Skip to content

Instantly share code, notes, and snippets.

@Reisyukaku
Last active April 14, 2018 13:19
Show Gist options
  • Save Reisyukaku/012fd524f1597377d2b916eba773f280 to your computer and use it in GitHub Desktop.
Save Reisyukaku/012fd524f1597377d2b916eba773f280 to your computer and use it in GitHub Desktop.
Dump ClCert+Privk
var bufPrivk = sc.malloc(0x134);
var bufCert = sc.malloc(0x804);
var bufOut = sc.malloc(0x100);
sc.ipcMsg(16).bDescriptor(bufPrivk, 0x134, 0).sendTo('set:cal').assertOk(); //set:cal#GetSslKey
utils.log('Obtained SSL key.');
sc.ipcMsg(17).bDescriptor(bufCert, 0x804, 0).sendTo('set:cal').assertOk(); //set:cal#GetSslCert
utils.log('Obtained SSL cert.');
sc.memdump(utils.add2(bufCert, 4), 0x800, 'clcert.der');
var keyx = sc.ipcMsg(2).data([0x84b05b7f, 0x67aa257b], [0xe24bc8fa, 0x03697b3d], [0, 0x20]).sendTo('spl:').assertOk().dataBuffer; //spl:#GenerateAesKek
utils.log('Generated KEK (KeyX)');
var dec = sc.ipcMsg(13).xDescriptor(utils.add2(bufPrivk, 4), 0x130, 1).cDescriptor(bufOut, 0x100).data([keyx[0], keyx[1]], [keyx[2], keyx[3]], [0xF43B389A, 0x81BDD031], [0xA94B5332, 0xE37D3964], [1]); //spl:#DecryptPrivk
dec.packed = dec.pack();
dec.packed[0x4 >> 2] = 0xC12;
dec.packed[0x48 >> 2] = 0;
dec.packed[0x4C >> 2] = 0;
dec.packed[0x54 >> 2] = 0x100;
dec.packed[0x58 >> 2] = (bufOut[0])
dec.packed[0x5C >> 2] = (bufOut[1] & 0xFFFF) | (0x100 << 16)
sc.ipcBuf.set(dec.packed); //Thanks to SciresM for help with cDescriptor meme hell
dec = dec.sendTo('spl:');
dec.show();
utils.log('Decrypted key!');
sc.memdump(bufOut, 0x130, 'privk.bin');
sc.free(bufPrivk);
sc.free(bufCert);
sc.free(bufOut);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment