<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"MS Shell Dlg";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Matthieu,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We completed our review. The raw, unencrypted data you provided is:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> Raw data:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> ----------<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 64 0c 27 47 c7 2f 9b 49 ac 5b 0e 37 cd ce 89 9a # 00000000<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 74 01 00 00 02 00 00 00 00 01 00 00 58 00 00 00 # 00000010<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> bd 8b dc a1 3f 74 3e 47 8d 00 0a 47 42 df 76 bd # 00000020<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 30 e5 9a 15 1b 59 b8 1e b6 b8 2a d0 9f 30 aa b3 # 00000030<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 12 9a 98 55 63 d2 11 e4 41 00 db 37 9c d9 86 63 # 00000040<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> a1 30 1d 8c f4 25 00 16 e2 c1 b0 36 89 10 83 56 # 00000050<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> ad 8f 0b 11 60 20 c4 07 81 77 c1 d4 95 7d 81 e8 # 00000060<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> cc a6 bf c5 f5 23 8d 29 2e 9c 8d 21 ff c3 b7 c3 # 00000070<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> ba 14 35 ec 6f 50 24 14 17 83 5f dc bc 2a d9 f6 # 00000080<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> ee f9 4f 63 16 0a fc 93 b4 a2 4c 10 cf 28 54 55 # 00000090<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 7e a7 47 db 24 96 e4 dd 5f 4c 0c 4d c8 17 c9 53 # 000000a0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> db 58 98 03 f6 f9 19 ec 56 b0 8d f5 39 9d fb ea # 000000b0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 59 dd eb 3d a0 af 1b 7c e1 85 22 d2 19 45 a8 14 # 000000c0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 2a 8f 26 3d 3e 4f c8 4d b5 b4 eb 49 6b 16 c2 5f # 000000d0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> a7 3b 1e d3 25 e9 84 c0 30 d9 56 f7 15 89 d5 ac # 000000e0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 40 96 14 ed 02 cf 66 03 ee f5 79 a3 c6 4e 59 fe # 000000f0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 01 07 da 5f d1 b8 d6 e3 15 28 78 83 4b f6 5b d6 # 00000100<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> b0 10 b7 74 5f aa aa c4 4f 53 e7 1f fd e4 ab a3 # 00000110<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> bb f3 98 5c 47 ea 2b a5 bf a1 be a2 3b 3b 13 6a # 00000120<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> aa 5e 85 dd fb df 5c 8e 0f c4 9e df 43 b7 b8 aa # 00000130<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 01 17 f6 d4 93 cb 35 b9 9f 57 2a ed 8d 6f dc 4d # 00000140<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 9c ae 9f 2a 45 c9 bb f5 48 8a 3e 98 62 93 b8 20 # 00000150<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 77 0e 8f 24 75 16 12 2e 7b f0 b9 61 1d ee 8f 2a # 00000160<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> ed fb ed 39 41 ba 73 91 68 0c 21 4b 9d 2e 13 3b # 00000170<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 4a 5a 96 83 74 4d 52 34 74 01 00 00 00 00 00 00 # 00000180<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 8a e3 13 71 02 f4 36 71 02 40 28 00 30 7c de 3d # 00000190<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 5d 16 d1 11 ab 8f 00 80 5f 14 db 40 01 00 00 00 # 000001a0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 # 000001b0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 02 00 00 00 # 000001c0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Which you decoded as follows with an unexplained 52 bytes trailing:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">Decoded data:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">--------------<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">BACKUPKEY_RESTORE_GUID {47270C64-2FC7-499B-AC5B-0E37CDCE899A}<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 64 0c 27 47 c7 2f 9b 49 ac 5b 0e 37 cd ce 89 9a # 00000000<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">Length 0x174 (372)<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 74 01 00 00 .. .. .. .. .. .. .. .. .. .. .. .. # 00000010<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">2.2.2 Client-Side-Wrapped Secret<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"> dwVersion (2) BACKUPKEY_RECOVERY_BLOB_VERSION_VISTA)<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"> cbEncryptedSecret (256)<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"> cbAccessCheck (88)<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> .. .. .. .. 02 00 00 00 00 01 00 00 58 00 00 00 # 00000010<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">guidKey: {a1dc8bbd-743f-473e-8d00-0a4742df76bd}<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> bd 8b dc a1 3f 74 3e 47 8d 00 0a 47 42 df 76 bd # 00000020<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">EncryptedSecret (for 256 bytes):<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 30 e5 9a 15 1b 59 b8 1e b6 b8 2a d0 9f 30 aa b3 # 00000030<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 12 9a 98 55 63 d2 11 e4 41 00 db 37 9c d9 86 63 # 00000040<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> a1 30 1d 8c f4 25 00 16 e2 c1 b0 36 89 10 83 56 # 00000050<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> ad 8f 0b 11 60 20 c4 07 81 77 c1 d4 95 7d 81 e8 # 00000060<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> cc a6 bf c5 f5 23 8d 29 2e 9c 8d 21 ff c3 b7 c3 # 00000070<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> ba 14 35 ec 6f 50 24 14 17 83 5f dc bc 2a d9 f6 # 00000080<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> ee f9 4f 63 16 0a fc 93 b4 a2 4c 10 cf 28 54 55 # 00000090<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 7e a7 47 db 24 96 e4 dd 5f 4c 0c 4d c8 17 c9 53 # 000000a0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> db 58 98 03 f6 f9 19 ec 56 b0 8d f5 39 9d fb ea # 000000b0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 59 dd eb 3d a0 af 1b 7c e1 85 22 d2 19 45 a8 14 # 000000c0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 2a 8f 26 3d 3e 4f c8 4d b5 b4 eb 49 6b 16 c2 5f # 000000d0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> a7 3b 1e d3 25 e9 84 c0 30 d9 56 f7 15 89 d5 ac # 000000e0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 40 96 14 ed 02 cf 66 03 ee f5 79 a3 c6 4e 59 fe # 000000f0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 01 07 da 5f d1 b8 d6 e3 15 28 78 83 4b f6 5b d6 # 00000100<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> b0 10 b7 74 5f aa aa c4 4f 53 e7 1f fd e4 ab a3 # 00000110<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> bb f3 98 5c 47 ea 2b a5 bf a1 be a2 3b 3b 13 6a # 00000120<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">AccessCheck (for 88 bytes):<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> aa 5e 85 dd fb df 5c 8e 0f c4 9e df 43 b7 b8 aa # 00000130<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 01 17 f6 d4 93 cb 35 b9 9f 57 2a ed 8d 6f dc 4d # 00000140<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 9c ae 9f 2a 45 c9 bb f5 48 8a 3e 98 62 93 b8 20 # 00000150<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 77 0e 8f 24 75 16 12 2e 7b f0 b9 61 1d ee 8f 2a # 00000160<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> ed fb ed 39 41 ba 73 91 68 0c 21 4b 9d 2e 13 3b # 00000170<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 4a 5a 96 83 74 4d 52 34 .. .. .. .. .. .. .. .. # 00000180<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">Size again (0x174) data_in_len and zero param<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> .. .. .. .. .. .. .. .. 74 01 00 00 00 00 00 00 # 00000180<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">Trailing unexplained 52 bytes :<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 8a e3 13 71 02 f4 36 71 02 40 28 00 30 7c de 3d # 00000190<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 5d 16 d1 11 ab 8f 00 80 5f 14 db 40 01 00 00 00 # 000001a0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 # 000001b0<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.25in"><span style="font-family:"Courier New""> 02 00 00 00 # 000001c0<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">These 52 bytes is the MS-RPCE Verification Trailer specified in MS-RPCE 2.2.2.13, as follows:<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">Eight-byte signature octets {0x8a, 0xe3, 0x13, 0x71, 0x02, 0xf4, 0x36, 0x71}:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 8a e3 13 71 02 f4 36 71 .. .. .. .. .. .. .. .. # 00000190<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">Four-byte rcp_sec_vt_pcontext header:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">(0x4002 & 3fff) = 0x0002 = rpc_sec_vt_pcontext command<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">0x0028 = length<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> .. .. .. .. .. .. .. .. 02 40 28 00 .. .. .. .. # 00000190<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none">rcp_sec_vt_pcontext InterfaceId and TransferSyntax (MS-RPCE 2.2.2.13.4) consume the remaining 40 (0x28) bytes:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-size:7.5pt;font-family:"MS Shell Dlg","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> .. .. .. .. .. .. .. .. .. .. .. .. 30 7c de 3d # 00000190<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 5d 16 d1 11 ab 8f 00 80 5f 14 db 40 01 00 00 00 # 000001a0<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.25in;text-autospace:none"><span style="font-family:"Courier New""> 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 # 000001b0<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.25in"><span style="font-family:"Courier New""> 02 00 00 00 # 000001c0<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">Bryan<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Bryan Burgin
<br>
<b>Sent:</b> Tuesday, August 10, 2010 10:03 AM<br>
<b>To:</b> 'mat@samba.org'<br>
<b>Cc:</b> 'pfif@tridgell.net'; 'cifs-protocol@samba.org'; MSSolve Case Email<br>
<b>Subject:</b> RE: [REG:110071868986368] unused bytes after while decoding bkrp requests<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Hi, Matthieu,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Just a quick update. I have a pending TDI with the BKRP team to verify our findings that these bytes are unused and should be ignored if received.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Your other three issues we’re distributed to other team members and they are contacting you separately.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Bryan<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Bryan Burgin
<br>
<b>Sent:</b> Monday, July 26, 2010 9:36 AM<br>
<b>To:</b> 'mat@samba.org'<br>
<b>Cc:</b> pfif@tridgell.net; cifs-protocol@samba.org; MSSolve Case Email<br>
<b>Subject:</b> RE: [REG:110071868986368] unused bytes after while decoding bkrp requests<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoPlainText">Hi, Matthieu,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I made some progress on this last week, but I wanted to close in on a few loose ends before I sent any conclusions. But, let me indicate where I am.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Below is the buffer you provided:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 640c2747 c72f9b49 ac5b0e37 cdce899a # 00000000 d.'G./.I.[.7....<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 74010000 02000000 00010000 58000000 # 00000010 t...........X...<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> bd8bdca1 3f743e47 8d000a47 42df76bd # 00000020 ....?t>G...GB.v.<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 30e59a15 1b59b81e b6b82ad0 9f30aab3 # 00000030 0....Y....*..0..<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 129a9855 63d211e4 4100db37 9cd98663 # 00000040 ...Uc...A..7...c<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> a1301d8c f4250016 e2c1b036 89108356 # 00000050 .0...%.....6...V<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> ad8f0b11 6020c407 8177c1d4 957d81e8 # 00000060 ....` ...w...}..<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> cca6bfc5 f5238d29 2e9c8d21 ffc3b7c3 # 00000070 .....#.)...!....<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> ba1435ec 6f502414 17835fdc bc2ad9f6 # 00000080 ..5.oP$..._..*..<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> eef94f63 160afc93 b4a24c10 cf285455 # 00000090 ..Oc......L..(TU<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 7ea747db 2496e4dd 5f4c0c4d c817c953 # 000000a0 ~.G.$..._L.M...S<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> db589803 f6f919ec 56b08df5 399dfbea # 000000b0 .X......V...9...<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 59ddeb3d a0af1b7c e18522d2 1945a814 # 000000c0 Y..=...|.."..E..<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 2a8f263d 3e4fc84d b5b4eb49 6b16c25f # 000000d0 *.&=>O.M...Ik.._<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> a73b1ed3 25e984c0 30d956f7 1589d5ac # 000000e0 .;..%...0.V.....<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 409614ed 02cf6603 eef579a3 c64e59fe # 000000f0 @.....f...y..NY.<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 0107da5f d1b8d6e3 15287883 4bf65bd6 # 00000100 ..._.....(x.K.[.<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> b010b774 5faaaac4 4f53e71f fde4aba3 # 00000110 ...t_...OS......<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> bbf3985c 47ea2ba5 bfa1bea2 3b3b136a # 00000120 ...\G.+.....;;.j<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> aa5e85dd fbdf5c8e 0fc49edf 43b7b8aa # 00000130 .^....\.....C...<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 0117f6d4 93cb35b9 9f572aed 8d6fdc4d # 00000140 ......5..W*..o.M<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 9cae9f2a 45c9bbf5 488a3e98 6293b820 # 00000150 ...*E...H.>.b..
<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 770e8f24 7516122e 7bf0b961 1dee8f2a # 00000160 w..$u...{..a...*<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> edfbed39 41ba7391 680c214b 9d2e133b # 00000170 ...9A.s.h.!K...;<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 4a5a9683 744d5234 74010000 00000000 # 00000180 JZ..tMR4t.......<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 8ae31371 02f43671 02402800 307cde3d # 00000190
<a href="mailto:...q..6q.@(.0|">...q..6q.@(.0|</a>.=<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 5d16d111 ab8f0080 5f14db40 01000000 # 000001a0 ]<a href="mailto:......._..@">......._..@</a>....<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 045d888a eb1cc911 9fe80800 2b104860 # 000001b0 .]..........+.H`<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 02000000 # 000001c0 ....
<o:p></o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I was focused on your specific question regarding the apparent extra 52 bytes. I found the code where I believe this structure is allocated and it appears that we do some rounding-up as we determine how many bytes to allocate. And
then, when we encrypt and send the buffer, the total allocation is transmitted.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">It begins with BACKUPKEY_RESTORE_GUID<o:p></o:p></p>
<p class="MsoPlainText">47270C64-2FC7-499B-AC5B-0E37CDCE899A:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 640c2747 c72f9b49 ac5b0e37 cdce899a # 00000000 d.'G./.I.[.7....<o:p></o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">It then contains what appears to be the length of the remaining buffer (0x174/372). This caught my attention and I’ll discuss this in a bit.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 74010000 ........ ........ ........ # 00000010 t...............<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText">Followed with 372(0x174) bytes starting with three DWORDS:<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">-- Version 2: BACKUPKEY_RECOVERY_BLOB_VERSION_VISTA<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">-- 0x100 (256): length of Encryption Secret<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">-- 0x58 (88): length of Access Check<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> ........ 02000000 00010000 58000000 # 00000010 t...........X...<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">-- GUID-Key:<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> bd8bdca1 3f743e47 8d000a47 42df76bd # 00000020 ....?t>G...GB.v.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">-- The encrypted secret (for 256 bytes):<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 30e59a15 1b59b81e b6b82ad0 9f30aab3 # 00000030 0....Y....*..0..<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 129a9855 63d211e4 4100db37 9cd98663 # 00000040 ...Uc...A..7...c<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> a1301d8c f4250016 e2c1b036 89108356 # 00000050 .0...%.....6...V<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> ad8f0b11 6020c407 8177c1d4 957d81e8 # 00000060 ....` ...w...}..<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> cca6bfc5 f5238d29 2e9c8d21 ffc3b7c3 # 00000070 .....#.)...!....<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> ba1435ec 6f502414 17835fdc bc2ad9f6 # 00000080 ..5.oP$..._..*..<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> eef94f63 160afc93 b4a24c10 cf285455 # 00000090 ..Oc......L..(TU<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 7ea747db 2496e4dd 5f4c0c4d c817c953 # 000000a0 ~.G.$..._L.M...S<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> db589803 f6f919ec 56b08df5 399dfbea # 000000b0 .X......V...9...<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 59ddeb3d a0af1b7c e18522d2 1945a814 # 000000c0 Y..=...|.."..E..<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 2a8f263d 3e4fc84d b5b4eb49 6b16c25f # 000000d0 *.&=>O.M...Ik.._<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> a73b1ed3 25e984c0 30d956f7 1589d5ac # 000000e0 .;..%...0.V.....<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 409614ed 02cf6603 eef579a3 c64e59fe # 000000f0 @.....f...y..NY.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 0107da5f d1b8d6e3 15287883 4bf65bd6 # 00000100 ..._.....(x.K.[.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> b010b774 5faaaac4 4f53e71f fde4aba3 # 00000110 ...t_...OS......<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> bbf3985c 47ea2ba5 bfa1bea2 3b3b136a # 00000120 ...\G.+.....;;.j<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in">-- The Access Check (for 88 bytes)<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> aa5e85dd fbdf5c8e 0fc49edf 43b7b8aa # 00000130 .^....\.....C...<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 0117f6d4 93cb35b9 9f572aed 8d6fdc4d # 00000140 ......5..W*..o.M<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 9cae9f2a 45c9bbf5 488a3e98 6293b820 # 00000150 ...*E...H.>.b..
<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 770e8f24 7516122e 7bf0b961 1dee8f2a # 00000160 w..$u...{..a...*<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> edfbed39 41ba7391 680c214b 9d2e133b # 00000170 ...9A.s.h.!K...;<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:.5in"><span style="font-family:"Courier New""> 4a5a9683 744d5234 ........ ........ # 00000180 JZ..tMR4........<o:p></o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Following the 372 (0x174) bytes, I see the length again and zero<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> ........ ........ 74010000 00000000 # 00000180 ........t.......<o:p></o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Which you identified as:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">> data_in_len : 0x00000174 (372)<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">> param : 0x00000000 (0)<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in">> dump OK<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">In your original mail.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Lastly, I see the unused 52 bytes at the end:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> [extra 52 bytes starts here]<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 8ae31371 02f43671 02402800 307cde3d # 00000190
<a href="mailto:...q..6q.@(.0|">...q..6q.@(.0|</a>.=<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 5d16d111 ab8f0080 5f14db40 01000000 # 000001a0 ]<a href="mailto:......._..@">......._..@</a>....<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 045d888a eb1cc911 9fe80800 2b104860 # 000001b0 .]..........+.H`<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Courier New""> 02000000 # 000001c0 ....
<o:p></o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I’m fairly certain that these 52 trailing bytes are unused and should be ignored. But, I got side tracked looking at what appears to be a length field immediately following the BACKUPKEY_RESTORE_GUID and that it appears to be replicated
immediately following the buffer as if they were bookends.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Let me fully read the message you just sent as it has a couple of questions. I wanted to share with you the status of where I was on your original question.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Bryan<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Matthieu Patou [mailto:mat@samba.org] <br>
Sent: Sunday, July 25, 2010 1:55 PM<br>
To: Bryan Burgin<br>
Cc: pfif@tridgell.net; cifs-protocol@samba.org; MSSolve Case Email<br>
Subject: Re: [REG:110071868986368] unused bytes after while decoding bkrp requests<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> Hi Bryan<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Any news on this subject ?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">In the mean time I worked on the implementation of the protocol for the samba project and have more questions now.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">So page 31 of MS-BKRP.pdf state that the message format for exchange is :<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">NET_API_STATUS BackuprKey(<o:p></o:p></p>
<p class="MsoPlainText">[in] handle_t h,<o:p></o:p></p>
<p class="MsoPlainText">[in] GUID* pguidActionAgent,<o:p></o:p></p>
<p class="MsoPlainText">[in, size_is(cbDataIn)] byte* pDataIn,<o:p></o:p></p>
<p class="MsoPlainText">[in] DWORD cbDataIn,<o:p></o:p></p>
<p class="MsoPlainText">[out, size_is(,*pcbDataOut)] byte** ppDataOut,<o:p></o:p></p>
<p class="MsoPlainText">[out] DWORD* pcbDataOut,<o:p></o:p></p>
<p class="MsoPlainText">[in] DWORD dwParam<o:p></o:p></p>
<p class="MsoPlainText">);<o:p></o:p></p>
<p class="MsoPlainText">I already asked if there is not some bytes after the dwParam.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">After analyzing the out message I have the impression that before the
<o:p></o:p></p>
<p class="MsoPlainText">ppDataOut there is some kind of integer.<o:p></o:p></p>
<p class="MsoPlainText">Here is the hex dump of an output message:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">00000000 00 00 02 00 44 00 00 00 00 00 00 00 8d 65 cd e4
<o:p></o:p></p>
<p class="MsoPlainText">|....D........e..|<o:p></o:p></p>
<p class="MsoPlainText">00000010 6c 93 62 22 48 e7 04 ff 0c 8f 0e 83 7a e4 dd d4
<o:p></o:p></p>
<p class="MsoPlainText">|l.b"H.......z...|<o:p></o:p></p>
<p class="MsoPlainText">00000020 4b d1 8e 74 95 67 4f 85 be a5 9c b7 7f fd 39 2c
<o:p></o:p></p>
<p class="MsoPlainText">|K..t.gO.......9,|<o:p></o:p></p>
<p class="MsoPlainText">00000030 54 bc a7 60 e4 e0 13 26 49 6f ca 35 ee bb 23 24
<o:p></o:p></p>
<p class="MsoPlainText">|T..`...&Io.5..#$|<o:p></o:p></p>
<p class="MsoPlainText">00000040 51 d4 4e c9 37 1d f0 9e 83 69 bd 10 44 00 00 00
<o:p></o:p></p>
<p class="MsoPlainText">|Q.N.7....i..D...|<o:p></o:p></p>
<p class="MsoPlainText">00000050 00 00 00 00 |....|<o:p></o:p></p>
<p class="MsoPlainText">00000054<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">so from byte 4 (0x44 ) we have clearly (at least to me) the ppDataOut
<o:p></o:p></p>
<p class="MsoPlainText">variable that is NDR encoded (meaning that the size is specified before
<o:p></o:p></p>
<p class="MsoPlainText">on the wire) up to byte 4B then we have the size (pcbDataOut) (0x44 0x00
<o:p></o:p></p>
<p class="MsoPlainText">0x00 0x00) and then the return code.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I attach the out message extracted from the trace I sent last time.
<o:p></o:p></p>
<p class="MsoPlainText">With the following samba idl:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> [public,nopush,nopull,noprint] WERROR bkrp_BackupKey (<o:p></o:p></p>
<p class="MsoPlainText"> [in,ref] GUID *guidActionAgent,<o:p></o:p></p>
<p class="MsoPlainText"> [in,ref] [subcontext(4)] uint8 *data_in,<o:p></o:p></p>
<p class="MsoPlainText"> [in] uint32 data_in_len,<o:p></o:p></p>
<p class="MsoPlainText"> [in] uint32 param,<o:p></o:p></p>
<p class="MsoPlainText"> [out] uint32 misc,<o:p></o:p></p>
<p class="MsoPlainText"> [out] DATA_BLOB secret,<o:p></o:p></p>
<p class="MsoPlainText"> [out] uint32 data_out_len<o:p></o:p></p>
<p class="MsoPlainText"> );<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">We have the following result while using our ndrdump tool:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">pull returned NT_STATUS_OK<o:p></o:p></p>
<p class="MsoPlainText"> bkrp_BackupKey: struct bkrp_BackupKey<o:p></o:p></p>
<p class="MsoPlainText"> out: struct bkrp_BackupKey<o:p></o:p></p>
<p class="MsoPlainText"> misc : 0x00020000 (131072)<o:p></o:p></p>
<p class="MsoPlainText"> secret : DATA_BLOB length=68<o:p></o:p></p>
<p class="MsoPlainText"> data_out_len : 0x00000044 (68)<o:p></o:p></p>
<p class="MsoPlainText"> result : WERR_OK<o:p></o:p></p>
<p class="MsoPlainText">dump OK<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">As I have also managed to get a correct <o:p></o:p></p>
<p class="MsoPlainText">BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID exchange I also witnessed that on
<o:p></o:p></p>
<p class="MsoPlainText">the out message there is also "something" (that I named misc in our idl)
<o:p></o:p></p>
<p class="MsoPlainText">(see the get_key_out file which is the extraction of out message on a
<o:p></o:p></p>
<p class="MsoPlainText">BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID request). As the certificate that I
<o:p></o:p></p>
<p class="MsoPlainText">extracted seems to be correct I pretty encline to think I am right as
<o:p></o:p></p>
<p class="MsoPlainText">first we are able to parse the NDR encoded data, and that the result
<o:p></o:p></p>
<p class="MsoPlainText">seems sensible.<o:p></o:p></p>
<p class="MsoPlainText">Can you see if my analysis is correct and if so can you give us the
<o:p></o:p></p>
<p class="MsoPlainText">explanation of this "misc" parameter. If not, well please tell me the
<o:p></o:p></p>
<p class="MsoPlainText">correct way to parse the message.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Also I've got questions of what is explained in the document.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">First in paragraph 3.1.4.1.3, it is stated<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">"The server MUST ignore the cbDataIn and pDataIn parameters. It MUST
<o:p></o:p></p>
<p class="MsoPlainText">return the RSA public key<o:p></o:p></p>
<p class="MsoPlainText">from the ClientWrap key pair, in the format specified in section 2.2.1.
<o:p></o:p></p>
<p class="MsoPlainText">If no such key can be found or<o:p></o:p></p>
<p class="MsoPlainText">created, the server MUST return an error."<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">The client is supposed to send a 2.2.2 Client-Side-Wrapped Secret struct
<o:p></o:p></p>
<p class="MsoPlainText">in the pDataIn variable, this struct contains also a version field and a
<o:p></o:p></p>
<p class="MsoPlainText">guid field.<o:p></o:p></p>
<p class="MsoPlainText">Nothing is said about this fields, how should they be populated, can you
<o:p></o:p></p>
<p class="MsoPlainText">explain this ?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Second in paragraph 1.3.1 Call Flows, it is stated<o:p></o:p></p>
<p class="MsoPlainText">"For the ClientWrap subprotocol, the Microsoft implementation of the
<o:p></o:p></p>
<p class="MsoPlainText">BackupKey Remote Protocol<o:p></o:p></p>
<p class="MsoPlainText">server stores the following LSA global secret objects (note that the LSA
<o:p></o:p></p>
<p class="MsoPlainText">global secret names are<o:p></o:p></p>
<p class="MsoPlainText">Unicode strings):<o:p></o:p></p>
<p class="MsoPlainText">1. G$BCKUPKEY_PREFERRED: This contains the 16-byte GUID ([MS-DTYP]
<o:p></o:p></p>
<p class="MsoPlainText">section 2.3.2.2) of the<o:p></o:p></p>
<p class="MsoPlainText">RSA key pair currently used for client-side secret wrapping.<o:p></o:p></p>
<p class="MsoPlainText">2. G$BCKUPKEY_guid: Here, guid is the string GUID that identifies the
<o:p></o:p></p>
<p class="MsoPlainText">wrapping key, formatted as a<o:p></o:p></p>
<p class="MsoPlainText">GUIDString ([MS-DTYP] section 2.3.2.3). The value of the secret object
<o:p></o:p></p>
<p class="MsoPlainText">is the server's ClientWrap<o:p></o:p></p>
<p class="MsoPlainText">key pair, formatted as specified in section 2.2.5"<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Should I conclude that in a given domain there is only "active" rsa key
<o:p></o:p></p>
<p class="MsoPlainText">on all the server or said in another way no matter which server is asked
<o:p></o:p></p>
<p class="MsoPlainText">at a given moment we will always receive the same GUID for the key ?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Also just to be sure this will be stored in the currentValue attribute
<o:p></o:p></p>
<p class="MsoPlainText">but it will be only accessible through a lsaQuerySecret call right ?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Regards.<o:p></o:p></p>
<p class="MsoPlainText">Matthieu .<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On 19/07/2010 03:06, Bryan Burgin wrote:<o:p></o:p></p>
<p class="MsoPlainText">> [Mark and dochelp to bcc]<o:p></o:p></p>
<p class="MsoPlainText">> [Adding case number& CaseMail]<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Hi Matthieu,<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> I began looking at this for you to identify the trailing bytes you specified and to investigate tools to decode/parse the Backup Key request. I'll reply with more information as soon as I have more information to share.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Bryan<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> -----Original Message-----<o:p></o:p></p>
<p class="MsoPlainText">> From: Mark Miller (MBD)<o:p></o:p></p>
<p class="MsoPlainText">> Sent: Sunday, July 18, 2010 11:50 AM<o:p></o:p></p>
<p class="MsoPlainText">> To: mat@samba.org; Interoperability Documentation Help; pfif@tridgell.net; cifs-protocol@samba.org<o:p></o:p></p>
<p class="MsoPlainText">> Subject: RE: unused bytes after while decoding bkrp requests<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Hi Matthieu,<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Thank you for your question. A colleague will contact you to investigate this issue.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Regards,<o:p></o:p></p>
<p class="MsoPlainText">> Mark Miller<o:p></o:p></p>
<p class="MsoPlainText">> Escalation Engineer<o:p></o:p></p>
<p class="MsoPlainText">> US-CSS DSC PROTOCOL TEAM<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> -----Original Message-----<o:p></o:p></p>
<p class="MsoPlainText">> From: Matthieu Patou [mailto:mat@samba.org]<o:p></o:p></p>
<p class="MsoPlainText">> Sent: Sunday, July 18, 2010 2:27 PM<o:p></o:p></p>
<p class="MsoPlainText">> To: Interoperability Documentation Help; pfif@tridgell.net; cifs-protocol@samba.org<o:p></o:p></p>
<p class="MsoPlainText">> Subject: unused bytes after while decoding bkrp requests<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Dear dochelp team,<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> I started to implement the backup key remote protocol for samba.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Right now I'm a bit suspicious I got the data structure ok as when I parse some bytes with ndrdump I have ~52 bytes unused.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> From the attached capture called protected_storage.pcap I managed to extract and decrypt the payload (452 bytes + 12 bytes of padding) at packet 485.<o:p></o:p></p>
<p class="MsoPlainText">> The payload is also attached to this email as protected_xtr.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Here are the result of ndrdump<o:p></o:p></p>
<p class="MsoPlainText">> mat@ares:/usr/local/src/samba4/source4$ ./bin/ndrdump protected_storage bkrp_BakuprKey in ~/protected_xtr pull returned NT_STATUS_OK WARNING! 52 unread bytes<o:p></o:p></p>
<p class="MsoPlainText">> [0000] 8A E3 13 71 02 F4 36 71 02 40 28 00 30 7C DE 3D ...q..6q
<a href="mailto:.@(.0|"><span style="color:windowtext;text-decoration:none">.@(.0|</span></a>.=<o:p></o:p></p>
<p class="MsoPlainText">> [0010] 5D 16 D1 11 AB 8F 00 80 5F 14 DB 40 01 00 00 00 ].......
<a href="mailto:_..@"><span style="color:windowtext;text-decoration:none">_..@</span></a>....<o:p></o:p></p>
<p class="MsoPlainText">> [0020] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H`<o:p></o:p></p>
<p class="MsoPlainText">> [0030] 02 00 00 00 ....<o:p></o:p></p>
<p class="MsoPlainText">> bkrp_BakuprKey: struct bkrp_BakuprKey<o:p></o:p></p>
<p class="MsoPlainText">> in: struct bkrp_BakuprKey<o:p></o:p></p>
<p class="MsoPlainText">> guidActionAgent : *<o:p></o:p></p>
<p class="MsoPlainText">> guidActionAgent :<o:p></o:p></p>
<p class="MsoPlainText">> 47270c64-2fc7-499b-ac5b-0e37cdce899a<o:p></o:p></p>
<p class="MsoPlainText">> data_in: struct bkrp_client_side_wrapped<o:p></o:p></p>
<p class="MsoPlainText">> version : 0x00000002 (2)<o:p></o:p></p>
<p class="MsoPlainText">> encrypted_secret_len : 0x00000100 (256)<o:p></o:p></p>
<p class="MsoPlainText">> access_check_len : 0x00000058 (88)<o:p></o:p></p>
<p class="MsoPlainText">> guid :<o:p></o:p></p>
<p class="MsoPlainText">> a1dc8bbd-743f-473e-8d00-0a4742df76bd<o:p></o:p></p>
<p class="MsoPlainText">> encrypted_secret : DATA_BLOB length=256<o:p></o:p></p>
<p class="MsoPlainText">> access_check : DATA_BLOB length=88<o:p></o:p></p>
<p class="MsoPlainText">> data_in_len : 0x00000174 (372)<o:p></o:p></p>
<p class="MsoPlainText">> param : 0x00000000 (0)<o:p></o:p></p>
<p class="MsoPlainText">> dump OK<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> To me the result looks sensible I'm just concerned that it seems to have some garbage at the end.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> I tried to analyze the frames with netmon 3.4 but it says that it's encrypted (and I didn't find a way to tell him to decrypt ...).<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> So here is my question: is it normal that I found some trailing bytes ?<o:p></o:p></p>
<p class="MsoPlainText">> do you have the capacity to parse the protected_xtr file and give us the result of the parsing with your tools ?<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Cheers, Matthieu.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-- <o:p></o:p></p>
<p class="MsoPlainText">Matthieu Patou<o:p></o:p></p>
<p class="MsoPlainText">Samba Team <a href="http://samba.org"><span style="color:windowtext;text-decoration:none">http://samba.org</span></a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
</body>
</html>