Add files via upload

drivers/RTCore/install.cmd

@@ -0,0 +1,4 @@
+copy "%~dp0RTCore64.sys" %systemdrive%\RTCore64.sys
+sc.exe create RTCore64 type= kernel start= auto binPath= %systemdrive%\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner"
+net.exe start RTCore64
+pause

drivers/RTCore/remove.cmd

@@ -0,0 +1,4 @@
+net.exe stop RTCore64
+sc.exe delete RTCore64
+del %systemdrive%\RTCore64.sys
+pause

drivers/StartSuspended/install.cmd

@@ -0,0 +1,5 @@
+copy "%~dp0StartSuspended.sys" %systemdrive%\StartSuspended.sys
+sc.exe create StartSuspended type= kernel start= auto binPath= %systemdrive%\StartSuspended.sys
+reg.exe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StartSuspended /v Target /t REG_SZ /d sppsvc.exe /f
+net.exe start StartSuspended
+pause

drivers/StartSuspended/remove.cmd

@@ -0,0 +1,4 @@
+net.exe stop RTCore64
+sc.exe delete RTCore64
+del %systemdrive%\RTCore64.sys
+pause

keyderiv.py

@@ -0,0 +1,49 @@
+import re
+import json
+import sys
+
+"""
+Set all following breakpoints on sppsvc.exe in x64dbg with Break Condition 0, Command Condition 1, and the associated Command Text:
+
+For prod key, works on 19041.1266 -> 19044.3803
+
+`sppsvc+1957F4` - `log "MODULUS {mem;0x80@rdx}"`
+`sppsvc+195A80` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`
+`sppsvc+1A36F1` - `log "MUL PROD {mem;0x80@rbx}"`
+`sppsvc+198CEC` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x440198]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x440198]]]}"`
+`sppsvc+199E07` - `log "MPMUL PROD {mem;0x80@[rax-[[sppsvc+0x440198]]]}"`
+`sppsvc+19561C` - `log "LAST MPMODMUL"`
+
+For test key, works on 20221.1000
+
+`sppsvc+1DD940` - `log "MODULUS {mem;0x80@rdx}"`
+`sppsvc+1DDFF0` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`
+`sppsvc+1DD8B1` - `log "MUL PROD {mem;0x80@rdi}"`
+`sppsvc+1D2050` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x483178]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x483178]]]}"`
+`sppsvc+1D30F4` - `log "MPMUL PROD {mem;0x80@[[rbp-0x69]-[[sppsvc+0x483178]]]}"`
+`sppsvc+1CEDE2` - `log "LAST MPMODMUL"`
+
+Right-click in Log tab, select "Redirect Log File" and choose path before unsuspending, once LAST MPMODMUL is shown then save log file and use with this script.
+"""
+
+pows = {}
+
+mul_log = open(sys.argv[1], "r").read()
+
+muls = re.finditer(r"\s*(?:MPMUL|MUL) F1 (\w+)\s*(?:MPMUL|MUL) F2 (\w+)\s*(?:MPMUL|MUL) PROD (\w+)\s*", mul_log, re.DOTALL | re.MULTILINE)
+fs_mul = muls.__next__()
+
+assert fs_mul[1] == fs_mul[2]
+
+pows[fs_mul[1]] = 1
+pows[fs_mul[3]] = 2
+
+last_pow = 0
+
+for mul in muls:
+    print(mul[1][:8], mul[2][:8], mul[3][:8])
+    pows[mul[3]] = pows[mul[1]] + pows[mul[2]]
+    
+    last_pow = pows[mul[3]]
+
+print("Derived private key: ", hex(last_pow))

splog.py

@@ -0,0 +1,16 @@
+# Decrypt C:\Windows\System32\spsys.log from Windows 7
+# Can be used to trace functions executed in spsys
+
+from Crypto.Cipher import AES
+from struct import unpack
+
+aeskey = bytes([0x5B, 0x68, 0x49, 0x25, 0x79, 0x7B, 0x81, 0xFE, 0x5C, 0x44, 0x1B, 0x08, 0x2B, 0xEA, 0xEC, 0x4E])
+
+log_data = b""
+
+with open("spsys.log", "rb") as f:
+    aes = AES.new(aeskey, AES.MODE_ECB)
+    log_data = aes.decrypt(f.read()[0x28:])
+
+with open("spsys_log_d.bin", "wb") as f:
+    f.write(log_data)

spp_prod.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDXsWBAi5fZLtghWfw8h436oA2jj9NRtXwIflPNtfCZajhZUjie
+lWojg02FFWw/QgKAymqXWOACbvl1kME9PNFMKP42LQNci+TpaGWj8KUr9+llQ7c5
+FD1WYETdxd5BAB6GBWVRQjM6YbgR4/WL3U8IZ/k7sjhrJhLYV5BSP7qHKQIDAQAB
+AoGBAL84RIHUf9GOYxPmR+WNs4RuosjPuGOnBogtHrSvyNbpwX0GlKWbBxbm0DHd
+FTNbnQZ67Vax9x6RLd1ZcMeOhGljjawdN1J69svKdGEfLgk6ZjwY/IK1R+lhcNm6
+6wq7lGZubHks+v4bfoIgNU6PSyrVguMUKyCIZI9UmNLXISbVAkEA2BvXsM7ByJx1
+3UgjmQIIoYJLihaJxxR7VIXZG7k4Q5IE89tSUxNqgPr/KF5MlOBc4U1a3LfkV7E8
+zFC1YG4KKwJBAP+B4YPO+6233rd/Ua73QyXVAAp1rY/ZD/LYnfV/x5tew6HutDIK
+DeDwQ+FAnpbOH6e6MzBEaSn2SxinRy6nLfsCQAK15rCrBzcy7y+FVhz3L5CHB9eF
+jNjYYuueeiik3BXM4Q8F8zRji/RuMYEaHa/IWKHizH70N4L6EB8n6/53ot0CQFhQ
+EB564Eq/Dt/lxdnv5OmioYz7962MnRKXBKHiNJ/jNUM3OllBWGKzKQMmTqpZPF/A
+4AiC3MaANpyi1NuvNRkCQQCr+LBFMuA05e901DwL24dMQsHsd3IDaXaf+ZBImg+M
+60aHSrllG6RLV/Sk5lgKWCUvrIJ97Yza156wV/7U4VFj
+-----END RSA PRIVATE KEY-----

spp_test.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQD2nHchRdHpsxBrJhmBFbOxIa8tw+JXQb42rnz4cOYjaFEGeM7Q
+wydMfOOumFxQ/Jg9yl64N9mVduFpvcGzZdbz2/Td5ZDTnJ3PHo6178NgkmdyUzo3
+nv06m1+zgHrZ6Qi3thRXP+1RND1tqzUWDBYeP9ETxGYX1GfdNlTduHe+DwIDAQAB
+AoGBAPFt/LL2R6sjQs+jXRSiymh/MaD8RHpoQnAGIxKWdLf1SF2tp8t5Qt/+5Gfp
+gXdH00Oq+1AeXUWWPNfojdmzudrXYgAv750Vf5TdPMb9gPZZkc1d5ksw3n3h103V
+0Wp0fX3sJavF5WiEN8GeByr+4c+naeQQm8+jacHQMmjTEWgBAkEA/CnRmlNCe7lF
+BiDMrFCHBHWa7bJRkZWoZhwOCYIEk2Sfrl1+WMWFMF7UkANtCU8ZECQH+4bbK7xh
+Mh2deLbd4QJBAPpdBVPcGDHCiPWAiSSEpVrXADEacJ8MuzE4ux48oXj6E8c4mmu/
+S+mxoZLsa9PeEo5QLSGcVMsrhwVpdRZHue8CQDaHZIgW0R2oJsD4fsoUb94LAIG+
+Od1dm5jZID/2Gb8110IBfbz8mZyoJRcvZnjI3gabhA5kTyjaB7qqpM7h3IECQQC+
+ooHh/t71VLlQplTG17HI35knyogis2D988KXHXeeVF0m/vSmQn0dLsJmy1q3cosS
+jf4vb4gpQ7WF62zaUDdFAkBv/Lk1yuGX2Yx1f6a+BK4tC/EfJSTi2ojyvSH6IjgI
+2eXEW4fB1vpiz0cf7maWHO2iPSFducHYF7OkuC//SJ+B
+-----END RSA PRIVATE KEY-----

tokens_rebuild_v2.py

@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+
+import struct
+import sys
+import os
+import hashlib
+
+TOKENS_VERSION = 3
+
+BLOCK_SIZE = 16384
+ENTRY_SIZE = 158
+MAX_ENTRIES = (BLOCK_SIZE - 8) // ENTRY_SIZE
+
+ENTRY_CONTENTS_HEADER = b'\x55' * 32
+ENTRY_CONTENTS_FOOTER = b'\xAA' * 32
+
+def parse_entry(f, offset):
+    f.seek(offset)
+    unpacked = struct.unpack('<lllll', f.read(20))
+
+    if unpacked[0] != offset or unpacked[1] == 0 or unpacked[2] == 0:
+        return None
+
+    (name_b, ext_b) = struct.unpack('<130s8s', f.read(138))
+
+    name = (
+        name_b.decode('utf-16-le').rstrip('\0'),
+        ext_b.decode('utf-16-le').rstrip('\0')
+    )
+
+    return (unpacked[2], unpacked[3], name)
+
+
+def parse_block_entries(f, offset):
+    o_entry = offset + ((MAX_ENTRIES - 1) * ENTRY_SIZE)
+    entries = []
+
+    for i in range(MAX_ENTRIES):
+        entry = parse_entry(f, o_entry)
+        o_entry -= ENTRY_SIZE
+
+        if entry != None:
+            entries.append(entry)
+
+    return entries
+
+
+def parse_block(f, offset):
+    f.seek(offset)
+    unpacked = struct.unpack('<ll', f.read(8))
+
+    if unpacked[0] != offset:
+        return None
+
+    entries = parse_block_entries(f, f.tell())
+    return (entries, unpacked[1])
+
+
+def get_token(f, entry):
+    (offset, length, name) = entry
+    f.seek(offset)
+
+    if f.read(32) != ENTRY_CONTENTS_HEADER:
+        return None
+
+    (h_len, h_sha256) = struct.unpack('<l32s', f.read(36))
+
+    if length != h_len:
+        return None
+
+    contents = f.read(h_len)
+
+    if f.read(32) != ENTRY_CONTENTS_FOOTER:
+        return None
+
+    return (name, contents)
+
+
+def get_tokens(f):
+    f.seek(0)
+
+    if struct.unpack('<l32xl', f.read(40)) != (TOKENS_VERSION, 36):
+        return None
+
+    offset = 36
+    all_entries = []
+
+    while offset != 0:
+        (entries, offset) = parse_block(f, offset)
+        all_entries += entries
+
+    tokens = []
+
+    for entry in all_entries:
+        token = get_token(f, entry)
+        if token != None:
+            tokens.append(token)
+
+    return tokens
+
+
+def build_entry_value(data):
+    d_len = len(data).to_bytes(4, "little")
+    d_sha256 = hashlib.sha256(data).digest()
+
+    value = ENTRY_CONTENTS_HEADER
+    value += d_len
+    value += d_sha256
+    value += data
+    value += ENTRY_CONTENTS_FOOTER
+
+    return (value, len(value))
+
+
+def build_entry_meta(o_meta, populated, o_value, vd_len, name):
+    return struct.pack(
+            "<IIIII130s8s",
+            o_meta,
+            populated,
+            o_value,
+            vd_len,
+            vd_len,
+            name[0].encode('utf-16-le'),
+            name[1].encode('utf-16-le')
+        )
+
+
+def build_entry(o_meta, o_value, entry):
+    value, v_len = build_entry_value(entry[1])
+
+    vd_len = len(entry[1])
+    meta = build_entry_meta(o_meta, True, o_value, vd_len, entry[0])
+
+    return (value, v_len, meta)
+
+
+def build_entries_block(entries, o_start):
+    meta_block = b''
+    data_block = b''
+
+    o_meta = o_start + 8 + ((MAX_ENTRIES - 1) * ENTRY_SIZE)
+    o_data = o_start + BLOCK_SIZE + 32
+
+    next_block = 0
+    write_entries = len(entries)
+    write_next_block_offset = False
+
+    if len(entries) > MAX_ENTRIES:
+        write_entries = MAX_ENTRIES
+        write_next_block_offset = True
+
+    for _ in range(write_entries):
+        data, data_len, meta = build_entry(o_meta, o_data, entries.pop(0))
+
+        meta_block = meta + meta_block
+        o_meta -= ENTRY_SIZE
+
+        data_block += data
+        o_data += data_len
+
+    for _ in range(MAX_ENTRIES - write_entries):
+        meta = build_entry_meta(o_meta, False, 0, 0xFFFFFFFF, ('', ''))
+
+        meta_block = meta + meta_block
+        o_meta -= ENTRY_SIZE
+
+    if write_next_block_offset:
+        next_block = o_data
+
+    finished_block = struct.pack("<II", o_start, next_block)
+    finished_block += meta_block
+    finished_block += b'\0' * (BLOCK_SIZE - (MAX_ENTRIES * ENTRY_SIZE) - 8)
+    finished_block += hashlib.sha256(finished_block).digest()
+    finished_block += data_block
+
+    return (finished_block, next_block, entries)
+
+
+def build_tokens(entries):
+    tokens_data = b''
+    header = TOKENS_VERSION.to_bytes(4, "little")
+
+    o_next = 36
+    entries_l = entries
+
+    while o_next != 0:
+        block, o_next, entries_l = build_entries_block(entries_l, o_next)
+        tokens_data += block
+
+    tokens_hash = hashlib.sha256(header + tokens_data).digest()
+
+    finished_tokens = header
+    finished_tokens += tokens_hash
+    finished_tokens += tokens_data
+
+    return finished_tokens
+
+
+if __name__ == '__main__':
+    if len(sys.argv) != 3:
+        print(f'Usage: {sys.argv[0]} source_tokens_file destination_tokens_file')
+        exit(1)
+
+    source = sys.argv[1]
+    destination = sys.argv[2]
+
+    if not os.path.isfile(source):
+        print(f'Source {source} is not a file')
+        exit(1)
+
+    if os.path.isdir(destination):
+        print(f'Source {source} is a directory')
+        exit(1)
+
+    with open(source, 'rb') as f:
+        tokens = get_tokens(f)
+
+    with open(destination, 'wb') as f:
+        f.write(build_tokens(tokens))

tsdecrypt.py

@@ -0,0 +1,55 @@
+from Crypto.PublicKey import RSA
+from Crypto.Cipher import AES, PKCS1_v1_5
+from Crypto.Signature import PKCS1_v1_5 as PKCS1_v1_5s
+from Crypto.Util.Padding import unpad
+from Crypto.Hash import SHA1, HMAC
+from sys import argv
+
+SPP_PROD_KEY = """-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDXsWBAi5fZLtghWfw8h436oA2jj9NRtXwIflPNtfCZajhZUjie
+lWojg02FFWw/QgKAymqXWOACbvl1kME9PNFMKP42LQNci+TpaGWj8KUr9+llQ7c5
+FD1WYETdxd5BAB6GBWVRQjM6YbgR4/WL3U8IZ/k7sjhrJhLYV5BSP7qHKQIDAQAB
+AoGBAL84RIHUf9GOYxPmR+WNs4RuosjPuGOnBogtHrSvyNbpwX0GlKWbBxbm0DHd
+FTNbnQZ67Vax9x6RLd1ZcMeOhGljjawdN1J69svKdGEfLgk6ZjwY/IK1R+lhcNm6
+6wq7lGZubHks+v4bfoIgNU6PSyrVguMUKyCIZI9UmNLXISbVAkEA2BvXsM7ByJx1
+3UgjmQIIoYJLihaJxxR7VIXZG7k4Q5IE89tSUxNqgPr/KF5MlOBc4U1a3LfkV7E8
+zFC1YG4KKwJBAP+B4YPO+6233rd/Ua73QyXVAAp1rY/ZD/LYnfV/x5tew6HutDIK
+DeDwQ+FAnpbOH6e6MzBEaSn2SxinRy6nLfsCQAK15rCrBzcy7y+FVhz3L5CHB9eF
+jNjYYuueeiik3BXM4Q8F8zRji/RuMYEaHa/IWKHizH70N4L6EB8n6/53ot0CQFhQ
+EB564Eq/Dt/lxdnv5OmioYz7962MnRKXBKHiNJ/jNUM3OllBWGKzKQMmTqpZPF/A
+4AiC3MaANpyi1NuvNRkCQQCr+LBFMuA05e901DwL24dMQsHsd3IDaXaf+ZBImg+M
+60aHSrllG6RLV/Sk5lgKWCUvrIJ97Yza156wV/7U4VFj
+-----END RSA PRIVATE KEY-----"""
+
+ciph = PKCS1_v1_5.new(RSA.import_key(SPP_PROD_KEY))
+sig = PKCS1_v1_5s.new(RSA.import_key(SPP_PROD_KEY))
+
+f = open(argv[1], "rb")
+f.seek(0x10)
+
+aesk_sig = f.read(0x80)
+
+f.seek(0x90)
+aes_data = f.read(0x80)
+
+if sig.verify(SHA1.new(aes_data), aesk_sig):
+    aeskey = ciph.decrypt(aes_data, 0)
+    aes = AES.new(aeskey, AES.MODE_CBC, b"\x00" * 16)
+
+    f.seek(0x110)
+    decr_data = unpad(aes.decrypt(f.read()), AES.block_size)
+    
+    hmac_key = decr_data[:0x10]
+    hmac_sig = decr_data[0x10:0x24]
+    ts_data = decr_data[0x28:]
+    
+    try:
+        hmac = HMAC.new(hmac_key, ts_data, SHA1)
+        #hmac.verify(hmac_sig)
+        
+        with open(argv[2], "wb") as fw:
+            fw.write(ts_data)
+    except ValueError:
+        print("!!! BAD HMAC !!!")
+else:
+    print("!!! BAD SIGNATURE !!!")

tsencrypt.py

@@ -0,0 +1,48 @@
+from Crypto.PublicKey import RSA
+from Crypto.Cipher import AES, PKCS1_v1_5
+from Crypto.Signature import PKCS1_v1_5 as PKCS1_v1_5s
+from Crypto.Util.Padding import pad
+from Crypto.Hash import SHA1, HMAC
+from Crypto.Random import get_random_bytes
+from sys import argv
+
+SPP_PROD_KEY = """-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDXsWBAi5fZLtghWfw8h436oA2jj9NRtXwIflPNtfCZajhZUjie
+lWojg02FFWw/QgKAymqXWOACbvl1kME9PNFMKP42LQNci+TpaGWj8KUr9+llQ7c5
+FD1WYETdxd5BAB6GBWVRQjM6YbgR4/WL3U8IZ/k7sjhrJhLYV5BSP7qHKQIDAQAB
+AoGBAL84RIHUf9GOYxPmR+WNs4RuosjPuGOnBogtHrSvyNbpwX0GlKWbBxbm0DHd
+FTNbnQZ67Vax9x6RLd1ZcMeOhGljjawdN1J69svKdGEfLgk6ZjwY/IK1R+lhcNm6
+6wq7lGZubHks+v4bfoIgNU6PSyrVguMUKyCIZI9UmNLXISbVAkEA2BvXsM7ByJx1
+3UgjmQIIoYJLihaJxxR7VIXZG7k4Q5IE89tSUxNqgPr/KF5MlOBc4U1a3LfkV7E8
+zFC1YG4KKwJBAP+B4YPO+6233rd/Ua73QyXVAAp1rY/ZD/LYnfV/x5tew6HutDIK
+DeDwQ+FAnpbOH6e6MzBEaSn2SxinRy6nLfsCQAK15rCrBzcy7y+FVhz3L5CHB9eF
+jNjYYuueeiik3BXM4Q8F8zRji/RuMYEaHa/IWKHizH70N4L6EB8n6/53ot0CQFhQ
+EB564Eq/Dt/lxdnv5OmioYz7962MnRKXBKHiNJ/jNUM3OllBWGKzKQMmTqpZPF/A
+4AiC3MaANpyi1NuvNRkCQQCr+LBFMuA05e901DwL24dMQsHsd3IDaXaf+ZBImg+M
+60aHSrllG6RLV/Sk5lgKWCUvrIJ97Yza156wV/7U4VFj
+-----END RSA PRIVATE KEY-----"""
+
+VERSION = 5
+
+ciph = PKCS1_v1_5.new(RSA.import_key(SPP_PROD_KEY))
+sig = PKCS1_v1_5s.new(RSA.import_key(SPP_PROD_KEY))
+
+f = open(argv[1], "rb")
+ts_data = f.read()
+
+aeskey = b"massgrave.dev :3"
+hmackey = b"untrustedstore  "
+
+enc_aeskey = ciph.encrypt(aeskey)
+aeskey_sig = sig.sign(SHA1.new(enc_aeskey))
+hmac = HMAC.new(hmackey, ts_data, SHA1)
+hmac_sig = hmac.digest()
+
+header = VERSION.to_bytes(4, "little") + b"UNTRUSTSTORE" + aeskey_sig + enc_aeskey
+data = hmackey + hmac_sig + b"\x00\x00\x00\x00" + ts_data
+
+aes = AES.new(aeskey, AES.MODE_CBC, b"\x00" * 16)
+encr_data = aes.encrypt(pad(data, AES.block_size))
+
+with open(argv[2], "wb") as g:
+    g.write(header + encr_data)