Flag: Tornado! Hurricane!

Blogs >> oleavr's Blog

Created: Sunday, September 24 2006 13:15.41 CDT Modified: Sunday, September 24 2006 19:13.29 CDT
Printer Friendly ...
MSNP15 authentication scheme REd
Author: oleavr # Views: 65792

Just finished reverse-engineering the new authentication scheme introduced by MSNP15 (which appeared in the Windows Live Messenger 8.1 betas). No decompiled code was touched at all, oSpy was used exclusively to figure out everything. So here you go, a tiny python implementation that should be fairly self-explanatory.

import struct
from base64 import standard_b64encode, standard_b64decode
from Crypto.Hash import HMAC, SHA
from Crypto.Cipher import DES3
from Crypto.Util import randpool

CRYPT_MODE_CBC = 1
CALC_3DES      = 0x6603
CALG_SHA1      = 0x8004

def mbi_encrypt(key, nonce):
    def derive_key(key, magic):
        hash1 = HMAC.new(key, magic, SHA).digest()
        
        hash2 = HMAC.new(key, hash1 + magic, SHA).digest()
        hash3 = HMAC.new(key, hash1, SHA).digest()
        
        hash4 = HMAC.new(key, hash3 + magic, SHA).digest()
        
        return hash2 + hash4[0:4]

    #
    # Read key and generate two derived keys
    #
    
    key1 = standard_b64decode(key)
    key2 = derive_key(key1, "WS-SecureConversationSESSION KEY HASH")
    key3 = derive_key(key1, "WS-SecureConversationSESSION KEY ENCRYPTION")
    
    #
    # Create a HMAC-SHA-1 hash of nonce using key2
    #
    
    hash = HMAC.new(key2, nonce, SHA).digest()
    
    #
    # Encrypt nonce with DES3 using key3
    #
    
    # IV: 8 bytes of random data
    iv = randpool.KeyboardRandomPool().get_bytes(8)
    obj = DES3.new(key3, DES3.MODE_CBC, iv)
    
    # XXX: win32's Crypt API seems to pad the input with 0x08 bytes to align on 72/36/18/9 boundary
    ciph = obj.encrypt(nonce + "\x08\x08\x08\x08\x08\x08\x08\x08")

    #
    # Generate the blob
    #

    blob = struct.pack("<LLLLLLL", 28, CRYPT_MODE_CBC, CALC_3DES, CALG_SHA1,
                       len(iv), len(hash), len(ciph))
    blob += iv + hash + ciph
    
    return standard_b64encode(blob)

So the new authentication scheme basically goes like this:
1. Connect to the notification server as usual, but when sending the initial USR, you should send:
>> USR 19 SSO I foo@hotmail.com
and in the reply you get the nonce as the last parameter, and the policy parameter should be set to MBI:
<< USR 19 SSO S MBI <nonce>
2. Authenticate with Passport 3.0 (documented in MSNPiki), requesting a token for "messengerclear.live.com" with policy URI set to "MBI". In the response, store the security-token (RequestedSecurityToken.BinarySecurityToken) and proof-token (RequestedProofToken.BinarySecret).
3. Call mbi_encrypt() with key=proof-token and nonce=nonce, and store the base64-encoded blob returned.
4. Send the final USR to the notification server:
>> USR 20 SSO S <security-token> <blob>
and, if successful you should receive:
<< USR 20 OK foo@hotmail.com 1 0




Add New Comment
Comment:









There are 30,782 total registered users.


Recently Created Topics
How can I write olly...
Oct/05
Career: Malware Reve...
Sep/30
How to produce separ...
Sep/20
How to decompile a f...
Sep/16
How to trap mouse cl...
Sep/03
Intel pin in loaded ...
Jun/27
Going to do today wi...
Jun/27
how to create delphi...
Jun/27
enabling menu in a s...
Jun/18
How to get the Image...
Jun/17


Recent Forum Posts
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack
looking for a softwa...
raxen
Documenting reversed...
raxen
.orpc section what's...
mbin


Recent Blog Entries
oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

oleavr
Apr/17
frida.re 1.2.0 is out, with...

More ...


Recent Blog Comments
djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

newlulu on:
Jun/10
Branch tracing and LBR acce...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit