TSforge: Reverse Engineering the Windows Software Protection Platform

massgrave.dev

66 points by fraXis 10 months ago · 3 comments

mmastrac 10 months ago

Looks like this is the private key. They only had the image in the blog post, but the source on GitHub has an RSA CAPI blob that has a well-known format, and I was able to get p and q from that and then rebuild the rest:

   >>> p 11318534160529108036253485236383567956736051114291832384964860497483944138627767735644927194447604146200949263506648764691264005869856504888238541661669931
   >>> q 13382005616182000286249448571069734158379697330449348896524695032496827828874510151220386742349656465839102989731103334890387932783643584970264741776141819
This key appears to match the text in the image:

  openssl asn1parse -in /tmp/key.pem

    0:d=0  hl=4 l= 605 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=3 l= 129 prim: INTEGER           :D7B160408B97D92ED82159FC3C878DFAA00DA38FD351B57C087E53CDB5F0996A385952389E956A23834D85156C3F420280CA6A9758E0026EF97590C13D3CD14C28FE362D035C8BE4E96865A3F0A52BF7E96543B739143D566044DDC5DE41001E8605655142333A61B811E3F58BDD4F0867F93BB2386B2612D85790523FBA8729
  139:d=1  hl=2 l=   3 prim: INTEGER           :010001
  144:d=1  hl=3 l= 129 prim: INTEGER           :BF384481D47FD18E6313E647E58DB3846EA2C8CFB863A706882D1EB4AFC8D6E9C17D0694A59B0716E6D031DD15335B9D067AED56B1F71E912DDD5970C78E8469638DAC1D37527AF6CBCA74611F2E093A663C18FC82B547E96170D9BAEB0ABB94666E6C792CFAFE1B7E8220354E8F4B2AD582E3142B2088648F5498D2D72126D5
  276:d=1  hl=2 l=  65 prim: INTEGER           :D81BD7B0CEC1C89C75DD4823990208A1824B8A1689C7147B5485D91BB938439204F3DB5253136A80FAFF285E4C94E05CE14D5ADCB7E457B13CCC50B5606E0A2B
  343:d=1  hl=2 l=  65 prim: INTEGER           :FF81E183CEFBADB7DEB77F51AEF74325D5000A75AD8FD90FF2D89DF57FC79B5EC3A1EEB4320A0DE0F043E1409E96CE1FA7BA3330446929F64B18A7472EA72DFB
  410:d=1  hl=2 l=  64 prim: INTEGER           :02B5E6B0AB073732EF2F85561CF72F908707D7858CD8D862EB9E7A28A4DC15CCE10F05F334638BF46E31811A1DAFC858A1E2CC7EF43782FA101F27EBFE77A2DD
  476:d=1  hl=2 l=  64 prim: INTEGER           :5850101E7AE04ABF0EDFE5C5D9EFE4E9A2A18CFBF7AD8C9D129704A1E2349FE33543373A59415862B32903264EAA593C5FC0E00882DCC680369CA2D4DBAF3519
  542:d=1  hl=2 l=  65 prim: INTEGER           :ABF8B04532E034E5EF74D43C0BDB874C42C1EC77720369769FF990489A0F8CEB46874AB9651BA44B57F4A4E6580A58252FAC827DED8CDAD79EB057FED4E15163
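
Added example (not part of the comment above, and not code from the TSforge project): a key stored as a CAPI RSA PRIVATEKEYBLOB is fully recoverable by anyone who can read the bytes, because the layout is fixed and p, q and e determine every other field. The function names and the 32-bit toy key are assumptions constructed for illustration.

```python
import struct

PRIVATEKEYBLOB, RSA2_MAGIC = 0x07, 0x32415352  # bType value and the "RSA2" magic

def _fields(bitlen):
    # Field order after the 20-byte header; every integer is little-endian.
    full, half = bitlen // 8, bitlen // 16
    return [("n", full), ("p", half), ("q", half), ("dp", half),
            ("dq", half), ("qinv", half), ("d", full)]

def parse_capi_private_blob(blob: bytes) -> dict:
    """Read every integer stored in a CAPI RSA PRIVATEKEYBLOB."""
    if len(blob) < 20:
        raise ValueError("blob truncated")
    b_type, _ver, _rsvd, _alg, magic, bitlen, e = struct.unpack_from("<BBHIIII", blob)
    if b_type != PRIVATEKEYBLOB or magic != RSA2_MAGIC:
        raise ValueError("not an RSA PRIVATEKEYBLOB")
    if len(blob) < 20 + sum(size for _, size in _fields(bitlen)):
        raise ValueError("blob truncated")
    out, off = {"e": e}, 20
    for name, size in _fields(bitlen):
        out[name] = int.from_bytes(blob[off:off + size], "little")
        off += size
    return out

def rebuild_from_primes(p: int, q: int, e: int) -> dict:
    """Recompute the remaining private-key fields from p, q and e alone."""
    d = pow(e, -1, (p - 1) * (q - 1))  # a real blob may store d mod lcm(p-1, q-1) instead
    return {"e": e, "n": p * q, "p": p, "q": q, "dp": d % (p - 1),
            "dq": d % (q - 1), "qinv": pow(q, -1, p), "d": d}

def build_blob(key: dict, bitlen: int) -> bytes:
    """Serialize a key into the same layout; used only to make the constructed sample."""
    hdr = struct.pack("<BBHIIII", PRIVATEKEYBLOB, 0x02, 0, 0x0000A400,
                      RSA2_MAGIC, bitlen, key["e"])
    return hdr + b"".join(key[k].to_bytes(size, "little") for k, size in _fields(bitlen))

if __name__ == "__main__":
    # Constructed 32-bit toy key (not a real key): two 16-bit primes, e = 65537.
    sample = build_blob(rebuild_from_primes(65521, 65519, 65537), 32)
    stored = parse_capi_private_blob(sample)
    rebuilt = rebuild_from_primes(stored["p"], stored["q"], stored["e"])
    print("rebuilt fields match stored fields:", rebuilt == stored)
```
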
ChocolateGod 10 months ago

I recall a former Microsoft employee stating that outside of enterprise, Microsoft has stopped caring about pirated copies of Windows.

It's easy to believe given HWID, give or take, has worked since the release of Windows 10.