BackupHouse/CLiPExploder

CLiPExploder

A fancy C program for decrypting the ClipSp.sys driver in Windows.


Background

ClipSp is a kernel driver that is responsible for managing and verifying licenses on the system, among a few other things. It is part of the larger CLiP (Client Licensing Platform) DRM system introduced with Windows 10 and 11.

You can read this blog post describing a vulnerability in ClipSp if you want to learn more about it.

Usage

There's a configuration file (offsets.txt) that you need to make according to the ClipSp version you're trying to decrypt. The format is a comma-separated list of 3 offsets. The last two offsets should point to the data sections (DataConst & DataRW), and the first offset should correspond to the function responsible for decrypting the data sections. An example configuration file for ClipSp.sys version 19041.1741 is included in the repository.

Check GUIDE.md for instructions on finding these offsets for your version of ClipSp.
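A strict reader for the three-field offsets.txt layout described above, as an added example that is not CLiPExploder's own code. Assumptions: fields are decimal or 0x-prefixed hex, and the caller supplies an exclusive upper bound `limit` for the offsets (the README states neither); `clip_offsets`, `parse_field` and `parse_offsets` are hypothetical names, and the sample line is constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct {               /* field order as the README gives it */
    uint64_t decrypt_func;     /* function that decrypts the data sections */
    uint64_t data_const;       /* DataConst section */
    uint64_t data_rw;          /* DataRW section */
} clip_offsets;

/* Parse one unsigned field. Assumption: decimal or 0x-prefixed hex. */
static int parse_field(const char **p, uint64_t *out)
{
    const char *s = *p; char *end;
    while (*s == ' ' || *s == '\t') s++;
    if (!isdigit((unsigned char)*s)) return -1;   /* rejects signs and empty fields */
    int base = (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) ? 16 : 10;
    errno = 0;
    unsigned long long v = strtoull(s, &end, base);
    if (errno == ERANGE) return -1;               /* value does not fit in 64 bits */
    while (*end == ' ' || *end == '\t') end++;
    *out = (uint64_t)v;
    *p = end;
    return 0;
}

/* 0 = ok, -1 = malformed text, -2 = offset >= limit or duplicated. */
int parse_offsets(const char *text, uint64_t limit, clip_offsets *o)
{
    uint64_t v[3];
    for (int i = 0; i < 3; i++) {
        if (parse_field(&text, &v[i]) != 0) return -1;
        if (i < 2 && *text++ != ',') return -1;   /* exactly two separators */
    }
    while (*text == '\r' || *text == '\n') text++; /* trailing newline is fine */
    if (*text != '\0') return -1;                  /* fourth field or junk */
    if (v[0] >= limit || v[1] >= limit || v[2] >= limit) return -2;
    if (v[0] == v[1] || v[0] == v[2] || v[1] == v[2]) return -2;
    o->decrypt_func = v[0]; o->data_const = v[1]; o->data_rw = v[2];
    return 0;
}

int main(void)
{
    clip_offsets o;  /* constructed sample line, not real ClipSp offsets */
    return parse_offsets("0x1000,0x2000,0x3000\n", 0x10000, &o) != 0;
}
```

Rejecting a malformed or out-of-range line before touching the driver image keeps a wrong offsets.txt from silently producing a corrupted output file.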

After figuring out the offsets, place the driver next to CLiPExploder. CLiPExploder by default looks for a file called clipsp.sys and outputs to clipsp_decrypted.sys, but you can specify both of these things with command line arguments:

CLiPExploder.exe <input path> <output path>

Building

Run one of these in an MSYS2 CLANG64 environment:

make release
make debug
make relsym

make clean will clean up the artifacts.

About

A fancy in-place decryptor for the ClipSp.sys kernel driver included with Windows
