Exetools  

#46 - CodeCracker - 11-15-2024, 01:04
signtool.exe sign -a -f current_cert.pfx -p nv1d1aRules -t http://timestamp.verisign.com/scripts/timstamp.dll %1

signtool.exe sign -a -f current_cert.pfx -p nv1d1aRules -t http://timestamp.sectigo.com file.sys

capicom.dll
726BD80A . /75 07 JNZ SHORT 726BD813 ; capicom.726BD813
726BD80C . |BE 53028880 MOV ESI,0x80880253
726BD811 .^|EB AF JMP SHORT 726BD7C2 ; capicom.726BD7C2
726BD813 > \8D45 E0 LEA EAX,DWORD PTR SS:[EBP-0x20]

726BD3CE |> \FF76 0C PUSH DWORD PTR DS:[ESI+0xC]
726BD3D1 |. 57 PUSH EDI
726BD3D2 |. FF15 C0106972 CALL DWORD PTR DS:[0x726910C0] ; CRYPT32.CertVerifyTimeValidity
726BD3D8 |. 85C0 TEST EAX,EAX
726BD3DA |. 74 05 JE SHORT 726BD3E1 ; capicom.726BD3E1
726BD3DC |. BF 01010B80 MOV EDI,0x800B0101
726BD3E1 |> 8BC7 MOV EAX,EDI
726BD3E3 |. 5F POP EDI
726BD3E4 |. 5E POP ESI
726BD3E5 |. C9 LEAVE
726BD3E6 \. C2 0800 RETN 0x8

I also noticed the presence of:
C:\pp2\COPP\Cert\Win8_64\
nvDrvCert.crt
nvDrvCert.dat
nvDrvCert.prv
nvDrvCert.pub

What are those?
#47 - sendersu - 11-15-2024, 22:23
Other certs from the huge 18GB archive (read some older posts)...
#48 - niculaita - 11-19-2024, 21:03
I tried 2015 and modified the dll:
726BD3D8 |. 85C0 TEST EAX,EAX
726BD3DA |. 74 05 JE SHORT 726BD3E1 ; capicom.726BD3E1
to JMP,
and later to JNE.
If test signing is off I got a triangle with ! and this message:
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Others:
Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
Windows cannot verify the digital signature for this file. The signing certificate for this file has been revoked.
or Code 52

Installation error
A certificate chain could not be built to a trusted root authority.
#49 - wx69wx2023 - 11-23-2024, 10:15
I found another pfx file, also expired, but maybe not revoked.
The password is in pass.txt.

Note: see the validity dates:
openssl pkcs12 -info -in xxx.pfx -nodes -legacy | openssl x509 -noout -dates
Attached file: pfx.zip (33.2 KB)
#50 - niculaita - 11-23-2024, 16:44
C:\Program Files\OpenSSL-Win64\bin>openssl pkcs12 -info -in cs_20151112.pfx -nodes -legacy | openssl x509 -noout -dates
pkcs12: unable to load provider legacy
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
A86C0000:error:12800067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(C:\Program Files\OpenSSL\lib\ossl-modules\legacy.dll)
A86C0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:147:
A86C0000:error:07880025:common libcrypto routines:provider_init:reason(37):crypto\provider_core.c:950:name=legacy
Could not find certificate from

C:\Program Files\OpenSSL-Win64\bin>
#51 - niculaita - 11-23-2024, 16:51
C:\1\signtool>signtool.exe sign -a -f cs1.pfx -p cs123456 -t http://timestamp.verisign.com/scripts/timstamp.dll exetools.cat
Done Adding Additional Store
SignTool Error: ISignedCode::Sign returned error: 0x80880253
The signer's certificate is not valid for signing.
SignTool Error: An error occurred while attempting to sign: Exetools.cat

Number of errors: 1

C:\Program Files\OpenSSL-Win64\bin>openssl pkcs12 -in cs1.pfx -out cs1.pem
Enter Import Password:

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

Error outputting keys and certificates
68550000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

C:\Program Files\OpenSSL-Win64\bin>
#52 - niculaita - 11-23-2024, 17:36
How to fake the timestamp?

Please guide me!

Because the next does not work:
2015
signtool.exe sign -a -f current_cert.pfx -p nv1d1aRules exetools.sys
signtool.exe sign -a -f current_cert.pfx -p nv1d1aRules exetools.cat

2015 or 2024
C:\1\signtool>signtool.exe timestamp /t http://timestamp.sectigo.com exetools.sys
Successfully timestamped: Exetools.sys
C:\1\signtool>signtool.exe timestamp /t http://timestamp.sectigo.com exetools.cat
Successfully timestamped: Exetools.cat


C:\1\signtool>signtool timestamp /t "http://tsa.pki.jemmylovejenny.tk/SHA1/2015-11-23T12:00:00" exetools.sys
SignTool Error: ISignedCode::Timestamp returned error: 0x80072EE7
An unknown error has occured. Please contact your vendor for assistance.
SignTool Error: An error occurred while attempting to timestamp: Exetools.sys

Number of errors: 1

C:\1\signtool>
#53 - wx69wx2023 - 11-23-2024, 19:42
I could not handle the timestamp problem.

The command below just gets the validity period. So change the system time to match before signing.

openssl pkcs12 -info -in cs1.pfx -nodes -legacy | openssl x509 -noout -dates
Enter Import Password:
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Certificate bag
Certificate bag
notBefore=Nov 22 00:00:00 2013 GMT
notAfter=Nov 22 23:59:59 2014 GMT

openssl pkcs12 -info -in cs20160224_w.pfx -nodes -legacy | openssl x509 -noout -dates
Enter Import Password:
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Certificate bag
Certificate bag
Certificate bag
notBefore=Jul 2 01:58:35 2014 GMT
notAfter=Jul 2 01:58:35 2015 GMT

openssl pkcs12 -info -in cs_20151120.pfx -nodes -legacy | openssl x509 -noout -dates
Enter Import Password:
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Certificate bag
Certificate bag
notBefore=Jan 7 00:00:00 2014 GMT
notAfter=Jan 7 23:59:59 2015 GMT
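The `-dates` output above only tells half the story: what matters for Authenticode is the instant at which the certificate's validity window is evaluated. Without a timestamp counter-signature that instant is the verifier's clock; with a trusted timestamp it is the time in the counter-signature, which is exactly what the error message quoted earlier in the thread ("...against the current system clock or the timestamp in the signed file") refers to. The following is an added example, not code from any poster: it parses the two lines `openssl x509 -noout -dates` prints (the sample input is constructed to match the cs1.pfx dates) and evaluates the window both ways. Revocation and chain building to a trusted root are separate checks and are deliberately not modelled.

```python
"""Evaluate a code-signing certificate's validity window the way Authenticode does:
against the current clock, or against the timestamp embedded in the signed file.
Added example; parses the two lines `openssl x509 -noout -dates` prints."""
import re
from datetime import datetime, timezone

# Constructed sample in the exact format openssl prints (same dates as cs1.pfx above).
SAMPLE_DATES = """notBefore=Nov 22 00:00:00 2013 GMT
notAfter=Nov 22 23:59:59 2014 GMT
"""


def parse_openssl_dates(text):
    """Return {'notBefore': datetime, 'notAfter': datetime} (aware, UTC) from -dates output."""
    window = {}
    for m in re.finditer(r"^(notBefore|notAfter)=(.+?)\s*$", text, re.M):
        # openssl pads single-digit days with a space ("Jul  2"); strptime tolerates that.
        parsed = datetime.strptime(m.group(2), "%b %d %H:%M:%S %Y %Z")
        window[m.group(1)] = parsed.replace(tzinfo=timezone.utc)
    if set(window) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return window


def window_status(window, at):
    """'valid', 'not_yet_valid' or 'expired' for the instant `at` (aware UTC datetime)."""
    if at < window["notBefore"]:
        return "not_yet_valid"
    if at > window["notAfter"]:
        return "expired"
    return "valid"


def authenticode_verdict(window, now, timestamp=None):
    """A trusted timestamp counter-signature moves the evaluation instant from `now` to
    `timestamp`; without one the certificate must be valid right now.
    Returns (status, basis). Revocation and chain trust are not modelled here."""
    if timestamp is None:
        return window_status(window, now), "current system clock"
    return window_status(window, timestamp), "timestamp in the signed file"


def utc(*ymd_hms):
    """Shorthand for an aware UTC datetime."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)


if __name__ == "__main__":
    w = parse_openssl_dates(SAMPLE_DATES)
    print(authenticode_verdict(w, utc(2024, 11, 23)))                      # expired, clock
    print(authenticode_verdict(w, utc(2024, 11, 23), utc(2024, 11, 23)))   # expired, timestamp
    print(authenticode_verdict(w, utc(2024, 11, 23), utc(2014, 6, 1)))     # valid, timestamp
```

The third call shows why a file signed with an expired certificate still fails with a genuine timestamp from 2024 but passes when the counter-signature claims a 2014 time; the defensive question is therefore always whether the TSA that produced that counter-signature is itself trusted, not whether the date falls in the window.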
#54 - niculaita - 11-23-2024, 22:59
That is the big problem: the fake timestamp server site "http://tsa.pki.jemmylovejenny.tk/SHA1/2015-01-01T12:00:00"
does not work anymore?
https://blog.talosintelligence.com/old-certificate-new-signature/
#55 - niculaita - 11-24-2024, 01:06
Only the cat file signed is enough. So how to remove the digital certificate from the sys file?
Attached image: remove signiture and time stamp.png (145.5 KB)
#56 - wx69wx2023 - 11-24-2024, 12:27
Steps:

1. Determine whether the file is 32-bit or 64-bit based on the magic number. (010B or 020B)

2. Locate the Security Directory in the PE HEADER using its RVA and size, and remove the corresponding signature content from the file. ( The signature content is at the end of the file. )

3. Clear the RVA and size fields of the Security Directory.

4. Recalculate the checksum and update it.

You could handle the sys file with tools, e.g. WinHex + LordPE.

I have made a python file to do this.

The attachment is the python file and the sys file (with the signature already removed).
Attached file: remove_signature.7z (1.18 MB)
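The four steps above describe what the poster's attached script edits; the inspection counterpart, which a reviewer wants when deciding whether a binary's signature table and checksum are self-consistent, is shown below as an added example (stdlib only, not the poster's script). It reads the magic (010B/020B) to pick the PE32 or PE32+ layout, locates the Security Directory (entry 4, whose "RVA" is a raw file offset), checks the WIN_CERTIFICATE header it points at, and recomputes the optional-header CheckSum with the imagehlp algorithm. The sample image is constructed inline (a minimal PE32+ with a placeholder certificate blob, not a real driver); a truncated copy shows how a dangling directory entry and a stale checksum are reported.

```python
"""Locate a PE file's Security Directory, cross-check the WIN_CERTIFICATE header it
points at, and recompute the optional-header CheckSum. Stdlib only.
The sample image built below is constructed here; it is not a real driver."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def pe_checksum(data, checksum_offset):
    """PE CheckSum as imagehlp computes it: sum the file as 32-bit words with end-around
    carry, skip the CheckSum field itself, fold to 16 bits, then add the file length."""
    padded = bytes(data) + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def inspect_pe(data):
    """Report bitness, Security Directory offset/size, WIN_CERTIFICATE consistency and
    CheckSum status; `issues` lists what a tampered or badly stripped file would show."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:                # 0x10B: 32-bit layout
        is64, ndirs_off, dirs_off = False, opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:          # 0x20B: 64-bit layout
        is64, ndirs_off, dirs_off = True, opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    checksum_off = opt + 64                # CheckSum is at offset 64 in both layouts
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)
    report = {"is64": is64, "stored_checksum": stored, "computed_checksum": computed,
              "checksum_ok": stored == computed, "has_signature": False, "issues": []}
    if not report["checksum_ok"]:
        report["issues"].append("CheckSum mismatch")
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    rva = size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    report.update(security_offset=rva, security_size=size)
    if rva == 0 and size == 0:
        return report                      # no embedded signature
    report["has_signature"] = True
    if rva + size > len(data):
        report["issues"].append("Security Directory points beyond end of file")
        return report
    # For this directory the "RVA" is a raw file offset to a WIN_CERTIFICATE header.
    length, revision, cert_type = struct.unpack_from("<IHH", data, rva)
    report.update(cert_revision=revision, cert_type=cert_type)
    if length != size:
        report["issues"].append("WIN_CERTIFICATE.dwLength disagrees with directory size")
    if rva + size != len(data):
        report["issues"].append("signature is not the trailing data of the file")
    return report


def build_sample_pe(embed_signature=True):
    """Constructed minimal PE32+ image: DOS stub, one section, optional trailing
    WIN_CERTIFICATE with a placeholder blob, and a correct CheckSum."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # AMD64, 1 section
    opt = bytearray(240)                                             # PE32+ with 16 dirs
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 60, 0x200)                           # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    sect = bytearray(40)
    sect[0:5] = b".text"
    struct.pack_into("<IIII", sect, 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    headers = dos + b"PE\0\0" + coff + opt + sect
    image = bytearray(headers + b"\0" * (0x200 - len(headers)) + b"\xC3" * 0x200)
    if embed_signature:
        cert = bytearray(struct.pack("<IHH", 0, 0x0200, 0x0002) + b"CONSTRUCTED-PKCS7-PLACEHOLDER")
        cert += b"\0" * (-len(cert) % 8)                             # 8-byte aligned
        struct.pack_into("<I", cert, 0, len(cert))                   # dwLength
        dir_off = e_lfanew + 24 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, dir_off, len(image), len(cert))
        image += cert
    checksum_off = e_lfanew + 24 + 64
    struct.pack_into("<I", image, checksum_off, pe_checksum(image, checksum_off))
    return bytes(image)


if __name__ == "__main__":
    for label, blob in (("signed", build_sample_pe()), ("unsigned", build_sample_pe(False))):
        print(label, inspect_pe(blob))
```

Running `inspect_pe` on a real file is a quick way to tell a cleanly stripped binary (directory zeroed, checksum recomputed) from a sloppy one (directory left pointing past EOF or a stale checksum), which is also a useful triage signal when a driver that should be signed arrives without a signature.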
#57 - wx69wx2023 - 11-24-2024, 16:58
Quote (originally posted by niculaita):
That is the big problem: the fake timestamp server site "http://tsa.pki.jemmylovejenny.tk/SHA1/2015-01-01T12:00:00"
does not work anymore?
https://blog.talosintelligence.com/old-certificate-new-signature/
The timestamp server can be set up by yourself.
"http://tsa.pki.jemmylovejenny.tk" is closed.
So try "/t http://time.pika.net.cn/fake/RSA/2013-11-24T00:00:00" (use cs1.pfx)

I tested, all is OK!

Note: first install the root cer of the fake timestamp server. (in the attachment, just execute the install reg easily or install the .cer to root by hand)

FYI:
https://github.com/Jemmy1228/HookSigntool
https://github.com/PIKACHUIM/FakeSign
Attached file: CA-ALLCERT.zip (11.1 KB)
#58 - niculaita - 11-24-2024, 19:39
I have made a cmd bat file next to signtool.exe and exetools.* files:
c:
cd\
cd C:\1\signtool
date 24.11.2013
time 00:00:00,81
signtool.exe sign -a -f cs1.pfx -p cs123456 -t http://time.pika.net.cn/fake/RSA/2013-11-24T00:00:00 exetools.sys
time 00:00:00,81
signtool.exe sign -a -f cs1.pfx -p cs123456 -t http://time.pika.net.cn/fake/RSA/2013-11-24T00:00:00 exetools.cat
pause

time 00:00:00,81 is UTC+8 (China)
or date 11.24.2013, depending on your regional setting

Do the signed sys and the one without the digital certificate have the same hash/sha1 codes, so that the .cat file sees them OK?
I know the .inf should not be changed inside after creating the cat file.
#59 - niculaita - 11-24-2024, 22:02
I need a new, updated inf2cat folder.

C:\__inf2cat>REM Current Drive
C:\__inf2cat>set SRC_DRIVE=C:
C:\__inf2cat>REM Current Path

C:\__inf2cat>set SRC_PATH=C:\__inf2cat
C:\__inf2cat>x86\Inf2Cat.exe /driver:C:\__inf2cat\DriverForCat /os:8_X64,8_X86,Server2008R2_X64,Server2008R2_IA64,7_X64,7_X86,Server2008_X64,Server2008_IA64,Server2008_X86,Vista_X64,Vista_X86,Server2003_X64,Server2003_IA64,Server2003_X86,XP_X64,XP_X86,2000
......................
Signability test complete.
Errors:
None
Warnings:
None
Catalog generation complete.
C:\__inf2cat\DriverForCat\exetools.cat
C:\__inf2cat>x86\Inf2Cat.exe /v /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64,6_3_X86,6_3_X64,10_X86,10_X64 /driver:C:\__inf2cat\DriverForCatx86
Operating systems parameter invalid.

C:\__inf2cat>x64\inf2cat /v /os:2000,XP_X86,XP_X64,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64,6_3_X86,6_3_X64,10_X86,10_X64,10_AU_X86,10_AU_X64,10_RS2_X86,10_RS2_X64,10_RS3_X86,10_RS3_X64,10_RS4_X86,10_RS4_X64,10_RS5_X86,10_RS5_X64,10_19H1_X86,10_19H1_X64,10_VB_X86,10_VB_X64,10_CO_X64,10_NI_X64,Server2003_X86,Server2003_X64,Server2008_X86,Server2008_X64,Server2008R2_X64,Server8_X64,Server6_3_X64,Server10_X64,SERVER2016_X64,ServerRS5_X64 /driver:C:\__inf2cat\DriverForCatX64
Operating systems parameter invalid.
C:\__inf2cat>pause
Press any key to continue . . .
#60 - niculaita - 11-26-2024, 03:52
I installed CA-ALLCERT.zip on a computer with Secure Boot enabled; it shows me an exclamation mark on it in Device Manager. I do know the password of the BIOS on that pc to disable Secure Boot. What can I do? What did I do wrong? vip.inf, cat and sys work fine, but the timestamp was real, not fake.
Please, somebody with a valid pfx, sign them https://easyupload.io/svpie9 and timestamp both cat, too!