TSforge: Reverse Engineering the Windows Software Protection Platform

  • Looks like this is the private key. They only had the image in the blog post, but the source on github has an RSA CAPI blob that has a well-known format, and I was able to get p and q from that and then rebuild the rest:

       >>> p 11318534160529108036253485236383567956736051114291832384964860497483944138627767735644927194447604146200949263506648764691264005869856504888238541661669931
       >>> q 13382005616182000286249448571069734158379697330449348896524695032496827828874510151220386742349656465839102989731103334890387932783643584970264741776141819
    
    This key appears to match the text in the image:

      openssl asn1parse -in /tmp/key.pem
    
        0:d=0  hl=4 l= 605 cons: SEQUENCE
        4:d=1  hl=2 l=   1 prim: INTEGER           :00
        7:d=1  hl=3 l= 129 prim: INTEGER           :D7B160408B97D92ED82159FC3C878DFAA00DA38FD351B57C087E53CDB5F0996A385952389E956A23834D85156C3F420280CA6A9758E0026EF97590C13D3CD14C28FE362D035C8BE4E96865A3F0A52BF7E96543B739143D566044DDC5DE41001E8605655142333A61B811E3F58BDD4F0867F93BB2386B2612D85790523FBA8729
      139:d=1  hl=2 l=   3 prim: INTEGER           :010001
      144:d=1  hl=3 l= 129 prim: INTEGER           :BF384481D47FD18E6313E647E58DB3846EA2C8CFB863A706882D1EB4AFC8D6E9C17D0694A59B0716E6D031DD15335B9D067AED56B1F71E912DDD5970C78E8469638DAC1D37527AF6CBCA74611F2E093A663C18FC82B547E96170D9BAEB0ABB94666E6C792CFAFE1B7E8220354E8F4B2AD582E3142B2088648F5498D2D72126D5
      276:d=1  hl=2 l=  65 prim: INTEGER           :D81BD7B0CEC1C89C75DD4823990208A1824B8A1689C7147B5485D91BB938439204F3DB5253136A80FAFF285E4C94E05CE14D5ADCB7E457B13CCC50B5606E0A2B
      343:d=1  hl=2 l=  65 prim: INTEGER           :FF81E183CEFBADB7DEB77F51AEF74325D5000A75AD8FD90FF2D89DF57FC79B5EC3A1EEB4320A0DE0F043E1409E96CE1FA7BA3330446929F64B18A7472EA72DFB
      410:d=1  hl=2 l=  64 prim: INTEGER           :02B5E6B0AB073732EF2F85561CF72F908707D7858CD8D862EB9E7A28A4DC15CCE10F05F334638BF46E31811A1DAFC858A1E2CC7EF43782FA101F27EBFE77A2DD
      476:d=1  hl=2 l=  64 prim: INTEGER           :5850101E7AE04ABF0EDFE5C5D9EFE4E9A2A18CFBF7AD8C9D129704A1E2349FE33543373A59415862B32903264EAA593C5FC0E00882DCC680369CA2D4DBAF3519
      542:d=1  hl=2 l=  65 prim: INTEGER           :ABF8B04532E034E5EF74D43C0BDB874C42C1EC77720369769FF990489A0F8CEB46874AB9651BA44B57F4A4E6580A58252FAC827DED8CDAD79EB057FED4E15163
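
The "rebuild the rest from p and q" step in the comment above is standard RSA arithmetic, and the CryptoAPI PRIVATEKEYBLOB layout it mentions is documented by Microsoft ("RSA/Schannel Key BLOBs"). The following is an added example, not the commenter's script and not TSforge code: it encodes and parses that blob layout and shows that p, q and e alone are enough to recover d, dp, dq and the CRT coefficient. It uses two constructed 32-bit toy primes (`P_DEMO`, `Q_DEMO`) rather than the key material quoted in the thread; the function names are this example's own.

```python
"""Parse and rebuild a CryptoAPI RSA PRIVATEKEYBLOB from its primes.

Layout per Microsoft's "RSA/Schannel Key BLOBs" documentation, all integers
little-endian (added example; constructed toy key, not the thread's key):
  PUBLICKEYSTRUC  bType=0x07 (PRIVATEKEYBLOB), bVersion=0x02, reserved, aiKeyAlg
  RSAPUBKEY       magic 'RSA2', bitlen, pubexp
  modulus[bitlen/8] prime1[bitlen/16] prime2[bitlen/16] exponent1[bitlen/16]
  exponent2[bitlen/16] coefficient[bitlen/16] privateExponent[bitlen/8]
"""
import struct
from dataclasses import dataclass

PRIVATEKEYBLOB = 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA2_MAGIC = 0x32415352          # b"RSA2" read as a little-endian DWORD
HEADER_LEN = 8 + 12              # PUBLICKEYSTRUC + RSAPUBKEY

# Constructed 32-bit demo primes (2**32 - 5 and 2**32 - 17); NOT a real key.
P_DEMO = 4294967291
Q_DEMO = 4294967279


@dataclass
class RsaPrivateKey:
    n: int
    e: int
    d: int
    p: int
    q: int
    dp: int      # d mod (p-1)   -> CAPI "exponent1"
    dq: int      # d mod (q-1)   -> CAPI "exponent2"
    qinv: int    # q^-1 mod p    -> CAPI "coefficient"


def rsa_from_primes(p: int, q: int, e: int = 65537) -> RsaPrivateKey:
    """Rebuild the full CRT parameter set from only (p, q, e)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return RsaPrivateKey(n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))


def encode_capi_blob(key: RsaPrivateKey) -> bytes:
    """Serialize a key in PRIVATEKEYBLOB layout (little-endian fields)."""
    bitlen = key.n.bit_length()
    if bitlen % 16:
        raise ValueError("CAPI blobs need a modulus size that is a multiple of 16 bits")
    full, half = bitlen // 8, bitlen // 16
    le = lambda v, size: v.to_bytes(size, "little")
    header = struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA2_MAGIC, bitlen, key.e)
    return (header + rsapubkey + le(key.n, full) + le(key.p, half) + le(key.q, half)
            + le(key.dp, half) + le(key.dq, half) + le(key.qinv, half) + le(key.d, full))


def parse_capi_blob(blob: bytes) -> RsaPrivateKey:
    """Parse a PRIVATEKEYBLOB, validating header, magic and total length."""
    btype, version, _reserved, _alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PRIVATEKEYBLOB or version != CUR_BLOB_VERSION:
        raise ValueError("not a CryptoAPI PRIVATEKEYBLOB")
    magic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if magic != RSA2_MAGIC:
        raise ValueError("not an RSA private key blob (expected magic 'RSA2')")
    full, half = bitlen // 8, bitlen // 16
    expected = HEADER_LEN + 2 * full + 5 * half
    if len(blob) != expected:
        raise ValueError(f"blob length {len(blob)} != expected {expected} for {bitlen}-bit key")
    pos, fields = HEADER_LEN, []
    for size in (full, half, half, half, half, half, full):
        fields.append(int.from_bytes(blob[pos:pos + size], "little"))
        pos += size
    n, p, q, dp, dq, qinv, d = fields
    return RsaPrivateKey(n, e, d, p, q, dp, dq, qinv)


def rebuild_from_blob_primes(blob: bytes):
    """Mirror the comment: take only p, q, e from the blob, derive everything else,
    and report whether the derived set matches what the blob itself carries."""
    parsed = parse_capi_blob(blob)
    rebuilt = rsa_from_primes(parsed.p, parsed.q, parsed.e)
    return rebuilt, rebuilt == parsed


def demo():
    key = rsa_from_primes(P_DEMO, Q_DEMO)
    blob = encode_capi_blob(key)
    rebuilt, match = rebuild_from_blob_primes(blob)
    m = 0x1234567890ABCDEF % key.n                      # constructed test message
    roundtrip = pow(pow(m, key.e, key.n), rebuilt.d, key.n) == m
    return match, roundtrip, len(blob)


if __name__ == "__main__":
    print(demo())
```

The length check matters when walking a blob pulled out of a source tree: a PRIVATEKEYBLOB's size is fully determined by `bitlen`, so a mismatch is the quickest sign that the bytes are not what they appear to be (a public-only `RSA1` blob, a truncated dump, or an unrelated structure).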

  • I recall a former Microsoft employee stating that outside of enterprise Microsoft has stopped caring about pirated copies of Windows.

    It's easy to believe given HWID give or take has worked since the release of Windows 10.