1: kd> g
Breakpoint 0 hit
netlogon!NetpServerPasswordSet+0x2b9:
00007ffb`0e001159 e8526e0000      call    netlogon!NlDecrypt (00007ffb`0e007fb0)
1: kd> db rcx l204
DBGHELP: SharedUserData
-
virtual symbol module
00000083
`da84e430
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e440
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e450
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e460
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e470
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e480
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e490
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e4a0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e4b0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e4c0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e4d0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e4e0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e4f0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e500
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e510
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e520
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e530
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e540
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e550
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e560
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e570
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e580
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e590
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e5a0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e5b0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e5c0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e5d0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e5e0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e5f0
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e600
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e610
00
00
00
00
00
00
00
00
-
00
00
00
00
00
00
00
00
................
00000083
`da84e620
74
00
65
00
73
00
74
00
-
74
00
65
00
73
00
74
00
t.e.s.t.t.e.s.t.
// In theory this 0x204-byte buffer (rcx) is the encrypted Unicode password blob handed to NlDecrypt.
// Note, however, that the dump is readable: the last 16 bytes before the length field are the
// cleartext UTF-16 string "testtest", so the data reaching NlDecrypt here does not appear to have
// been encrypted at all.
00000083
`da84e630
10
00
00
00
....
// Unicode password length before "encryption": 0x10 bytes = 8 UTF-16 characters ("testtest").
1: kd> p
netlogon!NetpServerPasswordSet+0x2be:
00007ffb`0e00115e 448b8d90010000  mov     r9d,dword ptr [rbp+190h]   ; r9d = decrypted length field
1: kd> db 00000083`da84e620
// Data after NlDecrypt. Because the input was not real ciphertext, "decrypting" it scrambles both the
// password bytes and the length field: the dword at da84e630 now reads a2 8c 6e c0 (little-endian),
// i.e. the length has become 0xc06e8ca2.
00000083
`da84e620
74
7d
5d
be
3e
03
af cc
-
2e
cb b8
52
1c
4b
af f5 t}].>......R.K..
00000083
`da84e630 a2
8c
6e
c0
83
00
00
00
-
00
4e
f7
0d
fb
7f
00
00
..n......N......
00000083
`da84e640
00
ec
84
da
83
00
00
00
-
18
8d
30
db
83
00
00
00
..........
0.
....
00000083
`da84e650
87
a7
43
c4
73
a1
23
4f
-
77
12
88
bf c4 d4
04
90
..C.s.
00000083
`da84e660 ff ff
2f
21
00
00
00
00
-
0c
40
f7
23
04
19
bb
84
..
/
!.....@.
00000083
`da84e670
68
75
b4
7f
66
9f
7d
87
-
e6
89
31
81
7d
b4
00
00
hu..f.}...
1.
}...
00000083
`da84e680 d0 eb
84
da
83
00
00
00
-
52
fd f7
0d
fb
7f
00
00
........R.......
00000083
`da84e690 d0 eb
84
da
83
00
00
00
-
68
fd f7
0d
fb
7f
00
00
........h.......
1: kd> ed 83`da84e630 10
// Further down the function compares the length with 200h (cmp r9d,200h), so the garbage value
// 0xc06e8ca2 would presumably fail that bounds check and the password set would be rejected.
// To keep following the code path, the length dword is patched back to 0x10 by hand with `ed`.
// This is a debugger-side memory patch for analysis only; it is not something a remote caller controls.