details of the file that I acquired. I am showing this for reference only, as it does show the size of the file in both GB and bytes.

Pic #2 shows the information displayed by the program "HashCalc" for the file shown in Pic #1

Pic #3 shows the details of my modified ISO. To make this, I extracted the contents of the ISO shown in Pic #1 to a folder. I then placed the file EI.CFG (shown in my last post) into the \sources folder. Using a program called ImgBurn, I created the modified ISO, which I then burned to my USB drive for install.

Pic #4 shows the information displayed by HashCalc for the modified ISO. As expected, the SHA1 values in Pic #2 and Pic #4 are different. As they should be, as I modified and re-built the ISO!

Pic #5 is just for clarification of the SHA1 values to make them easier to read. I copied what was shown from HashCalc into notepad, and also copied the Official Microsoft SHA1 value directly from the web page that I referenced in my first post. The only difference I see between the two SHA1 values (Microsoft and the one reported by HashCalc) is Microsoft's is all uppercase, while HashCalc is all lowercase. I don't think that matters much, as long as the characters themselves match.

Pic #6 shows the system information screen from inside of Windows 8. I did this to show that the bottom part indicates that Windows is not activated. This would be true, as I did not enter a key during the install process.

Pic #7 shows the Activation Screen. Again, it is indicating that Windows is not activated. The last 5 digits of the key that is showing is CRYQH. However, since I did not enter one during the install, where did this key come from? (if we assume that a true ISO from Microsoft does not have a built-in key)

Pic #8 is again for information, showing the watermark in the bottom right corner of the screen. Again, with Windows not activated, this would be present.

Pic #9 & Pic #10 are screen shots from Magical Jelly Bean Keyfinder v2.0.9.5. The CD Key shown by that application is V3362-PQTMC-PQY2R-9GM8V-R88XV. Of note is that the partial key shown in Pic #7 does not appear at all in the key displayed by Magical Jelly Bean. Again, a key was not entered during the install process.

The rest of the pictures (# 11 thru #14) are the detailed Error events that show up every time I reboot.
Event 1014 shows up three times (pic #11).
Event 8200 shows up three times (pic #12).
Event 8198 shows up two times with different data (pic #13 & pic #14).

The partial key of "J8CK4" that chandom made note of does not show up at all (either from the windows activation screen, or MJB).

I am back now in Windows 7, but if more information is needed, I can always switch hard drives if needed.

My thought here is that I do have a "hacked" or "Modified" ISO image, and whoever did that was able to "fake" or "reset" the SHA1 value to match that of the one supplied by Microsoft. If that is the case, then I would be worried about that, as all signs seem to point to the fact that doing that was supposed to not be an easy process.

Finally, when I say "A key was not entered during the install", I want to make note that I did not enter a key, but the option to enter one was given to me. My understanding of one of the uses for the EI.CFG file is to allow you to install Windows 8, and have the ability to click a button that allows you to skip the entering of a key. So, I did see the box where I could enter a key, but I did not enter one and clicked the "skip" button instead.

Thoughts?

--Brian
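
An added example (not from any poster in this thread) of the check described in the post above: hash the image in chunks, compare against a published SHA-1 without regard to letter case, and confirm that renaming leaves the digest alone while rebuilding the image changes it. The file names and contents are constructed stand-ins, not a real ISO or EI.CFG.

```python
import hashlib
import hmac
import os
import tempfile

def file_digests(path, algorithms=("sha1", "sha256"), chunk_size=1 << 20):
    """Hash a file in chunks so a multi-GB ISO never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def matches_published(path, published_hex, algorithm="sha1"):
    """True if the file's digest equals the published one (case-insensitive)."""
    expected = "".join(published_hex.split()).lower()
    actual = file_digests(path, (algorithm,))[algorithm]
    return hmac.compare_digest(actual, expected)

def demo():
    # Constructed stand-in for an ISO: 3 MiB of fixed bytes, not a real image.
    payload = bytes(range(256)) * (3 * 4096)
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "original.iso")
        with open(iso, "wb") as fh:
            fh.write(payload)
        # Published values are often uppercase; hashing tools often print lowercase.
        published = file_digests(iso)["sha1"].upper()
        original_ok = matches_published(iso, published)

        # Renaming changes nothing: the digest covers contents, not the name.
        renamed = os.path.join(tmp, "some_other_name.iso")
        os.replace(iso, renamed)
        renamed_ok = matches_published(renamed, published)

        # Stand-in for rebuilding the image with one extra small file in it.
        rebuilt = os.path.join(tmp, "rebuilt.iso")
        with open(rebuilt, "wb") as fh:
            fh.write(payload + b"constructed extra file\n")
        rebuilt_ok = matches_published(rebuilt, published)
    return {"original": original_ok, "renamed": renamed_ok, "rebuilt": rebuilt_ok}

if __name__ == "__main__":
    print(demo())
```
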
chandom
join:2001-05-23
Tallahassee, FL

Member

The CRYQH key shows a lot of hits on Google. I'm in the process of making my own "no key" image based on the version that I downloaded off of Technet.

Running MJB on the install with key did produce a very different key than what was used for the install.
However, the last 5 on the activation screen did correspond to the one I used during the install.
chandom

Member

Just got done installing.
Same results as you had posted, the same last 5 activation key and MJB key.

Once again, the ISO I used was direct from the MS Technet site. Only change was to add the EI.CFG file.

plencnerb
Premium Member
join:2000-09-25
53403-1242

said by chandom:

Just got done installing.
Same results as you had posted, the same last 5 activation key and MJB key.

Once again, the ISO I used was direct from the MS Technet site. Only change was to add the EI.CFG file.

That is interesting. In a way I am glad, but at the same time, it makes me wonder why Microsoft did this.

Could they have done it to try to keep track somehow of the number of installs done using the "add EI.CFG file" method?

Do you also see the same errors in the event logs?

Finally, once installed, if you were to put in your key, do both MJB and the activation screen show the key you used?

--Brian
chandom
join:2001-05-23
Tallahassee, FL

Member

On the install I used my key with, they were different.
The key used was different from what MJB reported.

Didn't bother to review the event logs.