archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/windows/appcompat/shims/specific/money2001.cpp

540 lines
13 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 2002 Microsoft Corporation
  5. Module Name:
  7. Money2001.cpp
  9. Abstract:
  11. Retry passwords at 128-bit encryption if 40-bit fails. Most code from Money
  12. team.
  14. We have to patch the API directly since it is called from within it's own
  15. DLL, i.e. it doesn't go through the import table.
  17. The function we're patching is cdecl and is referenced by it's ordinal
  18. because the name is mangled.
  20. Notes:
  22. This is an app specific shim.
  24. History:
  26. 07/11/2002 linstev Created
  27. 08/07/2002 linstev Fixed allocations to go through crt
  29. --*/
  31. #include "precomp.h"
  33. IMPLEMENT_SHIM_BEGIN(Money2001)
  34. #include "ShimHookMacro.h"
  35. #include <wincrypt.h>
  37. APIHOOK_ENUM_BEGIN
  38. APIHOOK_ENUM_ENTRY(LoadLibraryA)
  39. APIHOOK_ENUM_ENTRY(FreeLibrary)
  40. APIHOOK_ENUM_END
  42. #define Assert(a)
  44. void *crtmalloc(size_t size)
  45. {
  46. HMODULE hMod = GetModuleHandleW(L"msvcrt.dll");
  48. if (hMod) {
  50. typedef void * (__cdecl *_pfn_malloc)(size_t size);
  52. _pfn_malloc pfnmalloc = (_pfn_malloc) GetProcAddress(hMod, "malloc");
  53. if (pfnmalloc) {
  54. return pfnmalloc(size);
  55. }
  56. }
  58. return malloc(size);
  59. }
  61. void crtfree(void *memblock)
  62. {
  63. HMODULE hMod = GetModuleHandleW(L"msvcrt.dll");
  65. if (hMod) {
  67. _pfn_free pfnfree = (_pfn_free) GetProcAddress(hMod, "free");
  68. if (pfnfree) {
  69. pfnfree(memblock);
  70. return;
  71. }
  72. }
  74. free(memblock);
  75. }
  78. //
  79. // This section from the Money team
  80. //
  82. #define MAXLEN (100)
  83. #define ENCRYPT_BLOCK_SIZE (8)
  84. #define ENCRYPT_ALGORITHM CALG_RC2
  85. #define KEY_LENGTH (128)
  86. #define KEY_LENGTH40 (40)
  88. #define LgidMain(lcid) PRIMARYLANGID(LANGIDFROMLCID(lcid))
  89. #define LgidSub(lcid) SUBLANGID(LANGIDFROMLCID(lcid))
  91. BOOL FFrenchLCID()
  92. {
  93. LCID lcidSys=::GetSystemDefaultLCID();
  94. if (LgidMain(lcidSys)==LANG_FRENCH && LgidSub(lcidSys)==SUBLANG_FRENCH)
  95. return TRUE;
  96. else
  97. return FALSE;
  98. }
  100. // the smallest buffer size is 8
  101. #define BLOCKSIZE 8
  103. // process a block, either encrypt it or decrypt it
  104. void ProcessBlock(BOOL fEncrypt, BYTE * buffer)
  105. {
  106. BYTE mask[BLOCKSIZE]; // mask array
  107. BYTE temp[BLOCKSIZE]; // temporary array
  108. int rgnScramble[BLOCKSIZE]; // scramble array
  109. int i;
  111. // initialized scramble array
  112. for (i=0; i<BLOCKSIZE; i++)
  113. rgnScramble[i] = i;
  115. // generate mask and scramble indice
  116. for (i=0; i<BLOCKSIZE; i++)
  117. mask[i] = (BYTE)rand();
  119. for (i=0; i<4*BLOCKSIZE; i++)
  120. {
  121. int temp;
  122. int ind = rand() % BLOCKSIZE;
  123. temp = rgnScramble[i%BLOCKSIZE];
  124. rgnScramble[i%BLOCKSIZE] = rgnScramble[ind];
  125. rgnScramble[ind] = temp;
  126. }
  128. if (fEncrypt)
  129. {
  130. // xor encryption
  131. for (i=0; i<BLOCKSIZE; i++)
  132. mask[i] ^= buffer[i];
  134. // scramble the data
  135. for (i=0; i<BLOCKSIZE; i++)
  136. buffer[rgnScramble[i]] = mask[i];
  137. }
  138. else
  139. {
  140. // descramble the data
  141. for (i=0; i<BLOCKSIZE; i++)
  142. temp[i] = buffer[rgnScramble[i]];
  144. // xor decryption
  145. for (i=0; i<BLOCKSIZE; i++)
  146. buffer[i] = (BYTE) (temp[i] ^ mask[i]);
  147. }
  148. }
  151. BYTE * DecryptFrench(const BYTE * pbEncryptedBlob, DWORD cbEncryptedBlob, DWORD * pcbDecryptedBlob, LPCSTR szPassword)
  152. {
  153. BYTE buffer[BLOCKSIZE];
  154. int i;
  155. unsigned int seed = 0;
  156. unsigned int seedAdd = 0;
  157. BYTE * pb;
  158. BYTE * pbResult = NULL;
  159. unsigned int cBlocks;
  160. unsigned int cbResult = 0;
  161. unsigned int iBlocks;
  163. // make sure blob is at least 1 block long
  164. // and it's an integral number of blocks
  165. Assert(cbEncryptedBlob >= BLOCKSIZE);
  166. Assert(cbEncryptedBlob % BLOCKSIZE == 0);
  167. *pcbDecryptedBlob = 0;
  168. if (cbEncryptedBlob < BLOCKSIZE || cbEncryptedBlob % BLOCKSIZE != 0)
  169. return NULL;
  171. // calculate initial seed
  172. while (*szPassword)
  173. seed += *szPassword++;
  174. srand(seed);
  176. // retrieve the first block
  177. for (i=0; i<BLOCKSIZE; i++)
  178. buffer[i] = *pbEncryptedBlob++;
  179. ProcessBlock(FALSE, buffer);
  181. // find out the byte count and addon seed
  182. cbResult = *pcbDecryptedBlob = *((DWORD*)buffer);
  183. seedAdd = *(((DWORD*)buffer) + 1);
  185. // find out how many blocks we need
  186. cBlocks = 1 + (*pcbDecryptedBlob-1)/BLOCKSIZE;
  188. // make sure we have the right number of blocks
  189. Assert(cBlocks + 1 == cbEncryptedBlob / BLOCKSIZE);
  190. if (cBlocks + 1 == cbEncryptedBlob / BLOCKSIZE)
  191. {
  192. // allocate output memory
  193. pbResult = (BYTE*)crtmalloc(*pcbDecryptedBlob);
  194. if (pbResult)
  195. {
  196. // re-seed
  197. srand(seed + seedAdd);
  198. pb = pbResult;
  200. // process all blocks of data
  201. for (iBlocks=0; iBlocks<cBlocks; iBlocks++)
  202. {
  203. for (i=0; i<BLOCKSIZE; i++)
  204. buffer[i] = *pbEncryptedBlob++;
  205. ProcessBlock(FALSE, buffer);
  206. for (i=0; i<BLOCKSIZE && cbResult>0; i++, cbResult--)
  207. *pb++ = buffer[i];
  208. }
  209. }
  210. }
  212. if (!pbResult)
  213. *pcbDecryptedBlob = 0;
  214. return pbResult;
  215. }
  218. HCRYPTKEY CreateSessionKey(HCRYPTPROV hCryptProv, LPCSTR szPassword, BOOL f40bit)
  219. {
  220. HCRYPTHASH hHash = 0;
  221. HCRYPTKEY hKey = 0;
  222. DWORD dwEffectiveKeyLen;
  223. DWORD dwPadding = PKCS5_PADDING;
  224. DWORD dwMode = CRYPT_MODE_CBC;
  226. if (f40bit)
  227. dwEffectiveKeyLen=KEY_LENGTH40;
  228. else
  229. dwEffectiveKeyLen= KEY_LENGTH;
  231. //--------------------------------------------------------------------
  232. // The file will be encrypted with a session key derived from a
  233. // password.
  234. // The session key will be recreated when the file is decrypted.
  236. //--------------------------------------------------------------------
  237. // Create a hash object.
  239. if (!CryptCreateHash(
  240. hCryptProv,
  241. CALG_MD5,
  242. 0,
  243. 0,
  244. &hHash))
  245. {
  246. goto CLEANUP;
  247. }
  249. //--------------------------------------------------------------------
  250. // Hash the password.
  252. if (!CryptHashData(
  253. hHash,
  254. (BYTE *)szPassword,
  255. strlen(szPassword)*sizeof(CHAR),
  256. 0))
  257. {
  258. goto CLEANUP;
  259. }
  260. //--------------------------------------------------------------------
  261. // Derive a session key from the hash object.
  263. if (!CryptDeriveKey(
  264. hCryptProv,
  265. ENCRYPT_ALGORITHM,
  266. hHash,
  267. 0,
  268. &hKey))
  269. {
  270. goto CLEANUP;
  271. }
  273. // set effective key length explicitly
  274. if (!CryptSetKeyParam(
  275. hKey,
  276. KP_EFFECTIVE_KEYLEN,
  277. (BYTE*)&dwEffectiveKeyLen,
  278. 0))
  279. {
  280. if(hKey)
  281. CryptDestroyKey(hKey);
  282. hKey = 0;
  283. goto CLEANUP;
  284. }
  286. if (!f40bit)
  287. {
  288. // set padding explicitly
  289. if (!CryptSetKeyParam(
  290. hKey,
  291. KP_PADDING,
  292. (BYTE*)&dwPadding,
  293. 0))
  294. {
  295. if(hKey)
  296. CryptDestroyKey(hKey);
  297. hKey = 0;
  298. goto CLEANUP;
  299. }
  301. // set mode explicitly
  302. if (!CryptSetKeyParam(
  303. hKey,
  304. KP_MODE,
  305. (BYTE*)&dwMode,
  306. 0))
  307. {
  308. if(hKey)
  309. CryptDestroyKey(hKey);
  310. hKey = 0;
  311. goto CLEANUP;
  312. }
  313. }
  315. //--------------------------------------------------------------------
  316. // Destroy the hash object.
  318. CLEANUP:
  319. if (hHash)
  320. CryptDestroyHash(hHash);
  322. return hKey;
  323. }
  326. BYTE * DecryptWorker(const BYTE * pbEncryptedBlob, DWORD cbEncryptedBlob, DWORD * pcbDecryptedBlob, LPCSTR szPassword, BOOL f40bit, BOOL* pfRet)
  327. {
  328. HCRYPTPROV hCryptProv = NULL; // CSP handle
  329. HCRYPTKEY hKey = 0;
  330. DWORD cbDecryptedMessage = 0;
  331. BYTE* pbDecryptedMessage = NULL;
  332. DWORD dwBlockLen;
  333. DWORD dwBufferLen;
  334. BOOL fCreateKeyset = FALSE;
  336. Assert(pfRet);
  337. *pfRet=TRUE;
  339. //--------------------------------------------------------------------
  340. // Begin processing.
  342. Assert(pcbDecryptedBlob);
  344. *pcbDecryptedBlob = 0;
  346. if (!pbEncryptedBlob || cbEncryptedBlob == 0)
  347. return NULL;
  349. if (FFrenchLCID())
  350. return DecryptFrench(pbEncryptedBlob, cbEncryptedBlob, pcbDecryptedBlob, szPassword);
  352. //--------------------------------------------------------------------
  353. // Get a handle to a cryptographic provider.
  355. while (!CryptAcquireContext(
  356. &hCryptProv, // Address for handle to be returned.
  357. NULL, // Container
  358. NULL, // Use the default provider.
  359. PROV_RSA_FULL, // Need to both encrypt and sign.
  360. (fCreateKeyset ? CRYPT_NEWKEYSET:0))) // flags.
  361. {
  362. // Cryptographic context could not be acquired
  363. DWORD nError = GetLastError();
  365. if (!fCreateKeyset && (nError == NTE_BAD_KEYSET || nError == NTE_KEYSET_NOT_DEF))
  366. {
  367. fCreateKeyset = TRUE;
  368. continue;
  369. }
  370. Assert(FALSE);
  371. goto CLEANUP;
  372. }
  374. //--------------------------------------------------------------------
  375. // Create the session key.
  376. hKey = CreateSessionKey(hCryptProv, szPassword, f40bit);
  377. if (!hKey)
  378. {
  379. goto CLEANUP;
  380. }
  382. dwBlockLen = cbEncryptedBlob;
  383. dwBufferLen = dwBlockLen;
  385. //--------------------------------------------------------------------
  386. // Allocate memory.
  387. pbDecryptedMessage = (BYTE *)crtmalloc(dwBufferLen);
  388. if (!pbDecryptedMessage)
  389. {
  390. // Out of memory
  391. goto CLEANUP;
  392. }
  394. memcpy(pbDecryptedMessage, pbEncryptedBlob, cbEncryptedBlob);
  395. cbDecryptedMessage = cbEncryptedBlob;
  397. //--------------------------------------------------------------------
  398. // Decrypt data.
  399. if (!CryptDecrypt(
  400. hKey,
  401. 0,
  402. TRUE,
  403. 0,
  404. pbDecryptedMessage,
  405. &cbDecryptedMessage))
  406. {
  407. crtfree(pbDecryptedMessage);
  408. pbDecryptedMessage = NULL;
  409. cbDecryptedMessage = 0;
  410. *pfRet=FALSE;
  411. goto CLEANUP;
  412. }
  415. //--------------------------------------------------------------------
  416. // Clean up memory.
  417. CLEANUP:
  419. if(hKey)
  420. CryptDestroyKey(hKey);
  422. if (hCryptProv)
  423. {
  424. CryptReleaseContext(hCryptProv,0);
  425. // The CSP has been released.
  426. }
  428. *pcbDecryptedBlob = cbDecryptedMessage;
  430. return pbDecryptedMessage;
  431. }
  433. BYTE * __cdecl Decrypt(const BYTE * pbEncryptedBlob, DWORD cbEncryptedBlob, DWORD * pcbDecryptedBlob, LPCSTR szEncryptionPassword)
  434. {
  435. BYTE* pbDecryptedMessage;
  436. BOOL fRet;
  437. // try 128 bit first, if we fail, try 40 bit again.
  438. pbDecryptedMessage = DecryptWorker(pbEncryptedBlob, cbEncryptedBlob, pcbDecryptedBlob, szEncryptionPassword, FALSE, &fRet);
  439. if (!fRet)
  440. {
  441. if (pbDecryptedMessage)
  442. crtfree(pbDecryptedMessage);
  443. pbDecryptedMessage = DecryptWorker(pbEncryptedBlob, cbEncryptedBlob, pcbDecryptedBlob, szEncryptionPassword, TRUE, &fRet);
  444. }
  445. return pbDecryptedMessage;
  446. }
  448. //
  449. // End section from Money team
  450. //
  452. /*++
  454. Patch the Decrypt entry point.
  456. --*/
  458. CRITICAL_SECTION g_csPatch;
  459. DWORD g_dwDecrypt = (DWORD_PTR)&Decrypt;
  461. HINSTANCE
  462. APIHOOK(LoadLibraryA)(
  463. LPCSTR lpLibFileName
  464. )
  465. {
  466. HMODULE hMod = ORIGINAL_API(LoadLibraryA)(lpLibFileName);
  468. //
  469. // Wrap the patch in a critical section so we know the library won't be
  470. // freed underneath us
  471. //
  473. EnterCriticalSection(&g_csPatch);
  475. HMODULE hMoney = GetModuleHandleW(L"mnyutil.dll");
  476. if (hMoney) {
  477. // Patch the dll with a jump to our function
  479. LPBYTE lpProc = (LPBYTE) GetProcAddress(hMoney, (LPCSTR)274);
  481. if (lpProc) {
  482. __try {
  483. DWORD dwOldProtect;
  484. if (VirtualProtect((PVOID)lpProc, 5, PAGE_READWRITE, &dwOldProtect)) {
  485. *(WORD *)lpProc = 0x25ff; lpProc += 2;
  486. *(DWORD *)lpProc = (DWORD_PTR)&g_dwDecrypt;
  487. }
  488. } __except(1) {
  489. LOGN(eDbgLevelError, "[LoadLibraryA] Exception while patching entry point");
  490. }
  491. }
  492. }
  494. LeaveCriticalSection(&g_csPatch);
  496. return hMod;
  497. }
  499. BOOL
  500. APIHOOK(FreeLibrary)(
  501. HMODULE hModule
  502. )
  503. {
  504. EnterCriticalSection(&g_csPatch);
  505. BOOL bRet = ORIGINAL_API(FreeLibrary)(hModule);
  506. LeaveCriticalSection(&g_csPatch);
  508. return bRet;
  509. }
  511. /*++
  513. Register hooked functions
  515. --*/
  517. BOOL
  518. NOTIFY_FUNCTION(
  519. DWORD fdwReason
  520. )
  521. {
  522. if (fdwReason == DLL_PROCESS_ATTACH) {
  524. if (!InitializeCriticalSectionAndSpinCount(&g_csPatch, 0x80000000)) {
  525. LOGN(eDbgLevelError, "[NotifyFn] Failed to initialize critical section");
  526. return FALSE;
  527. }
  528. }
  530. return TRUE;
  531. }
  533. HOOK_BEGIN
  534. CALL_NOTIFY_FUNCTION
  535. APIHOOK_ENTRY(KERNEL32.DLL, LoadLibraryA)
  536. APIHOOK_ENTRY(KERNEL32.DLL, FreeLibrary)
  537. HOOK_END
  539. IMPLEMENT_SHIM_END