diff --git a/bin/PPLcontrol.exe b/bin/PPLcontrol.exe
new file mode 100644
index 0000000..576af86
Binary files /dev/null and b/bin/PPLcontrol.exe differ
diff --git a/bin/pssuspend64.exe b/bin/pssuspend64.exe
new file mode 100644
index 0000000..2789d69
Binary files /dev/null and b/bin/pssuspend64.exe differ
diff --git a/drivers/RTCore/RTCore64.sys b/drivers/RTCore/RTCore64.sys
new file mode 100644
index 0000000..e95b936
Binary files /dev/null and b/drivers/RTCore/RTCore64.sys differ
diff --git a/drivers/RTCore/install.cmd b/drivers/RTCore/install.cmd
new file mode 100644
index 0000000..deb90c7
--- /dev/null
+++ b/drivers/RTCore/install.cmd
@@ -0,0 +1,4 @@
+copy "%~dp0RTCore64.sys" %systemdrive%\RTCore64.sys
+sc.exe create RTCore64 type= kernel start= auto binPath= %systemdrive%\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner"
+net.exe start RTCore64
+pause
diff --git a/drivers/RTCore/remove.cmd b/drivers/RTCore/remove.cmd
new file mode 100644
index 0000000..a348411
--- /dev/null
+++ b/drivers/RTCore/remove.cmd
@@ -0,0 +1,4 @@
+net.exe stop RTCore64
+sc.exe delete RTCore64
+del %systemdrive%\RTCore64.sys
+pause
diff --git a/drivers/StartSuspended/StartSuspended.sys b/drivers/StartSuspended/StartSuspended.sys
new file mode 100644
index 0000000..934cb80
Binary files /dev/null and b/drivers/StartSuspended/StartSuspended.sys differ
diff --git a/drivers/StartSuspended/install.cmd b/drivers/StartSuspended/install.cmd
new file mode 100644
index 0000000..e47632b
--- /dev/null
+++ b/drivers/StartSuspended/install.cmd
@@ -0,0 +1,5 @@
+copy "%~dp0StartSuspended.sys" %systemdrive%\StartSuspended.sys
+sc.exe create StartSuspended type= kernel start= auto binPath= %systemdrive%\StartSuspended.sys
+reg.exe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StartSuspended /v Target /t REG_SZ /d sppsvc.exe /f
+net.exe start StartSuspended
+pause
diff --git a/drivers/StartSuspended/remove.cmd b/drivers/StartSuspended/remove.cmd
new file mode 100644
index 0000000..a348411
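Review bot: `sc.exe create RTCore64 type= kernel start= auto ...` registers the bundled kernel driver to load at every boot, so it stays resident long after the debugging session it is meant to support; `start= demand` would load it only when `net.exe start RTCore64` is run, and the same applies to the `sc.exe create StartSuspended ... start= auto` line in drivers/StartSuspended/install.cmd. Neither script checks the result of `copy` or `sc.exe create`, so `net.exe start` runs even when the copy to %systemdrive% failed and the only sign is a message scrolling past before `pause`. A guard such as `copy "%~dp0RTCore64.sys" %systemdrive%\RTCore64.sys || exit /b 1` (and the same on the `sc.exe create` line) would stop at the first failed step.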
--- /dev/null
+++ b/drivers/StartSuspended/remove.cmd
@@ -0,0 +1,4 @@
+net.exe stop RTCore64
+sc.exe delete RTCore64
+del %systemdrive%\RTCore64.sys
+pause
diff --git a/keyderiv.py b/keyderiv.py
new file mode 100644
index 0000000..fb45608
--- /dev/null
+++ b/keyderiv.py
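Review bot: drivers/StartSuspended/remove.cmd stops and deletes `RTCore64`, not `StartSuspended` — it carries the same blob id `a348411` as drivers/RTCore/remove.cmd, so it is an unedited copy and leaves the StartSuspended service, `%systemdrive%\StartSuspended.sys` and the `Target` value under its service key in place after "removal". The three commands should read `net.exe stop StartSuspended`, `sc.exe delete StartSuspended` and `del %systemdrive%\StartSuspended.sys`. Deleting the service is expected to drop its registry key together with the `Target` value that install.cmd adds, but that is worth confirming on the build in use rather than assumed.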
@@ -0,0 +1,49 @@
+import re
+import json
+import sys
+
+"""
+Set all following breakpoints on sppsvc.exe in x64dbg with Break Condition 0, Command Condition 1, and the associated Command Text:
+
+For prod key, works on 19041.1266 -> 19044.3803
+
+`sppsvc+1957F4` - `log "MODULUS {mem;0x80@rdx}"`
+`sppsvc+195A80` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`
+`sppsvc+1A36F1` - `log "MUL PROD {mem;0x80@rbx}"`
+`sppsvc+198CEC` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x440198]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x440198]]]}"`
+`sppsvc+199E07` - `log "MPMUL PROD {mem;0x80@[rax-[[sppsvc+0x440198]]]}"`
+`sppsvc+19561C` - `log "LAST MPMODMUL"`
+
+For test key, works on 20221.1000
+
+`sppsvc+1DD940` - `log "MODULUS {mem;0x80@rdx}"`
+`sppsvc+1DDFF0` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`
+`sppsvc+1DD8B1` - `log "MUL PROD {mem;0x80@rdi}"`
+`sppsvc+1D2050` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x483178]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x483178]]]}"`
+`sppsvc+1D30F4` - `log "MPMUL PROD {mem;0x80@[[rbp-0x69]-[[sppsvc+0x483178]]]}"`
+`sppsvc+1CEDE2` - `log "LAST MPMODMUL"`
+
+Right-click in Log tab, select "Redirect Log File" and choose path before unsuspending, once LAST MPMODMUL is shown then save log file and use with this script.
+"""
+
+pows = {}
+
+mul_log = open(sys.argv[1], "r").read()
+
+muls = re.finditer(r"\s*(?:MPMUL|MUL) F1 (\w+)\s*(?:MPMUL|MUL) F2 (\w+)\s*(?:MPMUL|MUL) PROD (\w+)\s*", mul_log, re.DOTALL | re.MULTILINE)
+fs_mul = muls.__next__()
+
+assert fs_mul[1] == fs_mul[2]
+
+pows[fs_mul[1]] = 1
+pows[fs_mul[3]] = 2
+
+last_pow = 0
+
+for mul in muls:
+ print(mul[1][:8], mul[2][:8], mul[3][:8])
+ pows[mul[3]] = pows[mul[1]] + pows[mul[2]]
+
+ last_pow = pows[mul[3]]
+
+print("Derived private key: ", hex(last_pow))
\ No newline at end of file
diff --git a/splog.py b/splog.py
new file mode 100644
index 0000000..c2e36b1
--- /dev/null
+++ b/splog.py
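Review bot: `mul_log = open(sys.argv[1], "r").read()` never closes the handle, and `fs_mul = muls.__next__()` dies with a bare StopIteration traceback when the log contains no MUL/MPMUL triple; `with open(sys.argv[1], "r") as fh: mul_log = fh.read()` and `fs_mul = next(muls, None)` followed by a `sys.exit("no multiplications found in log")` check make both failures explicit. `assert fs_mul[1] == fs_mul[2]` is stripped under `python -O`, so the check that the first recorded multiplication is a squaring should be a plain `if` that exits with a message. `import json` is unused. The breakpoint list is valuable documentation but sits after the imports, so it is not the module docstring; moving it above `import re` (or making it a comment block) keeps tooling from ignoring it.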
@@ -0,0 +1,16 @@
+# Decrypt C:\Windows\System32\spsys.log from Windows 7
+# Can be used to trace functions executed in spsys
+
+from Crypto.Cipher import AES
+from struct import unpack
+
+aeskey = bytes([0x5B, 0x68, 0x49, 0x25, 0x79, 0x7B, 0x81, 0xFE, 0x5C, 0x44, 0x1B, 0x08, 0x2B, 0xEA, 0xEC, 0x4E])
+
+log_data = b""
+
+with open("spsys.log", "rb") as f:
+ aes = AES.new(aeskey, AES.MODE_ECB)
+ log_data = aes.decrypt(f.read()[0x28:])
+
+with open("spsys_log_d.bin", "wb") as f:
+ f.write(log_data)
\ No newline at end of file
diff --git a/spp_prod.pem b/spp_prod.pem
new file mode 100644
index 0000000..642fa80
--- /dev/null
+++ b/spp_prod.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDXsWBAi5fZLtghWfw8h436oA2jj9NRtXwIflPNtfCZajhZUjie
+lWojg02FFWw/QgKAymqXWOACbvl1kME9PNFMKP42LQNci+TpaGWj8KUr9+llQ7c5
+FD1WYETdxd5BAB6GBWVRQjM6YbgR4/WL3U8IZ/k7sjhrJhLYV5BSP7qHKQIDAQAB
+AoGBAL84RIHUf9GOYxPmR+WNs4RuosjPuGOnBogtHrSvyNbpwX0GlKWbBxbm0DHd
+FTNbnQZ67Vax9x6RLd1ZcMeOhGljjawdN1J69svKdGEfLgk6ZjwY/IK1R+lhcNm6
+6wq7lGZubHks+v4bfoIgNU6PSyrVguMUKyCIZI9UmNLXISbVAkEA2BvXsM7ByJx1
+3UgjmQIIoYJLihaJxxR7VIXZG7k4Q5IE89tSUxNqgPr/KF5MlOBc4U1a3LfkV7E8
+zFC1YG4KKwJBAP+B4YPO+6233rd/Ua73QyXVAAp1rY/ZD/LYnfV/x5tew6HutDIK
+DeDwQ+FAnpbOH6e6MzBEaSn2SxinRy6nLfsCQAK15rCrBzcy7y+FVhz3L5CHB9eF
+jNjYYuueeiik3BXM4Q8F8zRji/RuMYEaHa/IWKHizH70N4L6EB8n6/53ot0CQFhQ
+EB564Eq/Dt/lxdnv5OmioYz7962MnRKXBKHiNJ/jNUM3OllBWGKzKQMmTqpZPF/A
+4AiC3MaANpyi1NuvNRkCQQCr+LBFMuA05e901DwL24dMQsHsd3IDaXaf+ZBImg+M
+60aHSrllG6RLV/Sk5lgKWCUvrIJ97Yza156wV/7U4VFj
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/spp_test.pem b/spp_test.pem
new file mode 100644
index 0000000..8fdd208
--- /dev/null
+++ b/spp_test.pem
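Review bot: `aes.decrypt(f.read()[0x28:])` assumes everything after the 0x28-byte header is a whole number of 16-byte AES blocks; pycryptodome's ECB `decrypt` raises `ValueError` for any other length, so a log with a trailing partial block fails outright instead of yielding its decryptable prefix. Reading into a variable and trimming, `raw = f.read()[0x28:]` then `log_data = aes.decrypt(raw[:len(raw) - len(raw) % 16])`, handles that; that the header is exactly 0x28 bytes is inferred from the slice and not stated anywhere, so a comment naming where that offset comes from would help. `from struct import unpack` is unused and the `log_data = b""` pre-assignment is redundant with the assignment inside the first `with`.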
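Review bot: spp_prod.pem and spp_test.pem are unencrypted PKCS#1 RSA private keys added with no README entry, header comment or commit text saying what they are, which builds they belong to, or how they were produced; keyderiv.py prints an exponent, but nothing on the page ties its output to these files. A short README section stating their provenance and the build ranges they apply to (keyderiv.py's docstring already lists 19041.1266 -> 19044.3803 and 20221.1000) would make the repository usable without reading the debugger notes. Secret-scanning hooks on most forges flag PEM-formatted private keys, so expect these two files to need an allow-list entry or an explanatory note.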
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQD2nHchRdHpsxBrJhmBFbOxIa8tw+JXQb42rnz4cOYjaFEGeM7Q
+wydMfOOumFxQ/Jg9yl64N9mVduFpvcGzZdbz2/Td5ZDTnJ3PHo6178NgkmdyUzo3
+nv06m1+zgHrZ6Qi3thRXP+1RND1tqzUWDBYeP9ETxGYX1GfdNlTduHe+DwIDAQAB
+AoGBAPFt/LL2R6sjQs+jXRSiymh/MaD8RHpoQnAGIxKWdLf1SF2tp8t5Qt/+5Gfp
+gXdH00Oq+1AeXUWWPNfojdmzudrXYgAv750Vf5TdPMb9gPZZkc1d5ksw3n3h103V
+0Wp0fX3sJavF5WiEN8GeByr+4c+naeQQm8+jacHQMmjTEWgBAkEA/CnRmlNCe7lF
+BiDMrFCHBHWa7bJRkZWoZhwOCYIEk2Sfrl1+WMWFMF7UkANtCU8ZECQH+4bbK7xh
+Mh2deLbd4QJBAPpdBVPcGDHCiPWAiSSEpVrXADEacJ8MuzE4ux48oXj6E8c4mmu/
+S+mxoZLsa9PeEo5QLSGcVMsrhwVpdRZHue8CQDaHZIgW0R2oJsD4fsoUb94LAIG+
+Od1dm5jZID/2Gb8110IBfbz8mZyoJRcvZnjI3gabhA5kTyjaB7qqpM7h3IECQQC+
+ooHh/t71VLlQplTG17HI35knyogis2D988KXHXeeVF0m/vSmQn0dLsJmy1q3cosS
+jf4vb4gpQ7WF62zaUDdFAkBv/Lk1yuGX2Yx1f6a+BK4tC/EfJSTi2ojyvSH6IjgI
+2eXEW4fB1vpiz0cf7maWHO2iPSFducHYF7OkuC//SJ+B
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/sppdebug.reg b/sppdebug.reg
new file mode 100644
index 0000000..5691617
Binary files /dev/null and b/sppdebug.reg differ
diff --git a/tokens_rebuild_v2.py b/tokens_rebuild_v2.py
new file mode 100644
index 0000000..a91697a
--- /dev/null
+++ b/tokens_rebuild_v2.py
@@ -0,0 +1,219 @@ +#!/usr/bin/env python3 + +import struct +import sys +import os +import hashlib + +TOKENS_VERSION = 3 + +BLOCK_SIZE = 16384 +ENTRY_SIZE = 158 +MAX_ENTRIES = (BLOCK_SIZE - 8) // ENTRY_SIZE + +ENTRY_CONTENTS_HEADER = b'\x55' * 32 +ENTRY_CONTENTS_FOOTER = b'\xAA' * 32 + +def parse_entry(f, offset): + f.seek(offset) + unpacked = struct.unpack(' MAX_ENTRIES: + write_entries = MAX_ENTRIES + write_next_block_offset = True + + for _ in range(write_entries): + data, data_len, meta = build_entry(o_meta, o_data, entries.pop(0)) + + meta_block = meta + meta_block + o_meta -= ENTRY_SIZE + + data_block += data + o_data += data_len + + for _ in range(MAX_ENTRIES - write_entries): + meta = build_entry_meta(o_meta, False, 0, 0xFFFFFFFF, ('', '')) + + meta_block = meta + meta_block + o_meta -= ENTRY_SIZE + + if write_next_block_offset: + next_block = o_data + + finished_block = struct.pack("