As a part of a project, I'm trying to decrypt saved password in Google Chrome.
I know I need to read Login Data File which contains passwords and decrypt the passwords using the encrypted_key saved in Local State file.
My problem is with the encrypted_key. I can read it from Local State but before using it for passwords, I need to decrypt it. As I searched, it's base64 and protected using CryptoProtectData function. So I thought I should be able to unprotect it using CryptoUnprotectData function. but the function returns False and doesn't work. My code is as follows:
#define DPAPI_PREFIX_LEN 5
static char encoding_table[] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
'w', 'x', 'y', 'z', '0', '1', '2', '3',
'4', '5', '6', '7', '8', '9', '+', '/' };
static char* decoding_table = NULL;
void build_decoding_table() {
decoding_table = malloc(256);
for (int i = 0; i < 64; i++)
decoding_table[(unsigned char)encoding_table[i]] = i;
}
unsigned char* base64_decode(const char* data,
SIZE_T input_length,
SIZE_T* output_length) {
if (decoding_table == NULL) build_decoding_table();
if (input_length % 4 != 0) return NULL;
*output_length = input_length / 4 * 3;
if (data[input_length - 1] == '=') (*output_length)--;
if (data[input_length - 2] == '=') (*output_length)--;
unsigned char* decoded_data = malloc(*output_length);
if (decoded_data == NULL) return NULL;
for (int i = 0, j = 0; i < input_length;) {
uint32_t sextet_a = data[i] == '=' ? 0 & i++ : decoding_table[data[i++]];
uint32_t sextet_b = data[i] == '=' ? 0 & i++ : decoding_table[data[i++]];
uint32_t sextet_c = data[i] == '=' ? 0 & i++ : decoding_table[data[i++]];
uint32_t sextet_d = data[i] == '=' ? 0 & i++ : decoding_table[data[i++]];
uint32_t triple = (sextet_a << 3 * 6)
+ (sextet_b << 2 * 6)
+ (sextet_c << 1 * 6)
+ (sextet_d << 0 * 6);
if (j < *output_length) decoded_data[j++] = (triple >> 2 * 8) & 0xFF;
if (j < *output_length) decoded_data[j++] = (triple >> 1 * 8) & 0xFF;
if (j < *output_length) decoded_data[j++] = (triple >> 0 * 8) & 0xFF;
}
return decoded_data;
}
int dpapi_decrypt(unsigned char* encText, unsigned long encTextSize, char* decText)
{
DATA_BLOB in;
DATA_BLOB out;
in.pbData = encText;
in.cbData = encTextSize;
if (CryptUnprotectData(&in, encText, NULL, NULL, NULL, 0, &out))
{
for (int i = 0; i < out.cbData; i++)
decText[i] = out.pbData[i];
decText[out.cbData] = '\0';
return 1;
}
int err = GetLastError();
printf("error: %d\n", err);
return 0;
}
int key_decrypt(unsigned char* keyBase64, int keySize, unsigned char* decKey)
{
int key_decoded_len;
unsigned char* key_decoded = base64_decode(keyBase64, keySize, &key_decoded_len);
if (dpapi_decrypt(key_decoded + DPAPI_PREFIX_LEN, (key_decoded_len - DPAPI_PREFIX_LEN), (decKey)))
{
return 1;
}
return 0;
}
The line if (CryptUnprotectData(&in, encText, NULL, NULL, NULL, 0, &out)) in dpapi_decrypt function doesn't decrypt the key and returns False and err is 13. I really don't know what's wrong. Any ideas?
I analyzed some python and cpp codes with somewhat of same structure and they worked, but i couldn't find a proper C project that works and can help me.
Error 13 is ERROR_INVALID_DATA
Replace encText on the call to CryptUnprotectData with NULL or, a LPWSTR. You must not use the same pointer supplied in pDataIn blob. This will be filled by the function in case there was a description provided in the encrypted text.
Also, don't forget to free the memory from the output blob with LocalFree. And also ppszDataDescr if CryptUnprotectData fills it.