archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/windows/appcompat/shims/specific/money2001.cpp

539 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2002 Microsoft Corporation
  5. Module Name:
  7. Money2001.cpp
  9. Abstract:
  11. Retry passwords at 128-bit encryption if 40-bit fails. Most code from Money
  12. team.
  14. We have to patch the API directly since it is called from within it's own
  15. DLL, i.e. it doesn't go through the import table.
  17. The function we're patching is cdecl and is referenced by it's ordinal
  18. because the name is mangled.
  20. Notes:
  22. This is an app specific shim.
  24. History:
  26. 07/11/2002 linstev Created
  28. --*/
  30. #include "precomp.h"
  32. IMPLEMENT_SHIM_BEGIN(Money2001)
  33. #include "ShimHookMacro.h"
  34. #include <wincrypt.h>
  36. APIHOOK_ENUM_BEGIN
  37. APIHOOK_ENUM_ENTRY(LoadLibraryA)
  38. APIHOOK_ENUM_ENTRY(FreeLibrary)
  39. APIHOOK_ENUM_END
  41. #define Assert(a)
  43. void *crtmalloc(size_t size)
  44. {
  45. HMODULE hMod = GetModuleHandleW(L"msvcrt.dll");
  47. if (hMod) {
  49. typedef void * (__cdecl *_pfn_malloc)(size_t size);
  51. _pfn_malloc pfnmalloc = (_pfn_malloc) GetProcAddress(hMod, "malloc");
  52. if (pfnmalloc) {
  53. return pfnmalloc(size);
  54. }
  55. }
  57. return malloc(size);
  58. }
  60. void crtfree(void *memblock)
  61. {
  62. HMODULE hMod = GetModuleHandleW(L"msvcrt.dll");
  64. if (hMod) {
  66. _pfn_free pfnfree = (_pfn_free) GetProcAddress(hMod, "free");
  67. if (pfnfree) {
  68. pfnfree(memblock);
  69. return;
  70. }
  71. }
  73. free(memblock);
  74. }
  77. //
  78. // This section from the Money team
  79. //
  81. #define MAXLEN (100)
  82. #define ENCRYPT_BLOCK_SIZE (8)
  83. #define ENCRYPT_ALGORITHM CALG_RC2
  84. #define KEY_LENGTH (128)
  85. #define KEY_LENGTH40 (40)
  87. #define LgidMain(lcid) PRIMARYLANGID(LANGIDFROMLCID(lcid))
  88. #define LgidSub(lcid) SUBLANGID(LANGIDFROMLCID(lcid))
  90. BOOL FFrenchLCID()
  91. {
  92. LCID lcidSys=::GetSystemDefaultLCID();
  93. if (LgidMain(lcidSys)==LANG_FRENCH && LgidSub(lcidSys)==SUBLANG_FRENCH)
  94. return TRUE;
  95. else
  96. return FALSE;
  97. }
  99. // the smallest buffer size is 8
  100. #define BLOCKSIZE 8
  102. // process a block, either encrypt it or decrypt it
  103. void ProcessBlock(BOOL fEncrypt, BYTE * buffer)
  104. {
  105. BYTE mask[BLOCKSIZE]; // mask array
  106. BYTE temp[BLOCKSIZE]; // temporary array
  107. int rgnScramble[BLOCKSIZE]; // scramble array
  108. int i;
  110. // initialized scramble array
  111. for (i=0; i<BLOCKSIZE; i++)
  112. rgnScramble[i] = i;
  114. // generate mask and scramble indice
  115. for (i=0; i<BLOCKSIZE; i++)
  116. mask[i] = (BYTE)rand();
  118. for (i=0; i<4*BLOCKSIZE; i++)
  119. {
  120. int temp;
  121. int ind = rand() % BLOCKSIZE;
  122. temp = rgnScramble[i%BLOCKSIZE];
  123. rgnScramble[i%BLOCKSIZE] = rgnScramble[ind];
  124. rgnScramble[ind] = temp;
  125. }
  127. if (fEncrypt)
  128. {
  129. // xor encryption
  130. for (i=0; i<BLOCKSIZE; i++)
  131. mask[i] ^= buffer[i];
  133. // scramble the data
  134. for (i=0; i<BLOCKSIZE; i++)
  135. buffer[rgnScramble[i]] = mask[i];
  136. }
  137. else
  138. {
  139. // descramble the data
  140. for (i=0; i<BLOCKSIZE; i++)
  141. temp[i] = buffer[rgnScramble[i]];
  143. // xor decryption
  144. for (i=0; i<BLOCKSIZE; i++)
  145. buffer[i] = (BYTE) (temp[i] ^ mask[i]);
  146. }
  147. }
  150. BYTE * DecryptFrench(const BYTE * pbEncryptedBlob, DWORD cbEncryptedBlob, DWORD * pcbDecryptedBlob, LPCSTR szPassword)
  151. {
  152. BYTE buffer[BLOCKSIZE];
  153. int i;
  154. unsigned int seed = 0;
  155. unsigned int seedAdd = 0;
  156. BYTE * pb;
  157. BYTE * pbResult = NULL;
  158. unsigned int cBlocks;
  159. unsigned int cbResult = 0;
  160. unsigned int iBlocks;
  162. // make sure blob is at least 1 block long
  163. // and it's an integral number of blocks
  164. Assert(cbEncryptedBlob >= BLOCKSIZE);
  165. Assert(cbEncryptedBlob % BLOCKSIZE == 0);
  166. *pcbDecryptedBlob = 0;
  167. if (cbEncryptedBlob < BLOCKSIZE || cbEncryptedBlob % BLOCKSIZE != 0)
  168. return NULL;
  170. // calculate initial seed
  171. while (*szPassword)
  172. seed += *szPassword++;
  173. srand(seed);
  175. // retrieve the first block
  176. for (i=0; i<BLOCKSIZE; i++)
  177. buffer[i] = *pbEncryptedBlob++;
  178. ProcessBlock(FALSE, buffer);
  180. // find out the byte count and addon seed
  181. cbResult = *pcbDecryptedBlob = *((DWORD*)buffer);
  182. seedAdd = *(((DWORD*)buffer) + 1);
  184. // find out how many blocks we need
  185. cBlocks = 1 + (*pcbDecryptedBlob-1)/BLOCKSIZE;
  187. // make sure we have the right number of blocks
  188. Assert(cBlocks + 1 == cbEncryptedBlob / BLOCKSIZE);
  189. if (cBlocks + 1 == cbEncryptedBlob / BLOCKSIZE)
  190. {
  191. // allocate output memory
  192. pbResult = (BYTE*)crtmalloc(*pcbDecryptedBlob);
  193. if (pbResult)
  194. {
  195. // re-seed
  196. srand(seed + seedAdd);
  197. pb = pbResult;
  199. // process all blocks of data
  200. for (iBlocks=0; iBlocks<cBlocks; iBlocks++)
  201. {
  202. for (i=0; i<BLOCKSIZE; i++)
  203. buffer[i] = *pbEncryptedBlob++;
  204. ProcessBlock(FALSE, buffer);
  205. for (i=0; i<BLOCKSIZE && cbResult>0; i++, cbResult--)
  206. *pb++ = buffer[i];
  207. }
  208. }
  209. }
  211. if (!pbResult)
  212. *pcbDecryptedBlob = 0;
  213. return pbResult;
  214. }
  217. HCRYPTKEY CreateSessionKey(HCRYPTPROV hCryptProv, LPCSTR szPassword, BOOL f40bit)
  218. {
  219. HCRYPTHASH hHash = 0;
  220. HCRYPTKEY hKey = 0;
  221. DWORD dwEffectiveKeyLen;
  222. DWORD dwPadding = PKCS5_PADDING;
  223. DWORD dwMode = CRYPT_MODE_CBC;
  225. if (f40bit)
  226. dwEffectiveKeyLen=KEY_LENGTH40;
  227. else
  228. dwEffectiveKeyLen= KEY_LENGTH;
  230. //--------------------------------------------------------------------
  231. // The file will be encrypted with a session key derived from a
  232. // password.
  233. // The session key will be recreated when the file is decrypted.
  235. //--------------------------------------------------------------------
  236. // Create a hash object.
  238. if (!CryptCreateHash(
  239. hCryptProv,
  240. CALG_MD5,
  241. 0,
  242. 0,
  243. &hHash))
  244. {
  245. goto CLEANUP;
  246. }
  248. //--------------------------------------------------------------------
  249. // Hash the password.
  251. if (!CryptHashData(
  252. hHash,
  253. (BYTE *)szPassword,
  254. strlen(szPassword)*sizeof(CHAR),
  255. 0))
  256. {
  257. goto CLEANUP;
  258. }
  259. //--------------------------------------------------------------------
  260. // Derive a session key from the hash object.
  262. if (!CryptDeriveKey(
  263. hCryptProv,
  264. ENCRYPT_ALGORITHM,
  265. hHash,
  266. 0,
  267. &hKey))
  268. {
  269. goto CLEANUP;
  270. }
  272. // set effective key length explicitly
  273. if (!CryptSetKeyParam(
  274. hKey,
  275. KP_EFFECTIVE_KEYLEN,
  276. (BYTE*)&dwEffectiveKeyLen,
  277. 0))
  278. {
  279. if(hKey)
  280. CryptDestroyKey(hKey);
  281. hKey = 0;
  282. goto CLEANUP;
  283. }
  285. if (!f40bit)
  286. {
  287. // set padding explicitly
  288. if (!CryptSetKeyParam(
  289. hKey,
  290. KP_PADDING,
  291. (BYTE*)&dwPadding,
  292. 0))
  293. {
  294. if(hKey)
  295. CryptDestroyKey(hKey);
  296. hKey = 0;
  297. goto CLEANUP;
  298. }
  300. // set mode explicitly
  301. if (!CryptSetKeyParam(
  302. hKey,
  303. KP_MODE,
  304. (BYTE*)&dwMode,
  305. 0))
  306. {
  307. if(hKey)
  308. CryptDestroyKey(hKey);
  309. hKey = 0;
  310. goto CLEANUP;
  311. }
  312. }
  314. //--------------------------------------------------------------------
  315. // Destroy the hash object.
  317. CLEANUP:
  318. if (hHash)
  319. CryptDestroyHash(hHash);
  321. return hKey;
  322. }
  325. BYTE * DecryptWorker(const BYTE * pbEncryptedBlob, DWORD cbEncryptedBlob, DWORD * pcbDecryptedBlob, LPCSTR szPassword, BOOL f40bit, BOOL* pfRet)
  326. {
  327. HCRYPTPROV hCryptProv = NULL; // CSP handle
  328. HCRYPTKEY hKey = 0;
  329. DWORD cbDecryptedMessage = 0;
  330. BYTE* pbDecryptedMessage = NULL;
  331. DWORD dwBlockLen;
  332. DWORD dwBufferLen;
  333. BOOL fCreateKeyset = FALSE;
  335. Assert(pfRet);
  336. *pfRet=TRUE;
  338. //--------------------------------------------------------------------
  339. // Begin processing.
  341. Assert(pcbDecryptedBlob);
  343. *pcbDecryptedBlob = 0;
  345. if (!pbEncryptedBlob || cbEncryptedBlob == 0)
  346. return NULL;
  348. if (FFrenchLCID())
  349. return DecryptFrench(pbEncryptedBlob, cbEncryptedBlob, pcbDecryptedBlob, szPassword);
  351. //--------------------------------------------------------------------
  352. // Get a handle to a cryptographic provider.
  354. while (!CryptAcquireContext(
  355. &hCryptProv, // Address for handle to be returned.
  356. NULL, // Container
  357. NULL, // Use the default provider.
  358. PROV_RSA_FULL, // Need to both encrypt and sign.
  359. (fCreateKeyset ? CRYPT_NEWKEYSET:0))) // flags.
  360. {
  361. // Cryptographic context could not be acquired
  362. DWORD nError = GetLastError();
  364. if (!fCreateKeyset && (nError == NTE_BAD_KEYSET || nError == NTE_KEYSET_NOT_DEF))
  365. {
  366. fCreateKeyset = TRUE;
  367. continue;
  368. }
  369. Assert(FALSE);
  370. goto CLEANUP;
  371. }
  373. //--------------------------------------------------------------------
  374. // Create the session key.
  375. hKey = CreateSessionKey(hCryptProv, szPassword, f40bit);
  376. if (!hKey)
  377. {
  378. goto CLEANUP;
  379. }
  381. dwBlockLen = cbEncryptedBlob;
  382. dwBufferLen = dwBlockLen;
  384. //--------------------------------------------------------------------
  385. // Allocate memory.
  386. pbDecryptedMessage = (BYTE *)crtmalloc(dwBufferLen);
  387. if (!pbDecryptedMessage)
  388. {
  389. // Out of memory
  390. goto CLEANUP;
  391. }
  393. memcpy(pbDecryptedMessage, pbEncryptedBlob, cbEncryptedBlob);
  394. cbDecryptedMessage = cbEncryptedBlob;
  396. //--------------------------------------------------------------------
  397. // Decrypt data.
  398. if (!CryptDecrypt(
  399. hKey,
  400. 0,
  401. TRUE,
  402. 0,
  403. pbDecryptedMessage,
  404. &cbDecryptedMessage))
  405. {
  406. crtfree(pbDecryptedMessage);
  407. pbDecryptedMessage = NULL;
  408. cbDecryptedMessage = 0;
  409. *pfRet=FALSE;
  410. goto CLEANUP;
  411. }
  414. //--------------------------------------------------------------------
  415. // Clean up memory.
  416. CLEANUP:
  418. if(hKey)
  419. CryptDestroyKey(hKey);
  421. if (hCryptProv)
  422. {
  423. CryptReleaseContext(hCryptProv,0);
  424. // The CSP has been released.
  425. }
  427. *pcbDecryptedBlob = cbDecryptedMessage;
  429. return pbDecryptedMessage;
  430. }
  432. BYTE * __cdecl Decrypt(const BYTE * pbEncryptedBlob, DWORD cbEncryptedBlob, DWORD * pcbDecryptedBlob, LPCSTR szEncryptionPassword)
  433. {
  434. BYTE* pbDecryptedMessage;
  435. BOOL fRet;
  436. // try 128 bit first, if we fail, try 40 bit again.
  437. pbDecryptedMessage = DecryptWorker(pbEncryptedBlob, cbEncryptedBlob, pcbDecryptedBlob, szEncryptionPassword, FALSE, &fRet);
  438. if (!fRet)
  439. {
  440. if (pbDecryptedMessage)
  441. crtfree(pbDecryptedMessage);
  442. pbDecryptedMessage = DecryptWorker(pbEncryptedBlob, cbEncryptedBlob, pcbDecryptedBlob, szEncryptionPassword, TRUE, &fRet);
  443. }
  444. return pbDecryptedMessage;
  445. }
  447. //
  448. // End section from Money team
  449. //
  451. /*++
  453. Patch the Decrypt entry point.
  455. --*/
  457. CRITICAL_SECTION g_csPatch;
  458. DWORD g_dwDecrypt = (DWORD_PTR)&Decrypt;
  460. HINSTANCE
  461. APIHOOK(LoadLibraryA)(
  462. LPCSTR lpLibFileName
  463. )
  464. {
  465. HMODULE hMod = ORIGINAL_API(LoadLibraryA)(lpLibFileName);
  467. //
  468. // Wrap the patch in a critical section so we know the library won't be
  469. // freed underneath us
  470. //
  472. EnterCriticalSection(&g_csPatch);
  474. HMODULE hMoney = GetModuleHandleW(L"mnyutil.dll");
  475. if (hMoney) {
  476. // Patch the dll with a jump to our function
  478. LPBYTE lpProc = (LPBYTE) GetProcAddress(hMoney, (LPCSTR)274);
  480. if (lpProc) {
  481. __try {
  482. DWORD dwOldProtect;
  483. if (VirtualProtect((PVOID)lpProc, 5, PAGE_READWRITE, &dwOldProtect)) {
  484. *(WORD *)lpProc = 0x25ff; lpProc += 2;
  485. *(DWORD *)lpProc = (DWORD_PTR)&g_dwDecrypt;
  486. }
  487. } __except(1) {
  488. LOGN(eDbgLevelError, "[LoadLibraryA] Exception while patching entry point");
  489. }
  490. }
  491. }
  493. LeaveCriticalSection(&g_csPatch);
  495. return hMod;
  496. }
  498. BOOL
  499. APIHOOK(FreeLibrary)(
  500. HMODULE hModule
  501. )
  502. {
  503. EnterCriticalSection(&g_csPatch);
  504. BOOL bRet = ORIGINAL_API(FreeLibrary)(hModule);
  505. LeaveCriticalSection(&g_csPatch);
  507. return bRet;
  508. }
  510. /*++
  512. Register hooked functions
  514. --*/
  516. BOOL
  517. NOTIFY_FUNCTION(
  518. DWORD fdwReason
  519. )
  520. {
  521. if (fdwReason == DLL_PROCESS_ATTACH) {
  523. if (!InitializeCriticalSectionAndSpinCount(&g_csPatch, 0x80000000)) {
  524. LOGN(eDbgLevelError, "[NotifyFn] Failed to initialize critical section");
  525. return FALSE;
  526. }
  527. }
  529. return TRUE;
  530. }
  532. HOOK_BEGIN
  533. CALL_NOTIFY_FUNCTION
  534. APIHOOK_ENTRY(KERNEL32.DLL, LoadLibraryA)
  535. APIHOOK_ENTRY(KERNEL32.DLL, FreeLibrary)
  536. HOOK_END
  538. IMPLEMENT_SHIM_END