@WitherOrNot
WitherOrNot / htpec.md
Created December 2, 2025 04:28
asdasd

Notes

These are very disorganized because I wrote these as I reversed various bits and pieces. If I'm wrong about something, please let me know so I can forget to update this.

Logging

For me this was the Achilles' heel: Crackproof creates a debug log if a certain folder in %temp% is present. The folder name is 12 hex characters long and differs between executables. The easiest way to find it is to break on/hook CreateFileW.

Once you create it, any Crackproofed modules will spit out logs as they unpack. Lines contain status codes indicating roughly what the unpacker is doing at a given time (see below). Lines with additional debug information are also included; sometimes they can be very handy.

from fractions import Fraction
def invert(n):
    if n == 0:
        return None
    return Fraction(1, n)
def solve(r, x):
    if x == 0 or x is None:

Physical Store Private Key Derivation

Background

As described in the TSforge blogpost, the AES key needed to decrypt the physical store's contents is encrypted using an RSA whitebox located in a component known as the blackbox/secure processor (spsys.sys on Windows Vista/7, part of sppsvc.exe on Windows 8+). Luckily, with a debugger and a basic understanding of the math behind RSA, the private key of this whitebox can be easily extracted, allowing exploits like ZeroCID to be carried out on an unmodified system.

SpModExpPrv

In the symbols for spsys.sys in Windows 8 build 7850, the whitebox is named SpModExpPrv. This function only implements plain RSA decryption with a constant private key, and other code is used to implement operations such as padding and RSA encryption.

WitherOrNot / a.md
Last active October 9, 2025 19:15
Disable S Mode without disabling secure boot or using MS account

S Mode Escape

Requirements

  • Access to Administrator-level account
  • Does not require MS account
  • Does not require disabling secure boot

How to Use

WitherOrNot / ios_on_linux.md
Last active October 23, 2025 02:52
Emulate iOS on Linux

Emulate iOS on Linux

This is a set of notes, meant to serve as a companion to the primary instruction set.

Companion VM

Use Arch Boxes basic images for the VM.

For installing dependencies, you can use AUR to install usbmuxd-git and libirecovery-git, then manually build patched idevicerestore.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppExtensions</key>
<dict>
<key>/private/var/staged_system_apps/Shortcuts.app/PlugIns/RunShortcut.appex</key>
<dict>
<key>_executablePath</key>
<string>/private/var/staged_system_apps/Shortcuts.app/PlugIns/RunShortcut.appex/RunShortcut</string>
WitherOrNot / tspkgen.py
Last active November 25, 2025 12:36
Terminal Services License Server ID + License Key Pack generator
from Crypto.Cipher import ARC4
from hashlib import sha1, md5
from random import randint
from ecutils.core import Point, EllipticCurve
from sys import argv
KCHARS = "BCDFGHJKMPQRTVWXY2346789"
SPK_ECKEY = {
    "a": 1,
WitherOrNot / system_applets.csv
Created March 20, 2024 00:13
WiiU System Titles
Title ID Description Notes (?) Versions Region
00050030-10010009 HOME Menu (OSv9) v0 JPN
00050030-10010109 HOME Menu (OSv9) v0 USA
00050030-10010209 HOME Menu (OSv9) v0 EUR
00050030-10011009 Error (OSv9) v0 JPN
00050030-10011109 Error (OSv9) v0 USA
00050030-10011209 Error (OSv9) v0 EUR
00050030-1001000A HOME Menu (OSv10) v0, v24, v35, v72, v84, v116, v117, v129, v151, v153, v169, v180 JPN
00050030-1001010A HOME Menu (OSv10) v0, v24, v35, v72, v84, v116, v117, v129, v151, v153, v169, v180, v197 USA
00050030-1001020A HOME Menu (OSv10) v0, v24, v35, v72, v84, v116, v117, v129, v151, v153, v169, v180 EUR
WitherOrNot / GenerateCIDOffice0307.sage
Last active November 24, 2023 06:43
Office 2K3/2K7 confirmation ID generation (by david4599)
import hashlib
def add_pid_cksum(pid):
    sumPID = 0
    val = pid
    while val != 0:
        sumPID += val % 10
        val //= 10
WitherOrNot / pidgenx.ipynb
Last active February 16, 2025 03:27
PIDGENX validation implementation in SageMath (works on SageMath 9.0)