From a617f59a992a1d56328f0c32e3e303db3fef975d Mon Sep 17 00:00:00 2001
From: WitherOrNot
Date: Thu, 13 Feb 2025 18:37:59 -0500
Subject: Add files via upload

---
 keyderiv.py | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 keyderiv.py

(limited to 'keyderiv.py')

diff --git a/keyderiv.py b/keyderiv.py
new file mode 100644
index 0000000..fb45608
--- /dev/null
+++ b/keyderiv.py
@@ -0,0 +1,49 @@
+import re
+import json
+import sys
+
+"""
+Set all following breakpoints on sppsvc.exe in x64dbg with Break Condition 0, Command Condition 1, and the associated Command Text:
+
+For prod key, works on 19041.1266 -> 19044.3803
+
+`sppsvc+1957F4` - `log "MODULUS {mem;0x80@rdx}"`
+`sppsvc+195A80` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`
+`sppsvc+1A36F1` - `log "MUL PROD {mem;0x80@rbx}"`
+`sppsvc+198CEC` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x440198]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x440198]]]}"`
+`sppsvc+199E07` - `log "MPMUL PROD {mem;0x80@[rax-[[sppsvc+0x440198]]]}"`
+`sppsvc+19561C` - `log "LAST MPMODMUL"`
+
+For test key, works on 20221.1000
+
+`sppsvc+1DD940` - `log "MODULUS {mem;0x80@rdx}"`
+`sppsvc+1DDFF0` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`
+`sppsvc+1DD8B1` - `log "MUL PROD {mem;0x80@rdi}"`
+`sppsvc+1D2050` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x483178]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x483178]]]}"`
+`sppsvc+1D30F4` - `log "MPMUL PROD {mem;0x80@[[rbp-0x69]-[[sppsvc+0x483178]]]}"`
+`sppsvc+1CEDE2` - `log "LAST MPMODMUL"`
+
+Right-click in Log tab, select "Redirect Log File" and choose path before unsuspending, once LAST MPMODMUL is shown then save log file and use with this script.
+"""
+
+pows = {}
+
+mul_log = open(sys.argv[1], "r").read()
+
+muls = re.finditer(r"\s*(?:MPMUL|MUL) F1 (\w+)\s*(?:MPMUL|MUL) F2 (\w+)\s*(?:MPMUL|MUL) PROD (\w+)\s*", mul_log, re.DOTALL | re.MULTILINE)
+fs_mul = muls.__next__()
+
+assert fs_mul[1] == fs_mul[2]
+
+pows[fs_mul[1]] = 1
+pows[fs_mul[3]] = 2
+
+last_pow = 0
+
+for mul in muls:
+    print(mul[1][:8], mul[2][:8], mul[3][:8])
+    pows[mul[3]] = pows[mul[1]] + pows[mul[2]]
+    
+    last_pow = pows[mul[3]]
+
+print("Derived private key: ", hex(last_pow))
\ No newline at end of file
-- 
cgit v1.2.3