
#include <stdio.h>
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "bcrypt.lib")
#pragma comment(lib, "ntdll.lib")
typedef struct _FEISTEL64_ROUND_DATA {
DWORD FunctionID;
DWORD Rand0;
@BxOxSxS
BxOxSxS / WhyNotWin11.cmd
Created December 9, 2025 17:48
Simple Script to force Windows 10 Update to recheck Win 11 requirements for offering upgrade. By @lava1879
@echo off
setlocal EnableDelayedExpansion
rem fltmc fails with a non-zero errorlevel when the script is not running elevated
fltmc >nul 2>&1
if errorlevel 1 (
echo This script needs admin rights.
rem Relaunch this script through a UAC prompt, then exit the unelevated instance
powershell -Command "Start-Process cmd -ArgumentList '/c \"%~f0\"' -Verb RunAs"
exit /b
)
@WitherOrNot
WitherOrNot / htpec.md
Last active February 21, 2026 14:35
asdasd

Notes

These are very disorganized because I wrote these as I reversed various bits and pieces. If I'm wrong about something, please let me know so I can forget to update this.

Logging

For me this was the Achilles' heel: Crackproof creates a debug log if a certain folder in %temp% is present. The folder name is 12 hex characters long and differs between executables. The easiest way to find it is to break on/hook CreateFileW.

Once you create it, any Crackproofed modules will spit out logs as they unpack. Lines contain status codes indicating roughly what the unpacker is doing at a given time (see below). Lines with additional debug information are also included; sometimes they can be very handy.

Physical Store Private Key Derivation

Background

As described in the TSforge blogpost, the AES key needed to decrypt the physical store's contents is encrypted using an RSA whitebox located in a component known as the blackbox/secure processor (spsys.sys on Windows Vista/7, part of sppsvc.exe on Windows 8+). Luckily, with a debugger and a basic understanding of the math behind RSA, the private key of this whitebox can be easily extracted, allowing exploits like ZeroCID to be carried out on an unmodified system.

SpModExpPrv

In the symbols for spsys.sys in Windows 8 build 7850, the whitebox is named SpModExpPrv. This function only implements plain RSA decryption with a constant private key, and other code is used to implement operations such as padding and RSA encryption.

@WitherOrNot
WitherOrNot / a.md
Last active February 1, 2026 18:00
Disable S Mode without disabling secure boot or using MS account

S Mode Escape

Requirements

  • Access to Administrator-level account
  • Does not require MS account
  • Does not require disabling secure boot

How to Use