@jarod... About SBOXes: there is ONLY ONE SBOX (yes, the standard Rijndael SBOX) and an FFMUL2 permutation table (used in Rijndael too). What you wrote about the disassembly really is a precomputed key schedule (it isn't derived from the password as in the standard approach, but stored in precomputed form with only one mission: add as much complexity as possible to the dumping process ... table bytes are NOT stored directly, but decrypted at runtime one by one, only when used). This looks like:

    byte[] hash = new byte[0x10];
    static byte[,,] KEY = ....; // 6 x 0x10 x 0x100 table; this part is VERY WELL protected

    void AddRoundKey(int round)
    {
        // every state byte goes through its own per-round, per-position lookup table
        for (int i = 0; i < 0x10; i++)
            hash[i] = KEY[round, i, hash[i]];
    }

And another difference from the original Rijndael spec (compare it yourself):

    void TransformHash() // called for each 128-bit block of the original data
    {
        AddRoundKey(0);
        for (var r = 1; r < 6; r++)
        {
            ShiftRows();
            MixColumns();
            SubBytes();
            ShiftRows();
            MixColumns();
            AddRoundKey(r);
        }
        ShiftRows();
    }

ShiftRows, MixColumns, SubBytes are the same as in Rijndael.... Feedback between blocks is defined as 'hash ^= data' before the transform; the last block is padded with '0x80, 0, ..... 0' if needed.
And ... sppsvc IS a very difficult target, so don't blame others, a simple investigation with a debugger there won't help.
P.S. This is hash signature generation code, not encryption.
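The round structure described in the post above, written out as an added Python example (not code from the thread) so the differences from plain Rijndael can be seen side by side: the S-box, ShiftRows and MixColumns are the standard ones, while the per-round, per-position lookup tables that replace AddRoundKey are constructed here as seeded random byte permutations, because the real KEY table is not given on this page.

```python
import random

def gmul(a, b):                    # multiply in GF(2^8) modulo the Rijndael polynomial 0x11B
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def make_sbox():                   # standard Rijndael S-box: field inverse, then affine map
    exp, log, p = [0] * 256, [0] * 256, 1
    for i in range(255):           # log/antilog tables over generator 3
        exp[i], log[p], p = p, i, gmul(p, 3)
    sbox = []
    for x in range(256):
        q, s = (exp[(255 - log[x]) % 255] if x else 0), 0x63
        for k in range(5):         # affine map: XOR of rotl(q, 0..4), then constant 0x63
            s ^= ((q << k) | (q >> (8 - k))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = make_sbox()

def shift_rows(s):                 # state is column-major: s[row + 4*col], row r rotates by r
    return bytearray(s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4))

def mix_columns(s):                # standard Rijndael MixColumns on each 4-byte column
    out = bytearray(16)
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
    return out

def make_key_tables(seed=1):       # constructed stand-in for KEY[6, 0x10, 0x100]: each entry a byte permutation
    rng = random.Random(seed)
    return [[rng.sample(range(256), 256) for _ in range(16)] for _ in range(6)]

def transform(h, key):             # TransformHash from the post, applied to one 16-byte block
    h = bytearray(key[0][i][h[i]] for i in range(16))                # AddRoundKey(0) as table lookup
    for r in range(1, 6):
        h = bytearray(SBOX[b] for b in mix_columns(shift_rows(h)))   # ShiftRows, MixColumns, SubBytes
        h = mix_columns(shift_rows(h))                               # ShiftRows, MixColumns again
        h = bytearray(key[r][i][h[i]] for i in range(16))            # AddRoundKey(r)
    return shift_rows(h)

def pad(data):                     # '0x80, 0, ..., 0' only when the last block is short
    rem = len(data) % 16
    return data if rem == 0 else data + b"\x80" + b"\0" * (15 - rem)

def hash_signature(data, key):     # feedback 'hash ^= data' before each block transform
    h, data = bytearray(16), pad(bytes(data))
    for off in range(0, len(data), 16):
        h = transform(bytearray(x ^ y for x, y in zip(h, data[off:off + 16])), key)
    return bytes(h)
```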
I blame nobody except GarbelloTheNoobs! I know that sppsvc is complex, that's why I try to help ... It is really interesting to compare the routine with the WZT keygen !!! So similar but so different (for the result ....) Take a look at these monster obfuscator functions: sub_5BE565, sub_5BEC7A & sub_5BF38F. They are just basic SBOX de facto, but to debug them you can spend two lives ... The spiderFunction !
Nothing to compare ... this keygen (really a small part of old sppsvc) has no more code protection functions, only junk code left from them. A standalone debugger there is almost useless ... but for this purpose we have IDA. With a simple IDC script you can extract the full permutation table, even without debugging.
Yes, interesting. However, for me a more convenient way for this purpose is to create a simple .NET application in Visual Studio or LINQPad...
Creating an RPC server in C# is something like torture! In C++ it's quite simple: an IDL for the interface and just some code to create/manage the RPC interface.
Some details about these functions. As explained, these functions are just SBOXes but obfuscated by Microsoft with a substitution routine (in sub_5BE565, no substitution for 0x2B, then sub_5BE565(0x2B) = default case = 0x00; in sub_5BEC7A, no substitution for 0x8E, then sub_5BEC7A(0x8E) = default case = 0x00; in sub_5BF38F, no substitution for 0x8E, then sub_5BF38F(0x64) = default case = 0x00). In fact, there are 28 functions of this type during the process ... + more than 40 SBOXes! For sure, it's quite obfuscated and strongly mixed.