massgrave/massgrave.dev
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update docs

Browse Source
This commit is contained in:
WindowsAddict
2025-03-28 05:46:29 +05:30
parent b533083a41
commit 24b93c98f5
7 changed files with 144 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
blog/2024-09-06-Keyhole/index.md
View File

@ -11,7 +11,7 @@ image: /img/blog_card.png
# Keyhole
By WitherOrNot
Edited by May, Lyssa, & SpCreatePackaedLicense
Edited by May, Lyssa
## Introduction
@ -174,7 +174,6 @@ The research covered in this blogpost was made possible by the following people/
- May - Initial discovery, testing, reverse engineering
- asdcorp - Testing, reverse engineering
- SpCreatePackaedLicense - Testing, reverse engineering, bugfix analysis
- WitherOrNot - Tool development, testing, reverse engineering, bugfix analysis
- emoose, LukeFZ - License Block format documentation
- KiFilterFiberContext - ClipSp unpacking

3
blog/2025-02-14-TSforge/index.md
View File

@ -100,7 +100,7 @@ From all of this work, we learned the following things:
- The trusted store's data is held in encrypted files
- This data is somehow linked with seemingly encrypted registry keys under `HKLM\SYSTEM\WPA`
Unfortunately, we didn't know much more than this for quite a long time. My work on deobfuscating both [older](https://github.com/UMSKT/peacestone) and [newer](https://github.com/WitherOrNot/warbird-docs) versions of sppsvc helped us in confirming some of our theories, but without an understanding of `spsys.sys`, they didn't contribute much. In the meantime, SpCreatePackaedLicense built an automated version of the CID trick, using a custom kernel driver to patch sppsvc without adjusting its [protected process](https://www.alex-ionescu.com/why-protected-processes-are-a-bad-idea/) status, which helped greatly with testing CID trick.
Unfortunately, we didn't know much more than this for quite a long time. My work on deobfuscating both [older](https://github.com/UMSKT/peacestone) and [newer](https://github.com/WitherOrNot/warbird-docs) versions of sppsvc helped us in confirming some of our theories, but without an understanding of `spsys.sys`, they didn't contribute much. In the meantime, we built an automated version of the CID trick, using a custom kernel driver to patch sppsvc without adjusting its [protected process](https://www.alex-ionescu.com/why-protected-processes-are-a-bad-idea/) status, which helped greatly with testing CID trick.
![image](./assets/tsf/miieow1.png)
@ -249,7 +249,6 @@ Even with the amount of damage we were able to do to SPP with a debugger and a h
#### Other Contributions
- SpCreatePackaedLicense - Tool development, testing
- May - Code formatting, build setup
#### Special Thanks