MSFN Forum: Hacking in cryptography (registry help needed) - MSFN Forum


Hacking in cryptography (registry help needed)

#1 BenoitRen

Posted 02 December 2006 - 05:34 PM

IE3 and up provide the Microsoft Cryptography component for Windows 95. Since I'm IE-free, I didn't have it, which made me run into bug 362404.

So, I went ahead to install it manually. I inspected ohare.inf to do this.
; Win95 Only CAPI System Files (NT Has CAPI installed)
DIGSIG.DLL,,,32
IMAGEHLP.DLL,,,32
RSABASE.DLL,,,32
SIGRES.EXE,,,32
WINTRUST.DLL,,,32

Those files were copied into the Windows\System directory.
;	CAPI Registry Entries

HKLM,"Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0","Image Path",2,"rsabase.dll"
HKLM,"Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0","Type",3,01,00,00,00
HKLM,"Software\Microsoft\Cryptography\Defaults\Provider Types\Type 001","Name",2,"Microsoft Base Cryptographic Provider v1.0"
HKCU,"Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing","State",3,08,00,00,00

These registry entries were created.

rsabase.dll and wintrust.dll had to be registered with regsvr32.exe. I did so.

Yet, the test program I got still doesn't work (the one in the bug has a mistake, I got a fixed one). So, I let Regmon loose. It finds the registry entries, then stops at:
6.10455465	Capi:FFF22201	QueryValueEx	0xCB904E78\RSABASE	NOTFOUND

I have no idea what it's looking for there. Some value in the memory?
The second time it was this:
2.61963844	Capi:FFF06F15	QueryValueEx	0xC123C34C\RSABASE	NOTFOUND

Anyone know what this means?


#2 LLXX

Posted 03 December 2006 - 03:58 AM

Missing key "rsabase".

#3 BenoitRen

Posted 03 December 2006 - 11:14 AM

But where doesn't it find it? There's just a binary address. Here is the context:
2.71582723	Capi:FFF35BD9	OpenKey	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001	SUCCESS	hKey: 0xC11E756C	
2.71588635	Capi:FFF35BD9	QueryValueEx	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name	SUCCESS		
2.71594000	Capi:FFF35BD9	QueryValueEx	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name	SUCCESS	"Microsoft Base Cryptographic Provider v1.0"	
2.71597433	Capi:FFF35BD9	CloseKey	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001	SUCCESS		
2.71605992	Capi:FFF35BD9	OpenKey	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0	SUCCESS	hKey: 0xC11E756C	
2.71611214	Capi:FFF35BD9	QueryValueEx	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Type	SUCCESS	0x1	
2.71615124	Capi:FFF35BD9	QueryValueEx	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Image Path	SUCCESS		
2.71619916	Capi:FFF35BD9	QueryValueEx	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Image Path	SUCCESS	"rsabase.dll"	
2.71624565	Capi:FFF35BD9	QueryValueEx	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Signature	SUCCESS		
2.71632004	Capi:FFF35BD9	QueryValueEx	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0\Signature	SUCCESS	29 D2 93 D1 AF 2C C3 F1 ...	
2.71635294	Capi:FFF35BD9	CloseKey	HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0	SUCCESS		
2.74032569	Capi:FFF35BD9	QueryValueEx	0xC123C34C\RSABASE	NOTFOUND


#4 Petr

Posted 03 December 2006 - 12:00 PM

Apparently it is this one:
REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\KnownDLLs]
"RSABASE"="RSABASE.DLL"


I also don't know where to find out that 0xC1CA61B0\RSABASE (in my case) means the above-mentioned key and value.

Petr

#5 BenoitRen

Posted 03 December 2006 - 03:07 PM

Thanks, Petr! I indeed didn't add RSABASE.DLL (and WINTRUST.DLL for that matter) to the list of Known DLLs. However, we're not there yet:
3.14737034	Capi:FFF598AD	QueryValueEx	0xC123C34C\RSABASE	SUCCESS	"RSABASE.DLL"	
3.16416645	Capi:FFF598AD	OpenKey	HKLM\System\CurrentControlSet\Control	SUCCESS	hKey: 0xC11E6B90	
3.16421032	Capi:FFF598AD	QueryValueEx	HKLM\System\CurrentControlSet\Control\Current User	SUCCESS	"Benoit"	
3.16424489	Capi:FFF598AD	CloseKey	HKLM\System\CurrentControlSet\Control	SUCCESS		
3.16495848	Capi:FFF598AD	QueryValueEx	0x0\EPbK	BADKEY		
3.16499853	Capi:FFF598AD	QueryValueEx	0x0\EPvK	BADKEY		
3.16503692	Capi:FFF598AD	QueryValueEx	0x0\SPvK	BADKEY		
3.16507435	Capi:FFF598AD	QueryValueEx	0x0\SPbK	BADKEY		
3.16511273	Capi:FFF598AD	QueryValueEx	0x0\RandSeed	BADKEY		
3.16571045	Capi:FFF598AD	OpenKey	HKLM\System\CurrentControlSet\Control	SUCCESS	hKey: 0xC11E6B90	
3.16575122	Capi:FFF598AD	QueryValueEx	HKLM\System\CurrentControlSet\Control\Current User	SUCCESS	"Benoit"	
3.16578078	Capi:FFF598AD	CloseKey	HKLM\System\CurrentControlSet\Control	SUCCESS		
3.16624403	Capi:FFF598AD	OpenKey	HKLM\System\CurrentControlSet\Control	SUCCESS	hKey: 0xC11E6B90	
3.16628480	Capi:FFF598AD	QueryValueEx	HKLM\System\CurrentControlSet\Control\Current User	SUCCESS	"Benoit"	
3.16631436	Capi:FFF598AD	CloseKey	HKLM\System\CurrentControlSet\Control	SUCCESS		
3.16730237	Capi:FFF598AD	CloseKey	0x0	BADKEY

It already gave that before, but I thought it was because it didn't find the RSABASE key. After these, it just goes on to look for other provider types, and fails.

By the way, how did you find out where that address referred to?

EDIT: Hey, it turns out that Cryptography was successfully installed after all before I posted this thread! I just didn't bother to check the full output of the capi test program. The first thing it gives me is:
Provider type = PROV_RSA_FULL
loaded advapi32.dll successfully
failed to look up RtlGenRandom: 127
looked up CryptAcquireContextA successfully
looked up CryptReleaseContext successfully
looked up CryptGenRandom successfully
CryptAcquireContextA succeeded
CryptGenRandom succeeded
RNG_SystemRNG returned 1024

Yay!

I guess the rest are providers that aren't installed.

This post has been edited by BenoitRen: 03 December 2006 - 03:24 PM


#6 Petr

Posted 03 December 2006 - 05:24 PM

BenoitRen, on Dec 3 2006, 10:07 PM, said:

By the way, how did you find out where that address referred to?


I used REGMON on my Win98SE computer and then looked for the value using the regedit search function.

Petr

#7 BenoitRen

Posted 03 December 2006 - 05:48 PM

Could you explain in more detail? When I search for either hexadecimal value in Regedit, I don't find anything.

#8 Petr

Posted 04 December 2006 - 01:20 AM

BenoitRen, on Dec 4 2006, 12:48 AM, said:

Could you explain in more detail? When I search for either hexadecimal value in Regedit, I don't find anything.


I was searching for RSABASE.DLL in RSABASE.

Petr

#9 BenoitRen

Posted 04 December 2006 - 03:39 PM

Oh, so you just identified what other values had RSABASE. Okay. :)
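
An added example, not part of the thread or of Regmon: a small Python triage of Regmon output like the traces posted above. It lists the failed requests and separates lookups on a handle the trace never saw opened (such as 0xC123C34C\RSABASE) from lookups on a null handle (0x0\EPbK); the column layout and the names triage and search_terms are assumptions of this example.

```python
import re

# Regmon rows copied from the posts above; columns are
# time, process, request, path, result, other (tab-separated in the log).
ROWS = [
    ("2.71582723", "Capi:FFF35BD9", "OpenKey",
     r"HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001",
     "SUCCESS", "hKey: 0xC11E756C"),
    ("2.74032569", "Capi:FFF35BD9", "QueryValueEx", r"0xC123C34C\RSABASE", "NOTFOUND", ""),
    ("3.16495848", "Capi:FFF598AD", "QueryValueEx", r"0x0\EPbK", "BADKEY", ""),
    ("3.16730237", "Capi:FFF598AD", "CloseKey", "0x0", "BADKEY", ""),
]
SAMPLE = "\n".join("\t".join(row) for row in ROWS)

HANDLE_PATH = re.compile(r"^0x([0-9A-Fa-f]+)(?:\\(.*))?$")

def triage(log_text):
    """Return every non-SUCCESS request with its key, value name and handle status."""
    handles = {}    # hKey -> key path, learned from successful OpenKey rows
    failures = []
    for line in log_text.splitlines():
        cols = [c.strip() for c in line.split("\t")] + [""]
        if len(cols) < 6:
            continue                      # not a complete Regmon row
        request, path, result, other = cols[2:6]
        if request == "OpenKey" and result == "SUCCESS" and other.startswith("hKey:"):
            handles[int(other[5:].strip(), 16)] = path
        if result == "SUCCESS":
            continue
        m = HANDLE_PATH.match(path)
        if m:                             # Regmon printed a handle, not a key name
            h, value = int(m.group(1), 16), m.group(2) or ""
            key = handles.get(h)
            kind = "null-handle" if h == 0 else "resolved" if key else "unknown-handle"
        elif request == "QueryValueEx":   # last path component is the value name
            key, _, value = path.rpartition("\\")
            kind = "named"
        else:
            key, value, kind = path, "", "named"
        failures.append({"request": request, "key": key, "value": value,
                         "result": result, "kind": kind})
    return failures

def search_terms(failures):
    """Value names to look up by name (regedit search), as Petr did for RSABASE."""
    return sorted({f["value"] for f in failures
                   if f["kind"] == "unknown-handle" and f["value"]})
```

On the sample rows, search_terms(triage(SAMPLE)) yields only RSABASE; the 0x0 rows are reported as null-handle failures rather than as values to search for.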
