Vulnerability Development mailing list archives
Re: [Fwd: R: Oulook password]
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Tue, 18 Apr 2000 23:55:41 -0700
Couple of comments so far on this...

Old account info never seems to come out. At least, when I remove the account in Outlook Express, those keys stay behind.

Even if I set the same account to the same password again, nearly the whole key changes. If that is in fact a function of the password, then MS has gotten a little smarter with the local password storage... perhaps part of it is a random number used as a key to an encoding function.

For example, the one time I set the PW to "test", and I get this:

02 00 00 00 18 00 00 00 e4 ba c1 22 33 d7 80 d6 3a ad 9e bc b3 57 b1 db 51 9d c2 6c 33 83 e0 03 28 00 00 00 58 b0 48 76 e3 8e 09 ec fd 9c 3b 82 03 51 2d 58 73 c4 fc a2 50 32 28 d8 d6 c7 17 10 9f fe 64 bf 06 11 1e 60 2f de 69 ce

I set it to "test" again, I get this:

02 00 00 00 18 00 00 00 1b 89 33 fe ae 33 7d 99 33 ad c6 90 82 8a c0 a0 4b c1 af 8b c5 5f af 72 28 00 00 00 2b 02 dc 2c 2b 61 73 36 88 fe 36 61 99 98 6d 5b 9b 7d 85 4d b1 8a 4f 72 4e e5 41 f9 87 13 bd 1e 5e 2d 72 d8 4c 56 8d ee

The structure is very regular... Assuming 32-bit numbers, the first is 0x02, which I interpret to mean 2 items following. The next is 0x18, followed by 0x18=24 bytes. The next is 0x28, followed by 0x28=40 bytes. So, it's easy to pick out the relevant bytes (unless someone is getting a real different structure... I could be doing things wrong because I'm using "test" each time...)

Ok... setting it to 20 "a"'s turns the second length number into a 0x38=56. Lesse... test is 4 letters, 20 a's is 20. 56 is 16 more than 40. That can't be good for MS's alg. :) It also means this is likely the password key indeed. Of course, we already know that since Outlook can retrieve the PW, then so can we with the right code.

...oh, and if you paste in one of the keys, it decodes and sends the POP password as expected. :) So... for those that have someone else's reg key, and need to decode their POP password RIGHT NOW, this may work.

(out of curiosity, if someone wants to take one of the above keys and punch it in, Outlook ought to send "test" as the password... I'm curious if any of my other settings come out.) It's also possible it won't work due to some other dependency that isn't identified yet. Popping it onto your machine and trying it is one way to tell for sure. I hope I've typed it correctly.

Hey, as a side note... anyone got any interesting tools for poking at the registry? Regedit is apparently only willing to cut and paste back into itself... not notepad or my mail program. Are there third party regedits out there?

BB
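The layout described in the message above (a 32-bit item count, then length-prefixed items), written as a bounds-checked parser and run over the two quoted values. This is an added example, not part of the original post; the little-endian byte order and the function names are assumptions, and the code only splits and compares the fields without decoding them.

```python
import struct

# The two registry values exactly as quoted in the message (both for password "test").
BLOB_A = bytes.fromhex("""
02 00 00 00 18 00 00 00 e4 ba c1 22 33 d7 80 d6 3a ad 9e bc b3 57 b1 db 51 9d
c2 6c 33 83 e0 03 28 00 00 00 58 b0 48 76 e3 8e 09 ec fd 9c 3b 82 03 51 2d 58
73 c4 fc a2 50 32 28 d8 d6 c7 17 10 9f fe 64 bf 06 11 1e 60 2f de 69 ce""")
BLOB_B = bytes.fromhex("""
02 00 00 00 18 00 00 00 1b 89 33 fe ae 33 7d 99 33 ad c6 90 82 8a c0 a0 4b c1
af 8b c5 5f af 72 28 00 00 00 2b 02 dc 2c 2b 61 73 36 88 fe 36 61 99 98 6d 5b
9b 7d 85 4d b1 8a 4f 72 4e e5 41 f9 87 13 bd 1e 5e 2d 72 d8 4c 56 8d ee""")


def parse_fields(blob):
    """Split a blob into its items: u32 count, then (u32 length, bytes) per item.

    Little-endian is assumed. Any length that does not fit the blob is rejected.
    """
    if len(blob) < 4:
        raise ValueError("blob too short for item count")
    (count,) = struct.unpack_from("<I", blob, 0)
    offset, fields = 4, []
    for i in range(count):
        if offset + 4 > len(blob):
            raise ValueError(f"item {i}: truncated length prefix")
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError(f"item {i}: length {length} overruns blob")
        fields.append(blob[offset:offset + length])
        offset += length
    if offset != len(blob):
        raise ValueError(f"{len(blob) - offset} trailing bytes after last item")
    return fields


def compare(a, b):
    """Per item: (length in a, length in b, count of byte positions that match)."""
    return [(len(x), len(y), sum(p == q for p, q in zip(x, y)))
            for x, y in zip(parse_fields(a), parse_fields(b))]


if __name__ == "__main__":
    for n, (la, lb, same) in enumerate(compare(BLOB_A, BLOB_B)):
        print(f"item {n}: {la} vs {lb} bytes, {same} matching byte positions")
```

Both values parse into a 24-byte and a 40-byte item with almost no bytes in common, which matches the observation that the same password is stored differently each time while the item lengths stay fixed.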