Kas Ob.

Everything posted by Kas Ob.

  1. One small addition to Remy's detailed answer: there is zero guarantee that DllMain will be called from the main thread, or even from the same thread that called LoadLibrary! So all bets are off using the VCL, while the RTL should be OK if thread safety is observed with it (locking/synchronization...).
  2. Kas Ob.

    Blocking hackers

    I never went above 0, for my personal usage and in my recommendation for my clients, though some went for extra functionality and paid more. The CF free plan is pretty damn good, and it does protect against and isolate many if not all of these DoS or DDoS attacks; from their infrastructure capability it is negligible for a site or two. Pretty damn good protection, as you don't even want to care or think about any attacks on all layers up to 5. To understand these, and as a reminder about the layers, refer to Wikipedia: https://en.wikipedia.org/wiki/OSI_model#Layer_architecture Up to layer 3 it is really hard to protect yourself; this involves many raw sockets and very low-level networking, which is even harder on Windows without involving drivers and filter drivers. As for 4 and 5, these are where CF can offload this huge pain in the back to manage; then you will be left with the last two layers, 6 and 7, and these are absolutely your job to protect against. To explain: if your server mishandles a JSON payload that causes a crash or freeze.... these are your job as developer to handle and protect against. There is much that can be written here, but I hope I gave a good starting point to start your own research about these layers and how things can go wrong with them, as Denial of Service (DoS) and Distributed DoS (DDoS) can be to deplete server resources or just cause havoc and instability for the service. In this case with Angus, the hackers were using DoS, but after blocking by IPs they switched to DDoS; still, the attack target itself is not clear to me: is it brute forcing a password or just scraping data or.... this must be handled by Angus. And again most cases need a login, hence sessions come into play, and delegating this to CF is nice, but please be careful here and don't confuse the session CF established for HTTP(S) with your server session for logged in/not logged in, aka your own server session; these are two different sessions, but they can be combined, or in other words co-exist and be utilized.
It is unlimited, at least from what I witnessed, and yes it was wild traffic and CF chewed it like nothing for static/cached/CDN content and for dynamic too, yet your server was hidden and relaxing. Also there are these features/APIs like https://www.cloudflare.com/application-services/solutions/api-security/ https://developers.cloudflare.com/api-shield/ You can have a look at these case studies, which I rarely trust or believe in, or almost even read, but with CF it is true and it is everywhere and doing its job: https://www.cloudflare.com/case-studies/ With that being said about CF, I used OVH and my own server redirections. OVH filtered DDoS attacks up to level 4, so my server was free from needing to handle those, and for the higher levels I didn't use captcha but utilized some redirection to filter out any bots. See, most bots, even the sophisticated ones, can be fooled or identified by this redirection: redirect to a page on a subdomain, use your own headers and cookies, then return them to another one. If you ever watched what Microsoft does for the web Outlook/Hotmail login (it was their standard in the not so long past), you will get the idea, though this practice is dying due to the cross-origin policy in browsers. Anyway, the whole thing of stopping such attacks comes down to identifying what their target is: simply put the server/service out of work? grabbing public data? grabbing valuable data? brute forcing to gain access?.... for each case you need to build a solution. But in general, such repeated HTTP requests CF will filter out, most of them; see, CF does know what each and every IP does and to whom it belongs, so VPNs and proxies are the easiest to block.
Also I wouldn't suggest blocking IP(s) by /24, that is excessive; I always use a limit per second per one IP, no ranges, and combine it with minutes: the more an IP connects and requests, the more delay to keep blocking, and unblock after one hour no matter what. Of course this assumes the HTTP server is handling connection keep-alive right and doesn't trigger the auto block by dropping the connection itself; in other words it will not allow HTTP/1.0 and old browsers, these will block themselves. The most valuable tool to identify and block is dynamic cookies, not static ones: for an established connection dynamic is good, a new one will be handled as suspect under provision. Combining these with IP(s), see, let's say a /24 range, so I can allow 255 different cookies for that range and then start to block, even go after them all, but if one is still holding my cookie and updating it consequently then it is fine. But this includes keeping track of cookies at least as long as the server is running, unless the login cookie is kept in a DB; then the infrastructure is there to expand and track them all.
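As an added example (not the poster's code and not tied to CF or any particular HTTP server), the per-IP scheme from the post above in working form: a per-second limit per single IP with no /24 ranges, a block that lengthens for repeat offenders, and an unconditional unblock after one hour, replayed over constructed access-log lines; the thresholds are assumed values.

```python
"""Per-IP request limiter: limit per second per single IP (no /24 ranges), escalating
block length for repeat offenders, hard unblock after one hour. Added example, not the
forum poster's code; the thresholds below are assumptions."""
from collections import defaultdict, deque

PER_SECOND_LIMIT = 10      # requests one IP may make per second (assumed)
BASE_BLOCK_SECONDS = 60    # first offence: one minute (assumed)
MAX_BLOCK_SECONDS = 3600   # "unblock after one hour no matter what"


class IpLimiter:
    def __init__(self, per_second=PER_SECOND_LIMIT, base_block=BASE_BLOCK_SECONDS,
                 max_block=MAX_BLOCK_SECONDS):
        self.per_second = per_second
        self.base_block = base_block
        self.max_block = max_block
        self._window = defaultdict(deque)   # ip -> request times within the last second
        self._blocked_until = {}            # ip -> time the current block expires
        self._offences = defaultdict(int)   # ip -> how many times the limit was exceeded

    def block_length(self, offences: int) -> int:
        """Doubling back-off: 60 s, 120 s, 240 s ... never longer than one hour."""
        return min(self.base_block * 2 ** (offences - 1), self.max_block)

    def allow(self, ip: str, now: float) -> bool:
        """Decide for one request; `now` is the request's unix timestamp."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self._blocked_until[ip]          # block expired; the offence count is kept
        window = self._window[ip]
        window.append(now)
        while window and now - window[0] >= 1.0:  # keep only the last second
            window.popleft()
        if len(window) > self.per_second:
            self._offences[ip] += 1
            self._blocked_until[ip] = now + self.block_length(self._offences[ip])
            window.clear()
            return False
        return True

    def block_seconds_remaining(self, ip: str, now: float) -> float:
        return max(0.0, self._blocked_until.get(ip, now) - now)


def replay(lines, limiter=None):
    """Replay constructed 'timestamp ip' lines; returns {ip: (served, refused)}."""
    limiter = limiter or IpLimiter()
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        ts, ip = line.split()
        stats[ip][0 if limiter.allow(ip, float(ts)) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


# Constructed sample: one IP bursts 15 requests in 0.75 s, a neighbour in the same /24
# makes a single request, and the burster comes back inside and after its 60 s block.
SAMPLE_LOG = (
    [f"{1000 + i * 0.05:.2f} 203.0.113.5" for i in range(15)]
    + ["1000.40 203.0.113.6", "1030.00 203.0.113.5", "1061.00 203.0.113.5"]
)

if __name__ == "__main__":
    for ip, (served, refused) in replay(SAMPLE_LOG).items():
        print(f"{ip}: served={served} refused={refused}")
```

The neighbour 203.0.113.6 is never touched by the burster's block, which is the point of limiting per IP rather than per /24.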
  3. Kas Ob.

    Blocking hackers

    Hi, well, there is nothing much I can suggest here that you don't already know, but I can give an idea: CloudFlare. This can stop it or at least remove 99% of these connections, this from experience, but of course you thought about that and didn't use it for a reason or two, also we know. My suggestion is to utilize CloudFlare as a step, meaning redirect all connections into a subdomain, and this subdomain is the one with CF, or vice versa. I am trying to give you an idea about sieving the connections with CF, so it is one of these as example(s), where "->" means HTTP redirect:
1) Your server on the main domain -> subdomain on CF -> return to the main domain after checking cookies and what CF can offer here
2) Your main domain on CF -> your actual server on a subdomain, after whitelisting the connection
3) Combine both (1) and (2) and use a CF worker to handle the whitelisting and let CF handle the blacklisting.
Just thoughts, and hope that helps.
  4. Kas Ob.

    Connection refused issue

    Also I witnessed this behavior on many Windows and Linux servers hosted on dedicated servers; it almost always was the host's problem or a specific ISP. You need to study the dropped connections, if we are talking about dropped connections, not accepted ones. Does your host have some sort of DDoS protection? Because it might be triggered on their hardware before your server by an unrelated attack on a server that happens to be on the same switch, and this could lead to such dropping/losing of connections or refusing new connections for a few minutes, then everything comes back to normal and the load returns to its normal. For this case, track and record the time of this and ask your host's technical support to confirm if that is the case; also record these IP(s) of refused or dropped connections, and try to geolocate them to see if they belong to one or more than one but close ISP(s).
  5. Kas Ob.

    Connection refused issue

    Remy listed a few things, and I will list more thoughts to follow on this. Windows OS has its own DDoS protection implemented; it is almost useless, or more like very naïve, as any more advanced one would cause a wide range of problems and require more advanced knowledge to tweak, so Microsoft kept it as simple as possible with very limited settings to tweak. Anyway:
1) Start with this link and see your dynamic port range with "show dynamicport" before changing and adjusting: https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcp-ip-port-exhaustion-troubleshooting
2) It is disgusting how Microsoft manages to just lose links to 404, valuable information and documentation, due to stupid site mismanagement. I have very little time to write and search, and searching almost always lands me on a 404! Found this though: https://serverfault.com/questions/43252/how-can-i-harden-the-tcp-ip-stack-in-windows-server-2008 ECN can play a role, and there were some more registry settings; later I will look for them if you couldn't find the problem. But in general more information is needed, like how many new connections are established per second and the average time a connection stays connected...
  6. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    @Roger Cigol Here is another thing to try: download and run API Monitor from http://www.rohitab.com/apimonitor Use the correct bit version for your EXE and set the filter as shown in this screenshot. Run your exe, or you can attach to it at any time, so you are not limited to monitoring everything; you can leave the exe running alone until the problem manifests, then attach the monitor and capture the log. After capturing the log, compare it with a log from your own device and see where the failure exists; after that you can share with us the important pieces of the failure. Give extra attention to the failed API calls and their passed parameters, this is important; also, as the monitor log records the handles and results, a comparison might narrow down the failure origin. Feel free to expand the API logging list for your own running EXE and that one device; you might find it useful, reporting many failed APIs or wrongdoing or repeated calls. Also you can record the SyncObjs APIs like the low-level APIs, e.g. RtlCriticalSectionxxxx... Mutex, Events... like these.
  7. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    The blackout is striking again, two days out of power, now back to 3 hours on and something between 3-6 or even 9 hours off. Defender easily can do it, and even worse. What stands out for me is why it is not verified?!! while the others are OK, but yet it might not be a big deal: https://security.stackexchange.com/questions/224829/does-a-lack-of-verified-signatures-for-windows-defender-indicate-malware https://learn.microsoft.com/en-us/archive/msdn-technet-forums/a7e41613-43aa-4c9b-b117-46d0f9420bf7#986960c6-d417-4747-8020-e06f3bf6e1fb As for what could go wrong? The answer here makes sense (pun intended): https://answers.microsoft.com/en-us/windows/forum/all/is-it-okay-if-the-windows-defender-service-is-not/2d1dbf86-06cc-4c5c-a415-75fa0b878cff So, as a theory, Sense at some point was allowed to upload samples; in such a case it could have marked/flagged your application and maybe your certificate too, and while waiting for a response to either red or green flag it, in the meantime it will be allowed to work under inspection with full logging/tracking/tracing up to a point where it depletes a specific amount of resources. It shouldn't be reaching such a limit, but it is, though it is a theory. Try to change the name of the EXE and how it reaches that device; I mean if you have a self-updating exe then override it, build a new exe with different paths if possible, and try again. OR, allow Defender to take its samples in case it is misconfigured or had some policy changes; ask if someone tweaked Defender, or even just try to stop it and restart it.
  8. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    This is it: a driver running out of resources, either by being buggy/outdated, or it belongs to bigger software like an antivirus but the rest of the software is not there to continue processing something; it could be uninstalled software that had a driver leftover, running rogue. I can say something around 100% sure. For more testing please run (as Administrator) Autoruns https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns then see what resides in both sections, Services and Drivers; it is easy to check the Provider/Publisher.
  9. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    Well, this means it is definitely a broken driver, and again such a driver is there to perform a job; it could be attached to another service like (just as an example) System Restore, or it might have its own configuration/policy like security and its access. So what I suggest is to go back to my first post in this thread and run SFC, yes as dumb as it sounds; also check if the compatibility service is running and the application doesn't have any, and also check that the target file path (location and upper directory(s)) has security. See, I know it works sometimes, but is there something that changed it dynamically? like at this moment causing such a resource to be wrongly handled. Handles are stored in the kernel in tables and cloned there, but it could depend on filters on the way (in and out), and that is what you want to pinpoint: whether a buggy driver (yes it is a driver or filter driver) caused this and depleted its own resources.
  10. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    Expanding a little on drivers and services: internally all drivers are called services, and they are configured and launched from one location in the registry, Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services Except for the OS kernel itself, which is loaded and hardcoded to load at the very first step of boot, all are defined there. So when an error says service, it could be a driver.
  11. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    It doesn't matter, and yes it will help: if no object with that name exists then the problem is in the middle between user mode and the user-mode driver.
  12. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    Sorry, I forgot to mention to search and find your MyMutex1.
  13. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    Not mentioned is enough for this one; it does confirm it is coming from a driver, a low-level one.
  14. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    No, not healthy at all. But this one could be the running out of resources! Yes, handles have a limit, and still the same as I mentioned above, the handle is wrongly handled. Please download WinObjEx64 https://github.com/hfiref0x/WinObjEx64/releases then share screenshots of the three tabs like this.
  15. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    To be honest it is not exactly a service but stapled to one; see, this cryptic error most likely is caused and reported from a user-mode driver, as kernel-mode drivers give more detailed errors, yet in both cases these drivers belong to and are part of an OS service as mentioned above. I think it is between System Restore, Defender or some network mapped drive.
  16. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    Use Process Monitor without filter(s), then see what is going on and try to figure out who reported the Resource Error.
  17. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    Well, this clears up a few things: Service! So the cause is not your application; I am of course assuming your application is not a service, as you didn't mention that, and that is very relevant. My logical thinking about this is that a service very relevant to your application, and in this case very relevant to reading/accessing files, failed due to resources or other causes. Here keep in mind many service errors are mistakenly reported as resource deficiency due to how it is structured to communicate, by direct IPC or other method; these belong to the OS IPC designs. So an OS service caused this; how can this be? OS services interact and interfere in [a/any] application directly or indirectly:
1) Directly, as an example, DNS Cache, TWAIN, or some .NET freak service.... If your application is depending on something like OS DNS resolving and the service is misconfigured (something like a broken hosts file) it could lead to all sorts of such unexplained errors; yes, I know I am bringing a DNS example to a file problem, but it is the idea I want to convey.
2) Indirectly, and this is the most relevant and may be the cause of your problem: see, there are services within the OS that are built to hook and intercept IO, for example Volume Shadow Copy, System Remedy (or something), System Restore, Defender..etc. All of these are capable of stopping your IO from completing, and on top of that, if they fail for some reason, your application is done and gone, and you are left with a cryptic error message like yours.
Also there is one in particular not mentioned in 1 and 2, Application Verifier; though it is a low probability to be your problem, checking is worth it: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/application-verifier Make sure whether it exists on the target device; if yes then open it and remove/delete anything in that list, yes delete them, and you will know how once you see it.
Anyway, back to suggestions and shooting darts in the dark: try to find the service attached to that error, delete the System Restore checkpoints, disable then enable... just try to figure out what service is interfering and try to remedy it; one of them could have a broken policy or setting, or just really be out of resources.
  18. You landed on the holy grail of bugs! If you can make the smallest demo to reproduce this bug then it is great for reporting; these Variant handling exceptions/bugs/AVs are fatal in the IDE and debugger, and there are quite a few of them. Not all show error messages; many lead to a silent IDE crash or just a freeze. There are bugs in many places, but it could shed light on this Variant mishandling in the IDE/debugger in general.
  19. Kas Ob.

    TDirectory - file lock out on Win 10 LTSC

    Well, I don't have an idea about such a case per se, but I witnessed many of these when I broke my OS while kernel debugging and fooling around, so I have thoughts here. But first let me say what is different in LTSC from the normal: they are the same, except LTSC comes with slightly different default policies, policies that are not even listed in the GP editor; some of them need to be added using ADMX files to be accessible. To have an idea, look here: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-storage They are mostly documented, though, yet many need to be added, so your OS might need some restoring of its defaults. That being said, now to what I think might be the cause, also while we are shooting darts in the dark:
1) The storage handling layer and its drivers run in two layers, a user-mode part and a kernel-mode part. In some cases I caused a corruption in user mode; this triggered an exception, yet that exception wasn't critical enough to crash the system, as it happened after returning from the kernel system calls (drivers). The exception marked the file handle as corrupted and left it in locked mode, or just the handle tables were faulty and the system couldn't add another handle or even try to read part of that table; sometimes many files were locked, so no more file access, with strange errors or simply a freeze, yet the file(s) were accessible from different processes, due to the user process sandboxing which starts in the kernel and extends to user mode.
2) LTSC does have a delayed update policy, meaning fewer fixes will be pushed, so if there is a bug it could be simply fixed by updating your LTSC to the latest, and in case you can't, then really running SFC 🙂 (as they always suggest) can help; the info about running SFC is literally everywhere!
3) Your disk has a problem. I saw these on Server 2003, and also had them on my old XP: the disk wasn't aligned. Yes, it is a thing, and there are a few tools to check disk alignment and fix it: https://superuser.com/questions/132296/how-to-check-the-partition-alignment-on-an-ssd-drive Notice that searching the net now gives me only SSD results, but that is not the only case; it might happen with any disk type, as it did with mine, and also it increases the speed, and lingers as trouble in accessing disks, which might be your case. One thing though: don't use any non-official application or method from anywhere on the net to align your disk; first check if your disk manufacturer has such a tool, WD, Intel, Samsung... they either have tools or their software will check and prompt you to fix the alignment. And with 3rd-party tools like the one mentioned here https://www.diskpart.com/windows-10/ssd-alignment-windows-10-3889.html it could be fine, yet I wouldn't recommend it. Hope that helps!
  20. Standards, specifications and their accuracy! https://www.di-mgt.com.au/x942testvectors.html
  21. On a side note, KDF(x) are key deriving functions, but these functions are old and mainly used for specific purposes, which is generating a key from a key or from sufficient and accepted entropy; they were never meant to be used for passwords, and for that they had the seed added. They should have been designed better to focus on this issue, unlike PBKDF, which is Password Based Key Deriving Function, designed to get a key from low entropy sources like a password, and it compensates with arbitrary rounds of HMAC.
  22. Hi, I looked at the implementation at https://github.com/MHumm/DelphiEncryptionCompendium/blob/master/Source/DECHashAuthentication.pas#L997-L1049 and let's say this one https://github.com/MHumm/DelphiEncryptionCompendium/blob/master/Source/DECHashAuthentication.pas#L1067-L1074

```pascal
class function TDECHashAuthentication.KDF1(const Data, Seed: TBytes; MaskSize: Integer): TBytes;
begin
  if (length(Seed) > 0) then
    Result := KDFInternal(Data[0], length(Data), Seed[0], length(Seed), MaskSize, ktKDF1)
  else
    Result := KDFInternal(Data[0], length(Data), NullStr, 0, MaskSize, ktKDF1);
end;
```

The problem is easy to see and easy to fix here, but let's point out the cause: Data is TBytes, in other words a managed type, and if Data is empty then Data is nil, and that is it, accessing Data from

```pascal
class function TDECHashAuthentication.KDFInternal(const Data; DataSize: Integer; const Seed;
  SeedSize, MaskSize: Integer; KDFType: TKDFType): TBytes;
var
  I, n, Rounds, DigestBytes : Integer;
  Count : UInt32;
  HashInstance : TDECHashAuthentication;
begin
  SetLength(Result, 0);
  DigestBytes := DigestSize;
  Assert(MaskSize >= 0);
  Assert(DataSize >= 0);
  Assert(SeedSize >= 0);
  Assert(DigestBytes >= 0);
  HashInstance := TDECHashAuthenticationClass(self).Create;
  try
    Rounds := (MaskSize + DigestBytes - 1) div DigestBytes;
    SetLength(Result, Rounds * DigestBytes);
    if (KDFType = ktKDF2) then
      n := 1
    else
      n := 0;
    for I := 0 to Rounds-1 do
    begin
      Count := SwapUInt32(n);
      HashInstance.Init;
      if (KDFType = ktKDF3) then
      begin
        HashInstance.Calc(Count, SizeOf(Count));
        HashInstance.Calc(Data, DataSize); // <-------- here Data can't be nil
      end
      else
      begin
        HashInstance.Calc(Data, DataSize);
        HashInstance.Calc(Count, SizeOf(Count)); // <-------- here Data can't be nil
      end;
      HashInstance.Calc(Seed, SeedSize);
      HashInstance.Done;
      Move(HashInstance.Digest[0], Result[(I) * DigestBytes], DigestBytes);
```

Also, as designed, I mean KDFx, it does hash the concatenation of Data with the seed; if Data is nil then just skip it, and that is the fix.
As for your request for the specification, check your private messages, as I attached IEEE 1363-2000 and an old draft of ISO/IEC 18033-2.
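As an added example (not DEC's code), the same counter-based construction in Python with the fix the post describes, an empty Data simply omitted from the hash input, KDF3 laid out as in the quoted loop (counter before Data), and PBKDF2 from the side note above alongside for contrast. SHA-256 as the hash and a counter that increases by one per round are my assumptions, since the quoted excerpt ends before the increment.

```python
"""Counter-mode KDF1/KDF2/KDF3 in the layout of the quoted KDFInternal, with an empty Data
handled by omitting it, and PBKDF2 alongside for contrast. Added example, not DEC code."""
import hashlib
import struct


def digest(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts (the hash algorithm is an assumption)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def kdf(data: bytes, seed: bytes, mask_size: int, kind: int) -> bytes:
    """Produce mask_size bytes.
    kind 1: H(data || ctr || seed), ctr from 0     kind 2: same layout, ctr from 1
    kind 3: H(ctr || data || seed), ctr from 0     (the order used in the quoted loop)
    ctr is a 4-byte big-endian counter (SwapUInt32 in the Delphi code) and is assumed
    to increase by one per round. An empty `data` simply contributes nothing, which is
    the "just skip it" fix: no Data[0] dereference, identical hash input otherwise."""
    if mask_size < 0 or kind not in (1, 2, 3):
        raise ValueError("bad mask_size or KDF kind")
    digest_len = hashlib.sha256().digest_size
    rounds = (mask_size + digest_len - 1) // digest_len
    counter = 1 if kind == 2 else 0
    out = bytearray()
    for _ in range(rounds):
        ctr = struct.pack(">I", counter)
        parts = (ctr, data, seed) if kind == 3 else (data, ctr, seed)
        out += digest(*parts)
        counter += 1
    return bytes(out[:mask_size])


def kdf1_as_quoted(data: bytes, seed: bytes, mask_size: int) -> bytes:
    """Mirror of the quoted KDF1 wrapper: Data[0] is evaluated before the internal call,
    so empty Data fails (IndexError here, an access violation on a nil TBytes in Delphi)."""
    _first_byte = data[0]            # <-- the defect the post points at
    return kdf(data, seed, mask_size, 1)


def password_key(password: bytes, salt: bytes, length: int, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256: iterated HMAC compensates for a low-entropy password, which
    KDF1/KDF2 (one hash per output block, no work factor) were never designed to do."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, length)


def empty_data_is_handled(seed: bytes = b"constructed-seed") -> bool:
    """True when kdf() with empty Data yields H(ctr || seed) while the quoted wrapper fails."""
    try:
        kdf1_as_quoted(b"", seed, 32)
        return False
    except IndexError:
        return kdf(b"", seed, 32, 1) == digest(b"\x00\x00\x00\x00", seed)
```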
  23. Hi, I tried the following to address the overloading and it works, yet the problem you are speaking of is a real problem:

```pascal
interface

uses
  Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes,
  Vcl.Graphics, Vcl.Controls, Vcl.Forms, Vcl.Dialogs, rtti, Vcl.StdCtrls;

type
  TMyColor = type Cardinal;

type
  TForm10 = class(TForm)
    Memo1: TMemo;
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
  public
    procedure AddNumberToMemo(Value: string); overload;
    procedure AddNumberToMemo(Value: TMyColor); overload;
    procedure AddMyColorToMemo(Value: TMyColor);
  end;

var
  Form10: TForm10;

implementation

{$R *.dfm}

function ExecuteInstanceMethod(Reference: Pointer; const AName: string; const Args: array of TValue): TValue;
var
  context: TRttiContext;
  instType: TRttiInstanceType;
  obj: TObject;
  meth: TRttiMethod;
  parameters: TArray<TRttiParameter>;
  MethodIsFound, ArgumentTypesAreEqual: Boolean;
  index: Integer;
  LastError: string;
begin
  context := TRttiContext.Create;
  try
    meth := nil;
    MethodIsFound := false;
    obj := TObject(Reference);
    instType := (context.GetType(obj.ClassType) as TRttiInstanceType);
    for meth in instType.GetMethods do
    begin
      MethodIsFound := SameText(meth.Name, AName);
      if MethodIsFound then
      begin
        parameters := meth.GetParameters;
        ArgumentTypesAreEqual := False;
        if Length(Args) = Length(parameters) then
        begin
          for index := 0 to Length(parameters) - 1 do
          begin
            ArgumentTypesAreEqual := parameters[index].ParamType.Handle.Kind = Args[index].TypeInfo.Kind;
            if not ArgumentTypesAreEqual then
            begin
              LastError := 'Argument type of ' + parameters[index].Name + ' is not ' +
                parameters[index].ParamType.Name + ', it is ' + Args[index].TypeInfo.NameFld.ToString;
              //raise Exception.CreateFmt('Argument type of %s is not %s, is %s', [parameters[index].Name, parameters[index].ParamType.Name, Args[index].TypeInfo.NameFld.ToString]);
              //Break;
            end;
          end;
        end;
        if MethodIsFound and ArgumentTypesAreEqual then
          Break;
      end;
    end;
    if (LastError <> '') and not (MethodIsFound and ArgumentTypesAreEqual) then
      Form10.Memo1.Lines.Add(LastError); //raise Exception.Create(LastError);
    if (meth <> nil) and MethodIsFound and ArgumentTypesAreEqual then
    begin
      result := meth.Invoke(obj, Args);
    end
    else
      Form10.Memo1.Lines.Add('method ' + AName + ' not found'); //raise Exception.CreateFmt('method %s not found', [AName]);
  finally
    context.Free;
  end;
end;

procedure TForm10.AddNumberToMemo(Value: string);
begin
  Memo1.Lines.Add(Value);
end;

procedure TForm10.AddNumberToMemo(Value: TMyColor);
begin
  Memo1.Lines.Add(IntToStr(Value));
end;

procedure TForm10.AddMyColorToMemo(Value: TMyColor);
begin
  Memo1.Lines.Add(IntToStr(Value));
end;

procedure TForm10.FormCreate(Sender: TObject);
var
  T: TMyColor;
begin
  // addressing overload
  ExecuteInstanceMethod(Self, 'AddNumberToMemo', [100]);
  ExecuteInstanceMethod(Self, 'AddNumberToMemo', ['Color3']);
  T := 99;
  ExecuteInstanceMethod(Self, 'AddMyColorToMemo', [55]);
  ExecuteInstanceMethod(Self, 'AddMyColorToMemo', [T]); // T handled as Int64 !
end;

end.
```

The result in the memo is:

```
100
Color3
55
Argument type of Value is not TMyColor, it is Int64
method AddMyColorToMemo not found
```

Now, my IDE is XE8, and I have 50% confidence that this behavior might have changed over time for RTTI, yet I didn't test it with my older IDEs; I will assume it is irrelevant for any of you, yet you may want to make sure that the compiler behavior with RTTI is consistent for newer versions. As for the exact problem I saw above, which I assume is your question to begin with (I might be wrong and missed that): if RTTI will only return TMyColor then you need to search globally the included/shipped RTTI to try and resolve TMyColor to its base (origin); if that works then it could be resolvable by building a table, then caching it for multiple reuse. That is the problem with RTTI: once you typed a type then there are a few moving parts, hidden and silently done by the compiler.
  24. Kas Ob.

    EurekaLog problem

    Can you confirm the assertion code is there? (I mean the compiler did add the code.) I ran into something similar but it was the IDE's fault: sometimes disabling the assertions in the project options and then re-enabling them is not enough; for some reason the compiler will not add them until calling Clean on the project or closing the project and re-opening it. This happened on XE8. In all cases put a breakpoint and see if the assert code is there in the assembly; also it could be a forgotten directive somewhere.
  25. Kas Ob.

    RSA decryption from JavaScript

    Hi, I waited for someone else to add an answer for you, as I don't use LockBox and have no experience with it. Sources I looked at: https://github.com/TurboPack/LockBox https://github.com/TurboPack/LockBox3 Now to what I see (without building or compiling anything):
1) Extracted the private key from your post and pasted it into an ASN.1 decoder, and here is the result: https://lapo.it/asn1js/#MIICXAIBAAKBgQDFoP5AJIv1KFGRpv_Uw7drFXjWbZG6wNsO7P58ocZIcxyKGU6uTgXw8N1IvTmd9yXRSdcb2fCWB7J_QUQDJQ3YuuXSOQCVOdi8Wy9UoZ5jNdqtZ6CMCvnK_v4Wy38ZhrB0CRkeiuyjmUdfQhe8mh3pE3iFBusYd1TVCxQt3VBkqQIDAQABAoGAaYBaeo-ID6YodWL7a-_XeNkLmxz_EP1nc_5clNgf7AlXkPmVoUORtGBBIVWy7ntDuwh6Ryn_X3hYd8q1riAX1UwVuUduOENmgyzmO1rRIoB_17vzYwVMYOB2h-qbxEqjg4dUfk_1occyDwpehWel-1NIgvQLNYLcn2JXxkAyrMkCQQD37-3Y8sjYxwApgiIClsCjrla73cS_QwzArGEnOjBs86LyzCc0pNzmP2OD0a9VlD3k6dMnhT2Oj-2knZs8dUlHAkEAzA4_mQeFvdiKIkzUBECn3w9Ylu2IfpKnQt_0EFUENxS9ONZ1jj4pzDBfZosgwnE1GiECELM3R_6Pzl-uIGrajwJBALm5HG3az-CykMiHFnrh-kOiII5xvSOYUkEx30THLecvSeyeSPACXwaKjTz9IV31wbdsACQmhsn3vogFF3feU5kCQARP9MYeI5RshBbPeteQKjwLjfq6kFzkaoZ-RyElOs6TMKCH37oe1DFNgGahYBLb45xmwC1sLCnoVk-tM_fZaj8CQGQyIlxwbgNBBdV3wnmtX9yPDflOsjpo3FuBMOu3nZADKEpmTXFgdwP4oMMbCmDvH3dav92LE5JN1cPik9z0Piw And that is a correct and valid RSA key, yet having clicked and browsed the sources on GitHub, there is no ASN.1 decoder in the sources; the closest thing is using OpenSSL to do the loading of the private key, or, to be more accurate, to decode the private key to a usable format for TP.
2) Searching for KJUR.crypto.Cipher.decrypt, found this https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Cipher.html So the encryption indeed is RSAOAEP (RSA encryption is completely different from RSAOAEP; for future reference don't mix them). Also check the sources, and it looks like TP can do RSAOAEP https://github.com/TurboPack/LockBox3/blob/master/run/RSA/uTPLb_RSA_Primitives.pas#L116 And that is what you should use, so your code using "Signatory: TSignatory" is on a completely wrong path.
3) Also important: the JS code does the decryption, and as usual the decryption parameters are way fewer than the encryption's; to perform RSAOAEP encryption and decryption sometimes you need the default parameters and sometimes you need to figure out if there is some default that must be set before the decryption.
4) Couldn't find useful examples for you, but so others may help here, or you can start by looking at https://github.com/TurboPack/LockBox3/blob/master/test/uLockBox_RSA_TestCases.pas#L466 Notice there a codec and no TSignatory, but the most important (for me at least): these keys are not decodable as they are not ASN.1; from the sources they look like a custom format specific to LockBox. Here is an SO question, close enough to your problem: https://stackoverflow.com/questions/68186850/lockbox-3-encrypt-rsa-with-public-certyficate Again, couldn't find what can solve your problem in full.
Suggestion: with the above I hope you have a better understanding of what your problem actually is: it is loading the private key as the first step, then performing the right decryption with RSAOAEP, and that is it. So either try with OpenSSL to load and decrypt, or look for a different library. And good luck!
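As an added example (not LockBox, OpenSSL or jsrsasign code), the first step the post names, loading the private key, done by hand: a minimal DER reader for the PKCS#1 RSAPrivateKey structure that the ASN.1 decoder link displays (a SEQUENCE of nine INTEGERs), a PEM unwrapper, and a consistency check of the CRT fields. The key it runs on is a constructed toy key with p=61, q=53 (far too small for any real use), encoded here with a tiny DER writer so the reader can be exercised offline.

```python
"""Read a PKCS#1 RSAPrivateKey (PEM or DER) and sanity-check its fields.
Added example, not LockBox code. The toy key (p=61, q=53) is constructed here."""
import base64
import math
import re

RSA_FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")


def _read_length(buf: bytes, pos: int):
    first = buf[pos]
    if first < 0x80:                               # short form
        return first, pos + 1
    n = first & 0x7F                               # long form: n length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, contents, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length, start = _read_length(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[start:end], end


def parse_rsa_private_key(der: bytes) -> dict:
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qinv } (all INTEGER)."""
    tag, body, end = der_read(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    key, pos = {}, 0
    for name in RSA_FIELDS:
        tag, value, pos = der_read(body, pos)
        if tag != 0x02:
            raise ValueError(f"{name}: expected INTEGER, got tag {tag:#x}")
        key[name] = int.from_bytes(value, "big", signed=True)
    if pos != len(body):
        raise ValueError("unexpected trailing data (multi-prime key?)")
    if key["version"] != 0:
        raise ValueError("only two-prime keys (version 0) are handled")
    return key


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END RSA PRIVATE KEY lines and base64-decode the body."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 'RSA PRIVATE KEY' PEM block")
    return base64.b64decode("".join(m.group(1).split()))


def check_rsa_private_key(k: dict) -> list:
    """Return the list of internal inconsistencies (empty list: the fields agree)."""
    problems = []
    p, q, e, d = k["p"], k["q"], k["e"], k["d"]
    if p * q != k["n"]:
        problems.append("n != p*q")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if (e * d - 1) % lam != 0:
        problems.append("e*d != 1 mod lcm(p-1,q-1)")
    if k["dp"] != d % (p - 1) or k["dq"] != d % (q - 1):
        problems.append("CRT exponents dp/dq do not match d")
    if (k["qinv"] * q) % p != 1:
        problems.append("qinv is not q^-1 mod p")
    return problems


# --- constructed toy key, written with a tiny DER encoder so the reader can be exercised ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")   # extra byte keeps the sign bit clear
    return b"\x02" + _der_len(len(body)) + body


TOY_KEY = dict(version=0, n=3233, e=17, d=2753, p=61, q=53, dp=53, dq=49, qinv=38)
_TOY_BODY = b"".join(der_int(TOY_KEY[f]) for f in RSA_FIELDS)
TOY_DER = b"\x30" + _der_len(len(_TOY_BODY)) + _TOY_BODY
TOY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n" + base64.b64encode(TOY_DER).decode()
           + "\n-----END RSA PRIVATE KEY-----\n")
```

A key that parses but fails check_rsa_private_key() is the situation to rule out before blaming the OAEP parameters.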