more tricks with certutil

Discussion forum for all Windows batch related topics.

Moderator: DosItHelp

npocmaka_
Posts: 481
Joined: 24 Jun 2013 17:10
Location: Bulgaria

more tricks with certutil

#1 Post by npocmaka_ » 26 Apr 2018 06:07

Here the SO user showed me a not-so-well-documented additional switch of certutil -encodehex: you can pass an additional number as a format flag. Here they are:

certutil -encodehex -f strings64.exe strings12.hex 12 - one-line HEX value without spaces, columns, addresses
certutil -encodehex -f strings64.exe strings5.hex 5 - without the addresses
certutil -encodehex -f strings64.exe strings2.hex 2 - pure binary - pointless, in my opinion
certutil -encodehex -f strings64.exe strings1.hex 1 - base64 without certificate headers
certutil -encodehex -f strings64.exe strings0.hex 0 - base64 with certificate headers
certutil -encodehex -f strings64.exe strings4.hex 4 - in columns with spaces, without the characters and the addresses
certutil -encodehex -f strings64.exe strings7.hex 7 - base64 - X509 without headers (slightly bigger than the normal b64)
certutil -encodehex -f strings64.exe strings8.hex 8 - base64 - X509 with headers

I think these are all. I (still) don't know how X509 can be decoded.

dbenham
Expert
Posts: 2289
Joined: 12 Feb 2011 21:02
Location: United States (east coast)

Re: more tricks with certutil

#2 Post by dbenham » 26 Apr 2018 09:31

Wonderful - thank you!

penpen
Expert
Posts: 1731
Joined: 23 Jun 2013 06:15
Location: Germany

Re: more tricks with certutil

#3 Post by penpen » 22 May 2018 16:00

I just noticed that "certutil -encodehex -f strings64.exe strings8.hex 8" doesn't give "base64 - X509 with headers", but does the same as "number 4" ("in columns with spaces, without the characters and the addresses"), at least on my Win10.

penpen

dbenham
Expert
Posts: 2289
Joined: 12 Feb 2011 21:02
Location: United States (east coast)

Re: more tricks with certutil

#4 Post by dbenham » 03 Sep 2018 10:55

I ran a bunch of tests on Windows 10 with various flavors of -encodehex, and here is what I found.

General notes

CERTUTIL has a surprisingly low limit on the size of file it can encode/decode. I'm not sure about the exact value, but the encode limit is only in the tens of millions range.

CERTUTIL accepts both decimal and hex notation for the type argument, but not octal.
Hex values must be prefixed with 0x.
Since octal is not recognized, it is safe to prefix any decimal value with zeros.

The type argument seems to be flag based, but in a very freaky, inscrutable way - the meaning of the low bits changes depending on the value of other bits, but the top two high-order bits have a constant meaning:

0x40000000 bit - The output is encoded on a single line, without any line terminator.
Depending on the format, the result may not be able to be decoded with CERTUTIL.
Documentation states this flag is not supported by XP.

0x80000000 bit - Use \n line terminators instead of \r\n.
Note that CERTUTIL only accepts positive numbers, so the type value cannot be computed by SET /A, else it will be converted into a negative value.
It is best to specify a type with this flag using hex.

The 0x80000000 and 0x40000000 bits can be ORed with any of the values documented below.

Unless the 0x40000000 bit is set, any -encodehex result can be decoded using either -decode or -decodehex (whichever is appropriate).

Hex Formats

Generally, each line of output represents 16 bytes of input (except for the last line). The hex pairs are delimited by spaces, with two spaces between the 8th and 9th bytes.

If the 1 bit is set, then 3 spaces are appended to each line, followed by the ASCII string representation, with control codes and non-ASCII bytes represented as dots.

If the 2 bit is set, then the hex address is prepended. The address is always represented with at least 4 hex digits (possibly left 0 padded), and followed by a <TAB> character.

0x4 - Formatted hex only
0x5 - Formatted hex + trailing ASCII
0x8 - Formatted hex only (same as 0x4)
0xA - Formatted hex + prepended address
0xB - Formatted hex + prepended address + trailing ASCII
0xC - Raw hex on a single line, without any spaces between bytes (not supported by XP)

Base 64 formats

Generally all encodings are identical, with 64 bytes per line in the output, and = padding appended as needed, regardless of which type is chosen. The only thing that changes is the format of the beginning/ending headers. The only exception is the undocumented 0xD type.

0x0 - Certificate headers
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

0x1 - No headers

0x3 - Request headers
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

0x6 - No headers (same as 0x1)

0x7 - No headers (same as 0x1)

0x9 - X.509 CRL headers. Note that no encryption is done; it simply changes the header.
-----BEGIN X509 CRL-----
-----END X509 CRL-----

0xD - No headers, base64url format
Index 62 is represented as - (dash) instead of +
Index 63 is represented as _ (underscore) instead of /
No = padding at the end


Dave Benham
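A model of the -encodehex layouts described in the post above, written in Python so it can be checked offline; this is an added example, not certutil's code or anything posted in this thread. It assumes lowercase hex digits and does not model the 0x40000000 single-line bit. The decoder strips the address and ASCII columns so a formatted dump (or the raw 0xC form) can be turned back into the original bytes.

```python
import base64, re
# Header labels for the base64 types listed in post #4; None means no header, 0xD is base64url.
B64_HEADERS = {0x0: "CERTIFICATE", 0x1: None, 0x3: "NEW CERTIFICATE REQUEST",
               0x6: None, 0x7: None, 0x9: "X509 CRL", 0xD: None}
HEX_TYPES = (0x4, 0x5, 0x8, 0xA, 0xB)

def encodehex(data: bytes, fmt: int) -> str:
    """Model of CERTUTIL -encodehex output for the types in post #4 (lowercase hex is an assumption)."""
    eol = "\n" if fmt & 0x80000000 else "\r\n"      # 0x80000000 bit: LF instead of CRLF
    t = fmt & 0x3FFFFFFF                              # 0x40000000 single-line bit not modelled
    if t == 0xC:                                      # raw hex, no spaces, one line
        return data.hex() + eol
    if t in B64_HEADERS:
        b64 = base64.urlsafe_b64encode(data).rstrip(b"=") if t == 0xD else base64.b64encode(data)
        lines = [b64[i:i + 64].decode() for i in range(0, len(b64), 64)]   # 64 chars per line
        h = B64_HEADERS[t]
        if h:
            lines = [f"-----BEGIN {h}-----", *lines, f"-----END {h}-----"]
        return eol.join(lines) + eol
    if t not in HEX_TYPES:
        raise ValueError(f"unsupported type 0x{t:X}")
    out = []
    for off in range(0, len(data), 16):               # 16 input bytes per output line
        chunk = data[off:off + 16]
        pairs = [f"{b:02x}" for b in chunk]
        line = " ".join(pairs[:8])
        if len(pairs) > 8:
            line += "  " + " ".join(pairs[8:])        # two spaces between the 8th and 9th byte
        if t & 0x2:                                   # 2 bit: >=4-digit hex address + TAB
            line = f"{off:04x}\t" + line
        if t & 0x1:                                   # 1 bit: 3 spaces + ASCII, non-printables as '.'
            line += "   " + "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(line)
    return eol.join(out) + eol

def decodehex(text: str) -> bytes:
    """Inverse of the formatted-hex layouts (0x4/0x5/0x8/0xA/0xB) and of raw 0xC output."""
    data = bytearray()
    for line in text.splitlines():
        if "\t" in line:                              # drop the address column
            line = line.split("\t", 1)[1]
        line = line.split("   ", 1)[0].strip()        # drop the ASCII column (hex part never has 3 spaces)
        if not line:
            continue
        if re.fullmatch(r"[0-9a-fA-F]+", line):       # 0xC raw hex line
            data += bytes.fromhex(line)
        else:
            data += bytes(int(p, 16) for p in line.split())
    return bytes(data)
```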

ShadowThief
Expert
Posts: 910
Joined: 06 Sep 2013 21:28
Location: Virginia, United States

Re: more tricks with certutil

#5 Post by ShadowThief » 03 Sep 2018 19:42

dbenham wrote:
03 Sep 2018 10:55
CERTUTIL has a surprisingly low limit on the size of file it can encode/decode. I'm not sure about the exact value, but the encode limit is only in the tens of millions range.
Through trial and error, I've determined that the limit is 74472684 bytes. I'm guessing that there's an output file size threshold of 100000000 bytes.

Squashman
Expert
Posts: 4114
Joined: 23 Dec 2011 13:59

Re: more tricks with certutil

#6 Post by Squashman » 03 Sep 2018 20:42

ShadowThief wrote:
03 Sep 2018 19:42
dbenham wrote:
03 Sep 2018 10:55
CERTUTIL has a surprisingly low limit on the size of file it can encode/decode. I'm not sure about the exact value, but the encode limit is only in the tens of millions range.
Through trial and error, I've determined that the limit is 74472684 bytes. I'm guessing that there's an output file size threshold of 100000000 bytes.
I thought I remember reading somewhere it was roughly 75MB.

ShadowThief
Expert
Posts: 910
Joined: 06 Sep 2013 21:28
Location: Virginia, United States

Re: more tricks with certutil

#7 Post by ShadowThief » 03 Sep 2018 22:20

It's possible that your mileage may vary, but I don't know why it would.

dbenham
Expert
Posts: 2289
Joined: 12 Feb 2011 21:02
Location: United States (east coast)

Re: more tricks with certutil

#8 Post by dbenham » 03 Sep 2018 23:24

ShadowThief wrote:
03 Sep 2018 22:20
It's possible that your mileage may vary, but I don't know why it would.
Mine varied :twisted:

I tried to use encodehex instead of encode, and it failed well before 74 MB.

dbenham
Expert
Posts: 2289
Joined: 12 Feb 2011 21:02
Location: United States (east coast)

Re: more tricks with certutil

#9 Post by dbenham » 04 Sep 2018 13:55

I've posted a convenient HEXDUMP.BAT utility that utilizes these "new" CERTUTIL -encodeHex formatting options at viewtopic.php?f=3&t=8816


Dave Benham

ShadowThief
Expert
Posts: 910
Joined: 06 Sep 2013 21:28
Location: Virginia, United States

Re: more tricks with certutil

#10 Post by ShadowThief » 04 Sep 2018 17:00

dbenham wrote:
03 Sep 2018 23:24
ShadowThief wrote:
03 Sep 2018 22:20
It's possible that your mileage may vary, but I don't know why it would.
Mine varied :twisted:

I tried to use encodehex instead of encode, and it failed well before 74 MB.
Indeed. It seems that the limit for encodehex is 21510272 bytes.
