jds

128 bit SECUR32.DLL - Myth or Missing?

52 posts in this topic

IF it's that, the SAME "instsec.dll" file is also inside dsclient9x.msi (but other files are changed, particularly in the .msi SECUR32.DLL is 4.10.0.226 whilst in the .exe it is 4.10.0.228) :wacko:

jaclaz

yup. both old and new versions of the dsclient w9x package have that instsec.dll file which would then get renamed to secur32.dll during setup.

so indeed as Joe said a 128bit secur32.dll file does exist. it's just that Microsoft hid it so well and changed the name of that file.

clever guy MS...


@jds: Can you provide the exact size and CRC-32, MD-5 and SHA-1 hashes of the bona-fide secur32.dll v. 4.10.2226 - 128 bit?

This would be a great reference for future use, for such a hard-to-get file, and also permit us to determine whether it truly is the unchanged instsec.dll.

I just looked into that file and it says "High strength upgrade" in the description and SECURITY in the internal name and SECURITY.DLL in the original file name, so I'm not at all convinced it is used unmodified.


@jds: Can you provide the exact size and CRC-32, MD-5 and SHA-1 hashes of the bona-fide secur32.dll v. 4.10.2226 - 128 bit?

This would be a great reference for future use, for such a hard-to-get file, and also permit us to determine whether it truly is the unchanged instsec.dll.

I just looked into that file and it says "High strength upgrade" in the description and SECURITY in the internal name and SECURITY.DLL in the original file name, so I'm not at all convinced it is used unmodified.

As said, it is NOT used unmodified (i.e. renamed)

During install it (or something else triggered by it) patches the actual SECUR32.DLL

Just have a look at instsec and to secur32 dll's with bintext or a similar text extractor:

http://www.foundstone.com/us/resources/proddesc/bintext.htm

;)

jaclaz


jaclaz has a good point, dencorso.

during dsclient9x installation, instsec.dll gets renamed to secur32.dll when dsclient setup detects certain DLL files that have 128bit encryption

something I (and many other 9x users) wasn't fully aware about

instsec.dll (when renamed to secur32.dll) is 83,456 bytes in size [according to the DSClient (v5.0.2920.5) KB323455 hotfix package that I have]

KB323455 hotfix still exists but MS KB article 323455 doesn't exist anymore

Edited by erpdude8

I'm not convinced, erpdude8!

jaclaz is right (of course!):

As said, it is NOT used unmodified (i.e. renamed)

During install it (or something else triggered by it) patches the actual SECUR32.DLL

And his own finding:

I guess that the actual explanation comes hear-hear :w00t: from the NSA:

http://www.nsa.gov/ia/_files/os/win2k/w2k_winnt_9x_clients.pdf

(page 9)

That would explain everything nicely.

States literally, in p. 9:

Verify the installation by locating the Secur32.dll file, clicking Properties and the Version tab. The description for the 56-bit version is "Microsoft Win32 Security Services (Export Version)". The description for the 128-bit version is "Microsoft Win32 Security Services (US and Canada Only)".

While, again, the description for instsec.dll is just "High strength upgrade"!

So I maintain my request:

@jds: Can you please provide the exact size and CRC-32, MD-5 and SHA-1 hashes of the bona-fide secur32.dll v. 4.10.2226 - 128 bit? Tools to do it, if you don't already have them, are here (just FCIV.EXE and CRC.EXE are enough):

* CRC/MD5/SHA file (PE) checksum tools that work with 9x OSes [free(ware)]:

http://www.mdgx.com/xptoy.htm#CRC

The ones I'm referring to [because they work with 95/98/ME] are: FCIV.EXE, CRC.EXE, WinCRC + FileRepair.


I'm not convinced, erpdude8!

ah, so you are still skeptical. that's alright. jaclaz, how do you respond to this?

I guess that the actual explanation comes hear-hear :w00t: from the NSA:

http://www.nsa.gov/ia/_files/os/win2k/w2k_winnt_9x_clients.pdf

(page 9)

That would explain everything nicely.

States literally, in p. 9:

Verify the installation by locating the Secur32.dll file, clicking Properties and the Version tab. The description for the 56-bit version is "Microsoft Win32 Security Services (Export Version)". The description for the 128-bit version is "Microsoft Win32 Security Services (US and Canada Only)".

While, again, the description for instsec.dll is just "High strength upgrade"!

that kind of information of checking between the "export" version and the 128bit version of the secur32.dll file from that PDF file is not entirely accurate, dencorso.

Note to PROBLEMCHYLD: Dsclient does not include nor support WinME as mentioned in MS KB article 276472.

Edited by erpdude8

DSClient setup uses instsec.dll to write 128-bit secur32.dll when 128-bit schannel.dll, rsaenh.dll and rsaenhs.dll are detected (hash of file matches to the ones it knows).


Next stop was grab the high encryption pack and checked the included Dll's against what was resident on my system, The only thing missing of 3 jaclaz pointed out was sch128c.dll. So I copied that into the Windows System directory, ended with same results.

Hi Jake, please see "Fourth experiment" in my previous post. This shows all I did (inc. files I copied) to produce the 128 bit version of 'secur32.dll' on my machine with IE5.01SP2, which might be enough with IE6 (I'll be trying this myself as soon as I have a chance). The 'sch128c.dll' file was not included.

So I maintain my request:

@jds: Can you please provide the exact size and CRC-32, MD-5 and SHA-1 hashes of the bona-fide secur32.dll v. 4.10.2226 - 128 bit?

No worries. (BTW, I've been away, but in any case, I'm not on the web everyday) :unsure:

Anyway, here are the requested statistics :

File = SECUR32.DLL version 4.10.2226, 128-bit build

Description = Microsoft Win32 Security Services (US and Canada Only)

Size = 59904

MD5 = 8854c4fb59b506e53c5a4200142d188e

SHA1 = de40257dffa532eb8f4d9cbfc3e518d229dcf5ab

CRC32 = 7500186b

Joe.

PS. You guys/gals sure have been busy sleuthing! :thumbup

PPS. OK, I need to catch up on some sleep now!

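As an added example (not code from any poster in this thread), the following Python check compares a candidate file against the size and hashes Joe posted above and looks for the three description strings quoted in the thread. The function names and the plain UTF-16LE search of the version resource are assumptions of this sketch, and the fallback sample bytes are constructed.

```python
import hashlib
import zlib

# Reference values for SECUR32.DLL 4.10.2226 (128-bit build), as posted in this thread.
REFERENCE = {"size": 59904,
             "md5": "8854c4fb59b506e53c5a4200142d188e",
             "sha1": "de40257dffa532eb8f4d9cbfc3e518d229dcf5ab",
             "crc32": "7500186b"}

# Description strings quoted in the thread; version resources store text as UTF-16LE.
DESCRIPTIONS = {
    "Microsoft Win32 Security Services (Export Version)": "56-bit export",
    "Microsoft Win32 Security Services (US and Canada Only)": "128-bit",
    "High strength upgrade": "instsec.dll installer",
}

def fingerprint(data):
    """Size plus the three checksums requested in the thread, as lowercase hex."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x")}

def classify(data):
    """Label the file by whichever known description string it carries."""
    for text, label in DESCRIPTIONS.items():
        if text.encode("utf-16-le") in data:
            return label
    return "unknown"

def check(data):
    """Return (label, sorted list of fields that differ from REFERENCE)."""
    fp = fingerprint(data)
    return classify(data), sorted(k for k in REFERENCE if fp[k] != REFERENCE[k])

if __name__ == "__main__":
    import sys
    # Constructed stand-in bytes; pass a real path as argv[1] to check a file.
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else b"MZ" + "High strength upgrade".encode("utf-16-le"))
    print(check(data))
```

An empty mismatch list together with the "128-bit" label means the file matches the posted reference on every field.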

Secur32.dll 128-bit version differs by just 1 byte in code section.

So here is secur32.dll 4.10.2228 128-bit created by altering that byte (and version in resources) in Export version:

secur32.zip

Hot!

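To confirm a claim like "differs by just 1 byte in code section" for any pair of same-sized builds, the differing file offsets can be grouped by the PE section that owns them. This is an added example, not Tihiy's tooling; the function names are hypothetical and the demo runs on a constructed PE-shaped buffer rather than a real DLL.

```python
import struct

def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] read from the PE section table."""
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    sections = []
    for i in range(count):
        entry = table + 40 * i
        name = bytes(data[entry:entry + 8]).rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", data, entry + 16)
        sections.append((name, raw_off, raw_size))
    return sections

def diff_by_section(old, new):
    """Map section name -> file offsets at which the two images differ."""
    if len(old) != len(new):
        raise ValueError("sizes differ; offsets would not line up")
    sections = pe_sections(old)
    changed = {}
    for off, (a, b) in enumerate(zip(old, new)):
        if a != b:
            owner = next((n for n, start, size in sections
                          if start <= off < start + size), "(headers)")
            changed.setdefault(owner, []).append(off)
    return changed

def toy_image():
    """Constructed PE-shaped buffer with .text and .rsrc; not a real DLL."""
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x46, 2)  # NumberOfSections; optional header size stays 0
    for i, (name, off) in enumerate([(b".text", 0x200), (b".rsrc", 0x400)]):
        entry = 0x58 + 40 * i
        img[entry:entry + len(name)] = name
        struct.pack_into("<II", img, entry + 16, 0x200, off)
    return img

if __name__ == "__main__":
    old, new = toy_image(), toy_image()
    new[0x234] ^= 0xFF                     # one byte inside .text
    new[0x410:0x412] = b"\x08\xb4"         # two bytes inside .rsrc
    print(diff_by_section(old, new))
```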

While I was considering it possibly might be done, you went ahead and did it!

Great :thumbup Thanks a lot! :yes:

You do rock, Tihiy!


DSClient setup uses instsec.dll to write 128-bit secur32.dll when 128-bit schannel.dll, rsaenh.dll and rsaenhs.dll are detected (hash of file matches to the ones it knows).

Q.E.D. :)

http://en.wikipedia.org/wiki/Q.E.D.

:thumbup

jaclaz


While I was considering it possibly might be done, you went ahead and did it!

Great :thumbup Thanks a lot! :yes:

You do rock, Tihiy!

Seconded! :thumbup

Tihiy hasn't merely changed one byte in the code, he's also updated all the version information, etc. Very neat!

Joe.


# Fourth experiment. Those "high encryption pack" files …

Of those files listed above, the following were present on the W98SE laptop : 'ADVPACK.DLL', 'enhsig.dll', 'rsaenh.dll', 'W95INF16.DLL' and 'W95INF32.DLL'.

These files were copied onto the W98SE desktop with IE 5.01SP2 mentioned at the outset of this thread, after first backing up the existing files. Deleting the 'secur32.dll' file (in DOS mode) and applying 'dsclient.exe' 5.00.2920.0005 resulted in the 128 bit sub-version of 'secur32.dll' 4.10.2226! (The above substituted files were then restored.)

Just for my own peace of mind.....

Tried all 3 versions of the dsclient install on my 98se system with ie6sp1....all 3 produced the same "export" version of Secur32.dll.

Next stop was grab the high encryption pack and checked the included Dll's against what was resident on my system, The only thing missing of 3 jaclaz pointed out was sch128c.dll. So I copied that into the Windows System directory, ended with same results.

Next stop is to find out if that DLL needs to be registered, also going to roll back my registry to a pretest state and try again.....

any other suggestions would be welcome???

Jake

DSClient setup uses instsec.dll to write 128-bit secur32.dll when 128-bit schannel.dll, rsaenh.dll and rsaenhs.dll are detected (hash of file matches to the ones it knows).

Q.E.D. :)

http://en.wikipedia.org/wiki/Q.E.D.

:thumbup

jaclaz

I presume "DSClient setup uses instsec.dll to write 128-bit secur32.dll" means something like :

rundll32 instsec.dll,SomeEntryPoint

OK, by trial and error, I've determined that the only DLL that needed replacing (temporarily) with its counterpart from 'ie5dom.exe' on my (existing) IE5.01SP2 (128 bit) installation, to convince 'dsclient.exe' (5.00.2920.0005) to produce the 128 bit sub-version of 'secur32.dll', was rsaenh.dll. The files sch128c.dll, schannel.dll and rsaenhs.dll must not be relevant, as they do not even exist on this system.

Nothing more (eg. registering a DLL) was necessary. For IE5.5 and IE6.0, it's possible other DLL's may need to be temporarily replaced, so that 'ie5dom.exe' can recognise the system as 128 bit security enabled.

Joe.


From the "quick and dirty" suggestion I made (check instsec.dll with bintext or similar), the ONLY lines containing "dll" are:

00000000072C 00000620112C 0 rsaenhs.dll

000000000738 000006201138 0 rsaenh.dll

000000000744 000006201144 0 schannel.dll

000000003378 000006203D78 0 KERNEL32.dll

000000003396 000006203D96 0 IMAGEHLP.dll

0000000033EC 000006203DEC 0 instsch.dll

0000000033F8 000006203DF8 0 DllMain

000000013B5A 000006213B5A 0 _DllMain@12

000000013D44 000006213D44 0 ??_C@_0M@KHOF@rsaenhs?4dll?$AA@

000000013D64 000006213D64 0 ??_C@_0L@LOKH@rsaenh?4dll?$AA@

000000013D83 000006213D83 0 ??_C@_0N@MMCA@schannel?4dll?$AA@

000000014228 000006214228 0 obj\i386\instsch.dll

000000012E34 000006214834 0 SECURITY.DLL


So, all three dll's are somehow "queried" or "checked":

  • rsaenhs.dll
  • rsaenh.dll
  • schannel.dll

it is very possible that one only is enough to "trigger" the patching, though the order in which they are listed seems to suggest that the "first one" is rsaenhs.dll.

jaclaz

Edited by jaclaz
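A small stand-in for the BinText pass described above, as an added example that is not part of jaclaz's post: it pulls printable ASCII and UTF-16LE runs out of a binary and keeps those mentioning "dll", reporting the file offset only (BinText's memory-position and ID columns are omitted). The function names are hypothetical and the sample bytes are constructed, not taken from instsec.dll.

```python
import re

def strings(data, min_len=4):
    """Return sorted (offset, kind, text): kind 'A' = ASCII run, 'U' = UTF-16LE run."""
    n = str(min_len).encode()
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{" + n + rb",}", data):
        found.append((m.start(), "A", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){" + n + rb",}", data):
        found.append((m.start(), "U", m.group().decode("utf-16-le")))
    return sorted(found)

def dll_references(data):
    """Keep only the extracted strings that mention 'dll', case-insensitively."""
    return [hit for hit in strings(data) if "dll" in hit[2].lower()]

# Constructed sample: NUL-terminated ASCII names, one unrelated import name,
# and one UTF-16LE string of the kind a version resource holds.
SAMPLE = (b"\x00\x01rsaenhs.dll\x00rsaenh.dll\x00\x00schannel.dll\x00"
          b"\xff\xfe\x90KERNEL32.dll\x00GetProcAddress\x00\xff"
          + "SECURITY.DLL".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for offset, kind, text in dll_references(SAMPLE):
        print(f"{offset:012X} {kind} {text}")
```

A name showing up in this listing only proves the string is embedded in the file; whether the code actually checks that DLL still has to be established by testing, as done earlier in the thread.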
