Add files via upload

16 files changed, 434 insertions, 0 deletions

diff --git a/bin/PPLcontrol.exe b/bin/PPLcontrol.exe
new file mode 100644
index 0000000..576af86
--- /dev/null
+++ b/bin/PPLcontrol.exe
diff --git a/bin/pssuspend64.exe b/bin/pssuspend64.exe
new file mode 100644
index 0000000..2789d69
--- /dev/null
+++ b/bin/pssuspend64.exe
diff --git a/drivers/RTCore/RTCore64.sys b/drivers/RTCore/RTCore64.sys
new file mode 100644
index 0000000..e95b936
--- /dev/null
+++ b/drivers/RTCore/RTCore64.sys
diff --git a/drivers/RTCore/install.cmd b/drivers/RTCore/install.cmd
new file mode 100644
index 0000000..deb90c7
--- /dev/null
+++ b/drivers/RTCore/install.cmd
@@ -0,0 +1,4 @@
+copy "%~dp0RTCore64.sys" %systemdrive%\RTCore64.sys

+sc.exe create RTCore64 type= kernel start= auto binPath= %systemdrive%\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner"

+net.exe start RTCore64

+pause

diff --git a/drivers/RTCore/remove.cmd b/drivers/RTCore/remove.cmd
new file mode 100644
index 0000000..a348411
--- /dev/null
+++ b/drivers/RTCore/remove.cmd
@@ -0,0 +1,4 @@
+net.exe stop RTCore64

+sc.exe delete RTCore64

+del %systemdrive%\RTCore64.sys

+pause

diff --git a/drivers/StartSuspended/StartSuspended.sys b/drivers/StartSuspended/StartSuspended.sys
new file mode 100644
index 0000000..934cb80
--- /dev/null
+++ b/drivers/StartSuspended/StartSuspended.sys
diff --git a/drivers/StartSuspended/install.cmd b/drivers/StartSuspended/install.cmd
new file mode 100644
index 0000000..e47632b
--- /dev/null
+++ b/drivers/StartSuspended/install.cmd
@@ -0,0 +1,5 @@
+copy "%~dp0StartSuspended.sys" %systemdrive%\StartSuspended.sys

+sc.exe create StartSuspended type= kernel start= auto binPath= %systemdrive%\StartSuspended.sys

+reg.exe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StartSuspended /v Target /t REG_SZ /d sppsvc.exe /f

+net.exe start StartSuspended

+pause

diff --git a/drivers/StartSuspended/remove.cmd b/drivers/StartSuspended/remove.cmd
new file mode 100644
index 0000000..a348411
--- /dev/null
+++ b/drivers/StartSuspended/remove.cmd
@@ -0,0 +1,4 @@
+net.exe stop RTCore64

+sc.exe delete RTCore64

+del %systemdrive%\RTCore64.sys

+pause

diff --git a/keyderiv.py b/keyderiv.py
new file mode 100644
index 0000000..fb45608
--- /dev/null
+++ b/keyderiv.py
@@ -0,0 +1,49 @@
+import re

+import json

+import sys

+

+"""

+Set all following breakpoints on sppsvc.exe in x64dbg with Break Condition 0, Command Condition 1, and the associated Command Text:

+

+For prod key, works on 19041.1266 -> 19044.3803

+

+`sppsvc+1957F4` - `log "MODULUS {mem;0x80@rdx}"`

+`sppsvc+195A80` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`

+`sppsvc+1A36F1` - `log "MUL PROD {mem;0x80@rbx}"`

+`sppsvc+198CEC` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x440198]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x440198]]]}"`

+`sppsvc+199E07` - `log "MPMUL PROD {mem;0x80@[rax-[[sppsvc+0x440198]]]}"`

+`sppsvc+19561C` - `log "LAST MPMODMUL"`

+

+For test key, works on 20221.1000

+

+`sppsvc+1DD940` - `log "MODULUS {mem;0x80@rdx}"`

+`sppsvc+1DDFF0` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`

+`sppsvc+1DD8B1` - `log "MUL PROD {mem;0x80@rdi}"`

+`sppsvc+1D2050` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x483178]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x483178]]]}"`

+`sppsvc+1D30F4` - `log "MPMUL PROD {mem;0x80@[[rbp-0x69]-[[sppsvc+0x483178]]]}"`

+`sppsvc+1CEDE2` - `log "LAST MPMODMUL"`

+

+Right-click in Log tab, select "Redirect Log File" and choose path before unsuspending, once LAST MPMODMUL is shown then save log file and use with this script.

+"""

+

+pows = {}

+

+mul_log = open(sys.argv[1], "r").read()

+

+muls = re.finditer(r"\s*(?:MPMUL|MUL) F1 (\w+)\s*(?:MPMUL|MUL) F2 (\w+)\s*(?:MPMUL|MUL) PROD (\w+)\s*", mul_log, re.DOTALL | re.MULTILINE)

+fs_mul = muls.__next__()

+

+assert fs_mul[1] == fs_mul[2]

+

+pows[fs_mul[1]] = 1

+pows[fs_mul[3]] = 2

+

+last_pow = 0

+

+for mul in muls:

+    print(mul[1][:8], mul[2][:8], mul[3][:8])

+    pows[mul[3]] = pows[mul[1]] + pows[mul[2]]

+    

+    last_pow = pows[mul[3]]

+

+print("Derived private key: ", hex(last_pow))
\ No newline at end of file
diff --git a/splog.py b/splog.py
new file mode 100644
index 0000000..c2e36b1
--- /dev/null
+++ b/splog.py
@@ -0,0 +1,16 @@
+# Decrypt C:\Windows\System32\spsys.log from Windows 7

+# Can be used to trace functions executed in spsys

+

+from Crypto.Cipher import AES

+from struct import unpack

+

+aeskey = bytes([0x5B, 0x68, 0x49, 0x25, 0x79, 0x7B, 0x81, 0xFE, 0x5C, 0x44, 0x1B, 0x08, 0x2B, 0xEA, 0xEC, 0x4E])

+

+log_data = b""

+

+with open("spsys.log", "rb") as f:

+    aes = AES.new(aeskey, AES.MODE_ECB)

+    log_data = aes.decrypt(f.read()[0x28:])

+

+with open("spsys_log_d.bin", "wb") as f:

+    f.write(log_data)
\ No newline at end of file
diff --git a/spp_prod.pem b/spp_prod.pem
new file mode 100644
index 0000000..642fa80
--- /dev/null
+++ b/spp_prod.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDXsWBAi5fZLtghWfw8h436oA2jj9NRtXwIflPNtfCZajhZUjie
+lWojg02FFWw/QgKAymqXWOACbvl1kME9PNFMKP42LQNci+TpaGWj8KUr9+llQ7c5
+FD1WYETdxd5BAB6GBWVRQjM6YbgR4/WL3U8IZ/k7sjhrJhLYV5BSP7qHKQIDAQAB
+AoGBAL84RIHUf9GOYxPmR+WNs4RuosjPuGOnBogtHrSvyNbpwX0GlKWbBxbm0DHd
+FTNbnQZ67Vax9x6RLd1ZcMeOhGljjawdN1J69svKdGEfLgk6ZjwY/IK1R+lhcNm6
+6wq7lGZubHks+v4bfoIgNU6PSyrVguMUKyCIZI9UmNLXISbVAkEA2BvXsM7ByJx1
+3UgjmQIIoYJLihaJxxR7VIXZG7k4Q5IE89tSUxNqgPr/KF5MlOBc4U1a3LfkV7E8
+zFC1YG4KKwJBAP+B4YPO+6233rd/Ua73QyXVAAp1rY/ZD/LYnfV/x5tew6HutDIK
+DeDwQ+FAnpbOH6e6MzBEaSn2SxinRy6nLfsCQAK15rCrBzcy7y+FVhz3L5CHB9eF
+jNjYYuueeiik3BXM4Q8F8zRji/RuMYEaHa/IWKHizH70N4L6EB8n6/53ot0CQFhQ
+EB564Eq/Dt/lxdnv5OmioYz7962MnRKXBKHiNJ/jNUM3OllBWGKzKQMmTqpZPF/A
+4AiC3MaANpyi1NuvNRkCQQCr+LBFMuA05e901DwL24dMQsHsd3IDaXaf+ZBImg+M
+60aHSrllG6RLV/Sk5lgKWCUvrIJ97Yza156wV/7U4VFj
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/spp_test.pem b/spp_test.pem
new file mode 100644
index 0000000..8fdd208
--- /dev/null
+++ b/spp_test.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQD2nHchRdHpsxBrJhmBFbOxIa8tw+JXQb42rnz4cOYjaFEGeM7Q
+wydMfOOumFxQ/Jg9yl64N9mVduFpvcGzZdbz2/Td5ZDTnJ3PHo6178NgkmdyUzo3
+nv06m1+zgHrZ6Qi3thRXP+1RND1tqzUWDBYeP9ETxGYX1GfdNlTduHe+DwIDAQAB
+AoGBAPFt/LL2R6sjQs+jXRSiymh/MaD8RHpoQnAGIxKWdLf1SF2tp8t5Qt/+5Gfp
+gXdH00Oq+1AeXUWWPNfojdmzudrXYgAv750Vf5TdPMb9gPZZkc1d5ksw3n3h103V
+0Wp0fX3sJavF5WiEN8GeByr+4c+naeQQm8+jacHQMmjTEWgBAkEA/CnRmlNCe7lF
+BiDMrFCHBHWa7bJRkZWoZhwOCYIEk2Sfrl1+WMWFMF7UkANtCU8ZECQH+4bbK7xh
+Mh2deLbd4QJBAPpdBVPcGDHCiPWAiSSEpVrXADEacJ8MuzE4ux48oXj6E8c4mmu/
+S+mxoZLsa9PeEo5QLSGcVMsrhwVpdRZHue8CQDaHZIgW0R2oJsD4fsoUb94LAIG+
+Od1dm5jZID/2Gb8110IBfbz8mZyoJRcvZnjI3gabhA5kTyjaB7qqpM7h3IECQQC+
+ooHh/t71VLlQplTG17HI35knyogis2D988KXHXeeVF0m/vSmQn0dLsJmy1q3cosS
+jf4vb4gpQ7WF62zaUDdFAkBv/Lk1yuGX2Yx1f6a+BK4tC/EfJSTi2ojyvSH6IjgI
+2eXEW4fB1vpiz0cf7maWHO2iPSFducHYF7OkuC//SJ+B
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/sppdebug.reg b/sppdebug.reg
new file mode 100644
index 0000000..5691617
--- /dev/null
+++ b/sppdebug.reg
diff --git a/tokens_rebuild_v2.py b/tokens_rebuild_v2.py
new file mode 100644
index 0000000..a91697a
--- /dev/null
+++ b/tokens_rebuild_v2.py
@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+
+import struct
+import sys
+import os
+import hashlib
+
+TOKENS_VERSION = 3
+
+BLOCK_SIZE = 16384
+ENTRY_SIZE = 158
+MAX_ENTRIES = (BLOCK_SIZE - 8) // ENTRY_SIZE
+
+ENTRY_CONTENTS_HEADER = b'\x55' * 32
+ENTRY_CONTENTS_FOOTER = b'\xAA' * 32
+
+def parse_entry(f, offset):
+    f.seek(offset)
+    unpacked = struct.unpack('<lllll', f.read(20))
+
+    if unpacked[0] != offset or unpacked[1] == 0 or unpacked[2] == 0:
+        return None
+
+    (name_b, ext_b) = struct.unpack('<130s8s', f.read(138))
+
+    name = (
+        name_b.decode('utf-16-le').rstrip('\0'),
+        ext_b.decode('utf-16-le').rstrip('\0')
+    )
+
+    return (unpacked[2], unpacked[3], name)
+
+
+def parse_block_entries(f, offset):
+    o_entry = offset + ((MAX_ENTRIES - 1) * ENTRY_SIZE)
+    entries = []
+
+    for i in range(MAX_ENTRIES):
+        entry = parse_entry(f, o_entry)
+        o_entry -= ENTRY_SIZE
+
+        if entry != None:
+            entries.append(entry)
+
+    return entries
+
+
+def parse_block(f, offset):
+    f.seek(offset)
+    unpacked = struct.unpack('<ll', f.read(8))
+
+    if unpacked[0] != offset:
+        return None
+
+    entries = parse_block_entries(f, f.tell())
+    return (entries, unpacked[1])
+
+
+def get_token(f, entry):
+    (offset, length, name) = entry
+    f.seek(offset)
+
+    if f.read(32) != ENTRY_CONTENTS_HEADER:
+        return None
+
+    (h_len, h_sha256) = struct.unpack('<l32s', f.read(36))
+
+    if length != h_len:
+        return None
+
+    contents = f.read(h_len)
+
+    if f.read(32) != ENTRY_CONTENTS_FOOTER:
+        return None
+
+    return (name, contents)
+
+
+def get_tokens(f):
+    f.seek(0)
+
+    if struct.unpack('<l32xl', f.read(40)) != (TOKENS_VERSION, 36):
+        return None
+
+    offset = 36
+    all_entries = []
+
+    while offset != 0:
+        (entries, offset) = parse_block(f, offset)
+        all_entries += entries
+
+    tokens = []
+
+    for entry in all_entries:
+        token = get_token(f, entry)
+        if token != None:
+            tokens.append(token)
+
+    return tokens
+
+
+def build_entry_value(data):
+    d_len = len(data).to_bytes(4, "little")
+    d_sha256 = hashlib.sha256(data).digest()
+
+    value = ENTRY_CONTENTS_HEADER
+    value += d_len
+    value += d_sha256
+    value += data
+    value += ENTRY_CONTENTS_FOOTER
+
+    return (value, len(value))
+
+
+def build_entry_meta(o_meta, populated, o_value, vd_len, name):
+    return struct.pack(
+            "<IIIII130s8s",
+            o_meta,
+            populated,
+            o_value,
+            vd_len,
+            vd_len,
+            name[0].encode('utf-16-le'),
+            name[1].encode('utf-16-le')
+        )
+
+
+def build_entry(o_meta, o_value, entry):
+    value, v_len = build_entry_value(entry[1])
+
+    vd_len = len(entry[1])
+    meta = build_entry_meta(o_meta, True, o_value, vd_len, entry[0])
+
+    return (value, v_len, meta)
+
+
+def build_entries_block(entries, o_start):
+    meta_block = b''
+    data_block = b''
+
+    o_meta = o_start + 8 + ((MAX_ENTRIES - 1) * ENTRY_SIZE)
+    o_data = o_start + BLOCK_SIZE + 32
+
+    next_block = 0
+    write_entries = len(entries)
+    write_next_block_offset = False
+
+    if len(entries) > MAX_ENTRIES:
+        write_entries = MAX_ENTRIES
+        write_next_block_offset = True
+
+    for _ in range(write_entries):
+        data, data_len, meta = build_entry(o_meta, o_data, entries.pop(0))
+
+        meta_block = meta + meta_block
+        o_meta -= ENTRY_SIZE
+
+        data_block += data
+        o_data += data_len
+
+    for _ in range(MAX_ENTRIES - write_entries):
+        meta = build_entry_meta(o_meta, False, 0, 0xFFFFFFFF, ('', ''))
+
+        meta_block = meta + meta_block
+        o_meta -= ENTRY_SIZE
+
+    if write_next_block_offset:
+        next_block = o_data
+
+    finished_block = struct.pack("<II", o_start, next_block)
+    finished_block += meta_block
+    finished_block += b'\0' * (BLOCK_SIZE - (MAX_ENTRIES * ENTRY_SIZE) - 8)
+    finished_block += hashlib.sha256(finished_block).digest()
+    finished_block += data_block
+
+    return (finished_block, next_block, entries)
+
+
+def build_tokens(entries):
+    tokens_data = b''
+    header = TOKENS_VERSION.to_bytes(4, "little")
+
+    o_next = 36
+    entries_l = entries
+
+    while o_next != 0:
+        block, o_next, entries_l = build_entries_block(entries_l, o_next)
+        tokens_data += block
+
+    tokens_hash = hashlib.sha256(header + tokens_data).digest()
+
+    finished_tokens = header
+    finished_tokens += tokens_hash
+    finished_tokens += tokens_data
+
+    return finished_tokens
+
+
+if __name__ == '__main__':
+    if len(sys.argv) != 3:
+        print(f'Usage: {sys.argv[0]} source_tokens_file destination_tokens_file')
+        exit(1)
+
+    source = sys.argv[1]
+    destination = sys.argv[2]
+
+    if not os.path.isfile(source):
+        print(f'Source {source} is not a file')
+        exit(1)
+
+    if os.path.isdir(destination):
+        print(f'Source {source} is a directory')
+        exit(1)
+
+    with open(source, 'rb') as f:
+        tokens = get_tokens(f)
+
+    with open(destination, 'wb') as f:
+        f.write(build_tokens(tokens))
diff --git a/tsdecrypt.py b/tsdecrypt.py
new file mode 100644
index 0000000..dbaf760
--- /dev/null
+++ b/tsdecrypt.py
@@ -0,0 +1,55 @@
+from Crypto.PublicKey import RSA

+from Crypto.Cipher import AES, PKCS1_v1_5

+from Crypto.Signature import PKCS1_v1_5 as PKCS1_v1_5s

+from Crypto.Util.Padding import unpad

+from Crypto.Hash import SHA1, HMAC

+from sys import argv

+

+SPP_PROD_KEY = """-----BEGIN RSA PRIVATE KEY-----

+MIICXQIBAAKBgQDXsWBAi5fZLtghWfw8h436oA2jj9NRtXwIflPNtfCZajhZUjie

+lWojg02FFWw/QgKAymqXWOACbvl1kME9PNFMKP42LQNci+TpaGWj8KUr9+llQ7c5

+FD1WYETdxd5BAB6GBWVRQjM6YbgR4/WL3U8IZ/k7sjhrJhLYV5BSP7qHKQIDAQAB

+AoGBAL84RIHUf9GOYxPmR+WNs4RuosjPuGOnBogtHrSvyNbpwX0GlKWbBxbm0DHd

+FTNbnQZ67Vax9x6RLd1ZcMeOhGljjawdN1J69svKdGEfLgk6ZjwY/IK1R+lhcNm6

+6wq7lGZubHks+v4bfoIgNU6PSyrVguMUKyCIZI9UmNLXISbVAkEA2BvXsM7ByJx1

+3UgjmQIIoYJLihaJxxR7VIXZG7k4Q5IE89tSUxNqgPr/KF5MlOBc4U1a3LfkV7E8

+zFC1YG4KKwJBAP+B4YPO+6233rd/Ua73QyXVAAp1rY/ZD/LYnfV/x5tew6HutDIK

+DeDwQ+FAnpbOH6e6MzBEaSn2SxinRy6nLfsCQAK15rCrBzcy7y+FVhz3L5CHB9eF

+jNjYYuueeiik3BXM4Q8F8zRji/RuMYEaHa/IWKHizH70N4L6EB8n6/53ot0CQFhQ

+EB564Eq/Dt/lxdnv5OmioYz7962MnRKXBKHiNJ/jNUM3OllBWGKzKQMmTqpZPF/A

+4AiC3MaANpyi1NuvNRkCQQCr+LBFMuA05e901DwL24dMQsHsd3IDaXaf+ZBImg+M

+60aHSrllG6RLV/Sk5lgKWCUvrIJ97Yza156wV/7U4VFj

+-----END RSA PRIVATE KEY-----"""

+

+ciph = PKCS1_v1_5.new(RSA.import_key(SPP_PROD_KEY))

+sig = PKCS1_v1_5s.new(RSA.import_key(SPP_PROD_KEY))

+

+f = open(argv[1], "rb")

+f.seek(0x10)

+

+aesk_sig = f.read(0x80)

+

+f.seek(0x90)

+aes_data = f.read(0x80)

+

+if sig.verify(SHA1.new(aes_data), aesk_sig):

+    aeskey = ciph.decrypt(aes_data, 0)

+    aes = AES.new(aeskey, AES.MODE_CBC, b"\x00" * 16)

+

+    f.seek(0x110)

+    decr_data = unpad(aes.decrypt(f.read()), AES.block_size)

+    

+    hmac_key = decr_data[:0x10]

+    hmac_sig = decr_data[0x10:0x24]

+    ts_data = decr_data[0x28:]

+    

+    try:

+        hmac = HMAC.new(hmac_key, ts_data, SHA1)

+        #hmac.verify(hmac_sig)

+        

+        with open(argv[2], "wb") as fw:

+            fw.write(ts_data)

+    except ValueError:

+        print("!!! BAD HMAC !!!")

+else:

+    print("!!! BAD SIGNATURE !!!")
\ No newline at end of file
diff --git a/tsencrypt.py b/tsencrypt.py
new file mode 100644
index 0000000..86e952a
--- /dev/null
+++ b/tsencrypt.py
@@ -0,0 +1,48 @@
+from Crypto.PublicKey import RSA

+from Crypto.Cipher import AES, PKCS1_v1_5

+from Crypto.Signature import PKCS1_v1_5 as PKCS1_v1_5s

+from Crypto.Util.Padding import pad

+from Crypto.Hash import SHA1, HMAC

+from Crypto.Random import get_random_bytes

+from sys import argv

+

+SPP_PROD_KEY = """-----BEGIN RSA PRIVATE KEY-----

+MIICXQIBAAKBgQDXsWBAi5fZLtghWfw8h436oA2jj9NRtXwIflPNtfCZajhZUjie

+lWojg02FFWw/QgKAymqXWOACbvl1kME9PNFMKP42LQNci+TpaGWj8KUr9+llQ7c5

+FD1WYETdxd5BAB6GBWVRQjM6YbgR4/WL3U8IZ/k7sjhrJhLYV5BSP7qHKQIDAQAB

+AoGBAL84RIHUf9GOYxPmR+WNs4RuosjPuGOnBogtHrSvyNbpwX0GlKWbBxbm0DHd

+FTNbnQZ67Vax9x6RLd1ZcMeOhGljjawdN1J69svKdGEfLgk6ZjwY/IK1R+lhcNm6

+6wq7lGZubHks+v4bfoIgNU6PSyrVguMUKyCIZI9UmNLXISbVAkEA2BvXsM7ByJx1

+3UgjmQIIoYJLihaJxxR7VIXZG7k4Q5IE89tSUxNqgPr/KF5MlOBc4U1a3LfkV7E8

+zFC1YG4KKwJBAP+B4YPO+6233rd/Ua73QyXVAAp1rY/ZD/LYnfV/x5tew6HutDIK

+DeDwQ+FAnpbOH6e6MzBEaSn2SxinRy6nLfsCQAK15rCrBzcy7y+FVhz3L5CHB9eF

+jNjYYuueeiik3BXM4Q8F8zRji/RuMYEaHa/IWKHizH70N4L6EB8n6/53ot0CQFhQ

+EB564Eq/Dt/lxdnv5OmioYz7962MnRKXBKHiNJ/jNUM3OllBWGKzKQMmTqpZPF/A

+4AiC3MaANpyi1NuvNRkCQQCr+LBFMuA05e901DwL24dMQsHsd3IDaXaf+ZBImg+M

+60aHSrllG6RLV/Sk5lgKWCUvrIJ97Yza156wV/7U4VFj

+-----END RSA PRIVATE KEY-----"""

+

+VERSION = 5

+

+ciph = PKCS1_v1_5.new(RSA.import_key(SPP_PROD_KEY))

+sig = PKCS1_v1_5s.new(RSA.import_key(SPP_PROD_KEY))

+

+f = open(argv[1], "rb")

+ts_data = f.read()

+

+aeskey = b"massgrave.dev :3"

+hmackey = b"untrustedstore  "

+

+enc_aeskey = ciph.encrypt(aeskey)

+aeskey_sig = sig.sign(SHA1.new(enc_aeskey))

+hmac = HMAC.new(hmackey, ts_data, SHA1)

+hmac_sig = hmac.digest()

+

+header = VERSION.to_bytes(4, "little") + b"UNTRUSTSTORE" + aeskey_sig + enc_aeskey

+data = hmackey + hmac_sig + b"\x00\x00\x00\x00" + ts_data

+

+aes = AES.new(aeskey, AES.MODE_CBC, b"\x00" * 16)

+encr_data = aes.encrypt(pad(data, AES.block_size))

+

+with open(argv[2], "wb") as g:

+    g.write(header + encr_data)
\ No newline at end of file