├── README.md
├── bin
    ├── PPLcontrol.exe
    └── pssuspend64.exe
├── drivers
    ├── RTCore
    │   ├── RTCore64.sys
    │   ├── install.cmd
    │   └── remove.cmd
    └── StartSuspended
    │   ├── StartSuspended.sys
    │   ├── install.cmd
    │   └── remove.cmd
├── keyderiv.py
├── patterns
    ├── README.md
    ├── tokenstore.pat
    ├── variablebag.pat
    ├── win7_physstore.pat
    └── winmodern_physstore.pat
├── splog.py
├── spp_prod.pem
├── spp_test.pem
├── sppdebug.reg
├── tokens_rebuild_v2.py
├── tsdecrypt.py
└── tsencrypt.py


/README.md:
--------------------------------------------------------------------------------
 1 | # spp-stuff
 2 | 
 3 | Collection of random stuff
 4 | 
 5 | ## Debugging """Guide"""
 6 | 
 7 |  - Put machine into testsigning (`bcdedit /set testsigning on`)
 8 |  - Install drivers under `drivers/` by running `install.cmd` in each folder
 9 |  - Install `sppdebug.reg` to have SPPSvc auto-suspend on startup
10 |  - Use PPLcontrol to set debugger to `PP Windows` protection level
11 |  - Use [ScyllaHide](https://github.com/x64dbg/ScyllaHide/releases/tag/v1.4) with VMProtect profile for debugging
12 |  - Take care to avoid having debugger attached at the end of a [heap execute](https://github.com/WitherOrNot/warbird-docs/blob/main/WarbirdModern.md#heap-executes), or sppsvc will crash with Fast Fail Exception
13 | 
14 | ## Credits
15 | 
16 | - asdcorp, abbodi, Lyssa - ImHex patterns
17 | - asdcorp - SPP debug setup, `tokens_rebuild_v2.py`
18 | 


--------------------------------------------------------------------------------
/bin/PPLcontrol.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/massgravel/spp-stuff/9de7d4195f2590df3f9f0eff27d2036ff95b7977/bin/PPLcontrol.exe


--------------------------------------------------------------------------------
/bin/pssuspend64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/massgravel/spp-stuff/9de7d4195f2590df3f9f0eff27d2036ff95b7977/bin/pssuspend64.exe


--------------------------------------------------------------------------------
/drivers/RTCore/RTCore64.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/massgravel/spp-stuff/9de7d4195f2590df3f9f0eff27d2036ff95b7977/drivers/RTCore/RTCore64.sys


--------------------------------------------------------------------------------
/drivers/RTCore/install.cmd:
--------------------------------------------------------------------------------
1 | copy "%~dp0RTCore64.sys" %systemdrive%\RTCore64.sys
2 | sc.exe create RTCore64 type= kernel start= auto binPath= %systemdrive%\RTCore64.sys DisplayName= "Micro - Star MSI Afterburner"
3 | net.exe start RTCore64
4 | pause
5 | 


--------------------------------------------------------------------------------
/drivers/RTCore/remove.cmd:
--------------------------------------------------------------------------------
1 | net.exe stop RTCore64
2 | sc.exe delete RTCore64
3 | del %systemdrive%\RTCore64.sys
4 | pause
5 | 


--------------------------------------------------------------------------------
/drivers/StartSuspended/StartSuspended.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/massgravel/spp-stuff/9de7d4195f2590df3f9f0eff27d2036ff95b7977/drivers/StartSuspended/StartSuspended.sys


--------------------------------------------------------------------------------
/drivers/StartSuspended/install.cmd:
--------------------------------------------------------------------------------
1 | copy "%~dp0StartSuspended.sys" %systemdrive%\StartSuspended.sys
2 | sc.exe create StartSuspended type= kernel start= auto binPath= %systemdrive%\StartSuspended.sys
3 | reg.exe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StartSuspended /v Target /t REG_SZ /d sppsvc.exe /f
4 | net.exe start StartSuspended
5 | pause
6 | 


--------------------------------------------------------------------------------
/drivers/StartSuspended/remove.cmd:
--------------------------------------------------------------------------------
1 | net.exe stop RTCore64
2 | sc.exe delete RTCore64
3 | del %systemdrive%\RTCore64.sys
4 | pause
5 | 


--------------------------------------------------------------------------------
/keyderiv.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import json
 3 | import sys
 4 | 
 5 | """
 6 | Set all following breakpoints on sppsvc.exe in x64dbg with Break Condition 0, Command Condition 1, and the associated Command Text:
 7 | 
 8 | For prod key, works on 19041.1266 -> 19044.3803
 9 | 
10 | `sppsvc+1957F4` - `log "MODULUS {mem;0x80@rdx}"`
11 | `sppsvc+195A80` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`
12 | `sppsvc+1A36F1` - `log "MUL PROD {mem;0x80@rbx}"`
13 | `sppsvc+198CEC` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x440198]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x440198]]]}"`
14 | `sppsvc+199E07` - `log "MPMUL PROD {mem;0x80@[rax-[[sppsvc+0x440198]]]}"`
15 | `sppsvc+19561C` - `log "LAST MPMODMUL"`
16 | 
17 | For test key, works on 20221.1000
18 | 
19 | `sppsvc+1DD940` - `log "MODULUS {mem;0x80@rdx}"`
20 | `sppsvc+1DDFF0` - `log "MUL F1 {mem;0x80@rdx}"; log "MUL F2 {mem;0x80@r8}"`
21 | `sppsvc+1DD8B1` - `log "MUL PROD {mem;0x80@rdi}"`
22 | `sppsvc+1D2050` - `log "MPMUL F1 {mem;0x80@[[arg.get(2)]-[[sppsvc+0x483178]]]}"; log "MPMUL F2 {mem;0x80@[[arg.get(3)]-[[sppsvc+0x483178]]]}"`
23 | `sppsvc+1D30F4` - `log "MPMUL PROD {mem;0x80@[[rbp-0x69]-[[sppsvc+0x483178]]]}"`
24 | `sppsvc+1CEDE2` - `log "LAST MPMODMUL"`
25 | 
26 | Right-click in Log tab, select "Redirect Log File" and choose path before unsuspending, once LAST MPMODMUL is shown then save log file and use with this script.
27 | """
28 | 
29 | pows = {}
30 | 
31 | mul_log = open(sys.argv[1], "r").read()
32 | 
33 | muls = re.finditer(r"\s*(?:MPMUL|MUL) F1 (\w+)\s*(?:MPMUL|MUL) F2 (\w+)\s*(?:MPMUL|MUL) PROD (\w+)\s*", mul_log, re.DOTALL | re.MULTILINE)
34 | fs_mul = muls.__next__()
35 | 
36 | assert fs_mul[1] == fs_mul[2]
37 | 
38 | pows[fs_mul[1]] = 1
39 | pows[fs_mul[3]] = 2
40 | 
41 | last_pow = 0
42 | 
43 | for mul in muls:
44 |     print(mul[1][:8], mul[2][:8], mul[3][:8])
45 |     pows[mul[3]] = pows[mul[1]] + pows[mul[2]]
46 |     
47 |     last_pow = pows[mul[3]]
48 | 
49 | print("Derived private key: ", hex(last_pow))


--------------------------------------------------------------------------------
/patterns/README.md:
--------------------------------------------------------------------------------
 1 | # ImHex Patterns
 2 | 
 3 | You can use these pattern files with [ImHex](https://github.com/WerWolv/ImHex) to view contents of various SPP-related files.
 4 | 
 5 | ## Pattern List
 6 | 
 7 |  - `variablebag` - For product key blobs in physical store/`cache.dat`
 8 |  - `tokenstore` - For `tokens.dat`
 9 |  - `win7_physstore`/`winmodern_physstore` - For decrypted Windows 7/Windows 8+ physical store
10 | 
11 | Physical store can be decrypted with TSforge `/dump` option, ex. `tsforge /dump out.dat` on live system or `tsforge /dump out.dat in.dat` for physical store from offline system.
12 | 


--------------------------------------------------------------------------------
/patterns/tokenstore.pat:
--------------------------------------------------------------------------------
 1 | struct EntryContent {
 2 |     u8 header[32];
 3 |     u32 data_len;
 4 |     u8 sha256[32];
 5 |     u8 data[data_len];
 6 |     u8 footer[32];
 7 | };
 8 | 
 9 | struct Metadata {
10 |     u32 entry_off;
11 |     u32 populated;
12 |     u32 content_off;
13 |     u32 content_len;
14 |     u32 alloc_len;
15 |     char16 name[65];
16 |     char16 ext[4];
17 | 
18 |     if (populated == 1) {
19 |         EntryContent content @ content_off;
20 |     }
21 | };
22 | 
23 | struct Block {
24 |     u32 self_off;
25 |     u32 next_off;
26 |     Metadata metadata[103];
27 |     padding[16384 - sizeof(self_off) - sizeof(next_off) - sizeof(metadata)];
28 |     u8 sha256[32];
29 | 
30 |     if (next_off != 0) {
31 |         Block next @ next_off;
32 |     }
33 | };
34 | 
35 | struct FileHeader {
36 |     u32 version;
37 |     u8 sha256[32];
38 |     Block block;
39 | };
40 | 
41 | FileHeader fileheader @ 0x00;


--------------------------------------------------------------------------------
/patterns/variablebag.pat:
--------------------------------------------------------------------------------
 1 | #include <std/mem.pat>
 2 | 
 3 | struct varbag_entry {
 4 |     u32 crc32;
 5 |     u32 unk1;
 6 |     u32 len_name;
 7 |     u32 len_val;
 8 |     char16 name[len_name/2];
 9 |     padding[-$&7];
10 |     u8 value[len_val];
11 |     padding[-$&7];
12 | };
13 | 
14 | varbag_entry entries[while($ < std::mem::size())] @ 0x0;


--------------------------------------------------------------------------------
/patterns/win7_physstore.pat:
--------------------------------------------------------------------------------
 1 | #include <std/mem.pat>
 2 | 
 3 | struct tsd_data {
 4 |     u32 val_type; // 0 None, 1 Named, 2 Attribute, 3 Timer
 5 |     u32 flags;
 6 |     u32 len_key;
 7 |     u32 len_val;
 8 |     u32 len_data;
 9 |     char16 key[len_key/2];
10 |     u8 value[len_val];
11 |     u8 data[len_data];
12 |     padding[-$&3];
13 | };
14 | 
15 | tsd_data store[while($ < std::mem::size())] @ 0x8;


--------------------------------------------------------------------------------
/patterns/winmodern_physstore.pat:
--------------------------------------------------------------------------------
 1 | struct tsd_header {
 2 |     u32 len_name;
 3 |     char16 name[len_name/2];
 4 |     u32 num_entries;
 5 |     padding[-$&3];
 6 | };
 7 | 
 8 | struct tsd_data {
 9 |     u32 unk1;
10 |     u32 unk2;
11 |     u32 len_name;
12 |     u32 len_val;
13 |     u32 unk3;
14 |     char16 name[len_name/2];
15 |     u8 value[len_val];
16 |     padding[-$&3];
17 | };
18 | 
19 | struct tsentry {
20 |     tsd_header header;
21 |     tsd_data data[header.num_entries];
22 | };
23 | 
24 | struct data_store {
25 |     u32 num_entries;
26 |     tsentry entries[num_entries];
27 | };
28 | 
29 | data_store store @ 0x8;


--------------------------------------------------------------------------------
/splog.py:
--------------------------------------------------------------------------------
 1 | # Decrypt C:\Windows\System32\spsys.log from Windows 7
 2 | # Can be used to trace functions executed in spsys
 3 | 
 4 | from Crypto.Cipher import AES
 5 | from struct import unpack
 6 | 
 7 | aeskey = bytes([0x5B, 0x68, 0x49, 0x25, 0x79, 0x7B, 0x81, 0xFE, 0x5C, 0x44, 0x1B, 0x08, 0x2B, 0xEA, 0xEC, 0x4E])
 8 | 
 9 | log_data = b""
10 | 
11 | with open("spsys.log", "rb") as f:
12 |     aes = AES.new(aeskey, AES.MODE_ECB)
13 |     log_data = aes.decrypt(f.read()[0x28:])
14 | 
15 | with open("spsys_log_d.bin", "wb") as f:
16 |     f.write(log_data)


--------------------------------------------------------------------------------
/spp_prod.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIICXQIBAAKBgQDXsWBAi5fZLtghWfw8h436oA2jj9NRtXwIflPNtfCZajhZUjie
 3 | lWojg02FFWw/QgKAymqXWOACbvl1kME9PNFMKP42LQNci+TpaGWj8KUr9+llQ7c5
 4 | FD1WYETdxd5BAB6GBWVRQjM6YbgR4/WL3U8IZ/k7sjhrJhLYV5BSP7qHKQIDAQAB
 5 | AoGBAL84RIHUf9GOYxPmR+WNs4RuosjPuGOnBogtHrSvyNbpwX0GlKWbBxbm0DHd
 6 | FTNbnQZ67Vax9x6RLd1ZcMeOhGljjawdN1J69svKdGEfLgk6ZjwY/IK1R+lhcNm6
 7 | 6wq7lGZubHks+v4bfoIgNU6PSyrVguMUKyCIZI9UmNLXISbVAkEA2BvXsM7ByJx1
 8 | 3UgjmQIIoYJLihaJxxR7VIXZG7k4Q5IE89tSUxNqgPr/KF5MlOBc4U1a3LfkV7E8
 9 | zFC1YG4KKwJBAP+B4YPO+6233rd/Ua73QyXVAAp1rY/ZD/LYnfV/x5tew6HutDIK
10 | DeDwQ+FAnpbOH6e6MzBEaSn2SxinRy6nLfsCQAK15rCrBzcy7y+FVhz3L5CHB9eF
11 | jNjYYuueeiik3BXM4Q8F8zRji/RuMYEaHa/IWKHizH70N4L6EB8n6/53ot0CQFhQ
12 | EB564Eq/Dt/lxdnv5OmioYz7962MnRKXBKHiNJ/jNUM3OllBWGKzKQMmTqpZPF/A
13 | 4AiC3MaANpyi1NuvNRkCQQCr+LBFMuA05e901DwL24dMQsHsd3IDaXaf+ZBImg+M
14 | 60aHSrllG6RLV/Sk5lgKWCUvrIJ97Yza156wV/7U4VFj
15 | -----END RSA PRIVATE KEY-----


--------------------------------------------------------------------------------
/spp_test.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIICXQIBAAKBgQD2nHchRdHpsxBrJhmBFbOxIa8tw+JXQb42rnz4cOYjaFEGeM7Q
 3 | wydMfOOumFxQ/Jg9yl64N9mVduFpvcGzZdbz2/Td5ZDTnJ3PHo6178NgkmdyUzo3
 4 | nv06m1+zgHrZ6Qi3thRXP+1RND1tqzUWDBYeP9ETxGYX1GfdNlTduHe+DwIDAQAB
 5 | AoGBAPFt/LL2R6sjQs+jXRSiymh/MaD8RHpoQnAGIxKWdLf1SF2tp8t5Qt/+5Gfp
 6 | gXdH00Oq+1AeXUWWPNfojdmzudrXYgAv750Vf5TdPMb9gPZZkc1d5ksw3n3h103V
 7 | 0Wp0fX3sJavF5WiEN8GeByr+4c+naeQQm8+jacHQMmjTEWgBAkEA/CnRmlNCe7lF
 8 | BiDMrFCHBHWa7bJRkZWoZhwOCYIEk2Sfrl1+WMWFMF7UkANtCU8ZECQH+4bbK7xh
 9 | Mh2deLbd4QJBAPpdBVPcGDHCiPWAiSSEpVrXADEacJ8MuzE4ux48oXj6E8c4mmu/
10 | S+mxoZLsa9PeEo5QLSGcVMsrhwVpdRZHue8CQDaHZIgW0R2oJsD4fsoUb94LAIG+
11 | Od1dm5jZID/2Gb8110IBfbz8mZyoJRcvZnjI3gabhA5kTyjaB7qqpM7h3IECQQC+
12 | ooHh/t71VLlQplTG17HI35knyogis2D988KXHXeeVF0m/vSmQn0dLsJmy1q3cosS
13 | jf4vb4gpQ7WF62zaUDdFAkBv/Lk1yuGX2Yx1f6a+BK4tC/EfJSTi2ojyvSH6IjgI
14 | 2eXEW4fB1vpiz0cf7maWHO2iPSFducHYF7OkuC//SJ+B
15 | -----END RSA PRIVATE KEY-----


--------------------------------------------------------------------------------
/sppdebug.reg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/massgravel/spp-stuff/9de7d4195f2590df3f9f0eff27d2036ff95b7977/sppdebug.reg


--------------------------------------------------------------------------------
/tokens_rebuild_v2.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | import struct
  4 | import sys
  5 | import os
  6 | import hashlib
  7 | 
  8 | TOKENS_VERSION = 3
  9 | 
 10 | BLOCK_SIZE = 16384
 11 | ENTRY_SIZE = 158
 12 | MAX_ENTRIES = (BLOCK_SIZE - 8) // ENTRY_SIZE
 13 | 
 14 | ENTRY_CONTENTS_HEADER = b'\x55' * 32
 15 | ENTRY_CONTENTS_FOOTER = b'\xAA' * 32
 16 | 
 17 | def parse_entry(f, offset):
 18 |     f.seek(offset)
 19 |     unpacked = struct.unpack('<lllll', f.read(20))
 20 | 
 21 |     if unpacked[0] != offset or unpacked[1] == 0 or unpacked[2] == 0:
 22 |         return None
 23 | 
 24 |     (name_b, ext_b) = struct.unpack('<130s8s', f.read(138))
 25 | 
 26 |     name = (
 27 |         name_b.decode('utf-16-le').rstrip('\0'),
 28 |         ext_b.decode('utf-16-le').rstrip('\0')
 29 |     )
 30 | 
 31 |     return (unpacked[2], unpacked[3], name)
 32 | 
 33 | 
 34 | def parse_block_entries(f, offset):
 35 |     o_entry = offset + ((MAX_ENTRIES - 1) * ENTRY_SIZE)
 36 |     entries = []
 37 | 
 38 |     for i in range(MAX_ENTRIES):
 39 |         entry = parse_entry(f, o_entry)
 40 |         o_entry -= ENTRY_SIZE
 41 | 
 42 |         if entry != None:
 43 |             entries.append(entry)
 44 | 
 45 |     return entries
 46 | 
 47 | 
 48 | def parse_block(f, offset):
 49 |     f.seek(offset)
 50 |     unpacked = struct.unpack('<ll', f.read(8))
 51 | 
 52 |     if unpacked[0] != offset:
 53 |         return None
 54 | 
 55 |     entries = parse_block_entries(f, f.tell())
 56 |     return (entries, unpacked[1])
 57 | 
 58 | 
 59 | def get_token(f, entry):
 60 |     (offset, length, name) = entry
 61 |     f.seek(offset)
 62 | 
 63 |     if f.read(32) != ENTRY_CONTENTS_HEADER:
 64 |         return None
 65 | 
 66 |     (h_len, h_sha256) = struct.unpack('<l32s', f.read(36))
 67 | 
 68 |     if length != h_len:
 69 |         return None
 70 | 
 71 |     contents = f.read(h_len)
 72 | 
 73 |     if f.read(32) != ENTRY_CONTENTS_FOOTER:
 74 |         return None
 75 | 
 76 |     return (name, contents)
 77 | 
 78 | 
 79 | def get_tokens(f):
 80 |     f.seek(0)
 81 | 
 82 |     if struct.unpack('<l32xl', f.read(40)) != (TOKENS_VERSION, 36):
 83 |         return None
 84 | 
 85 |     offset = 36
 86 |     all_entries = []
 87 | 
 88 |     while offset != 0:
 89 |         (entries, offset) = parse_block(f, offset)
 90 |         all_entries += entries
 91 | 
 92 |     tokens = []
 93 | 
 94 |     for entry in all_entries:
 95 |         token = get_token(f, entry)
 96 |         if token != None:
 97 |             tokens.append(token)
 98 | 
 99 |     return tokens
100 | 
101 | 
102 | def build_entry_value(data):
103 |     d_len = len(data).to_bytes(4, "little")
104 |     d_sha256 = hashlib.sha256(data).digest()
105 | 
106 |     value = ENTRY_CONTENTS_HEADER
107 |     value += d_len
108 |     value += d_sha256
109 |     value += data
110 |     value += ENTRY_CONTENTS_FOOTER
111 | 
112 |     return (value, len(value))
113 | 
114 | 
115 | def build_entry_meta(o_meta, populated, o_value, vd_len, name):
116 |     return struct.pack(
117 |             "<IIIII130s8s",
118 |             o_meta,
119 |             populated,
120 |             o_value,
121 |             vd_len,
122 |             vd_len,
123 |             name[0].encode('utf-16-le'),
124 |             name[1].encode('utf-16-le')
125 |         )
126 | 
127 | 
128 | def build_entry(o_meta, o_value, entry):
129 |     value, v_len = build_entry_value(entry[1])
130 | 
131 |     vd_len = len(entry[1])
132 |     meta = build_entry_meta(o_meta, True, o_value, vd_len, entry[0])
133 | 
134 |     return (value, v_len, meta)
135 | 
136 | 
137 | def build_entries_block(entries, o_start):
138 |     meta_block = b''
139 |     data_block = b''
140 | 
141 |     o_meta = o_start + 8 + ((MAX_ENTRIES - 1) * ENTRY_SIZE)
142 |     o_data = o_start + BLOCK_SIZE + 32
143 | 
144 |     next_block = 0
145 |     write_entries = len(entries)
146 |     write_next_block_offset = False
147 | 
148 |     if len(entries) > MAX_ENTRIES:
149 |         write_entries = MAX_ENTRIES
150 |         write_next_block_offset = True
151 | 
152 |     for _ in range(write_entries):
153 |         data, data_len, meta = build_entry(o_meta, o_data, entries.pop(0))
154 | 
155 |         meta_block = meta + meta_block
156 |         o_meta -= ENTRY_SIZE
157 | 
158 |         data_block += data
159 |         o_data += data_len
160 | 
161 |     for _ in range(MAX_ENTRIES - write_entries):
162 |         meta = build_entry_meta(o_meta, False, 0, 0xFFFFFFFF, ('', ''))
163 | 
164 |         meta_block = meta + meta_block
165 |         o_meta -= ENTRY_SIZE
166 | 
167 |     if write_next_block_offset:
168 |         next_block = o_data
169 | 
170 |     finished_block = struct.pack("<II", o_start, next_block)
171 |     finished_block += meta_block
172 |     finished_block += b'\0' * (BLOCK_SIZE - (MAX_ENTRIES * ENTRY_SIZE) - 8)
173 |     finished_block += hashlib.sha256(finished_block).digest()
174 |     finished_block += data_block
175 | 
176 |     return (finished_block, next_block, entries)
177 | 
178 | 
179 | def build_tokens(entries):
180 |     tokens_data = b''
181 |     header = TOKENS_VERSION.to_bytes(4, "little")
182 | 
183 |     o_next = 36
184 |     entries_l = entries
185 | 
186 |     while o_next != 0:
187 |         block, o_next, entries_l = build_entries_block(entries_l, o_next)
188 |         tokens_data += block
189 | 
190 |     tokens_hash = hashlib.sha256(header + tokens_data).digest()
191 | 
192 |     finished_tokens = header
193 |     finished_tokens += tokens_hash
194 |     finished_tokens += tokens_data
195 | 
196 |     return finished_tokens
197 | 
198 | 
199 | if __name__ == '__main__':
200 |     if len(sys.argv) != 3:
201 |         print(f'Usage: {sys.argv[0]} source_tokens_file destination_tokens_file')
202 |         exit(1)
203 | 
204 |     source = sys.argv[1]
205 |     destination = sys.argv[2]
206 | 
207 |     if not os.path.isfile(source):
208 |         print(f'Source {source} is not a file')
209 |         exit(1)
210 | 
211 |     if os.path.isdir(destination):
212 |         print(f'Source {source} is a directory')
213 |         exit(1)
214 | 
215 |     with open(source, 'rb') as f:
216 |         tokens = get_tokens(f)
217 | 
218 |     with open(destination, 'wb') as f:
219 |         f.write(build_tokens(tokens))
220 | 


--------------------------------------------------------------------------------
/tsdecrypt.py:
--------------------------------------------------------------------------------
 1 | from Crypto.PublicKey import RSA
 2 | from Crypto.Cipher import AES, PKCS1_v1_5
 3 | from Crypto.Signature import PKCS1_v1_5 as PKCS1_v1_5s
 4 | from Crypto.Util.Padding import unpad
 5 | from Crypto.Hash import SHA1, HMAC
 6 | from sys import argv
 7 | 
 8 | SPP_PROD_KEY = """-----BEGIN RSA PRIVATE KEY-----
 9 | MIICXQIBAAKBgQDXsWBAi5fZLtghWfw8h436oA2jj9NRtXwIflPNtfCZajhZUjie
10 | lWojg02FFWw/QgKAymqXWOACbvl1kME9PNFMKP42LQNci+TpaGWj8KUr9+llQ7c5
11 | FD1WYETdxd5BAB6GBWVRQjM6YbgR4/WL3U8IZ/k7sjhrJhLYV5BSP7qHKQIDAQAB
12 | AoGBAL84RIHUf9GOYxPmR+WNs4RuosjPuGOnBogtHrSvyNbpwX0GlKWbBxbm0DHd
13 | FTNbnQZ67Vax9x6RLd1ZcMeOhGljjawdN1J69svKdGEfLgk6ZjwY/IK1R+lhcNm6
14 | 6wq7lGZubHks+v4bfoIgNU6PSyrVguMUKyCIZI9UmNLXISbVAkEA2BvXsM7ByJx1
15 | 3UgjmQIIoYJLihaJxxR7VIXZG7k4Q5IE89tSUxNqgPr/KF5MlOBc4U1a3LfkV7E8
16 | zFC1YG4KKwJBAP+B4YPO+6233rd/Ua73QyXVAAp1rY/ZD/LYnfV/x5tew6HutDIK
17 | DeDwQ+FAnpbOH6e6MzBEaSn2SxinRy6nLfsCQAK15rCrBzcy7y+FVhz3L5CHB9eF
18 | jNjYYuueeiik3BXM4Q8F8zRji/RuMYEaHa/IWKHizH70N4L6EB8n6/53ot0CQFhQ
19 | EB564Eq/Dt/lxdnv5OmioYz7962MnRKXBKHiNJ/jNUM3OllBWGKzKQMmTqpZPF/A
20 | 4AiC3MaANpyi1NuvNRkCQQCr+LBFMuA05e901DwL24dMQsHsd3IDaXaf+ZBImg+M
21 | 60aHSrllG6RLV/Sk5lgKWCUvrIJ97Yza156wV/7U4VFj
22 | -----END RSA PRIVATE KEY-----"""
23 | 
24 | ciph = PKCS1_v1_5.new(RSA.import_key(SPP_PROD_KEY))
25 | sig = PKCS1_v1_5s.new(RSA.import_key(SPP_PROD_KEY))
26 | 
27 | f = open(argv[1], "rb")
28 | f.seek(0x10)
29 | 
30 | aesk_sig = f.read(0x80)
31 | 
32 | f.seek(0x90)
33 | aes_data = f.read(0x80)
34 | 
35 | if sig.verify(SHA1.new(aes_data), aesk_sig):
36 |     aeskey = ciph.decrypt(aes_data, 0)
37 |     aes = AES.new(aeskey, AES.MODE_CBC, b"\x00" * 16)
38 | 
39 |     f.seek(0x110)
40 |     decr_data = unpad(aes.decrypt(f.read()), AES.block_size)
41 |     
42 |     hmac_key = decr_data[:0x10]
43 |     hmac_sig = decr_data[0x10:0x24]
44 |     ts_data = decr_data[0x28:]
45 |     
46 |     try:
47 |         hmac = HMAC.new(hmac_key, ts_data, SHA1)
48 |         #hmac.verify(hmac_sig)
49 |         
50 |         with open(argv[2], "wb") as fw:
51 |             fw.write(ts_data)
52 |     except ValueError:
53 |         print("!!! BAD HMAC !!!")
54 | else:
55 |     print("!!! BAD SIGNATURE !!!")


--------------------------------------------------------------------------------
/tsencrypt.py:
--------------------------------------------------------------------------------
 1 | from Crypto.PublicKey import RSA
 2 | from Crypto.Cipher import AES, PKCS1_v1_5
 3 | from Crypto.Signature import PKCS1_v1_5 as PKCS1_v1_5s
 4 | from Crypto.Util.Padding import pad
 5 | from Crypto.Hash import SHA1, HMAC
 6 | from Crypto.Random import get_random_bytes
 7 | from sys import argv
 8 | 
 9 | SPP_PROD_KEY = """-----BEGIN RSA PRIVATE KEY-----
10 | MIICXQIBAAKBgQDXsWBAi5fZLtghWfw8h436oA2jj9NRtXwIflPNtfCZajhZUjie
11 | lWojg02FFWw/QgKAymqXWOACbvl1kME9PNFMKP42LQNci+TpaGWj8KUr9+llQ7c5
12 | FD1WYETdxd5BAB6GBWVRQjM6YbgR4/WL3U8IZ/k7sjhrJhLYV5BSP7qHKQIDAQAB
13 | AoGBAL84RIHUf9GOYxPmR+WNs4RuosjPuGOnBogtHrSvyNbpwX0GlKWbBxbm0DHd
14 | FTNbnQZ67Vax9x6RLd1ZcMeOhGljjawdN1J69svKdGEfLgk6ZjwY/IK1R+lhcNm6
15 | 6wq7lGZubHks+v4bfoIgNU6PSyrVguMUKyCIZI9UmNLXISbVAkEA2BvXsM7ByJx1
16 | 3UgjmQIIoYJLihaJxxR7VIXZG7k4Q5IE89tSUxNqgPr/KF5MlOBc4U1a3LfkV7E8
17 | zFC1YG4KKwJBAP+B4YPO+6233rd/Ua73QyXVAAp1rY/ZD/LYnfV/x5tew6HutDIK
18 | DeDwQ+FAnpbOH6e6MzBEaSn2SxinRy6nLfsCQAK15rCrBzcy7y+FVhz3L5CHB9eF
19 | jNjYYuueeiik3BXM4Q8F8zRji/RuMYEaHa/IWKHizH70N4L6EB8n6/53ot0CQFhQ
20 | EB564Eq/Dt/lxdnv5OmioYz7962MnRKXBKHiNJ/jNUM3OllBWGKzKQMmTqpZPF/A
21 | 4AiC3MaANpyi1NuvNRkCQQCr+LBFMuA05e901DwL24dMQsHsd3IDaXaf+ZBImg+M
22 | 60aHSrllG6RLV/Sk5lgKWCUvrIJ97Yza156wV/7U4VFj
23 | -----END RSA PRIVATE KEY-----"""
24 | 
25 | VERSION = 5
26 | 
27 | ciph = PKCS1_v1_5.new(RSA.import_key(SPP_PROD_KEY))
28 | sig = PKCS1_v1_5s.new(RSA.import_key(SPP_PROD_KEY))
29 | 
30 | f = open(argv[1], "rb")
31 | ts_data = f.read()
32 | 
33 | aeskey = b"massgrave.dev :3"
34 | hmackey = b"untrustedstore  "
35 | 
36 | enc_aeskey = ciph.encrypt(aeskey)
37 | aeskey_sig = sig.sign(SHA1.new(enc_aeskey))
38 | hmac = HMAC.new(hmackey, ts_data, SHA1)
39 | hmac_sig = hmac.digest()
40 | 
41 | header = VERSION.to_bytes(4, "little") + b"UNTRUSTSTORE" + aeskey_sig + enc_aeskey
42 | data = hmackey + hmac_sig + b"\x00\x00\x00\x00" + ts_data
43 | 
44 | aes = AES.new(aeskey, AES.MODE_CBC, b"\x00" * 16)
45 | encr_data = aes.encrypt(pad(data, AES.block_size))
46 | 
47 | with open(argv[2], "wb") as g:
48 |     g.write(header + encr_data)


--------------------------------------------------------------------------------