• NTLM挑战模式散列认证加密协议过程,算法实现与一些想法



    创建时间:2003-05-28
    文章属性:原创
    文章提交:flashsky (flashsky1_at_sina.com)

    NTLM挑战模式散列认证加密协议过程,算法实现与一些想法
    转摘请注明作者和安全焦点
    作者:FLASHSKY
    SITE:WWW.XFOCUS.NETWWW.SHOPSKY.COM
    邮件:flashsky@xfocus.org
    作者单位:启明星辰积极防御实验室

    说明:
    本来先从看见小四的《LM/NTLM验证机制》就没准备发的,但是从如下几点考虑还是发:
    1。给出完全的算法实现代码
    2。小四的关于NTLM,LM的过程针对返回会话KEY的有效,针对完全挑战模式下说明并非完全
    3。一些新的思路和思考
    4。安全BLOB的结构说明

    一:NTLM认证算法过程
        1。客户端申请挑战
         安全BLOB的结构如下:
        {
            CHAR DESC[8]=“NTLMSSP”;
            DWORD NO=1;        //顺序号
            DWORD FLAG;        
            WORD DOMAINNAMELEN;    //域名长度
            WORD DOMAINNAMEMAXLEN;//域名最大长度
            DWORD DOMAINNAMEOFFSET;//域名便移
            WORD HOSTNAMELEN;    //主机名长度
            WORD HOSTNAMEMAXLEN;    //主机名最大长度
            DWORD HOSTNAMEOFFSET;    //主机名便移
            CHAR HOSTNAME[HOSTNAMELEN];//主机名
            CHAR DOMAINNAME[DOMAINNAMELEN];//域名
        }
         2。服务器返回挑战,这个挑战是一个8字节的随机数    
         安全BLOB的结构如下:
        {
            CHAR DESC[8]=“NTLMSSP”;
            DWORD NO=2;        //顺序号,必须为2
            WORD DOMAINNAMELEN;    //帐户域名长度
            WORD DOMAINNAMEMAXLEN;    //帐户域名最大长度
            DWORD DOMAINNAMEOFFSET;////帐户域名偏移
            DWORD FLAG;
            BYTE CHALLAGE[8];    //8字节挑战
            BYTE RE[8];        //保留8字节,必须为0
            WORD HOSTNAMELISTLEN;  //主机名列表长度
            WORD HOSTNAMELISTMAXLEN;//主机名列表最大长度
            DWORD HOSTNAMELISTOFFSET;//主机名列表偏移
            CHAR DOMAINNAME[DOMAINNAMELEN];
            CHAR HOSTLISTNAME[HOSTNAMELISTLEN];
            //这里是多个结构组成
            //每个结构如下:
            //WORD ITEMNO;索引
            //WORD HOSTNAMELEN;主机名长度
            //BYTE HOSTNAME[HOSTNAMELEN]:主机名
        }
        3。客户端加密密码散列
        其实这个过程还是很复杂的
        如果是明文口令,先将此口令转化成散列,如果是系统用户则直接根据令牌从SESSION表中取出散列。
        这下面就是小四的文章中没提到的过程
        客户端先生成一个随机KEY,然后和服务器端的挑战使用MD5算法生成16字节的散列,但MS只取前8字节做为加密KEY,其实后面的散列加密并非是使用挑战直接加密的,而是
    使用此加密KEY进行加密的。
            这个算法的代码如下:romkey就是客户端生成的一个随机KEY,challage就是服务器挑战
    void challagetorkey(unsigned char * romkey,unsigned char * challage,unsigned char * enkey)
    {
        unsigned char LM[0x58];
        md5init(LM);
        *(DWORD *)LM=0x200;
        memcpy(LM+0X18,challage,8);
        memcpy(LM+0X20,romkey,8);
        *(DWORD *)(LM+0x28)=0x80;
        *(DWORD *)(LM+0x50)=0x80;
        md5final(LM);
        memcpy(enkey,LM+8,8);
    }
        然后再使用生成的加密KEY加密MD4生成的NTLM散列,具体的过程在下四的文章中有详细介绍,这里就不再讲了,后面给出了完全实现的代码。
        同时还会先选择一个RC4的KEY,对MD4生成的NTLM散列用MD4再生成一个散列,再用HMACMD5算法,加密KEY,这个散列计算出一个0X10字节的散
    列,用此散列和rc4_key函数生成rc4的key表,最后用这个KEY表和先选择的RC4的KEY生成一个0X10字节的RC的结果出来。
        但要注意的是:通常情况下,这个RC4的结果并没用于认证。

        安全BLOB的结构如下:
        {
            CHAR DESC[8]=“NTLMSSP”;
            DWORD NO=3;        //顺序号,必须为3
            WORD RANDOMKEYLEN;    //客户端随机KEY长度,固定为0X18
            WORD RANDOMKEYMAXLEN;    //客户端随机KEY最大长度,固定为0X18
            //其实客户端随机KEY只有8字节,但是后面补0添满0X18字节
            DWORD RANDOMKEYOFFSET;////客户端随机KEY偏移
            WORD ENNTLMLEN;    //加密的NTLM散列长度,固定为0X18
            WORD ENNTLMMAXLEN;    //加密的NTLM散列最大长度,固定为0X18
            DWORD ENNTLMOFFSET;    //加密的NTLM散列偏移
            WORD HOSTNAMELEN;  //主机名长度
            WORD HOSTNAMEMAXLEN;//主机名最大长度
            DWORD HOSTNAMEOFFSET;//主机名偏移
            WORD USERNAMELEN;  //用户名长度
            WORD USERNAMEMAXLEN;//用户名最大长度
            DWORD USERNAMEOFFSET;//用户名偏移
            WORD USERDOMAINLEN;  //帐户域名长度
            WORD USERDOMAINMAXLEN;//帐户域名最大长度
            DWORD USERDOMAINOFFSET;//帐户域名偏移
            WORD ENNTLMRC4LEN;    //加密的RC4 NTLM散列长度,固定为0X10
            WORD ENNTLMRC4MAXLEN;    //加密的RC4 NTLM散列最大长度,固定为0X10
            DWORD ENNTLMRC4OFFSET;    //加密的RC4 NTLM散列偏移
            DWORD FLAG;
            CHAR HOSTNAME[HOSTNAMELEN];//主机名
            CHAR USERNAME[HOSTNAMELEN];//用户名
            CHAR USERDOMAINNAME[HOSTNAMELEN];//帐户域名
            RANDOMKEY[0X18];//其实客户端随机KEY只有8字节,但是后面补0添满0X18字节
            ENNTLM[0X18];
            ENRC4NTLM[0X10];
        }
        
        4。服务器认证
          服务器获得客户端随即KEY以后,也和挑战运算获得此加密KEY,然后计算加密的NTLM散列做对比进行判断。

        5。一些思考
        主要是关于重放攻击的,其实真正的加密KEY是挑战和客户端随机KEY做MD5运算的结果,那么如果我们嗅探出了一个挑战,随机KEY就
    能计算出加密KEY,如果我们发起一个请求获得一个挑战2,如果能计算一个随即KEY2(这个可由我们自己控制),满足MD5(挑战2,随即KEY2)
    =加密KEY,那么我们就能发送我们修探获得的安全BLOB中的加密散列的内容来获得认证。
            当然MD5的算法本事就是要防碰撞的,但是在MS的SMB实现中,由于MD5生成的是16字节的散列,但是用来做加密KEY的只是前8个字节,那
    么对于寻找只满足部分(前8字节)碰撞的算法复杂度就会大大的降低,当然我们在MD5中唯一能控制的东西就是随即KEY,但是挑战KEY已知,其实
    针对加密算发是常量(因为加密内容固定为0X1O字节,其他的内容可以常量),应该来说还是很有希望的。不过就我的数学水平而已,尝试了
    一下就被难到了,希望对MD5碰撞有研究的人给予指教。下面就是给出的一个针对其挑战,随即KEY到加密KEY的替代函数:

    void challagetorkey(unsigned long c1,unsigned long c2,unsigned long r1,unsigned long r2)
    {
    //我们把挑战看做2个unsigned long的数C1,C2,客户端随即KEY也看做2个unsigned long的数R1,R2
    //最后生成的是B1,D1,S1,D2,但其实用做加密KEY的只是B1,D1而已
    //如果我们知道B1,D1,C1,C2,是否能找过一个R1,R2,使得满足这个函数呢?
    //按照概率是针对每个B1,D1都有可能找到对应的R1,R2,因为MD5的算发要求是每个字节的变化都应该平均分布的
    //我们可控的是256的8次方,结果也是256的8次方
    //即使不是完全平均分布的,在测试100个挑战中总会有满足的吧?
    //而算法复杂度对于16字节的256的16次方应该降低了不少
    //那么再退一步说,如果我们知道B1,D1,C1,C2,R1,如果能解出R2也行,我们对R1实行穷举
    //R1是256的4次方,4亿左右的穷举对现在的机器不应该是负担吧?当然真正实现工具由于认证要求,可能要求在10分钟以内
    //但是如果我们在2天内能找到结果,也能说明很多问题
        DWORD a1,d1,d2,s1;
        DWORD b1;

        b1=(((0x10325476^0x98badcfe)&0xefcdab89)^0x10325476)+c1;
        b1=b1+0x67452301+0xd76aa478;
        b1=((b1<<0x7)|(b1>>0x19))+0xefcdab89;
        //第一轮
        a1=(((0x98badcfe^0xefcdab89)&b1)^0x98badcfe)+0xe8c7b756;
        d2=0x10325476+c2+a1;
        d2=((d2<<0xc)|(d2>>0x14))+b1;
        a1=(((0xefcdab89^b1)&d2)^0xefcdab89)+0x242070db;
        s1=0x98badcfe+r1+a1;
        s1=((s1<<0x11)|(s1>>0xf))+d2;
        a1=(((d2^b1)&s1)^b1)+0xc1bdceee;
        d1=0xefcdab89+r2+a1;
        d1=((d1<<0x16)|(d1>>0xa))+s1;
        a1=(((d2^s1)&d1)^d2)+0xf57c0faf;
        b1=b1+0x80+a1;
        b1=((b1<<0x7)|(b1>>0x19))+d1;
        a1=(((s1^d1)&b1)^s1)+0x4787C62A;
        d2=d2+a1;
        d2=((d2<<0xc)|(d2>>0x14))+b1;    
        a1=(((d1^b1)&d2)^d1)+0xA8304613;
        s1=s1+a1;
        s1=((s1<<0x11)|(s1>>0xf))+d2;    
        a1=(((d2^b1)&s1)^b1)+0xFD469501;
        d1=d1+a1;
        d1=((d1<<0x16)|(d1>>0xa))+s1;    
        a1=(((d2^s1)&d1)^d2)+0x698098D8;
        b1=b1+a1;
        b1=((b1<<0x7)|(b1>>0x19))+d1;
        a1=(((s1^d1)&b1)^s1)+0x8B44F7AF;
        d2=d2+a1;
        d2=((d2<<0xc)|(d2>>0x14))+b1;
        a1=(((d1^b1)&d2)^d1)+0xFFFF5BB1;
        s1=s1+a1;
        s1=((s1<<0x11)|(s1>>0xf))+d2;
        a1=(((d2^b1)&s1)^b1)+0x895CD7BE;
        d1=d1+a1;
        d1=((d1<<0x16)|(d1>>0xa))+s1;
        a1=(((d2^s1)&d1)^d2)+0x6B901122;
        b1=b1+a1;
        b1=((b1<<0x7)|(b1>>0x19))+d1;
        a1=(((s1^d1)&b1)^s1)+0xFD987193;
        d2=d2+a1;
        d2=((d2<<0xc)|(d2>>0x14))+b1;
        a1=(((d1^b1)&d2)^d1)+0xA679438E;
        s1=s1+0x80+a1;
        s1=((s1<<0x11)|(s1>>0xf))+d2;
        a1=(((d2^b1)&s1)^b1)+0x49B40821;
        d1=d1+a1;
        d1=((d1<<0x16)|(d1>>0xa))+s1;
        //第二轮
        a1=(((s1^d1)&d2)^s1)+0xF61E2562;
        b1=b1+c2+a1;
        b1=((b1<<0x5)|(b1>>0x1b))+d1;
        a1=(((d1^b1)&s1)^d1)+0xC040B340;
        d2=d2+a1;
        d2=((d2<<0x9)|(d2>>0x17))+b1;
        a1=(((d2^b1)&d1)^b1)+0x265E5A51;
        s1=s1+a1;
        s1=((s1<<0xe)|(s1>>0x12))+d2;
        a1=(((d2^s1)&b1)^d2)+0xE9B6C7AA;
        d1=d1+c1+a1;
        d1=((d1<<0x14)|(d1>>0xc))+s1;
        a1=(((s1^d1)&d2)^s1)+0xD62F105D;
        b1=b1+a1;
        b1=((b1<<0x5)|(b1>>0x1b))+d1;
        a1=(((d1^b1)&s1)^d1)+0x2441453;
        d2=d2+a1;
        d2=((d2<<0x9)|(d2>>0x17))+b1;
        a1=(((d2^b1)&d1)^b1)+0xD8A1E681;
        s1=s1+a1;
        s1=((s1<<0xe)|(s1>>0x12))+d2;
        a1=(((d2^s1)&b1)^d2)+0xE7D3FBC8;
        d1=d1+0x80+a1;
        d1=((d1<<0x14)|(d1>>0xc))+s1;
        a1=(((s1^d1)&d2)^s1)+0x21E1CDE6;
        b1=b1+a1;
        b1=((b1<<0x5)|(b1>>0x1b))+d1;
        a1=(((d1^b1)&s1)^d1)+0xC33707D6;
        d2=d2+0x80+a1;
        d2=((d2<<0x9)|(d2>>0x17))+b1;
        a1=(((d2^b1)&d1)^b1)+0xF4D50D87;
        s1=s1+r2+a1;
        s1=((s1<<0xe)|(s1>>0x12))+d2;
        a1=(((d2^s1)&b1)^d2)+0x455A14ED;
        d1=d1+a1;
        d1=((d1<<0x14)|(d1>>0xc))+s1;
        a1=(((s1^d1)&d2)^s1)+0xA9E3E905;
        b1=b1+a1;
        b1=((b1<<0x5)|(b1>>0x1b))+d1;
        a1=(((d1^b1)&s1)^d1)+0xFCEFA3F8;
        d2=d2+r1+a1;
        d2=((d2<<0x9)|(d2>>0x17))+b1;
        a1=(((d2^b1)&d1)^b1)+0x676F02D9;
        s1=s1+a1;
        s1=((s1<<0xe)|(s1>>0x12))+d2;
        a1=(((d2^s1)&b1)^d2)+0x8D2A4C8A;
        d1=d1+a1;
        d1=((d1<<0x14)|(d1>>0xc))+s1;
        //第三轮
        a1=((d2^s1)^d1)+0xFFFA3942;
        b1=b1+a1;
        b1=((b1<<0x4)|(b1>>0x1c))+d1;
        a1=((s1^d1)^b1)+0x8771F681;
        d2=d2+a1;
        d2=((d2<<0xb)|(d2>>0x15))+b1;
        a1=(d2^d1)^b1;
        s1=s1+0x6D9D6122+a1;
        s1=((s1<<0x10)|(s1>>0x10))+d2;
        a1=d2^s1;
        d1=d1+0x80+0xFDE5380C+(b1^a1);
        d1=((d1<<0x17)|(d1>>0x9))+s1;
        b1=b1+c2+0xA4BEEA44+(d1^a1);
        b1=((b1<<0x4)|(b1>>0x1c))+d1;
        a1=((s1^d1)^b1)+0x4BDECFA9;
        d2=d2+0x80+a1;
        d2=((d2<<0xb)|(d2>>0x15))+b1;
        a1=(d2^d1)^b1;
        s1=s1+0xF6BB4B60+a1;
        s1=((s1<<0x10)|(s1>>0x10))+d2;
        a1=(d2^s1);
        d1=d1+0xBEBFBC70+(b1^a1);
        d1=((d1<<0x17)|(d1>>0x9))+s1;
        b1=b1+0x289B7EC6+(d1^a1);
        b1=((b1<<0x4)|(b1>>0x1c))+d1;
        a1=((s1^d1)^b1)+0xEAA127FA;
        d2=d2+c1+a1;
        d2=((d2<<0xb)|(d2>>0x15))+b1;
        a1=(d2^d1)^b1;
        s1=s1+r2+0xD4EF3085+a1;
        s1=((s1<<0x10)|(s1>>0x10))+d2;
        a1=d2^s1;
        d1=d1+0x4881D05+(b1^a1);
        d1=((d1<<0x17)|(d1>>0x9))+s1;
        a1=d1^a1;    
        b1=b1+a1+0xD9D4D039;
        b1=((b1<<0x4)|(b1>>0x1c))+d1;
        a1=((s1^d1)^b1)+0xE6DB99E5;
        d2=d2+a1;
        d2=((d2<<0xb)|(d2>>0x15))+b1;
        a1=((d2^d1)^b1);
        s1=s1+0x1FA27CF8+a1;
        s1=((s1<<0x10)|(s1>>0x10))+d2;
        a1=((d2^s1)^b1);
        d1=d1+r1+0xC4AC5665+a1;
        d1=((d1<<0x17)|(d1>>0x9))+s1;
        //第4轮
        a1=(((d2^0xFFFFFFFF)|d1)^s1)+0xF4292244;
        b1=b1+c1+a1;
        b1=((b1<<0x6)|(b1>>0x1a))+d1;
        a1=(((s1^0xFFFFFFFF)|b1)^d1)+0x432AFF97;
        d2=d2+a1;
        d2=((d2<<0xa)|(d2>>0x16))+b1;
        a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xAB9423A7;
        s1=s1+0x80+a1;
        s1=((s1<<0xf)|(s1>>0x11))+d2;
        a1=(((b1^0xFFFFFFFF)|s1)^d2);
        d1=d1+0xFC93A039+a1;
        d1=((d1<<0x15)|(d1>>0xb))+s1;
        a1=(((d2^0xFFFFFFFF)|d1)^s1)+0x655B59C3;
        b1=b1+a1;
        b1=((b1<<0x6)|(b1>>0x1a))+d1;
        a1=(((s1^0xFFFFFFFF)|b1)^d1)+0x8F0CCC92;
        d2=d2+r2+a1;
        d2=((d2<<0xa)|(d2>>0x16))+b1;
        a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xFFEFF47D;
        s1=s1+a1;
        s1=((s1<<0xf)|(s1>>0x11))+d2;
        a1=(((b1^0xFFFFFFFF)|s1)^d2)+0x85845DD1;
        d1=d1+c2+a1;
        d1=((d1<<0x15)|(d1>>0xb))+s1;
        a1=(((d2^0xFFFFFFFF)|d1)^s1)+0x6FA87E4F;
        b1=b1+a1;
        b1=((b1<<0x6)|(b1>>0x1a))+d1;
        a1=(((s1^0xFFFFFFFF)|b1)^d1)+0xFE2CE6E0;
        d2=d2+a1;
        d2=((d2<<0xa)|(d2>>0x16))+b1;
        a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xA3014314;
        s1=s1+a1;
        s1=((s1<<0xf)|(s1>>0x11))+d2;
        a1=(((b1^0xFFFFFFFF)|s1)^d2)+0x4E0811A1;
        d1=d1+a1;
        d1=((d1<<0x15)|(d1>>0xb))+s1;
        a1=(((d2^0xFFFFFFFF)|d1)^s1)+0xF7537E82;
        b1=b1+0x80+a1;
        b1=((b1<<0x6)|(b1>>0x1a))+d1;
        a1=(((s1^0xFFFFFFFF)|b1)^d1)+0xBD3AF235;
        d2=d2+a1;
        d2=((d2<<0xa)|(d2>>0x16))+b1;
        a1=(((d1^0xFFFFFFFF)|d2)^b1)+0x2AD7D2BB;
        s1=s1+r1+a1;
        s1=((s1<<0xf)|(s1>>0x11))+d2;
        a1=(((b1^0xFFFFFFFF)|s1)^d2)+0xEB86D391;
        d1=d1+a1;
        d1=((d1<<0x15)|(d1>>0xb))+s1;

        b1=b1+0x67452301;
        d1=d1+0xefcdab89;
        s1=s1+0x98badcfe;
        d2=d2+0x10325476;
    }


        6。实现代码的说明
    这个代码是完全在TCP只上实现NTLM挑战认证的,密码的计算不调用任何加密的API。
    如果知道散列也可以去掉口令到散列的部分直接使用散列进行处理。

    #include <stdio.h>
    #include <winsock2.h>
    #include <windows.h>
    #include <wincrypt.h>
    #include <process.h>
    #include <string.h>
    #include <winbase.h>
    # include <wincrypt.h>
    #define SECURITY_WIN32
    # include <Security.h>
    # include <Ntsecapi.h>
    # include "smb.h"

    void SmbNegotiate(SMBP * psmbp);
    void SmbSessionSetupAndX1(SMBP * psmbp);
    void SmbSessionSetupAndX2(SMBP * psmbp,wchar_t * username,wchar_t * domainname,wchar_t * password);
    void deskey(char * LmPass,unsigned char * desecb);
    void passtoowf(wchar_t * password,unsigned char * paswdowf);
    void initLMP(char * pass,unsigned char * LM);
    void deskey(char * LmPass,unsigned char * desecb);
    void des(unsigned char * LM,char * magic,unsigned char * ecb,long no);
    void md4init(unsigned char * LM);
    void md4(unsigned char * LM);
    void md5init(unsigned char * LM);
    void md5final(unsigned char * LM);
    void initMDP(PLSA_UNICODE_STRING pass,unsigned char * LM);
    void hashtocread(unsigned char * enkey,unsigned char * hash,unsigned char * cread);
    void challagetorkey(unsigned char * romkey,unsigned char * challage,unsigned char * enkey);
    void hmacmd5(unsigned char * rc4key,unsigned char * enkey);
    void rc4_key(unsigned char * rc4keylist,unsigned char * rc4key,int keylen);

    typedef DWORD (CALLBACK* RTLUPCASEUNICODESTRINGTOOEMSTRING)(PLSA_UNICODE_STRING, PLSA_UNICODE_STRING, DWORD);
    RTLUPCASEUNICODESTRINGTOOEMSTRING RtlUpcaseUnicodeStringToOemString;

    typedef struct _SMBNBT
    {
        unsigned char nbtsmb;
        unsigned char flag;
        short smbpacketlen;
    }SMBNBT,* PSMBNBT;

    typedef struct _SMBINFO
    {
        unsigned char magic[4];
        BYTE smbtoken;
        BYTE errcodeclass;
        BYTE dosaherrcode;
        unsigned char errcode[2];
        BYTE flagsummary;
        short flagsummary2;
        short unuse[6];
        short treeid;
        short callprocessid;
        short userid;
        short multiplexid;
        unsigned char info[2048];
    }SMBINFO,* PSMBINFO;

    typedef struct _SMBP
    {
        SMBNBT smbnbt;
        SMBINFO smbinfo;
    }SMBP,* PSMBP;

    wchar_t navos[]=L"windows 2000 2195";
    wchar_t lanman[]=L"windows 2000 5.0";
    unsigned char challage[8]={0x53,0xe6,0x97,0x53,0xfb,0x97,0x7c,0x19};
    unsigned char romkey[8]={0xc7,0x91,0xdd,0xe8,0x5c,0xcd,0xc8,0xde};

    unsigned char DESParity[]={0,1,1,2,1,2,2,3,1,2,2,3,2,3,3,4};
    unsigned char DESDShift[]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0,
    0x64,0xCC,0xF9,0x29,0xDF,0xDE,0x86,0x4A,0x81,0x84,9,0x3C,0,0,0,0,
    0xFB,0x99,0xE9,8,0xEC,0x87,0x67,0x2F,0x59,0x0FD,0x22,0xF1};

    DWORD DESKEY1[]={
    0x00000000,0x00000010,0x20000000,0x20000010,0x00010000,0x00010010,0x20010000,0x20010010,
    0x00000800,0x00000810,0x20000800,0x20000810,0x00010800,0x00010810,0x20010800,0x20010810,
    0x00000020,0x00000030,0x20000020,0x20000030,0x00010020,0x00010030,0x20010020,0x20010030,
    0x00000820,0x00000830,0x20000820,0x20000830,0x00010820,0x00010830,0x20010820,0x20010830,
    0x00080000,0x00080010,0x20080000,0x20080010,0x00090000,0x00090010,0x20090000,0x20090010,
    0x00080800,0x00080810,0x20080800,0x20080810,0x00090800,0x00090810,0x20090800,0x20090810,
    0x00080020,0x00080030,0x20080020,0x20080030,0x00090020,0x00090030,0x20090020,0x20090030,
    0x00080820,0x00080830,0x20080820,0x20080830,0x00090820,0x00090830,0x20090820,0x20090830};

    DWORD DESKEY2[]={
    0x00000000,0x02000000,0x00002000,0x02002000,0x00200000,0x02200000,0x00202000,0x02202000,
    0x00000004,0x02000004,0x00002004,0x02002004,0x00200004,0x02200004,0x00202004,0x02202004,
    0x00000400,0x02000400,0x00002400,0x02002400,0x00200400,0x02200400,0x00202400,0x02202400,
    0x00000404,0x02000404,0x00002404,0x02002404,0x00200404,0x02200404,0x00202404,0x02202404,
    0x10000000,0x12000000,0x10002000,0x12002000,0x10200000,0x12200000,0x10202000,0x12202000,
    0x10000004,0x12000004,0x10002004,0x12002004,0x10200004,0x12200004,0x10202004,0x12202004,
    0x10000400,0x12000400,0x10002400,0x12002400,0x10200400,0x12200400,0x10202400,0x12202400,
    0x10000404,0x12000404,0x10002404,0x12002404,0x10200404,0x12200404,0x10202404,0x12202404};

    DWORD DESKEY3[]={
    0x00000000,0x00000001,0x00040000,0x00040001,0x01000000,0x01000001,0x01040000,0x01040001,
    0x00000002,0x00000003,0x00040002,0x00040003,0x01000002,0x01000003,0x01040002,0x01040003,
    0x00000200,0x00000201,0x00040200,0x00040201,0x01000200,0x01000201,0x01040200,0x01040201,
    0x00000202,0x00000203,0x00040202,0x00040203,0x01000202,0x01000203,0x01040202,0x01040203,
    0x08000000,0x08000001,0x08040000,0x08040001,0x09000000,0x09000001,0x09040000,0x09040001,
    0x08000002,0x08000003,0x08040002,0x08040003,0x09000002,0x09000003,0x09040002,0x09040003,
    0x08000200,0x08000201,0x08040200,0x08040201,0x09000200,0x09000201,0x09040200,0x09040201,
    0x08000202,0x08000203,0x08040202,0x08040203,0x09000202,0x09000203,0x09040202,0x09040203};

    DWORD DESKEY4[]={
    0x00000000,0x00100000,0x00000100,0x00100100,0x00000008,0x00100008,0x00000108,0x00100108,
    0x00001000,0x00101000,0x00001100,0x00101100,0x00001008,0x00101008,0x00001108,0x00101108,
    0x04000000,0x04100000,0x04000100,0x04100100,0x04000008,0x04100008,0x04000108,0x04100108,
    0x04001000,0x04101000,0x04001100,0x04101100,0x04001008,0x04101008,0x04001108,0x04101108,
    0x00020000,0x00120000,0x00020100,0x00120100,0x00020008,0x00120008,0x00020108,0x00120108,
    0x00021000,0x00121000,0x00021100,0x00121100,0x00021008,0x00121008,0x00021108,0x00121108,
    0x04020000,0x04120000,0x04020100,0x04120100,0x04020008,0x04120008,0x04020108,0x04120108,
    0x04021000,0x04121000,0x04021100,0x04121100,0x04021008,0x04121008,0x04021108,0x04121108};

    DWORD DESKEY5[]={
    0x00000000,0x10000000,0x00010000,0x10010000,0x00000004,0x10000004,0x00010004,0x10010004,
    0x20000000,0x30000000,0x20010000,0x30010000,0x20000004,0x30000004,0x20010004,0x30010004,
    0x00100000,0x10100000,0x00110000,0x10110000,0x00100004,0x10100004,0x00110004,0x10110004,
    0x20100000,0x30100000,0x20110000,0x30110000,0x20100004,0x30100004,0x20110004,0x30110004,
    0x00001000,0x10001000,0x00011000,0x10011000,0x00001004,0x10001004,0x00011004,0x10011004,
    0x20001000,0x30001000,0x20011000,0x30011000,0x20001004,0x30001004,0x20011004,0x30011004,
    0x00101000,0x10101000,0x00111000,0x10111000,0x00101004,0x10101004,0x00111004,0x10111004,
    0x20101000,0x30101000,0x20111000,0x30111000,0x20101004,0x30101004,0x20111004,0x30111004};

    DWORD DESKEY6[]={
    0x00000000,0x08000000,0x00000008,0x08000008,0x00000400,0x08000400,0x00000408,0x08000408,
    0x00020000,0x08020000,0x00020008,0x08020008,0x00020400,0x08020400,0x00020408,0x08020408,
    0x00000001,0x08000001,0x00000009,0x08000009,0x00000401,0x08000401,0x00000409,0x08000409,
    0x00020001,0x08020001,0x00020009,0x08020009,0x00020401,0x08020401,0x00020409,0x08020409,
    0x02000000,0x0A000000,0x02000008,0x0A000008,0x02000400,0x0A000400,0x02000408,0x0A000408,
    0x02020000,0x0A020000,0x02020008,0x0A020008,0x02020400,0x0A020400,0x02020408,0x0A020408,
    0x02000001,0x0A000001,0x02000009,0x0A000009,0x02000401,0x0A000401,0x02000409,0x0A000409,
    0x02020001,0x0A020001,0x02020009,0x0A020009,0x02020401,0x0A020401,0x02020409,0x0A020409};

    DWORD DESKEY7[]={
    0x00000000,0x00000100,0x00080000,0x00080100,0x01000000,0x01000100,0x01080000,0x01080100,
    0x00000010,0x00000110,0x00080010,0x00080110,0x01000010,0x01000110,0x01080010,0x01080110,
    0x00200000,0x00200100,0x00280000,0x00280100,0x01200000,0x01200100,0x01280000,0x01280100,
    0x00200010,0x00200110,0x00280010,0x00280110,0x01200010,0x01200110,0x01280010,0x01280110,
    0x00000200,0x00000300,0x00080200,0x00080300,0x01000200,0x01000300,0x01080200,0x01080300,
    0x00000210,0x00000310,0x00080210,0x00080310,0x01000210,0x01000310,0x01080210,0x01080310,
    0x00200200,0x00200300,0x00280200,0x00280300,0x01200200,0x01200300,0x01280200,0x01280300,
    0x00200210,0x00200310,0x00280210,0x00280310,0x01200210,0x01200310,0x01280210,0x01280310};

    DWORD DESKEY8[]={
    0x00000000,0x04000000,0x00040000,0x04040000,0x00000002,0x04000002,0x00040002,0x04040002,
    0x00002000,0x04002000,0x00042000,0x04042000,0x00002002,0x04002002,0x00042002,0x04042002,
    0x00000020,0x04000020,0x00040020,0x04040020,0x00000022,0x04000022,0x00040022,0x04040022,
    0x00002020,0x04002020,0x00042020,0x04042020,0x00002022,0x04002022,0x00042022,0x04042022,
    0x00000800,0x04000800,0x00040800,0x04040800,0x00000802,0x04000802,0x00040802,0x04040802,
    0x00002800,0x04002800,0x00042800,0x04042800,0x00002802,0x04002802,0x00042802,0x04042802,
    0x00000820,0x04000820,0x00040820,0x04040820,0x00000822,0x04000822,0x00040822,0x04040822,
    0x00002820,0x04002820,0x00042820,0x04042820,0x00002822,0x04002822,0x00042822,0x04042822};

    DWORD DESSpBox1[]={
    0x02080800,0x00080000,0x02000002,0x02080802,0x02000000,0x00080802,0x00080002,0x02000002,
    0x00080802,0x02080800,0x02080000,0x00000802,0x02000802,0x02000000,0x00000000,0x00080002,
    0x00080000,0x00000002,0x02000800,0x00080800,0x02080802,0x02080000,0x00000802,0x02000800,
    0x00000002,0x00000800,0x00080800,0x02080002,0x00000800,0x02000802,0x02080002,0x00000000,
    0x00000000,0x02080802,0x02000800,0x00080002,0x02080800,0x00080000,0x00000802,0x02000800,
    0x02080002,0x00000800,0x00080800,0x02000002,0x00080802,0x00000002,0x02000002,0x02080000,
    0x02080802,0x00080800,0x02080000,0x02000802,0x02000000,0x00000802,0x00080002,0x00000000,
    0x00080000,0x02000000,0x02000802,0x02080800,0x00000002,0x02080002,0x00000800,0x00080802};

    DWORD DESSpBox2[]={
    0x40108010,0x00000000,0x00108000,0x40100000,0x40000010,0x00008010,0x40008000,0x00108000,
    0x00008000,0x40100010,0x00000010,0x40008000,0x00100010,0x40108000,0x40100000,0x00000010,
    0x00100000,0x40008010,0x40100010,0x00008000,0x00108010,0x40000000,0x00000000,0x00100010,
    0x40008010,0x00108010,0x40108000,0x40000010,0x40000000,0x00100000,0x00008010,0x40108010,
    0x00100010,0x40108000,0x40008000,0x00108010,0x40108010,0x00100010,0x40000010,0x00000000,
    0x40000000,0x00008010,0x00100000,0x40100010,0x00008000,0x40000000,0x00108010,0x40008010,
    0x40108000,0x00008000,0x00000000,0x40000010,0x00000010,0x40108010,0x00108000,0x40100000,
    0x40100010,0x00100000,0x00008010,0x40008000,0x40008010,0x00000010,0x40100000,0x00108000};

    DWORD DESSpBox3[]={
    0x04000001,0x04040100,0x00000100,0x04000101,0x00040001,0x04000000,0x04000101,0x00040100,
    0x04000100,0x00040000,0x04040000,0x00000001,0x04040101,0x00000101,0x00000001,0x04040001,
    0x00000000,0x00040001,0x04040100,0x00000100,0x00000101,0x04040101,0x00040000,0x04000001,
    0x04040001,0x04000100,0x00040101,0x04040000,0x00040100,0x00000000,0x04000000,0x00040101,
    0x04040100,0x00000100,0x00000001,0x00040000,0x00000101,0x00040001,0x04040000,0x04000101,
    0x00000000,0x04040100,0x00040100,0x04040001,0x00040001,0x04000000,0x04040101,0x00000001,
    0x00040101,0x04000001,0x04000000,0x04040101,0x00040000,0x04000100,0x04000101,0x00040100,
    0x04000100,0x00000000,0x04040001,0x00000101,0x04000001,0x00040101,0x00000100,0x04040000};

    DWORD DESSpBox4[]={
    0x00401008,0x10001000,0x00000008,0x10401008,0x00000000,0x10400000,0x10001008,0x00400008,
    0x10401000,0x10000008,0x10000000,0x00001008,0x10000008,0x00401008,0x00400000,0x10000000,
    0x10400008,0x00401000,0x00001000,0x00000008,0x00401000,0x10001008,0x10400000,0x00001000,
    0x00001008,0x00000000,0x00400008,0x10401000,0x10001000,0x10400008,0x10401008,0x00400000,
    0x10400008,0x00001008,0x00400000,0x10000008,0x00401000,0x10001000,0x00000008,0x10400000,
    0x10001008,0x00000000,0x00001000,0x00400008,0x00000000,0x10400008,0x10401000,0x00001000,
    0x10000000,0x10401008,0x00401008,0x00400000,0x10401008,0x00000008,0x10001000,0x00401008,
    0x00400008,0x00401000,0x10400000,0x10001008,0x00001008,0x10000000,0x10000008,0x10401000};

    DWORD DESSpBox5[]={
    0x08000000,0x00010000,0x00000400,0x08010420,0x08010020,0x08000400,0x00010420,0x08010000,
    0x00010000,0x00000020,0x08000020,0x00010400,0x08000420,0x08010020,0x08010400,0x00000000,
    0x00010400,0x08000000,0x00010020,0x00000420,0x08000400,0x00010420,0x00000000,0x08000020,
    0x00000020,0x08000420,0x08010420,0x00010020,0x08010000,0x00000400,0x00000420,0x08010400,
    0x08010400,0x08000420,0x00010020,0x08010000,0x00010000,0x00000020,0x08000020,0x08000400,
    0x08000000,0x00010400,0x08010420,0x00000000,0x00010420,0x08000000,0x00000400,0x00010020,
    0x08000420,0x00000400,0x00000000,0x08010420,0x08010020,0x08010400,0x00000420,0x00010000,
    0x00010400,0x08010020,0x08000400,0x00000420,0x00000020,0x00010420,0x08010000,0x08000020};

    DWORD DESSpBox6[]={
    0x80000040,0x00200040,0x00000000,0x80202000,0x00200040,0x00002000,0x80002040,0x00200000,
    0x00002040,0x80202040,0x00202000,0x80000000,0x80002000,0x80000040,0x80200000,0x00202040,
    0x00200000,0x80002040,0x80200040,0x00000000,0x00002000,0x00000040,0x80202000,0x80200040,
    0x80202040,0x80200000,0x80000000,0x00002040,0x00000040,0x00202000,0x00202040,0x80002000,
    0x00002040,0x80000000,0x80002000,0x00202040,0x80202000,0x00200040,0x00000000,0x80002000,
    0x80000000,0x00002000,0x80200040,0x00200000,0x00200040,0x80202040,0x00202000,0x00000040,
    0x80202040,0x00202000,0x00200000,0x80002040,0x80000040,0x80200000,0x00202040,0x00000000,
    0x00002000,0x80000040,0x80002040,0x80202000,0x80200000,0x00002040,0x00000040,0x80200040};

    DWORD DESSpBox7[]={
    0x00004000,0x00000200,0x01000200,0x01000004,0x01004204,0x00004004,0x00004200,0x00000000,
    0x01000000,0x01000204,0x00000204,0x01004000,0x00000004,0x01004200,0x01004000,0x00000204,
    0x01000204,0x00004000,0x00004004,0x01004204,0x00000000,0x01000200,0x01000004,0x00004200,
    0x01004004,0x00004204,0x01004200,0x00000004,0x00004204,0x01004004,0x00000200,0x01000000,
    0x00004204,0x01004000,0x01004004,0x00000204,0x00004000,0x00000200,0x01000000,0x01004004,
    0x01000204,0x00004204,0x00004200,0x00000000,0x00000200,0x01000004,0x00000004,0x01000200,
    0x00000000,0x01000204,0x01000200,0x00004200,0x00000204,0x00004000,0x01004204,0x01000000,
    0x01004200,0x00000004,0x00004004,0x01004204,0x01000004,0x01004200,0x01004000,0x00004004};

    DWORD DESSpBox8[]={
    0x20800080,0x20820000,0x00020080,0x00000000,0x20020000,0x00800080,0x20800000,0x20820080,
    0x00000080,0x20000000,0x00820000,0x00020080,0x00820080,0x20020080,0x20000080,0x20800000,
    0x00020000,0x00820080,0x00800080,0x20020000,0x20820080,0x20000080,0x00000000,0x00820000,
    0x20000000,0x00800000,0x20020080,0x20800080,0x00800000,0x00020000,0x20820000,0x00000080,
    0x00800000,0x00020000,0x20000080,0x20820080,0x00020080,0x20000000,0x00000000,0x00820000,
    0x20800080,0x20020080,0x20020000,0x00800080,0x20820000,0x00000080,0x00800080,0x20020000,
    0x20820080,0x00800000,0x20800000,0x20000080,0x00820000,0x00020080,0x20020080,0x20800000,
    0x00000080,0x20820000,0x00820080,0x00000000,0x20000000,0x20800080,0x00020000,0x00820080};

    void main(int argc,char ** argv)
    {
        WSADATA WSAData;
        SOCKET sock;
        SOCKADDR_IN addr_in;
        int len;
        char serverip[]="192.168.13.211";
        short port=445;
        WORD olen,nlen;
        unsigned char buf1[0x1000];
        SMBP smbp;
        HMODULE hNtdll = NULL;

        hNtdll = LoadLibrary( "ntdll.dll" );
        if ( !hNtdll )
        {
            printf( "LoadLibrary( NTDLL.DLL ) Error:%d\n", GetLastError() );
            return ;
        }
        RtlUpcaseUnicodeStringToOemString = (RTLUPCASEUNICODESTRINGTOOEMSTRING)
            GetProcAddress(    hNtdll,    "RtlUpcaseUnicodeStringToOemString");
        if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
        {
            printf("WSAStartup error.Error:%d\n",WSAGetLastError());
            return;
        }

        addr_in.sin_family=AF_INET;
        addr_in.sin_port=htons(port);
        addr_in.sin_addr.S_un.S_addr=inet_addr(serverip);
        
        if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
        {
            printf("Socket failed.Error:%d\n",WSAGetLastError());
            return;
        }
        if(WSAConnect(sock,(struct sockaddr *)&addr_in,sizeof(addr_in),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
        {
            printf("Connect failed.Error:%d",WSAGetLastError());
            return;
        }
        SmbNegotiate(&smbp);
        if (send(sock,(unsigned char *)&smbp,ntohs(smbp.smbnbt.smbpacketlen)+4,0)==SOCKET_ERROR)
        {
                printf("Send failed.Error:%d\n",WSAGetLastError());
                return;
        }
        len=recv(sock,buf1,1024,NULL);
        SmbSessionSetupAndX1(&smbp);
        if (send(sock,(unsigned char *)&smbp,ntohs(smbp.smbnbt.smbpacketlen)+4,0)==SOCKET_ERROR)
        {
                printf("Send failed.Error:%d\n",WSAGetLastError());
                return;
        }
        len=recv(sock,buf1,1024,NULL);
        if((buf1[0]==0xff)&&(buf1[1]=='S')&&(buf1[2]=='M')&&(buf1[3]=='B'))
            olen=0x20;
        else if((buf1[4]==0xff)&&(buf1[5]=='S')&&(buf1[6]=='M')&&(buf1[7]=='B'))
            olen=0x24;
        else
            return;
        smbp.smbinfo.userid =  *(WORD *)(buf1+olen-0x4);
        nlen=*(WORD *)(buf1+olen+1+2*3);//BLOB的长度
        olen=olen+1+2*buf1[olen]+2;
        memcpy(challage,buf1+olen+0x18,8);
        SmbSessionSetupAndX2(&smbp,L"administrator",L"FXNB",L"asdasd");
        if (send(sock,(unsigned char *)&smbp,ntohs(smbp.smbnbt.smbpacketlen)+4,0)==SOCKET_ERROR)
        {
                printf("Send failed.Error:%d\n",WSAGetLastError());
                return;
        }
        len=recv(sock,buf1,1024,NULL);
        if((buf1[0]==0xff)&&(buf1[1]=='S')&&(buf1[2]=='M')&&(buf1[3]=='B'))
            olen=0x20;
        else if((buf1[4]==0xff)&&(buf1[5]=='S')&&(buf1[6]=='M')&&(buf1[7]=='B'))
            olen=0x24;
        else
            return;
        if(buf1[olen]==0)
            printf("error username and password\n");
        else
            printf("login ok\n");
        WSACleanup();
        return;
    }

    void SmbSessionSetupAndX1(SMBP * psmbp)
    {
        unsigned char sb[0x20]={
    0x4E,0x54,0x4C,0x4D,0x53,0x53,0x50,0x00,0x01,0x00,0x00,0x00,0x97,0x82,0x08,0xE0,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};

        psmbp->smbinfo.smbtoken =0x73;
        memset(psmbp->smbinfo.info,0,0x200);
        psmbp->smbinfo.flagsummary2 = 0xc807;
        *(DWORD *)(psmbp->smbinfo.info+21) = 0x800000D4;
        //指定使用加密的FLAG
        psmbp->smbinfo.info[0]=0xc;//WORD 参数个数
        *(WORD *)(psmbp->smbinfo.info+1)=0Xff;//无下一个命令
        *(WORD *)(psmbp->smbinfo.info+3)=0Xb0;//下一命令偏移
        *(WORD *)(psmbp->smbinfo.info+5)=0X4104;//最大缓冲
        *(WORD *)(psmbp->smbinfo.info+7)=0X32;//最大的MPX
        *(WORD *)(psmbp->smbinfo.info+9)=0X0;//虚拟通道
        *(DWORD *)(psmbp->smbinfo.info+11)=0X0;//虚拟通道
        *(DWORD *)(psmbp->smbinfo.info+17)=0X0;//保留

        *(WORD *)(psmbp->smbinfo.info+15)=0x20;  //BLOB的长度
        memcpy(psmbp->smbinfo.info+27,sb,0x20);//放入BLOB
        memcpy(psmbp->smbinfo.info+28+0x20,navos,36);//
        memcpy(psmbp->smbinfo.info+66+0x20,lanman,32);//
        *(WORD *)(psmbp->smbinfo.info+25)=73+0x20;
        psmbp->smbnbt.smbpacketlen = htons(132+0x20);
    }

    void SmbSessionSetupAndX2(SMBP * psmbp,wchar_t * username,wchar_t * domainname,wchar_t * password)
    {
        unsigned char enkey[8];
        unsigned char cread[0x40];
        unsigned char passwordhash[0x20];
        unsigned char creaded[0x100];
        int ulen;
        int dlen;
        int i;
        for(i=0;i<0x20;i++)
        {
            if(username[i]==0)
                break;
        }
        ulen=2*i;
        for(i=0;i<0x20;i++)
        {
            if(domainname[i]==0)
                break;
        }
        dlen=2*i;

        memset(creaded,0,0x100);
        memcpy(creaded,"NTLMSSP",8);
        *(DWORD *)(creaded+8)=3;
        *(WORD *)(creaded+0xc)=0x18;
        *(WORD *)(creaded+0xe)=0x18;
        *(DWORD *)(creaded+0x10)=0x40+ulen+dlen+dlen;
        *(WORD *)(creaded+0x14)=0x18;
        *(WORD *)(creaded+0x16)=0x18;
        *(DWORD *)(creaded+0x18)=0x40+ulen+dlen+dlen+0x18;
        *(WORD *)(creaded+0x1c)=dlen;
        *(WORD *)(creaded+0x1e)=dlen;
        *(DWORD *)(creaded+0x20)=0x40;
        *(WORD *)(creaded+0x24)=ulen;
        *(WORD *)(creaded+0x26)=ulen;
        *(DWORD *)(creaded+0x28)=0x40+dlen;
        *(WORD *)(creaded+0x2c)=dlen;
        *(WORD *)(creaded+0x2e)=dlen;
        *(DWORD *)(creaded+0x30)=0x40+dlen+ulen;
        *(WORD *)(creaded+0x34)=0x10;
        *(WORD *)(creaded+0x36)=0x10;
        *(DWORD *)(creaded+0x38)=0x40+ulen+dlen+dlen+0x30;
        *(DWORD *)(creaded+0x3C)=0XE0888215;
        //放如用户名等信息
        memcpy(creaded+0x40,domainname,dlen);
        memcpy(creaded+0x40+dlen,username,ulen);
        memcpy(creaded+0x40+dlen+ulen,domainname,dlen);
        psmbp->smbinfo.smbtoken =0x73;
        memset(psmbp->smbinfo.info,0,0x200);
        psmbp->smbinfo.flagsummary2 = 0xc807;
        *(DWORD *)(psmbp->smbinfo.info+21) = 0x800000D4;
        //指定使用加密的FLAG
        psmbp->smbinfo.info[0]=0xc;//WORD 参数个数
        *(WORD *)(psmbp->smbinfo.info+1)=0Xff;//无下一个命令
        *(WORD *)(psmbp->smbinfo.info+3)=0X12e;//下一命令偏移
        *(WORD *)(psmbp->smbinfo.info+5)=0X4104;//最大缓冲
        *(WORD *)(psmbp->smbinfo.info+7)=0X32;//最大的MPX
        *(WORD *)(psmbp->smbinfo.info+9)=0X0;//虚拟通道
        *(DWORD *)(psmbp->smbinfo.info+11)=0X0;//虚拟通道
        *(DWORD *)(psmbp->smbinfo.info+17)=0X0;//保留

        passtoowf(password,passwordhash);    //口令到散列
        challagetorkey(romkey,challage,enkey);    //把挑战和任意一个本地随机KEY通过MD5计算出加密KEY
        memset(cread,0,0x40);
        memcpy(cread,romkey,0x8);    //BLOB中放入本地随机KEY,好让服务器知道能计算出加密KEY
        hashtocread(enkey,passwordhash,cread);    //通过加密KEY计算NTLM的加密形式
        memcpy(creaded+0x40+ulen+dlen+dlen,cread,0x40);    
        *(WORD *)(psmbp->smbinfo.info+15)=0x80+ulen+dlen+dlen;  //BLOB的长度
        memcpy(psmbp->smbinfo.info+27,creaded,0x80+ulen+dlen+dlen);//放入BLOB
        memcpy(psmbp->smbinfo.info+28+0x80+ulen+dlen+dlen,navos,36);//
        memcpy(psmbp->smbinfo.info+66+0x80+ulen+dlen+dlen,lanman,32);//
        *(WORD *)(psmbp->smbinfo.info+25)=73+0x80+ulen+dlen+dlen;
        psmbp->smbnbt.smbpacketlen = htons(132+ 0x80+ulen+dlen+dlen);
    }

    void SmbNegotiate(SMBP * psmbp)
    {
        unsigned char magic[4]={0xff,'S','M','B'};
        short len;
        char langitem1[]="PC NETWORK PROGRAM 1.0";
        char langitem2[]="LANMAN1.0";
        char langitem3[]="Windows for Workgroups 3.1a";
        char langitem4[]="LM1.2X002";
        char langitem5[]="LANMAN2.1";
        char langitem6[]="NT LM 0.12";
        char langitem7[]="PCLAN1.0";
        char langitem8[]="MICROSOFT NETWORKS 1.03";
        char langitem9[]="MICROSOFT NETWORKS 3.0";
        char langitem10[]="DOS LM1.2X002";
        char langitem11[]="DOS LANMAN2.1";
        char langitem12[]="Cairo 0.xa";

        memset(psmbp,0,sizeof(SMBP));
        psmbp->smbnbt.nbtsmb = 0;
        psmbp->smbnbt.flag = 0;
        memcpy(psmbp->smbinfo.magic, magic,4);
        psmbp->smbinfo.smbtoken = 0x72;
        psmbp->smbinfo.errcodeclass = 0x0;
        psmbp->smbinfo.dosaherrcode = 0x0;
        psmbp->smbinfo.errcode[0] = 0x0;
        psmbp->smbinfo.errcode[1] = 0x0;
        psmbp->smbinfo.flagsummary = 0x18;
        psmbp->smbinfo.flagsummary2 = 0xc853;
        //指定了带挑战方式支持的FLAG
        psmbp->smbinfo.callprocessid = 0xfeff;
        psmbp->smbinfo.multiplexid = 0;
        psmbp->smbinfo.info[0]=0x0;
        len=3+2*(psmbp->smbinfo.info[0]);
        psmbp->smbinfo.info[len]=0x2;
        memcpy(psmbp->smbinfo.info+len+1,langitem6,sizeof(langitem6));
        len = len+1+sizeof(langitem6);

        *(WORD *)(psmbp->smbinfo.info+1) =len-3-2*(psmbp->smbinfo.info[0]);
        psmbp->smbnbt.smbpacketlen = htons(len+0x20);
    }

    void challagetorkey(unsigned char * romkey,unsigned char * challage,unsigned char * enkey)
    {
        unsigned char LM[0x58];
        md5init(LM);
        *(DWORD *)LM=0x200;
        memcpy(LM+0X18,challage,8);
        memcpy(LM+0X20,romkey,8);
        *(DWORD *)(LM+0x28)=0x80;
        *(DWORD *)(LM+0x50)=0x80;
        md5final(LM);
        memcpy(enkey,LM+8,8);
    }

    void hashtocread(unsigned char * enkey,unsigned char * hash,unsigned char * cread)
    {
        unsigned char LmPass[0x10];
        unsigned char rc4keylist[0x102];
        LSA_UNICODE_STRING lmhash;
        unsigned char desecb[128];
        unsigned char lm[0x28];
        unsigned char key[0x8];
        unsigned char rc4key[0x10];
    //加密KEY加密NTLM
        initLMP(hash,LmPass);
        deskey(LmPass,desecb);
        des(lm,enkey,desecb,1);
        initLMP(hash+7,LmPass);
        deskey(LmPass,desecb);
        des(lm+8,enkey,desecb,1);
        memset(key,0,8);
        memcpy(key,hash+0xe,2);
        initLMP(key,LmPass);
        deskey(LmPass,desecb);
        des(lm+0x10,enkey,desecb,1);
        memcpy(cread+0x18,lm,0x18);
    //计算NTLM的RC4形式
        lmhash.Length=0x10;
        lmhash.MaximumLength=0x10;
        lmhash.Buffer= hash;
        initMDP(&lmhash,rc4key);
        hmacmd5(rc4key,enkey);
        memcpy(cread+0x30,rc4key,0x10);
        rc4_key(rc4keylist,rc4key,0x10);    
    //由于并未使用此字段认证,下面的函数未实现,就以RC4KEY做其放进去了
    //    rc4_424(rc4keylist,rc4rom,0x10);
    }

    void rc4_key(unsigned char * rc4keylist,unsigned char * rc4key,int keylen)
    {
        int i,j;
        DWORD a1=0x03020100;
        unsigned char c1,c2,c3;
        for(i=0;i<0x40;i++)
        {
            *(DWORD *)(rc4keylist+4*i)=a1;
            a1+=0x04040404;
        }
        rc4keylist[0x100]=0;
        rc4keylist[0x101]=0;
        j=0;
        i=0;
        c3=0;
        for(j=0;j<0x100;j++)
        {
            c1=rc4keylist[j];
            c2=rc4key[i];
            c3=(c3+c2+c1)%256;
            rc4keylist[j]=rc4keylist[c3];
            rc4keylist[c3]=c1;
            i++;
            if(i==keylen)
                i=0;
        }
    }

    void hmacmd5(unsigned char * rc4key,unsigned char * enkey)
    {
        unsigned char Lm1[0x58];
        unsigned char Lm2[0x58];
        unsigned char k1[0x40];
        unsigned char k2[0x40];
        int i;
        md5init(Lm1);
        md5init(Lm2);
        memset(k1,0,0x40);
        memset(k2,0,0x40);
        memcpy(k1,rc4key,0x10);
        memcpy(k2,rc4key,0x10);
        for(i=0;i<0x10;i++)
        {
            *(DWORD *)(k1+4*i)=(*(DWORD *)(k1+4*i))^0x36363636;
            *(DWORD *)(k2+4*i)=(*(DWORD *)(k2+4*i))^0x5c5c5c5c;
        }
        *(DWORD *)Lm1=0x200;
        memcpy(Lm1+0X18,k1,0x40);
        md5final(Lm1);
        *(DWORD *)Lm2=0x200;
        memcpy(Lm2+0X18,k2,0x40);
        md5final(Lm2);
        *(DWORD *)Lm1=0x400;
        memcpy(Lm1+0X18,challage,0x8);
        memcpy(Lm1+0X20,romkey,0x8);
        memset(Lm1+0X28,0x80,1);
        memset(Lm1+0X29,0,0x2f);
        *(DWORD *)(Lm1+0x50)=0x280;
        md5final(Lm1);
        memcpy(Lm2+0X18,Lm1+8,0x10);
        *(DWORD *)Lm2=0x400;
        memset(Lm2+0X28,0x80,1);
        memset(Lm2+0X29,0,0x2f);
        *(DWORD *)(Lm2+0x50)=0x280;
        md5final(Lm2);
        memcpy(rc4key,Lm2+8,0x10);
    }

    void passtoowf(wchar_t * password,unsigned char * paswdowf)
    {
        int len;
        int i;
        LSA_UNICODE_STRING pass;
        LSA_UNICODE_STRING opass;
        char magic1[8]="KGS!@#$%";
        unsigned char desecb[128];
        unsigned char upassword[0x10];
        unsigned char LmPass[0x10];

        len=0;
        for(i=0;i<0x20;i++)
        {
            if(password[i]==0 )
                break;
            len=len+2;
        }
        if(len>28)
        {
            printf("password <=14");
            return;
        }
        pass.Length=len;
        pass.MaximumLength=len;
        pass.Buffer=password;
        opass.MaximumLength=0xf;
        opass.Buffer=upassword;
        memset(upassword,0,0x10);
        RtlUpcaseUnicodeStringToOemString(&opass,&pass,0);
        initLMP(upassword,LmPass);
        deskey(LmPass,desecb);
        des(paswdowf+0x10,magic1,desecb,1);
        initLMP(upassword+7,LmPass);
        deskey(LmPass,desecb);
        des(paswdowf+0x18,magic1,desecb,1);
        initMDP(&pass,paswdowf);
    }

    void initMDP(PLSA_UNICODE_STRING pass,unsigned char * LM)
    {
        unsigned char LM1[0x58];
        unsigned char s[2]="0";
        md4init(LM1);
        memcpy(LM1+0x18,pass->Buffer,pass->Length);
        memset(LM1+0x18+pass->Length,0x80,1);
        memset(LM1+0x18+pass->Length+1,0,0x37-pass->Length);
        *(DWORD *)(LM1+0x50)=8*(pass->Length);
        memset(LM1+0x51,0x0,7);
        *(DWORD *)(LM1+0x10)=0x200;
        md4(LM1);
        memcpy(LM,LM1,16);
    }

    void md4init(unsigned char * LM)
    {
        *(DWORD *)(LM)=0x67452301;
        *(DWORD *)(LM+4)=0xefcdab89;
        *(DWORD *)(LM+8)=0x98badcfe;
        *(DWORD *)(LM+0xc)=0x10325476;
        *(DWORD *)(LM+0x10)=0;
        *(DWORD *)(LM+0x14)=0;
    }

    void md4(unsigned char * LM)
    {
        DWORD d1,d2,d3,d4;
        DWORD a1,a2,a3;
        //第1轮
        d1=*(DWORD *)(LM);
        d2=*(DWORD *)(LM+4);
        d3=*(DWORD *)(LM+8);
        d4=*(DWORD *)(LM+0xc);
        a1=*(DWORD *)(LM+0x18);
        a2=(((d4^d3)&d2)^d4)+a1+d1;
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x1c);
        a3=(((d3^d2)&a2)^d3)+a1;
        d4=d4+a3;
        d4=(d4<<7)|(d4>>0x19);
        a1=*(DWORD *)(LM+0x20);
        a3=(((d2^a2)&d4)^d2)+a1;
        d3=d3+a3;
        d3=(d3<<0xb)|(d3>>0x15);
        a1=*(DWORD *)(LM+0x24);
        a3=(((d4^a2)&d3)^a2)+a1;
        d2=d2+a3;
        d2=(d2<<0x13)|(d2>>0xd);
        a1=*(DWORD *)(LM+0x28);
        a3=(((d4^d3)&d2)^d4)+a1;
        a2=a2+a3;
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x2c);
        a3=(((d3^d2)&a2)^d3)+a1;
        d4=d4+a3;
        d4=(d4<<7)|(d4>>0x19);
        a1=*(DWORD *)(LM+0x30);
        a3=(((d2^a2)&d4)^d2)+a1;
        d3=d3+a3;
        d3=(d3<<0xb)|(d3>>0x15);
        a1=*(DWORD *)(LM+0x34);
        a3=(((d4^a2)&d3)^a2)+a1;
        d2=d2+a3;
        d2=(d2<<0x13)|(d2>>0xd);
        a1=*(DWORD *)(LM+0x38);
        a3=(((d4^d3)&d2)^d4)+a1;
        a2=a2+a3;
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x3c);
        a3=(((d3^d2)&a2)^d3)+a1;
        d4=d4+a3;
        d4=(d4<<7)|(d4>>0x19);
        a1=*(DWORD *)(LM+0x40);
        a3=(((d2^a2)&d4)^d2)+a1;
        d3=d3+a3;
        d3=(d3<<0xb)|(d3>>0x15);
        a1=*(DWORD *)(LM+0x44);
        a3=(((d4^a2)&d3)^a2)+a1;
        d2=d2+a3;
        d2=(d2<<0x13)|(d2>>0xd);
        a1=*(DWORD *)(LM+0x48);
        a3=(((d4^d3)&d2)^d4)+a1;
        a2=a2+a3;
        a2=(a2<<0x3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x4c);
        a3=(((d3^d2)&a2)^d3)+a1;
        d4=d4+a3;
        d4=(d4<<7)|(d4>>0x19);
        a1=*(DWORD *)(LM+0x50);
        a3=(((d2^a2)&d4)^d2)+a1;
        d3=d3+a3;
        d3=(d3<<0xb)|(d3>>0x15);
        a1=*(DWORD *)(LM+0x54);
        a3=(((d4^a2)&d3)^a2)+a1;
        d2=d2+a3;
        d2=(d2<<0x13)|(d2>>0xd);
        //第2轮
        a1=*(DWORD *)(LM+0x18);
        a3=(((d3|d2)&d4)|(d3&d2))+a1+0x5a827999;
        a2=a2+a3;    
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x28);
        a3=(((d2|a2)&d3)|(d2&a2))+0x5a827999;
        d4=d4+a1+a3;
        d4=(d4<<5)|(d4>>0x1b);
        a1=*(DWORD *)(LM+0x38);
        a3=(((d4|a2)&d2)|(d4&a2))+a1+0x5a827999;
        d3=d3+a3;
        d3=(d3<<9)|(d3>>0x17);
        a1=*(DWORD *)(LM+0x48);
        a3=(((d4|d3)&a2)|(d4&d3))+a1+0x5a827999;
        d2=d2+a3;
        d2=(d2<<0xd)|(d2>>0x13);
        a1=*(DWORD *)(LM+0x1c);
        a3=(((d3|d2)&d4)|(d3&d2))+a1+0x5a827999;
        a2=a2+a3;
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x2c);
        a3=(((d2|a2)&d3)|(d2&a2))+0x5a827999;
        d4=d4+a1+a3;
        d4=(d4<<5)|(d4>>0x1b);
        a1=*(DWORD *)(LM+0x3c);
        a3=(((d4|a2)&d2)|(d4&a2))+a1+0x5a827999;
        d3=d3+a3;
        d3=(d3<<9)|(d3>>0x17);
        a1=*(DWORD *)(LM+0x4c);
        a3=(((d4|d3)&a2)|(d4&d3))+a1+0x5a827999;
        d2=d2+a3;
        d2=(d2<<0xd)|(d2>>0x13);
        a1=*(DWORD *)(LM+0x20);
        a3=(((d3|d2)&d4)|(d3&d2))+a1+0x5a827999;
        a2=a2+a3;
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x30);
        a3=(((d2|a2)&d3)|(d2&a2))+0x5a827999;
        d4=d4+a1+a3;
        d4=(d4<<5)|(d4>>0x1b);
        a1=*(DWORD *)(LM+0x40);
        a3=(((d4|a2)&d2)|(d4&a2))+0x5a827999;
        d3=d3+a1+a3;
        d3=(d3<<9)|(d3>>0x17);
        a1=*(DWORD *)(LM+0x50);
        a3=(((d4|d3)&a2)|(d4&d3))+a1+0x5a827999;
        d2=d2+a3;
        d2=(d2<<0xd)|(d2>>0x13);
        a1=*(DWORD *)(LM+0x24);
        a3=(((d3|d2)&d4)|(d3&d2))+a1+0x5a827999;
        a2=a2+a3;
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x34);
        a3=(((d2|a2)&d3)|(d2&a2))+0x5a827999;
        d4=d4+a1+a3;
        d4=(d4<<5)|(d4>>0x1b);
        a1=*(DWORD *)(LM+0x44);
        a3=(((d4|a2)&d2)|(d4&a2))+a1+0x5a827999;
        d3=d3+a3;
        d3=(d3<<9)|(d3>>0x17);    
        a1=*(DWORD *)(LM+0x54);
        a3=(((d4|d3)&a2)|(d4&d3))+a1+0x5a827999;
        d2=d2+a3;
        d2=(d2<<0xd)|(d2>>0x13);    
        //第3轮
        a1=*(DWORD *)(LM+0x18);
        a3=((d4^d3)^d2)+a1;
        a2=a2+0x6ed9eba1+a3;
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x38);
        a3=((d3^d2)^a2)+a1;
        d4=d4+0x6ed9eba1+a3;
        d4=(d4<<9)|(d4>>0x17);
        a1=*(DWORD *)(LM+0x28);
        a3=((d4^d2)^a2)+a1;
        d3=d3+0x6ed9eba1+a3;
        d3=(d3<<0xb)|(d3>>0x15);
        a1=*(DWORD *)(LM+0x48);
        a3=d4^d3;
        d2=d2+a1+0x6ed9eba1+(a2^a3);
        d2=(d2<<0xf)|(d2>>0x11);
        a1=*(DWORD *)(LM+0x20);
        a2=a2+((d2^a3)+a1+0x6ed9eba1);
        a3=d3^d2;
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x40);
        a3=(a3^a2)+a1;
        d4=d4+0x6ed9eba1+a3;
        d4=(d4<<9)|(d4>>0x17);
        a1=*(DWORD *)(LM+0x30);
        a3=((d4^d2)^a2)+a1;
        d3=d3+0x6ed9eba1+a3;
        d3=(d3<<0xb)|(d3>>0x15);
        a1=*(DWORD *)(LM+0x50);
        a3=d4^d3;
        d2=d2+a1+0x6ed9eba1+(a2^a3);
        d2=(d2<<0xf)|(d2>>0x11);
        a1=*(DWORD *)(LM+0x1c);
        a2=a2+0x6ed9eba1+((d2^a3)+a1);
        a3=d3^d2;
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x3c);
        a3=(a3^a2)+a1;
        d4=d4+0x6ed9eba1+a3;
        d4=(d4<<9)|(d4>>0x17);
        a1=*(DWORD *)(LM+0x2c);
        a3=((d4^d2)^a2)+a1;
        d3=d3+0x6ed9eba1+a3;
        d3=(d3<<0xb)|(d3>>0x15);
        a1=*(DWORD *)(LM+0x4c);
        a3=d4^d3;
        d2=d2+a1+0x6ed9eba1+(a2^a3);
        d2=(d2<<0xf)|(d2>>0x11);
        a1=*(DWORD *)(LM+0x24);
        a2=a2+0x6ed9eba1+((d2^a3)+a1);
        a3=d3^d2;
        a2=(a2<<3)|(a2>>0x1d);
        a1=*(DWORD *)(LM+0x44);
        a3=(a3^a2)+a1;
        d4=d4+0x6ed9eba1+a3;
        d4=(d4<<9)|(d4>>0x17);
        a1=*(DWORD *)(LM+0x34);
        a3=((d4^d2)^a2)+a1;
        d3=d3+0x6ed9eba1+a3;
        d3=(d3<<0xb)|(d3>>0x15);
        a1=*(DWORD *)(LM+0x54);
        a3=((d4^a2)^d3)+a1;
        d2=d2+0x6ed9eba1+a3;
        d2=(d2<<0xf)|(d2>>0x11);
        *(DWORD *)(LM)=a2+*(DWORD *)(LM);
        *(DWORD *)(LM+4)=d2+*(DWORD *)(LM+4);
        *(DWORD *)(LM+8)=d3+*(DWORD *)(LM+8);
        *(DWORD *)(LM+0xc)=d4+*(DWORD *)(LM+0xc);
    }

    void initLMP(char * pass,unsigned char * LM)
    {
        char LmPass[0x20];
        DWORD d1,d2;
        unsigned char a1,a2;
        char a3[]={1,3,7,0xf,0x1f,0x3f,0x7f};
        int i;

        for(i=0;i<8;i++)
        {
            if(i==0)
            {
                a1=pass[0];
                LmPass[0]=a1>>1;
            }
            else if(i==7)
            {
                a1=pass[i-1];
                a1=a1&a3[i-1];            
                LmPass[i]=a1;
            }
            else
            {
                a1=pass[i-1];
                a2=pass[i];
                a1=a1&a3[i-1];
                a1=a1<<(7-i);
                a2=a2>>(i+1);
                LmPass[i]=a1|a2;
            }
        }
        d1=*(DWORD *)LmPass;
        d2=*(DWORD *)(LmPass+4);
        d1=(d1&0xff7f7f7f)<<1;
        d2=(d2&0xff7f7f7f)<<1;
        *(DWORD *)LmPass=d1;
        *(DWORD *)(LmPass+4)=d2;
        //
        for(i=0;i<8;i++)
        {
            a1=LmPass[i];
            a2=a1;
            a1=a1&0xf;
            a2=a2>>4;
            a2=DESParity[a2];
            a1=DESParity[a1];
            a2=a1+a2;
            a2=a2^a1;
            a2=a2-a1;
            a2=a2&1;
            a2=a2^a1;
            a2=a2-a1;
            if(a2==0)
                LmPass[i]=LmPass[i]^1;
        }
        memcpy(LM,LmPass,8);
        //deskey(LmPass,desecb);
        //des(LM,magic1,desecb,1);
    }

    void deskey(char * LmPass,unsigned char * desecb)
    {
        int i;
        unsigned char a1;
        DWORD d1,d2,d3,d4,d5,d6;


        d1=*(DWORD *)LmPass;
        d2=*(DWORD *)(LmPass+4);
        d2=d2>>4;
        d1=d1&0xf0f0f0f;
        d2=d2&0xf0f0f0f;
        d2=d2^d1;
        d1=(*(DWORD *)LmPass)^d2;
        d2=d2<<4;
        d2=(*(DWORD *)(LmPass+4))^d2;
        d3=d1&0xfffff333;
        d3=d3<<0x12;
        d4=d1&0xcccc0000;
        d4=d4^d3;
        d3=d4;
        d3=d3>>0x12;
        d3=d3^d4;
        d1=d1^d3;
        d3=d2&0xfffff333;
        d3=d3<<0x12;
        d4=d2&0xcccc0000;
        d4=d4^d3;
        d3=d4>>0x12;
        d3=d3^d4;
        d2=d2^d3;
        d3=d1;
        d4=d2>>1;
        d3=d3&0x55555555;
        d4=d4&0x55555555;
        d4=d4^d3;
        d1=d1^d4;
        d4=d4+d4;
        d2=d2^d4;
        d4=d1>>8;
        d3=d2&0xff00ff;
        d4=d4&0xff00ff;
        d4=d4^d3;
        d2=d2^d4;
        d4=d4<<8;
        d1=d1^d4;
        d4=d2>>1;
        d3=d1;
        d3=d3&0x55555555;
        d4=d4&0x55555555;
        d4=d4^d3;
        d1=d1^d4;
        d4=d4+d4;
        d2=d2^d4;
        d3=d1&0xf000000f;
        d4=(d2>>0xc)&0xff0;
        d1=d1&0x0fffffff;
        d3=(d3|d4)>>4;
        d4=d2&0xff00;
        d2=(d2&0xff)<<0x10;
        d3=d3|d4;
        d3=d3|d2;
        for(i=0;i<16;i++)
        {
            d2=d1;
            a1=DESDShift[i];
            if(a1==0)
            {
                d2=d2>>1;
                d1=d1<<0x1b;
                d4=d3>>1;
                d3=d3<<0x1b;
                d1=d1|d2;            
            }
            else
            {
                d2=d2>>2;
                d1=d1<<0x1a;
                d4=d3>>2;
                d3=d3<<0x1a;
                d1=d1|d2;
            }
            d1=d1&0x0fffffff;
            d3=d3|d4;
            d2=d1>>1;
            d4=d1&0xc00000;
            d4=d4|(d2&0x07000000);
            d4=(d4>>1)|(d1&0x00100000);
            //d6=d2&0x00060000;
            d5=(d1&0x0001e000)|(d2&0x00060000);
            d2=d2&0x00000f00;
            d3=d3&0x0fffffff;
            d5=d5>>0xd;
            d4=d4>>0x14;
            d6=DESKEY3[d5];
            d5=d1&0xc0;
            d4=DESKEY4[d4];
            d5=(d5|d2)>>6;
            d4=d4|d6;
            d2=d1&0x3f;
            d6=DESKEY2[d5];
            d5=d3&0x180;
            d4=d4|d6;
            d6=DESKEY1[d2];
            d2=d3>>1;
            d4=d4|d6;
            d6=d2&0x1e00;
            d2=d2&0x6000000;
            d5=(d5^d6)>>7;
            d6=(d3&0x1e00000)|d2;
            d6=d6>>0x15;
            d2=DESKEY6[d5];
            d5=DESKEY8[d6];
            d2=d2^d5;
            d5=d3&0x3f;
            d6=DESKEY5[d5];
            d5=(d3>>0xf)&0x3f;
            d2=d2|d6;
            d6=DESKEY7[d5];
            d5=d4&0xffff;
            d2=d2|d6;
            d6=d2<<0x10;
            d2=d2&0xffff0000;
            d5=d5|d6;
            d5=(d5<<2)|(d5>>0x1e);
            d4=d4>>0x10;
            d2=d2|d4;
            d2=(d2<<6)|(d2>>0x1a);
            *(DWORD *)(desecb+8*i)=d5;
            *(DWORD *)(desecb+8*i+4)=d2;
        }
    }

    void des(unsigned char * LM,char * magic,unsigned char * ecb,long no)
    {
        DWORD d1,d2,d3,d4;
        DWORD a1,a2,a3;
        int i;
        d1= *(DWORD *)magic;
        d2= *(DWORD *)(magic+4);
        d1 = (d1<<4)|(d1>>0x1c);
        d3 = d1;
        d1 = (d1^d2)&0xf0f0f0f0;
        d3 = d3^d1;
        d2 = d2^d1;
        d2 =(d2<<0x14)|(d2>>0xc);
        d1 = d2;
        d2 = (d2^d3)&0xfff0000f;
        d1 = d1 ^ d2;
        d3 = d3^d2;
        d1 = (d1<<0xe)|(d1>>0x12);
        d2 = d1;
        d1 = (d1 ^ d3) & 0x33333333;
        d2 = d2 ^ d1;
        d3 = d3^d1;
        d3 = (d3<<0x16)|(d3>>0xa);
        d1 = d3;
        d3 = (d3 ^ d2)&0x3fc03fc;
        d1 = d1^d3;
        d2 = d2^d3;
        d1 = (d1<<9)|(d1>>0x17);
        d3 = d1;
        d1 = (d1^d2)&0xaaaaaaaa;
        d3 = d3^d1;
        d2 = d2^d1;
        d2 = (d2<<1)|(d2>>0x1f);
        if(no!=0)
        {
            for(i=0;i<8;i++)
            {
                a1=0;
                d1=*(DWORD *)(ecb+16*i);
                d4=*(DWORD *)(ecb+16*i+4);
                d1=(d1^d3)&0xfcfcfcfc;
                d4=(d4^d3)&0xcfcfcfcf;
                a1=d1&0xff;
                a2=(d1>>8)&0xff;
                d4=(d4>>4)|(d4<<0x1c);
                a3=DESSpBox1[a1/4];
                a1=d4&0xff;
                d2=d2^a3;
                a3=DESSpBox3[a2/4];
                d2=d2^a3;
                a2=(d4>>8)&0xff;
                d1=d1>>0x10;
                a3=DESSpBox2[a1/4];
                d2=d2^a3;
                a1=(d1>>8)&0xff;
                d4=d4>>0x10;
                a3=DESSpBox4[a2/4];
                d2=d2^a3;
                a2=(d4>>8)&0xff;
                d1=d1&0xff;
                d4=d4&0xff;
                a1=DESSpBox7[a1/4];
                d2=d2^a1;
                a1=DESSpBox8[a2/4];
                d2=d2^a1;
                a1=DESSpBox5[d1/4];
                d2=d2^a1;
                a1=DESSpBox6[d4/4];
                d2=d2^a1;

                a1=0;
                d1=*(DWORD *)(ecb+16*i+8);
                d4=*(DWORD *)(ecb+16*i+0xc);
                d1=(d1^d2)&0xfcfcfcfc;
                d4=(d4^d2)&0xcfcfcfcf;
                a1=d1&0xff;
                a2=(d1>>8)&0xff;
                d4=(d4>>4)|(d4<<0x1c);
                a3=DESSpBox1[a1/4];
                a1=d4&0xff;
                d3=d3^a3;
                a3=DESSpBox3[a2/4];
                d3=d3^a3;
                a2=(d4>>8)&0xff;
                d1=d1>>0x10;
                a3=DESSpBox2[a1/4];
                d3=d3^a3;
                a1=(d1>>8)&0xff;
                d4=d4>>0x10;
                a3=DESSpBox4[a2/4];
                d3=d3^a3;
                a2=(d4>>8)&0xff;
                d1=d1&0xff;
                d4=d4&0xff;
                a1=DESSpBox7[a1/4];
                d3=d3^a1;
                a1=DESSpBox8[a2/4];
                d3=d3^a1;
                a1=DESSpBox5[d1/4];
                d3=d3^a1;
                a1=DESSpBox6[d4/4];
                d3=d3^a1;
            }
            d3=(d3>>1)|(d3<<0x1f);
            d1=d2;
            d2=(d2^d3)&0XAAAAAAAA;
            d1=d1^d2;
            d3=d3^d2;
            d1=(d1<<0x17)|(d1>>9);
            d2=d1;
            d1=(d1^d3)&0x3fc03fc;
            d2=(d2^d1);
            d3=d3^d1;
            d2=(d2<<0xa)|(d2>>0x16);
            d1=d2;
            d2=(d2^d3)&0x33333333;
            d1=d1^d2;
            d3=d3^d2;
            d3=(d3<<0x12)|(d3>>0xe);
            d2=d3;
            d3=(d3^d1)&0xfff0000f;
            d2=d2^d3;
            d1=d1^d3;
            d2=(d2<<0xc)|(d2>>0x14);
            d3=d2;
            d2=(d2^d1)&0xf0f0f0f0;
            d3=d3^d2;
            d1=d1^d2;
            d1=(d1>>4)|(d1<<0x1c);
            *(DWORD *)LM=d1;
            *(DWORD *)(LM+4)=d3;
        }
        else
        {
        }
    }

    void md5init(unsigned char * LM)
    {
        memset(LM,0,0x58);
        *(DWORD *)(LM+8)=0x67452301;
        *(DWORD *)(LM+0xc)=0xefcdab89;
        *(DWORD *)(LM+0x10)=0x98badcfe;
        *(DWORD *)(LM+0x14)=0x10325476;
        *(DWORD *)(LM+0x0)=0;
        *(DWORD *)(LM+0x0)=0;
    }

    void md5final(unsigned char * LM)
    {
        DWORD a1,d1,d2,s1;
        DWORD b1,b2;
        d1=*(DWORD *)(LM+0XC);
        s1=*(DWORD *)(LM+0X10);
        d2=*(DWORD *)(LM+0X14);
        b2=*(DWORD *)(LM+0X18);
        b1=(((d2^s1)&d1)^d2)+b2;
        b2=*(DWORD *)(LM+0X8);
        b1=b1+b2+0xd76aa478;
        b1=((b1<<0x7)|(b1>>0x19))+d1;
        //第一轮
        b2=*(DWORD *)(LM+0X1c);    
        a1=(((s1^d1)&b1)^s1)+0xe8c7b756;
        d2=d2+b2+a1;
        d2=((d2<<0xc)|(d2>>0x14))+b1;
        b2=*(DWORD *)(LM+0X20);    
        a1=(((d1^b1)&d2)^d1)+0x242070db;
        s1=s1+b2+a1;
        s1=((s1<<0x11)|(s1>>0xf))+d2;
        b2=*(DWORD *)(LM+0X24);    
        a1=(((d2^b1)&s1)^b1)+0xc1bdceee;
        d1=d1+b2+a1;
        d1=((d1<<0x16)|(d1>>0xa))+s1;
        b2=*(DWORD *)(LM+0X28);    
        a1=(((d2^s1)&d1)^d2)+0xf57c0faf;
        b1=b1+b2+a1;
        b1=((b1<<0x7)|(b1>>0x19))+d1;
        b2=*(DWORD *)(LM+0X2c);    
        a1=(((s1^d1)&b1)^s1)+0x4787C62A;
        d2=d2+b2+a1;
        d2=((d2<<0xc)|(d2>>0x14))+b1;    
        b2=*(DWORD *)(LM+0X30);    
        a1=(((d1^b1)&d2)^d1)+0xA8304613;
        s1=s1+b2+a1;
        s1=((s1<<0x11)|(s1>>0xf))+d2;    
        b2=*(DWORD *)(LM+0X34);    
        a1=(((d2^b1)&s1)^b1)+0xFD469501;
        d1=d1+b2+a1;
        d1=((d1<<0x16)|(d1>>0xa))+s1;    
        b2=*(DWORD *)(LM+0X38);    
        a1=(((d2^s1)&d1)^d2)+0x698098D8;
        b1=b1+b2+a1;
        b1=((b1<<0x7)|(b1>>0x19))+d1;
        b2=*(DWORD *)(LM+0X3c);    
        a1=(((s1^d1)&b1)^s1)+0x8B44F7AF;
        d2=d2+b2+a1;
        d2=((d2<<0xc)|(d2>>0x14))+b1;
        b2=*(DWORD *)(LM+0X40);    
        a1=(((d1^b1)&d2)^d1)+0xFFFF5BB1;
        s1=s1+b2+a1;
        s1=((s1<<0x11)|(s1>>0xf))+d2;
        b2=*(DWORD *)(LM+0X44);    
        a1=(((d2^b1)&s1)^b1)+0x895CD7BE;
        d1=d1+b2+a1;
        d1=((d1<<0x16)|(d1>>0xa))+s1;
        b2=*(DWORD *)(LM+0X48);    
        a1=(((d2^s1)&d1)^d2)+0x6B901122;
        b1=b1+b2+a1;
        b1=((b1<<0x7)|(b1>>0x19))+d1;
        b2=*(DWORD *)(LM+0X4c);    
        a1=(((s1^d1)&b1)^s1)+0xFD987193;
        d2=d2+b2+a1;
        d2=((d2<<0xc)|(d2>>0x14))+b1;
        b2=*(DWORD *)(LM+0X50);    
        a1=(((d1^b1)&d2)^d1)+0xA679438E;
        s1=s1+b2+a1;
        s1=((s1<<0x11)|(s1>>0xf))+d2;
        b2=*(DWORD *)(LM+0X54);    
        a1=(((d2^b1)&s1)^b1)+0x49B40821;
        d1=d1+b2+a1;
        d1=((d1<<0x16)|(d1>>0xa))+s1;
        //第二轮
        b2=*(DWORD *)(LM+0X1c);    
        a1=(((s1^d1)&d2)^s1)+0xF61E2562;
        b1=b1+b2+a1;
        b1=((b1<<0x5)|(b1>>0x1b))+d1;
        b2=*(DWORD *)(LM+0X30);    
        a1=(((d1^b1)&s1)^d1)+0xC040B340;
        d2=d2+b2+a1;
        d2=((d2<<0x9)|(d2>>0x17))+b1;
        b2=*(DWORD *)(LM+0X44);    
        a1=(((d2^b1)&d1)^b1)+0x265E5A51;
        s1=s1+b2+a1;
        s1=((s1<<0xe)|(s1>>0x12))+d2;
        b2=*(DWORD *)(LM+0X18);    
        a1=(((d2^s1)&b1)^d2)+0xE9B6C7AA;
        d1=d1+b2+a1;
        d1=((d1<<0x14)|(d1>>0xc))+s1;
        b2=*(DWORD *)(LM+0X2c);    
        a1=(((s1^d1)&d2)^s1)+0xD62F105D;
        b1=b1+b2+a1;
        b1=((b1<<0x5)|(b1>>0x1b))+d1;
        b2=*(DWORD *)(LM+0X40);    
        a1=(((d1^b1)&s1)^d1)+0x2441453;
        d2=d2+b2+a1;
        d2=((d2<<0x9)|(d2>>0x17))+b1;
        b2=*(DWORD *)(LM+0X54);    
        a1=(((d2^b1)&d1)^b1)+0xD8A1E681;
        s1=s1+b2+a1;
        s1=((s1<<0xe)|(s1>>0x12))+d2;
        b2=*(DWORD *)(LM+0X28);    
        a1=(((d2^s1)&b1)^d2)+0xE7D3FBC8;
        d1=d1+b2+a1;
        d1=((d1<<0x14)|(d1>>0xc))+s1;
        b2=*(DWORD *)(LM+0X3c);    
        a1=(((s1^d1)&d2)^s1)+0x21E1CDE6;
        b1=b1+b2+a1;
        b1=((b1<<0x5)|(b1>>0x1b))+d1;
        b2=*(DWORD *)(LM+0X50);    
        a1=(((d1^b1)&s1)^d1)+0xC33707D6;
        d2=d2+b2+a1;
        d2=((d2<<0x9)|(d2>>0x17))+b1;
        b2=*(DWORD *)(LM+0X24);    
        a1=(((d2^b1)&d1)^b1)+0xF4D50D87;
        s1=s1+b2+a1;
        s1=((s1<<0xe)|(s1>>0x12))+d2;
        b2=*(DWORD *)(LM+0X38);    
        a1=(((d2^s1)&b1)^d2)+0x455A14ED;
        d1=d1+b2+a1;
        d1=((d1<<0x14)|(d1>>0xc))+s1;
        b2=*(DWORD *)(LM+0X4c);    
        a1=(((s1^d1)&d2)^s1)+0xA9E3E905;
        b1=b1+b2+a1;
        b1=((b1<<0x5)|(b1>>0x1b))+d1;
        b2=*(DWORD *)(LM+0X20);    
        a1=(((d1^b1)&s1)^d1)+0xFCEFA3F8;
        d2=d2+b2+a1;
        d2=((d2<<0x9)|(d2>>0x17))+b1;
        b2=*(DWORD *)(LM+0X34);    
        a1=(((d2^b1)&d1)^b1)+0x676F02D9;
        s1=s1+b2+a1;
        s1=((s1<<0xe)|(s1>>0x12))+d2;
        b2=*(DWORD *)(LM+0X48);    
        a1=(((d2^s1)&b1)^d2)+0x8D2A4C8A;
        d1=d1+b2+a1;
        d1=((d1<<0x14)|(d1>>0xc))+s1;
        //第三轮
        b2=*(DWORD *)(LM+0X2c);    
        a1=((d2^s1)^d1)+0xFFFA3942;
        b1=b1+b2+a1;
        b1=((b1<<0x4)|(b1>>0x1c))+d1;
        b2=*(DWORD *)(LM+0X38);    
        a1=((s1^d1)^b1)+0x8771F681;
        d2=d2+b2+a1;
        d2=((d2<<0xb)|(d2>>0x15))+b1;
        b2=*(DWORD *)(LM+0X44);    
        a1=(d2^d1)^b1;
        s1=s1+b2+0x6D9D6122+a1;
        s1=((s1<<0x10)|(s1>>0x10))+d2;
        b2=*(DWORD *)(LM+0X50);    
        a1=d2^s1;
        d1=d1+b2+0xFDE5380C+(b1^a1);
        d1=((d1<<0x17)|(d1>>0x9))+s1;
        b2=*(DWORD *)(LM+0X1c);    
        b1=b1+b2+0xA4BEEA44+(d1^a1);
        b1=((b1<<0x4)|(b1>>0x1c))+d1;
        b2=*(DWORD *)(LM+0X28);    
        a1=((s1^d1)^b1)+0x4BDECFA9;
        d2=d2+b2+a1;
        d2=((d2<<0xb)|(d2>>0x15))+b1;
        b2=*(DWORD *)(LM+0X34);    
        a1=(d2^d1)^b1;
        s1=s1+b2+0xF6BB4B60+a1;
        s1=((s1<<0x10)|(s1>>0x10))+d2;
        b2=*(DWORD *)(LM+0X40);    
        a1=(d2^s1);
        d1=d1+b2+0xBEBFBC70+(b1^a1);
        d1=((d1<<0x17)|(d1>>0x9))+s1;
        b2=*(DWORD *)(LM+0X4c);    
        b1=b1+b2+0x289B7EC6+(d1^a1);
        b1=((b1<<0x4)|(b1>>0x1c))+d1;
        b2=*(DWORD *)(LM+0X18);    
        a1=((s1^d1)^b1)+0xEAA127FA;
        d2=d2+b2+a1;
        d2=((d2<<0xb)|(d2>>0x15))+b1;
        b2=*(DWORD *)(LM+0X24);    
        a1=(d2^d1)^b1;
        s1=s1+b2+0xD4EF3085+a1;
        s1=((s1<<0x10)|(s1>>0x10))+d2;
        b2=*(DWORD *)(LM+0X30);    
        a1=d2^s1;
        d1=d1+b2+0x4881D05+(b1^a1);
        d1=((d1<<0x17)|(d1>>0x9))+s1;
        b2=d1^a1;
        a1=*(DWORD *)(LM+0X3c)+0xD9D4D039;    
        b1=b1+b2+a1;
        b1=((b1<<0x4)|(b1>>0x1c))+d1;
        b2=*(DWORD *)(LM+0X48);
        a1=((s1^d1)^b1)+0xE6DB99E5;
        d2=d2+b2+a1;
        d2=((d2<<0xb)|(d2>>0x15))+b1;
        b2=*(DWORD *)(LM+0X54);
        a1=((d2^d1)^b1);
        s1=s1+b2+0x1FA27CF8+a1;
        s1=((s1<<0x10)|(s1>>0x10))+d2;
        b2=*(DWORD *)(LM+0X20);
        a1=((d2^s1)^b1);
        d1=d1+b2+0xC4AC5665+a1;
        d1=((d1<<0x17)|(d1>>0x9))+s1;
        //第4轮
        b2=*(DWORD *)(LM+0X18);
        a1=(((d2^0xFFFFFFFF)|d1)^s1)+0xF4292244;
        b1=b1+b2+a1;
        b1=((b1<<0x6)|(b1>>0x1a))+d1;
        b2=*(DWORD *)(LM+0X34);
        a1=(((s1^0xFFFFFFFF)|b1)^d1)+0x432AFF97;
        d2=d2+b2+a1;
        d2=((d2<<0xa)|(d2>>0x16))+b1;
        b2=*(DWORD *)(LM+0X50);
        a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xAB9423A7;
        s1=s1+b2+a1;
        s1=((s1<<0xf)|(s1>>0x11))+d2;
        b2=*(DWORD *)(LM+0X2c);
        a1=(((b1^0xFFFFFFFF)|s1)^d2);
        d1=d1+b2+0xFC93A039+a1;
        d1=((d1<<0x15)|(d1>>0xb))+s1;
        b2=*(DWORD *)(LM+0X48);
        a1=(((d2^0xFFFFFFFF)|d1)^s1)+0x655B59C3;
        b1=b1+b2+a1;
        b1=((b1<<0x6)|(b1>>0x1a))+d1;
        b2=*(DWORD *)(LM+0X24);
        a1=(((s1^0xFFFFFFFF)|b1)^d1)+0x8F0CCC92;
        d2=d2+b2+a1;
        d2=((d2<<0xa)|(d2>>0x16))+b1;
        b2=*(DWORD *)(LM+0X40);
        a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xFFEFF47D;
        s1=s1+b2+a1;
        s1=((s1<<0xf)|(s1>>0x11))+d2;
        b2=*(DWORD *)(LM+0X1c);
        a1=(((b1^0xFFFFFFFF)|s1)^d2)+0x85845DD1;
        d1=d1+b2+a1;
        d1=((d1<<0x15)|(d1>>0xb))+s1;
        b2=*(DWORD *)(LM+0X38);
        a1=(((d2^0xFFFFFFFF)|d1)^s1)+0x6FA87E4F;
        b1=b1+b2+a1;
        b1=((b1<<0x6)|(b1>>0x1a))+d1;
        b2=*(DWORD *)(LM+0X54);
        a1=(((s1^0xFFFFFFFF)|b1)^d1)+0xFE2CE6E0;
        d2=d2+b2+a1;
        d2=((d2<<0xa)|(d2>>0x16))+b1;
        b2=*(DWORD *)(LM+0X30);
        a1=(((d1^0xFFFFFFFF)|d2)^b1)+0xA3014314;
        s1=s1+b2+a1;
        s1=((s1<<0xf)|(s1>>0x11))+d2;
        b2=*(DWORD *)(LM+0X4c);
        a1=(((b1^0xFFFFFFFF)|s1)^d2)+0x4E0811A1;
        d1=d1+b2+a1;
        d1=((d1<<0x15)|(d1>>0xb))+s1;
        b2=*(DWORD *)(LM+0X28);
        a1=(((d2^0xFFFFFFFF)|d1)^s1)+0xF7537E82;
        b1=b1+b2+a1;
        b1=((b1<<0x6)|(b1>>0x1a))+d1;
        b2=*(DWORD *)(LM+0X44);
        a1=(((s1^0xFFFFFFFF)|b1)^d1)+0xBD3AF235;
        d2=d2+b2+a1;
        d2=((d2<<0xa)|(d2>>0x16))+b1;
        b2=*(DWORD *)(LM+0X20);
        a1=(((d1^0xFFFFFFFF)|d2)^b1)+0x2AD7D2BB;
        s1=s1+b2+a1;
        s1=((s1<<0xf)|(s1>>0x11))+d2;
        b2=*(DWORD *)(LM+0X3c);
        a1=(((b1^0xFFFFFFFF)|s1)^d2)+0xEB86D391;
        d1=d1+b2+a1;
        d1=((d1<<0x15)|(d1>>0xb))+s1;

        b2=*(DWORD *)(LM+0X8);
        b1=b1+b2;
        b2=*(DWORD *)(LM+0Xc);
        d1=d1+b2;
        b2=*(DWORD *)(LM+0X10);
        s1=s1+b2;
        b2=*(DWORD *)(LM+0X14);
        d2=d2+b2;
        *(DWORD *)(LM+0X8)=b1;
        *(DWORD *)(LM+0Xc)=d1;
        *(DWORD *)(LM+0X10)=s1;
        *(DWORD *)(LM+0X14)=d2;
    }
  • 相关阅读:
    2017.04.05-2017.07.14封闭开发总结
    Android读取Manifest文件下Application等节点下的metadata自定义数据
    MyEclipse Hibernate Reverse Engineering 找不到项目错误
    web服务器决定支持多少人同时在线的因素
    配置servers时,错误:Setting property 'source' to 'org.eclipse.jst.jee.server:hczm' did not find a matching property
    查看端口被占用
    高德开发 android 出现 key 鉴权失败
    Android EventBus
    javascript 中的数据驱动页面模式
    读书笔记之
  • 原文地址:https://www.cnblogs.com/huqingyu/p/1071634.html
Copyright © 2020-2023  润新知