Shoutbox

Recover encrypted chat logs. - Printable Version


Recover encrypted chat logs. by muratyilmaz on 05-18-2006 at 10:22 AM

Hi all,

This is an important issue. Please help me with that.

My best friend was missing. We couldn't get any news about him.
On the other hand, I have begun to research some things. I have caught some MSN chat logs. But these are encrypted and we can't open them. Maybe these logs have some info for us. Can anyone help me?

Look, this is not a joke. My best friend may be die :(

Please help me to recover these logs. I think we can find him.

Please help me, please :(

Murat YILMAZ
msn : myilmaz@dotnetishere.com
email : myilmaz@dotnetishere.com


RE: Recover encrypted chat logs. by user35870 on 05-18-2006 at 10:34 AM

I'm sorry, but without the password to the logs they are impossible to open.


RE: Recover encrypted chat logs. by muratyilmaz on 05-18-2006 at 10:38 AM

But why? There is an algorithm to encrypt. That's right?

Who is the programmer of these logs sections?

Thank you for your answer

:(


RE: Recover encrypted chat logs. by Lou on 05-18-2006 at 10:41 AM

quote:
Originally posted by muratyilmaz
But why? There is an algorithm to encrypt. That's right?

Who is the programmer of these logs sections?

Thank you for your answer

:(

There's only 1 single programmer for Plus!, and it's Patchou. He himself can't decrypt encrypted logs without the password.


RE: Recover encrypted chat logs. by muratyilmaz on 05-18-2006 at 10:46 AM

Thanks Lou,

How can I contact him?

Why did you code that like this :(


RE: Recover encrypted chat logs. by qgroessl on 05-18-2006 at 12:18 PM

quote:
Originally posted by muratyilmaz
Why did you code that like this

So that only the person with the password can get into the logs... :p...

quote:
Originally posted by muratyilmaz
How can I contact him?

Trying to contact him won't do any good... he stops by the forum on occasion though.

RE: Recover encrypted chat logs. by RaceProUK on 05-18-2006 at 12:24 PM

quote:
Originally posted by muratyilmaz
Please help me to recover these logs.

If it's vital you get the logs, you'll just have to try to guess the password. I'm afraid there's no tool to help. You can't even use the Registry entry: the password is stored encrypted itself.


RE: Recover encrypted chat logs. by muratyilmaz on 05-18-2006 at 12:39 PM

So, how does the application decrypt logs? I'm a programmer, and I know all encryption algorithms are based on basic encryption. If the application can decrypt it, I think the coder can do that.

If you want, I can send you the logs. I don't want the method to open them; I just need the opened logs.

:( thank you all for your hard help


RE: Recover encrypted chat logs. by RaceProUK on 05-18-2006 at 12:41 PM

I don't think anyone's explained it fully: the password is the encryption key. Without the password, you won't have the encryption key, and therefore can't easily decrypt the logs.

Sorry, but that's how it is. I sincerely hope you find your friend though, however you manage to do it.


RE: Recover encrypted chat logs. by muratyilmaz on 05-18-2006 at 12:47 PM

I see.

You said "the password is the encryption key". So how can the application know the password is true or wrong?


RE: Recover encrypted chat logs. by RaceProUK on 05-18-2006 at 12:50 PM

I think, but don't quote me on it, that the first few bytes of the file, if correctly decrypted, are a kind of 'checksum'. I don't know the encrypted format in any detail, but that's how I guess Plus! can tell the right password.


RE: Recover encrypted chat logs. by muratyilmaz on 05-18-2006 at 01:00 PM

Race,

You are right, Plus! needs the first few bytes to check whether the password is correct or not. It means all logs may have the same first few bytes, so these bytes can tell the coder the password encryption, even the password.

Am I right?


RE: Recover encrypted chat logs. by Ezra on 05-18-2006 at 01:36 PM

If that's true you should be able to do an analytical attack, but it could still take years and it's very difficult :P


RE: RE: Recover encrypted chat logs. by CookieRevised on 05-18-2006 at 05:37 PM

quote:
Originally posted by raceprouk
the password is stored encrypted itself.

The password isn't stored at all.

quote:
Originally posted by muratyilmaz
You are right, Plus! needs the first few bytes to check whether the password is correct or not. It means all logs may have the same first few bytes, so these bytes can tell the coder the password encryption, even the password.

Am I right?

No

As said, the password itself is the encryption key. This means that every file encrypted with a different password has different "starting"[*] bytes as the "checksum"[*] is obviously encrypted too.

You cannot reverse engineer the encrypted bytes to catch the password, in any way.

In fact, the password is not stored in the file at all; it is just used as the key to decrypt (thus doesn't need to be stored anywhere anyways).

The only way you could decrypt an encrypted log successfully without knowing the password is by applying a brute force attack to the file. And that can take, without exaggerating, thousands of years[**].

--

[*]Raceprouk, the special 'checksum' bytes aren't located at the beginning of each file. And the 'checksum' isn't a checksum but a specific word as you can read in one of the threads about the log format.

What Plus! does to check if a password is correct or not is decrypting that encrypted word with the given password and if that specific word isn't what it should be, it knows the password wasn't correct. Again, the password is not stored in the file itself, nor the length, nor any other thing to know even the slightest thing or get the slightest hint about the password.


[**]To have an idea:
If a password has a maximum length of 10 characters (note that the password can actually be far longer than that) and can contain all printable characters, you have 60.510.544.115.717.378.340 possible passwords. Say an average computer can process roughly 35.000.000 passwords per second (which would be relatively fast though), it would still take you more than 55.000 years!
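
The password check described in the post above, as an added example that is not part of the original thread and is not Plus!'s own code or file format: the key is derived from the password, a known word is encrypted together with the log, and a password is accepted only if that word decrypts correctly. The marker word, the file layout, the PBKDF2 parameters and the HMAC-based keystream are assumptions made for this example so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical known word; the word Plus! really uses is not given on this page.
MARKER = b"KNOWNWORD"
SALT_LEN = 16


def derive_key(password: str, salt: bytes) -> bytes:
    # The key exists only while the password is being used; it is never written to the file.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Illustrative stream cipher: HMAC-SHA256 over a block counter is the keystream.
    # A real tool should use an authenticated cipher such as AES-GCM instead.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


def encrypt_log(password: str, text: str, salt: Optional[bytes] = None) -> bytes:
    # Constructed layout: random salt, then the encrypted marker followed by the encrypted log.
    salt = salt or os.urandom(SALT_LEN)
    key = derive_key(password, salt)
    return salt + keystream_xor(key, MARKER + text.encode("utf-8"))


def decrypt_log(password: str, blob: bytes) -> Optional[str]:
    salt, body = blob[:SALT_LEN], blob[SALT_LEN:]
    plain = keystream_xor(derive_key(password, salt), body)
    # A wrong password yields a different key, so the marker decrypts to garbage.
    if not hmac.compare_digest(plain[:len(MARKER)], MARKER):
        return None
    return plain[len(MARKER):].decode("utf-8")


if __name__ == "__main__":
    blob = encrypt_log("correct horse", "Session Start: constructed sample log")
    print(decrypt_log("correct horse", blob))  # the original text
    print(decrypt_log("wrong guess", blob))    # None
```

The stored bytes contain neither the password nor the marker in the clear, and the encrypted marker differs for every password, which is why comparing files gives no hint about the key.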

RE: Recover encrypted chat logs. by can16358p on 05-20-2006 at 08:44 AM

Uhm, I have an idea maybe it'll help.

Don't all chat logs start as:
.--------------------------------------------------------------------.
| Session Start: Date of the conversation                            |
| Participants:                                                      |

If we then can learn the encryption algorithm (which, I assume, only Patchou knows), we may find some possible values for the domain of the function. I mean; the data decrypted is known, and the encrypted part is known. Can't we find something with it? I know there won't be one result for this. But I've been thinking of catching something with these.


RE: Recover encrypted chat logs. by RaceProUK on 05-20-2006 at 01:11 PM

quote:
Originally posted by CookieRevised
Raceprouk, the special 'checksum' bytes aren't located at the beginning of each file. And the 'checksum' isn't a checksum but a specific word as you can read in one of the threads about the log format.

Hence why I used 'checksum' in inverted commas ;P

quote:
Originally posted by CookieRevised
The password isn't stored at all.

But you don't have to keep re-entering the password when new logs are created. I did find a value called 'LogEncryptionDataEx', which may not strictly be the password, but would be used to not require re-entering the password? Much like DataP is used for the Preferences Lock.


RE: RE: Recover encrypted chat logs. by CookieRevised on 05-20-2006 at 02:25 PM

quote:
Originally posted by can16358p
Uhm, I have an idea maybe it'll help.

Don't all chat logs start as:
.--------------------------------------------------------------------.
| Session Start: Date of the conversation                            |
| Participants:                                                      |

If we then can learn the encryption algorithm (which, I assume, only Patchou knows), we may find some possible values for the domain of the function. I mean; the data decrypted is known, and the encrypted part is known. Can't we find something with it? I know there won't be one result for this. But I've been thinking of catching something with these.

Logs don't necessarily begin with that though, normally they do... but you can't be 100% sure if you have a log in your hands from someone else. Logs are just a bunch of characters, it doesn't matter what they contain. So to base your reverse engineering on that is applying guesswork...

Anyways...
The encryption/decryption method is known, it isn't a secret. But without the password (as the key) you can do absolutely nothing with encrypted text/logs.

Also, as you said so yourself: the encrypted text is different each time (because the password was different), so what or how are you going to "catch" anything? With extremely basic "encryptions" (mind the quotes) where the encryption key is always the same you _could_ find something out, but reverse engineering encryptions (even if the encryption itself is dead easy) which use keys is as good as impossible.

So, no it isn't possible.... Moreover, what would the purpose be to "catch" anything? To know how the encryption method works? As said, that isn't a secret and is already known. But even knowing the encryption method, you cannot decrypt anything without the proper encryption key (which is what the password is used for).

---------------------------------------------

It is absolutely NOT possible to recover encrypted log files WITHOUT the exact correct password.

It is absolutely NOT possible to strip/catch/extract anything from the encrypted log files in a way you would get even the smallest hint of the password; the password is NOT even stored!

No matter what things or ideas people might come up with: it is NOT possible...

---------------------------------------------

quote:
Originally posted by raceprouk
quote:
Originally posted by CookieRevised
The password isn't stored at all.
But you don't have to keep re-entering the password when new logs are created. I did find a value called 'LogEncryptionDataEx', which may not strictly be the password, but would be used to not require re-entering the password? Much like DataP is used for the Preferences Lock.

That doesn't have anything to do with this (except for the fact that the password _may_ be stored there, but that will not help at all):

We are obviously talking about (not) stored stuff in the log files themselves to "break" the encryption. The registry won't help you at all in this, even if the password was stored unencrypted!!

People wanting to "recover" an encrypted log obviously haven't the (old) password stored in the registry (anymore), otherwise they wouldn't have the problem in the first place as Plus! would be able to open the log.


RE: Recover encrypted chat logs. by muratyilmaz on 05-20-2006 at 07:39 PM

Ok. I see, logs are not decryptable.

So, when I log in to MSN Messenger (and Plus! at the same time), it asks me for the password, right? Then I need to enter my password. This means Plus! knows my password and then checks it against the keys I enter. Does Plus! save the password anywhere?


RE: Recover encrypted chat logs. by Voldemort on 05-20-2006 at 07:51 PM

No, it doesn't. See CookieRevised's reply..


RE: Recover encrypted chat logs. by RaceProUK on 05-21-2006 at 08:41 PM

quote:
Originally posted by CookieRevised
except for the fact that the password _may_ be stored there

Hence why I said the key isn't strictly the password, like DataP. However, my guess is the value is used so the user doesn't have to keep re-entering the password.