Ethereal-dev: [Ethereal-dev] PATCH: Field labels for UnicodeChangePassword2


From: Devin Heitmueller <dheitmueller@xxxxxxxxxxx>
Date: 10 Nov 2002 12:40:14 -0500
Attached is a patch to show the proper field names for the SAMR
UnicodeChangePassword2 call.  The hashes are properly renamed to
verifiers (since they are in fact not hashes but the DES encryption of
the new password hash using the old password hash as the key).  For more
info on the algorithm, see lkcl's "DCE/RPC over SMB" page 256.

I have broken the fields out into individual dissection functions, so
that it will be easier to decrypt the payload (should I get around to
it).

Please let me know if there is any reason why this patch could not be
applied.

Thanks,

-- 
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc
Index: packet-dcerpc-samr.c
===================================================================
RCS file: /cvsroot/ethereal/packet-dcerpc-samr.c,v
retrieving revision 1.59
diff -u -r1.59 packet-dcerpc-samr.c
--- packet-dcerpc-samr.c	2002/11/10 09:49:38	1.59
+++ packet-dcerpc-samr.c	2002/11/10 17:36:15
@@ -81,6 +81,10 @@
 static int hf_samr_crypt_password = -1;
 static int hf_samr_crypt_hash = -1;
 static int hf_samr_lm_change = -1;
+static int hf_samr_lm_passchange_block = -1;
+static int hf_samr_nt_passchange_block = -1;
+static int hf_samr_lm_verifier = -1;
+static int hf_samr_nt_verifier = -1;
 static int hf_samr_attrib = -1;
 static int hf_samr_max_pwd_age = -1;
 static int hf_samr_min_pwd_age = -1;
@@ -1633,6 +1637,99 @@
 	return offset;
 }
 
+static int
+samr_dissect_NT_PASSCHANGE_BLOCK(tvbuff_t *tvb, int offset,
+				 packet_info *pinfo _U_, proto_tree *tree,
+				 char *drep _U_)
+{
+	dcerpc_info *di;
+
+	/* Right now, this just dumps the output.  In the long term, we can use
+	   the algorithm discussed in lkcl -"DCE/RPC over SMB" page 257 to
+	   actually decrypt the block */
+
+	di=pinfo->private_data;
+	if(di->conformant_run){
+		/* just a run to handle conformant arrays, no scalars to dissect */
+		return offset;
+	}
+
+	proto_tree_add_item(tree, hf_samr_nt_passchange_block, tvb, offset,
+			    516, FALSE);
+	offset += 516;
+	return offset;
+}
+
+static int
+samr_dissect_LM_PASSCHANGE_BLOCK(tvbuff_t *tvb, int offset,
+				 packet_info *pinfo _U_, proto_tree *tree,
+				 char *drep _U_)
+{
+	dcerpc_info *di;
+
+	/* Right now, this just dumps the output.  In the long term, we can use
+	   the algorithm discussed in lkcl -"DCE/RPC over SMB" page 257 to
+	   actually decrypt the block */
+
+	di=pinfo->private_data;
+	if(di->conformant_run){
+		/* just a run to handle conformant arrays, no scalars to dissect */
+		return offset;
+	}
+
+	proto_tree_add_item(tree, hf_samr_lm_passchange_block, tvb, offset, 
+			    516, FALSE);
+	offset += 516;
+	return offset;
+}
+
+static int
+samr_dissect_LM_VERIFIER(tvbuff_t *tvb, int offset,
+			 packet_info *pinfo _U_, proto_tree *tree,
+			 char *drep _U_)
+{
+	dcerpc_info *di;
+
+	/* Right now, this just dumps the output.  In the long term, we can use
+	   the algorithm discussed in lkcl -"DCE/RPC over SMB" page 257 to
+	   actually validate the verifier */
+
+	di=pinfo->private_data;
+	if(di->conformant_run){
+		/* just a run to handle conformant arrays, no scalars to dissect */
+		return offset;
+	}
+
+	proto_tree_add_item(tree, hf_samr_lm_verifier, tvb, offset, 16,
+		FALSE);
+	offset += 16;
+	return offset;
+}
+
+
+static int
+samr_dissect_NT_VERIFIER(tvbuff_t *tvb, int offset,
+			 packet_info *pinfo _U_, proto_tree *tree,
+			 char *drep _U_)
+{
+	dcerpc_info *di;
+
+	/* Right now, this just dumps the output.  In the long term, we can use
+	   the algorithm discussed in lkcl -"DCE/RPC over SMB" page 257 to
+	   actually validate the verifier */
+
+	di=pinfo->private_data;
+	if(di->conformant_run){
+		/* just a run to handle conformant arrays, no scalars to dissect */
+		return offset;
+	}
+
+	proto_tree_add_item(tree, hf_samr_nt_verifier, tvb, offset, 16,
+		FALSE);
+	offset += 16;
+	return offset;
+}
+
 
 static int
 samr_dissect_oem_change_password_user2_rqst(tvbuff_t *tvb, int offset,
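Review bot: `pinfo` is marked `_U_` in all four new dissectors although each one dereferences it at `di=pinfo->private_data`, so the unused annotation is wrong there and should be dropped from that parameter (`drep` really is unused). The four bodies are identical apart from the hf id and the length (516 or 16), so a single static helper taking those two values would keep the conformant-run check in one place. The bare literals would also read better as named constants; the names below are only suggestions. The comments cite page 257 of the lkcl book while the cover mail cites page 256, which is worth reconciling.

```c
#define SAMR_PASSCHANGE_BLOCK_LEN	516
#define SAMR_VERIFIER_LEN		16

/* Add one fixed-length opaque field; shared by the four dissectors below. */
static int
samr_dissect_fixed_bytes(tvbuff_t *tvb, int offset, packet_info *pinfo,
			 proto_tree *tree, int hf_index, int length)
{
	dcerpc_info *di = pinfo->private_data;

	if (di->conformant_run) {
		/* just a run to handle conformant arrays, no scalars to dissect */
		return offset;
	}

	proto_tree_add_item(tree, hf_index, tvb, offset, length, FALSE);
	return offset + length;
}

static int
samr_dissect_NT_PASSCHANGE_BLOCK(tvbuff_t *tvb, int offset,
				 packet_info *pinfo, proto_tree *tree,
				 char *drep _U_)
{
	return samr_dissect_fixed_bytes(tvb, offset, pinfo, tree,
			hf_samr_nt_passchange_block,
			SAMR_PASSCHANGE_BLOCK_LEN);
}

/* … the LM block and the two verifier dissectors follow the same shape … */
```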
@@ -1686,19 +1783,19 @@
 			"Account Name:", hf_samr_acct_name, 1);
 
         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
-			samr_dissect_CRYPT_PASSWORD, NDR_POINTER_UNIQUE,
-			"Password", -1, 0);
+			samr_dissect_NT_PASSCHANGE_BLOCK, NDR_POINTER_UNIQUE,
+			"New NT Password Encrypted Block", -1, 0);
         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
-			samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
-			"Hash", -1, 0);
+			samr_dissect_NT_VERIFIER, NDR_POINTER_UNIQUE,
+			"NT Password Verifier", -1, 0);
         offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
                                      hf_samr_lm_change, NULL);
         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
-			samr_dissect_CRYPT_PASSWORD, NDR_POINTER_UNIQUE,
-			"Password", -1, 0);
+			samr_dissect_LM_PASSCHANGE_BLOCK, NDR_POINTER_UNIQUE,
+			"New Lan Manager Password Encrypted Block", -1, 0);
         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
-			samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
-			"Hash", -1, 0);
+			samr_dissect_LM_VERIFIER, NDR_POINTER_UNIQUE,
+			"Lan Manager Password Verifier", -1, 0);
 	return offset;
 }
 
@@ -4858,6 +4955,22 @@
 	{ &hf_samr_crypt_hash, {
 		"Hash", "samr.crypt_hash", FT_BYTES, BASE_HEX,
 		NULL, 0, "Encrypted Hash", HFILL }},
+
+	{ &hf_samr_lm_verifier, {
+		"Verifier", "samr.lm_password_verifier", FT_BYTES, BASE_HEX,
+		NULL, 0, "Lan Manager Password Verifier", HFILL }},
+
+	{ &hf_samr_nt_verifier, {
+		"Verifier", "samr.nt_password_verifier", FT_BYTES, BASE_HEX,
+		NULL, 0, "NT Password Verifier", HFILL }},
+
+	{ &hf_samr_lm_passchange_block, {
+		"Encrypted Block", "samr.lm_passchange_block", FT_BYTES, BASE_HEX,
+		NULL, 0, "Lan Manager Password Change Block", HFILL }},
+
+	{ &hf_samr_nt_passchange_block, {
+		"Encrypted Block", "samr.nt_passchange_block", FT_BYTES, BASE_HEX,
+		NULL, 0, "NT Password Change Block", HFILL }},
 
 	{ &hf_samr_lm_change, {
 		"LM Change", "samr.lm_change", FT_UINT8, BASE_HEX,
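Review bot: The two verifier entries are both labelled `Verifier` and the two block entries both `Encrypted Block`, so the item text alone cannot tell LM from NT without the parent pointer label. Labels such as `"LM Verifier"` / `"NT Verifier"` and `"LM Encrypted Block"` / `"NT Encrypted Block"` would make each field self-describing. The filter names also mix two schemes, `samr.lm_password_verifier` next to `samr.lm_passchange_block`; settling on one pattern now avoids renaming a filter later.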