Making public so other people can save the time I wasted. It may apply to other similar boards/PCs with 2011-ish era AMI BIOS as well.
Both guides here need a dump of BIOS ROM.
Same as this guide: https://gist.github.com/en4rab/550880c099b5194fbbf3039e3c8ab6fd
| Name | Min Service Pack | Max Service Pack | BINK | Start | End | Type | Days to Activate | Days Evaluation | |
|---|---|---|---|---|---|---|---|---|---|
| Windows Compute Cluster Server 2003 | 1 | ? | 64 | 1000000 | 1999999 | Evaluation | 14 | 185 | |
| Windows Compute Cluster Server 2003 | 1 | ? | 64 | 2000000 | 2499999 | Evaluation | 14 | 185 | |
| Windows Compute Cluster Server 2003 | 1 | ? | 64 | 2500000 | 2999999 | Evaluation | 14 | 185 | |
| Windows Compute Cluster Server 2003 | 1 | ? | 6A | 5000000 | 14999999 | Evaluation | 14 | 185 | |
| Windows Compute Cluster Server 2003 | 1 | ? | 6A | 101000000 | 110999999 | Evaluation | 14 | 185 | |
| Windows Compute Cluster Server 2003 | 1 | ? | 6A | 112000000 | 113999999 | Evaluation | 120 | 60 | |
| Windows Compute Cluster Server 2003 | 1 | ? | 6A | 114000000 | 133999999 | Evaluation | 14 | 185 | |
| Windows Compute Cluster Server 2003 | 1 | ? | 6A | 134000000 | 135999999 | Evaluation | 120 | 60 | |
| Windows Compute Cluster Server 2003 | 1 | ? | 6A | 136000000 | 145999999 | Evaluation | 14 | 185 |
| from sys import argv | |
| from x64dbg_automate import X64DbgClient | |
| client = X64DbgClient(argv[1]) | |
| client.attach_session(X64DbgClient.list_sessions()[0].pid) | |
| base_addr = client.eval_sync(argv[2])[0] | |
| start_rva = int(argv[3], 16) | |
| end_rva = start_rva + int(argv[4], 16) |
| import subprocess | |
| import tempfile | |
| import struct | |
| import zlib | |
| import sys | |
| import os | |
| import csv | |
| from pydantic import BaseModel | |
| from pydantic.dataclasses import dataclass |
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <winternl.h> | |
| #pragma comment(lib, "bcrypt.lib") | |
| #pragma comment(lib, "ntdll.lib") | |
| typedef struct _FEISTEL64_ROUND_DATA { | |
| DWORD FunctionID; | |
| DWORD Rand0; |
These are very disorganized because I wrote these as I reversed various bits and pieces. If I'm wrong about something, please let me know so I can forget to update this.
For me this was the Achilles' heel, Crackproof creates a debug log if a certain folder in %temp% is present. The folder name is 12 hex characters long, and different between executables. The easiest way to find it is to break on/hook CreateFileW.
Once you create it, any Crackproofed modules will spit out logs as they unpack. Lines contain status codes, indicating roughly what the unpacker is doing at a given time (see below). Lines with additional debug information are also included, sometimes they can be very handy.
| from fractions import Fraction | |
| def invert(n): | |
| if n == 0: | |
| return None | |
| return Fraction(1, n) | |
| def solve(r, x): | |
| if x == 0 or x is None: |
As described in the TSforge blogpost, the AES key needed to decrypt the physical store's contents is encrypted using an RSA whitebox located in a component known as the blackbox/secure processor (spsys.sys on Windows Vista/7, part of sppsvc.exe on Windows 8+). Luckily, with a debugger and a basic understanding of the math behind RSA, the private key of this whitebox can be easily extracted, allowing exploits like ZeroCID to be carried out on an unmodified system.
In the symbols for spsys.sys in Windows 8 build 7850, the whitebox is named SpModExpPrv. This function only implements plain RSA decryption with a constant private key, and other code is used to implement operations such as padding and RSA encryption.
This is a set of notes, meant to serve as a companion to the primary instruction set.
Use Arch Boxes basic images for the VM.
For installing dependencies, you can use AUR to install usbmuxd-git and libirecovery-git, then manually build patched idevicerestore.
