| author | WitherOrNot | 2025-02-13 23:37:59 +0000 |
|---|---|---|
| committer | GitHub | 2025-02-13 23:37:59 +0000 |
| commit | a617f59a992a1d56328f0c32e3e303db3fef975d (patch) | |
| tree | 1fa65b0b728e8787a6cccd138712281c63006414 /keyderiv.py | |
| parent | 634b353ebbfc6f465b13a18ae178f0bfd96510f8 (diff) | |
| download | spp-stuff-a617f59a992a1d56328f0c32e3e303db3fef975d.zip | |
Add files via upload
Diffstat (limited to 'keyderiv.py')
| -rw-r--r-- | keyderiv.py | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/keyderiv.py b/keyderiv.py
new file mode 100644
index 0000000..fb45608
--- /dev/null
+++ b/keyderiv.py
@@ -0,0 +1,49 @@
+import re
+import json
+import sys
+
+"""
+Set all following breakpoints on sppsvc.exe in x64dbg with Break Condition 0, Command Condition 1, and the associated Command Text:
+
+For prod key, works on 19041.1266 -> 19044.3803
+
+`sppsvc+1957F4` - `log "MODULUS {mem;0x80@rdx}"`
+`sppsvc+195A80` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`
+`sppsvc+1A36F1` - `log "MUL PROD {mem;0x80@rbx}"`
+`sppsvc+198CEC` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x440198]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x440198]]]}"`
+`sppsvc+199E07` - `log "MPMUL PROD {mem;0x80@[rax-[[sppsvc+0x440198]]]}"`
+`sppsvc+19561C` - `log "LAST MPMODMUL"`
+
+For test key, works on 20221.1000
+
+`sppsvc+1DD940` - `log "MODULUS {mem;0x80@rdx}"`
+`sppsvc+1DDFF0` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`
+`sppsvc+1DD8B1` - `log "MUL PROD {mem;0x80@rdi}"`
+`sppsvc+1D2050` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x483178]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x483178]]]}"`
+`sppsvc+1D30F4` - `log "MPMUL PROD {mem;0x80@[[rbp-0x69]-[[sppsvc+0x483178]]]}"`
+`sppsvc+1CEDE2` - `log "LAST MPMODMUL"`
+
+Right-click in Log tab, select "Redirect Log File" and choose path before unsuspending, once LAST MPMODMUL is shown then save log file and use with this script.
+"""
+
+pows = {}
+
+mul_log = open(sys.argv[1], "r").read()
+
+muls = re.finditer(r"\s*(?:MPMUL|MUL) F1 (\w+)\s*(?:MPMUL|MUL) F2 (\w+)\s*(?:MPMUL|MUL) PROD (\w+)\s*", mul_log, re.DOTALL | re.MULTILINE)
+fs_mul = muls.__next__()
+
+assert fs_mul[1] == fs_mul[2]
+
+pows[fs_mul[1]] = 1
+pows[fs_mul[3]] = 2
+
+last_pow = 0
+
+for mul in muls:
+ print(mul[1][:8], mul[2][:8], mul[3][:8])
+ pows[mul[3]] = pows[mul[1]] + pows[mul[2]]
+
+ last_pow = pows[mul[3]]
+
+print("Derived private key: ", hex(last_pow))
\ No newline at end of file |
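Review bot: `mul_log = open(sys.argv[1], "r").read()` never closes the file handle, and `fs_mul = muls.__next__()` on the following line lets a bare StopIteration escape when the log contains no F1/F2/PROD triple; prefer `with open(sys.argv[1]) as f: mul_log = f.read()` and `fs_mul = next(muls, None)` followed by an explicit `sys.exit("no multiplication entries found in log")`. The loop body `pows[mul[3]] = pows[mul[1]] + pows[mul[2]]` raises a KeyError whenever a factor was never recorded as an earlier product, so a log that was truncated or captured from a different build fails with an unhelpful traceback rather than a message naming the unmatched operand. `import json` is unused. The triple-quoted instructions sit after the imports and therefore are not the module docstring; placing them on the first line (or turning them into a comment block) would make the setup steps available as `__doc__` and keep the file free of a stray expression statement.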
