Hacking in cryptography (registry help needed)


IE3 and up provide the Microsoft Cryptography component for Windows 95. Since I'm IE-free, I didn't have it, which made me run into bug 362404.

So, I went ahead to install it manually. I inspected ohare.inf to do this.

; Win95 Only CAPI System Files (NT Has CAPI installed)
DIGSIG.DLL,,,32
IMAGEHLP.DLL,,,32
RSABASE.DLL,,,32
SIGRES.EXE,,,32
WINTRUST.DLL,,,32

Those files were copied into the Windows\System directory.

;	CAPI Registry Entries

HKLM,"Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0","Image Path",2,"rsabase.dll"
HKLM,"Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0","Type",3,01,00,00,00
HKLM,"Software\Microsoft\Cryptography\Defaults\Provider Types\Type 001","Name",2,"Microsoft Base Cryptographic Provider v1.0"
HKCU,"Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing","State",3,08,00,00,00

These registry entries were created.

rsabase.dll and wintrust.dll had to be registered with regsvr32.exe. I did so.

Yet, the test program I got still doesn't work (the one in the bug has a mistake, I got a fixed one). So, I let Regmon loose. It finds the registry entries, then stops at:

6.10455465	Capi:FFF22201	QueryValueEx	0xCB904E78\RSABASE	NOTFOUND

I have no idea what it's looking for there. Some value in the memory?

The second time it was this:

2.61963844	Capi:FFF06F15	QueryValueEx	0xC123C34C\RSABASE	NOTFOUND

Anyone know what this means?


But where doesn't it find it? There's just a binary address. Here is the context:

2.71582723	Capi:FFF35BD9	OpenKey	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001	SUCCESS	hKey: 0xC11E756C	
2.71588635 Capi:FFF35BD9 QueryValueEx HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name SUCCESS
2.71594000 Capi:FFF35BD9 QueryValueEx HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name SUCCESS "Microsoft Base Cryptographic Provider v1.0"
2.71597433 Capi:FFF35BD9 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001 SUCCESS
2.71605992 Capi:FFF35BD9 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0 SUCCESS hKey: 0xC11E756C
2.71611214 Capi:FFF35BD9 QueryValueEx HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Type SUCCESS 0x1
2.71615124 Capi:FFF35BD9 QueryValueEx HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Image Path SUCCESS
2.71619916 Capi:FFF35BD9 QueryValueEx HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Image Path SUCCESS "rsabase.dll"
2.71624565 Capi:FFF35BD9 QueryValueEx HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Signature SUCCESS
2.71632004 Capi:FFF35BD9 QueryValueEx HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Signature SUCCESS 29 D2 93 D1 AF 2C C3 F1 ...
2.71635294 Capi:FFF35BD9 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0 SUCCESS
2.74032569 Capi:FFF35BD9 QueryValueEx 0xC123C34C\RSABASE NOTFOUND

Apparently it is this one:

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs]
"RSABASE"="RSABASE.DLL"

I also don't know where to find that 0xC1CA61B0\RSABASE (in my case) means the above-mentioned key and value.

Petr

Thanks, Petr! I indeed didn't add RSABASE.DLL (and WINTRUST.DLL for that matter) to the list of Known DLLs. However, we're not there yet:

3.14737034	Capi:FFF598AD	QueryValueEx	0xC123C34C\RSABASE	SUCCESS	"RSABASE.DLL"	
3.16416645 Capi:FFF598AD OpenKey HKLM\System\CurrentControlSet\Control SUCCESS hKey: 0xC11E6B90
3.16421032 Capi:FFF598AD QueryValueEx HKLM\System\CurrentControlSet\Control\Current User SUCCESS "Benoit"
3.16424489 Capi:FFF598AD CloseKey HKLM\System\CurrentControlSet\Control SUCCESS
3.16495848 Capi:FFF598AD QueryValueEx 0x0\EPbK BADKEY
3.16499853 Capi:FFF598AD QueryValueEx 0x0\EPvK BADKEY
3.16503692 Capi:FFF598AD QueryValueEx 0x0\SPvK BADKEY
3.16507435 Capi:FFF598AD QueryValueEx 0x0\SPbK BADKEY
3.16511273 Capi:FFF598AD QueryValueEx 0x0\RandSeed BADKEY
3.16571045 Capi:FFF598AD OpenKey HKLM\System\CurrentControlSet\Control SUCCESS hKey: 0xC11E6B90
3.16575122 Capi:FFF598AD QueryValueEx HKLM\System\CurrentControlSet\Control\Current User SUCCESS "Benoit"
3.16578078 Capi:FFF598AD CloseKey HKLM\System\CurrentControlSet\Control SUCCESS
3.16624403 Capi:FFF598AD OpenKey HKLM\System\CurrentControlSet\Control SUCCESS hKey: 0xC11E6B90
3.16628480 Capi:FFF598AD QueryValueEx HKLM\System\CurrentControlSet\Control\Current User SUCCESS "Benoit"
3.16631436 Capi:FFF598AD CloseKey HKLM\System\CurrentControlSet\Control SUCCESS
3.16730237 Capi:FFF598AD CloseKey 0x0 BADKEY

It already gave that before, but I thought it was because it didn't find the RSABASE key. After these, it just goes on to look for other provider types, and fails.

By the way, how did you find out where that address referred to?

EDIT: Hey, it turns out that Cryptography was successfully installed after all before I posted this thread! I just didn't bother to check the full output of the capi test program. The first it gives me is:

Provider type = PROV_RSA_FULL
loaded advapi32.dll successfully
failed to look up RtlGenRandom: 127
looked up CryptAcquireContextA successfully
looked up CryptReleaseContext successfully
looked up CryptGenRandom successfully
CryptAcquireContextA succeeded
CryptGenRandom succeeded
RNG_SystemRNG returned 1024

Yay!

I guess the rest are providers that aren't installed.

Edited by BenoitRen
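
Added example, not part of the original thread and not taken from ohare.inf's tooling: a Python sketch that converts the AddReg lines quoted in the first post into REGEDIT4 text, so the manually created values can be compared against a registry export. The function names are hypothetical, and the flag decoding assumes the setupapi meaning of the flags field (bit 0x1 = binary data, bit 0x2 = do not overwrite an existing value).

```python
import csv

# Root abbreviations used in INF AddReg lines.
ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}
FLG_BINARY = 0x1  # data is a comma-separated list of hex bytes
# Bit 0x2 (no-clobber) has no .reg equivalent: importing a .reg overwrites.

def parse_addreg(line):
    """Split one AddReg line into (root, subkey, name, is_binary, data)."""
    fields = next(csv.reader([line], skipinitialspace=True))
    if len(fields) < 5 or fields[0] not in ROOTS:
        raise ValueError("not an AddReg line with data: %r" % line)
    flags = int(fields[3] or "0")
    binary = bool(flags & FLG_BINARY)
    data = bytes(int(b, 16) for b in fields[4:]) if binary else fields[4]
    return ROOTS[fields[0]], fields[1], fields[2], binary, data

def reg_escape(s):
    """Escape backslashes and quotes the way .reg value strings require."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def to_regedit4(inf_lines):
    """Render AddReg lines as REGEDIT4 text, grouping values under their key."""
    keys = {}  # full key path -> rendered value lines, in INF order
    for line in inf_lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        root, subkey, name, binary, data = parse_addreg(line)
        if binary:
            rendered = "hex:" + ",".join("%02x" % b for b in data)
        else:
            rendered = '"%s"' % reg_escape(data)
        keys.setdefault(root + "\\" + subkey, []).append(
            '"%s"=%s' % (reg_escape(name), rendered))
    out = ["REGEDIT4", ""]
    for key, values in keys.items():
        out += ["[%s]" % key] + values + [""]
    return "\n".join(out)

# The four AddReg lines quoted in the first post.
ADDREG = [
    r'HKLM,"Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0","Image Path",2,"rsabase.dll"',
    r'HKLM,"Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0","Type",3,01,00,00,00',
    r'HKLM,"Software\Microsoft\Cryptography\Defaults\Provider Types\Type 001","Name",2,"Microsoft Base Cryptographic Provider v1.0"',
    r'HKCU,"Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing","State",3,08,00,00,00',
]

if __name__ == "__main__":
    print(to_regedit4(ADDREG))
```

Note that flag 3 makes "Type" and "State" four-byte binary values rather than DWORDs, so they appear as `hex:` entries in an export.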