The only reference to this format I could find is a request on the 'John the Ripper' mailing list asking if anyone had looked into this before.

No one has answered that email since 2014, so it's time to dig into the code!

Static Analysis

I used procmon to get stack traces prior to calls to *RegSetValueExW* and discovered that *CryptProtectData* is called just before the data is saved in the registry.

I then disassembled the main binary (*./JamUI/Pulse.exe*) with Radare2 and discovered that the client indeed relies on the **Windows Data Protection API** (DPAPI) to encrypt credentials.

I checked MSDN and noted that the first parameter to the function is a DATA_BLOB which holds the plaintext, the second is a data description, while the third is another DATA_BLOB holding an optional entropy parameter.
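The role of the optional entropy parameter of *CryptProtectData*, shown as an added example that is not code from the original post or from the Pulse client. It uses the .NET `ProtectedData` wrapper, which exposes the plaintext and the optional entropy but not the description string; the secret and entropy values are constructed, and `Test-Unprotect` is a hypothetical helper name.

```powershell
# Added example: DPAPI round trip through the .NET wrapper around
# CryptProtectData / CryptUnprotectData. All values below are constructed.
Add-Type -AssemblyName System.Security   # required on Windows PowerShell 5.1

$scope     = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$plaintext = [System.Text.Encoding]::Unicode.GetBytes('constructed-sample-secret')
$entropy   = [System.Text.Encoding]::ASCII.GetBytes('constructed-entropy-value')

# First argument  -> the DATA_BLOB holding the plaintext.
# Second argument -> the DATA_BLOB holding the optional entropy.
# The description string is not exposed by this wrapper.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($plaintext, $entropy, $scope)

# Hypothetical helper: try to unprotect a blob with the given entropy and
# report the outcome instead of throwing.
function Test-Unprotect {
    param([byte[]]$Blob, [byte[]]$Entropy)
    try {
        $clear = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $scope)
        return 'OK: ' + [System.Text.Encoding]::Unicode.GetString($clear)
    } catch {
        return 'Unprotect failed: ' + $_.Exception.Message
    }
}

# Same user, same entropy: the plaintext comes back.
Test-Unprotect -Blob $blob -Entropy $entropy

# Same user, no entropy: DPAPI refuses to unprotect the blob.
Test-Unprotect -Blob $blob -Entropy $null

# Same user, different entropy: also refused.
$other = [System.Text.Encoding]::ASCII.GetBytes('some-other-constructed-value')
Test-Unprotect -Blob $blob -Entropy $other
```

With the `CurrentUser` scope, any process running as that user and supplying the same entropy can unprotect the blob, so the entropy only adds protection when its value is not available to other processes.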