skelsec / pypykatz

Mimikatz implementation in pure Python
MIT License

NT5 (XP and 2003 support) - decryption implementation missing #36

Closed (skelsec closed this 4 years ago)

skelsec commented 4 years ago

Summary

In order to support parsing LSASS dumps acquired from XP and 2003, the decryption function implementation is currently incorrect; basically, the current version contains my latest (failed) approach of porting the algorithm found here.

Detailed description of the problem

The main LSA secret key in the LSASS memory is stored in a DES_EXPANDED_KEY structure (definition is here). This struct holds the original DES key in an already scheduled form (inner struct here). BUT it is not the usual pre-scheduled key in a "textbook" format; rather, it's a modified version per Microsoft (original expansion process here). Other info: the algorithm used for encryption and decryption is actually DESX; however, implementing DESX is a relatively easy task, as it uses

Possible solutions

  1. Implement the decryption algo as-is, basically porting the code from mimikatz
  2. Find a way to de-schedule the expanded DES key and get the original key, it would be used in an existing crypto implementation (pypykatz already has a pure-python DES implementation, that can be used)
  3. Convert the expanded key to a K-table used by the existing DES implementation (be careful, I just think this might work, but have never actually done it)

Expected input for solution 1

Provide a python function that performs the exact same decryption as this function.
The definition should look like the following:
def desx_decrypt(expanded_des_key, input_whitening_key, output_whitening_key, blob):
where
expanded_des_key : 4-byte long unsigned integers in a [16][2] matrix (list) - OR - the expanded key bytes in bytearray format (size is 16*2*4 bytes)
input_whitening_key : 8 byte long bytearray
output_whitening_key : 8 byte long bytearray
blob : data to be decrypted in bytearray format. The blob size is always %8

skelsec commented 4 years ago

why did I even bother writing this.... whatever.