SamrSetInformation2 (was Re: coding binge coming on.)

Todd Sabin tastas at
Thu Mar 11 02:45:03 GMT 1999

Luke wrote:
> > > that requires info from microsoft on how they obfuscate an area of the rpc
> > > code that contains six buffers (four unicode strings: two passwords).
> > > 
> > 
> > The SamrSetInformationUser2 call looks to have some ugly stuff in it.  Is
> > this the one you're referring to?  I have the sniff if you want it.
> it's going to be full, in the middle, of total garbage, probably
> surrounded by mostly null chars.

Yes, it looks like SamrSetInformationUser2.  There's a big block of
gibberish in the middle.  If it's like other MS stuff, it's probably
a block of 0x204 characters encrypted by the session key and arcfour.
After decryption, the last four of the 0x204 bytes will be the real
length of the password (N), the password will be at the last N bytes
of the first 0x200 bytes, and the stuff at the beginning of the 0x200
bytes will just be garbage.  Of course, that's just a guess.

How does NT generate its session keys?  Is knowing the password and
having the sniff enough to determine the session key, or would I have
to grab it from system memory at the time it happens?  I.e., how
can I verify the above?


More information about the samba-technical mailing list