Original: http://www.blogcn.com/User8/flier_lu/index.html? Id = 3300158
Tomekeeper has passed a code for the saved MSN password through the DPAPI yesterday. Its core idea is to save the key in the registry from the MSN encryption, and the encrypted string is removed, and then use the DPAPI's function CRYPTUNPROTECTDATA to decrypt. The key code is as follows:
The following is program code: //...ret = regopenkeyex (HKEY_CURRENT_USER, "Software / Microsoft / MsnMessenger", 0, Key_Read, & HKey); // ... Ret = RegQueryValueex (HKEY, "Password.Net Messenger Service" , //... "; Datain.pbdata = DATA 2; // 口 口 密 文 文 from the second bit Datain.cbdata = dwsize-2; CryptunProtectData (& DataIn, Null, Null, Null, Null, 1, & Data) Base64_Decode (DataOut.pbdata, Data, Strlen (DataOut.pbdata)); Printf ("MSN Password:% S", DATA);
However, this method is no effect on the new version of the MSN in the XP / 2003 environment, because it is no longer saved directly in the registry key. So I installed similar ideas, using Windbg and IDA Pro to analyze the new version of the save password method. Since the conclusion is that the MSN uses a function of XP / 2003 to manage the current user credential set, put the encrypted password in this in this unified management.
You can use the new CredReadDomaincredentials function, give the read goal to get encrypted credentials, such as:
The following is a program code: typedef struct _CREDENTIAL_TARGET_INFORMATIONW {LPWSTR TargetName; LPWSTR NetbiosServerName; LPWSTR DnsServerName; LPWSTR NetbiosDomainName; LPWSTR DnsDomainName; LPWSTR DnsTreeName; LPWSTR PackageName; ULONG Flags; DWORD CredTypeCount; LPDWORD CredTypes;} CREDENTIAL_TARGET_INFORMATIONW, * PCREDENTIAL_TARGET_INFORMATIONW; DWORD CredTypes = CRED_TYPE_DOMAIN_VISIBLE_PASSWORD Credential_target_informationw target = {L "Messenger.hotmail.com", NULL, NULL, NULL, L "Passport.Net", NULL, L "Passport1.4", 0, 1, & CredTypes}; dWord dwcount = 0; pcredentialw * creds; Win32Check (CredReadDomainCredentialsW (& target, CRED_CACHE_TARGET_INFORMATION, & dwCount, & creds), "Can not read user / 's domain credential, maybe you are not save your password" [img] /images/wink.gif [/ img]; CREDENTIAL_TARGET_INFORMATIONW where Structure Specifies the source and package name to obtain credentials; CredReadDomaincredentialsw, based on this information, send RPC calls through the NDrClientCall2 function to complete the actual functionality.
The read credentials include this credentials and credential content (Credentialblob):
The following is a program code: typedef struct _CREDENTIALW {DWORD Flags; DWORD Type; LPWSTR TargetName; LPWSTR Comment; FILETIME LastWritten; DWORD CredentialBlobSize; LPBYTE CredentialBlob; DWORD Persist; DWORD AttributeCount; PCREDENTIAL_ATTRIBUTEW Attributes; LPWSTR TargetAlias; LPWSTR UserName;} CREDENTIALW, * PCRedentialw; pcredentialw cred = creds [0];
For MSN Messenger, Credentialw :: UserName is the login account. MSN Messenger When the file menu is displayed, you will get the current account name from the credentials for display. Each time you log in, you will further decrypt the contents of the CRYPTUNPROTECTDATA function, the code is as follows:
The following is program code: static unsigned char entropydata [] = {0xE0, 0x00, 0xc8, 0x00, 0x08, 0x01, 0x10, 0x14, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0, 0x00, 0xB4, 0x00, 0xE4, 0x00, 0x18, 0x01, 0x14, 0x01, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc8, 0x00, 0x01, 0x0, 0x00, 0x14, 0x01, 0x18, 0x01, 0x14, 0x01, 0x01, 0x00, 0x08, 0x01, 0x00, 0x00, 0x0, 0x00, 0x00, 0x00, 0x08, 0x01, 0xc0, 0x00, 0x00, 0x00}; PCREDENTIALW cred = creds [0]; DATA_BLOB data = {cred-> CredentialBlobSize, cred-> CredentialBlob}, entropy = {sizeof (entropyData), entropyData}, pass = { 0, null}; Bool Ret = CryptunProtectData (& Data, NULL, & Entropy, Null, Null, CryptProtect_UI_FORBIDDEN, & PASS) Here, EntropyData saves the internal use of fixed encryption keys directly from the MSN Messenger code from the MSN Messenger code. It may change depending on the version. Because the new MSN Messenger is not directly encrypted, but use this key encryption, it is slightly different from Tomekeeper. Saved in the decrypted Pass is the password of the current MSN Messenger account, huh, huh.
The following is the program code: Static const st: string toString (lpcwstr lpstr, dword cbstr) {std :: string str; str.resize (widechartomultibyte (cp_acp, 0, lpstr, cbstr, null, 0, null, null) WideChartomultibyte (CP_ACP, 0, LPSTR, CBSTR, (Char *) Str.c_str (), Str.Size (), null, null; Return Str;} static const st: string toString (lpcwstr lpstr) {Return Tostring (LPSTR, WCSLEN (LPSTR);} m_username = toString (CRED-> Username); M_FcredFree (CREDs); Win32Check (Ret, "Cannot Decrypt Credential [IMG] /images/wink.gif [/ img]; m_password = TOSTRING ((lpcwstr) Pass.pbdata, Pass.cbdata / sizeof (wchar_t)) ;: LocalFree (Pass.pbdata);
It seems that it seems unsafe, but it is also okay, huh, huh. Because CredreadDomainCredentials and CryptunProtectData are used, the default is the security context of the current account for encryption, which is no longer meaningful if the encrypted data is changed. Therefore, unless you are getting the current account or Administrator account permission, the password is still safe; in turn, if the two accounts are made by others, it is possible to install a keyboard logger to achieve a similar effect. Therefore, in general, it is still safe. This code can only be used as a recovery tool when forgetting to automatically record the MSN password: P In fact, this is the main purpose of our research, huh Just for fun!: P
