Thursday, June 22, 2006

Recovering Pocket Outlook passwords, part 2

Having a BLOB

Now it is time to recover the password from the protected BLOB. The first step is to get a valid BLOB; we do that by setting a breakpoint just before and just after the call to CryptProtectData().

Before:

BLOB = {
size=0x0A (10)
data=L"toto"
}


After:

BLOB = {
size=0x7E (126)
data=
00075C40 DCD 1
00075C44 DCD 0
00075C48 DCD 0
00075C4C DCD 0
00075C50 DCD 0
00075C54 DCD 0x20000000
00075C58 DCD 0
00075C5C DCD 0x6801
00075C60 DCD 0x10
00075C64 DCD 0x10
00075C68 DCD 0xFD7C53C
00075C6C DCD 0x5CD8C0A3
00075C70 DCD 0x7A39FA3F
00075C74 DCD 0xDA8959BD
00075C78 DCD 0
00075C7C DCD 0x8004
00075C80 DCD 0x10
00075C84 DCD 0x10
00075C88 DCD 0x65412C18
00075C8C DCD 0x6EDAE82
00075C90 DCD 0xE76ADC3
00075C94 DCD 0xC909937A
00075C98 DCD 0xA
00075C9C DCD 0x720053C6
00075CA0 DCD 0x6CD865A4
00075CA4 DCD 0x14C609
00075CA8 DCD 0xD5870000
00075CAC DCD 0x87F4EAE5
00075CB0 DCD 0xCBB1CE52
00075CB4 DCD 0x19CDF0BB
00075CB8 DCD 0xCC3F1E90
00075CBC DCD 0xCB6D

Finding the password store

Since passwords survive a reboot, this BLOB has to be stored somewhere in persistent storage. Under Windows CE 4.2, the most common way to do this is to use a Database.

Having a look at the system databases (using HPC Database Viewer, for example), we quickly find that the BLOB is stored in the "pMailFolders" database, under property identifier #0x8304.

Getting the password back

There are several steps to retrieve a cleartext password:
  • Getting the BLOB out of the Database;
  • Calling CryptUnprotectData() correctly.
Let's write a little piece of code that does both. Surprisingly, it works out of the box, which means that the CRYPTPROTECT_SYSTEM flag is not enforced by the kernel in my case!

In case CryptUnprotectData() fails, here are some tricks that could work:
  • Calling COREDLL!SetProcPermissions(-1);
  • The traditional WriteProcessMemory()/CreateRemoteThread() combination;
  • Understanding the CryptoAPI BLOB format, for hand decryption.
If you want to know more ... just send me PDAs :)
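The dump in "Having a BLOB" and the last trick above (understanding the CryptoAPI BLOB format) are easier to follow with a walk through the bytes. The following is an added example, not code from this post: its field layout is an assumption inferred from the dump (the desktop CryptoAPI DPAPI blob layout minus its master-key fields), under which the length fields account for exactly the 126 bytes reported, and the field names and the Reader helper are mine.

```python
# Field-by-field walk of the protected BLOB dumped above. Added example, not the
# author's tool. The layout is an ASSUMPTION inferred from the dump (the desktop
# CryptoAPI DPAPI blob layout minus its master-key fields); it accounts for
# exactly the 126 bytes (0x7E) reported after CryptProtectData().
import struct

# Constructed from the dump above: each DCD is a little-endian 32-bit word.
DUMP_WORDS = [
    0x1, 0, 0, 0, 0, 0x20000000, 0, 0x6801, 0x10, 0x10,
    0xFD7C53C, 0x5CD8C0A3, 0x7A39FA3F, 0xDA8959BD, 0, 0x8004, 0x10, 0x10,
    0x65412C18, 0x6EDAE82, 0xE76ADC3, 0xC909937A, 0xA,
    0x720053C6, 0x6CD865A4, 0x14C609, 0xD5870000, 0x87F4EAE5, 0xCBB1CE52,
    0x19CDF0BB, 0xCC3F1E90, 0xCB6D,
]
BLOB = struct.pack("<32I", *DUMP_WORDS)[:0x7E]  # size=0x7E: the last word is partial
CRYPTPROTECT_SYSTEM = 0x20000000  # the CryptProtectData flag named in the post
ALG_NAMES = {0x6801: "CALG_RC4", 0x8004: "CALG_SHA1"}  # standard CryptoAPI ALG_IDs

class Reader:  # cursor over the blob; every read advances it and checks bounds
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def u32(self):
        (v,) = struct.unpack_from("<I", self.buf, self.pos)
        self.pos += 4
        return v
    def raw(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated blob")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def counted(self):  # DWORD byte count followed by that many bytes
        return self.raw(self.u32())

def parse_blob(blob):
    """Return the assumed fields; raise if the layout does not consume the blob."""
    r = Reader(blob)
    f = {"version": r.u32(), "guid": r.raw(16), "flags": r.u32(),
         "description": r.counted(),                     # empty in this dump
         "crypt_alg": r.u32(), "key_len": r.u32(), "salt": r.counted(),
         "strong": r.counted(),                          # empty in this dump
         "hash_alg": r.u32(), "hash_len": r.u32(), "hmac": r.counted(),
         "data": r.counted(),   # ciphertext; RC4 is a stream cipher, so this is
         "sign": r.counted()}   #   exactly as long as the 10-byte L"toto" input
    if r.pos != len(blob):
        raise ValueError(f"layout consumed {r.pos} of {len(blob)} bytes")
    return f

def system_flag_set(fields):  # True when CRYPTPROTECT_SYSTEM is recorded in the blob
    return bool(fields["flags"] & CRYPTPROTECT_SYSTEM)
```

Under this reading the flags word carries CRYPTPROTECT_SYSTEM and the ciphertext is exactly as long as the input, so the stored blob already reveals the password length without any decryption.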

Greets: mao from oxid.it
