@Wunkolo
Last active December 30, 2015 03:24
Sai2 notes

Binary arithmetic mask: 0x00010001

Decrypt constant:

80 00 << Size (128 bytes)
31 ints

Gets multiplied by itself

63 ints
(operand)
31 ints

Division 63 int / (operand)

(result)
31 ints

Process

Square and divide by static key.

BigInts seem to be a total of 528(0x210) bytes


#OLD

Key Info

00 04 << Size
00 01 00 01

0x01000100 1000000010000b

Highest bit set is 16 - 1. Acts as a bitflag. For every 0 bit it will skip the secondary Mult and ?Operation.

"Round mask": most significant bit (usually 16 - 1) defines how many times to run. Last bit set to 1 defines that the license but should be multiplied against the buffer now.

Possibly loops by 16 times
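The round-mask behaviour noted above (square on every round, do the second multiply only for 1 bits, reduce by a fixed constant each time) matches left-to-right square-and-multiply modular exponentiation. The sketch below is an added example, not code from Sai2 or from these notes; it assumes the mask is the exponent, and the modulus and input are small constructed values rather than anything from the page.

```python
# Added illustration: mask-driven square-and-multiply.
# Assumption: the "round mask" is the exponent of a modular exponentiation.

ROUND_MASK = 0x00010001                   # mask value quoted in the notes
CONSTRUCTED_MODULUS = 1000003 * 998244353  # constructed sample, not the real constant
CONSTRUCTED_INPUT = 0x1234567              # constructed sample input


def masked_modexp(base, mask, modulus):
    """Return (result, squarings, multiplies) for base**mask mod modulus.

    The highest set bit of the mask only decides how many rounds run.
    Each round squares and reduces; the extra multiply by the original
    input happens only when the current mask bit is 1.
    """
    if modulus <= 1:
        raise ValueError("modulus must be greater than 1")
    if mask <= 0:
        raise ValueError("mask must have at least one bit set")

    acc = base % modulus
    squarings = multiplies = 0
    top_bit = mask.bit_length() - 1        # 16 for 0x00010001

    for bit in range(top_bit - 1, -1, -1):
        acc = (acc * acc) % modulus        # "square and divide by static key"
        squarings += 1
        if (mask >> bit) & 1:              # 0 bits skip the secondary multiply
            acc = (acc * base) % modulus
            multiplies += 1
    return acc, squarings, multiplies


if __name__ == "__main__":
    result, sq, mul = masked_modexp(CONSTRUCTED_INPUT, ROUND_MASK,
                                    CONSTRUCTED_MODULUS)
    print(f"result={result:#x} squarings={sq} multiplies={mul}")
```

With mask 0x00010001 the loop runs 16 rounds and performs the extra multiply only on the last one, which lines up with the "loops by 16 times" observation.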

Size: 0x0080 (128 integers)

80 00 << Size

Int Buffers

Field | Offset | Size
--- | --- | ---
Size | 0x0 | 0x4
Data | 0x4 | 128 (integers)

Large IntArray buffers are 512 bytes in size (128 integers) + 1 (for size).

Header = size (in ints) - 1

Data = (size + 1) * 4

GetSystemFirmwareTablePRoc('RSMB', 0, result, v4)

IV xor key?

ShortBuffers

Field | Offset | Size
--- | --- | ---
Size | 0x0 | 0x2
Data | 0x2 | Size

Notes

Haley License Key


Decrypted Haley License Key

00000001 3229C576 04010503 02070609
1199E8AC 00000001 00772374 00000001
FFFFFF00 FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFF FFFFFFFF 0001FFFF

The 1s are the checked flags. Second int is the Machine ID.

0x00772374 (7807860) gets written into a unicode string:

wsprintfW(&SystemIDMisMatch, L"%02d%010d", 1, v8);

"010007807860"

Haley Machine ID 3229C576

Joey Machine ID 46678A52

Self-mult result


InputKeyVecStruct

Field | Offset
--- | ---
IntBufPtr | 0x0
FlagsPtr | 0x4

Pointer to larger IntBuffer gets passed first. Smaller 0x01000100 buffer passed in second.

RegisterClipboardFormatW(L"A44EB595-DAFE-40EC-9FA4-628BA75C0B0B"), license struct

0x40 = 1
0x54 = 1
0x5c = 1
0x44 = 1
0x448 size?? Buffer Object?

SmallArrays use a short for their size.

v13 = &LicenseCountMask_;
v12 = (int)&LicensesKeyIV;
ProcessLicense(&v12, (int *)FileBuffer, &LicenseFlag1);
