diff --unified --recursive --new-file --exclude=changeIP --exclude=sl --exclude=start --exclude=live chntpw-source-040818/chntpw.c chntpwdmod/chntpw.c --- chntpw-source-040818/chntpw.c 2004-08-19 04:42:01.000000000 +0800 +++ chntpwdmod/chntpw.c 2006-03-10 08:00:43.000000000 +0800 @@ -85,6 +85,10 @@ int dirty = 0; int max_sam_lock = 0; + +FILE *scriptfile = NULL; +FILE *exportfile = NULL; + /* * of user with RID 500, because silly MS decided * to localize the bloody admin-username!! AAAGHH! @@ -511,7 +515,7 @@ printf("** LANMAN password IS however set. Will now install new password as NT pass instead.\n"); printf("** NOTE: Continue at own risk!\n"); ntpw_offs = lmpw_offs; - (unsigned int)*(vp+0xa8) = ntpw_offs - 0xcc; + *(vp+0xa8) = (unsigned int)(ntpw_offs - 0xcc); ntpw_len = 16; lmpw_len = 0; } @@ -621,14 +625,14 @@ ntpw_len = 16; lmpw_len = 16; ntpw_offs -= 4; - (unsigned int)*(vp+0xa8) = ntpw_offs - 0xcc; + *(vp+0xa8) = (unsigned int)(ntpw_offs - 0xcc); *(vp + 0xa0) = 16; *(vp + 0xac) = 16; } for (i = 0; i < 16; i++) { - (unsigned char)*(vp+ntpw_offs+i) = despw[i]; - if (lmpw_len >= 16) (unsigned char)*(vp+lmpw_offs+i) = newlandes[i]; + *(vp+ntpw_offs+i) = (unsigned char)(despw[i]); + if (lmpw_len >= 16) *(vp+lmpw_offs+i) = (unsigned char)(newlandes[i]); } } else { printf("Unable to set since it is blank.\n"); @@ -700,9 +704,11 @@ if (type == REG_SZ) break; } puts(string); + if (exportfile) addexportfile(string); break; case REG_DWORD: printf("0x%08x",*(unsigned short *)data); + if (exportfile) addexportfile(data); break; default: printf("Don't know how to handle type yet!\n"); 
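Review bot: In the hunk at -511 the rewritten store `*(vp+0xa8) = (unsigned int)(ntpw_offs - 0xcc);` writes through the element type of `vp`, so if `vp` is a `char *` (its declaration is outside the hunk) only the low byte of the offset reaches the record at 0xa8. GCC's old cast-as-lvalue form that it replaces converted to the inner type as well, so nothing regresses here, but if the intent is to update a 4-byte offset field the store needs an explicit width, e.g. `unsigned int v = ntpw_offs - 0xcc; memcpy(vp + 0xa8, &v, sizeof v);` (host byte order; whether the record expects little-endian should be checked). The identical store in the hunk at -621 has the same question, while the per-byte loop there is fine. The enclosing function begins and ends outside these hunks.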
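Review bot: In the hunk at -700 `addexportfile(data)` in the REG_DWORD case hands the raw value bytes to a `%s` conversion, so the export file receives whatever bytes precede the first zero byte of the DWORD, and for a value with no zero byte among its four bytes the read runs past the value data. Format the number into a local buffer first, e.g. `char tmp[16]; snprintf(tmp, sizeof tmp, "0x%08x", *(unsigned int *)data); addexportfile(tmp);` (the neighbouring printf reads the same field as `unsigned short`, so which width is meant should be settled at the same time). The `if (exportfile)` guards on both new calls are redundant, since addexportfile already tests the handle. The enclosing switch and function continue outside the hunk.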
@@ -778,19 +784,64 @@ void edit_val(struct hive *h, int nkofs, char *path) { struct keyval *kv, *newkv; + struct nk_key *key; int type,len,n,i,in,go, newsize, d = 0, done, insert = 0; char inbuf[SZ_MAX+4]; char origstring[SZ_MAX+4]; char *newstring; char *dbuf; + int vofs; type = get_val_type(h, nkofs, path); if (type == -1) { printf("Value <%s> not found!\n",path); return; } + + if (type == 0) { + printf("Value <%s> type 0!\n",path); + + vofs = trav_path(h, nkofs, path, 0); + + if(!vofs) { + printf("edit_val(0): Key <%s> not found\n",path); + return; + } + vofs += 4; + + key = (struct nk_key *)(h->buffer + vofs); + printf("edit_val of node at offset 0x%0x\n",vofs); + + if (key->id != 0x6b6e) { + printf("Error: Not a 'nk' node!\n"); + + debugit(h->buffer,h->size); + + } + if (scriptfile) { + getnextline(inbuf); + } + else { + fmyinput("enter new value - \n-> ", inbuf, 50); + } + + if (strlen(inbuf) < 1) { + printf("Keeping old name\n"); + return; + } + if (strlen(inbuf) > key->len_name) { + printf("Limitation - new string must not be longer than old string\n"); + return; + } + + strncpy(key->keyname,inbuf,key->len_name); + h->state |= HMODE_DIRTY; + return; + + } kv = get_val2buf(h, NULL, nkofs, path, type); + printf("get_val2_buf\n"); if (!kv) { printf("Unable to get data of value <%s>\n",path); return; @@ -804,8 +855,13 @@ switch(type) { case REG_DWORD: printf("DWORD: Old value %d [0x%x], ", kv->data, kv->data); - fmyinput("enter new value (prepend 0x if hex, empty to keep old value)\n-> ", + if (scriptfile) { + getnextline(inbuf); + } + else { + fmyinput("enter new value (prepend 0x if hex, empty to keep old value)\n-> ", inbuf, 12); + } if (*inbuf) { sscanf(inbuf,"%i",&kv->data); d = 1; 
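Review bot: In the hunk at -778 the `key->id != 0x6b6e` check only prints and calls debugit, then falls through to `strncpy(key->keyname, ...)` on a record it has just decided is not an 'nk' node; add `return;` after `debugit(h->buffer,h->size);`. The rename also leaves `key->len_name` at the old length, so a shorter name is stored NUL-padded to the old length rather than shortened; either require `strlen(inbuf) == key->len_name` or update `len_name` too (whether the subkey index entries hold a copy or hash of the name that would also need refreshing is not visible here). `printf("get_val2_buf\n");` here and `printf("pre edit_val\n");` in the hunk at -1070 look like leftover debug output. edit_val continues past the end of the hunk.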
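Review bot: In the hunk at -804 the result of `getnextline(inbuf)` is dropped, so when the script ends inside this DWORD edit the function closes and nulls `scriptfile`, returns 2, and the edit proceeds with whatever partial line was read while the following reads silently become interactive. The same `if (scriptfile) getnextline(inbuf); else fmyinput(...)` triple appears in the hunks at -778 and -842; one helper that reads a line from the script or the terminal and reports exhaustion keeps the three sites identical and lets each treat EOF deliberately, here as empty input (`if (read_input(..., inbuf, 12) < 0) *inbuf = 0;`). fmyinput's prototype is outside this hunk, so the helper below assumes it returns the line length as an int.
```c
/* Read one line: from the script when one is open, else interactively.
 * Returns the line length, or -1 when the script has just been exhausted
 * (getnextline closes it and resets scriptfile to NULL). */
static int read_input(char *prompt, char *inbuf, int maxlen)
{
    if (scriptfile) {
        if (getnextline(inbuf) == 2) {
            return -1;
        }
        return (int)strlen(inbuf);
    }
    return fmyinput(prompt, inbuf, maxlen);
}
```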
@@ -842,7 +898,14 @@ printf("[%2d]: %s\n",n, insert == 1 ? "[INSERT]" : ((i < (len>>1)-1 ) ? origstring+i : "[NEW]")); if (insert) insert++; - if (!go) fmyinput("-> ",inbuf, 500); + if (!go) { + if (scriptfile) { + getnextline(inbuf); + } + else { + fmyinput("-> ",inbuf, 500); + } + } else *inbuf = 0; if (*inbuf && strcmp("--q", inbuf)) { if (!strcmp("--n", inbuf) || !strcmp("--Q", inbuf)) { /* Zap rest */ @@ -946,6 +1009,38 @@ return(0); } +/* Get next line from script file + * + */ +int getnextline(char *inbuf) +{ + int l; + char arg; + for (l=0;99>l;l++) + inbuf[l] = '\0'; + + l = 0; + while ((arg = fgetc(scriptfile)) != EOF) { + if (arg == '\n') break; + inbuf[l] = arg; + l++; + } + printf("!!!%s!!!\n",inbuf); + if (arg == EOF) { + fclose(scriptfile); + scriptfile = NULL; + return 2; + } + return 1; +} + +void addexportfile(char *name) +{ + if (exportfile) { + fprintf(exportfile,"%s\n",name); + } +} + /* Simple interactive command-parser * Main loop for manually looking through the registry */ @@ -960,6 +1055,7 @@ int l, vkofs, nh; int usehive = 0; struct keyval *kv; + int script = 0; #if ALLOC_DEBUG int pagestart; @@ -984,7 +1080,17 @@ printf("find_free_blk: 0x%x\n",freetest); #endif printf("\n[%0x] %s> ",cdofs,path); + + if (scriptfile) { + script = getnextline(inbuf); + l = strlen(inbuf); + } + + if (script == 0) { l = fmyinput("",inbuf,90); + } + if (script == 2) return; + bp = inbuf; skipspace(&bp); @@ -1070,6 +1176,7 @@ case MCMD_EDIT : bp++; skipspace(&bp); + printf("pre edit_val\n"); edit_val(hdesc, cdofs+4, bp); break; case MCMD_HIVE : 
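Review bot: In the hunk at -946 getnextline stores the result of `fgetc` in a `char`, so a 0xFF byte in the script compares equal to EOF and, where `char` is unsigned, the `!= EOF` test never fails; the loop also puts no bound on `l`, so a long script line writes past the caller's buffer, and the fixed 99-byte pre-clear is written into buffers whose sizes differ between callers (mainloop's inbuf is declared outside this hunk). Use an `int` for the character and take the buffer size as a parameter, updating the prototype in ntreg.h and the three callers. `printf("!!!%s!!!\n",inbuf);` looks like leftover debug output, and a final line without a trailing newline is currently read and then reported as EOF in the same call, which the mainloop caller in the hunk at -984 treats as 'stop' and never executes; the version below returns that line first and reports EOF on the next call.
```c
/* Read the next script line into inbuf (at most maxlen-1 bytes, always
 * NUL-terminated; excess bytes on the line are dropped).  Returns 1 when a
 * line was read, 2 when the script is exhausted, in which case the file is
 * closed and scriptfile reset to NULL. */
int getnextline(char *inbuf, int maxlen)
{
    int c;      /* int, not char: EOF must stay distinguishable from data */
    int l = 0;

    while ((c = fgetc(scriptfile)) != EOF && c != '\n') {
        if (l < maxlen - 1) {
            inbuf[l++] = (char)c;
        }
    }
    inbuf[l] = '\0';

    if (c == EOF && l == 0) {
        fclose(scriptfile);
        scriptfile = NULL;
        return 2;
    }
    return 1;
}
```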
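Review bot: In the hunk at -984 `script` keeps its value from the previous iteration, so when getnextline returns 2 from inside edit_val (which closes and nulls `scriptfile`) the next pass finds `scriptfile` NULL, skips both reads because `script` is still 1, and re-parses the stale contents of inbuf as a new command. Reset it on every pass: `script = scriptfile ? getnextline(inbuf) : 0;` followed by `if (script == 1) l = strlen(inbuf);`. Whether a line read in the same call that hit EOF should still be executed before returning depends on getnextline's EOF handling (hunk at -946). mainloop's body continues outside the hunk.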
@@ -1529,9 +1636,11 @@ " -l list all users in SAM file\n" " -i Interactive. List users (as -l) then ask for username to change\n" " -e Registry editor. Now with full write support!\n" + " -f Registry editor from script file.\n" + " -x Export Harddrive info.\n" " -d Enter buffer debugger instead (hex editor), \n" - " -t Trace. Show hexdump of structs/segments. (deprecated debug function)\n" - " -v Be a little more verbose (for debuging)\n" + " -t Trace. Show hexdump of structs/segments. (deprecated debug function)\n" + " -v Be a little more verbose (for debuging)\n" " -L Write names of changed files to /tmp/changed\n" " -N No allocation mode. Only (old style) same length overwrites possible\n" "See readme file on how to extract/read/write the NT's SAM file\n" @@ -1552,8 +1661,10 @@ char *who = "Administrator"; char iwho[100]; FILE *ch; /* Write out names of touched files to this */ + char *scriptf,*exportf; + int script = 0,x = 0; - char *options = "LNidehltvu:"; + char *options = "LNidehltvf:u:x:"; printf("%s\n",chntpw_version); while((c=getopt(argc,argv,options)) > 0) { @@ -1567,6 +1678,8 @@ case 'v': gverbose = 1; break; case 'i': list = 1; who = 0; inter = 1; break; case 'u': who = optarg; list = 1; break; + case 'f': scriptf = optarg;script = 1;break; + case 'x': exportf = optarg;x = 1;script = 1;break; case 'h': usage(); exit(0); break; default: usage(); exit(1); break; } @@ -1575,6 +1688,22 @@ if (!filename || !*filename) { usage(); exit(1); } + if (x) { + if (!(exportfile=fopen (exportf, "w"))) { + printf ("Can't findr: %s",exportf); + exit(0); + } + } + if (script) { + if (!(scriptfile=fopen (scriptf, "r"))) { + + exit(0); + } + else { + printf ("Script File %s found\n",scriptf); + } + } + do { if (!(hive[no_hives] = openHive(filename, HMODE_RW|noalloc|(list == 2 ? HMODE_VERBOSE : 0)))) { 
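Review bot: In the hunk at -1552 `scriptf` and `exportf` are declared uninitialized, while the `case 'x'` added in the hunk at -1567 sets `script = 1` without setting `scriptf`, so `-x file` given without `-f` reaches `fopen(scriptf, "r")` in the hunk at -1575 with an indeterminate pointer; the same flag also makes an export-only run auto-answer the 'Write hive files?' prompt in the hunk at -1614. Initialize the pointers, `char *scriptf = NULL, *exportf = NULL;`, and either drop `script = 1` from `case 'x'` or guard the open and the auto-confirmation with `scriptf != NULL`. main continues outside the hunk.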
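Review bot: In the hunk at -1575 both open failures call `exit(0)`, reporting success to the caller, and the script-file failure prints nothing at all (the export message is also missing its newline and reads 'findr'). Report the failure and exit non-zero, e.g. `perror(exportf); exit(1);` and `perror(scriptf); exit(1);`, so a scripted run that never started cannot be mistaken for one that completed.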
@@ -1598,7 +1727,7 @@ if (list && !edit && !inter) { if ( list_users(1) ) edit = 1; } - if (edit) mainloop(); + if (edit || script) mainloop(); else if (who) { handle_syskey(); find_n_change(who); } if (inter) interactive(); @@ -1614,7 +1743,10 @@ if (d) { /* Only prompt user if logging of changed files has not been set */ /* Thus we assume confirmations are done externally if they ask for a list of changes */ - if (!logchange) fmyinput("Write hive files? (y/n) [n] : ",iwho,3); + if (!logchange) { + if (script) {iwho[0] = 'y';} + else {fmyinput("Write hive files? (y/n) [n] : ",iwho,3);} + } if (*iwho == 'y' || logchange) { if (logchange) { ch = fopen("/tmp/changed","w"); diff --unified --recursive --new-file --exclude=changeIP --exclude=sl --exclude=start --exclude=live chntpw-source-040818/ntreg.c chntpwdmod/ntreg.c --- chntpw-source-040818/ntreg.c 2004-08-19 04:42:02.000000000 +0800 +++ chntpwdmod/ntreg.c 2006-03-14 08:13:09.000000000 +0800 @@ -1390,6 +1390,19 @@ } + printf("%d\n",key->id); + printf("%d\n",key->type); + printf("0x%0x\n",key->ofs_parent); + printf("%d\n",key->no_subkeys); + printf("0x%0x\n",key->ofs_lf); + printf("%d\n",key->no_values); + printf("0x%0x\n",key->ofs_vallist); + printf("0x%0x\n",key->ofs_sk); + printf("%d\n",key->ofs_classnam); + printf("%d\n",key->len_name); + printf("%d\n",key->len_classnam); + printf("%s\n",key->keyname); + printf("Node has %ld subkeys and %ld values",key->no_subkeys,key->no_values); if (key->len_classnam) printf(", and class-data of %d bytes",key->len_classnam); printf("\n"); @@ -1397,6 +1410,7 @@ if (key->no_subkeys) { printf("offs key name\n"); while ((ex_next_n(hdesc, nkofs, &count, &countri, &ex) > 0)) { + addexportfile(ex.name); printf("[%6x] %c <%s>\n", ex.nkoffs, (ex.nk->len_classnam)?'*':' ',ex.name); FREE(ex.name); } 
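Review bot: In the ntreg.c hunk at -1390 the twelve unconditional printf calls dump the raw nk header on every listing, and `printf("%s\n",key->keyname)` prints a name whose length the record carries separately in `len_name`, so if `keyname` is not NUL-terminated in the hive (its declaration is outside the hunk) the output runs into whatever follows the name in the buffer. The `%d` conversions also disagree with the `%ld` the existing line uses for `no_subkeys` and `no_values`, so one side has a format/argument mismatch. Gate the dump behind the hive's verbose mode (HMODE_VERBOSE is what openHive takes) and print the name by length, `printf("%.*s\n", key->len_name, key->keyname);`. The enclosing function starts and ends outside the hunk.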
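Review bot: In the ntreg.c hunk at -1397 the library now calls `addexportfile`, which is defined in chntpw.c and declared in ntreg.h (hunk at -365), so ntreg.c no longer links without the chntpw front end, and every subkey listing writes to the export file whenever one is open with no way for a caller to opt out. Keep the library independent by exposing a hook instead, e.g. a file-scope `void (*export_cb)(const char *)` that chntpw.c points at addexportfile, and call `if (export_cb) export_cb(ex.name);` here; the prototypes added to ntreg.h can then take `const char *`.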
@@ -2514,7 +2528,7 @@ ALLOC(kr,1,sizeof(int)+sizeof(int)); kr->len = sizeof(int); - (int)kr->data = dword; + kr->data = (int)dword; r = put_buf2val(hdesc, kr, vofs, path, REG_DWORD); diff --unified --recursive --new-file --exclude=changeIP --exclude=sl --exclude=start --exclude=live chntpw-source-040818/ntreg.h chntpwdmod/ntreg.h --- chntpw-source-040818/ntreg.h 2004-08-19 04:42:02.000000000 +0800 +++ chntpwdmod/ntreg.h 2006-03-08 08:55:43.000000000 +0800 @@ -365,3 +365,6 @@ int del_key(struct hive *hdesc, int nkofs, char *name); void rdel_keys(struct hive *hdesc, char *path, int nkofs); struct keyval *get_class(struct hive *hdesc, int curnk, char *path); + +int getnextline(char *inbuf); +void addexportfile(char *name); diff --unified --recursive --new-file --exclude=changeIP --exclude=sl --exclude=start --exclude=live chntpw-source-040818/README_Chris_Macaulay.txt chntpwdmod/README_Chris_Macaulay.txt --- chntpw-source-040818/README_Chris_Macaulay.txt 1970-01-01 08:00:00.000000000 +0800 +++ chntpwdmod/README_Chris_Macaulay.txt 2006-06-27 16:54:05.000000000 +0800 
@@ -0,0 +1,67 @@ +The chntpw agreement is ... (sorry, its a bit long) +The Offline NT Password & Registry Editor + +Copyright information & credits for: +chntpw binary +chntpw source +urce (registry edit library) +is Copyright (c) 1997-2004 Petter Nordahl-Hagen, pnordahl@eunet.no + +Rules (someone calls it license): +The chntpw binary & source can be both changed and distributed +by anyone in any way they like if: +e makes money on it (commercial sales is a big NONO) +except: a) Charging for media/packaging/printed docs/support/shipping +is allowed. +b) Inclusion in typical linux, *bsd or similar OS +tions (also commercial) +is allowed as long as use of chntpw & ntreg is +not the distributions primary purpose. Anyway it's +nice if I get notified any such inclusion. +ource must be available (at least as an option) +3) The changed program also follows these rules. +4) As long as code written by me is included, it must give me credit, +at least in the source code and docs. + +If you ask I will very likely allow other types of distribution. +(have already had questions of it as a bonus on eBay auctions. + ask, and you will likely get permission) +I'm just a kind of control freak, so I want to know what's going on. + + + +This program is still considered a huge HACK so please note:: + +* THIS SOFTWARE IS PROVIDED BY PETTER NORDAHL-HAGEN `AS IS'' AND +* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +* ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +* SUCH DAMAGE. + +ric Young, I borrowed your disclaimer, too..) + +--------------------------------------------------------------------------------- + +This software uses some routines & links with routines +by the following people/organizations: + +* As of 2001, it now uses OpenSSL for MD4 & DES. +* Thanks to Denis Ducamp for patches to make it work with OpenSSL. +* +* Part of some routines, information and ideas taken from +* pwdump by Jeremy Allison. +* +* Some stuff from NTCrack by Jonathan Wilkins. + +-------------------------------------------------------------------------------- + + +It would be nice to be credited to have modified it, other than that, just follow that license. + +Chris