I’m trying to understand this so I can do something similar. I know:

buf contains an authentication key with a hash appended to it (the last 20 bytes) The HashData that’s being looked up in the MachineKeySection is SHA1

length -= 20; byte[] buffer2 = MachineKeySection.HashData(buf, null, 0, length);  for (int i = 0; i < 20; i++) {     if (buffer2[i] != buf[length + i])     {         return null;     } } 

Here’s what I think is happening: We are hashing all but the last 20 bytes of buf. Then we are, 1 byte at a time, comparing the hash we just created to the hash that is appended on to the last 20 bytes of buf.

So in PHP I’m trying this:

//get the length of the ticket -20 bytes $ticketLn = strlen($buf)-40; //grab all but the last 20 bytes $ticket = substr($decrypthex, 0, $ticketLn); //create a hash of the ticket $hash = substr($decrypthex, $ticketLn); 

And the next step is to compare. But when I echo the output of $hash and sha1($ticket) they don’t match so I haven’t even bothered comparing them in code.