Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: Cunprot.exe - CryptUNPROTecteddata function.
PostPosted: 13 Jul 2009 01:33 

Joined: 19 Apr 2009 23:01
Posts: 13
How would I use your cunprot tool to decrypt bf2 login passwords

stored: \Profiles\0001

I can import the function CryptUNPROTecteddata from the crypt32.dll

but with which parameters do I run it to decrypt the password?


 
 Post subject: Re: Cunprot.exe - CryptUNPROTecteddata function.
PostPosted: 13 Jul 2009 09:41 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
It's the basic calling of CryptUnprotectData using the data (encrypted password) after "51:b:" or "x9392".
So take the password, convert it from a string of hex values to bytes (so "010002" becomes the 3 bytes 0x01, 0x00 and 0x02) and fill a DATA_BLOB structure (pbData with the bytes and cbData with the length).
And then call the function:
Code:
    DATA_BLOB   DataIn,
                DataOut;
    LPWSTR      description;

    memset(&DataIn,      0, sizeof(DataIn));
    memset(&DataOut,     0, sizeof(DataOut));
    description = NULL;

    // fill DataIn with the binary password and its length

    CryptUnprotectData(
      &DataIn,                          // input data
      &description,                     // output description
      NULL,                             // optional entropy
      NULL,                             // reserved
      NULL,                             // optional prompt structure
      CRYPTPROTECT_UI_FORBIDDEN,        // flags
      &DataOut);
Obviously the decrypted password is located in DataOut.pbData; note that it could be in ASCII or Unicode (UTF-16) mode.


 
 Post subject: Re: Cunprot.exe - CryptUNPROTecteddata function.
PostPosted: 08 Apr 2010 16:39 

Joined: 19 Apr 2009 23:01
Posts: 13
OK, I'm back and I have the required functions.
However, I'm having trouble decrypting the passes for Battlefield 2 demo.
In the functions I have, I cannot set the "szDataDescr" to NULL or they break.

I was wondering what they are set to in the decryption of Battlefield 2 passwords?
Thank you for your time, Luigi. :)


 
 Post subject: Re: Cunprot.exe - CryptUNPROTecteddata function.
PostPosted: 08 Apr 2010 17:24 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Uhmm, as far as I know the bf2 passwords are still in the classical cryptprotect format, so at this exact moment I don't understand which problem you are referring to (I'm sure I have missed something).
Are you sure you have skipped the initial bytes?
"51:b:" and "x9392"


 
 Post subject: Re: Cunprot.exe - CryptUNPROTecteddata function.
PostPosted: 12 Apr 2010 15:49 

Joined: 19 Apr 2009 23:01
Posts: 13
LocalProfile.setPassword "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062f0dd798d56a14780cc8f35fe0726a800000000400000005400680069007300200069007300200074006800650020006400650073006300720069007000740069006f006e00200073007400720069006e0067002e00000003660000a80000001000000074da8cf288224c8b18b42b23bfaef4dd0000000004800000a000000010000000019f0b906daeaf63a30c321fe529770d100000004af29f6412bf78d38f38c887525909f2140000002097a0c7e461b5bdec134acd887deac5c930eedc"

This is the password taken from the profile.con file.

What do you mean by "Take the password after 51:b"?

When I try to load the password into the blob structure I receive an error that the blob string cannot be longer than 256 characters?


 
 Post subject: Re: Cunprot.exe - CryptUNPROTecteddata function.
PostPosted: 12 Apr 2010 16:43 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
51:b: is a string that is usually used by bf2 before the 0100000 encrypted password.

The string you posted is a typical cryptprotecteddata encrypted string.
And as far as I know there is no similar limitation (256 chars) in using CryptUnprotectData; have you tried with cunprot?
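
The hex-to-bytes step described in the replies above, as an added example that is not part of the original thread or of cunprot: it strips the "51:b:" or "x9392" prefix, decodes the hex text into a caller-sized buffer (so no 256-character limit applies), and checks for the leading bytes seen in the posted blob. The function names `bf2_blob_from_text` and `looks_like_dpapi` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* First 20 bytes of the blob posted in the thread: version 1 followed by
   the DPAPI provider GUID, the usual start of CryptProtectData output. */
static const unsigned char DPAPI_HDR[20] = {
    0x01, 0x00, 0x00, 0x00,
    0xd0, 0x8c, 0x9d, 0xdf, 0x01, 0x15, 0xd1, 0x11,
    0x8c, 0x7a, 0x00, 0xc0, 0x4f, 0xc2, 0x97, 0xeb
};

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper: decode a stored password value into raw bytes for
   DATA_BLOB.pbData. Returns the byte count (for cbData), or -1 when the
   text is empty, odd-length, not hex, or larger than the output buffer. */
long bf2_blob_from_text(const char *text, unsigned char *out, size_t outsz) {
    static const char *prefixes[] = { "51:b:", "x9392" };
    size_t i, n;

    /* Skip the optional prefix that precedes the encrypted password. */
    for (i = 0; i < 2; i++) {
        size_t plen = strlen(prefixes[i]);
        if (strncmp(text, prefixes[i], plen) == 0) { text += plen; break; }
    }
    n = strlen(text);
    if (n == 0 || (n % 2) != 0 || n / 2 > outsz) return -1;
    for (i = 0; i < n / 2; i++) {
        int hi = hexval(text[2 * i]), lo = hexval(text[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (long)(n / 2);
}

/* Hypothetical helper: 1 if the bytes start like a CryptProtectData blob. */
int looks_like_dpapi(const unsigned char *buf, long len) {
    return len >= (long)sizeof(DPAPI_HDR) &&
           memcmp(buf, DPAPI_HDR, sizeof(DPAPI_HDR)) == 0;
}
```

The returned length goes in DataIn.cbData and the buffer in DataIn.pbData before the CryptUnprotectData call shown earlier in the thread.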

