diff options
| author | WitherOrNot | 2025-02-13 23:56:24 +0000 |
|---|---|---|
| committer | GitHub | 2025-02-13 23:56:24 +0000 |
| commit | bfc74e9d1958397620f332f9c9ec3eeaf439a6ca (patch) | |
| tree | 3007999ee5cadf89f14c3fb73822fa8bb0ce1954 | |
| parent | ce01862459c73609e1a25666af6dc6aa74aec3df (diff) | |
| download | spp-stuff-bfc74e9d1958397620f332f9c9ec3eeaf439a6ca.zip | |
Create README.md
| -rw-r--r-- | patterns/README.md | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/patterns/README.md b/patterns/README.md new file mode 100644 index 0000000..5e86e41 --- /dev/null +++ b/patterns/README.md @@ -0,0 +1,11 @@ +# ImHex Patterns + +You can use these pattern files with [ImHex](https://github.com/WerWolv/ImHex) to view contents of various SPP-related files. + +## Pattern List + + - `variablebag` - For product key blobs in physical store/`cache.dat` + - `tokenstore` - For `tokens.dat` + - `win7_physstore`/`winmodern_physstore` - For decrypted Windows 7/Windows 8+ physical store + +Physical store can be decrypted with TSforge `/dump` option, ex. `tsforge /dump out.dat` on live system or `tsforge /dump out.dat in.dat` for physical store from offline system. |