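extern "C" int __stdcall check_id(PDWORD);
extern "C" int __stdcall get_wnf_value(PDWORD);

// XOR keys that obfuscate the two halves of the WNF state name.
// They must match the constants used inside check_id / get_wnf_value.
#define WNF_ID1_XOR 0xA3BC0074UL
#define WNF_ID2_XOR 0x41C64E6DUL

// Parse one command-line argument as a hexadecimal DWORD.
// Returns false when the argument is empty or has trailing characters
// that are not part of the number (the original code ignored `end`,
// so "12zz" silently became 0x12).
// NOTE: argv is treated as wchar_t*, i.e. the build assumes UNICODE.
static bool parse_hex_arg(const _TCHAR *arg, DWORD *out)
{
    wchar_t *end = NULL;
    unsigned long v = wcstoul(arg, &end, 16);
    if (end == arg || *end != L'\0')
        return false;
    *out = (DWORD)v;
    return true;
}

// wnf_decode <id1_hex> <id2_hex>
// De-obfuscates the pair, validates it with check_id and prints the
// decoded halves plus the data-scope index returned by get_wnf_value.
// Always exits with status 0 (kept from the original behaviour).
int _tmain(int argc, _TCHAR* argv[])
{
    if (argc != 3) {
        printf("usage: wnf_decode <id1_hex> <id2_hex>\n");
        return 0;
    }

    DWORD ids[2];
    if (!parse_hex_arg(argv[1], &ids[0]) || !parse_hex_arg(argv[2], &ids[1])) {
        printf("invalid hex argument\n");
        return 0;
    }

    if (check_id(ids)) {
        printf("invalid pair\n");
    } else {
        // DWORD is unsigned long on Win32, so %lX is the matching conversion.
        printf("id1 %lX id2 %lX index %d\n",
               ids[0] ^ WNF_ID1_XOR,
               ids[1] ^ WNF_ID2_XOR,
               get_wnf_value(ids));
    }
    return 0;
}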
The main part of the code is the two functions check_id and get_wnf_value. I was too lazy, so I just ripped a piece of code from ntoskrnl.exe!ExpCaptureWnfStateName:
; NASM syntax, 32-bit x86 (Win32 stdcall: callee pops its arguments,
; eax/ecx/edx are scratch, esi/edi/ebx/ebp must be preserved).
; Exported names carry the stdcall decoration _name@argbytes.
BITS 32
global _check_id@4
global _get_wnf_value@4
;-----------------------------------------------------------------------
; int __stdcall check_id(PDWORD ids)
; Validation logic ripped from kernel ExpCaptureWnfStateName.
; ABI:   Win32 stdcall, callee pops 4 bytes; no stack frame.
; In:    [esp+4] = ids -> { id1, id2 }, the obfuscated WNF state name
; Out:   eax = 0 if the decoded name passes the kernel's checks, 1 otherwise
; Clobb: ecx, edx, flags (esi/edi are not touched)
;
; Every field the kernel checks lives in the low dword of the 64-bit name:
;   bits 0-3  version      - must be 1
;   bits 4-5  lifetime     - 2-bit field, every value is accepted
;   bits 6-9  data scope   - must be <= 4
;   bit 10    permanent    - if set, the scope must be 0, 2 or 4
;-----------------------------------------------------------------------
%define WNF_ID1_XOR     0xA3BC0074
%define WNF_ID2_XOR     0x41C64E6D
%define WNF_PERMANENT   (1 << 10)

_check_id@4:
        mov     edx, [esp + 4]          ; edx = ids
        mov     eax, [edx]              ; eax = id1
        mov     edx, [edx + 4]          ; edx = id2
        xor     eax, WNF_ID1_XOR        ; eax = low dword of the state name
        xor     edx, WNF_ID2_XOR        ; edx = high dword (carries no checked field)

        mov     ecx, eax
        and     ecx, 0xF                ; ecx = version
        cmp     ecx, 1
        jne     .bad_id

        mov     ecx, eax
        shr     ecx, 6
        and     ecx, 0xF                ; ecx = data scope
        cmp     ecx, 4
        ja      .bad_id                 ; unsigned: scopes 5..15 are rejected

        test    eax, WNF_PERMANENT
        jz      .ok                     ; non-permanent names: nothing more to check

        ; permanent names: scope must be 0, 2 or 4; scope is already <= 4,
        ; so only the odd values 1 and 3 remain to be rejected
        test    ecx, 1
        jnz     .bad_id

.ok:
        xor     eax, eax                ; 0 = valid
        retn    4
.bad_id:
        mov     eax, 1                  ; 1 = invalid pair
        retn    4
;-----------------------------------------------------------------------
; int __stdcall get_wnf_value(PDWORD ids)
; Same decoding and checks as check_id, but returns the data-scope field.
; ABI:   Win32 stdcall, callee pops 4 bytes; no stack frame.
; In:    [esp+4] = ids -> { id1, id2 }, the obfuscated WNF state name
; Out:   eax = data scope (bits 6-9 of the decoded low dword) when the
;        name is valid, 0 when it is rejected. A valid name with scope 0
;        also yields 0, so callers must run check_id first to tell them apart.
; Clobb: ecx, edx, flags (esi/edi are not touched)
;-----------------------------------------------------------------------
%define WNF_ID1_XOR     0xA3BC0074
%define WNF_ID2_XOR     0x41C64E6D
%define WNF_PERMANENT   (1 << 10)

_get_wnf_value@4:
        mov     edx, [esp + 4]          ; edx = ids
        mov     eax, [edx]              ; eax = id1
        mov     edx, [edx + 4]          ; edx = id2
        xor     eax, WNF_ID1_XOR        ; eax = low dword of the state name
        xor     edx, WNF_ID2_XOR        ; edx = high dword (carries no checked field)

        mov     ecx, eax
        and     ecx, 0xF                ; ecx = version
        cmp     ecx, 1
        jne     .bad_id

        mov     ecx, eax
        shr     ecx, 6
        and     ecx, 0xF                ; ecx = data scope (the value we return)
        cmp     ecx, 4
        ja      .bad_id                 ; unsigned: scopes 5..15 are rejected

        test    eax, WNF_PERMANENT
        jz      .ok                     ; non-permanent names: nothing more to check

        ; permanent names: scope must be 0, 2 or 4; scope is already <= 4,
        ; so only the odd values 1 and 3 remain to be rejected
        test    ecx, 1
        jnz     .bad_id

.ok:
        mov     eax, ecx                ; return the data scope
        retn    4
.bad_id:
        xor     eax, eax                ; 0 = rejected
        retn    4
Usage example (command followed by its output):
wnf_decode A3BC0835 F840539 id1 841 id2 4E424B54 index 1