NT/2000的密码散列也叫OWF，其实这个散列的作用很大，任何密码都会先生成散列进行保存，在网络认证的时候，也会使用散列。

  但是关于NT/2000的密码散列虽然有很多的介绍，但是却缺乏具体的算法，影响了对于其算法安全性的研究，这里就是通过反汇编获得的密码到散列的实现。

  NT/2000的密码散列其实由2部分组成，一部分是通过变形DES算法，使用密码的大写OEM格式作为密钥（分成2个KEY，每个KEY7字节，用0补足14个字节），通过DESECB方式获得一个128位的密钥，加密特殊字符串“KGS!@#$%”获得的一个16字节长度的值。另一部分则是使用MD4对密码的UNICODE形式进行加密获得的一个散列，下面就是具体的算法代码，提供给大家做进一步深入的研究：

  //注：DES的算法与标准DES的算法有如下不同

  //与标准DES的SPBOX不同

  //与标准DES的ECB生成算法不同，DESKEY不同，标准的是生成64位字节，而他是生成128位字节

  //标准的DES一次是8字节块加密8字节再循环，而他是16字节一次

  //关于MD4的实现，我这里没有标准MD4的算法实现和说明，但是有MD5的，按照MD4与MD5的区别中，好象算法还是有很多改变。

  //因为按照标准的MD5的说法，每轮当中的每次计算，除了参数不同，函数算法是一致的，但其实他的实现是不同的。

void passtoowf(wchar_t * password);

void initLMP(char * pass,unsigned char * LM);

void deskey(char * LmPass,unsigned char * desecb);

void des(unsigned char * LM,char * magic,unsigned char * ecb,long no);

void md4init(unsigned char * LM);

void md4(unsigned char * LM);

void initMDP(PLSA_UNICODE_STRING pass,unsigned char * LM);

typedef DWORD (CALLBACK* RTLUPCASEUNICODESTRINGTOOEMSTRING)(PLSA_UNICODE_STRING, PLSA_UNICODE_STRING, DWORD);

RTLUPCASEUNICODESTRINGTOOEMSTRING RtlUpcaseUnicodeStringToOemString;

unsigned char DESParity[]={0,1,1,2,1,2,2,3,1,2,2,3,2,3,3,4};

unsigned char DESDShift[]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0,

0x64,0xCC,0xF9,0x29,0xDF,0xDE,0x86,0x4A,0x81,0x84,9,0x3C,0,0,0,0,

0xFB,0x99,0xE9,8,0xEC,0x87,0x67,0x2F,0x59,0x0FD,0x22,0xF1};

DWORD DESKEY1[]={

0x00000000,0x00000010,0x20000000,0x20000010,0x00010000,0x00010010,0x20010000,0x20010010,

0x00000800,0x00000810,0x20000800,0x20000810,0x00010800,0x00010810,0x20010800,0x20010810,

0x00000020,0x00000030,0x20000020,0x20000030,0x00010020,0x00010030,0x20010020,0x20010030,

0x00000820,0x00000830,0x20000820,0x20000830,0x00010820,0x00010830,0x20010820,0x20010830,

0x00080000,0x00080010,0x20080000,0x20080010,0x00090000,0x00090010,0x20090000,0x20090010,

0x00080800,0x00080810,0x20080800,0x20080810,0x00090800,0x00090810,0x20090800,0x20090810,

0x00080020,0x00080030,0x20080020,0x20080030,0x00090020,0x00090030,0x20090020,0x20090030,

0x00080820,0x00080830,0x20080820,0x20080830,0x00090820,0x00090830,0x20090820,0x20090830};

DWORD DESKEY2[]={

0x00000000,0x02000000,0x00002000,0x02002000,0x00200000,0x02200000,0x00202000,0x02202000,

0x00000004,0x02000004,0x00002004,0x02002004,0x00200004,0x02200004,0x00202004,0x02202004,

0x00000400,0x02000400,0x00002400,0x02002400,0x00200400,0x02200400,0x00202400,0x02202400,

0x00000404,0x02000404,0x00002404,0x02002404,0x00200404,0x02200404,0x00202404,0x02202404,

0x10000000,0x12000000,0x10002000,0x12002000,0x10200000,0x12200000,0x10202000,0x12202000,

0x10000004,0x12000004,0x10002004,0x12002004,0x10200004,0x12200004,0x10202004,0x12202004,

0x10000400,0x12000400,0x10002400,0x12002400,0x10200400,0x12200400,0x10202400,0x12202400,

0x10000404,0x12000404,0x10002404,0x12002404,0x10200404,0x12200404,0x10202404,0x12202404};

DWORD DESKEY3[]={

0x00000000,0x00000001,0x00040000,0x00040001,0x01000000,0x01000001,0x01040000,0x01040001,

0x00000002,0x00000003,0x00040002,0x00040003,0x01000002,0x01000003,0x01040002,0x01040003,

0x00000200,0x00000201,0x00040200,0x00040201,0x01000200,0x01000201,0x01040200,0x01040201,

0x00000202,0x00000203,0x00040202,0x00040203,0x01000202,0x01000203,0x01040202,0x01040203,

0x08000000,0x08000001,0x08040000,0x08040001,0x09000000,0x09000001,0x09040000,0x09040001,

0x08000002,0x08000003,0x08040002,0x08040003,0x09000002,0x09000003,0x09040002,0x09040003,

0x08000200,0x08000201,0x08040200,0x08040201,0x09000200,0x09000201,0x09040200,0x09040201,

0x08000202,0x08000203,0x08040202,0x08040203,0x09000202,0x09000203,0x09040202,0x09040203};

DWORD DESKEY4[]={

0x00000000,0x00100000,0x00000100,0x00100100,0x00000008,0x00100008,0x00000108,0x00100108,

0x00001000,0x00101000,0x00001100,0x00101100,0x00001008,0x00101008,0x00001108,0x00101108,

0x04000000,0x04100000,0x04000100,0x04100100,0x04000008,0x04100008,0x04000108,0x04100108,

0x04001000,0x04101000,0x04001100,0x04101100,0x04001008,0x04101008,0x04001108,0x04101108,

0x00020000,0x00120000,0x00020100,0x00120100,0x00020008,0x00120008,0x00020108,0x00120108,

0x00021000,0x00121000,0x00021100,0x00121100,0x00021008,0x00121008,0x00021108,0x00121108,

0x04020000,0x04120000,0x04020100,0x04120100,0x04020008,0x04120008,0x04020108,0x04120108,

0x04021000,0x04121000,0x04021100,0x04121100,0x04021008,0x04121008,0x04021108,0x04121108};

DWORD DESKEY5[]={

0x00000000,0x10000000,0x00010000,0x10010000,0x00000004,0x10000004,0x00010004,0x10010004,

0x20000000,0x30000000,0x20010000,0x30010000,0x20000004,0x30000004,0x20010004,0x30010004,

0x00100000,0x10100000,0x00110000,0x10110000,0x00100004,0x10100004,0x00110004,0x10110004,

0x20100000,0x30100000,0x20110000,0x30110000,0x20100004,0x30100004,0x20110004,0x30110004,

0x00001000,0x10001000,0x00011000,0x10011000,0x00001004,0x10001004,0x00011004,0x10011004,

0x20001000,0x30001000,0x20011000,0x30011000,0x20001004,0x30001004,0x20011004,0x30011004,

0x00101000,0x10101000,0x00111000,0x10111000,0x00101004,0x10101004,0x00111004,0x10111004,

0x20101000,0x30101000,0x20111000,0x30111000,0x20101004,0x30101004,0x20111004,0x30111004};

DWORD DESKEY6[]={

0x00000000,0x08000000,0x00000008,0x08000008,0x00000400,0x08000400,0x00000408,0x08000408,

0x00020000,0x08020000,0x00020008,0x08020008,0x00020400,0x08020400,0x00020408,0x08020408,

0x00000001,0x08000001,0x00000009,0x08000009,0x00000401,0x08000401,0x00000409,0x08000409,

0x00020001,0x08020001,0x00020009,0x08020009,0x00020401,0x08020401,0x00020409,0x08020409,

0x02000000,0x0A000000,0x02000008,0x0A000008,0x02000400,0x0A000400,0x02000408,0x0A000408,

0x02020000,0x0A020000,0x02020008,0x0A020008,0x02020400,0x0A020400,0x02020408,0x0A020408,

0x02000001,0x0A000001,0x02000009,0x0A000009,0x02000401,0x0A000401,0x02000409,0x0A000409,

0x02020001,0x0A020001,0x02020009,0x0A020009,0x02020401,0x0A020401,0x02020409,0x0A020409};

DWORD DESKEY7[]={

0x00000000,0x00000100,0x00080000,0x00080100,0x01000000,0x01000100,0x01080000,0x01080100,

0x00000010,0x00000110,0x00080010,0x00080110,0x01000010,0x01000110,0x01080010,0x01080110,

0x00200000,0x00200100,0x00280000,0x00280100,0x01200000,0x01200100,0x01280000,0x01280100,

0x00200010,0x00200110,0x00280010,0x00280110,0x01200010,0x01200110,0x01280010,0x01280110,

0x00000200,0x00000300,0x00080200,0x00080300,0x01000200,0x01000300,0x01080200,0x01080300,

0x00000210,0x00000310,0x00080210,0x00080310,0x01000210,0x01000310,0x01080210,0x01080310,

0x00200200,0x00200300,0x00280200,0x00280300,0x01200200,0x01200300,0x01280200,0x01280300,

0x00200210,0x00200310,0x00280210,0x00280310,0x01200210,0x01200310,0x01280210,0x01280310};

DWORD DESKEY8[]={

0x00000000,0x04000000,0x00040000,0x04040000,0x00000002,0x04000002,0x00040002,0x04040002,

0x00002000,0x04002000,0x00042000,0x04042000,0x00002002,0x04002002,0x00042002,0x04042002,

0x00000020,0x04000020,0x00040020,0x04040020,0x00000022,0x04000022,0x00040022,0x04040022,

0x00002020,0x04002020,0x00042020,0x04042020,0x00002022,0x04002022,0x00042022,0x04042022,

0x00000800,0x04000800,0x00040800,0x04040800,0x00000802,0x04000802,0x00040802,0x04040802,

0x00002800,0x04002800,0x00042800,0x04042800,0x00002802,0x04002802,0x00042802,0x04042802,

0x00000820,0x04000820,0x00040820,0x04040820,0x00000822,0x04000822,0x00040822,0x04040822,

0x00002820,0x04002820,0x00042820,0x04042820,0x00002822,0x04002822,0x00042822,0x04042822};

DWORD DESSpBox1[]={

0x02080800,0x00080000,0x02000002,0x02080802,0x02000000,0x00080802,0x00080002,0x02000002,

0x00080802,0x02080800,0x02080000,0x00000802,0x02000802,0x02000000,0x00000000,0x00080002,

0x00080000,0x00000002,0x02000800,0x00080800,0x02080802,0x02080000,0x00000802,0x02000800,

0x00000002,0x00000800,0x00080800,0x02080002,0x00000800,0x02000802,0x02080002,0x00000000,

0x00000000,0x02080802,0x02000800,0x00080002,0x02080800,0x00080000,0x00000802,0x02000800,

0x02080002,0x00000800,0x00080800,0x02000002,0x00080802,0x00000002,0x02000002,0x02080000,

0x02080802,0x00080800,0x02080000,0x02000802,0x02000000,0x00000802,0x00080002,0x00000000,

0x00080000,0x02000000,0x02000802,0x02080800,0x00000002,0x02080002,0x00000800,0x00080802};

DWORD DESSpBox2[]={

0x40108010,0x00000000,0x00108000,0x40100000,0x40000010,0x00008010,0x40008000,0x00108000,

0x00008000,0x40100010,0x00000010,0x40008000,0x00100010,0x40108000,0x40100000,0x00000010,

0x00100000,0x40008010,0x40100010,0x00008000,0x00108010,0x40000000,0x00000000,0x00100010,

0x40008010,0x00108010,0x40108000,0x40000010,0x40000000,0x00100000,0x00008010,0x40108010,

0x00100010,0x40108000,0x40008000,0x00108010,0x40108010,0x00100010,0x40000010,0x00000000,

0x40000000,0x00008010,0x00100000,0x40100010,0x00008000,0x40000000,0x00108010,0x40008010,

0x40108000,0x00008000,0x00000000,0x40000010,0x00000010,0x40108010,0x00108000,0x40100000,

0x40100010,0x00100000,0x00008010,0x40008000,0x40008010,0x00000010,0x40100000,0x00108000};

DWORD DESSpBox3[]={

0x04000001,0x04040100,0x00000100,0x04000101,0x00040001,0x04000000,0x04000101,0x00040100,

0x04000100,0x00040000,0x04040000,0x00000001,0x04040101,0x00000101,0x00000001,0x04040001,

0x00000000,0x00040001,0x04040100,0x00000100,0x00000101,0x04040101,0x00040000,0x04000001,

0x04040001,0x04000100,0x00040101,0x04040000,0x00040100,0x00000000,0x04000000,0x00040101,

0x04040100,0x00000100,0x00000001,0x00040000,0x00000101,0x00040001,0x04040000,0x04000101,

0x00000000,0x04040100,0x00040100,0x04040001,0x00040001,0x04000000,0x04040101,0x00000001,

0x00040101,0x04000001,0x04000000,0x04040101,0x00040000,0x04000100,0x04000101,0x00040100,

0x04000100,0x00000000,0x04040001,0x00000101,0x04000001,0x00040101,0x00000100,0x04040000};

DWORD DESSpBox4[]={

0x00401008,0x10001000,0x00000008,0x10401008,0x00000000,0x10400000,0x10001008,0x00400008,

0x10401000,0x10000008,0x10000000,0x00001008,0x10000008,0x00401008,0x00400000,0x10000000,

0x10400008,0x00401000,0x00001000,0x00000008,0x00401000,0x10001008,0x10400000,0x00001000,

0x00001008,0x00000000,0x00400008,0x10401000,0x10001000,0x10400008,0x10401008,0x00400000,

0x10400008,0x00001008,0x00400000,0x10000008,0x00401000,0x10001000,0x00000008,0x10400000,

0x10001008,0x00000000,0x00001000,0x00400008,0x00000000,0x10400008,0x10401000,0x00001000,

0x10000000,0x10401008,0x00401008,0x00400000,0x10401008,0x00000008,0x10001000,0x00401008,

0x00400008,0x00401000,0x10400000,0x10001008,0x00001008,0x10000000,0x10000008,0x10401000};

DWORD DESSpBox5[]={

0x08000000,0x00010000,0x00000400,0x08010420,0x08010020,0x08000400,0x00010420,0x08010000,

0x00010000,0x00000020,0x08000020,0x00010400,0x08000420,0x08010020,0x08010400,0x00000000,

0x00010400,0x08000000,0x00010020,0x00000420,0x08000400,0x00010420,0x00000000,0x08000020,

0x00000020,0x08000420,0x08010420,0x00010020,0x08010000,0x00000400,0x00000420,0x08010400,

0x08010400,0x08000420,0x00010020,0x08010000,0x00010000,0x00000020,0x08000020,0x08000400,

0x08000000,0x00010400,0x08010420,0x00000000,0x00010420,0x08000000,0x00000400,0x00010020,

0x08000420,0x00000400,0x00000000,0x08010420,0x08010020,0x08010400,0x00000420,0x00010000,

0x00010400,0x08010020,0x08000400,0x00000420,0x00000020,0x00010420,0x08010000,0x08000020};

DWORD DESSpBox6[]={

0x80000040,0x00200040,0x00000000,0x80202000,0x00200040,0x00002000,0x80002040,0x00200000,

0x00002040,0x80202040,0x00202000,0x80000000,0x80002000,0x80000040,0x80200000,0x00202040,

0x00200000,0x80002040,0x80200040,0x00000000,0x00002000,0x00000040,0x80202000,0x80200040,

0x80202040,0x80200000,0x80000000,0x00002040,0x00000040,0x00202000,0x00202040,0x80002000,

0x00002040,0x80000000,0x80002000,0x00202040,0x80202000,0x00200040,0x00000000,0x80002000,

0x80000000,0x00002000,0x80200040,0x00200000,0x00200040,0x80202040,0x00202000,0x00000040,

0x80202040,0x00202000,0x00200000,0x80002040,0x80000040,0x80200000,0x00202040,0x00000000,

0x00002000,0x80000040,0x80002040,0x80202000,0x80200000,0x00002040,0x00000040,0x80200040};

DWORD DESSpBox7[]={

0x00004000,0x00000200,0x01000200,0x01000004,0x01004204,0x00004004,0x00004200,0x00000000,

0x01000000,0x01000204,0x00000204,0x01004000,0x00000004,0x01004200,0x01004000,0x00000204,

0x01000204,0x00004000,0x00004004,0x01004204,0x00000000,0x01000200,0x01000004,0x00004200,

0x01004004,0x00004204,0x01004200,0x00000004,0x00004204,0x01004004,0x00000200,0x01000000,

0x00004204,0x01004000,0x01004004,0x00000204,0x00004000,0x00000200,0x01000000,0x01004004,

0x01000204,0x00004204,0x00004200,0x00000000,0x00000200,0x01000004,0x00000004,0x01000200,

0x00000000,0x01000204,0x01000200,0x00004200,0x00000204,0x00004000,0x01004204,0x01000000,

0x01004200,0x00000004,0x00004004,0x01004204,0x01000004,0x01004200,0x01004000,0x00004004};

DWORD DESSpBox8[]={

0x20800080,0x20820000,0x00020080,0x00000000,0x20020000,0x00800080,0x20800000,0x20820080,

0x00000080,0x20000000,0x00820000,0x00020080,0x00820080,0x20020080,0x20000080,0x20800000,

0x00020000,0x00820080,0x00800080,0x20020000,0x20820080,0x20000080,0x00000000,0x00820000,

0x20000000,0x00800000,0x20020080,0x20800080,0x00800000,0x00020000,0x20820000,0x00000080,

0x00800000,0x00020000,0x20000080,0x20820080,0x00020080,0x20000000,0x00000000,0x00820000,

0x20800080,0x20020080,0x20020000,0x00800080,0x20820000,0x00000080,0x00800080,0x20020000,

0x20820080,0x00800000,0x20800000,0x20000080,0x00820000,0x00020080,0x20020080,0x20800000,

0x00000080,0x20820000,0x00820080,0x00000000,0x20000000,0x20800080,0x00020000,0x00820080};

void wmain()

{

  HMODULE hNtdll = NULL;

  hNtdll = LoadLibrary( "ntdll.dll" );

  if ( !hNtdll )

  {

    printf( "LoadLibrary( NTDLL.DLL ) Error:%d\n", GetLastError() );

    return ;

  }

  RtlUpcaseUnicodeStringToOemString = (RTLUPCASEUNICODESTRINGTOOEMSTRING)

    GetProcAddress(  hNtdll,  "RtlUpcaseUnicodeStringToOemString");

  passtoowf(L"test");

}

void passtoowf(wchar_t * password)

{

  int len;

  int i;

  LSA_UNICODE_STRING pass;

  LSA_UNICODE_STRING opass;

  unsigned char upassword[0x10];

  unsigned char LM[0x20];

  len=0;

  for(i=0;i<0x20;i++)

  {

    if(password[i]==0 )

      break;

    len=len+2;

  }

  if(len>28)

  {

    printf("password <=14");

    return;

  }

  pass.Length=len;

  pass.MaximumLength=len;

  pass.Buffer=password;

  opass.MaximumLength=0xf;

  opass.Buffer=upassword;

  memset(upassword,0,0x10);

  RtlUpcaseUnicodeStringToOemString(&opass,&pass,0);

  initLMP(upassword,LM+0x10);

  initLMP(upassword+7,LM+0x18);

  initMDP(&pass,LM);

  printf("MD4:\n");

  for(i=0;i<16;i++)

    printf("%02X",LM[i]);

  printf(" DES:");

  for(i=0;i<16;i++)

    printf("%02X",LM[16+i]);

}

void initLMP(char * pass,unsigned char * LM)

{

  char LmPass[0x20];

  unsigned char desecb[128];

  DWORD d1,d2;

  unsigned char a1,a2;

  char a3[]={1,3,7,0xf,0x1f,0x3f,0x7f};

  int i;

  char magic1[8]="KGS!@#$%";

  for(i=0;i<8;i++)

  {

    if(i==0)

    {

      a1=pass[0];

      LmPass[0]=a1>>1;

    }

    else if(i==7)

    {

      a1=pass[i-1];

      a1=a1&a3[i-1];      

      LmPass[i]=a1;

    }

    else

    {

      a1=pass[i-1];

      a2=pass[i];

      a1=a1&a3[i-1];

      a1=a1<<(7-i);

      a2=a2>>(i+1);

      LmPass[i]=a1|a2;

    }

  }

  d1=*(DWORD *)LmPass;

  d2=*(DWORD *)(LmPass+4);

  d1=(d1&0xff7f7f7f)<<1;

  d2=(d2&0xff7f7f7f)<<1;

  *(DWORD *)LmPass=d1;

  *(DWORD *)(LmPass+4)=d2;

  //

  for(i=0;i<8;i++)

  {

    a1=LmPass[i];

    a2=a1;

    a1=a1&0xf;

    a2=a2>>4;

    a2=DESParity[a2];

    a1=DESParity[a1];

    a2=a1+a2;

    a2=a2^a1;

    a2=a2-a1;

    a2=a2&1;

    a2=a2^a1;

    a2=a2-a1;

    if(a2==0)

      LmPass[i]=LmPass[i]^1;

  }

  deskey(LmPass,desecb);

  des(LM,magic1,desecb,1);

}

void deskey(char * LmPass,unsigned char * desecb)

{

  int i;

  unsigned char a1;

  DWORD d1,d2,d3,d4,d5,d6;

  d1=*(DWORD *)LmPass;

  d2=*(DWORD *)(LmPass+4);

  d2=d2>>4;

  d1=d1&0xf0f0f0f;

  d2=d2&0xf0f0f0f;

  d2=d2^d1;

  d1=*(DWORD *)LmPass^d2;

  d2=d2<<4;

  d2=*(DWORD *)(LmPass+4)^d2;

  d3=d1&0xfffff333;

  d3=d3<<0x12;

  d4=d1&0xcccc0000;

  d4=d4^d3;

  d3=d4;

  d3=d3>>0x12;

  d3=d3^d4;

  d1=d1^d3;

  d3=d2&0xfffff333;

  d3=d3<<0x12;

  d4=d2&0xcccc0000;

  d4=d4^d3;

  d3=d3>>0x12;

  d3=d3^d4;

  d2=d2^d3;

  d3=d1;

  d4=d2>>1;

  d3=d3&0x55555555;

  d4=d4&0x55555555;

  d4=d4^d3;

  d1=d1^d4;

  d4=d4+d4;

  d2=d2^d4;

  d4=d1>>8;

  d3=d2&0xff00ff;

  d4=d4&0xff00ff;

  d4=d4^d3;

  d2=d2^d4;

  d4=d4<<8;

  d1=d1^d4;

  d4=d2>>1;

  d3=d1;

  d3=d3&0x55555555;

  d4=d4&0x55555555;

  d4=d4^d3;

  d1=d1^d4;

  d4=d4+d4;

  d2=d2^d4;

  d3=d1&0xf000000f;

  d4=(d2>>0xc)&0xff0;

  d1=d1&0x0fffffff;

  d3=(d3|d4)>>4;

  d4=d2&0xff00;

  d2=(d2&0xff)<<0x10;

  d3=d3|d4;

  d3=d3|d2;

  for(i=0;i<16;i++)

  {

    d2=d1;

    a1=DESDShift[i];

    if(a1==0)

    {

      d2=d2>>1;

      d1=d1<<0x1b;

      d4=d3>>1;

      d3=d3<<0x1b;

      d1=d1|d2;      

    }

    else

    {

      d2=d2>>2;

      d1=d1<<0x1a;

      d4=d3>>2;

      d3=d3<<0x1a;

      d1=d1|d2;

    }

    d1=d1&0x0fffffff;

    d3=d3|d4;

    d2=d1>>1;

    d4=d1&0xc00000;

    d4=d4|(d2&0x07000000);

    d4=(d4>>1)|(d1&0x00100000);

    //d6=d2&0x00060000;

    d5=(d1&0x0001e000)|(d2&0x00060000);

    d2=d2&0x00000f00;

    d3=d3&0x0fffffff;

    d5=d5>>0xd;

    d4=d4>>0x14;

    d6=DESKEY3[d5];

    d5=d1&0xc0;

    d4=DESKEY4[d4];

    d5=(d5|d2)>>6;

    d4=d4|d6;

    d2=d1&0x3f;

    d6=DESKEY2[d5];

    d5=d3&0x180;

    d4=d4|d6;

    d6=DESKEY1[d2];

    d2=d3>>1;

    d4=d4|d6;

    d6=d2&0x1e00;

    d2=d2&0x6000000;

    d5=(d5^d6)>>7;

    d6=(d3&0x1e00000)|d2;

    d6=d6>>0x15;

    d2=DESKEY6[d5];

    d5=DESKEY8[d6];

    d2=d2^d5;

    d5=d3&0x3f;

    d6=DESKEY5[d5];

    d5=(d3>>0xf)&0x3f;

    d2=d2|d6;

    d6=DESKEY7[d5];

    d5=d4&0xffff;

    d2=d2|d6;

    d6=d2<<0x10;

    d2=d2&0xffff0000;

    d5=d5|d6;

    d5=(d5<<2)|(d5>>0x1e);

    d4=d4>>0x10;

    d2=d2|d4;

    d2=(d2<<6)|(d2>>0x1a);

    *(DWORD *)(desecb+8*i)=d5;

    *(DWORD *)(desecb+8*i+4)=d2;

  }

}

void des(unsigned char * LM,char * magic,unsigned char * ecb,long no)

{

  DWORD d1,d2,d3,d4;

  DWORD a1,a2,a3;

  int i;

  d1= *(DWORD *)magic;

  d2= *(DWORD *)(magic+4);

  d1 = (d1<<4)|(d1>>0x1c);

  d3 = d1;

  d1 = (d1^d2)&0xf0f0f0f0;

  d3 = d3^d1;

  d2 = d2^d1;

  d2 =(d2<<0x14)|(d2>>0xc);

  d1 = d2;

  d2 = (d2^d3)&0xfff0000f;

  d1 = d1 ^ d2;

  d3 = d3^d2;

  d1 = (d1<<0xe)|(d1>>0x12);

  d2 = d1;

  d1 = (d1 ^ d3) & 0x33333333;

  d2 = d2 ^ d1;

  d3 = d3^d1;

  d3 = (d3<<0x16)|(d3>>0xa);

  d1 = d3;

  d3 = (d3 ^ d2)&0x3fc03fc;

  d1 = d1^d3;

  d2 = d2^d3;

  d1 = (d1<<9)|(d1>>0x17);

  d3 = d1;

  d1 = (d1^d2)&0xaaaaaaaa;

  d3 = d3^d1;

  d2 = d2^d1;

  d2 = (d2<<1)|(d2>>0x1f);

  if(no!=0)

  {

    for(i=0;i<8;i++)

    {

      a1=0;

      d1=*(DWORD *)(ecb+16*i);

      d4=*(DWORD *)(ecb+16*i+4);

      d1=(d1^d3)&0xfcfcfcfc;

      d4=(d4^d3)&0xcfcfcfcf;

      a1=d1&0xff;

      a2=(d1>>8)&0xff;

      d4=(d4>>4)|(d4<<0x1c);

      a3=DESSpBox1[a1/4];

      a1=d4&0xff;

      d2=d2^a3;

      a3=DESSpBox3[a2/4];

      d2=d2^a3;

      a2=(d4>>8)&0xff;

      d1=d1>>0x10;

      a3=DESSpBox2[a1/4];

      d2=d2^a3;

      a1=(d1>>8)&0xff;

      d4=d4>>0x10;

      a3=DESSpBox4[a2/4];

      d2=d2^a3;

      a2=(d4>>8)&0xff;

      d1=d1&0xff;

      d4=d4&0xff;

      a1=DESSpBox7[a1/4];

      d2=d2^a1;

      a1=DESSpBox8[a2/4];

      d2=d2^a1;

      a1=DESSpBox5[d1/4];

      d2=d2^a1;

      a1=DESSpBox6[d4/4];

      d2=d2^a1;

      a1=0;

      d1=*(DWORD *)(ecb+16*i+8);

      d4=*(DWORD *)(ecb+16*i+0xc);

      d1=(d1^d2)&0xfcfcfcfc;

      d4=(d4^d2)&0xcfcfcfcf;

      a1=d1&0xff;

      a2=(d1>>8)&0xff;

      d4=(d4>>4)|(d4<<0x1c);

      a3=DESSpBox1[a1/4];

      a1=d4&0xff;

      d3=d3^a3;

      a3=DESSpBox3[a2/4];

      d3=d3^a3;

      a2=(d4>>8)&0xff;

      d1=d1>>0x10;

      a3=DESSpBox2[a1/4];

      d3=d3^a3;

      a1=(d1>>8)&0xff;

      d4=d4>>0x10;

      a3=DESSpBox4[a2/4];

      d3=d3^a3;

      a2=(d4>>8)&0xff;

      d1=d1&0xff;

      d4=d4&0xff;

      a1=DESSpBox7[a1/4];

      d3=d3^a1;

      a1=DESSpBox8[a2/4];

      d3=d3^a1;

      a1=DESSpBox5[d1/4];

      d3=d3^a1;

      a1=DESSpBox6[d4/4];

      d3=d3^a1;

    }

    d3=(d3>>1)|(d3<<0x1f);

    d1=d2;

    d2=(d2^d3)&0XAAAAAAAA;

    d1=d1^d2;

    d3=d3^d2;

    d1=(d1<<0x17)|(d1>>9);

    d2=d1;

    d1=(d1^d3)&0x3fc03fc;

    d2=(d2^d1);

    d3=d3^d1;

    d2=(d2<<0xa)|(d2>>0x16);

    d1=d2;

    d2=(d2^d3)&0x33333333;

    d1=d1^d2;

    d3=d3^d2;

    d3=(d3<<0x12)|(d3>>0xe);

    d2=d3;

    d3=(d3^d1)&0xfff0000f;

    d2=d2^d3;

    d1=d1^d3;

    d2=(d2<<0xc)|(d2>>0x14);

    d3=d2;

    d2=(d2^d1)&0xf0f0f0f0;

    d3=d3^d2;

    d1=d1^d2;

    d1=(d1>>4)|(d1<<0x1c);

    *(DWORD *)LM=d1;

    *(DWORD *)(LM+4)=d3;

  }

}

void initMDP(PLSA_UNICODE_STRING pass,unsigned char * LM)

{

  unsigned char LM1[0x58];

  unsigned char s[2]="0";

  md4init(LM1);

  memcpy(LM1+0x18,pass->Buffer,pass->Length);

  memset(LM1+0x18+pass->Length,0x80,1);

  memset(LM1+0x18+pass->Length+1,0,0x37-pass->Length);

  memset(LM1+0x50,0x30,1);

  memset(LM1+0x51,0x0,7);

  *(DWORD *)(LM1+0x10)=0x200;

  md4(LM1);

  memcpy(LM,LM1,16);

}

void md4init(unsigned char * LM)

{

  *(DWORD *)(LM)=0x67452301;

  *(DWORD *)(LM+4)=0xefcdab89;

  *(DWORD *)(LM+8)=0x98badcfe;

  *(DWORD *)(LM+0xc)=0x10325476;

  *(DWORD *)(LM+0x10)=0;

  *(DWORD *)(LM+0x14)=0;

}

void md4(unsigned char * LM)

{

  DWORD d1,d2,d3,d4;

  DWORD a1,a2,a3;

  //第1轮

  d1=*(DWORD *)(LM);

  d2=*(DWORD *)(LM+4);

  d3=*(DWORD *)(LM+8);

  d4=*(DWORD *)(LM+0xc);

  a1=*(DWORD *)(LM+0x18);

  a2=(((d4^d3)&d2)^d4)+a1+d1;

  a2=(a2<<3)|(a2>>0x1d);

  a1=*(DWORD *)(LM+0x1c);

  a3=(((d3^d2)&a2)^d3)+a1;

  d4=d4+a3;

  d4=(d4<<7)|(d4>>0x19);

  a1=*(DWORD *)(LM+0x20);

  a3=(((d2^a2)&d4)^d2)+a1;

  d3=d3+a3;

  d3=(d3<<0xb)|(d3>>0x15);

  a1=*(DWORD *)(LM+0x24);

  a3=(((d4^a2)&d3)^a2)+a1;

  d2=d2+a3;

  d2=(d2<<0x13)|(d2>>0xd);

  a1=*(DWORD *)(LM+0x28);

  a3=(((d4^d3)&d2)^d4)+a1;

  a2=a2+a3;

  a2=(a2<<3)|(a2>>0x1d);

  a1=*(DWORD *)(LM+0x2c);

  a3=(((d3^d2)&a2)^d3)+a1;

  d4=d4+a3;

  d4=(d4<<7)|(d4>>0x19);

  a1=*(DWORD *)(LM+0x30);

  a3=(((d2^a2)&d4)^d2)+a1;

  d3=d3+a3;

  d3=(d3<<0xb)|(d3>>0x15);

  a1=*(DWORD *)(LM+0x34);

  a3=(((d4^a2)&d3)^a2)+a1;

  d2=d2+a3;

  d2=(d2<<0x13)|(d2>>0xd);

  a1=*(DWORD *)(LM+0x38);

  a3=(((d4^d3)&d2)^d4)+a1;

  a2=a2+a3;

  a2=(a2<<3)|(a2>>0x1d);

  a1=*(DWORD *)(LM+0x3c);

  a3=(((d3^d2)&a2)^d3)+a1;

  d4=d4+a3;

发送给朋友】 【加入收藏】 【返加顶部】 【打印本页】 【关闭窗口】