BetaArchive Logo
Navigation Home Database Screenshots Gallery Image Uploader Server Info FTP Servers Wiki Forum RSS Feed Rules Please Donate
UP: 11d, 10h, 55m | CPU: 5% | MEM: 5221MB of 11461MB used
{The community for beta collectors}

Post new topic Reply to topic  [ 1 post ] 
Author Message
 PostPost subject: Windows ME OEM BIOS Lock, or: SU0173        Posted: Mon Sep 19, 2016 8:58 pm 
Reply with quote
User avatar

Sat Oct 07, 2006 12:04 pm


Favourite OS
Anything checked :P
In Windows ME, MS implemented their own standard for a BIOS Lock protection in the WinME setup, probably because of OEM demand.

Basically, if setupx.dll is configured to do so, it calls into the 16-bit dll OEMBIOS.DLL (seen in \win9x on the install media), exported function OEMBiosCheck.

Here's the function prototype:

DWORD __export FAR __stdcall OEMBIOSCheck(WORD* a1,WORD* a2,WORD* a3,LPCSTR a4,LPCSTR a5);

*a1 should be 0x1231 on entry.

If the BIOS lock check succeeded, the following should be done:
0x1972 should be placed into *a1
The contents of *a2 and *a3 should be swapped.
The low word of the return value should be *a3 (after the swap); and the high word of the return value should be *a2 (after the swap)

SUWIN.EXE checks that these things have been done upon return of the function, and if things are not OK, then it returns the SU0173 error ("This version of Windows Millennium Edition cannot be installed on your computer. Please obtain the correct version from your computer manufacturer.") that could be called infamous (there's over 3000 results on Google for that error code, most lead to posts from the time WinME was popular, at that time people just dropped in some other PRECOPY1.CAB).

MS seems to have made their own OEMBIOS.DLL and provided it to OEMs, which reads a configuration either from OEMBIOS.INI or encrypted as OEMBIOS.DAT.

The encryption algorithm is implemented below (in PHP as I like PHP one-liners; however what was originally a one-liner has now been expanded here):
function oembioscrypto($ct) {
   $rolling = 0xa5;
   $ct = str_split($ct);
   foreach ($ct as &$al) {
      $al = ord($al);
      $saved = $al;
      $al ^= 0x62;
      $al = ~$al;
      $al -= $rolling;
      $al ^= 0xc5;
      $al &= 0xff;
      $rolling += $saved;
      $al = chr($al);
   $ct = implode('',$ct);
   return $ct;

The CRC= value of the .INI contains a CRC32 over 4096 bytes: the BIOS= value concatenated with the BIOSi= values (where i is from 0 to 99, stopping when there is no value for that iteration), padded with nulls to 4091 bytes, and the last 5 bytes being 0x57494e3958, or, ASCII "WIN9X".
(In the INI, the CRC32 is in hex format, prefixed with the usual hex prefix "0x")

Even though MS made their own OEMBIOS.DLL, some OEMs made their own, so evidently OEMs were given documentation regarding that; which probably means said documentation would be in the Windows ME OPK, along with either documentation or a tool to make the CRC32s for the OEMBIOS.INIs, and either documentation or a tool to encrypt the OEMBIOS.INI files to OEMBIOS.DAT. (see the Microsoft Windows ME (4.90.3000) [Polish] [NTT OEM] on BA FTP for an example of an OEMBIOS.DLL that was made by an OEM)

C H E C K E D . B U I L D S . A R E . A W E S O M E N E S S

Glitch City Laboratories ForumsSoftHistory #softhistory,#galaxy

If you like my posts, donate me Dogecoin: DLnZV8DS3CaZmLKAVxL2aMijY2vUZeyjBi

Last edited by The Distractor on Tue Sep 20, 2016 3:23 pm, edited 2 times in total.
figured out the CRC'd data

Top  Profile
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

Who is online

Users browsing this forum: No registered users and 2 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  

All views expressed in these forums are those of the author and do not necessarily represent the views of the BetaArchive site owner.

Powered by phpBB® Forum Software © phpBB Group

Copyright © 2006-2020


Sitemap | XML | RSS