Shoutbox

Hello.

I just thought I'd post this up here incase it helps anyone. Attached is a tool to encrypt or decrypt log files, I'll bring out a tool which will encrypt/decrypt a whole directory when I have more time.

To decrypt Messenger Plus! log files (C++):


Fileformat of .ple files

First 10 bytes are the same for all log files.
const char standardHeader[] = {0x10,0x01,'M','P','L','E','1','<','<',0};

The next 4 bytes, I'm not sure what they are for, but in all log files I've seen they are
const char unknownbytes[] = {1,0,0,0};

After this is the length of the password check string (4 bytes). This is usually 13
Then comes the encrypted password check string. Ill talk about how to decrypt it later.


All that was the header. For the rest of the file, it is in multiple chunks of data.
Each of these chunks start with the 'signature' :
const char sig[] = {0xE9,0xFF,0xA3,0x00};
After this, there is the length of the following data (4 bytes).
Then there is the encrypted text.



To decrypt text :

Messenger Plus! uses the CryptoAPI to encrypt and decrypt text.
This is set up with the following call
CryptAcquireContextW(&hProv,L"MessengerPlusEncryptProvider",L"Microsoft Enhanced Cryptographic Provider v1.0",1,0);

I discovered that for some reason, the password is scrambled, and that the password is unicode (2 bytes).
The algorithm for this in pseudo code is:

for i = 0 to length of password - 1
        newpassword [i] = password[i] + password [i + 1]
next i
newpassword[last letter] = password[last letter] + password[0]


The calls to continue setting up so that you can decrypt text are:

CryptCreateHash(hProv,0x8003,0,0,&hHash);
CryptHashData(hHash,newpassword,len,0);
CryptDeriveKey(hProv,0x6801,hHash,0x800000,&hKey);

This final call gives you a HCRYPTKEY which you can use in the CryptEncrypt and CryptDecrypt functions on the text

Sorry if this is all a bit confusing, I dont think i formatted it, or explained it very well

Solus


Edit - I replaced the file with one which has the VC runtime library statically linked, so it *should* work now

Edit 2 - Ok, so I converted it all to unicode, and made a few changes so it'll run on computers which haven't got Messenger Plus on.

This thread was temporarily moved to a staff-only forum for a few days, pending approval from Patchou, who is busy coding.

He finally replied about an hour ago, and he doesn't seem to have a problem with this thread, so I have moved it back.

Thanks for the tool, will come in handy

seems like the file is corrupt

quote:

---

Originally posted by WDZ
he doesn't seem to have a problem with this thread

---

TBH, I was extremely surprised reading that...

quote:

---

Originally posted by solus
Attached is a tool to encrypt or decrypt log files

---

Your tool does not work!; it doesn't start...




--------

PS: The explanations are indeed a bit confussing, but I'm not going to explain it in a better way to keep this somewhat away from "script kiddies" though

Though:

quote:

---

Originally posted by solus
This is usually 13

---

It is always 13. Though, nothing says this could be changed in the futur. Although I doubt it for backward compatibility reasons.

quote:

---

Originally posted by solus
I discovered that for some reason, the password is scrambled, and that the password is unicode (2 bytes).

---

The password is "scrambled" for better security (so the API isn't called with the text password in plain sight). Although that didn't kept you from discovering it though, hehehe

But more importantly, the password is unicode because you can enter unicode characters. Remember that this also has implications of how the password is scrambled. Your pseudo-code is correct (appart from "0 to length" which should be "length-1") although lacks the big notice that all characters must be interpreted as unicode characters, as that is what they are, not as ascii characters.

(and this is also where one of those bugs were in old Plus! versions in regards to the "changing password")

PS2: And don't forget to destroy the handles of the key, hash and crypto provider.

I'm not sure what the problem is. I just tried downloading it and it works fine on my computer....

Maybe it requires a DLL file you havent got?
Have you got MSVCR80.DLL?

Thanks for moving it back WDZ

quote:

---

Originally posted by solus
I'm not sure what the problem is. I just tried downloading it and it works fine on my computer....

Maybe it requires a DLL file you havent got?
Have you got MSVCR80.DLL?

Thanks for moving it back WDZ

---

I get the same error and a system search did not turn up the dll.

Try putting this DLL in the same folder as the exe.

If that doesn't  work, install the C++ runtime maybe? I don't know...

quote:

---

Originally posted by solus
Try putting this DLL in the same folder as the exe.

If that doesn't  work, install the C++ runtime maybe? I don't know...

---

I put the dll in the same directory as the exe, as well as in C:/Windows/System but I still get the same error message.

As for installing the C++ Runtimes, I dont actually have a use for this tool at the moment so I dont feel like going through the trouble.

Very good job deciphering the logs though!

quote:

---

Originally posted by .Norma

I put the dll in the same directory as the exe, as well as in C:/Windows/System but I still get the same error message.

---

Ok, I'll test it out a bit more and see if I can find the problem

quote:

---

Originally posted by .Norma

Very good job deciphering the logs though!

---

Thanks