Skip to content

Instantly share code, notes, and snippets.

View WitherOrNot's full-sized avatar
🚱

WitherOrNot

🚱
223 followers · 63 following
View GitHub Profile
@WitherOrNot
WitherOrNot / spp_key_deriv.md
Created September 10, 2025 06:26

Physical Store Private Key Derivation

Background

As described in the TSforge blogpost, the AES key needed to decrypt the physical store's contents is encrypted using an RSA whitebox located in a component known as the blackbox/secure processor (spsys.sys on Windows Vista/7, part of sppsvc.exe on Windows 8+). Luckily, with a debugger and a basic understanding of the math behind RSA, the private key of this whitebox can be easily extracted, allowing exploits like ZeroCID to be carried out on an unmodified system.

SpModExpPrv

In the symbols for spsys.sys in Windows 8 build 7850, the whitebox is named SpModExpPrv. This function only implements plain RSA decryption with a constant private key, and other code is used to implement operations such as padding and RSA encryption.

@WitherOrNot
WitherOrNot / a.md
Last active September 9, 2025 01:25
Disable S Mode without disabling secure boot or using MS account

S Mode Escape

Requirements

  • Access to Administrator-level account
  • Does not require MS account
  • Does not require disabling secure boot

How to Use

@WitherOrNot
WitherOrNot / ios_on_linux.md
Last active June 15, 2025 19:04
Emulate iOS on Linux

Emulate iOS on Linux

This is a set of notes, meant to serve as a companion to the primary instruction set.

Companion VM

Use Arch Boxes basic images for the VM.

For installing dependencies, you can use AUR to install usbmuxd-git and libirecovery-git, then manually build patched idevicerestore.

@WitherOrNot
WitherOrNot / launchd.plist
Last active June 15, 2025 19:04
This file has been truncated, but you can view the full file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppExtensions</key>
<dict>
<key>/private/var/staged_system_apps/Shortcuts.app/PlugIns/RunShortcut.appex</key>
<dict>
<key>_executablePath</key>
<string>/private/var/staged_system_apps/Shortcuts.app/PlugIns/RunShortcut.appex/RunShortcut</string>
@WitherOrNot
WitherOrNot / tspkgen.py
Last active August 20, 2025 07:38
Terminal Services License Server ID + License Key Pack generator
from Crypto.Cipher import ARC4
from hashlib import sha1, md5
from random import randint
from ecutils.core import Point, EllipticCurve
from sys import argv
KCHARS = "BCDFGHJKMPQRTVWXY2346789"
SPK_ECKEY = {
"a": 1,
@WitherOrNot
WitherOrNot / system_applets.csv
Created March 20, 2024 00:13
WiiU System Titles
Title ID Description Notes (?) Versions Region
00050030-10010009 HOME Menu (OSv9) v0 JPN
00050030-10010109 HOME Menu (OSv9) v0 USA
00050030-10010209 HOME Menu (OSv9) v0 EUR
00050030-10011009 Error (OSv9) v0 JPN
00050030-10011109 Error (OSv9) v0 USA
00050030-10011209 Error (OSv9) v0 EUR
00050030-1001000A HOME Menu (OSv10) v0, v24, v35, v72, v84, v116, v117, v129, v151, v153, v169, v180 JPN
00050030-1001010A HOME Menu (OSv10) v0, v24, v35, v72, v84, v116, v117, v129, v151, v153, v169, v180, v197 USA
00050030-1001020A HOME Menu (OSv10) v0, v24, v35, v72, v84, v116, v117, v129, v151, v153, v169, v180 EUR
@WitherOrNot
WitherOrNot / GenerateCIDOffice0307.sage
Last active November 24, 2023 06:43
Office 2K3/2K7 confirmation ID generation (by david4599)
import hashlib
def add_pid_cksum(pid):
sumPID = 0
val = pid
while val != 0:
sumPID += val % 10
val //= 10
@WitherOrNot
WitherOrNot / pidgenx.ipynb
Last active February 16, 2025 03:27
PIDGENX validation implementation in SageMath (works on SageMath 9.0)
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
@WitherOrNot
WitherOrNot / parse_pubkey.py
Last active September 2, 2023 22:24
Parse PIDGENX public keys
from struct import pack, unpack, calcsize
from json import dumps
from os.path import basename
import sys
def readint(f):
return unpack("<I", f.read(4))[0]
def readstc(f, s):
s = "<" + s
@WitherOrNot
WitherOrNot / mpc_index.py
Created August 8, 2023 01:23
index mpcs of office 2007 copies
import re
from glob import glob
from subprocess import run, PIPE
from os.path import basename
from os import remove
from shutil import rmtree
def text_scan(text, pattern, flags=0):
return re.findall(pattern, text, re.MULTILINE | re.IGNORECASE)