Merge pull request #10 from LukeFZ/dev

LukeFZ · web-flow · commit 66d54e72f193 · 2025-02-25T01:25:26.000+01:00
Update to .NET 8 + Support 24H2
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        dotnet-version: [ '6.0.x' ]
+        dotnet-version: [ '8.0.x' ]
         rid: ['win-x64']
 
     steps:
diff --git a/CikExtractor/CikExtractor.csproj b/CikExtractor/CikExtractor.csproj
@@ -2,16 +2,16 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net6.0-windows</TargetFramework>
+    <TargetFramework>net8.0-windows7.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="BouncyCastle.Cryptography" Version="2.2.1" />
-    <PackageReference Include="Registry" Version="1.3.4" />
-    <PackageReference Include="Spectre.Console.Cli" Version="0.47.1-preview.0.11" />
-    <PackageReference Include="System.Management" Version="6.0.0" />
+    <PackageReference Include="BouncyCastle.Cryptography" Version="2.5.1" />
+    <PackageReference Include="Registry" Version="1.5.0" />
+    <PackageReference Include="Spectre.Console.Cli" Version="0.49.2-preview.0.75" />
+    <PackageReference Include="System.Management" Version="9.0.2" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/CikExtractor/Emulation/clep_vault.py b/CikExtractor/Emulation/clep_vault.py
@@ -7,105 +7,156 @@
 
 import argparse
 
+
 @winsdkapi(cc=STDCALL)
 def hook_chkstk(ql, addr, params):
-	return ql.arch.regs.rax
+    return ql.arch.regs.rax
+
 
 def parse_args():
-	parser = argparse.ArgumentParser(description="decrypts a ClepV4 encrypted device key.")
-	parser.add_argument("--license", required=True, help="base64 encoded encrypted device license (Required length: 4094)")
-	parser.add_argument("--smbios", required=True, help="base64 encoded SMBIOS system struct.")
-	parser.add_argument("--driveser", required=True, help="base64 encoded null-terminated root drive serial number.")
-	args = parser.parse_args()
-	return (args.license, args.smbios, args.driveser)
-
-if __name__ == '__main__':
-	enc_license_b64, smbios_b64, driveser_b64 = parse_args()
-	encrypted_device_license = b64decode(enc_license_b64)
-	smbiosSystem = b64decode(smbios_b64)
-	driveSer = b64decode(driveser_b64)
-
-	assert len(encrypted_device_license) == 4094, "Error: Encrypted Device License length mismatch. (Expected: 4094)"
-
-	max_smbios = 256
-	max_driveser = 64
-	max_tpminfo = 901
-
-	if (len(smbiosSystem) > max_smbios):
-		smbiosSystem = smbiosSystem[:max_smbios]
-
-	if (len(driveSer) > max_driveser):
-		driveSer = driveSer[:max_driveser]
-
-	ql = Qiling(["./clipsp.sys"], ".\\x8664_windows", libcache=True, console=False)
-
-	ql.os.set_api("__chkstk", hook_chkstk)
-
-	clep_vault_func_pattern = b"\x4C\x8B\xDC\x49\x89\x4B\x08"
-	clep_vault_size = 0x4e
-	clep_vault_func = ql.mem.search(clep_vault_func_pattern, begin=0x1c0000000, end=0x1d0000000)[0]
-	if clep_vault_func is None:
-		print("Error: Failed to find vault function using pattern.")
-		exit()
-
-	# Gets the cached request memory location through a bit of trickery:
-	# Basically pattern matching a part of a vault function, navigating to the lea request opcode, then reading the operand for the offset
-	clep_request_pattern = b"\xC6\x45\x00\x19\x8A\x45\x00\x8B\x04\x24\x48\x83\xEC\x10\x8B\x04\x24\x8B\x04\x24\x48\x83\xEC\x50\x48\x8D\x4C\x24\x20\x8B\x01\x41\x0F\x10\x02\x33\xC0\x48\x8D\x59\x0F\x48\x83\xE3\xF0\xF3\x0F\x7F\x43\x28"
-	clep_request_opcode_offset = 0x4e # actually 0x4b, but + 3 to get the operand directly
-	clep_request_func = ql.mem.search(clep_request_pattern, begin=0x1c0000000, end=0x1d0000000)[0]
-	if clep_request_func is None:
-		print("Error: Failed to find request function using pattern.")
-		exit()
-
-	clep_request_opcode = clep_request_func + clep_request_opcode_offset
-	clep_request_ptr_offset = struct.unpack("<I", ql.mem.read(clep_request_opcode, 4))[0]
-	clep_request_ptr = clep_request_opcode + clep_request_ptr_offset + 4 # To offset the operand size
-
-	req_version = clep_request_ptr
-	req_smbios = req_version + 4
-	req_driveser = req_smbios + max_smbios
-	req_tpmstatus = req_driveser + max_driveser
-	req_tpminfo = req_tpmstatus + 1
-	req_istogo = req_tpminfo + max_tpminfo
-	req_debuggerEnabled = req_istogo + 1
-	req_debuggerAttached = req_debuggerEnabled + 4
-	req_remdata = req_debuggerAttached + 4
-
-	ql.mem.write(req_version, struct.pack("<I", 0x4))
-	ql.mem.write(req_smbios, smbiosSystem)
-	ql.mem.write(req_driveser, driveSer)
-
-	ql.mem.write(req_tpmstatus, struct.pack("<B", 0x0))
-	ql.mem.write(req_istogo, struct.pack("<B", 0x0))
-
-	ql.mem.write(req_debuggerEnabled, struct.pack("<I", 0x7ffe02d4))
-	ql.mem.write(req_debuggerAttached, struct.pack("<I", 0x7ffe02d4))
-
-	try:
-		ql.os.KUSER_SHARED_DATA
-	except:
-		# We are running in a Qiling version that does not have KUSER_SHARED_DATA, set debugger var manually
-		ql.mem.map(0x7ffe02d4 // 4096*4096, 4096)
-		ql.mem.write(0x7ffe02d4, struct.pack("<I", 0x00000010)) # 0x0 - Debugger not enabled | 0x10 - Debugger not attached
-
-	pb_secret = ql.os.heap.alloc(32)
-	license_buffer = ql.os.heap.alloc(len(encrypted_device_license))
-	ql.mem.write(license_buffer, encrypted_device_license)
-
-	# sp_cache = 0x1C0043600 --- If needed this could also be done through pattern matching, but we can just use our own buffer
-	sp_cache = ql.os.heap.alloc(64)
-
-	#clep_vault_v4_begin = 0x1C000B234
-	#clep_vault_v4_end = 0x1C000B282
-
-	ql.arch.regs.rcx = 0x0
-	ql.arch.regs.rdx = license_buffer + 4
-	ql.arch.regs.r8 = pb_secret
-	ql.arch.regs.r9 = license_buffer + 516
-
-	ql.stack_write(0x30, sp_cache)
-
-	ql.run(begin=clep_vault_func, end=clep_vault_func + clep_vault_size)
-
-	buffer = ql.mem.read(pb_secret, 16)
-	print(binascii.hexlify(buffer).decode("utf-8"))
+    parser = argparse.ArgumentParser(
+        description="decrypts a ClepV4 encrypted device key."
+    )
+    parser.add_argument(
+        "--license",
+        required=True,
+        help="base64 encoded encrypted device license (Required length: 4094)",
+    )
+    parser.add_argument(
+        "--smbios", required=True, help="base64 encoded SMBIOS system struct."
+    )
+    parser.add_argument(
+        "--driveser",
+        required=True,
+        help="base64 encoded null-terminated root drive serial number.",
+    )
+    args = parser.parse_args()
+    return (args.license, args.smbios, args.driveser)
+
+
+if __name__ == "__main__":
+    enc_license_b64, smbios_b64, driveser_b64 = parse_args()
+    encrypted_device_license = b64decode(enc_license_b64)
+    smbiosSystem = b64decode(smbios_b64)
+    driveSer = b64decode(driveser_b64)
+
+    assert len(encrypted_device_license) == 4094, (
+        "Error: Encrypted Device License length mismatch. (Expected: 4094)"
+    )
+
+    max_smbios = 256
+    max_driveser = 64
+    max_tpminfo = 901
+
+    if len(smbiosSystem) > max_smbios:
+        smbiosSystem = smbiosSystem[:max_smbios]
+
+    if len(driveSer) > max_driveser:
+        driveSer = driveSer[:max_driveser]
+
+    ql = Qiling(["./clipsp.sys"], ".\\x8664_windows", libcache=True, console=False)
+
+    ql.os.set_api("__chkstk", hook_chkstk)
+
+    clep_vault_func_pattern = b"\x4c\x8b\xdc\x49\x89\x4b\x08"
+    clep_vault_size = 0x4E
+    clep_vault_func = ql.mem.search(
+        clep_vault_func_pattern, begin=0x1C0000000, end=0x1D0000000
+    )[0]
+    if clep_vault_func is None:
+        print("Error: Failed to find vault function using pattern.")
+        exit()
+
+    # Gets the cached request memory location through a bit of trickery:
+    # Basically pattern matching a part of a vault function, navigating to the lea request opcode, then reading the operand for the offset
+    # tuple of (pattern, offset to address)
+    patterns_to_try = [
+        # actually 0x4b, but + 3 to get the operand directly
+        (
+            b"\xc6\x45\x00\x19\x8a\x45\x00\x8b\x04\x24\x48\x83\xec\x10\x8b\x04\x24\x8b\x04\x24\x48\x83\xec\x50\x48\x8d\x4c\x24\x20\x8b\x01\x41\x0f\x10\x02\x33\xc0\x48\x8d\x59\x0f\x48\x83\xe3\xf0\xf3\x0f\x7f\x43\x28",
+            0x4E,
+        ),
+        (b"\xc6\x45\x00\x19\x0f\xb6\x45", 0x50),
+    ]
+
+    clep_request_ptr = 0
+
+    for pattern, offset in patterns_to_try:
+        results = ql.mem.search(pattern, begin=0x1C0000000, end=0x1D0000000)
+        if len(results) == 0:
+            continue
+
+        if len(results) != 1:
+            print(
+                "Error: Ambiguous request function references found: "
+                + str(hex(x) for x in results)
+            )
+            continue
+
+        clep_request_opcode = results[0] + offset
+        clep_request_ptr_offset = struct.unpack(
+            "<I", ql.mem.read(clep_request_opcode, 4)
+        )[0]
+
+        clep_request_ptr = (
+            clep_request_opcode + clep_request_ptr_offset + 4
+        )  # To offset the operand size
+
+        break
+
+    if clep_request_ptr == 0:
+        print("Error: Failed to find request location using pattern.")
+        exit()
+
+    req_version = clep_request_ptr
+    req_smbios = req_version + 4
+    req_driveser = req_smbios + max_smbios
+    req_tpmstatus = req_driveser + max_driveser
+    req_tpminfo = req_tpmstatus + 1
+    req_istogo = req_tpminfo + max_tpminfo
+    req_debuggerEnabled = req_istogo + 1
+    req_debuggerAttached = req_debuggerEnabled + 4
+    req_remdata = req_debuggerAttached + 4
+
+    ql.mem.write(req_version, struct.pack("<I", 0x4))
+    ql.mem.write(req_smbios, smbiosSystem)
+    ql.mem.write(req_driveser, driveSer)
+
+    ql.mem.write(req_tpmstatus, struct.pack("<B", 0x0))
+    ql.mem.write(req_istogo, struct.pack("<B", 0x0))
+
+    ki_debugger_addr = 0x7FFE02D4
+
+    ql.mem.write(req_debuggerEnabled, struct.pack("<I", ki_debugger_addr))
+    ql.mem.write(req_debuggerAttached, struct.pack("<I", ki_debugger_addr))
+
+    try:
+        ql.os.KUSER_SHARED_DATA
+    except Exception:
+        # We are running in a Qiling version that does not have KUSER_SHARED_DATA, set debugger var manually
+        ql.mem.map(ki_debugger_addr // 4096 * 4096, 4096)
+        ql.mem.write(
+            ki_debugger_addr, struct.pack("<I", 0x00000010)
+        )  # 0x0 - Debugger not enabled | 0x10 - Debugger not attached
+
+    pb_secret = ql.os.heap.alloc(32)
+    license_buffer = ql.os.heap.alloc(len(encrypted_device_license))
+    ql.mem.write(license_buffer, encrypted_device_license)
+
+    # sp_cache = 0x1C0043600 --- If needed this could also be done through pattern matching, but we can just use our own buffer
+    sp_cache = ql.os.heap.alloc(64)
+
+    # clep_vault_v4_begin = 0x1C000B234
+    # clep_vault_v4_end = 0x1C000B282
+
+    ql.arch.regs.rcx = 0x0
+    ql.arch.regs.rdx = license_buffer + 4
+    ql.arch.regs.r8 = pb_secret
+    ql.arch.regs.r9 = license_buffer + 516
+
+    ql.stack_write(0x30, sp_cache)
+
+    ql.run(begin=clep_vault_func, end=clep_vault_func + clep_vault_size)
+
+    buffer = ql.mem.read(pb_secret, 16)
+    print(binascii.hexlify(buffer).decode("utf-8"))
