Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
All times are UTC [ DST ]





 Post subject: Google Talk
PostPosted: 15 Feb 2009 19:13 

Joined: 16 Jan 2009 22:16
Posts: 19
Are there any public sources written in any language out there for Google Talk password recovery?


 Post subject: Re: Google Talk
PostPosted: 24 Feb 2009 05:18 

Joined: 22 Feb 2009 04:49
Posts: 7
That's right, I've been wondering how you decrypt passwords in Google Talk. I hear it uses the Crypto API or something. Never seen a source though. aluigi, you should make a decrypter!


 Post subject: Re: Google Talk
PostPosted: 24 Feb 2009 21:22 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I was debugging Google Talk to figure out the algorithm and I did it, so then (out of curiosity) I searched on Google for the constant numbers used in the algorithm and found this code:

http://nodereality.com/viewtopic.rar?id=378

note: I guess that part of the code has been taken from http://h1.ripway.com/kevindevine/dgt.cpp (another link found searching for that constant) but that link no longer works.

if you are interested in debugging googletalk.exe 1.0.0.104, some useful offsets are 0042314c, 00423a60 and 004238a0

the password is the "pw" key of the accounts located in the registry HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts


 Post subject: Re: Google Talk
PostPosted: 24 Feb 2009 22:34 

Joined: 22 Feb 2009 04:49
Posts: 7
So the C++ routine will successfully decrypt the hashes?


 Post subject: Re: Google Talk
PostPosted: 24 Feb 2009 23:12 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
sure.
remember to add an "output[DataOut.cbData] = 0;" after the second memcpy, otherwise you could see strange chars in the output buffer after the password
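
The termination fix described in the post above, together with the bounds check it needs, as an added example that is not part of the original post or of the attached tool. `blob_t` is a portable stand-in for the Windows `DATA_BLOB`; `blob_to_cstr` and the sample bytes are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for DATA_BLOB (cbData/pbData) so this builds anywhere;
   on Windows the real type comes from wincrypt.h. */
typedef struct {
    uint32_t cbData;        /* number of valid bytes in pbData */
    const uint8_t *pbData;  /* raw bytes, NOT NUL-terminated */
} blob_t;

/* Copy a length-delimited blob into a C string buffer.
   Returns the number of bytes copied, or -1 if the blob plus its
   terminator does not fit; on failure dst is left as "". */
int blob_to_cstr(char *dst, size_t dst_size, const blob_t *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL || (src->pbData == NULL && src->cbData != 0))
        return -1;
    /* cbData == dst_size would place the terminator one byte past the
       end of dst, so reject it rather than truncate silently. */
    if ((size_t)src->cbData >= dst_size)
        return -1;
    if (src->cbData != 0)
        memcpy(dst, src->pbData, src->cbData);
    dst[src->cbData] = '\0';  /* the terminator the post asks for */
    return (int)src->cbData;
}

int main(void)
{
    /* Constructed sample: six bytes with no terminator after them. */
    static const uint8_t sample[6] = { 's', 'e', 'c', 'r', 'e', 't' };
    blob_t out = { sizeof sample, sample };
    char text[16];

    memset(text, '?', sizeof text);  /* simulate stale buffer contents */
    if (blob_to_cstr(text, sizeof text, &out) < 0) {
        fputs("blob does not fit\n", stderr);
        return 1;
    }
    printf("%s\n", text);
    return 0;
}
```

Without the terminator, the `printf` would keep reading the stale `?` bytes; without the size check, a blob of `sizeof text` bytes or more would write past the buffer.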


 Post subject: Re: Google Talk
PostPosted: 25 Feb 2009 01:02 

Joined: 22 Feb 2009 04:49
Posts: 7
Will you post a compiled version here? I am getting errors compiling it.


 Post subject: Re: Google Talk
PostPosted: 25 Feb 2009 13:06 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
if you don't add the headers and main() it's logical that you get errors, blah
check the attachment


Attachments:
File comment: Google Talk password decrypter
googletalkdec.zip [3.84 KiB]
 Post subject: Re: Google Talk
PostPosted: 26 Feb 2009 04:24 

Joined: 16 Jan 2009 22:16
Posts: 19
aluigi wrote:
I was debugging Google Talk to figure out the algorithm and I did it, so then (out of curiosity) I searched on Google for the constant numbers used in the algorithm and found this code:

http://nodereality.com/viewtopic.rar?id=378

note: I guess that part of the code has been taken from http://h1.ripway.com/kevindevine/dgt.cpp (another link found searching for that constant) but that link no longer works.

if you are interested in debugging googletalk.exe 1.0.0.104, some useful offsets are 0042314c, 00423a60 and 004238a0

the password is the "pw" key of the accounts located in the registry HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Thanks for the link.


 Post subject: Re: Google Talk
PostPosted: 05 May 2009 22:16 

Joined: 03 May 2009 05:10
Posts: 16
Does anyone have this in Delphi?
Or a deeper explanation about mixing the user name and those loops?
I'm a super noob in C++ and I can't understand those loops :(


 Post subject: Re: Google Talk
PostPosted: 17 May 2009 10:58 

Joined: 03 May 2009 05:10
Posts: 16
Can anybody even check my code and see what's wrong??
The function CryptUnprotectData always returns 'The Data is Invalid' :S
Code:
program Project2;

{$APPTYPE CONSOLE}

uses
  Windows,
  SysUtils,
  Dialogs;

const
  SEED_CONSTANT = $BA0DA71D;
  SecretKey : Array[0..15] Of Byte = ($A3,$1E,$F3,$69,
                                      $07,$62,$D9,$1F,
                                      $1E,$E9,$35,$7D,
                                      $4F,$D2,$7D,$48);

type
  TCharArray = Array[0..1023] Of Char;
  _TOKEN_USER = record
    User: SID_AND_ATTRIBUTES;
  end;
  TOKEN_USER = _TOKEN_USER;
  TTokenUser = TOKEN_USER;
  PTokenUser = ^TOKEN_USER;
  _CREDENTIAL_ATTRIBUTEA = record
    Keyword: LPSTR;
    Flags: DWORD;
    ValueSize: DWORD;
    Value: PBYTE;
  end;
  PCREDENTIAL_ATTRIBUTE = ^_CREDENTIAL_ATTRIBUTEA;
  _CREDENTIALA = record
    Flags: DWORD;
    Type_: DWORD;
    TargetName: LPSTR;
    Comment: LPSTR;
    LastWritten: FILETIME;
    CredentialBlobSize: DWORD;
    CredentialBlob: PBYTE;
    Persist: DWORD;
    AttributeCount: DWORD;
    Attributes: PCREDENTIAL_ATTRIBUTE;
    TargetAlias: LPSTR;
    UserName: LPSTR;
  end;
  PCREDENTIAL = array of ^_CREDENTIALA;
  _CRYPTPROTECT_PROMPTSTRUCT = record
    cbSize: DWORD;
    dwPromptFlags: DWORD;
    hwndApp: HWND;
    szPrompt: LPCWSTR;
  end;
  PCRYPTPROTECT_PROMPTSTRUCT = ^_CRYPTPROTECT_PROMPTSTRUCT;
  _CRYPTOAPI_BLOB = record
    cbData: DWORD;
    pbData: PBYTE;
  end;
  DATA_BLOB = _CRYPTOAPI_BLOB;
  PDATA_BLOB = ^DATA_BLOB;

function CryptUnprotectData(pDataIn: PDATA_BLOB; ppszDataDescr: PLPWSTR; pOptionalEntropy: PDATA_BLOB; pvReserved: Pointer; pPromptStruct: PCRYPTPROTECT_PROMPTSTRUCT; dwFlags: DWORD; pDataOut: PDATA_BLOB): BOOL; stdcall; external 'crypt32.dll' Name 'CryptUnprotectData';

function Decode(Output: TCharArray; PassEntry: TCharArray; EntryLen: DWORD): Boolean;
var
  Ret : Integer;
  hToken : DWORD;
  SID,
  Name,
  Domain : Array[0..511] Of Char;
  SIDSize,
  I,
  J : DWORD;
  CCHName,
  CCHDomain : DWORD;
  PEUse : SID_NAME_USE;
  SIDUser : PTokenUser;
  StaticKey : TByteArray;
  Seed : DWORD;
  A, B : PByteArray;
  DataIn,
  DataEntropy,
  DataOut : DATA_BLOB;
begin
  Ret := 0;
  SIDSize := 0;
  I := 0;
  J := 0;
  SIDUser := PTokenUser(@SID);
  Move(SecretKey,StaticKey,SizeOf(SecretKey));
  If OpenProcessToken(GetCurrentProcess,TOKEN_QUERY,hToken) Then
    begin
    If GetTokenInformation(hToken,TokenUser,SIDUser,SizeOf(SID),SIDSize) Then
      begin
      CCHName := SizeOf(Name);
      CCHDomain := SizeOf(Domain);
      If LookupAccountSID(nil,SIDUser.User.Sid,Name,CCHName,Domain,CCHDomain,PEUse) Then
        begin
        Seed := SEED_CONSTANT;
        For I := 0 To CCHName - 1 Do
          begin
          StaticKey[I MOD 4] := StaticKey[I MOD 4] XOR (Byte(Name[I]) * Seed);
          Seed := Seed * 48271;
        end;
        For J := 0 To CCHDomain - 1 Do
          begin
          StaticKey[I MOD 4] := StaticKey[I MOD 4] XOR (Byte(Domain[J]) * Seed);
          Seed := Seed * 48271;
          Inc(I);
        end;
        Seed := StaticKey[0] OR 1;
        A := PByteArray(@PassEntry[4]);
        B := PByteArray(@PassEntry[5]);
        I := 0;
        While I < EntryLen Do
          begin
          {$WARNINGS OFF}
          PassEntry[I div 2] := Char((((A[I] - 1) * 16) Or (B[I] - 33)) - (Seed AND $FF));
          {$WARNINGS ON}
          Seed := Seed * 69621;
          Inc(I,2);
        end;
        DataEntropy.cbData := SizeOf(SecretKey);
        DataEntropy.pbData := @StaticKey;
        DataIn.cbData := I div 2;
        DataIn.pbData := @PassEntry;
        If CryptUnprotectData(@DataIn,nil,@DataEntropy,nil,nil,1,@DataOut) Then
          begin
          Move(DataOut.pbData,Output,DataOut.cbData);
          Output[DataOut.cbData] := #0;
          LocalFree(DWORD(Pointer(DataOut.pbData)));
          Ret := 1;
        end
        Else
          begin
          ShowMessage(SysErrorMessage(GetLastError));
        end;
      end
      Else
        begin
        ShowMessage(SysErrorMessage(GetLastError));
      end;
    end
    Else
      begin
      ShowMessage(SysErrorMessage(GetLastError));
    end;
    CloseHandle(hToken);
  end
  Else
    begin
    ShowMessage(SysErrorMessage(GetLastError));
  end;
  Result := Boolean(Ret);
end;

var
  PWD : TCharArray;
  aOut : TCharArray;
  Param : String;
  P : PChar;
  I : Integer;
begin
  If ParamCount < 1 Then Exit;
  Param := GetCommandLine;
  Param := Copy(Param,Pos('" ',Param) + 2,Length(Param));
  Move(Param[1],PWD[0],Length(Param));
  For I := 0 To High(PWD) Do
    begin
    If (PWD[I] = #13) Or (PWD[I] = #10) Then PWD[I] := #0;
  end;
  If Decode(aOut,PWD,Length(Param)) Then
    begin
    Writeln(String(aOut));
  end
  Else
    begin
    Writeln('Error');
  end;
  Readln;
end.


 Post subject: Re: Google Talk
PostPosted: 07 Jun 2009 18:35 

Joined: 03 May 2009 05:10
Posts: 16
anyone?


 Post subject: Re: Google Talk
PostPosted: 08 Jun 2009 12:09 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmm, if in Delphi @ is used for pointers like & is used in C, why haven't you used it also in the OpenProcessToken, GetTokenInformation and LookupAccountSid functions?

then it's not "Seed := StaticKey[0] OR 1;" but "Seed := (PInteger(StaticKey))[0] OR 1;"
I don't know if A and B are correct; anyway, if PassEntry is "helloguys", A will point to "oguys" and B to "guys"

check if this solves the problem


 Post subject: Re: Google Talk
PostPosted: 08 Jun 2009 14:05 

Joined: 03 May 2009 05:10
Posts: 16
It won't even compile.
Can't combine Integer with Pointer.


 Post subject: Re: Google Talk
PostPosted: 08 Jun 2009 20:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
oh come on, a bit of flexibility...
if it's not PInteger it's probably PINT or some other similar Delphi variable type


 Post subject: Re: Google Talk
PostPosted: 08 Jun 2009 20:35 

Joined: 03 May 2009 05:10
Posts: 16
1 = Integer
PInt, PInteger, ...... Pointers
Can't say "OR" between a Pointer type variable and an Integer type variable.

I tried everything possible.


 Post subject: Re: Google Talk
PostPosted: 08 Jun 2009 22:37 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
also PINTArray or PIntegerArray?


 Post subject: Re: Google Talk
PostPosted: 10 Jun 2009 19:53 

Joined: 03 May 2009 05:10
Posts: 16
all pointers


 Post subject: Re: Google Talk
PostPosted: 06 Aug 2009 00:29 

Joined: 06 Aug 2009 00:15
Posts: 6
I have a copy of Kevin's Google Talk code.
I'll ask him if I can post it here.


 Post subject: Re: Google Talk
PostPosted: 06 Aug 2009 04:14 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
a working code (based on the snippet of the original one) has already been posted some posts above


 Post subject: Re: Google Talk
PostPosted: 25 Mar 2010 04:22 

Joined: 25 Mar 2010 04:17
Posts: 1
Can anybody help me to run this code in Dev-C++ or VSC++ 2008??
I have some problems with CryptUnprotectData... I can't compile,
I get a linker error, but I have the file linked... any idea??

Or does anybody have this code in VB or C#??

Thank you a lot.

