All Things IT Blog » Reverse Engineering http://www.enusbaum.com/blog My little nerded out corner of the Internets! Tue, 18 Oct 2011 20:22:58 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Semagic LiveJournal Client Password Decryption and Recovery http://www.enusbaum.com/blog/2007/02/semagic-livejournal-client-password-decryption-and-recovery/ http://www.enusbaum.com/blog/2007/02/semagic-livejournal-client-password-decryption-and-recovery/#comments Thu, 15 Feb 2007 18:09:07 +0000 eric http://www.enusbaum.com/blog/2007/02/15/semagic-livejournal-client-password-decryption-and-recovery/ Semagic (link) is a client application for LiveJournal (link).

Recently I needed to recover a password that was ‘remembered’ by Semagic, but it was hidden in the password field. Simple password unmasking applications weren’t helping me any as the field itself isn’t a simple password box.

After further investigation I was able to find where Semagic stores the saved passwords in the Windows Registry. It was obvious that the password was encrypted and was stored in it’s entire form. Since Semagic is open source, I was able to find the code block which served as its password decrypter:

[cpp] m_password = m_app->GetProfileString(userkey, _T(“password”), _T(“”)); //Gets Encrypted password from registry
enc = m_app->GetProfileInt(userkey, _T(“obscure”), 0); //Checks to see if the password is ‘obscured’

if (enc) { //If password is obscured
LPTSTR str = m_password.GetBuffer(m_password.GetLength()); //Password
LPTSTR key = new TCHAR[m_user.GetLength()+1]; //Sets Key Size (Username + 1)
_tcsncpy(key, (LPCTSTR) m_user, m_user.GetLength()+1); //Copies Username to Key
LPTSTR orig = key;

while (*str) {
if (!*key) //If we’re OOB on the key, reset it
key = orig;
*(str) -= ‘a’; //subtract the value of ‘a’, which is 97, from the encrypted value
*(str++) ^= *(key++); //XOR bitwise based on the key
}
key = orig;
m_password.ReleaseBuffer();
delete[] key;
}

[/cpp]

So needless to say it was just a matter of debugging and some time before I was able to port the decryption routine over to a stand alone C# application.

[csharp]

for (int iLoop = 0; iLoop < Convert.ToString(sPassword).Length; iLoop++)
{
int iInputCharacter = (int)Convert.ToChar(sPassword.ToString().Substring(iLoop,1));

if(iXORCharacter >= sUserName.Length) iXORCharacter = 0;

iInputCharacter -= 97;
iInputCharacter ^= (int)Convert.ToChar(sUserName.Substring(iXORCharacter, 1));

textBox1.Text += (char)iInputCharacter;

iXORCharacter++;
}

[/csharp]

I’ve compiled a quick little program that’ll extract the usernames from the registry and display their passwords:

Semagic Password Decrypter

This program is 100% safe and won’t e-mail your password to me or any other silly crap like that. I just figured someone out there would need it as well.

Cheers!

Link to this post!
]]> http://www.enusbaum.com/blog/2007/02/semagic-livejournal-client-password-decryption-and-recovery/feed/ 3