Physical Store Private Key Derivation

Background

As described in the TSforge blog post, the AES key needed to decrypt the physical store's contents is encrypted using an RSA whitebox located in a component known as the blackbox/secure processor (spsys.sys on Windows Vista/7, part of sppsvc.exe on Windows 8+). Luckily, with a debugger and a basic understanding of the math behind RSA, the private key of this whitebox can be easily extracted, allowing exploits like ZeroCID to be carried out on an unmodified system.

SpModExpPrv

In the symbols for spsys.sys in Windows 8 build 7850, the whitebox is named SpModExpPrv. This function only implements plain RSA decryption with a constant private key, and other code is used to implement operations such as padding and RSA encryption.

@WitherOrNot
WitherOrNot / tspkgen.py
Last active January 16, 2026 21:09
Terminal Services License Server ID + License Key Pack generator
from Crypto.Cipher import ARC4
from hashlib import sha1, md5
from random import randint
from ecutils.core import Point, EllipticCurve
from sys import argv
KCHARS = "BCDFGHJKMPQRTVWXY2346789"
SPK_ECKEY = {
"a": 1,
@WitherOrNot
WitherOrNot / pidgenx.ipynb
Last active February 16, 2025 03:27
PIDGENX validation implementation in SageMath (works on SageMath 9.0)