Michał Turecki - hacking

RDPWrap download - remotely connecting to Windows using Remote Desktop multiple times without hacking termsrv.dll

Michał Turecki — Thu, 10 Mar 2016 08:57:22 +0000

Having a home media centre PC (categorised as such because it's connected to a TV instead of a monitor) which is always on, from time to time I need to remote in to it and only Server editions of Windows allow a user to be logged in both locally and remotely at the same time.

As far as I know there are 2 ways to correct this:

Patching termsrv.dll library. This was made harder in Windows 10 as permissions to modify this file have been limited recently and changing of file permissions is needed which is not ideal. It's also not windows update friendly.
RDP Wrapper library by Stas'M is a set of tools prepared to hook into windows remote desktop facilities. It is not invasive but definitely hackish in a way that as far as I know it hooks on in-memory RDP methods.

As it states on the repository website:

RDP Wrapper works as a layer between Service Control Manager and Terminal Services, so the original termsrv.dll file remains untouched. Also this method is very strong against Windows Update

There is one problem though. For some reason binary releases section does not contain the actual binaries (which need to be compiled using Delphi). Not many people out there have access to Delphi development environment so I prepared a build which can be downloaded below for all those who are interested in experimenting with it.

Binary releases are now available, download the binaries from GitHub to get most up to date version.

How to use:

Run install.bat as Administrator to install the patch
Run update.bat as Administrator to update current list of binary patches from git (firewall must allow RDPWInst.exe to access the Internet - it grabs most recent patch offsets from github)

Attachment	Size
RDPWrapper16.zip	1.52 MB

download

hacking

AnalysisLog.sr0 decrypted

Michał Turecki — Sun, 31 Mar 2013 10:43:36 +0000

Curiosity is one important part of the engine of progress. Recently I've sent a bug report as Test Drive Unlimited 2 crashes on Windows Server 2012 and one of the files was named AnalysisLog.sr0.
It was created after a crash after I was kindly asked to voluntarily create it.
What's inside? As some suggest it contains encrypted private information.

What are the actual contents?

Using my favourite text editor it was easy to check that the sr0 file is just a hexadecimal representation of binary data starting with X letter, for example: X5C2D25333321272533....

Easy enough, I removed the initial X letter from the text file and then using TinyHexer (original website is down for some reason) import feature I loaded hexadecimal text which showed the intended contents of this file, now in binary.

The binary data looks like it is encrypted, texts are nowhere to be found but I've noticed patterns are emerging in the file, especially repetitive exact sentences of characters at random offsets. This suggests two things:

1. the file is not encrypted using a strong cipher in which repetitions can occur but only in large segments of identical data with the offset matching the multiple of cipher length.
2. encryption key length is one byte because of randomly offseted identical data.

These two hints are enough to guess it must be one of a few simple tricks to hide information - XOR or ROR/ROL/ROT-x, most probably XOR, second most ROR or ROL.

A wild guess by looking at the beginning of the file gave me a clue - multiple subsequent 60 hexadecimal must be either spaces or nulls so using TinyHexer Tools -> Scripts -> XOR file data feature I managed to find out that 0x60 (96 decimal) is the key.

To sum things up:
1. With a text editor remove leading X from the AnalysisLog.sr0 file
2. Using TinyHexer File -> Import -> Import -> (select file) -> hex text convert hexadecimal text to binary (and save)
3. Using TinyHexer Tools -> Scripts -> XOR file data -> leave position and count unchanged and type in 96 as XOR value

The file looks like a serialized binary object with hexadecimal identifiers and unencrypted values of these identifiers. Identifiers look like a sort of random GUID type values yet looks can be deceiving in this case especially because these identifiers have different lenght, so we might have another encryption here.
In a spare time I'll look into it further.

Thanks for reading.

encryption

hacking

TortoiseMerge with better shortcuts, like WinMerge

Michał Turecki — Fri, 18 Jan 2013 12:58:52 +0000

TortoiseMerge is a useful 3-way merge tool yet it lacks proper keyboard shortcuts configuration and default shortcuts seem to be designed only for basketball players, with fingers stretched from arrow keys up to function keys.
Update: Current Version of TortoiseMerge included in TortoiseGit has the keyboard shortcuts fixed and easy to use

Fortunately it is open source. Moreover, it uses standard accelerators embedded as resources in the executable so it can be easily modified to fit our needs using only a resource editor. I used ResourceHacker ( ResHack.exe ) and modified these while preserving existing shortcuts.

Shortcuts are located in Accelerators -> 100 -> 1033 path.

100 ACCELERATORS
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
{
	VK_Q, 57665, NOINVERT, CONTROL, VIRTKEY
	VK_ESCAPE, 57665, NOINVERT, VIRTKEY
	VK_DOWN, 32831, NOINVERT, VIRTKEY
	VK_DOWN, 32831, NOINVERT, SHIFT, VIRTKEY
	VK_LEFT, 32829, NOINVERT, VIRTKEY
	VK_LEFT, 32829, NOINVERT, SHIFT, VIRTKEY
	VK_RIGHT, 32830, NOINVERT, VIRTKEY
	VK_RIGHT, 32830, NOINVERT, SHIFT, VIRTKEY
	VK_UP, 32832, NOINVERT, VIRTKEY
	VK_UP, 32832, NOINVERT, SHIFT, VIRTKEY
	VK_LEFT, 32833, NOINVERT, CONTROL, VIRTKEY
	VK_LEFT, 32833, NOINVERT, CONTROL, SHIFT, VIRTKEY
	VK_RIGHT, 32834, NOINVERT, CONTROL, VIRTKEY
	VK_RIGHT, 32834, NOINVERT, CONTROL, SHIFT, VIRTKEY
	VK_F1, 57669, NOINVERT, SHIFT, VIRTKEY
	VK_C, 57634, NOINVERT, CONTROL, VIRTKEY
	VK_X, 57635, NOINVERT, CONTROL, VIRTKEY
	VK_F, 57636, NOINVERT, CONTROL, VIRTKEY
	VK_F3, 32790, NOINVERT, VIRTKEY
	VK_F3, 32818, NOINVERT, SHIFT, VIRTKEY
	VK_G, 32884, CONTROL, VIRTKEY
	VK_V, 57637, NOINVERT, CONTROL, VIRTKEY
	VK_INSERT, 57637, NOINVERT, SHIFT, VIRTKEY
	VK_BACK, 57643, NOINVERT, ALT, VIRTKEY
	VK_Z, 57643, NOINVERT, CONTROL, VIRTKEY
	VK_RIGHT, 32855, NOINVERT, ALT, CONTROL, VIRTKEY
	VK_RIGHT, 32857, NOINVERT, ALT, CONTROL, SHIFT, VIRTKEY
	VK_LEFT, 32859, NOINVERT, ALT, CONTROL, SHIFT, VIRTKEY
	VK_RIGHT, 32822, NOINVERT, ALT, SHIFT, VIRTKEY
	VK_RIGHT, 32820, NOINVERT, ALT, VIRTKEY
	VK_LEFT, 32819, NOINVERT, ALT, VIRTKEY
	VK_LEFT, 32821, NOINVERT, ALT, SHIFT, VIRTKEY
	VK_UP, 32780, NOINVERT, ALT, VIRTKEY
	VK_DOWN, 32779, NOINVERT, ALT, VIRTKEY
	VK_UP, 32802, NOINVERT, ALT, SHIFT, VIRTKEY
	VK_DOWN, 32804, NOINVERT, ALT, SHIFT, VIRTKEY
	VK_S, 32808, NOINVERT, ALT, VIRTKEY
	VK_F10, 32822, NOINVERT, CONTROL, SHIFT, VIRTKEY
	VK_F10, 32820, NOINVERT, CONTROL, VIRTKEY
	VK_F9, 32819, NOINVERT, CONTROL, VIRTKEY
	VK_F9, 32821, NOINVERT, CONTROL, SHIFT, VIRTKEY
	VK_O, 57601, NOINVERT, CONTROL, VIRTKEY
	VK_R, 32794, NOINVERT, CONTROL, VIRTKEY
	VK_F5, 32794, NOINVERT, VIRTKEY
	VK_S, 57603, NOINVERT, CONTROL, VIRTKEY
	VK_S, 57604, NOINVERT, CONTROL, SHIFT, VIRTKEY
	VK_F1, 57670, NOINVERT, VIRTKEY
	VK_F8, 32804, NOINVERT, VIRTKEY
	VK_F11, 32779, NOINVERT, VIRTKEY
	VK_F7, 32779, NOINVERT, VIRTKEY
	VK_F8, 32802, NOINVERT, SHIFT, VIRTKEY
	VK_F11, 32780, NOINVERT, CONTROL, VIRTKEY
	VK_UP, 32780, NOINVERT, CONTROL, VIRTKEY
	VK_DOWN, 32779, NOINVERT, CONTROL, VIRTKEY
	VK_F11, 32780, NOINVERT, SHIFT, VIRTKEY
	VK_F7, 32780, NOINVERT, SHIFT, VIRTKEY
	VK_F6, 57680, NOINVERT, VIRTKEY
	VK_F6, 57681, NOINVERT, SHIFT, VIRTKEY
	VK_D, 32775, NOINVERT, CONTROL, VIRTKEY
	VK_T, 32774, NOINVERT, CONTROL, VIRTKEY
	VK_INSERT, 57634, NOINVERT, CONTROL, VIRTKEY
	VK_DELETE, 57635, NOINVERT, SHIFT, VIRTKEY
	VK_INSERT, 57637, NOINVERT, SHIFT, VIRTKEY
	VK_A, 32883, NOINVERT, CONTROL, VIRTKEY
}

If you are too lazy to change the resources, you can download attached TortoiseMerge.exe v1.7.15.0 and use it with recent versions of TortoiseGIT/SVN.

Attachment	Size
TortoiseMerge.exe	1.65 MB