Vulnerability Development mailing list archives

Re: [Fwd: R: Outlook password]


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Tue, 18 Apr 2000 23:55:41 -0700


Couple of comments so far on this...

Old account info never seems to come out.  At least, when I remove the
account in Outlook Express, those keys stay behind.

Even if I set the same account to the same password again, nearly
the whole key changes.  If that is in fact a function of the
password, then MS has gotten a little smarter with the local password
storage... perhaps part of it is a random number used as a key
to an encoding function.

For example, the one time I set the PW to "test", and I get this:

02 00 00 00 18 00 00 00
e4 ba c1 22 33 d7 80 d6
3a ad 9e bc b3 57 b1 db
51 9d c2 6c 33 83 e0 03
28 00 00 00 58 b0 48 76
e3 8e 09 ec fd 9c 3b 82
03 51 2d 58 73 c4 fc a2
50 32 28 d8 d6 c7 17 10
9f fe 64 bf 06 11 1e 60
2f de 69 ce

I set it to "test" again, I get this:

02 00 00 00 18 00 00 00
1b 89 33 fe ae 33 7d 99
33 ad c6 90 82 8a c0 a0
4b c1 af 8b c5 5f af 72
28 00 00 00 2b 02 dc 2c
2b 61 73 36 88 fe 36 61
99 98 6d 5b 9b 7d 85 4d
b1 8a 4f 72 4e e5 41 f9
87 13 bd 1e 5e 2d 72 d8
4c 56 8d ee

The structure is very regular..

Assuming 32-bit numbers, the first is 0x02, which I interpret to
mean 2 items following.  The next is 0x18, followed by 0x18=24
bytes.  The next is 0x28, followed by 0x28=40 bytes.  So, it's
easy to pick out the relevant bytes (unless someone is getting
a really different structure... I could be doing things wrong
because I'm using "test" each time..)

Ok.. setting it to 20 "a"'s turns the second length number into
a 0x38=56.  Let's see... "test" is 4 letters, 20 a's is 20.  56 is
16 more than 40.  That can't be good for MS's alg. :)  It also
means this is likely the password key indeed.

Of course, we already know that since Outlook can retrieve the
PW, then so can we with the right code.

...oh, and if you paste in one of the keys, it decodes and
sends the POP password as expected. :)  So... for those that
have someone else's reg key, and need to decode their
POP password RIGHT NOW this may work.  (out of curiosity, if
someone wants to take one of the above keys and punch it in,
Outlook ought to send "test" as the password.. I'm curious
if any of my other settings come out.)  It's also possible it
won't work due to some other dependency that isn't identified
yet.  Popping it onto your machine and trying it is one way
to tell for sure.  I hope I've typed it correctly.

Hey, as a side note... anyone got any interesting tools for poking
at the registry?  Regedit is apparently only willing to cut and
paste back into itself.. not notepad or my mail program.  Are
there third party regedits out there?

                                BB
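The layout read off the two dumps above (a 32-bit count, then per item a 32-bit length and that many bytes) is easy to check mechanically. The following parser is an added example, not code from the post or from Microsoft; it assumes the fields are little-endian 32-bit integers (the post only says "32-bit numbers", but `02 00 00 00` reading as 2 implies little-endian). It uses the two "test" blobs transcribed from the post as its only input, reports the item layout, refuses malformed values instead of silently misreading them, and counts how many byte positions differ between the two encodings of the same password, which is the observation the post makes about the random component.

```python
import struct
from typing import Dict, List

# Both values below are transcribed from the post above; each was stored for
# the password "test", so any difference between them is not due to the password.
BLOB_A = bytes.fromhex(
    "02000000 18000000"
    "e4bac12233d780d6 3aad9ebcb357b1db 519dc26c3383e003"
    "28000000 58b04876 e38e09ecfd9c3b82 03512d5873c4fca2"
    "503228d8d6c71710 9ffe64bf06111e60 2fde69ce"
)
BLOB_B = bytes.fromhex(
    "02000000 18000000"
    "1b8933feae337d99 33adc690828ac0a0 4bc1af8bc55faf72"
    "28000000 2b02dc2c 2b61733688fe3661 99986d5b9b7d854d"
    "b18a4f724ee541f9 8713bd1e5e2d72d8 4c568dee"
)


def parse_blob(blob: bytes) -> List[bytes]:
    """Split a value into its items: a 32-bit LE item count, then for each
    item a 32-bit LE byte length followed by that many bytes (assumed layout,
    taken from the post's reading of the dumps).  Any inconsistency raises
    ValueError so a truncated or foreign structure is reported, not misread."""
    if len(blob) < 4:
        raise ValueError("blob too short to hold an item count")
    (count,) = struct.unpack_from("<I", blob, 0)
    offset = 4
    items: List[bytes] = []
    for index in range(count):
        if offset + 4 > len(blob):
            raise ValueError(f"item {index}: length field runs past end of blob")
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError(
                f"item {index}: {length} bytes declared, {len(blob) - offset} remain"
            )
        items.append(blob[offset:offset + length])
        offset += length
    if offset != len(blob):
        raise ValueError(f"{len(blob) - offset} trailing bytes after the last item")
    return items


def describe(blob: bytes) -> Dict[str, object]:
    """Summarise the layout: item count, each item's length, total size."""
    items = parse_blob(blob)
    return {"count": len(items), "lengths": [len(i) for i in items], "total": len(blob)}


def is_well_formed(blob: bytes) -> bool:
    """True when the count/length fields account for exactly the whole blob."""
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def per_item_differences(a: bytes, b: bytes) -> List[int]:
    """For two values with the same item lengths, count the byte positions in
    each item that differ.  Same password, near-total difference means the
    stored form depends on something besides the password (e.g. a random key)."""
    items_a, items_b = parse_blob(a), parse_blob(b)
    if [len(i) for i in items_a] != [len(i) for i in items_b]:
        raise ValueError("item lengths differ; values are not comparable byte-wise")
    return [sum(x != y for x, y in zip(ia, ib)) for ia, ib in zip(items_a, items_b)]


if __name__ == "__main__":
    for name, blob in (("A", BLOB_A), ("B", BLOB_B)):
        print(name, describe(blob))
    diffs = per_item_differences(BLOB_A, BLOB_B)
    print("bytes differing per item:", diffs, "of", describe(BLOB_A)["lengths"])
    print("truncated copy well-formed?", is_well_formed(BLOB_A[:-1]))
```

Run against the two dumps, `describe` confirms the post's reading (2 items, 24 and 40 bytes, 76 bytes in all), and the second item differs in every one of its 40 positions while the first differs in 23 of 24, so the value clearly carries per-encoding randomness. Feeding it the 20-"a" value the post mentions should report lengths of 24 and 56; a value cut short by even one byte is rejected rather than parsed.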

