illmob.org

Trillian Passwords

March 27th, 2008 by Dev Team in News, Trillian

Trillian passwords are stored separately in per-service .ini files (e.g. msn.ini, yahoo.ini, aim.ini). These are stored in your Trillian directory (usually c:\program files\trillian\) in the “users” folder.

Within the users folder, the ini files will either be in a folder called “default” or a folder named after your username.

c:\program files\trillian\users\default\msn.ini

msn.ini contains:

[msn]
auto reconnect=1
save passwords=1
idle time=15
show buddy status=1
port=1863
server=messenger.hotmail.com
last msn=haxor@hotmail.com
connect num=10
connect sec=60
save status=1
ft port=6891
[profile 0]
name=haxor@hotmail.com
password=A347F2B74EE9A9F6

“password=A347F2B74EE9A9F6” is our encrypted password. The encryption used here is a simple XOR encryption of the original password, with the result then written out as hex.

A3 47 F2 B7 4E E9 A9 F6

To beat an XOR encryption, you need to know what each letter of the original password was XOR’d with. Thankfully, there is an easy way to find this out, so long as you know the original password. And, as you may guess, knowing the XOR key that Trillian uses to encrypt passwords is also the key to decrypting passwords that we don’t know!

First, we need to know what the hex value “A3” (the first value of the encrypted password) is in decimal. The value of “A3” is 163. The first letter of my password is “P”; therefore, to find out what Trillian XOR’d with my original “P” in order to get 163, we do the following calculation:

Numeric value of A3 = 163
Numeric (ascii) value of P = 80

Calculation: 80 XOR 163 = 243

243 is the number that the first character of your password is XOR’d with. We can test this by doing the process in reverse:

First letter of password = P
Ascii value of P = 80
XOR key for 1st char = 243
Calculation = 80 xor 243 = 163
163 in Hex = A3
Encrypted password so far: A3
Go on to 2nd character…and so on…

The xor key numbers for each char are (in order):

243, 038, 129, 196, 057, 134, 219, 146, 113, 163, 185, 230, 083, 122, 149, 124, 000, 000, 000, 000, 000, 000, 255, 000, 000, 128, 000, 000, 000, 128, 128, 000, 255, 000, 000, 000, 128, 000, 128, 000, 128, 128, 000, 000, 000, 128, 255, 000, 128, 000, 255, 000, 128, 128, 128, 000, 085, 110, 097, 098, 108, 101, 032, 116, 111, 032, 114, 101, 115, 111, 108, 118, 101, 032, 072, 084, 084, 080, 032, 112, 114, 111, 120, 000
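The calculation above, carried through for every character, as an added example that is not part of the original post. It derives key values from the post's sample (whose stored value decodes to "Password" under the listed key), checks them against the list, and flags .ini profiles whose stored password is reversible; the function names and SAMPLE_INI (constructed from the post's msn.ini excerpt) are assumptions of this example.

```python
import configparser

# XOR key values copied from the post's list (decimal, one per password position).
KEY = [int(n) for n in (
    "243 038 129 196 057 134 219 146 113 163 185 230 083 122 149 124 "
    "000 000 000 000 000 000 255 000 000 128 000 000 000 128 128 000 "
    "255 000 000 000 128 000 128 000 128 128 000 000 000 128 255 000 "
    "128 000 255 000 128 128 128 000 085 110 097 098 108 101 032 116 "
    "111 032 114 101 115 111 108 118 101 032 072 084 084 080 032 112 "
    "114 111 120 000").split()]

def recover_key(known_password, stored_hex):
    """Known-plaintext step from the post: key[i] = plain[i] XOR stored[i]."""
    stored = bytes.fromhex(stored_hex)
    plain = known_password.encode("latin-1")
    if len(plain) != len(stored):
        raise ValueError("password and stored value differ in length")
    return [p ^ c for p, c in zip(plain, stored)]

def xor_with_key(data, key=KEY):
    """XOR each byte with the key value at the same position."""
    if len(data) > len(key):
        raise ValueError("input is longer than the known key")
    return bytes(b ^ k for b, k in zip(data, key))

def encode(password):
    return xor_with_key(password.encode("latin-1")).hex().upper()

def decode(stored_hex):
    return xor_with_key(bytes.fromhex(stored_hex)).decode("latin-1")

def audit_ini(text):
    """Return (account, password_length) per profile with a reversible stored password."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        stored = cp.get(section, "password", fallback="")
        if section.startswith("profile") and stored:
            findings.append((cp.get(section, "name", fallback="?"), len(decode(stored))))
    return findings

# Constructed sample input, trimmed from the msn.ini excerpt in the post.
SAMPLE_INI = "[msn]\nsave passwords=1\n[profile 0]\nname=haxor@hotmail.com\npassword=A347F2B74EE9A9F6\n"

if __name__ == "__main__":
    print(recover_key(decode("A347F2B74EE9A9F6"), "A347F2B74EE9A9F6"))
    print(audit_ini(SAMPLE_INI))
```

Because the key is the same for every installation, one known password/stored-value pair is enough to reproduce it, so any finding from `audit_ini` should be treated as a plaintext password on disk.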

In Trillian Astra (versions 4.x-5.x), AIM, Yahoo, MSN and ICQ passwords are not saved locally; only your Astra account username and password are stored. Additionally, they are base64-encoded before being stored in the .ini file.

One Response to ' Trillian Passwords '

  1. Masupik said,

    on April 8th, 2010 at 2:39 am

    Great tips to follow. Being professional and showing them there’s more to come I think are the most important. You need to give them a great article, that makes them want to come back. And then make sure you don’t disappoint.