#46
|
|||
|
|||
signtool.exe sign -a -f current_cert.pfx -p nv1d1aRules -t http://timestamp.verisign.com/scripts/timstamp.dll %1
signtool.exe sign -a -f current_cert.pfx -p nv1d1aRules -t http://timestamp.sectigo.com file.sys capicom.dll 726BD80A . /75 07 JNZ SHORT 726BD813 ; capicom.726BD813 726BD80C . |BE 53028880 MOV ESI,0x80880253 726BD811 .^|EB AF JMP SHORT 726BD7C2 ; capicom.726BD7C2 726BD813 > \8D45 E0 LEA EAX,DWORD PTR SS:[EBP-0x20] 726BD3CE |> \FF76 0C PUSH DWORD PTR DS:[ESI+0xC] 726BD3D1 |. 57 PUSH EDI 726BD3D2 |. FF15 C0106972 CALL DWORD PTR DS:[0x726910C0] ; CRYPT32.CertVerifyTimeValidity 726BD3D8 |. 85C0 TEST EAX,EAX 726BD3DA |. 74 05 JE SHORT 726BD3E1 ; capicom.726BD3E1 726BD3DC |. BF 01010B80 MOV EDI,0x800B0101 726BD3E1 |> 8BC7 MOV EAX,EDI 726BD3E3 |. 5F POP EDI 726BD3E4 |. 5E POP ESI 726BD3E5 |. C9 LEAVE 726BD3E6 \. C2 0800 RETN 0x8 I also noticed the presence of: C:\pp2\COPP\Cert\Win8_64\ nvDrvCert.crt nvDrvCert.dat nvDrvCert.prv nvDrvCert.pub what are those? |
The Following User Says Thank You to CodeCracker For This Useful Post: | ||
niculaita (11-19-2024) |
#47
|
|||
|
|||
other certs from huge 18GB archive (read some older posts)...
|
#48
|
||||
|
||||
I tried 2015 and dll modified
726BD3D8 |. 85C0 TEST EAX,EAX 726BD3DA |. 74 05 JE SHORT 726BD3E1 ; capicom.726BD3E1 to Jmp and later to Jne If testsigning is off I got Triangle with ! and this message: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. others Windows nu poate încărca driverul de dispozitiv pentru acest hardware. Este posibil ca driverul să fie deteriorat sau să lipsească. (Cod 39) Windows cannot verify the digital signature for this file. The signing certificate for this file has been revoked. or cod 52 Eroare de instalare A certificate chain could not be built to a trusted root authority.
__________________
Decode and Conquer Last edited by niculaita; 11-19-2024 at 21:38. |
#49
|
|||
|
|||
I find other pfx file , also expired, but maybe not revoked.
password in pass.txt. Note: see the valid dates openssl pkcs12 -info -in xxx.pfx -nodes -legacy | openssl x509 -noout -dates |
The Following User Says Thank You to wx69wx2023 For This Useful Post: | ||
niculaita (11-23-2024) |
#50
|
||||
|
||||
C:\Program Files\OpenSSL-Win64\bin>openssl pkcs12 -info -in cs_20151112.pfx -nodes -legacy | openssl x509 -noout -dates
pkcs12: unable to load provider legacy Hint: use -provider-path option or OPENSSL_MODULES environment variable. A86C0000:error:12800067SO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(C:\Program Files\OpenSSL\lib\ossl-modules\legacy.dll) A86C0000:error:12800067SO support routinesSO_load:could not load the shared library:crypto\dso\dso_lib.c:147: A86C0000:error:07880025:common libcrypto routinesrovider_init:reason(37):crypto\provider_core.c:950:name=legacy Could not find certificate from C:\Program Files\OpenSSL-Win64\bin>
__________________
Decode and Conquer |
#51
|
||||
|
||||
C:\1\signtool>signtool.exe sign -a -f cs1.pfx -p cs123456 -t http://timestamp.verisign.com/scripts/timstamp.dll exetools.cat
Done Adding Additional Store SignTool Error: ISignedCode::Sign returned error: 0x80880253 The signer's certificate is not valid for signing. SignTool Error: An error occurred while attempting to sign: Exetools.cat Number of errors: 1 C:\Program Files\OpenSSL-Win64\bin>openssl pkcs12 -in cs1.pfx -out cs1.pem Enter Import Password: Enter PEM pass phrase: Verifying - Enter PEM pass phrase: Error outputting keys and certificates 68550000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties () C:\Program Files\OpenSSL-Win64\bin>
__________________
Decode and Conquer Last edited by niculaita; 11-23-2024 at 16:59. |
#52
|
||||
|
||||
how to fake timestamp ?
please guide me! cause next does not work 2015 signtool.exe sign -a -f current_cert.pfx -p nv1d1aRules exetools.sys signtool.exe sign -a -f current_cert.pfx -p nv1d1aRules exetools.cat 2015 or 2024 C:\1\signtool>signtool.exe timestamp /t http://timestamp.sectigo.com exetools.sys Successfully timestamped: Exetools.sys C:\1\signtool>signtool.exe timestamp /t http://timestamp.sectigo.com exetools.cat Successfully timestamped: Exetools.cat C:\1\signtool>signtool timestamp /t "http://tsa.pki.jemmylovejenny.tk/SHA1/2015-11-23T12:00:00" exetools.sys SignTool Error: ISignedCode::Timestamp returned error: 0x80072EE7 An unknown error has occured. Please contact your vendor for assistance. SignTool Error: An error occurred while attempting to timestamp: Exetools.sys Number of errors: 1 C:\1\signtool>
__________________
Decode and Conquer Last edited by niculaita; 11-23-2024 at 18:20. |
#53
|
|||
|
|||
I could not handle the timestamp problem.
The command below just get the valid period. So change the system time to match before sign. openssl pkcs12 -info -in cs1.pfx -nodes -legacy | openssl x509 -noout -dates Enter Import Password: MAC: sha1, Iteration 2000 MAC length: 20, salt length: 20 PKCS7 Data Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000 Certificate bag Certificate bag Certificate bag notBefore=Nov 22 00:00:00 2013 GMT notAfter=Nov 22 23:59:59 2014 GMT openssl pkcs12 -info -in cs20160224_w.pfx -nodes -legacy | openssl x509 -noout -dates Enter Import Password: MAC: sha1, Iteration 2000 MAC length: 20, salt length: 20 PKCS7 Data Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000 Certificate bag Certificate bag Certificate bag Certificate bag notBefore=Jul 2 01:58:35 2014 GMT notAfter=Jul 2 01:58:35 2015 GMT openssl pkcs12 -info -in cs_20151120.pfx -nodes -legacy | openssl x509 -noout -dates Enter Import Password: MAC: sha1, Iteration 2000 MAC length: 20, salt length: 20 PKCS7 Data Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000 PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000 Certificate bag Certificate bag Certificate bag notBefore=Jan 7 00:00:00 2014 GMT notAfter=Jan 7 23:59:59 2015 GMT |
#54
|
||||
|
||||
That is the big problem: fake time tamp server response site "http://tsa.pki.jemmylovejenny.tk/SHA1/2015-01-01T12:00:00"
does not works anymore ? https://blog.talosintelligence.com/old-certificate-new-signature/
__________________
Decode and Conquer Last edited by niculaita; 11-24-2024 at 11:50. |
#55
|
||||
|
||||
Only cat file signed is enough. So how to remove the digital certificat from sys file ?
__________________
Decode and Conquer Last edited by niculaita; 11-24-2024 at 13:47. |
#56
|
|||
|
|||
Steps:
1. Determine whether the file is 32-bit or 64-bit based on the magic number. (010B or 020B) 2. Locate the Security Directory in the PE HEADER using its RVA and size, and remove the corresponding signature content from the file. ( The signature content is at the end of the file. ) 3. Clear the RVA and size fields of the Security Directory. 4. Recalculate the checksum and update it. You could handle the sys file with tools, e.g. winhex +lordpe. I have made the python file to do this. Attachment is the python file and the sys file (already remove the sign) Last edited by wx69wx2023; 11-24-2024 at 13:08. |
The Following User Gave Reputation+1 to wx69wx2023 For This Useful Post: | ||
niculaita (11-24-2024) |
#57
|
|||
|
|||
Quote:
"http://tsa.pki.jemmylovejenny.tk"" is closed. So try "/t http://time.pika.net.cn/fake/RSA/2013-11-24T00:00:00" (use cs1.pfx) I test ,all is ok! Note: first install the root cer of the fake timestamp server. (in the atratchment, just execute the install reg easily or install .cer to root by hand) FYI: https://github.com/Jemmy1228/HookSigntool https://github.com/PIKACHUIM/FakeSign |
The Following User Gave Reputation+1 to wx69wx2023 For This Useful Post: | ||
niculaita (11-25-2024) |
The Following User Says Thank You to wx69wx2023 For This Useful Post: | ||
niculaita (11-24-2024) |
#58
|
||||
|
||||
I have made a cmd bat file next to signtool.exe and exetools.* files:
c: cd\ cd C:\1\signtool date 24.11.2013 time 00:00:00,81 signtool.exe sign -a -f cs1.pfx -p cs123456 -t http://time.pika.net.cn/fake/RSA/2013-11-24T00:00:00 exetools.sys time 00:00:00,81 signtool.exe sign -a -f cs1.pfx -p cs123456 -t http://time.pika.net.cn/fake/RSA/2013-11-24T00:00:00 exetools.cat pause time 00:00:00,81 UTC+8 China or date 11.24.2013 depends of your regional setting Signed sys and without digital certificate have same hash/sha1 codes so that .cat file sees them ok ? I know .inf should not be changed inside after creating cat file.
__________________
Decode and Conquer |
#59
|
||||
|
||||
I need a new a updated inf2cat folder
C:\__inf2cat>REM Current Drive C:\__inf2cat>set SRC_DRIVE=C: C:\__inf2cat>REM Current Path C:\__inf2cat>set SRC_PATH=C:\__inf2cat C:\__inf2cat>x86\Inf2Cat.exe /driver:C:\__inf2cat\DriverForCat /os:8_X64,8_X86,Server2008R2_X64,Server2008R2_IA64,7_X64,7_X86,Server2008_X64,Server2008_IA64,Server2008_X86,Vista_X64,Vista_X86,Server2003_X64,Server2003_IA64,Server2003_X86,XP_X64,XP_X86,2000 ...................... Signability test complete. Errors: None Warnings: None Catalog generation complete. C:\__inf2cat\DriverForCat\exetools.cat C:\__inf2cat>x86\Inf2Cat.exe /v /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64,6_3_X86,6_3_X64,10_X86,10_X64 /driver:C:\__inf2cat\DriverForCatx86 Operating systems parameter invalid. C:\__inf2cat>x64\inf2cat /v /os:2000,XP_X86,XP_X64,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64,6_3_X86,6_3_X64,10_X86,10_X64,10_AU_X86,10_AU_X64,10_RS2_X86,10_RS2_X64,10_RS3_X86,10_RS3_X64,10_RS4_X86,10_RS4_X64,10_RS5_X86,10_RS5_X64,10_19H1_X86,10_19H1_X64,10_VB_X86,10_VB_X64,10_CO_X64,10_NI_X64,Server2003_X86,Server2003_X64,Server2008_X86,Server2008_X64,Server2008R2_X64,Server8_X64,Server6_3_X64,Server10_X64,SERVER2016_X64,ServerRS5_X64 /driver:C:\__inf2cat\DriverForCatX64 Operating systems parameter invalid. C:\__inf2cat>pause Press any key to continue . . .
__________________
Decode and Conquer Last edited by niculaita; 11-26-2024 at 03:38. |
#60
|
||||
|
||||
I instaled CA-ALLCERT.zip on a computer with secure boot enable it show me exclamation mark on it in Device manager. I do know password of bios on that pc to disable Secure boot. What can I do ? What I did wrong ? vip.inf cat and sys works fine but timp stamp was real, not fake.
Please somebody with valabil pfx, sign them https://easyupload.io/svpie9 and tamp both cat, too!
__________________
Decode and Conquer |
Thread Tools | |
Display Modes | |
|
|