Mounir's Thoughts, by Mounir IDRASSI (http://www.blogger.com/profile/05041891014190291121)<br />
<br />
<b>Making VeraCrypt better</b> (2014-10-21)<br />
When I started VeraCrypt back in 2013, the project attracted little attention, but after the collapse of TrueCrypt the number of users started to grow.<br />
This prompted me to publish Linux and MacOSX versions of VeraCrypt, as requested by many, and to add other security enhancements by fixing a long list of vulnerabilities in the original TrueCrypt source, either discovered by the Open Crypto Audit project (<a href="https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf" target="_blank">https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf</a>), found by running static code analysis tools, or found by internal review of the source.<br />
<br />
The result was VeraCrypt 1.0e, which was published on September 4th 2014. It can be downloaded from <a href="https://veracrypt.codeplex.com/" target="_blank"><b>CodePlex</b></a> or <b><a href="https://sourceforge.net/projects/veracrypt/" target="_blank">SourceForge</a></b>.<br />
<br />
After the publication of the interview I had <b><a href="http://www.esecurityplanet.com/open-source-security/veracrypt-a-worthy-truecrypt-alternative.html" target="_blank">with Paul Rubens from "eSecurity Planet"</a></b>, many people started asking about the list of enhancements implemented so far in VeraCrypt. I posted an answer to that in the CodePlex discussion forum: <b><a href="https://veracrypt.codeplex.com/discussions/569777#PostContent_1313325" target="_blank">https://veracrypt.codeplex.com/discussions/569777#PostContent_1313325</a></b><br />
<br />
And what's next? The next target is to deprecate the aging RIPEMD-160, especially in boot encryption, and to replace it with SHA-256. This requires a lot of work because of the bootloader constraints, but hopefully I'll be able to publish a beta version soon.<br />
<br />
Also, in order to give users the freedom to choose the security level they need, and for those who complain about the slowness of VeraCrypt, a security level choice will be introduced: when creating VeraCrypt encrypted containers or when encrypting the system partition, the user will be able to choose between a high security level (equivalent to what VeraCrypt does now), a medium level and a low security level.<br />
Hopefully, this will help accelerate the adoption of VeraCrypt among a wider segment of users.<br />
Paris, France<br />
<br />
<b>Fixing VirtualBox mounting shared folders issue</b> (2014-05-12)<br />
As a VirtualBox user, I recently started to encounter issues mounting shared folders into Linux guest VMs. The usual mount command started to fail with a "<b>wrong fs type</b>" error after updating the VirtualBox Guest Additions, and I couldn't understand why.<br />
<br />
After some research, I found that this was due to the upgrade script of the Guest Additions being confused by the presence of several VBoxGuestAdditions-4.XXX directories under <b>/opt</b>: it failed to pick the most recent one when creating the symbolic link under /usr/lib.<br />
<br />
So, to solve the issue, you have to create the symbolic link manually with the command:<br />
<div style="text-align: center;">
<span style="color: blue;"><b>sudo ln -s /opt/VBoxGuestAdditions-4.3.10/lib/VBoxGuestAdditions /usr/lib/.</b></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
In the above, "4.3.10" is the latest version of the Guest Additions I installed. Replace it with the correct version in your case (list all the directories under <b>/opt</b> and pick the latest one whose name starts with VBoxGuestAdditions).</div>
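Added example, not code from the original post: the same fix done by a script that selects the newest VBoxGuestAdditions-&lt;version&gt; directory by comparing the version numbers numerically (plain string ordering would rank 4.3.8 above 4.3.10), checks that a lib/VBoxGuestAdditions directory really exists there, and recreates the symlink, replacing a stale one. The directory and link names are the ones used above; the <code>/opt</code> and <code>/usr/lib</code> locations are parameters so the functions can be exercised against a scratch directory. Like the ln -s command, writing into /usr/lib needs root.

```python
import os
import re
from pathlib import Path

# Added example, not code from the original post: recreate the symbolic link
# that the Guest Additions upgrade script failed to create, picking the newest
# /opt/VBoxGuestAdditions-<version> directory by numeric version.

VBOX_DIR_RE = re.compile(r"^VBoxGuestAdditions-(\d+(?:\.\d+)*)$")


def version_key(name):
    """Numeric version tuple of a VBoxGuestAdditions-<version> name, so that
    4.3.10 ranks above 4.3.8 (plain string order would rank it below)."""
    m = VBOX_DIR_RE.match(name)
    if not m:
        raise ValueError(f"not a Guest Additions directory name: {name}")
    return tuple(int(part) for part in m.group(1).split("."))


def newest_guest_additions(names):
    """Highest-versioned VBoxGuestAdditions-* entry among `names`; unrelated
    entries are ignored and None is returned if there is no candidate."""
    candidates = [n for n in names if VBOX_DIR_RE.match(n)]
    return max(candidates, key=version_key) if candidates else None


def relink_guest_additions(opt_dir, lib_dir):
    """Point <lib_dir>/VBoxGuestAdditions at the newest
    <opt_dir>/VBoxGuestAdditions-<version>/lib/VBoxGuestAdditions and return
    that target path as a string."""
    opt_dir, lib_dir = Path(opt_dir), Path(lib_dir)
    newest = newest_guest_additions(os.listdir(opt_dir))
    if newest is None:
        raise FileNotFoundError(f"no VBoxGuestAdditions-* directory under {opt_dir}")
    target = opt_dir / newest / "lib" / "VBoxGuestAdditions"
    if not target.is_dir():
        raise FileNotFoundError(f"{target} is missing: that install is incomplete")
    link = lib_dir / "VBoxGuestAdditions"
    # A stale link left over from a removed version is replaced; a real
    # directory of the same name is not touched.
    if link.is_symlink():
        link.unlink()
    elif link.exists():
        raise FileExistsError(f"{link} exists and is not a symlink; refusing to replace it")
    os.symlink(target, link)
    return str(target)


if __name__ == "__main__":
    # Same effect as the ln -s command above; writing into /usr/lib needs root.
    print(relink_guest_additions("/opt", "/usr/lib"))
```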
<br />
<b>Compiling ARM desktop applications for Windows 8 RT?</b> (2013-01-22)<br />
Microsoft has disabled compiling ARM desktop applications in Visual Studio 2012, even though it is technically possible and the binaries run without issue (provided that they are signed by Microsoft).<br />
<br />
In order to re-enable support for building ARM desktop applications in Visual Studio 2012, follow these two steps:<br />
<ul>
<li>Edit the file "<b>C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V110\Platforms\ARM\Microsoft.Cpp.ARM.Common.props</b>" and add the following line to its <code>&lt;PropertyGroup&gt;</code> section: <span style="color: blue;"><code>&lt;WindowsSDKDesktopARMSupport&gt;true&lt;/WindowsSDKDesktopARMSupport&gt;</code></span></li>
<li>Add the following define to your project, Makefile or command line through the /D switch: <span style="color: blue;">_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE</span>. </li>
</ul>
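As an added example (not from the original post), here is the edit of step 1 made with an XML parser rather than by hand, so the .props file stays well-formed and running it twice does not add a second element. It assumes the file declares the standard MSBuild namespace <code>http://schemas.microsoft.com/developer/msbuild/2003</code>, and the built-in sample is a constructed miniature of the file, not the real one.

```python
import xml.etree.ElementTree as ET

# Added example (not part of the original post): make the
# Microsoft.Cpp.ARM.Common.props edit from step 1 with an XML parser, so the
# file stays well-formed and the edit is idempotent.
# Assumption: the .props file uses the standard MSBuild namespace below.

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
PROP = "WindowsSDKDesktopARMSupport"
NS = {"m": MSBUILD_NS}


def enable_desktop_arm(props_xml: str) -> str:
    """Return `props_xml` with <WindowsSDKDesktopARMSupport>true</...> in its
    first <PropertyGroup>. An existing element is updated in place, so the
    function is idempotent; a file with no PropertyGroup gets one."""
    ET.register_namespace("", MSBUILD_NS)   # keep the default namespace unprefixed on output
    root = ET.fromstring(props_xml)
    group = root.find("m:PropertyGroup", NS)
    if group is None:
        group = ET.SubElement(root, f"{{{MSBUILD_NS}}}PropertyGroup")
    elem = group.find(f"m:{PROP}", NS)
    if elem is None:
        elem = ET.SubElement(group, f"{{{MSBUILD_NS}}}{PROP}")
    elem.text = "true"
    return ET.tostring(root, encoding="unicode")


def desktop_arm_enabled(props_xml: str) -> bool:
    """True if any PropertyGroup sets WindowsSDKDesktopARMSupport to true."""
    root = ET.fromstring(props_xml)
    return any((e.text or "").strip().lower() == "true"
               for e in root.findall(f"m:PropertyGroup/m:{PROP}", NS))


# Constructed miniature standing in for the real .props file (which is much
# longer); it sets the property to false so the update-in-place path is exercised.
SAMPLE_PROPS = f"""<Project xmlns="{MSBUILD_NS}">
  <PropertyGroup>
    <WindowsSDKDesktopARMSupport>false</WindowsSDKDesktopARMSupport>
  </PropertyGroup>
</Project>"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1]   # e.g. the Microsoft.Cpp.ARM.Common.props path above
    with open(path, encoding="utf-8-sig") as f:
        original = f.read()
    with open(path, "w", encoding="utf-8") as f:
        f.write(enable_desktop_arm(original))
```

Run it on the real file from an elevated prompt, since the Program Files tree is not writable by a normal user; step 2 (the <code>_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE</code> define) is unchanged.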
<br />
<b>Backup and restore Windows 7 activation status (Offline activation after reinstall)</b> (2013-01-16)<br />
This post is just a reminder of the necessary steps to back up the Windows 7 activation status before doing a clean re-install and then restore it afterwards.<br />
They are taken from the post at the following link: <a href="http://www.mydigitallife.info/how-to-backup-and-restore-windows-7-and-server-2008-r2-activation-status-activate-offline-on-reinstall/">http://www.mydigitallife.info/how-to-backup-and-restore-windows-7-and-server-2008-r2-activation-status-activate-offline-on-reinstall/</a><br />
<ol>
<li>Copy the following activation-related files to an external storage medium such as a USB flash drive or portable hard disk drive:<br />
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\<b>Tokens.dat</b><br />
and C:\Windows\System32\spp\tokens\pkeyconfig\<b>pkeyconfig.xrm-ms</b><br />
Note: On a 64-bit (x64) OS, C:\Windows\SysWOW64\spp\tokens\pkeyconfig\<b>pkeyconfig.xrm-ms</b> has to be backed up too.</li>
<li>Retrieve and record the product key used to install and activate the current Windows 7 or Windows Server 2008 R2.</li>
<li>Reinstall Windows 7 or Windows Server 2008 R2. When the installation wizard prompts for a product key for activation, leave it blank (do not enter anything).</li>
<li>In the newly installed Windows operating system, stop the <b>Software Protection Service</b> in <b>Services.msc</b> or with the following command (run in elevated command prompt):
<span style="color: blue;"><span style="font-size: small;"><code>net stop sppsvc</code></span></span><br />
</li>
<li>Navigate to the following folder: <b>C:\Windows\System32\spp\tokens\pkeyconfig\</b><br />
Note: In 64-bit (x64) operating system, also perform the action in <b>C:\Windows\SysWOW64\spp\tokens\pkeyconfig\</b> folder.
</li>
<li>Take ownership of the <b>pkeyconfig.xrm-ms</b> file and give your user full control permissions (alternatively, add a "grant full control" right-click menu item).</li>
<li>Delete the original default <b>pkeyconfig.xrm-ms</b> file and replace it with the backup copy.</li>
<li>Navigate to the following folder: <b>C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\</b><br />
</li>
<li>Take ownership of the <b>tokens.dat</b> file and give your user full control permissions (alternatively, add a "grant full control" right-click menu item).</li>
<li>Delete the original default <b>tokens.dat</b> file and replace it with the backup copy.</li>
<li>Restart the <b>Software Protection Service</b> in <b>Services.msc</b> or with the following command (run in elevated command prompt):
<span style="color: blue;"><code>net start sppsvc</code></span><br />
</li>
<li>Register the product key for Windows 7 or Windows Server 2008 R2 with the following command (run in elevated command prompt):
<span style="color: blue;"><code>slmgr.vbs -ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx</code></span><br />
Replace xxxxx-xxxxx-xxxxx-xxxxx-xxxxx with the actual product key.</li>
<li>Windows will be activated instantly, offline. To check the activation status, use <code>slmgr.vbs -dlv</code> or <code>slmgr.vbs -dli</code> (<code>slmgr.vbs -ato</code> forces an activation attempt rather than just displaying the status):</li>
<ul>
<li><span style="color: blue;">slmgr.vbs -dlv</span></li>
<li><span style="color: blue;">slmgr.vbs -dli</span></li>
<li><span style="color: blue;">slmgr.vbs -ato</span></li>
</ul>
</ol>
<br />
<b>Advapi32 patch for 64-bit Windows XP SP2</b> (2011-07-29)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">I have been asked this week by a customer to provide the patch for the advapi32 dll on Windows XP SP2 64-bit, version number 5.2.3790.4455. For the 32-bit dll that resides in SysWOW64, it is the same as the one I have already published for Windows Server 2003 SP2. So, I only had to come up with the patch for the 64-bit dll. Without further delay, here are the patch bytes:<br />
<ul><li>Advapi32 dll version 5.2.3790.4455 in <span style="font-weight: bold;">SysWOW64</span> directory :<br />
</li>
<ul style="font-family: courier new;"><li>At offset 0x11E3F : change 75 to 90</li>
<li>At offset 0x11E40 : change 08 to 90</li>
<li>At offset 0x11E47 : change 74 to EB</li>
</ul></ul><ul><li>Advapi32 dll version 5.2.3790.4455 in <span style="font-weight: bold;">System32 </span>directory :<br />
</li>
<ul style="font-family: courier new;"><li>At offset 0x11B05 : change 0F to 90<br />
</li>
<li>At offset 0x11B06 : change 84 to E9<br />
</li>
<li>At offset 0x4D06F : change 0F to 90</li>
<li>At offset 0x4D070 : change 85 to 90</li>
<li>At offset 0x4D071 : change 96 to 90</li>
<li>At offset 0x4D072 : change 4A to 90</li>
<li>At offset 0x4D073 : change FC to 90</li>
<li>At offset 0x4D074 : change FF to 90</li>
</ul></ul></div><br />
<b>Alternative method to disable Certificate Propagation service</b> (2011-05-05)<br />
Apart from disabling the Certificate Propagation service under Vista/7 using the Services MMC, you can do the same by modifying the registry: under <b>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp</b>, set the REG_DWORD value <b>CertPropEnabled</b> to <b>0</b>. This will prevent the service from starting until you set it back to 1.<br />
<br />
<b>Advapi32 patch for 64-bit Vista SP2 and Windows 2008 SP2</b> (2011-02-20)<br />
Recently, a reader of this blog asked for the patch of the 64-bit advapi32 dll of Windows Server 2008 SP2 (version 6.0.6002.18005). So here it is (it also applies to Vista SP2 64-bit).<br />
For the 32-bit advapi32 dll on these systems, I have already published the corresponding patch in the following post about Vista SP2 : <a href="http://blog.idrassi.com/2009/08/advapi32-patch-for-windows-vista-sp2.html">http://blog.idrassi.com/2009/08/advapi32-patch-for-windows-vista-sp2.html</a><br />
<br />
<ul><li>Advapi32 dll in <span style="font-weight: bold;">System32 </span>directory, version 6.0.6002.18005:</li>
<ul style="font-family: courier new;"><li>At offset 0x2BC9D : change 75 to 90</li>
<li>At offset 0x2BC9E : change 0B to 90</li>
<li>At offset 0x2BCA4 : change 0F to 90</li>
<li>At offset 0x2BCA5 : change 84 to E9</li>
</ul></ul>Its new SHA-256 hash value that should be put in the manifest files is :<br />
<b>oUGG12aBTnJoj/xm5nagheO7ePTc0P3BfW1fxRdbwB4=</b><br />
<br />
<b>Advapi32 patch for Windows 7, 32-bit and 64-bit</b> (2010-02-02)<br />
It has been a long time since my last post about the release candidate for Windows 7. I have been quite busy since then and couldn't find time to come up with a patch.
Luckily, one reader of this blog, Natko Kalisnik, spent time working on this and contacted me recently to share his findings. His approach is different from the one I usually follow (his is more prudent), but it leads to the same result.
Without going into more detail, here it is for the 64-bit version of Windows 7. For the 32-bit version, just take the patch for the dll in SysWOW64.
cryptsp.dll 32-bit in SysWOW64, version <span style="font-weight: bold;">6.1.7600.16385</span> :
- At offset 0x3CF4 : change 0F to 90
- At offset 0x3CF5 : change 85 to E9
Its new SHA256 hash value is : <span style="font-weight: bold;">
+0SIH7z7WWOMju2QxD4MuCAdC4nnhijXHr8vCLIJ6HE=
</span>cryptsp.dll 64-bit in System32, version <span style="font-weight: bold;">6.1.7600.16385</span> :
- At offset 0x32E3 : change C3 to DB
- At offset 0x337D : change C3 to DB
- At offset 0x33C4 : change C3 to C4
And its new SHA256 hash value is : <span style="font-weight: bold;">
2STx7caFTALkBzuo3qvvdlsBddMCZNmSq/NTqtjK0Y4=</span>
A last word about how to apply this patch, for newcomers.
Some manifest files must be updated with the new hash values. They are located under C:\Windows\winsxs\Manifests:
For 32-bit : <span style="font-weight: bold;">x86_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_2933c430682017d9.manifest</span>
For 64-bit : <span style="font-weight: bold;">amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_85525fb4207d890f.manifest</span>
The hash value to be modified is in the XML node dsig:DigestValue.
Also, you need to replace cryptsp.dll with the patched one in the following folders under C:\Windows\winsxs :
For 32-bit : <span style="font-weight: bold;">x86_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_2933c430682017d9</span>
For 64-bit : <span style="font-weight: bold;">amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_6.1.7600.16385_none_85525fb4207d890f</span>
This is sufficient to have a running patched system. For a more complete patch, you can have a look at the directory C:\Windows\winsxs\Backup: it contains copies of the manifest files and dlls that you can also patch.
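The following is an added example of how I would apply and check the byte patches listed in this post and in the other advapi32/cryptsp patch posts on this page; it is not the author's tooling. It verifies that every original byte matches the listed value before writing anything (a mismatch means a different dll build, or a file that is already patched, and the patch must not be applied), writes the patched copy, and prints the base64 SHA-256 that goes into the manifest's dsig:DigestValue. It also names the x86 rewrite a patch performs: 0F 84 / 0F 85 followed by a 32-bit displacement is jz / jnz, 74 / 75 is the short form, E9 / EB is jmp, 90 is nop. So replacing 0F 84 with 90 E9 keeps the same jump target (the nop absorbs the extra opcode byte and the displacement is unchanged) but makes the jump unconditional, and overwriting the whole instruction with 90 bytes removes the branch. The sample buffer is constructed for the test, not a real dll; the patch table is the 32-bit cryptsp.dll one from this post.

```python
import base64
import hashlib

# Added example (not the author's tooling): apply a byte-level patch of the
# form used throughout these posts ("At offset X : change A to B") to a copy of
# the dll, refuse it if any original byte differs from the one listed, and
# compute the base64 SHA-256 that goes into the manifest's dsig:DigestValue.

# Windows 7 cryptsp.dll 32-bit (6.1.7600.16385) entries from this post:
# (file offset, expected original byte, replacement byte).
CRYPTSP_WIN7_X86 = [
    (0x3CF4, 0x0F, 0x90),
    (0x3CF5, 0x85, 0xE9),
]


def apply_patch(data: bytes, entries) -> bytes:
    """Return a patched copy of `data`. Every entry is checked before anything
    is written, so a wrong build or an already-patched file is rejected whole."""
    buf = bytearray(data)
    for offset, old, _new in entries:
        if offset >= len(buf):
            raise ValueError(f"offset {offset:#x} is past the end of the file ({len(buf)} bytes)")
        if buf[offset] != old:
            raise ValueError(f"offset {offset:#x}: found {buf[offset]:02X}, expected {old:02X}; "
                             "wrong dll version or file already patched")
    for offset, _old, new in entries:
        buf[offset] = new
    return bytes(buf)


def manifest_digest(data: bytes) -> str:
    """Base64 SHA-256 as it appears in dsig:DigestValue (the same encoding as
    the hash values quoted in these posts)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def patch_entries_change(entries):
    """Collapse a patch list into its (old, new) byte strings."""
    return bytes(e[1] for e in entries), bytes(e[2] for e in entries)


def describe_change(old: bytes, new: bytes) -> str:
    """Name the x86 rewrite the listed bytes perform. The patches on this page
    all neutralise the conditional jump taken on a signature mismatch, either
    by forcing it or by removing it; these are the opcodes involved."""
    cond = {0x84: "jz", 0x85: "jnz", 0x74: "jz", 0x75: "jnz"}
    if len(old) >= 2 and old[0] == 0x0F and old[1] in (0x84, 0x85):
        if new[:2] == b"\x90\xe9":
            # nop + jmp rel32 occupies the same 6 bytes and reuses the displacement.
            return f"{cond[old[1]]} rel32 -> nop; jmp rel32 (same target, branch now always taken)"
        if new == b"\x90" * 6:
            return f"{cond[old[1]]} rel32 -> 6 x nop (branch never taken)"
    if old[0] in (0x74, 0x75):
        if new[0] == 0xEB:
            return f"{cond[old[0]]} rel8 -> jmp rel8 (branch now always taken)"
        if new == b"\x90\x90":
            return f"{cond[old[0]]} rel8 -> 2 x nop (branch never taken)"
    return "unrecognised rewrite"


# Constructed stand-in for the dll: zero-filled, with the expected original
# bytes planted at the patch offsets. It only exercises the code; the real
# file must be the exact version named in the post.
SAMPLE_DLL = bytearray(0x4000)
for _off, _old, _new in CRYPTSP_WIN7_X86:
    SAMPLE_DLL[_off] = _old
SAMPLE_DLL = bytes(SAMPLE_DLL)

if __name__ == "__main__":
    import sys
    src, dst = sys.argv[1], sys.argv[2]   # original dll, where to write the patched copy
    with open(src, "rb") as f:
        patched = apply_patch(f.read(), CRYPTSP_WIN7_X86)
    with open(dst, "wb") as f:
        f.write(patched)
    print("rewrite:", describe_change(*patch_entries_change(CRYPTSP_WIN7_X86)))
    print("dsig:DigestValue =", manifest_digest(patched))
```

The digest printed for a genuine cryptsp.dll 6.1.7600.16385 should equal the value quoted above for that file; if it does not, the input was not the build the patch was made for.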
<br />
<b>UPX 3.04 with patches for MacOSX</b> (2009-11-15)<br />
The latest version of UPX (3.04) contained a bug that prevented it from correctly handling MacOSX binaries. A correction was committed to the source tree.
I have compiled a version of UPX 3.04 with this correction, and you can download the corresponding universal binaries from the following links:
<p>For UPX without LZMA support : <a href="http://www.idrix.fr/Root/MacOSX/upx-3.04-universal-macosx.tar.gz">click here</a> .
For UPX with LZMA support : <a href="http://www.idrix.fr/Root/MacOSX/upx-3.04-lzma-universal-macosx.tar.gz">click here</a>.</p><br />
<b>Advapi32 patch for Windows Vista SP2</b> (2009-08-19)<br />
Hi,
Here are the patch bytes for the advapi32 of Windows Vista SP2 that enable CSP testing without the MS signing process.
You'll also find the value of the SHA256 hash of the resulting dll: this value must be updated in the two manifest files associated with advapi32, which are located under <span style="font-weight: bold;">winsxs\Manifests</span> and <span style="font-weight: bold;">winsxs\backup</span>. To find them, just do a file name search for the strings "advapi32" and "6.0.6002.18005".
Do the same search to find the other folder, besides <span style="font-weight: bold;">winsxs\backup</span> and <span style="font-weight: bold;">system32</span>, where you must put the patched copy.
Patch for advapi32.dll version <span style="font-weight: bold;">6.0.6002.18005</span> :
- At offset 0x2C106 : change 75 to 90
- At offset 0x2C107 : change 0C to 90
- At offset 0x2C10E : change 0F to 90
- At offset 0x2C10F : change 84 to E9
The new SHA256 hash value is : <span style="font-weight: bold;">
UJ03+cGhkgBS/X7C/YIy+tu0ko+6sgJmmdHUexvsWSk=</span><br />
<br />
<b>Patch for new Advapi32 dll of Windows Server 2003 SP2</b> (2009-05-26)<br />
As for Windows XP SP3, Microsoft released through Windows Update a new version of Advapi32 for Windows Server 2003 SP2, with version number 5.2.3790.4455. Here is the corresponding patch:<div><ul><li>Advapi32 dll, version 5.2.3790.4455:
</li><ul style="font-family: 'courier new'; "><li>At offset 0x11E3F : change 75 to 90
</li><li>At offset 0x11E40 : change 08 to 90
</li><li>At offset 0x11E47 : change 74 to EB</li></ul></ul></div><br />
<b>Advapi32 patch for Windows 7 RC</b> (2009-05-03)<br />
After the recent release of Windows 7 RC, here is the patch for developing and testing CSPs under this new platform. Unlike previous Windows versions, and because of internal changes in Advapi32, the patch applies this time to cryptsp.dll and not to advapi32.dll... so the title of this post is really just for historical reasons!
Here is the patch :
<ul><li>Cryptsp dll, version 6.1.7100.0 :
</li><ul style="font-family: courier new;"><li>At offset 0x34CB : change 75 to 90
</li><li>At offset 0x34CC : change 10 to 90
</li><li>At offset 0x34D3 : change 75 to 90</li><li>At offset 0x34D4 : change 08 to 90</li></ul></ul>
The SHA-256 hash of the patched dll is in BASE64 encoding :
<span style="font-weight: bold;">6bzJDA9IknZNgyO8sugtmLZxMfeVvZBToZQ82P8ahFI=</span>
This value is needed in order to update the manifest files associated with cryptsp.dll in the WinSxS directory.<br />
<br />
<b>Patch for new Advapi32.dll of Windows XP SP3</b> (2009-04-28)<br />
On February 9th 2009, Microsoft released through Windows Update a new version of Advapi32 for Windows XP SP3, with version number 5.1.2600.5755. Here is the corresponding patch:
<ul><li>Advapi32 dll, version 5.1.2600.5755:
</li><ul style="font-family: courier new;"><li>At offset 0x175C1 : change 75 to 90
</li><li>At offset 0x175C2 : change 0C to 90
</li><li>At offset 0x175C9 : change 0F to 90</li><li>At offset 0x175CA : change 84 to E9</li></ul></ul><br />
<b>How to export/import CSP session keys in clear</b> (2008-11-11)<br />
Sometimes it's handy to export and import plaintext CSP session keys without being obliged to wrap them with RSA keys. For that, one can use a specially crafted RSA key whose public and private exponents are both set to 1: encryption and decryption with such a key always yield the clear value, so the exported blob carries the session key in clear.
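To see what the exponent-of-one trick produces on the wire, here is an added example (not the Knowledge Base article's code) that builds and parses the SIMPLEBLOB that CryptExportKey/CryptImportKey exchange under such a key. Because e = d = 1 makes the RSA step the identity, the "encrypted" field is exactly the PKCS#1 v1.5 type 2 block (00 02, random non-zero padding, 00, key), stored little-endian as CryptoAPI does for RSA output. The parser reverses the bytes and strips the padding, and rejects a blob exported under a real RSA key, whose reversed bytes do not form a type 2 block. The CryptoAPI constants and the 64-byte (512-bit) modulus length are assumptions stated in the code; the function names are mine.

```python
import os
import struct

# Added example (not the KB article's code): what an exponent-of-one exchange
# key does to a CryptoAPI SIMPLEBLOB. With e = d = 1 the RSA step is the
# identity, so the "encrypted" field is the PKCS#1 v1.5 type 2 block around the
# session key, stored little-endian. No RSA arithmetic is needed either way.
# Assumptions: a 64-byte (512-bit) modulus and the CryptoAPI constants below.

SIMPLEBLOB = 0x01
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
CALG_AES_128 = 0x0000660E
HEADER = struct.Struct("<BBHI")   # BLOBHEADER: bType, bVersion, reserved, aiKeyAlg


def plain_key_to_simpleblob(key: bytes, key_alg: int, modulus_len: int = 64) -> bytes:
    """Build the SIMPLEBLOB that CryptImportKey accepts under an exponent-one
    exchange key: BLOBHEADER, exchange ALG_ID, then the little-endian
    PKCS#1 type 2 block 00 02 <random non-zero PS> 00 <key>."""
    if len(key) > modulus_len - 11:
        raise ValueError("session key too long for the modulus (PKCS#1 needs 11 bytes of overhead)")
    ps_len = modulus_len - 3 - len(key)
    ps = b""
    while len(ps) < ps_len:                       # PS must contain no 0x00 byte
        ps += bytes(b for b in os.urandom(ps_len) if b)
    block = b"\x00\x02" + ps[:ps_len] + b"\x00" + key
    return (HEADER.pack(SIMPLEBLOB, CUR_BLOB_VERSION, 0, key_alg)
            + struct.pack("<I", CALG_RSA_KEYX)
            + block[::-1])                        # CryptoAPI stores the RSA output little-endian


def simpleblob_to_plain_key(blob: bytes):
    """Recover (key_alg, session key) from a SIMPLEBLOB exported under an
    exponent-one key. Anything that is not a well-formed type 2 block is
    rejected, which is what a blob exported under a real RSA key looks like."""
    b_type, version, _reserved, key_alg = HEADER.unpack_from(blob, 0)
    if b_type != SIMPLEBLOB or version != CUR_BLOB_VERSION:
        raise ValueError("not a SIMPLEBLOB")
    (exch_alg,) = struct.unpack_from("<I", blob, HEADER.size)
    if exch_alg != CALG_RSA_KEYX:
        raise ValueError(f"unexpected exchange algorithm {exch_alg:#x}")
    block = blob[HEADER.size + 4:][::-1]          # back to big-endian PKCS#1 layout
    if len(block) < 11 or block[:2] != b"\x00\x02":
        raise ValueError("not a PKCS#1 type 2 block: exchange key was not exponent-one")
    sep = block.find(b"\x00", 2)
    if sep < 10:                                  # type 2 requires at least 8 bytes of PS
        raise ValueError("malformed PKCS#1 padding")
    return key_alg, block[sep + 1:]


if __name__ == "__main__":
    # Constructed 16-byte AES key; the blob is what an export under an
    # exponent-one key yields, with the key bytes reversed right at its start.
    demo_key = bytes(range(16))
    blob = plain_key_to_simpleblob(demo_key, CALG_AES_128)
    print(blob.hex())
    print(simpleblob_to_plain_key(blob) == (CALG_AES_128, demo_key))
```

The consequence for anyone auditing such code is the obvious one: a SIMPLEBLOB produced under an exponent-one key is not protected at all, so it must never leave the process, and a key pair with a public exponent of 1 must never be used for anything but this local conversion.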
You'll find at the following link a Microsoft Knowledge Base article that provides sample code showing how to achieve that.
<a href="http://support.microsoft.com/kb/228786" target="_blank">http://support.microsoft.com/kb/228786</a><br />
<br />
<b>How to clear saved Windows networking passwords</b> (2008-11-10)<br />
I had a problem connecting to a shared VPN network folder because I had changed my password but Windows kept using the old one stored in its cache. There was no obvious way to tell Windows to prompt for a new password. After some googling, I found the following command line, which displays a dialog listing all the stored credentials and lets you delete them:
<code style="font-weight: bold;">rundll32.exe keymgr.dll, KRShowKeyMgr</code>
It saved my life!!!<br />
<br />
<b>Advapi32 patch for Windows Vista 64-Bit (pre SP1)</b> (2008-08-07)<br />
A reader of this blog requested the patch for the advapi32 dll of Vista 64-Bit (pre SP1). So here it is. For the SysWOW64 copy, the patch is the same as the one for the Vista 32-Bit version I already published.
<ul><li>Advapi32 dll in <span style="font-weight: bold;">System32 </span>directory, version 6.0.6000.16386:
</li><ul style="font-family: courier new;"><li>At offset 0x12B39 : change 0F to 90
</li><li>At offset 0x12B3A : change 84 to E9
</li><li>At offset 0x67B0D : change 0F to 90</li><li>At offset 0x67B0E : change 85 to 90</li><li>At offset 0x67B0F : change 2C to 90</li><li>At offset 0x67B10 : change B0 to 90</li><li>At offset 0x67B11 : change FA to 90</li><li>At offset 0x67B12 : change FF to 90</li></ul></ul><br />
<b>Advapi32 patch for Windows Vista SP1 64-Bit</b> (2008-06-30)<br />
Following a request by a reader of this blog, here is the patch for the advapi32 (version 6.0.6001.18000) of Windows Vista SP1 64-Bit. It's for the copy present in the System32 folder, used by native 64-Bit applications. The patch for the SysWOW64 copy is the same as for the Windows Vista SP1 32-Bit version.
<ul><li>Advapi32 dll, version 6.0.6001.18000, 64-Bit :
</li><ul style="font-family: courier new;"><li>At offset 0x27C29 : change 75 to 90
</li><li>At offset 0x27C2A : change 0B to 90
</li><li>At offset 0x27C30 : change 0F to 90</li><li>At offset 0x27C31 : change 84 to E9</li></ul></ul><br />
<b>Advapi32 Patch for Windows XP SP3</b> (2008-06-05)<br />
The SP3 of Windows XP is already here, and with its arrival comes the need to test and validate CSP dlls under it. So, as usual, I'm releasing the necessary patch of the advapi32 dll to help with this and avoid the signing process. Here we go:
<ul><li>Advapi32 dll, version 5.1.2600.5512:
</li><ul style="font-family: courier new;"><li>At offset 0x175A1 : change 75 to 90
</li><li>At offset 0x175A2 : change 0C to 90
</li><li>At offset 0x175A9 : change 0F to 90</li><li>At offset 0x175AA : change 84 to E9
</li></ul></ul><br />
<b>Advapi32 Patch for Windows 2003 SP2 64-Bit</b> (2008-06-02)<br />
As requested by a reader of this blog, here is the patch for the advapi32 dll bundled with Windows 2003 Server SP2 64-Bit (it took me some time...). This patch is for the copy present in the <span style="font-weight: bold;">System32 </span>folder. The one in the SysWOW64 folder is the same as the 32-bit advapi32 dll of Windows 2003 Server SP2, for which I have already posted a patch.
<ul><li>Advapi32 dll in <span style="font-weight: bold;">System32 </span>directory, version 5.2.3790.3959:
</li><ul style="font-family: courier new;"><li>At offset 0x11AC5 : change 0F to 90
</li><li>At offset 0x11AC6 : change 84 to E9
</li><li>At offset 0x4D0C4 : change 0F to 90</li><li>At offset 0x4D0C5 : change 85 to 90</li><li>At offset 0x4D0C6 : change 01 to 90</li><li>At offset 0x4D0C7 : change 4A to 90</li><li>At offset 0x4D0C8 : change FC to 90</li><li>At offset 0x4D0C9 : change FF to 90</li></ul></ul><br />
<b>UPX 3.03 for MacOSX</b> (2008-05-06)<br />
The latest version of UPX (3.03) has just arrived, and it adds support for LZMA compression. This can enhance the overall compression ratio, but it's new and less tested. So, I decided to provide two binaries for this version: one with LZMA support and one without. As for the previous release, these binaries will run under Tiger (10.4), PPC and Intel alike, and Leopard (10.5). Here we go:
<p>For UPX without LZMA support : <a href="http://www.idrix.fr/Root/MacOSX/upx-3.03-universal-macosx.tar.gz">click here</a> .
For UPX with LZMA support : <a href="http://www.idrix.fr/Root/MacOSX/upx-3.03-lzma-universal-macosx.tar.gz">click here</a>.</p><br />
<b>Advapi32 Patch for Windows XP 64-Bit</b> (2008-04-22)<br />
As usual, here is the patch of advapi32 on Windows XP 64-Bit that enables testing of CSP dlls without a Microsoft signature. On this platform, there are two versions of this dll: one in the <span style="font-weight: bold;">System32</span> directory, which is the real 64-bit one, and one in the <span style="font-weight: bold;">SysWOW64</span> directory, which is the 32-bit one. So, we have to patch both dlls. You'll find below the usual patch description for each of them. You may notice that the two have an identical version number, 5.2.3790.1830, which is the same as that of advapi32 on Windows 2003 SP1. This is why the patch for the SysWOW64 copy is identical to the one for Windows 2003 SP1.
<ul><li>Advapi32 dll in <span style="font-weight: bold;">SysWOW64</span> directory :
</li><ul style="font-family: courier new;"><li>At offset 0x68CD : change 0F to EB</li><li>At offset 0x68CE : change 84 to 42</li><li>At offset 0x68CF : change 62 to 90</li><li>At offset 0x68D0 : change 0B to 90</li><li>At offset 0x68D1 : change 03 to 90</li><li>At offset 0x68D2 : change 00 to 90</li></ul></ul><ul><li>Advapi32 dll in <span style="font-weight: bold;">System32 </span>directory :
</li><ul style="font-family: courier new;"><li>At offset 0x11B15 : change 0F to 90
</li><li>At offset 0x11B16 : change 84 to E9
</li><li>At offset 0x4D2AD : change 0F to 90</li><li>At offset 0x4D2AE : change 85 to 90</li><li>At offset 0x4D2AF : change 68 to 90</li><li>At offset 0x4D2B0 : change 48 to 90</li><li>At offset 0x4D2B1 : change FC to 90</li><li>At offset 0x4D2B2 : change FF to 90</li></ul></ul><br />
<b>Advapi32 patch for new Windows OS versions</b> (2008-04-21)<br />
This is an update of my previous post about patching the advapi32 dll. You'll find here patches for Windows 2003 Server SP2, Windows Vista, Windows Server 2008 and Windows Vista SP1. The last two platforms share the same version of the advapi32 dll.
<ul><li style="font-family:courier new;">Windows 2003 SP2: advapi32 version = 5.2.3790.3959</li><ul style="font-family:courier new;"><li>At offset 0x11E3F : change 75 to 90</li><li>At offset 0x11E40 : change 08 to 90</li><li>At offset 0x11E47 : change 74 to EB</li></ul></ul>
<ul><li style="font-family:courier new;">Windows Vista : advapi32 version = 6.0.6000.16386</li><ul style="font-family:courier new;"><li>At offset 0x37B7D : change 0F to 90</li><li>At offset 0x37B7E : change 84 to E9</li><li>At offset 0x4B66D : change 0F to 90</li><li>At offset 0x4B66E : change 85 to 90</li><li>At offset 0x4B66F : change 10 to 90</li><li>At offset 0x4B670 : change C5 to 90</li><li>At offset 0x4B671 : change FE to 90</li><li>At offset 0x4B672 : change FF to 90</li></ul></ul>
<ul><li style="font-family:courier new;">Windows 2008 and Windows Vista SP1 : advapi32 version = 6.0.6001.18000</li><ul style="font-family:courier new;"><li>At offset 0x2420C : change 75 to 90</li><li>At offset 0x2420D : change 0C to 90</li><li>At offset 0x24214 : change 0F to 90</li><li>At offset 0x24215 : change 84 to E9</li></ul></ul><br />
<b>UPX universal binary for Mac OS X</b> (2008-04-03)<br />
As the buzz is mounting on the Mac OS X platform these days, I decided to buy one and start hacking. On the Windows and Linux platforms, I'm used to compressing all my binaries using UPX, thus saving space and bandwidth. Unfortunately, when I tried to download a version of it for Mac OS X, I couldn't find a single link, even on the official web site. So, I decided to compile a version myself.
The task was not straightforward, but I was able to build a universal binary for Mac OS X 10.4 and 10.5. It should work on 10.3, but I didn't test it. The result can be downloaded from the link below. I hope this will help.
<a href="http://www.idrix.fr/Root/MacOSX/upx-3.02-universal-macosx.tar.gz">http://www.idrix.fr/Root/MacOSX/upx-3.02-universal-macosx.tar.gz</a><br />
<br />
<b>Advapi32 patch for CSP development</b> (2007-04-18)<br />
Microsoft provides cryptography in its operating systems through an application programming interface called <span style="font-weight: bold;">CAPI</span>. It relies on a set of dynamically-linked libraries called <span style="font-weight: bold;">CSPs</span> (Cryptographic Service Providers) that actually perform all the cryptographic work.
In order to be used by the system, a CSP dll must be signed by Microsoft; otherwise, CAPI will refuse to load it. The problem is that the signature process can take many days, and that delay can be frustrating for a CSP developer/tester.
For that reason, Microsoft used to ship with the CSP development kit a modified version of the advapi32 dll. This dll is responsible for verifying the signature associated with a CSP module. The modified version bypasses this verification and thus allows a development version of the CSP dll to be used on the system where it's installed. The problem is that Windows 2000 SP2 is the last supported target for the Microsoft modified advapi32 dll! So those targeting a much newer version of Windows (which is the case for 99% of CSP developers) find themselves left with no support.
Fortunately, some talented people managed to hack the advapi32 signature verification mechanism. Thus, they could provide the community with a patched version of this dll for various newer versions of Windows. In the following, I will give the details of the modifications that must be applied to the advapi32 dll at the byte level. Each set of offsets applies only to the exact advapi32 file version listed with it, so check the file version before touching anything. All you need for that is a good hexadecimal editor. Personally, I use HxD: it's free and you can get it from <a href="http://mh-nexus.de/hxd/">here</a>.
Once the patched dll is in your hands, you must put it on the system. Of course, this can't be done while Windows is running, so you have to find another way to access the system32 directory; I suggest using a dual-boot system.
And here are the patches:
<ul><li>Windows 2000 SP4: advapi32 version = 5.0.2195.6710</li><ul><li>At offset 0x17061 : change 0F to E9</li><li>At offset 0x17062 : change 84 to 2C</li><li>At offset 0x17063 : change 22 to 06</li><li>At offset 0x17064 : change 06 to 01</li></ul></ul>
<ul><li>Windows 2000 SP4: advapi32 version = 5.0.2195.7038</li><ul><li>At offset 0xEA97 : change 0F to E9</li><li>At offset 0xEA98 : change 84 to 93</li><li>At offset 0xEA99 : change 89 to 83</li><li>At offset 0xEA9A : change 83 to 01</li><li>At offset 0xEA9B : change 01 to 00</li><li>At offset 0xEA9C : change 00 to 90</li></ul></ul>
<ul><li>Windows XP SP1 : advapi32 version = 5.1.2600.1106</li><ul><li>At offset 0x8794 : change 0F to EB</li><li>At offset 0x8795 : change 84 to 71</li><li>At offset 0x8796 : change 55 to 90</li><li>At offset 0x8797 : change 14 to 90</li><li>At offset 0x8798 : change 02 to 90</li><li>At offset 0x8799 : change 00 to 90</li></ul></ul>
<ul><li>Windows XP SP2:</li><ul><li>At offset 0x17C19 : change 75 to 90</li><li>At offset 0x17C1A : change 0C to 90</li><li>At offset 0x17C21 : change 0F to 90</li><li>At offset 0x17C22 : change 84 to E9</li></ul></ul>
<ul><li>Windows 2003 SP1: advapi32 version = 5.2.3790.1830</li><ul><li>At offset 0x68CD : change 0F to EB</li><li>At offset 0x68CE : change 84 to 42</li><li>At offset 0x68CF : change 62 to 90</li><li>At offset 0x68D0 : change 0B to 90</li><li>At offset 0x68D1 : change 03 to 90</li><li>At offset 0x68D2 : change 00 to 90</li></ul></ul>
Under Windows Vista, a new architecture called <span style="font-weight: bold;">CNG</span> (Crypto NextGen) was introduced. It adds the notion of card modules that expose cryptographic features and are called by the CNG runtime. These modules don't need to be signed, thus removing the burden of the Microsoft signature process.
Mounir IDRASSIhttp://www.blogger.com/profile/05041891014190291121noreply@blogger.com1
tag:blogger.com,1999:blog-2170012433200509807.post-68365015326722512902007-03-18T14:12:00.000+01:002007-03-25T01:55:04.107+01:00Welcome to my first blog
<span style="font-size:100%;">Hi everybody,<br />My name is <span style="font-style: italic;">Mounir IDRASSI</span> and I live in Paris, France. I've created this blog in order to share my passion for cryptography and coding. It's a field where many different scientific disciplines come together to provide us with tools to protect our identity and privacy. For a long time, it has been associated with the military and governments' secret services, but thanks to the explosion of the internet and the diversification of modern communication channels, it has been brought into our daily lives. From purchasing a book on Amazon to placing a call with your mobile phone, cryptography is used without our even noticing it.<br />I hope this blog will help you, readers, understand the mechanisms used in cryptography in order to demystify it and use it better.<br />Good luck.<br /></span>
Mounir IDRASSIhttp://www.blogger.com/profile/05041891014190291121noreply@blogger.com
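Added example for the "Advapi32 patch for CSP development" post above (my own code, not the author's, and not a Microsoft or community tool): given a copy of advapi32.dll and its file version, it reports whether the bytes at the offsets the post lists are still the original ones, have been replaced with the listed bypass bytes, or match neither, which is the check an administrator would run to spot a system whose CSP signature verification has been disabled. The version strings, offsets and byte values are those given in the post; the sample images are constructed, and the XP SP2 entry is left out because the post gives no file version for it.

```python
# Added example, not the post's own tool: report whether a copy of advapi32.dll
# carries one of the CSP signature-check bypass patches listed in the post.
# Offsets and byte values are copied from the post; sample images are constructed.
# file version -> list of (file offset, original byte, bypass byte)
KNOWN_PATCHES = {
    "5.0.2195.6710": [(0x17061, 0x0F, 0xE9), (0x17062, 0x84, 0x2C),
                      (0x17063, 0x22, 0x06), (0x17064, 0x06, 0x01)],
    "5.1.2600.1106": [(0x8794, 0x0F, 0xEB), (0x8795, 0x84, 0x71), (0x8796, 0x55, 0x90),
                      (0x8797, 0x14, 0x90), (0x8798, 0x02, 0x90), (0x8799, 0x00, 0x90)],
    "5.2.3790.1830": [(0x68CD, 0x0F, 0xEB), (0x68CE, 0x84, 0x42), (0x68CF, 0x62, 0x90),
                      (0x68D0, 0x0B, 0x90), (0x68D1, 0x03, 0x90), (0x68D2, 0x00, 0x90)],
    "5.2.3790.3959": [(0x11E3F, 0x75, 0x90), (0x11E40, 0x08, 0x90), (0x11E47, 0x74, 0xEB)],
    "6.0.6001.18000": [(0x2420C, 0x75, 0x90), (0x2420D, 0x0C, 0x90),
                       (0x24214, 0x0F, 0x90), (0x24215, 0x84, 0xE9)],
}


def classify(image: bytes, version: str) -> str:
    """Classify an advapi32 image against the patch entry for its file version.

    'pristine': every listed offset still holds the original byte
    'patched':  every listed offset holds the bypass byte
    'unknown':  neither, e.g. a different build, a truncated file or another change
    """
    entries = KNOWN_PATCHES[version]
    if any(offset >= len(image) for offset, _, _ in entries):
        return "unknown"
    if all(image[offset] == original for offset, original, _ in entries):
        return "pristine"
    if all(image[offset] == bypass for offset, _, bypass in entries):
        return "patched"
    return "unknown"


def classify_file(path: str, version: str) -> str:
    """Read a DLL from disk; the caller supplies its file version (for example
    from the file properties dialog) since the offsets only apply to that build."""
    with open(path, "rb") as fh:
        return classify(fh.read(), version)


def make_sample(version: str, patched: bool) -> bytes:
    """Constructed stand-in for an advapi32 image: zero-filled except at the
    offsets the post lists, which hold either the original or the bypass bytes."""
    image = bytearray(0x30000)
    for offset, original, bypass in KNOWN_PATCHES[version]:
        image[offset] = bypass if patched else original
    return bytes(image)
```

A real system32\advapi32.dll would be passed to `classify_file` together with the version shown in its file properties; any result other than "pristine" on a production machine deserves a look.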