|
NTLM挑战模式散列认证加密协议过程,算法实现与一些想法
转摘请注明作者和安全焦点
作者:FLASHSKY
SITE:WWW.XFOCUS.NET,WWW.SHOPSKY.COM
邮件:flashsky@xfocus.org
作者单位:启明星辰积极防御实验室
说明:
本来先从看见小四的《LM/NTLM验证机制》就没准备发的,但是从如下几点考虑还是发:
1。给出完全的算法实现代码
2。小四的关于NTLM,LM的过程针对返回会话KEY的有效,针对完全挑战模式下说明并非完全
3。一些新的思路和思考
4。安全BLOB的结构说明
一:NTLM认证算法过程
1。客户端申请挑战
安全BLOB的结构如下:
{
CHAR DESC[8]=“NTLMSSP”;
DWORD NO=1; //顺序号
DWORD FLAG;
WORD DOMAINNAMELEN; //域名长度
WORD DOMAINNAMEMAXLEN;//域名最大长度
DWORD DOMAINNAMEOFFSET;//域名便移
WORD HOSTNAMELEN; //主机名长度
WORD HOSTNAMEMAXLEN; //主机名最大长度
DWORD HOSTNAMEOFFSET; //主机名便移
CHAR HOSTNAME[HOSTNAMELEN];//主机名
CHAR DOMAINNAME[DOMAINNAMELEN];//域名
}
2。服务器返回挑战,这个挑战是一个8字节的随机数
安全BLOB的结构如下:
{
CHAR DESC[8]=“NTLMSSP”;
DWORD NO=2; //顺序号,必须为2
WORD DOMAINNAMELEN; //帐户域名长度
WORD DOMAINNAMEMAXLEN; //帐户域名最大长度
DWORD DOMAINNAMEOFFSET;////帐户域名偏移
DWORD FLAG;
BYTE CHALLAGE[8]; //8字节挑战
BYTE RE[8]; //保留8字节,必须为0
WORD HOSTNAMELISTLEN; //主机名列表长度
WORD HOSTNAMELISTMAXLEN;//主机名列表最大长度
DWORD HOSTNAMELISTOFFSET;//主机名列表偏移
CHAR DOMAINNAME[DOMAINNAMELEN];
CHAR HOSTLISTNAME[HOSTNAMELISTLEN];
//这里是多个结构组成
//每个结构如下:
//WORD ITEMNO;索引
//WORD HOSTNAMELEN;主机名长度
//BYTE HOSTNAME[HOSTNAMELEN]:主机名
}
3。客户端加密密码散列
其实这个过程还是很复杂的
如果是明文口令,先将此口令转化成散列,如果是系统用户则直接根据令牌从SESSION表中取出散列。
这下面就是小四的文章中没提到的过程
客户端先生成一个随机KEY,然后和服务器端的挑战使用MD5算法生成16字节的散列,但MS只取前8字节做为加密KEY,其实后面的散列加密并非是使用挑战直接加密的,而是
使用此加密KEY进行加密的。
这个算法的代码如下:romkey就是客户端生成的一个随机KEY,challage就是服务器挑战
void challagetorkey(unsigned char * romkey,unsigned char * challage,unsigned char * enkey)
{
unsigned char LM[0x58];
md5init(LM);
*(DWORD *)LM=0x200;
memcpy(LM+0X18,challage,8);
memcpy(LM+0X20,romkey,8);
*(DWORD *)(LM+0x28)=0x80;
*(DWORD *)(LM+0x50)=0x80;
md5final(LM);
memcpy(enkey,LM+8,8);
}
然后再使用生成的加密KEY加密MD4生成的NTLM散列,具体的过程在下四的文章中有详细介绍,这里就不再讲了,后面给出了完全实现的代码。
同时还会先选择一个RC4的KEY,对MD4生成的NTLM散列用MD4再生成一个散列,再用HMACMD5算法,加密KEY,这个散列计算出一个0X10字节的散
列,用此散列和rc4_key函数生成rc4的key表,最后用这个KEY表和先选择的RC4的KEY生成一个0X10字节的RC的结果出来。
但要注意的是:通常情况下,这个RC4的结果并没用于认证。
安全BLOB的结构如下:
{
CHAR DESC[8]=“NTLMSSP”;
DWORD NO=3; //顺序号,必须为3
WORD RANDOMKEYLEN; //客户端随机KEY长度,固定为0X18
WORD RANDOMKEYMAXLEN; //客户端随机KEY最大长度,固定为0X18
//其实客户端随机KEY只有8字节,但是后面补0添满0X18字节
DWORD RANDOMKEYOFFSET;////客户端随机KEY偏移
WORD ENNTLMLEN; //加密的NTLM散列长度,固定为0X18
WORD ENNTLMMAXLEN; //加密的NTLM散列最大长度,固定为0X18
DWORD ENNTLMOFFSET; //加密的NTLM散列偏移
WORD HOSTNAMELEN; //主机名长度
WORD HOSTNAMEMAXLEN;//主机名最大长度
DWORD HOSTNAMEOFFSET;//主机名偏移
WORD USERNAMELEN; //用户名长度
WORD USERNAMEMAXLEN;//用户名最大长度
DWORD USERNAMEOFFSET;//用户名偏移
WORD USERDOMAINLEN; //帐户域名长度
WORD USERDOMAINMAXLEN;//帐户域名最大长度
DWORD USERDOMAINOFFSET;//帐户域名偏移
WORD ENNTLMRC4LEN; //加密的RC4 NTLM散列长度,固定为0X10
WORD ENNTLMRC4MAXLEN; //加密的RC4 NTLM散列最大长度,固定为0X10
DWORD ENNTLMRC4OFFSET; //加密的RC4 NTLM散列偏移
DWORD FLAG;
CHAR HOSTNAME[HOSTNAMELEN];//主机名
CHAR USERNAME[HOSTNAMELEN];//用户名
CHAR USERDOMAINNAME[HOSTNAMELEN];//帐户域名
RANDOMKEY[0X18];//其实客户端随机KEY只有8字节,但是后面补0添满0X18字节
ENNTLM[0X18];
ENRC4NTLM[0X10];
}
4。服务器认证
服务器获得客户端随即KEY以后,也和挑战运算获得此加密KEY,然后计算加密的NTLM散列做对比进行判断。
5。一些思考
主要是关于重放攻击的,其实真正的加密KEY是挑战和客户端随机KEY做MD5运算的结果,那么如果我们嗅探出了一个挑战,随机KEY就
能计算出加密KEY,如果我们发起一个请求获得一个挑战2,如果能计算一个随即KEY2(这个可由我们自己控制),满足MD5(挑战2,随即KEY2)
=加密KEY,那么我们就能发送我们修探获得的安全BLOB中的加密散列的内容来获得认证。
当然MD5的算法本事就是要防碰撞的,但是在MS的SMB实现中,由于MD5生成的是16字节的散列,但是用来做加密KEY的只是前8个字节,那
么对于寻找只满足部分(前8字节)碰撞的算法复杂度就会大大的降低,当然我们在MD5中唯一能控制的东西就是随即KEY,但是挑战KEY已知,其实
针对加密算发是常量(因为加密内容固定为0X1O字节,其他的内容可以常量),应该来说还是很有希望的。不过就我的数学水平而已,尝试了
一下就被难到了,希望对MD5碰撞有研究的人给予指教。下面就是给出的一个针对其挑战,随即KEY到加密KEY的替代函数:
void challagetorkey(unsigned long c1,unsigned long c2,unsigned long r1,unsigned long r2)
{
//我们把挑战看做2个unsigned long的数C1,C2,客户端随即KEY也看做2个unsigned long的数R1,R2
//最后生成的是B1,D1,S1,D2,但其实用做加密KEY的只是B1,D1而已
//如果我们知道B1,D1,C1,C2,是否能找过一个R1,R2,使得满足这个函数呢?
//按照概率是针对每个B1,D1都有可能找到对应的R1,R2,因为MD5的算发要求是每个字节的变化都应该平均分布的
//我们可控的是256的8次方,结果也是256的8次方
//即使不是完全平均分布的,在测试100个挑战中总会有满足的吧?
//而算法复杂度对于16字节的256的16次方应该降低了不少
//那么再退一步说,如果我们知道B1,D1,C1,C2,R1,如果能解出R2也行,我们对R1实行穷举
//R1是256的4次方,4亿左右的穷举对现在的机器不应该是负担吧?当然真正实现工具由于认证要求,可能要求在10分钟以内
//但是如果我们在2天内能找到结果,也能说明很多问题
DWORD a1,d1,d2,s1;
DWORD b1;
b1=(((0x10325476^0x98badcfe)&0xefcdab89)^0x10325476)+c1;
b1=b1+0x67452301+0xd76aa478;
b1=((b1<<0x7)|(b1>>0x19))+0xefcdab89;
//第一轮
a1=(((0x98badcfe^0xefcdab89)&b1)^0x98badcfe)+0xe8c7b756;
d2=0x10325476+c2+a1;
d2=((d2<<0xc)|(d2>>0x14))+b1;
a1=(((0xefcdab89^b1)&d2)^0xefcdab89)+0x242070db;
s1=0x98badcfe+r1+a1;
s1=((s1<<0x11)|(s1>>0xf))+d2;
a1=(((d2^b1)&s1)^b1)+0xc1bdceee;
d1=0xefcdab89+r2+a1;
d1=((d1<<0x16)|(d1>>0xa))+s1;
a1=(((d2^s1)&d1)^d2)+0xf57c0faf;
b1=b1+0x80+a1;
b1=((b1<<0x7)|(b1>>0x19))+d1;
a1=(((s1^d1)&b1)^s1)+0x4787C62A;
d2=d2+a1;
d2=((d2<<0xc)|(d2>>0x14))+b1;
a1=(((d1^b1)&d2)^d1)+0xA8304613;
s1=s1+a1;
s1=((s1<<0x11)|(s1>>0xf))+d2;
a1=(((d2^b1)&s1)^b1)+0xFD469501;
d1=d1+a1;
d1=((d1<<0x16)|(d1>>0xa))+s1;
a1=(((d2^s1)&d1)^d2)+0x698098D8;
b1=b1+a1;
b1=((b1<<0x7)|(b1>>0x19))+d1;
a1=(((s1^d1)&b1)^s1)+0x8B44F7AF;
d2=d2+a1;
d2=((d2<<0xc)|(d2>>0x14))+b1;
a1=(((d1^b1)&d2)^d1)+0xFFFF5BB1;
s1=s1+a1;
s1=((s1<<0x11)|(s1>>0xf))+d2;
a1=(((d2^b1)&s1)^b1)+0x895CD7BE;
d1=d1+a1;
d1=((d1<<0x16)|(d1>>0xa))+s1;
a1=(((d2^s1)&d1)^d2)+0x6B901122;
b1=b1+a1;
b1=((b1<<0x7)|(b1>>0x19))+d1;
a1=(((s1^d1)&b1)^s1)+0xFD987193;
d2=d2+a1;
d2=((d2<<0xc)|(d2>>0x14))+b1;
a1=(((d1^b1)&d2)^d1)+0xA679438E;
s1=s1+0x80+a1;
s1=((s1<<0x11)|(s1>>0xf))+d2;
a1=(((d2^b1)&s1)^b1)+0x49B40821;
d1=d1+a1;
d1=((d1<<0x16)|(d1>>0xa))+s1;
//第二轮
a1=(((s1^d1)&d2)^s1)+0xF61E2562;
b1=b1+c2+a1;
b1=((b1<<0x5)|(b1>>0x1b))+d1;
a1=(((d1^b1)&s1)^d1)+0xC040B340;
d2=d2+a1;
d2=((d2<<0x9)|(d2>>0x17))+b1;
a1=(((d2^b1)&d1)^b1)+0x265E5A51;
s1=s1+a1;
s1=((s1<<0xe)|(s1>>0x12))+d2;
a1=(((d2^s1)&b1)^d2)+0xE9B6C7AA;
d1=d1+c1+a1;
d1=((d1<<0x14)|(d1>>0xc))+s1;
a1=(((s1^d1)&d2)^s1)+0xD62F105D;
b1=b1+a1;
b1=((b1<<0x5)|(b1>>0x1b))+d1;
a1=(((d1^b1)&s1)^d1)+0x2441453;
d2=d2+a1;
d2=((d2<<0x9)|(d2>>0x17))+b1;
a1=(((d2^b1)&d1)^b1)+0xD8A1E681;
s1=s1+a1;
s1=((s1<<0xe)|(s1>>0x12))+d2;
a1=(((d2^s1)&b1)^d2)+0xE7D3FBC8;
d1=d1+0x80+a1;
d1=((d1<<0x14)|(d1>>0xc))+s1;
a1=(((s1^d1)&d2)^s1)+0x21E1CDE6;
b1=b1+a1;
b1=((b1<<0x5)|(b1>>0x1b))+d1;
a1=(((d1^b1)&s1)^d1)+0xC33707D6;
d2=d2+0x80+a1;
d2=((d2<<0x9)|(d2>>0x17))+b1;
a1=(((d2^b1)&d1)^b1)+0xF4D50D87;
s1=s1+r2+a1;
s1=((s1<<0xe)|(s1>>0x12))+d2;
a1=(((d2^s1)&b1)^d2)+0x455A14ED;
d1=d1+a1;
d1=((d1<<0x14)|(d1>>0xc))+s1;
a1=(((s1^d1)&d2)^s1)+0xA9E3E905;
b1=b1+a1;
b1=((b1<<0x5)|(b1>>0x1b))+d1;
a1=(((d1^b1)&s1)^d1)+0xFCEFA3F8;
d2=d2+r1+a1;
d2=((d2<<0x9)|(d2>>0x17))+b1;
a1=(((d2^b1)&d1)^b1)+0x676F02D9;
s1=s1+a1;
s1=((s1<<0xe)|(s1>>0x12))+d2;
a1=(((d2^s1)&b1)^d2)+0x8D2A4C8A;
d1=d1+a1;
d1=((d1<<0x14)|(d1>>0xc))+s1;
//第三轮
a1=((d2^s1)^d1)+0xFFFA3942;
b1=b1+a1;
b1=((b1<<0x4)|(b1>>0x1c))+d1;
a1=((s1^d1)^b1)+0x8771F681;
d2=d2+a1;
d2=((d2<<0xb)|(d2>>0x15))+b1;
a1=(d2^d1)^b1;
s1=s1+0x6D9D6122+a1;
s1=((s1<<0x10)|(s1>>0x10))+d2;
a1=d2^s1;
d1=d1+0x80+0xFDE5380C+(b1^a1);
d1=((d1<<0x17)|(d1>>0x9))+s1;
b1=b1+c2+0xA4BEEA44+(d1^a1);
b1=((b1<<0x4)|(b1>>0x1c))+d1;
a1=((s1^d1)^b1)+0x4BDECFA9;
d2=d2+0x80+a1;
d2=((d2<<0xb)|(d2>>0x15))+b1;
a1=(d2^d1)^b1;
s1=s1+0xF6BB4B60+a1;
s1=((s1<<0x10)|(s1>>0x10))+d2;
a1=(d2^s1);
d1=d1+0xBEBFBC70+(b1^a1);
d1=((d1<<0x17)|(d1>>0x9))+s1;
b1=b1+0x289B7EC6+(d1^a1);
b1=((b1<<0x4)|(b1>>0x1c))+d1;
a1=((s1^d1)^b1)+0xEAA127FA;
d2=d2+c1+a1;
d2=((d2<<0xb)|(d2>>0x15))+b1;
a1=(d2^d1)^b1;
s1=s1+r2+0xD4EF3085+a1;
s1=((s1<<0x10)|(s1>>0x10))+d2;
a1=d2^s1;
d1=d1+0x4881D05+(b1^a1);
d1=((d1<<0x17)|(d1>>0x9))+s1;
a1=d1^a1;
b1=b1+a1+0xD9D4D039;
b1=((b1<<0x4)|(b1>>0x1c))+d1;
a1=((s1^d1)^b1)+0xE6DB99E5;
d2=d2+a1;
d2=((d2<<0xb)|(d2>>0x15))+b1;
a1=((d2^d1)^b1);
s1=s1+0x1FA27CF8+a1;
s1=((s1<<0x10)|(s1>>0x10))+d2;
a1=((d2^s1)^b1);
d1=d1+r1+0xC4AC5665+a1;
d1=((d1<<0x17)|(d1>>0x9))+s1;
//第4轮
a1=(((d2^0xFFFFFFFF)|d1)^s1)+0xF4292244;
b1=b1+c1+a1;
b1=((b1<<0x6)|(b1>>0x1a))+d1;
a1=(((s1^0xFFFFFFFF)|b1)^d1)+0x432AFF97;
d2=d2+a1;
d2=((d2<<0xa)|(d2>>0x16))+b1;
a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xAB9423A7;
s1=s1+0x80+a1;
s1=((s1<<0xf)|(s1>>0x11))+d2;
a1=(((b1^0xFFFFFFFF)|s1)^d2);
d1=d1+0xFC93A039+a1;
d1=((d1<<0x15)|(d1>>0xb))+s1;
a1=(((d2^0xFFFFFFFF)|d1)^s1)+0x655B59C3;
b1=b1+a1;
b1=((b1<<0x6)|(b1>>0x1a))+d1;
a1=(((s1^0xFFFFFFFF)|b1)^d1)+0x8F0CCC92;
d2=d2+r2+a1;
d2=((d2<<0xa)|(d2>>0x16))+b1;
a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xFFEFF47D;
s1=s1+a1;
s1=((s1<<0xf)|(s1>>0x11))+d2;
a1=(((b1^0xFFFFFFFF)|s1)^d2)+0x85845DD1;
d1=d1+c2+a1;
d1=((d1<<0x15)|(d1>>0xb))+s1;
a1=(((d2^0xFFFFFFFF)|d1)^s1)+0x6FA87E4F;
b1=b1+a1;
b1=((b1<<0x6)|(b1>>0x1a))+d1;
a1=(((s1^0xFFFFFFFF)|b1)^d1)+0xFE2CE6E0;
d2=d2+a1;
d2=((d2<<0xa)|(d2>>0x16))+b1;
a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xA3014314;
s1=s1+a1;
s1=((s1<<0xf)|(s1>>0x11))+d2;
a1=(((b1^0xFFFFFFFF)|s1)^d2)+0x4E0811A1;
d1=d1+a1;
d1=((d1<<0x15)|(d1>>0xb))+s1;
a1=(((d2^0xFFFFFFFF)|d1)^s1)+0xF7537E82;
b1=b1+0x80+a1;
b1=((b1<<0x6)|(b1>>0x1a))+d1;
a1=(((s1^0xFFFFFFFF)|b1)^d1)+0xBD3AF235;
d2=d2+a1;
d2=((d2<<0xa)|(d2>>0x16))+b1;
a1=(((d1^0xFFFFFFFF)|d2)^b1)+0x2AD7D2BB;
s1=s1+r1+a1;
s1=((s1<<0xf)|(s1>>0x11))+d2;
a1=(((b1^0xFFFFFFFF)|s1)^d2)+0xEB86D391;
d1=d1+a1;
d1=((d1<<0x15)|(d1>>0xb))+s1;
b1=b1+0x67452301;
d1=d1+0xefcdab89;
s1=s1+0x98badcfe;
d2=d2+0x10325476;
}
6。实现代码的说明
这个代码是完全在TCP只上实现NTLM挑战认证的,密码的计算不调用任何加密的API。
如果知道散列也可以去掉口令到散列的部分直接使用散列进行处理。
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include <wincrypt.h>
#include <process.h>
#include <string.h>
#include <winbase.h>
# include <wincrypt.h>
#define SECURITY_WIN32
# include <Security.h>
# include <Ntsecapi.h>
# include "smb.h"
void SmbNegotiate(SMBP * psmbp);
void SmbSessionSetupAndX1(SMBP * psmbp);
void SmbSessionSetupAndX2(SMBP * psmbp,wchar_t * username,wchar_t * domainname,wchar_t * password);
void deskey(char * LmPass,unsigned char * desecb);
void passtoowf(wchar_t * password,unsigned char * paswdowf);
void initLMP(char * pass,unsigned char * LM);
void deskey(char * LmPass,unsigned char * desecb);
void des(unsigned char * LM,char * magic,unsigned char * ecb,long no);
void md4init(unsigned char * LM);
void md4(unsigned char * LM);
void md5init(unsigned char * LM);
void md5final(unsigned char * LM);
void initMDP(PLSA_UNICODE_STRING pass,unsigned char * LM);
void hashtocread(unsigned char * enkey,unsigned char * hash,unsigned char * cread);
void challagetorkey(unsigned char * romkey,unsigned char * challage,unsigned char * enkey);
void hmacmd5(unsigned char * rc4key,unsigned char * enkey);
void rc4_key(unsigned char * rc4keylist,unsigned char * rc4key,int keylen);
typedef DWORD (CALLBACK* RTLUPCASEUNICODESTRINGTOOEMSTRING)(PLSA_UNICODE_STRING, PLSA_UNICODE_STRING, DWORD);
RTLUPCASEUNICODESTRINGTOOEMSTRING RtlUpcaseUnicodeStringToOemString;
typedef struct _SMBNBT
{
unsigned char nbtsmb;
unsigned char flag;
short smbpacketlen;
}SMBNBT,* PSMBNBT;
typedef struct _SMBINFO
{
unsigned char magic[4];
BYTE smbtoken;
BYTE errcodeclass;
BYTE dosaherrcode;
unsigned char errcode[2];
BYTE flagsummary;
short flagsummary2;
short unuse[6];
short treeid;
short callprocessid;
short userid;
short multiplexid;
unsigned char info[2048];
}SMBINFO,* PSMBINFO;
typedef struct _SMBP
{
SMBNBT smbnbt;
SMBINFO smbinfo;
}SMBP,* PSMBP;
wchar_t navos[]=L"windows 2000 2195";
wchar_t lanman[]=L"windows 2000 5.0";
unsigned char challage[8]={0x53,0xe6,0x97,0x53,0xfb,0x97,0x7c,0x19};
unsigned char romkey[8]={0xc7,0x91,0xdd,0xe8,0x5c,0xcd,0xc8,0xde};
unsigned char DESParity[]={0,1,1,2,1,2,2,3,1,2,2,3,2,3,3,4};
unsigned char DESDShift[]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0,
0x64,0xCC,0xF9,0x29,0xDF,0xDE,0x86,0x4A,0x81,0x84,9,0x3C,0,0,0,0,
0xFB,0x99,0xE9,8,0xEC,0x87,0x67,0x2F,0x59,0x0FD,0x22,0xF1};
DWORD DESKEY1[]={
0x00000000,0x00000010,0x20000000,0x20000010,0x00010000,0x00010010,0x20010000,0x20010010,
0x00000800,0x00000810,0x20000800,0x20000810,0x00010800,0x00010810,0x20010800,0x20010810,
0x00000020,0x00000030,0x20000020,0x20000030,0x00010020,0x00010030,0x20010020,0x20010030,
0x00000820,0x00000830,0x20000820,0x20000830,0x00010820,0x00010830,0x20010820,0x20010830,
0x00080000,0x00080010,0x20080000,0x20080010,0x00090000,0x00090010,0x20090000,0x20090010,
0x00080800,0x00080810,0x20080800,0x20080810,0x00090800,0x00090810,0x20090800,0x20090810,
0x00080020,0x00080030,0x20080020,0x20080030,0x00090020,0x00090030,0x20090020,0x20090030,
0x00080820,0x00080830,0x20080820,0x20080830,0x00090820,0x00090830,0x20090820,0x20090830};
DWORD DESKEY2[]={
0x00000000,0x02000000,0x00002000,0x02002000,0x00200000,0x02200000,0x00202000,0x02202000,
0x00000004,0x02000004,0x00002004,0x02002004,0x00200004,0x02200004,0x00202004,0x02202004,
0x00000400,0x02000400,0x00002400,0x02002400,0x00200400,0x02200400,0x00202400,0x02202400,
0x00000404,0x02000404,0x00002404,0x02002404,0x00200404,0x02200404,0x00202404,0x02202404,
0x10000000,0x12000000,0x10002000,0x12002000,0x10200000,0x12200000,0x10202000,0x12202000,
0x10000004,0x12000004,0x10002004,0x12002004,0x10200004,0x12200004,0x10202004,0x12202004,
0x10000400,0x12000400,0x10002400,0x12002400,0x10200400,0x12200400,0x10202400,0x12202400,
0x10000404,0x12000404,0x10002404,0x12002404,0x10200404,0x12200404,0x10202404,0x12202404};
DWORD DESKEY3[]={
0x00000000,0x00000001,0x00040000,0x00040001,0x01000000,0x01000001,0x01040000,0x01040001,
0x00000002,0x00000003,0x00040002,0x00040003,0x01000002,0x01000003,0x01040002,0x01040003,
0x00000200,0x00000201,0x00040200,0x00040201,0x01000200,0x01000201,0x01040200,0x01040201,
0x00000202,0x00000203,0x00040202,0x00040203,0x01000202,0x01000203,0x01040202,0x01040203,
0x08000000,0x08000001,0x08040000,0x08040001,0x09000000,0x09000001,0x09040000,0x09040001,
0x08000002,0x08000003,0x08040002,0x08040003,0x09000002,0x09000003,0x09040002,0x09040003,
0x08000200,0x08000201,0x08040200,0x08040201,0x09000200,0x09000201,0x09040200,0x09040201,
0x08000202,0x08000203,0x08040202,0x08040203,0x09000202,0x09000203,0x09040202,0x09040203};
DWORD DESKEY4[]={
0x00000000,0x00100000,0x00000100,0x00100100,0x00000008,0x00100008,0x00000108,0x00100108,
0x00001000,0x00101000,0x00001100,0x00101100,0x00001008,0x00101008,0x00001108,0x00101108,
0x04000000,0x04100000,0x04000100,0x04100100,0x04000008,0x04100008,0x04000108,0x04100108,
0x04001000,0x04101000,0x04001100,0x04101100,0x04001008,0x04101008,0x04001108,0x04101108,
0x00020000,0x00120000,0x00020100,0x00120100,0x00020008,0x00120008,0x00020108,0x00120108,
0x00021000,0x00121000,0x00021100,0x00121100,0x00021008,0x00121008,0x00021108,0x00121108,
0x04020000,0x04120000,0x04020100,0x04120100,0x04020008,0x04120008,0x04020108,0x04120108,
0x04021000,0x04121000,0x04021100,0x04121100,0x04021008,0x04121008,0x04021108,0x04121108};
DWORD DESKEY5[]={
0x00000000,0x10000000,0x00010000,0x10010000,0x00000004,0x10000004,0x00010004,0x10010004,
0x20000000,0x30000000,0x20010000,0x30010000,0x20000004,0x30000004,0x20010004,0x30010004,
0x00100000,0x10100000,0x00110000,0x10110000,0x00100004,0x10100004,0x00110004,0x10110004,
0x20100000,0x30100000,0x20110000,0x30110000,0x20100004,0x30100004,0x20110004,0x30110004,
0x00001000,0x10001000,0x00011000,0x10011000,0x00001004,0x10001004,0x00011004,0x10011004,
0x20001000,0x30001000,0x20011000,0x30011000,0x20001004,0x30001004,0x20011004,0x30011004,
0x00101000,0x10101000,0x00111000,0x10111000,0x00101004,0x10101004,0x00111004,0x10111004,
0x20101000,0x30101000,0x20111000,0x30111000,0x20101004,0x30101004,0x20111004,0x30111004};
DWORD DESKEY6[]={
0x00000000,0x08000000,0x00000008,0x08000008,0x00000400,0x08000400,0x00000408,0x08000408,
0x00020000,0x08020000,0x00020008,0x08020008,0x00020400,0x08020400,0x00020408,0x08020408,
0x00000001,0x08000001,0x00000009,0x08000009,0x00000401,0x08000401,0x00000409,0x08000409,
0x00020001,0x08020001,0x00020009,0x08020009,0x00020401,0x08020401,0x00020409,0x08020409,
0x02000000,0x0A000000,0x02000008,0x0A000008,0x02000400,0x0A000400,0x02000408,0x0A000408,
0x02020000,0x0A020000,0x02020008,0x0A020008,0x02020400,0x0A020400,0x02020408,0x0A020408,
0x02000001,0x0A000001,0x02000009,0x0A000009,0x02000401,0x0A000401,0x02000409,0x0A000409,
0x02020001,0x0A020001,0x02020009,0x0A020009,0x02020401,0x0A020401,0x02020409,0x0A020409};
DWORD DESKEY7[]={
0x00000000,0x00000100,0x00080000,0x00080100,0x01000000,0x01000100,0x01080000,0x01080100,
0x00000010,0x00000110,0x00080010,0x00080110,0x01000010,0x01000110,0x01080010,0x01080110,
0x00200000,0x00200100,0x00280000,0x00280100,0x01200000,0x01200100,0x01280000,0x01280100,
0x00200010,0x00200110,0x00280010,0x00280110,0x01200010,0x01200110,0x01280010,0x01280110,
0x00000200,0x00000300,0x00080200,0x00080300,0x01000200,0x01000300,0x01080200,0x01080300,
0x00000210,0x00000310,0x00080210,0x00080310,0x01000210,0x01000310,0x01080210,0x01080310,
0x00200200,0x00200300,0x00280200,0x00280300,0x01200200,0x01200300,0x01280200,0x01280300,
0x00200210,0x00200310,0x00280210,0x00280310,0x01200210,0x01200310,0x01280210,0x01280310};
DWORD DESKEY8[]={
0x00000000,0x04000000,0x00040000,0x04040000,0x00000002,0x04000002,0x00040002,0x04040002,
0x00002000,0x04002000,0x00042000,0x04042000,0x00002002,0x04002002,0x00042002,0x04042002,
0x00000020,0x04000020,0x00040020,0x04040020,0x00000022,0x04000022,0x00040022,0x04040022,
0x00002020,0x04002020,0x00042020,0x04042020,0x00002022,0x04002022,0x00042022,0x04042022,
0x00000800,0x04000800,0x00040800,0x04040800,0x00000802,0x04000802,0x00040802,0x04040802,
0x00002800,0x04002800,0x00042800,0x04042800,0x00002802,0x04002802,0x00042802,0x04042802,
0x00000820,0x04000820,0x00040820,0x04040820,0x00000822,0x04000822,0x00040822,0x04040822,
0x00002820,0x04002820,0x00042820,0x04042820,0x00002822,0x04002822,0x00042822,0x04042822};
DWORD DESSpBox1[]={
0x02080800,0x00080000,0x02000002,0x02080802,0x02000000,0x00080802,0x00080002,0x02000002,
0x00080802,0x02080800,0x02080000,0x00000802,0x02000802,0x02000000,0x00000000,0x00080002,
0x00080000,0x00000002,0x02000800,0x00080800,0x02080802,0x02080000,0x00000802,0x02000800,
0x00000002,0x00000800,0x00080800,0x02080002,0x00000800,0x02000802,0x02080002,0x00000000,
0x00000000,0x02080802,0x02000800,0x00080002,0x02080800,0x00080000,0x00000802,0x02000800,
0x02080002,0x00000800,0x00080800,0x02000002,0x00080802,0x00000002,0x02000002,0x02080000,
0x02080802,0x00080800,0x02080000,0x02000802,0x02000000,0x00000802,0x00080002,0x00000000,
0x00080000,0x02000000,0x02000802,0x02080800,0x00000002,0x02080002,0x00000800,0x00080802};
DWORD DESSpBox2[]={
0x40108010,0x00000000,0x00108000,0x40100000,0x40000010,0x00008010,0x40008000,0x00108000,
0x00008000,0x40100010,0x00000010,0x40008000,0x00100010,0x40108000,0x40100000,0x00000010,
0x00100000,0x40008010,0x40100010,0x00008000,0x00108010,0x40000000,0x00000000,0x00100010,
0x40008010,0x00108010,0x40108000,0x40000010,0x40000000,0x00100000,0x00008010,0x40108010,
0x00100010,0x40108000,0x40008000,0x00108010,0x40108010,0x00100010,0x40000010,0x00000000,
0x40000000,0x00008010,0x00100000,0x40100010,0x00008000,0x40000000,0x00108010,0x40008010,
0x40108000,0x00008000,0x00000000,0x40000010,0x00000010,0x40108010,0x00108000,0x40100000,
0x40100010,0x00100000,0x00008010,0x40008000,0x40008010,0x00000010,0x40100000,0x00108000};
DWORD DESSpBox3[]={
0x04000001,0x04040100,0x00000100,0x04000101,0x00040001,0x04000000,0x04000101,0x00040100,
0x04000100,0x00040000,0x04040000,0x00000001,0x04040101,0x00000101,0x00000001,0x04040001,
0x00000000,0x00040001,0x04040100,0x00000100,0x00000101,0x04040101,0x00040000,0x04000001,
0x04040001,0x04000100,0x00040101,0x04040000,0x00040100,0x00000000,0x04000000,0x00040101,
0x04040100,0x00000100,0x00000001,0x00040000,0x00000101,0x00040001,0x04040000,0x04000101,
0x00000000,0x04040100,0x00040100,0x04040001,0x00040001,0x04000000,0x04040101,0x00000001,
0x00040101,0x04000001,0x04000000,0x04040101,0x00040000,0x04000100,0x04000101,0x00040100,
0x04000100,0x00000000,0x04040001,0x00000101,0x04000001,0x00040101,0x00000100,0x04040000};
DWORD DESSpBox4[]={
0x00401008,0x10001000,0x00000008,0x10401008,0x00000000,0x10400000,0x10001008,0x00400008,
0x10401000,0x10000008,0x10000000,0x00001008,0x10000008,0x00401008,0x00400000,0x10000000,
0x10400008,0x00401000,0x00001000,0x00000008,0x00401000,0x10001008,0x10400000,0x00001000,
0x00001008,0x00000000,0x00400008,0x10401000,0x10001000,0x10400008,0x10401008,0x00400000,
0x10400008,0x00001008,0x00400000,0x10000008,0x00401000,0x10001000,0x00000008,0x10400000,
0x10001008,0x00000000,0x00001000,0x00400008,0x00000000,0x10400008,0x10401000,0x00001000,
0x10000000,0x10401008,0x00401008,0x00400000,0x10401008,0x00000008,0x10001000,0x00401008,
0x00400008,0x00401000,0x10400000,0x10001008,0x00001008,0x10000000,0x10000008,0x10401000};
DWORD DESSpBox5[]={
0x08000000,0x00010000,0x00000400,0x08010420,0x08010020,0x08000400,0x00010420,0x08010000,
0x00010000,0x00000020,0x08000020,0x00010400,0x08000420,0x08010020,0x08010400,0x00000000,
0x00010400,0x08000000,0x00010020,0x00000420,0x08000400,0x00010420,0x00000000,0x08000020,
0x00000020,0x08000420,0x08010420,0x00010020,0x08010000,0x00000400,0x00000420,0x08010400,
0x08010400,0x08000420,0x00010020,0x08010000,0x00010000,0x00000020,0x08000020,0x08000400,
0x08000000,0x00010400,0x08010420,0x00000000,0x00010420,0x08000000,0x00000400,0x00010020,
0x08000420,0x00000400,0x00000000,0x08010420,0x08010020,0x08010400,0x00000420,0x00010000,
0x00010400,0x08010020,0x08000400,0x00000420,0x00000020,0x00010420,0x08010000,0x08000020};
DWORD DESSpBox6[]={
0x80000040,0x00200040,0x00000000,0x80202000,0x00200040,0x00002000,0x80002040,0x00200000,
0x00002040,0x80202040,0x00202000,0x80000000,0x80002000,0x80000040,0x80200000,0x00202040,
0x00200000,0x80002040,0x80200040,0x00000000,0x00002000,0x00000040,0x80202000,0x80200040,
0x80202040,0x80200000,0x80000000,0x00002040,0x00000040,0x00202000,0x00202040,0x80002000,
0x00002040,0x80000000,0x80002000,0x00202040,0x80202000,0x00200040,0x00000000,0x80002000,
0x80000000,0x00002000,0x80200040,0x00200000,0x00200040,0x80202040,0x00202000,0x00000040,
0x80202040,0x00202000,0x00200000,0x80002040,0x80000040,0x80200000,0x00202040,0x00000000,
0x00002000,0x80000040,0x80002040,0x80202000,0x80200000,0x00002040,0x00000040,0x80200040};
DWORD DESSpBox7[]={
0x00004000,0x00000200,0x01000200,0x01000004,0x01004204,0x00004004,0x00004200,0x00000000,
0x01000000,0x01000204,0x00000204,0x01004000,0x00000004,0x01004200,0x01004000,0x00000204,
0x01000204,0x00004000,0x00004004,0x01004204,0x00000000,0x01000200,0x01000004,0x00004200,
0x01004004,0x00004204,0x01004200,0x00000004,0x00004204,0x01004004,0x00000200,0x01000000,
0x00004204,0x01004000,0x01004004,0x00000204,0x00004000,0x00000200,0x01000000,0x01004004,
0x01000204,0x00004204,0x00004200,0x00000000,0x00000200,0x01000004,0x00000004,0x01000200,
0x00000000,0x01000204,0x01000200,0x00004200,0x00000204,0x00004000,0x01004204,0x01000000,
0x01004200,0x00000004,0x00004004,0x01004204,0x01000004,0x01004200,0x01004000,0x00004004};
DWORD DESSpBox8[]={
0x20800080,0x20820000,0x00020080,0x00000000,0x20020000,0x00800080,0x20800000,0x20820080,
0x00000080,0x20000000,0x00820000,0x00020080,0x00820080,0x20020080,0x20000080,0x20800000,
0x00020000,0x00820080,0x00800080,0x20020000,0x20820080,0x20000080,0x00000000,0x00820000,
0x20000000,0x00800000,0x20020080,0x20800080,0x00800000,0x00020000,0x20820000,0x00000080,
0x00800000,0x00020000,0x20000080,0x20820080,0x00020080,0x20000000,0x00000000,0x00820000,
0x20800080,0x20020080,0x20020000,0x00800080,0x20820000,0x00000080,0x00800080,0x20020000,
0x20820080,0x00800000,0x20800000,0x20000080,0x00820000,0x00020080,0x20020080,0x20800000,
0x00000080,0x20820000,0x00820080,0x00000000,0x20000000,0x20800080,0x00020000,0x00820080};
void main(int argc,char ** argv)
{
WSADATA WSAData;
SOCKET sock;
SOCKADDR_IN addr_in;
int len;
char serverip[]="192.168.13.211";
short port=445;
WORD olen,nlen;
unsigned char buf1[0x1000];
SMBP smbp;
HMODULE hNtdll = NULL;
hNtdll = LoadLibrary( "ntdll.dll" );
if ( !hNtdll )
{
printf( "LoadLibrary( NTDLL.DLL ) Error:%d\n", GetLastError() );
return ;
}
RtlUpcaseUnicodeStringToOemString = (RTLUPCASEUNICODESTRINGTOOEMSTRING)
GetProcAddress( hNtdll, "RtlUpcaseUnicodeStringToOemString");
if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
{
printf("WSAStartup error.Error:%d\n",WSAGetLastError());
return;
}
addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(port);
addr_in.sin_addr.S_un.S_addr=inet_addr(serverip);
if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
{
printf("Socket failed.Error:%d\n",WSAGetLastError());
return;
}
if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
printf("Connect failed.Error:%d",WSAGetLastError());
return;
}
SmbNegotiate(&smbp);
if (send(sock,(unsigned char *)&smbp,ntohs(smbp.smbnbt.smbpacketlen)+4,0)==SOCKET_ERROR)
{
printf("Send failed.Error:%d\n",WSAGetLastError());
return;
}
len=recv(sock,buf1,1024,NULL);
SmbSessionSetupAndX1(&smbp);
if (send(sock,(unsigned char *)&smbp,ntohs(smbp.smbnbt.smbpacketlen)+4,0)==SOCKET_ERROR)
{
printf("Send failed.Error:%d\n",WSAGetLastError());
return;
}
len=recv(sock,buf1,1024,NULL);
if((buf1[0]==0xff)&&(buf1[1]=='S')&&(buf1[2]=='M')&&(buf1[3]=='B'))
olen=0x20;
else if((buf1[4]==0xff)&&(buf1[5]=='S')&&(buf1[6]=='M')&&(buf1[7]=='B'))
olen=0x24;
else
return;
smbp.smbinfo.userid = *(WORD *)(buf1+olen-0x4);
nlen=*(WORD *)(buf1+olen+1+2*3);//BLOB的长度
olen=olen+1+2*buf1[olen]+2;
memcpy(challage,buf1+olen+0x18,8);
SmbSessionSetupAndX2(&smbp,L"administrator",L"FXNB",L"asdasd");
if (send(sock,(unsigned char *)&smbp,ntohs(smbp.smbnbt.smbpacketlen)+4,0)==SOCKET_ERROR)
{
printf("Send failed.Error:%d\n",WSAGetLastError());
return;
}
len=recv(sock,buf1,1024,NULL);
if((buf1[0]==0xff)&&(buf1[1]=='S')&&(buf1[2]=='M')&&(buf1[3]=='B'))
olen=0x20;
else if((buf1[4]==0xff)&&(buf1[5]=='S')&&(buf1[6]=='M')&&(buf1[7]=='B'))
olen=0x24;
else
return;
if(buf1[olen]==0)
printf("error username and password\n");
else
printf("login ok\n");
WSACleanup();
return;
}
void SmbSessionSetupAndX1(SMBP * psmbp)
{
unsigned char sb[0x20]={
0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00,0x01,0x00,0x00,0x00,0x97,0x82,0x08,0xE0,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
psmbp->smbinfo.smbtoken =0x73;
memset(psmbp->smbinfo.info,0,0x200);
psmbp->smbinfo.flagsummary2 = 0xc807;
*(DWORD *)(psmbp->smbinfo.info+21) = 0x800000D4;
//指定使用加密的FLAG
psmbp->smbinfo.info[0]=0xc;//WORD 参数个数
*(WORD *)(psmbp->smbinfo.info+1)=0Xff;//无下一个命令
*(WORD *)(psmbp->smbinfo.info+3)=0Xb0;//下一命令偏移
*(WORD *)(psmbp->smbinfo.info+5)=0X4104;//最大缓冲
*(WORD *)(psmbp->smbinfo.info+7)=0X32;//最大的MPX
*(WORD *)(psmbp->smbinfo.info+9)=0X0;//虚拟通道
*(DWORD *)(psmbp->smbinfo.info+11)=0X0;//虚拟通道
*(DWORD *)(psmbp->smbinfo.info+17)=0X0;//保留
*(WORD *)(psmbp->smbinfo.info+15)=0x20; //BLOB的长度
memcpy(psmbp->smbinfo.info+27,sb,0x20);//放入BLOB
memcpy(psmbp->smbinfo.info+28+0x20,navos,36);//
memcpy(psmbp->smbinfo.info+66+0x20,lanman,32);//
*(WORD *)(psmbp->smbinfo.info+25)=73+0x20;
psmbp->smbnbt.smbpacketlen = htons(132+0x20);
}
void SmbSessionSetupAndX2(SMBP * psmbp,wchar_t * username,wchar_t * domainname,wchar_t * password)
{
unsigned char enkey[8];
unsigned char cread[0x40];
unsigned char passwordhash[0x20];
unsigned char creaded[0x100];
int ulen;
int dlen;
int i;
for(i=0;i<0x20;i++)
{
if(username[i]==0)
break;
}
ulen=2*i;
for(i=0;i<0x20;i++)
{
if(domainname[i]==0)
break;
}
dlen=2*i;
memset(creaded,0,0x100);
memcpy(creaded,"NTLMSSP",8);
*(DWORD *)(creaded+8)=3;
*(WORD *)(creaded+0xc)=0x18;
*(WORD *)(creaded+0xe)=0x18;
*(DWORD *)(creaded+0x10)=0x40+ulen+dlen+dlen;
*(WORD *)(creaded+0x14)=0x18;
*(WORD *)(creaded+0x16)=0x18;
*(DWORD *)(creaded+0x18)=0x40+ulen+dlen+dlen+0x18;
*(WORD *)(creaded+0x1c)=dlen;
*(WORD *)(creaded+0x1e)=dlen;
*(DWORD *)(creaded+0x20)=0x40;
*(WORD *)(creaded+0x24)=ulen;
*(WORD *)(creaded+0x26)=ulen;
*(DWORD *)(creaded+0x28)=0x40+dlen;
*(WORD *)(creaded+0x2c)=dlen;
*(WORD *)(creaded+0x2e)=dlen;
*(DWORD *)(creaded+0x30)=0x40+dlen+ulen;
*(WORD *)(creaded+0x34)=0x10;
*(WORD *)(creaded+0x36)=0x10;
*(DWORD *)(creaded+0x38)=0x40+ulen+dlen+dlen+0x30;
*(DWORD *)(creaded+0x3C)=0XE0888215;
//放如用户名等信息
memcpy(creaded+0x40,domainname,dlen);
memcpy(creaded+0x40+dlen,username,ulen);
memcpy(creaded+0x40+dlen+ulen,domainname,dlen);
psmbp->smbinfo.smbtoken =0x73;
memset(psmbp->smbinfo.info,0,0x200);
psmbp->smbinfo.flagsummary2 = 0xc807;
*(DWORD *)(psmbp->smbinfo.info+21) = 0x800000D4;
//指定使用加密的FLAG
psmbp->smbinfo.info[0]=0xc;//WORD 参数个数
*(WORD *)(psmbp->smbinfo.info+1)=0Xff;//无下一个命令
*(WORD *)(psmbp->smbinfo.info+3)=0X12e;//下一命令偏移
*(WORD *)(psmbp->smbinfo.info+5)=0X4104;//最大缓冲
*(WORD *)(psmbp->smbinfo.info+7)=0X32;//最大的MPX
*(WORD *)(psmbp->smbinfo.info+9)=0X0;//虚拟通道
*(DWORD *)(psmbp->smbinfo.info+11)=0X0;//虚拟通道
*(DWORD *)(psmbp->smbinfo.info+17)=0X0;//保留
passtoowf(password,passwordhash); //口令到散列
challagetorkey(romkey,challage,enkey); //把挑战和任意一个本地随机KEY通过MD5计算出加密KEY
memset(cread,0,0x40);
memcpy(cread,romkey,0x8); //BLOB中放入本地随机KEY,好让服务器知道能计算出加密KEY
hashtocread(enkey,passwordhash,cread); //通过加密KEY计算NTLM的加密形式
memcpy(creaded+0x40+ulen+dlen+dlen,cread,0x40);
*(WORD *)(psmbp->smbinfo.info+15)=0x80+ulen+dlen+dlen; //BLOB的长度
memcpy(psmbp->smbinfo.info+27,creaded,0x80+ulen+dlen+dlen);//放入BLOB
memcpy(psmbp->smbinfo.info+28+0x80+ulen+dlen+dlen,navos,36);//
memcpy(psmbp->smbinfo.info+66+0x80+ulen+dlen+dlen,lanman,32);//
*(WORD *)(psmbp->smbinfo.info+25)=73+0x80+ulen+dlen+dlen;
psmbp->smbnbt.smbpacketlen = htons(132+ 0x80+ulen+dlen+dlen);
}
void SmbNegotiate(SMBP * psmbp)
{
unsigned char magic[4]={0xff,'S','M','B'};
short len;
char langitem1[]="PC NETWORK PROGRAM 1.0";
char langitem2[]="LANMAN1.0";
char langitem3[]="Windows for Workgroups 3.1a";
char langitem4[]="LM1.2X002";
char langitem5[]="LANMAN2.1";
char langitem6[]="NT LM 0.12";
char langitem7[]="PCLAN1.0";
char langitem8[]="MICROSOFT NETWORKS 1.03";
char langitem9[]="MICROSOFT NETWORKS 3.0";
char langitem10[]="DOS LM1.2X002";
char langitem11[]="DOS LANMAN2.1";
char langitem12[]="Cairo 0.xa";
memset(psmbp,0,sizeof(SMBP));
psmbp->smbnbt.nbtsmb = 0;
psmbp->smbnbt.flag = 0;
memcpy(psmbp->smbinfo.magic, magic,4);
psmbp->smbinfo.smbtoken = 0x72;
psmbp->smbinfo.errcodeclass = 0x0;
psmbp->smbinfo.dosaherrcode = 0x0;
psmbp->smbinfo.errcode[0] = 0x0;
psmbp->smbinfo.errcode[1] = 0x0;
psmbp->smbinfo.flagsummary = 0x18;
psmbp->smbinfo.flagsummary2 = 0xc853;
//指定了带挑战方式支持的FLAG
psmbp->smbinfo.callprocessid = 0xfeff;
psmbp->smbinfo.multiplexid = 0;
psmbp->smbinfo.info[0]=0x0;
len=3+2*(psmbp->smbinfo.info[0]);
psmbp->smbinfo.info[len]=0x2;
memcpy(psmbp->smbinfo.info+len+1,langitem6,sizeof(langitem6));
len = len+1+sizeof(langitem6);
*(WORD *)(psmbp->smbinfo.info+1) =len-3-2*(psmbp->smbinfo.info[0]);
psmbp->smbnbt.smbpacketlen = htons(len+0x20);
}
void challagetorkey(unsigned char * romkey,unsigned char * challage,unsigned char * enkey)
{
unsigned char LM[0x58];
md5init(LM);
*(DWORD *)LM=0x200;
memcpy(LM+0X18,challage,8);
memcpy(LM+0X20,romkey,8);
*(DWORD *)(LM+0x28)=0x80;
*(DWORD *)(LM+0x50)=0x80;
md5final(LM);
memcpy(enkey,LM+8,8);
}
void hashtocread(unsigned char * enkey,unsigned char * hash,unsigned char * cread)
{
unsigned char LmPass[0x10];
unsigned char rc4keylist[0x102];
LSA_UNICODE_STRING lmhash;
unsigned char desecb[128];
unsigned char lm[0x28];
unsigned char key[0x8];
unsigned char rc4key[0x10];
//加密KEY加密NTLM
initLMP(hash,LmPass);
deskey(LmPass,desecb);
des(lm,enkey,desecb,1);
initLMP(hash+7,LmPass);
deskey(LmPass,desecb);
des(lm+8,enkey,desecb,1);
memset(key,0,8);
memcpy(key,hash+0xe,2);
initLMP(key,LmPass);
deskey(LmPass,desecb);
des(lm+0x10,enkey,desecb,1);
memcpy(cread+0x18,lm,0x18);
//计算NTLM的RC4形式
lmhash.Length=0x10;
lmhash.MaximumLength=0x10;
lmhash.Buffer= hash;
initMDP(&lmhash,rc4key);
hmacmd5(rc4key,enkey);
memcpy(cread+0x30,rc4key,0x10);
rc4_key(rc4keylist,rc4key,0x10);
//由于并未使用此字段认证,下面的函数未实现,就以RC4KEY做其放进去了
// rc4_424(rc4keylist,rc4rom,0x10);
}
void rc4_key(unsigned char * rc4keylist,unsigned char * rc4key,int keylen)
{
int i,j;
DWORD a1=0x03020100;
unsigned char c1,c2,c3;
for(i=0;i<0x40;i++)
{
*(DWORD *)(rc4keylist+4*i)=a1;
a1+=0x04040404;
}
rc4keylist[0x100]=0;
rc4keylist[0x101]=0;
j=0;
i=0;
c3=0;
for(j=0;j<0x100;j++)
{
c1=rc4keylist[j];
c2=rc4key[i];
c3=(c3+c2+c1)%256;
rc4keylist[j]=rc4keylist[c3];
rc4keylist[c3]=c1;
i++;
if(i==keylen)
i=0;
}
}
void hmacmd5(unsigned char * rc4key,unsigned char * enkey)
{
unsigned char Lm1[0x58];
unsigned char Lm2[0x58];
unsigned char k1[0x40];
unsigned char k2[0x40];
int i;
md5init(Lm1);
md5init(Lm2);
memset(k1,0,0x40);
memset(k2,0,0x40);
memcpy(k1,rc4key,0x10);
memcpy(k2,rc4key,0x10);
for(i=0;i<0x10;i++)
{
*(DWORD *)(k1+4*i)=(*(DWORD *)(k1+4*i))^0x36363636;
*(DWORD *)(k2+4*i)=(*(DWORD *)(k2+4*i))^0x5c5c5c5c;
}
*(DWORD *)Lm1=0x200;
memcpy(Lm1+0X18,k1,0x40);
md5final(Lm1);
*(DWORD *)Lm2=0x200;
memcpy(Lm2+0X18,k2,0x40);
md5final(Lm2);
*(DWORD *)Lm1=0x400;
memcpy(Lm1+0X18,challage,0x8);
memcpy(Lm1+0X20,romkey,0x8);
memset(Lm1+0X28,0x80,1);
memset(Lm1+0X29,0,0x2f);
*(DWORD *)(Lm1+0x50)=0x280;
md5final(Lm1);
memcpy(Lm2+0X18,Lm1+8,0x10);
*(DWORD *)Lm2=0x400;
memset(Lm2+0X28,0x80,1);
memset(Lm2+0X29,0,0x2f);
*(DWORD *)(Lm2+0x50)=0x280;
md5final(Lm2);
memcpy(rc4key,Lm2+8,0x10);
}
void passtoowf(wchar_t * password,unsigned char * paswdowf)
{
int len;
int i;
LSA_UNICODE_STRING pass;
LSA_UNICODE_STRING opass;
char magic1[8]="KGS!@#$%";
unsigned char desecb[128];
unsigned char upassword[0x10];
unsigned char LmPass[0x10];
len=0;
for(i=0;i<0x20;i++)
{
if(password[i]==0 )
break;
len=len+2;
}
if(len>28)
{
printf("password <=14");
return;
}
pass.Length=len;
pass.MaximumLength=len;
pass.Buffer=password;
opass.MaximumLength=0xf;
opass.Buffer=upassword;
memset(upassword,0,0x10);
RtlUpcaseUnicodeStringToOemString(&opass,&pass,0);
initLMP(upassword,LmPass);
deskey(LmPass,desecb);
des(paswdowf+0x10,magic1,desecb,1);
initLMP(upassword+7,LmPass);
deskey(LmPass,desecb);
des(paswdowf+0x18,magic1,desecb,1);
initMDP(&pass,paswdowf);
}
void initMDP(PLSA_UNICODE_STRING pass,unsigned char * LM)
{
unsigned char LM1[0x58];
unsigned char s[2]="0";
md4init(LM1);
memcpy(LM1+0x18,pass->Buffer,pass->Length);
memset(LM1+0x18+pass->Length,0x80,1);
memset(LM1+0x18+pass->Length+1,0,0x37-pass->Length);
*(DWORD *)(LM1+0x50)=8*(pass->Length);
memset(LM1+0x51,0x0,7);
*(DWORD *)(LM1+0x10)=0x200;
md4(LM1);
memcpy(LM,LM1,16);
}
void md4init(unsigned char * LM)
{
*(DWORD *)(LM)=0x67452301;
*(DWORD *)(LM+4)=0xefcdab89;
*(DWORD *)(LM+8)=0x98badcfe;
*(DWORD *)(LM+0xc)=0x10325476;
*(DWORD *)(LM+0x10)=0;
*(DWORD *)(LM+0x14)=0;
}
void md4(unsigned char * LM)
{
DWORD d1,d2,d3,d4;
DWORD a1,a2,a3;
//第1轮
d1=*(DWORD *)(LM);
d2=*(DWORD *)(LM+4);
d3=*(DWORD *)(LM+8);
d4=*(DWORD *)(LM+0xc);
a1=*(DWORD *)(LM+0x18);
a2=(((d4^d3)&d2)^d4)+a1+d1;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x1c);
a3=(((d3^d2)&a2)^d3)+a1;
d4=d4+a3;
d4=(d4<<7)|(d4>>0x19);
a1=*(DWORD *)(LM+0x20);
a3=(((d2^a2)&d4)^d2)+a1;
d3=d3+a3;
d3=(d3<<0xb)|(d3>>0x15);
a1=*(DWORD *)(LM+0x24);
a3=(((d4^a2)&d3)^a2)+a1;
d2=d2+a3;
d2=(d2<<0x13)|(d2>>0xd);
a1=*(DWORD *)(LM+0x28);
a3=(((d4^d3)&d2)^d4)+a1;
a2=a2+a3;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x2c);
a3=(((d3^d2)&a2)^d3)+a1;
d4=d4+a3;
d4=(d4<<7)|(d4>>0x19);
a1=*(DWORD *)(LM+0x30);
a3=(((d2^a2)&d4)^d2)+a1;
d3=d3+a3;
d3=(d3<<0xb)|(d3>>0x15);
a1=*(DWORD *)(LM+0x34);
a3=(((d4^a2)&d3)^a2)+a1;
d2=d2+a3;
d2=(d2<<0x13)|(d2>>0xd);
a1=*(DWORD *)(LM+0x38);
a3=(((d4^d3)&d2)^d4)+a1;
a2=a2+a3;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x3c);
a3=(((d3^d2)&a2)^d3)+a1;
d4=d4+a3;
d4=(d4<<7)|(d4>>0x19);
a1=*(DWORD *)(LM+0x40);
a3=(((d2^a2)&d4)^d2)+a1;
d3=d3+a3;
d3=(d3<<0xb)|(d3>>0x15);
a1=*(DWORD *)(LM+0x44);
a3=(((d4^a2)&d3)^a2)+a1;
d2=d2+a3;
d2=(d2<<0x13)|(d2>>0xd);
a1=*(DWORD *)(LM+0x48);
a3=(((d4^d3)&d2)^d4)+a1;
a2=a2+a3;
a2=(a2<<0x3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x4c);
a3=(((d3^d2)&a2)^d3)+a1;
d4=d4+a3;
d4=(d4<<7)|(d4>>0x19);
a1=*(DWORD *)(LM+0x50);
a3=(((d2^a2)&d4)^d2)+a1;
d3=d3+a3;
d3=(d3<<0xb)|(d3>>0x15);
a1=*(DWORD *)(LM+0x54);
a3=(((d4^a2)&d3)^a2)+a1;
d2=d2+a3;
d2=(d2<<0x13)|(d2>>0xd);
//第2轮
a1=*(DWORD *)(LM+0x18);
a3=(((d3|d2)&d4)|(d3&d2))+a1+0x5a827999;
a2=a2+a3;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x28);
a3=(((d2|a2)&d3)|(d2&a2))+0x5a827999;
d4=d4+a1+a3;
d4=(d4<<5)|(d4>>0x1b);
a1=*(DWORD *)(LM+0x38);
a3=(((d4|a2)&d2)|(d4&a2))+a1+0x5a827999;
d3=d3+a3;
d3=(d3<<9)|(d3>>0x17);
a1=*(DWORD *)(LM+0x48);
a3=(((d4|d3)&a2)|(d4&d3))+a1+0x5a827999;
d2=d2+a3;
d2=(d2<<0xd)|(d2>>0x13);
a1=*(DWORD *)(LM+0x1c);
a3=(((d3|d2)&d4)|(d3&d2))+a1+0x5a827999;
a2=a2+a3;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x2c);
a3=(((d2|a2)&d3)|(d2&a2))+0x5a827999;
d4=d4+a1+a3;
d4=(d4<<5)|(d4>>0x1b);
a1=*(DWORD *)(LM+0x3c);
a3=(((d4|a2)&d2)|(d4&a2))+a1+0x5a827999;
d3=d3+a3;
d3=(d3<<9)|(d3>>0x17);
a1=*(DWORD *)(LM+0x4c);
a3=(((d4|d3)&a2)|(d4&d3))+a1+0x5a827999;
d2=d2+a3;
d2=(d2<<0xd)|(d2>>0x13);
a1=*(DWORD *)(LM+0x20);
a3=(((d3|d2)&d4)|(d3&d2))+a1+0x5a827999;
a2=a2+a3;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x30);
a3=(((d2|a2)&d3)|(d2&a2))+0x5a827999;
d4=d4+a1+a3;
d4=(d4<<5)|(d4>>0x1b);
a1=*(DWORD *)(LM+0x40);
a3=(((d4|a2)&d2)|(d4&a2))+0x5a827999;
d3=d3+a1+a3;
d3=(d3<<9)|(d3>>0x17);
a1=*(DWORD *)(LM+0x50);
a3=(((d4|d3)&a2)|(d4&d3))+a1+0x5a827999;
d2=d2+a3;
d2=(d2<<0xd)|(d2>>0x13);
a1=*(DWORD *)(LM+0x24);
a3=(((d3|d2)&d4)|(d3&d2))+a1+0x5a827999;
a2=a2+a3;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x34);
a3=(((d2|a2)&d3)|(d2&a2))+0x5a827999;
d4=d4+a1+a3;
d4=(d4<<5)|(d4>>0x1b);
a1=*(DWORD *)(LM+0x44);
a3=(((d4|a2)&d2)|(d4&a2))+a1+0x5a827999;
d3=d3+a3;
d3=(d3<<9)|(d3>>0x17);
a1=*(DWORD *)(LM+0x54);
a3=(((d4|d3)&a2)|(d4&d3))+a1+0x5a827999;
d2=d2+a3;
d2=(d2<<0xd)|(d2>>0x13);
//第3轮
a1=*(DWORD *)(LM+0x18);
a3=((d4^d3)^d2)+a1;
a2=a2+0x6ed9eba1+a3;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x38);
a3=((d3^d2)^a2)+a1;
d4=d4+0x6ed9eba1+a3;
d4=(d4<<9)|(d4>>0x17);
a1=*(DWORD *)(LM+0x28);
a3=((d4^d2)^a2)+a1;
d3=d3+0x6ed9eba1+a3;
d3=(d3<<0xb)|(d3>>0x15);
a1=*(DWORD *)(LM+0x48);
a3=d4^d3;
d2=d2+a1+0x6ed9eba1+(a2^a3);
d2=(d2<<0xf)|(d2>>0x11);
a1=*(DWORD *)(LM+0x20);
a2=a2+((d2^a3)+a1+0x6ed9eba1);
a3=d3^d2;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x40);
a3=(a3^a2)+a1;
d4=d4+0x6ed9eba1+a3;
d4=(d4<<9)|(d4>>0x17);
a1=*(DWORD *)(LM+0x30);
a3=((d4^d2)^a2)+a1;
d3=d3+0x6ed9eba1+a3;
d3=(d3<<0xb)|(d3>>0x15);
a1=*(DWORD *)(LM+0x50);
a3=d4^d3;
d2=d2+a1+0x6ed9eba1+(a2^a3);
d2=(d2<<0xf)|(d2>>0x11);
a1=*(DWORD *)(LM+0x1c);
a2=a2+0x6ed9eba1+((d2^a3)+a1);
a3=d3^d2;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x3c);
a3=(a3^a2)+a1;
d4=d4+0x6ed9eba1+a3;
d4=(d4<<9)|(d4>>0x17);
a1=*(DWORD *)(LM+0x2c);
a3=((d4^d2)^a2)+a1;
d3=d3+0x6ed9eba1+a3;
d3=(d3<<0xb)|(d3>>0x15);
a1=*(DWORD *)(LM+0x4c);
a3=d4^d3;
d2=d2+a1+0x6ed9eba1+(a2^a3);
d2=(d2<<0xf)|(d2>>0x11);
a1=*(DWORD *)(LM+0x24);
a2=a2+0x6ed9eba1+((d2^a3)+a1);
a3=d3^d2;
a2=(a2<<3)|(a2>>0x1d);
a1=*(DWORD *)(LM+0x44);
a3=(a3^a2)+a1;
d4=d4+0x6ed9eba1+a3;
d4=(d4<<9)|(d4>>0x17);
a1=*(DWORD *)(LM+0x34);
a3=((d4^d2)^a2)+a1;
d3=d3+0x6ed9eba1+a3;
d3=(d3<<0xb)|(d3>>0x15);
a1=*(DWORD *)(LM+0x54);
a3=((d4^a2)^d3)+a1;
d2=d2+0x6ed9eba1+a3;
d2=(d2<<0xf)|(d2>>0x11);
*(DWORD *)(LM)=a2+*(DWORD *)(LM);
*(DWORD *)(LM+4)=d2+*(DWORD *)(LM+4);
*(DWORD *)(LM+8)=d3+*(DWORD *)(LM+8);
*(DWORD *)(LM+0xc)=d4+*(DWORD *)(LM+0xc);
}
void initLMP(char * pass,unsigned char * LM)
{
char LmPass[0x20];
DWORD d1,d2;
unsigned char a1,a2;
char a3[]={1,3,7,0xf,0x1f,0x3f,0x7f};
int i;
for(i=0;i<8;i++)
{
if(i==0)
{
a1=pass[0];
LmPass[0]=a1>>1;
}
else if(i==7)
{
a1=pass[i-1];
a1=a1&a3[i-1];
LmPass[i]=a1;
}
else
{
a1=pass[i-1];
a2=pass[i];
a1=a1&a3[i-1];
a1=a1<<(7-i);
a2=a2>>(i+1);
LmPass[i]=a1|a2;
}
}
d1=*(DWORD *)LmPass;
d2=*(DWORD *)(LmPass+4);
d1=(d1&0xff7f7f7f)<<1;
d2=(d2&0xff7f7f7f)<<1;
*(DWORD *)LmPass=d1;
*(DWORD *)(LmPass+4)=d2;
//
for(i=0;i<8;i++)
{
a1=LmPass[i];
a2=a1;
a1=a1&0xf;
a2=a2>>4;
a2=DESParity[a2];
a1=DESParity[a1];
a2=a1+a2;
a2=a2^a1;
a2=a2-a1;
a2=a2&1;
a2=a2^a1;
a2=a2-a1;
if(a2==0)
LmPass[i]=LmPass[i]^1;
}
memcpy(LM,LmPass,8);
//deskey(LmPass,desecb);
//des(LM,magic1,desecb,1);
}
void deskey(char * LmPass,unsigned char * desecb)
{
int i;
unsigned char a1;
DWORD d1,d2,d3,d4,d5,d6;
d1=*(DWORD *)LmPass;
d2=*(DWORD *)(LmPass+4);
d2=d2>>4;
d1=d1&0xf0f0f0f;
d2=d2&0xf0f0f0f;
d2=d2^d1;
d1=(*(DWORD *)LmPass)^d2;
d2=d2<<4;
d2=(*(DWORD *)(LmPass+4))^d2;
d3=d1&0xfffff333;
d3=d3<<0x12;
d4=d1&0xcccc0000;
d4=d4^d3;
d3=d4;
d3=d3>>0x12;
d3=d3^d4;
d1=d1^d3;
d3=d2&0xfffff333;
d3=d3<<0x12;
d4=d2&0xcccc0000;
d4=d4^d3;
d3=d4>>0x12;
d3=d3^d4;
d2=d2^d3;
d3=d1;
d4=d2>>1;
d3=d3&0x55555555;
d4=d4&0x55555555;
d4=d4^d3;
d1=d1^d4;
d4=d4+d4;
d2=d2^d4;
d4=d1>>8;
d3=d2&0xff00ff;
d4=d4&0xff00ff;
d4=d4^d3;
d2=d2^d4;
d4=d4<<8;
d1=d1^d4;
d4=d2>>1;
d3=d1;
d3=d3&0x55555555;
d4=d4&0x55555555;
d4=d4^d3;
d1=d1^d4;
d4=d4+d4;
d2=d2^d4;
d3=d1&0xf000000f;
d4=(d2>>0xc)&0xff0;
d1=d1&0x0fffffff;
d3=(d3|d4)>>4;
d4=d2&0xff00;
d2=(d2&0xff)<<0x10;
d3=d3|d4;
d3=d3|d2;
for(i=0;i<16;i++)
{
d2=d1;
a1=DESDShift[i];
if(a1==0)
{
d2=d2>>1;
d1=d1<<0x1b;
d4=d3>>1;
d3=d3<<0x1b;
d1=d1|d2;
}
else
{
d2=d2>>2;
d1=d1<<0x1a;
d4=d3>>2;
d3=d3<<0x1a;
d1=d1|d2;
}
d1=d1&0x0fffffff;
d3=d3|d4;
d2=d1>>1;
d4=d1&0xc00000;
d4=d4|(d2&0x07000000);
d4=(d4>>1)|(d1&0x00100000);
//d6=d2&0x00060000;
d5=(d1&0x0001e000)|(d2&0x00060000);
d2=d2&0x00000f00;
d3=d3&0x0fffffff;
d5=d5>>0xd;
d4=d4>>0x14;
d6=DESKEY3[d5];
d5=d1&0xc0;
d4=DESKEY4[d4];
d5=(d5|d2)>>6;
d4=d4|d6;
d2=d1&0x3f;
d6=DESKEY2[d5];
d5=d3&0x180;
d4=d4|d6;
d6=DESKEY1[d2];
d2=d3>>1;
d4=d4|d6;
d6=d2&0x1e00;
d2=d2&0x6000000;
d5=(d5^d6)>>7;
d6=(d3&0x1e00000)|d2;
d6=d6>>0x15;
d2=DESKEY6[d5];
d5=DESKEY8[d6];
d2=d2^d5;
d5=d3&0x3f;
d6=DESKEY5[d5];
d5=(d3>>0xf)&0x3f;
d2=d2|d6;
d6=DESKEY7[d5];
d5=d4&0xffff;
d2=d2|d6;
d6=d2<<0x10;
d2=d2&0xffff0000;
d5=d5|d6;
d5=(d5<<2)|(d5>>0x1e);
d4=d4>>0x10;
d2=d2|d4;
d2=(d2<<6)|(d2>>0x1a);
*(DWORD *)(desecb+8*i)=d5;
*(DWORD *)(desecb+8*i+4)=d2;
}
}
void des(unsigned char * LM,char * magic,unsigned char * ecb,long no)
{
DWORD d1,d2,d3,d4;
DWORD a1,a2,a3;
int i;
d1= *(DWORD *)magic;
d2= *(DWORD *)(magic+4);
d1 = (d1<<4)|(d1>>0x1c);
d3 = d1;
d1 = (d1^d2)&0xf0f0f0f0;
d3 = d3^d1;
d2 = d2^d1;
d2 =(d2<<0x14)|(d2>>0xc);
d1 = d2;
d2 = (d2^d3)&0xfff0000f;
d1 = d1 ^ d2;
d3 = d3^d2;
d1 = (d1<<0xe)|(d1>>0x12);
d2 = d1;
d1 = (d1 ^ d3) & 0x33333333;
d2 = d2 ^ d1;
d3 = d3^d1;
d3 = (d3<<0x16)|(d3>>0xa);
d1 = d3;
d3 = (d3 ^ d2)&0x3fc03fc;
d1 = d1^d3;
d2 = d2^d3;
d1 = (d1<<9)|(d1>>0x17);
d3 = d1;
d1 = (d1^d2)&0xaaaaaaaa;
d3 = d3^d1;
d2 = d2^d1;
d2 = (d2<<1)|(d2>>0x1f);
if(no!=0)
{
for(i=0;i<8;i++)
{
a1=0;
d1=*(DWORD *)(ecb+16*i);
d4=*(DWORD *)(ecb+16*i+4);
d1=(d1^d3)&0xfcfcfcfc;
d4=(d4^d3)&0xcfcfcfcf;
a1=d1&0xff;
a2=(d1>>8)&0xff;
d4=(d4>>4)|(d4<<0x1c);
a3=DESSpBox1[a1/4];
a1=d4&0xff;
d2=d2^a3;
a3=DESSpBox3[a2/4];
d2=d2^a3;
a2=(d4>>8)&0xff;
d1=d1>>0x10;
a3=DESSpBox2[a1/4];
d2=d2^a3;
a1=(d1>>8)&0xff;
d4=d4>>0x10;
a3=DESSpBox4[a2/4];
d2=d2^a3;
a2=(d4>>8)&0xff;
d1=d1&0xff;
d4=d4&0xff;
a1=DESSpBox7[a1/4];
d2=d2^a1;
a1=DESSpBox8[a2/4];
d2=d2^a1;
a1=DESSpBox5[d1/4];
d2=d2^a1;
a1=DESSpBox6[d4/4];
d2=d2^a1;
a1=0;
d1=*(DWORD *)(ecb+16*i+8);
d4=*(DWORD *)(ecb+16*i+0xc);
d1=(d1^d2)&0xfcfcfcfc;
d4=(d4^d2)&0xcfcfcfcf;
a1=d1&0xff;
a2=(d1>>8)&0xff;
d4=(d4>>4)|(d4<<0x1c);
a3=DESSpBox1[a1/4];
a1=d4&0xff;
d3=d3^a3;
a3=DESSpBox3[a2/4];
d3=d3^a3;
a2=(d4>>8)&0xff;
d1=d1>>0x10;
a3=DESSpBox2[a1/4];
d3=d3^a3;
a1=(d1>>8)&0xff;
d4=d4>>0x10;
a3=DESSpBox4[a2/4];
d3=d3^a3;
a2=(d4>>8)&0xff;
d1=d1&0xff;
d4=d4&0xff;
a1=DESSpBox7[a1/4];
d3=d3^a1;
a1=DESSpBox8[a2/4];
d3=d3^a1;
a1=DESSpBox5[d1/4];
d3=d3^a1;
a1=DESSpBox6[d4/4];
d3=d3^a1;
}
d3=(d3>>1)|(d3<<0x1f);
d1=d2;
d2=(d2^d3)&0XAAAAAAAA;
d1=d1^d2;
d3=d3^d2;
d1=(d1<<0x17)|(d1>>9);
d2=d1;
d1=(d1^d3)&0x3fc03fc;
d2=(d2^d1);
d3=d3^d1;
d2=(d2<<0xa)|(d2>>0x16);
d1=d2;
d2=(d2^d3)&0x33333333;
d1=d1^d2;
d3=d3^d2;
d3=(d3<<0x12)|(d3>>0xe);
d2=d3;
d3=(d3^d1)&0xfff0000f;
d2=d2^d3;
d1=d1^d3;
d2=(d2<<0xc)|(d2>>0x14);
d3=d2;
d2=(d2^d1)&0xf0f0f0f0;
d3=d3^d2;
d1=d1^d2;
d1=(d1>>4)|(d1<<0x1c);
*(DWORD *)LM=d1;
*(DWORD *)(LM+4)=d3;
}
else
{
}
}
void md5init(unsigned char * LM)
{
memset(LM,0,0x58);
*(DWORD *)(LM+8)=0x67452301;
*(DWORD *)(LM+0xc)=0xefcdab89;
*(DWORD *)(LM+0x10)=0x98badcfe;
*(DWORD *)(LM+0x14)=0x10325476;
*(DWORD *)(LM+0x0)=0;
*(DWORD *)(LM+0x0)=0;
}
void md5final(unsigned char * LM)
{
DWORD a1,d1,d2,s1;
DWORD b1,b2;
d1=*(DWORD *)(LM+0XC);
s1=*(DWORD *)(LM+0X10);
d2=*(DWORD *)(LM+0X14);
b2=*(DWORD *)(LM+0X18);
b1=(((d2^s1)&d1)^d2)+b2;
b2=*(DWORD *)(LM+0X8);
b1=b1+b2+0xd76aa478;
b1=((b1<<0x7)|(b1>>0x19))+d1;
//第一轮
b2=*(DWORD *)(LM+0X1c);
a1=(((s1^d1)&b1)^s1)+0xe8c7b756;
d2=d2+b2+a1;
d2=((d2<<0xc)|(d2>>0x14))+b1;
b2=*(DWORD *)(LM+0X20);
a1=(((d1^b1)&d2)^d1)+0x242070db;
s1=s1+b2+a1;
s1=((s1<<0x11)|(s1>>0xf))+d2;
b2=*(DWORD *)(LM+0X24);
a1=(((d2^b1)&s1)^b1)+0xc1bdceee;
d1=d1+b2+a1;
d1=((d1<<0x16)|(d1>>0xa))+s1;
b2=*(DWORD *)(LM+0X28);
a1=(((d2^s1)&d1)^d2)+0xf57c0faf;
b1=b1+b2+a1;
b1=((b1<<0x7)|(b1>>0x19))+d1;
b2=*(DWORD *)(LM+0X2c);
a1=(((s1^d1)&b1)^s1)+0x4787C62A;
d2=d2+b2+a1;
d2=((d2<<0xc)|(d2>>0x14))+b1;
b2=*(DWORD *)(LM+0X30);
a1=(((d1^b1)&d2)^d1)+0xA8304613;
s1=s1+b2+a1;
s1=((s1<<0x11)|(s1>>0xf))+d2;
b2=*(DWORD *)(LM+0X34);
a1=(((d2^b1)&s1)^b1)+0xFD469501;
d1=d1+b2+a1;
d1=((d1<<0x16)|(d1>>0xa))+s1;
b2=*(DWORD *)(LM+0X38);
a1=(((d2^s1)&d1)^d2)+0x698098D8;
b1=b1+b2+a1;
b1=((b1<<0x7)|(b1>>0x19))+d1;
b2=*(DWORD *)(LM+0X3c);
a1=(((s1^d1)&b1)^s1)+0x8B44F7AF;
d2=d2+b2+a1;
d2=((d2<<0xc)|(d2>>0x14))+b1;
b2=*(DWORD *)(LM+0X40);
a1=(((d1^b1)&d2)^d1)+0xFFFF5BB1;
s1=s1+b2+a1;
s1=((s1<<0x11)|(s1>>0xf))+d2;
b2=*(DWORD *)(LM+0X44);
a1=(((d2^b1)&s1)^b1)+0x895CD7BE;
d1=d1+b2+a1;
d1=((d1<<0x16)|(d1>>0xa))+s1;
b2=*(DWORD *)(LM+0X48);
a1=(((d2^s1)&d1)^d2)+0x6B901122;
b1=b1+b2+a1;
b1=((b1<<0x7)|(b1>>0x19))+d1;
b2=*(DWORD *)(LM+0X4c);
a1=(((s1^d1)&b1)^s1)+0xFD987193;
d2=d2+b2+a1;
d2=((d2<<0xc)|(d2>>0x14))+b1;
b2=*(DWORD *)(LM+0X50);
a1=(((d1^b1)&d2)^d1)+0xA679438E;
s1=s1+b2+a1;
s1=((s1<<0x11)|(s1>>0xf))+d2;
b2=*(DWORD *)(LM+0X54);
a1=(((d2^b1)&s1)^b1)+0x49B40821;
d1=d1+b2+a1;
d1=((d1<<0x16)|(d1>>0xa))+s1;
//第二轮
b2=*(DWORD *)(LM+0X1c);
a1=(((s1^d1)&d2)^s1)+0xF61E2562;
b1=b1+b2+a1;
b1=((b1<<0x5)|(b1>>0x1b))+d1;
b2=*(DWORD *)(LM+0X30);
a1=(((d1^b1)&s1)^d1)+0xC040B340;
d2=d2+b2+a1;
d2=((d2<<0x9)|(d2>>0x17))+b1;
b2=*(DWORD *)(LM+0X44);
a1=(((d2^b1)&d1)^b1)+0x265E5A51;
s1=s1+b2+a1;
s1=((s1<<0xe)|(s1>>0x12))+d2;
b2=*(DWORD *)(LM+0X18);
a1=(((d2^s1)&b1)^d2)+0xE9B6C7AA;
d1=d1+b2+a1;
d1=((d1<<0x14)|(d1>>0xc))+s1;
b2=*(DWORD *)(LM+0X2c);
a1=(((s1^d1)&d2)^s1)+0xD62F105D;
b1=b1+b2+a1;
b1=((b1<<0x5)|(b1>>0x1b))+d1;
b2=*(DWORD *)(LM+0X40);
a1=(((d1^b1)&s1)^d1)+0x2441453;
d2=d2+b2+a1;
d2=((d2<<0x9)|(d2>>0x17))+b1;
b2=*(DWORD *)(LM+0X54);
a1=(((d2^b1)&d1)^b1)+0xD8A1E681;
s1=s1+b2+a1;
s1=((s1<<0xe)|(s1>>0x12))+d2;
b2=*(DWORD *)(LM+0X28);
a1=(((d2^s1)&b1)^d2)+0xE7D3FBC8;
d1=d1+b2+a1;
d1=((d1<<0x14)|(d1>>0xc))+s1;
b2=*(DWORD *)(LM+0X3c);
a1=(((s1^d1)&d2)^s1)+0x21E1CDE6;
b1=b1+b2+a1;
b1=((b1<<0x5)|(b1>>0x1b))+d1;
b2=*(DWORD *)(LM+0X50);
a1=(((d1^b1)&s1)^d1)+0xC33707D6;
d2=d2+b2+a1;
d2=((d2<<0x9)|(d2>>0x17))+b1;
b2=*(DWORD *)(LM+0X24);
a1=(((d2^b1)&d1)^b1)+0xF4D50D87;
s1=s1+b2+a1;
s1=((s1<<0xe)|(s1>>0x12))+d2;
b2=*(DWORD *)(LM+0X38);
a1=(((d2^s1)&b1)^d2)+0x455A14ED;
d1=d1+b2+a1;
d1=((d1<<0x14)|(d1>>0xc))+s1;
b2=*(DWORD *)(LM+0X4c);
a1=(((s1^d1)&d2)^s1)+0xA9E3E905;
b1=b1+b2+a1;
b1=((b1<<0x5)|(b1>>0x1b))+d1;
b2=*(DWORD *)(LM+0X20);
a1=(((d1^b1)&s1)^d1)+0xFCEFA3F8;
d2=d2+b2+a1;
d2=((d2<<0x9)|(d2>>0x17))+b1;
b2=*(DWORD *)(LM+0X34);
a1=(((d2^b1)&d1)^b1)+0x676F02D9;
s1=s1+b2+a1;
s1=((s1<<0xe)|(s1>>0x12))+d2;
b2=*(DWORD *)(LM+0X48);
a1=(((d2^s1)&b1)^d2)+0x8D2A4C8A;
d1=d1+b2+a1;
d1=((d1<<0x14)|(d1>>0xc))+s1;
//第三轮
b2=*(DWORD *)(LM+0X2c);
a1=((d2^s1)^d1)+0xFFFA3942;
b1=b1+b2+a1;
b1=((b1<<0x4)|(b1>>0x1c))+d1;
b2=*(DWORD *)(LM+0X38);
a1=((s1^d1)^b1)+0x8771F681;
d2=d2+b2+a1;
d2=((d2<<0xb)|(d2>>0x15))+b1;
b2=*(DWORD *)(LM+0X44);
a1=(d2^d1)^b1;
s1=s1+b2+0x6D9D6122+a1;
s1=((s1<<0x10)|(s1>>0x10))+d2;
b2=*(DWORD *)(LM+0X50);
a1=d2^s1;
d1=d1+b2+0xFDE5380C+(b1^a1);
d1=((d1<<0x17)|(d1>>0x9))+s1;
b2=*(DWORD *)(LM+0X1c);
b1=b1+b2+0xA4BEEA44+(d1^a1);
b1=((b1<<0x4)|(b1>>0x1c))+d1;
b2=*(DWORD *)(LM+0X28);
a1=((s1^d1)^b1)+0x4BDECFA9;
d2=d2+b2+a1;
d2=((d2<<0xb)|(d2>>0x15))+b1;
b2=*(DWORD *)(LM+0X34);
a1=(d2^d1)^b1;
s1=s1+b2+0xF6BB4B60+a1;
s1=((s1<<0x10)|(s1>>0x10))+d2;
b2=*(DWORD *)(LM+0X40);
a1=(d2^s1);
d1=d1+b2+0xBEBFBC70+(b1^a1);
d1=((d1<<0x17)|(d1>>0x9))+s1;
b2=*(DWORD *)(LM+0X4c);
b1=b1+b2+0x289B7EC6+(d1^a1);
b1=((b1<<0x4)|(b1>>0x1c))+d1;
b2=*(DWORD *)(LM+0X18);
a1=((s1^d1)^b1)+0xEAA127FA;
d2=d2+b2+a1;
d2=((d2<<0xb)|(d2>>0x15))+b1;
b2=*(DWORD *)(LM+0X24);
a1=(d2^d1)^b1;
s1=s1+b2+0xD4EF3085+a1;
s1=((s1<<0x10)|(s1>>0x10))+d2;
b2=*(DWORD *)(LM+0X30);
a1=d2^s1;
d1=d1+b2+0x4881D05+(b1^a1);
d1=((d1<<0x17)|(d1>>0x9))+s1;
b2=d1^a1;
a1=*(DWORD *)(LM+0X3c)+0xD9D4D039;
b1=b1+b2+a1;
b1=((b1<<0x4)|(b1>>0x1c))+d1;
b2=*(DWORD *)(LM+0X48);
a1=((s1^d1)^b1)+0xE6DB99E5;
d2=d2+b2+a1;
d2=((d2<<0xb)|(d2>>0x15))+b1;
b2=*(DWORD *)(LM+0X54);
a1=((d2^d1)^b1);
s1=s1+b2+0x1FA27CF8+a1;
s1=((s1<<0x10)|(s1>>0x10))+d2;
b2=*(DWORD *)(LM+0X20);
a1=((d2^s1)^b1);
d1=d1+b2+0xC4AC5665+a1;
d1=((d1<<0x17)|(d1>>0x9))+s1;
//第4轮
b2=*(DWORD *)(LM+0X18);
a1=(((d2^0xFFFFFFFF)|d1)^s1)+0xF4292244;
b1=b1+b2+a1;
b1=((b1<<0x6)|(b1>>0x1a))+d1;
b2=*(DWORD *)(LM+0X34);
a1=(((s1^0xFFFFFFFF)|b1)^d1)+0x432AFF97;
d2=d2+b2+a1;
d2=((d2<<0xa)|(d2>>0x16))+b1;
b2=*(DWORD *)(LM+0X50);
a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xAB9423A7;
s1=s1+b2+a1;
s1=((s1<<0xf)|(s1>>0x11))+d2;
b2=*(DWORD *)(LM+0X2c);
a1=(((b1^0xFFFFFFFF)|s1)^d2);
d1=d1+b2+0xFC93A039+a1;
d1=((d1<<0x15)|(d1>>0xb))+s1;
b2=*(DWORD *)(LM+0X48);
a1=(((d2^0xFFFFFFFF)|d1)^s1)+0x655B59C3;
b1=b1+b2+a1;
b1=((b1<<0x6)|(b1>>0x1a))+d1;
b2=*(DWORD *)(LM+0X24);
a1=(((s1^0xFFFFFFFF)|b1)^d1)+0x8F0CCC92;
d2=d2+b2+a1;
d2=((d2<<0xa)|(d2>>0x16))+b1;
b2=*(DWORD *)(LM+0X40);
a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xFFEFF47D;
s1=s1+b2+a1;
s1=((s1<<0xf)|(s1>>0x11))+d2;
b2=*(DWORD *)(LM+0X1c);
a1=(((b1^0xFFFFFFFF)|s1)^d2)+0x85845DD1;
d1=d1+b2+a1;
d1=((d1<<0x15)|(d1>>0xb))+s1;
b2=*(DWORD *)(LM+0X38);
a1=(((d2^0xFFFFFFFF)|d1)^s1)+0x6FA87E4F;
b1=b1+b2+a1;
b1=((b1<<0x6)|(b1>>0x1a))+d1;
b2=*(DWORD *)(LM+0X54);
a1=(((s1^0xFFFFFFFF)|b1)^d1)+0xFE2CE6E0;
d2=d2+b2+a1;
d2=((d2<<0xa)|(d2>>0x16))+b1;
b2=*(DWORD *)(LM+0X30);
a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xA3014314;
s1=s1+b2+a1;
s1=((s1<<0xf)|(s1>>0x11))+d2;
b2=*(DWORD *)(LM+0X4c);
a1=(((b1^0xFFFFFFFF)|s1)^d2)+0x4E0811A1;
d1=d1+b2+a1;
d1=((d1<<0x15)|(d1>>0xb))+s1;
b2=*(DWORD *)(LM+0X28);
a1=(((d2^0xFFFFFFFF)|d1)^s1)+0xF7537E82;
b1=b1+b2+a1;
b1=((b1<<0x6)|(b1>>0x1a))+d1;
b2=*(DWORD *)(LM+0X44);
a1=(((s1^0xFFFFFFFF)|b1)^d1)+0xBD3AF235;
d2=d2+b2+a1;
d2=((d2<<0xa)|(d2>>0x16))+b1;
b2=*(DWORD *)(LM+0X20);
a1=(((d1^0xFFFFFFFF)|d2)^b1)+0x2AD7D2BB;
s1=s1+b2+a1;
s1=((s1<<0xf)|(s1>>0x11))+d2;
b2=*(DWORD *)(LM+0X3c);
a1=(((b1^0xFFFFFFFF)|s1)^d2)+0xEB86D391;
d1=d1+b2+a1;
d1=((d1<<0x15)|(d1>>0xb))+s1;
b2=*(DWORD *)(LM+0X8);
b1=b1+b2;
b2=*(DWORD *)(LM+0Xc);
d1=d1+b2;
b2=*(DWORD *)(LM+0X10);
s1=s1+b2;
b2=*(DWORD *)(LM+0X14);
d2=d2+b2;
*(DWORD *)(LM+0X8)=b1;
*(DWORD *)(LM+0Xc)=d1;
*(DWORD *)(LM+0X10)=s1;
*(DWORD *)(LM+0X14)=d2;
}
|
中搜索