Skip to content
This repository has been archived by the owner on Dec 5, 2024. It is now read-only.

are-we-cool-yet/declipt

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
src
src
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
rust-toolchain.toml
rust-toolchain.toml
 
 

Repository files navigation

Declipt is now defunct. There is a fork of Declipt called Debird where development has continued.

Declipt

Special Thanks

…to WitherOrNot for researching and cracking Warbird.

Usage

To use Declipt, clone the Git repository, create a folder called emu64 in the project root, and put ClipSp.sys into emu64. Make sure you adjust the addresses in declipt::constants to match your version of ClipSp.sys.

Important

For ClipSp.sys

You must patch ClipSp.sys's true main entrypoint (you can find this in IDA Pro using CTRL+E) to return 1. The patched bytes are available in declipt::hook::CANCEL_DRIVER_ENTRY. Then, you need to create fake kernel imports for NTOSKRNL.EXE, FLTMGR.SYS, HAL.DLL, and KSECDD.SYS. Next, put the fake kernel imports in emu64. Finally, set the 0x2000 (File is a DLL) flag in ClipSp.sys. You can use PE Bear for this.

About

Decrypt ClipSp Warbird segments.

Resources

Readme

License

EUPL-1.2 license
Activity
Custom properties

Stars

7 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages