Forums: Msn Messenger Password Decrypter - Forums


Msn Messenger Password Decrypter

#1 User is offline   Skydriver 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 102
  • Joined: 27-December 03

Posted 18 August 2004 - 08:09 AM

Hi all

The attached tool allows you to decrypt the MSN Messenger password stored
on your computer. The tool cannot be used on passwords stored on
other computers, as the decryption algorithm relies on the computer's
internal certificate for decryption.

enjoy and be careful ;)


****************************************************************

/* MSNMessenger DPAPI
*
* tombkeeper[0x40]nsfocus[0x2e]com
* tombkeeper[0x40]xfocus[0x2e]net
* 2004.08.11
*/

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <Windows.h>


#pragma comment(lib, "Advapi32.lib")

/*
 * FCHK(a): evaluate the expression a; if it is false, print the expression's
 * source text followed by " failed" and return 0 from the enclosing function.
 * NOTE(review): the expansion is a bare if-statement (not do { } while (0)),
 * so it is unsafe directly before an else, and it returns 0 -- the same value
 * main() returns on success -- without releasing anything acquired earlier.
 */
#define FCHK(a) if (!(a)) {printf(#a " failed\n"); return 0;}

/*
 * Blob type passed to CryptUnprotectData: a byte count plus a pointer to the
 * bytes.
 * NOTE(review): presumably declared locally because the author's SDK headers
 * did not expose the DPAPI declarations; with headers that already provide
 * DATA_BLOB through <wincrypt.h> this would be a redefinition -- confirm
 * against the SDK in use.
 */
typedef struct _CRYPTOAPI_BLOB {
DWORD cbData; /* number of bytes available at pbData */
BYTE* pbData; /* start of the data */
} DATA_BLOB;

/*
 * Prompt descriptor type for CryptUnprotectData's pPromptStruct parameter.
 * main() always passes NULL for that parameter, so no field of this struct
 * is ever filled in by this file.
 */
typedef struct _CRYPTPROTECT_PROMPTSTRUCT {
DWORD cbSize;
DWORD dwPromptFlags;
HWND hwndApp;
LPCWSTR szPrompt;
} CRYPTPROTECT_PROMPTSTRUCT, *PCRYPTPROTECT_PROMPTSTRUCT;

/*
 * Function-pointer type for CryptUnprotectData, so the routine can be
 * resolved at run time with GetProcAddress instead of being linked directly.
 */
typedef BOOL (WINAPI *PCryptUnprotectData)(
DATA_BLOB* pDataIn,              /* protected input blob */
LPWSTR* ppszDataDescr,           /* main() passes NULL */
DATA_BLOB* pOptionalEntropy,     /* main() passes NULL */
PVOID pvReserved,                /* main() passes NULL */
CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct, /* main() passes NULL */
DWORD dwFlags,                   /* main() passes 1 */
DATA_BLOB* pDataOut              /* receives the unprotected blob */
);

/* NULL until main() stores the address it gets from GetProcAddress. */
PCryptUnprotectData CryptUnprotectData = NULL;


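/* Defined later in this file; declared here so the call in main() is checked
 * against the real signature instead of relying on an implicit declaration. */
int base64_decode (char const *src, char *target, size_t targsize);

/*
 * Read the current user's saved "Password.NET Messenger Service" value from
 * HKCU\Software\Microsoft\MSNMessenger, unprotect it with DPAPI
 * (CryptUnprotectData), Base64-decode the result and print it.
 *
 * Security note: CryptUnprotectData only succeeds in the context of the user
 * that protected the blob, and pOptionalEntropy is NULL here, i.e. there is
 * no per-application secret. Any code running as that user can therefore
 * recover the value; a credential stored this way should be treated as
 * readable by everything that runs in the user's session.
 *
 * Returns 0 on success and 1 on any failure. Every buffer that held the
 * protected or recovered secret is wiped before the function returns.
 */
int main(void)
{
    int rc = 1;
    int decoded;
    LONG status;
    HKEY hKey = NULL;
    HMODULE hCrypt32 = NULL;
    DWORD dwType = 0;
    DWORD dwSize = 0;
    char Data[0x100] = {0};
    char Encoded[0x200] = {0};
    DATA_BLOB DataIn = {0};
    DATA_BLOB DataOut = {0};

    status = RegOpenKeyExA(HKEY_CURRENT_USER,
                           "Software\\Microsoft\\MSNMessenger",
                           0, KEY_READ, &hKey);
    if (status != ERROR_SUCCESS) {
        fprintf(stderr, "RegOpenKeyEx failed (%ld)\n", (long) status);
        hKey = NULL;
        goto cleanup;
    }

    /* The size argument is in/out: it must hold the buffer capacity on entry.
     * The original left it uninitialized, so the call could fail at random or
     * be told the buffer was larger than it is. */
    dwSize = sizeof Data;
    status = RegQueryValueExA(hKey, "Password.NET Messenger Service", NULL,
                              &dwType, (LPBYTE) Data, &dwSize);
    if (status != ERROR_SUCCESS) {
        fprintf(stderr, "RegQueryValueEx failed (%ld)\n", (long) status);
        goto cleanup;
    }

    /* Guard the "- 2" below against unsigned wrap-around on a short value. */
    if (dwSize <= 2) {
        fprintf(stderr, "stored value is too short\n");
        goto cleanup;
    }

    hCrypt32 = LoadLibraryA("Crypt32.dll");
    if (hCrypt32 == NULL) {
        fprintf(stderr, "LoadLibrary failed (%lu)\n",
                (unsigned long) GetLastError());
        goto cleanup;
    }

    CryptUnprotectData =
        (PCryptUnprotectData) GetProcAddress(hCrypt32, "CryptUnprotectData");
    if (CryptUnprotectData == NULL) {
        fprintf(stderr, "GetProcAddress failed (%lu)\n",
                (unsigned long) GetLastError());
        goto cleanup;
    }

    /* The original skips the first two bytes of the registry value without
     * saying why; presumably a prefix the client writes in front of the DPAPI
     * blob -- unverified. */
    DataIn.pbData = (BYTE *) Data + 2;
    DataIn.cbData = dwSize - 2;

    /* Flag value 1 is CRYPTPROTECT_UI_FORBIDDEN: fail rather than prompt. */
    if (!CryptUnprotectData(&DataIn, NULL, NULL, NULL, NULL, 1, &DataOut)) {
        fprintf(stderr, "CryptUnprotectData failed (%lu)\n",
                (unsigned long) GetLastError());
        goto cleanup;
    }

    /* The output blob carries an explicit length and is not guaranteed to be
     * NUL-terminated, so copy it into a bounded, terminated buffer instead of
     * calling strlen() on it as the original did. */
    if (DataOut.pbData == NULL || DataOut.cbData >= sizeof Encoded) {
        fprintf(stderr, "unexpected size of unprotected data\n");
        goto cleanup;
    }
    memcpy(Encoded, DataOut.pbData, DataOut.cbData);
    Encoded[DataOut.cbData] = '\0';

    /* Bound the decode by the destination's capacity (the original passed the
     * source length), keeping one byte free for the terminator. */
    SecureZeroMemory(Data, sizeof Data);
    decoded = base64_decode(Encoded, Data, sizeof Data - 1);
    if (decoded < 0) {
        fprintf(stderr, "base64_decode failed\n");
        goto cleanup;
    }
    Data[decoded] = '\0';

    /* NOTE(review): the decoded bytes are printed as a narrow string, as in
     * the original; whether the client stored narrow or wide text is not
     * visible here. */
    printf("MSN Password: %s\n", Data);
    rc = 0;

cleanup:
    /* Do not leave the secret in process memory longer than needed. */
    SecureZeroMemory(Data, sizeof Data);
    SecureZeroMemory(Encoded, sizeof Encoded);
    if (DataOut.pbData != NULL) {
        SecureZeroMemory(DataOut.pbData, DataOut.cbData);
        LocalFree(DataOut.pbData); /* DPAPI output is released with LocalFree */
    }
    if (hCrypt32 != NULL) {
        FreeLibrary(hCrypt32);
    }
    if (hKey != NULL) {
        RegCloseKey(hKey);
    }
    return rc;
}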

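//copied from GNU libc - libc/resolv/base64.c
/*
 * Decode the NUL-terminated Base64 text in src.
 *
 * src       Base64 input; whitespace is skipped wherever it appears.
 * target    destination buffer, or NULL to validate and count only.
 * targsize  capacity of target in bytes (ignored when target is NULL).
 *
 * Returns the number of decoded bytes, or -1 if the input contains a
 * character outside the Base64 alphabet, has malformed padding or non-zero
 * leftover bits, ends in the middle of a group, or does not fit in targsize.
 * The output is raw bytes: no NUL terminator is appended.
 */
int base64_decode (char const *src, char *target, size_t targsize)
{
    static const char Base64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    static const char Pad64 = '=';

    int tarindex, state, ch;
    const char *pos;

    state = 0;
    tarindex = 0;

    /* Each input byte is read as unsigned char: passing a negative char to
     * isspace() is undefined behaviour, and input here is untrusted. */
    while ((ch = (unsigned char) *src++) != '\0')
    {
        if (isspace (ch)) /* Skip whitespace anywhere. */
            continue;

        if (ch == Pad64)
            break;

        pos = strchr (Base64, ch);
        if (pos == NULL) /* A non-base64 character. */
            return (-1);

        /* state counts which of the four 6-bit symbols of a group this is. */
        switch (state)
        {
        case 0:
            if (target)
            {
                if ((size_t) tarindex >= targsize)
                    return (-1);
                target[tarindex] = (char) ((pos - Base64) << 2);
            }
            state = 1;
            break;
        case 1:
            if (target)
            {
                /* This symbol also seeds the next byte, so that one must
                 * exist in the buffer too. */
                if ((size_t) tarindex + 1 >= targsize)
                    return (-1);
                target[tarindex] |= (char) ((pos - Base64) >> 4);
                target[tarindex + 1] = (char) (((pos - Base64) & 0x0f) << 4);
            }
            tarindex++;
            state = 2;
            break;
        case 2:
            if (target)
            {
                if ((size_t) tarindex + 1 >= targsize)
                    return (-1);
                target[tarindex] |= (char) ((pos - Base64) >> 2);
                target[tarindex + 1] = (char) (((pos - Base64) & 0x03) << 6);
            }
            tarindex++;
            state = 3;
            break;
        case 3:
            if (target)
            {
                if ((size_t) tarindex >= targsize)
                    return (-1);
                target[tarindex] |= (char) (pos - Base64);
            }
            tarindex++;
            state = 0;
            break;
        default:
            abort ();
        }
    }

    /*
     * We are done decoding Base-64 chars. Let's see if we ended
     * on a byte boundary, and/or with erroneous trailing characters.
     */

    if (ch == Pad64)
    { /* We got a pad char. */
        ch = (unsigned char) *src++; /* Skip it, get next. */
        switch (state)
        {
        case 0: /* Invalid = in first position */
        case 1: /* Invalid = in second position */
            return (-1);

        case 2: /* Valid, means one byte of info */
            /* Skip any number of spaces. */
            for ((void) NULL; ch != '\0'; ch = (unsigned char) *src++)
                if (!isspace (ch))
                    break;
            /* Make sure there is another trailing = sign. */
            if (ch != Pad64)
                return (-1);
            ch = (unsigned char) *src++; /* Skip the = */
            /* Fall through to "single trailing =" case. */
            /* FALLTHROUGH */

        case 3: /* Valid, means two bytes of info */
            /*
             * We know this char is an =. Is there anything but
             * whitespace after it?
             */
            for ((void) NULL; ch != '\0'; ch = (unsigned char) *src++)
                if (!isspace (ch))
                    return (-1);

            /*
             * Now make sure for cases 2 and 3 that the "extra"
             * bits that slopped past the last full byte were
             * zeros. If we don't check them, they become a
             * subliminal channel.
             */
            if (target && target[tarindex] != 0)
                return (-1);
        }
    }
    else
    {
        /*
         * We ended by seeing the end of the string. Make sure we
         * have no partial bytes lying around.
         */
        if (state != 0)
            return (-1);
    }

    return (tarindex);
}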

#2 User is offline   Ecko 

  • Sergeant
  • Icon
  • Group: Members
  • Posts: 220
  • Joined: 02-March 04

Posted 18 August 2004 - 10:44 AM

hehe *lol* funny :) catched my password :huh:

compiled version attached :)

Attached File(s)

  • Attached File  msn.exe (152.07K)
    Number of downloads: 202


#3 User is offline   mrBob 

  • Sergeant First Class
  • Icon
  • Group: Specialist
  • Posts: 321
  • Joined: 12-August 03

Posted 18 August 2004 - 11:01 AM

it doesn't do anything at my pc :unsure:
does it work with msn 6.2 too?
i can't find the registry value (manually) where the program looks for
and i know that i got my pass stored on my pc :P

#4 User is offline   ZoraX 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 149
  • Joined: 28-February 04

Posted 18 August 2004 - 11:44 AM

Lol, ill try to get my brother's password:p

#5 User is offline   Serhat 

  • Second Lieutenant
  • Icon
  • Group: Members
  • Posts: 803
  • Joined: 13-January 04

Posted 18 August 2004 - 12:36 PM

hmm used the compiled one and compiled it myself.. both result is .. output is nothing..
Maybe I am doing something weird.. there is an cached password on this PC.. I know =)
My brother got his.. and I already know his pass... so just want to test it out ;)

Serhat

#6 User is offline   axelfoley643 

  • Private
  • Icon
  • Group: Members
  • Posts: 13
  • Joined: 17-December 03

Posted 18 August 2004 - 02:33 PM

mmm, it doesn't work for me :huh:

#7 User is offline   nuorder 

  • Master Sergeant
  • Icon
  • Group: Members
  • Posts: 574
  • Joined: 01-April 04

Posted 18 August 2004 - 05:18 PM

looks good, not at a computer with MSN ATM but will try it later

for those who want to retrieve your MSN password and others use the nirsoft tool at
hxxp://freehost14.websamba.com/nirsoft/utils/mspass.html
tested it against MSN 6.2 and got a password

#8 User is offline   flashb4ck 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 86
  • Joined: 26-January 04

Posted 18 August 2004 - 06:30 PM

thx for this link @ nuorder ;)


grtz fL4Shb4Ck

#9 User is offline   Serhat 

  • Second Lieutenant
  • Icon
  • Group: Members
  • Posts: 803
  • Joined: 13-January 04

Posted 18 August 2004 - 11:38 PM

nuorder, on Aug 19 2004, 01:18 AM, said:

looks good, not at a computer with MSN ATM but will try it later

for those who want to retrieve your MSN password and others use the nirsoft tool at
hxxp://freehost14.websamba.com/nirsoft/utils/mspass.html
tested it against MSN 6.2 and got a password

yeah it works perfectly.. same I couldn't find any info in the HELP file about command line switches...
Still a good tool.. ty :)

Serhat

#10 User is offline   Tool 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 90
  • Joined: 09-August 03

Posted 19 August 2004 - 12:30 AM

It didn't work here..maybe because i still got 6.1
..

#11 User is offline   nuorder 

  • Master Sergeant
  • Icon
  • Group: Members
  • Posts: 574
  • Joined: 01-April 04

Posted 19 August 2004 - 03:05 AM

this program is referring to the key"Password.NET Messenger Service" under HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
i cant see this key in the registry so im guessing that either windows hides this key and the nirsoft tool has a workaround or it really isnt there and it is accessed by other means
regmon shows the nirsoft tool is trying to access it but fails, didnt test it with the program in this thread because it doesnt work anyway.

if the decryption method is the same just gotta find the right regkey now i guess or a way to access "Password.NET Messenger Service" if it really is there. i think old versions you could see it

and probably the reason why it exits and displays nothing is that this segment of code
   ret = RegQueryValueEx
    (
        hKey,
        "Password.NET Messenger Service",
        NULL,
        &dwType,
        Data,
        &dwSize
    );
    if( ret != ERROR_SUCCESS ) return 1;

returns an error because the key is not found so the program exits

#12 User is offline   cagontoo 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 29
  • Joined: 09-August 03

Posted 20 August 2004 - 12:23 AM

it works on 6.2 tested

#13 Guest_StreetZone__*

  • Group: Guests

Posted 21 August 2004 - 04:21 AM

is there possible to get other users password ?

#14 User is offline   M4Z3R 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 96
  • Joined: 12-June 04

Posted 21 August 2004 - 07:59 AM

Very nice work, I must get learning the windows.h header use; thx for the tool :)

#15 User is offline   Max_Payne 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 47
  • Joined: 03-September 03

Posted 21 September 2004 - 08:18 AM

tested here and works 100% even with msn 6.2 translated