@kagebunsher
Created February 5, 2025 07:35
getbootkey.c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <windows.h>
/* Number of bytes copied after each matched name; also the length of the
 * XOR accumulator built in main(). */
#define KEY_DATA_SIZE 16
/* Size in bytes of the stack buffer used to read the hive file chunk by chunk. */
#define BUFFER_SIZE 4096
/*
 * Leading fields of the hive file as this program reads them.
 *
 * read_binary_from_hive() reads sizeof(REGF_HEADER) bytes from the start of
 * the file into this struct and inspects only Signature; the other fields
 * are read but not used anywhere in this file.
 * NOTE(review): the field meanings below are inferred from their names and
 * are not confirmed by any code here.
 */
typedef struct _REGF_HEADER {
DWORD Signature; /* compared against 0x66676572 before scanning */
DWORD Sequence1;
DWORD Sequence2;
FILETIME Timestamp;
DWORD Major; /* presumably format major version - unused here */
DWORD Minor; /* presumably format minor version - unused here */
DWORD Type;
DWORD Format;
DWORD RootCell; /* presumably the root cell offset - never followed here */
DWORD Length;
} REGF_HEADER;
/**
 * XOR a source buffer into a destination buffer in place.
 *
 * @param dest  Buffer updated in place; must hold at least `size` bytes.
 * @param src   Bytes XORed into `dest`; must hold at least `size` bytes.
 * @param size  Number of bytes to process. Zero leaves `dest` untouched.
 */
void xor_arrays(uint8_t *dest, const uint8_t *src, size_t size) {
    size_t remaining = size;

    /* Walk both buffers in lockstep, folding each source byte into dest. */
    while (remaining-- > 0) {
        *dest++ ^= *src++;
    }
}
/**
 * Write a byte buffer to stdout as lowercase hex, two digits per byte,
 * followed by a single newline.
 *
 * @param data  Bytes to print; must hold at least `size` bytes.
 * @param size  Number of bytes to print. Zero prints only the newline.
 */
void print_hex(const uint8_t *data, size_t size) {
    const uint8_t *cursor = data;
    size_t left = size;

    while (left-- > 0) {
        printf("%02x", *cursor++);
    }
    printf("\n");
}
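/**
 * Scan a hive file for the first raw occurrence of a byte string and copy the
 * KEY_DATA_SIZE bytes that immediately follow it.
 *
 * The file must begin with a header whose Signature is 0x66676572 (the ASCII
 * bytes "regf" read as a little-endian DWORD). Scanning starts right after
 * sizeof(REGF_HEADER) bytes and proceeds in BUFFER_SIZE chunks.
 *
 * This is a plain byte search, not a hive parser: no cell, key or value
 * structure is decoded, so the copied bytes are whatever happens to follow
 * the first match. A match that straddles two chunks is not detected.
 *
 * The file contents are untrusted input, so every read from `chunk` is
 * bounded by the number of bytes fread() actually returned.
 *
 * @param filename   Path of the hive file to open in binary mode.
 * @param valuename  NUL-terminated byte string to search for; must be
 *                   non-empty and short enough that the name plus
 *                   KEY_DATA_SIZE fits in one chunk.
 * @param buffer     Receives KEY_DATA_SIZE bytes on success; left untouched
 *                   on failure.
 * @return TRUE if a match with KEY_DATA_SIZE trailing bytes was found in a
 *         single chunk, FALSE on bad arguments, I/O or signature failure, or
 *         no match.
 */
BOOL read_binary_from_hive(const char* filename, const char* valuename, uint8_t *buffer) {
    REGF_HEADER header;
    uint8_t chunk[BUFFER_SIZE];
    size_t bytes_read;
    size_t name_len;
    size_t needed;
    BOOL found = FALSE;
    FILE *fp;

    if (!filename || !valuename || !buffer) {
        return FALSE;
    }

    /* An empty name would "match" at offset 0 of the first chunk. */
    name_len = strlen(valuename);
    if (name_len == 0 || name_len > BUFFER_SIZE - KEY_DATA_SIZE) {
        return FALSE;
    }
    needed = name_len + KEY_DATA_SIZE;

    fp = fopen(filename, "rb");
    if (!fp) {
        return FALSE;
    }

    if (fread(&header, 1, sizeof header, fp) != sizeof header ||
        header.Signature != 0x66676572) {
        fclose(fp);
        return FALSE;
    }

    while (!found && (bytes_read = fread(chunk, 1, sizeof chunk, fp)) > 0) {
        size_t last_start;

        /* The original computed `bytes_read - KEY_DATA_SIZE` unconditionally;
         * on a short final chunk that wraps around as size_t and the scan
         * runs far past the end of `chunk`. */
        if (bytes_read < needed) {
            continue;
        }

        /* Both the name and the bytes copied after it must lie inside the
         * data just read; otherwise memcpy would read stale or out-of-bounds
         * stack memory. */
        last_start = bytes_read - needed;
        for (size_t i = 0; i <= last_start; i++) {
            if (memcmp(chunk + i, valuename, name_len) == 0) {
                memcpy(buffer, chunk + i + name_len, KEY_DATA_SIZE);
                found = TRUE;
                break;
            }
        }
    }

    fclose(fp);
    return found;
}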
/*
 * Look up four names ("JD", "Skew1", "GBG", "Data") in a file called
 * "SYSTEM" in the current directory, XOR the KEY_DATA_SIZE bytes returned
 * for each into one accumulator, and print the accumulator as hex.
 *
 * Exits with status 1, printing nothing, as soon as any lookup fails.
 *
 * NOTE(review): the lookup is a raw byte search for short strings, so the
 * printed value reflects the first place each string happens to occur in
 * the file. Nothing here verifies that the bytes belong to the intended
 * registry item; treat the output as unvalidated.
 */
int main() {
    static const char *const names[] = {"JD", "Skew1", "GBG", "Data"};
    uint8_t bootKey[KEY_DATA_SIZE] = {0};
    uint8_t key_data[KEY_DATA_SIZE];

    for (size_t idx = 0; idx < sizeof names / sizeof names[0]; idx++) {
        if (!read_binary_from_hive("SYSTEM", names[idx], key_data)) {
            return 1;
        }
        xor_arrays(bootKey, key_data, KEY_DATA_SIZE);
    }

    print_hex(bootKey, KEY_DATA_SIZE);
    return 0;
}