08 April 2015

Cracking the user’s passwords in Outlook Express v.6.0 and Microsoft Outlook 2000 programs

I found this in the depths of my hard drive. I wrote this tutorial 12 years ago but contents is useful for now. I used to use SoftIce, but now IDA for Windows is a better choice. I return to this tutorial becouse currently I try to find out how secure are passwords in trading platforms.
This tutorial will consider achieving the user’s passwords in the mail programs Outlook Express v 6.0 and Microsoft Outlook 2000. I have got both of the programs installed in my Windows 2000 Server system. I decided to describe the two programs as one of them is absolutely for free – Outlook Express v 6.0, while the other is not, being a part of Microsoft Office 2000 packet. It is expected that the paid for version of the mail program guarantees at least minimum safety degree – I am not going to hide that, as the part of the program being responsible for coding the information was made by cryptography experts indeed. As for the protection of the passwords in the program, it is apparent that it was done by the experts of Microsoft. All listings of the codes come from the Outlook Express v.6.0, as I haven’t found the possibility to manage the identities and thus, the password responsible for logging in a mail box is the only possible password here. However the code in each program was the same, that is why the method will be effective for both.

Screen no.1 – Info window - Outlook 2000 (polish version)

I was cracking into Outlook Express v. 6.0 program first. When I realized how easy is to crack the passwords. I decided to measure the time needed to crack the code in a paid for version of the Outlook 2000. My measurement began at the point of running the program – with the SoftIce already installed in the memory, obviously. The procedure of cracking the code took 2 minutes and 40 seconds. Most of that time was spent for moving between windows and setting breakpoints there was no security code, as I did not encounter any security system at all. Once you make familiar with the method, the password can be broken in 1 minute.
The main tasks are:
- Getting the password which activates a mail program for a certain user – programs’ identities – screen no.3
- Getting the password responsible for logging in a mailbox of a certain user – screen no.2
- Illustration of how dangerous using the mail programs Outlook Express v.6.0 and Microsoft Outlook 2000 may appear to be, no matter what kind of a system they are working in
Most of the crackers for sure remember that cracking an arbitrary password from edit controls, in which the Windows 98 inserted pips (‘ * ’) could be done in a really easy manner. Well-doing SnadBoys’s Revelation program could detect any password hidden behind the pips in the Windows 98 system.
With reference to cracking passwords in Outlook Express, Snadboy’s Revelation it happens in two ways:
- In Windows 2000 systems, passwords hidden behind the pips cannot be revealed with the usage of the Snadboy’s Revelation. This fact counts when the properties window is accessible – screen no. 2. An access to the window that configured mail box is possible provided there is no password that activates the mail program, or we know this password for a certain user, or that we get it illegally. An access to the properties window is essential, because it is there that the hidden password that login into mail server is kept. Any password hidden behind the sequence of pips can probably be detected. I will try to demonstrate in this tutorial session that getting the passwords is not a difficult task assuming we have got some necessary tools. I found NuMega SoftIce Driver Suite in internet lately ( the searching for a new packet working in every Windows system had not taken a plenty of time – KaZaA found it without any problems under SoftIce 6 Full name. A size of the packed install file is about 35 MB). After installing it in my Windows 2000 Server the program runs with no errors and allows doing really interesting things. Obviously the SoftIce itself has remained almost unchanged since putting SoftIce v.4.5 for Windows on the market. Basic commands look alike.

Screen no.2 – Account properties - Outlook Express v.6.0

- In case of a password responsible for logging into mail server things are a little bit more complicated. When one uses a mail program, most often he or she uses one password permanently, hoping it cannot be got illegally by crackers. Once you are precocious and do not write the password into computer’s memory, he or she automatically prevents anyone from cracking it. Thus using the introduced method would bring no effect. It is so, because the only thing that cracker can do is to take pips off the screen no.2. This is the only way of getting a login password without any modifications of a mail program. In my considerations I exclude cases in which a victim has some kind of a sniffer, a trojan or his or her activities with the computer are simply followed. The matter is of different nature in case of getting passwords for each certain identity in a mail program. Here there are no pips and the user must give the right password if he or she wants to run a program – there is a window in screen no.3, in which you write a password for a chosen user. When the idea of cracking the passwords in a mail program dawned on me, I was worried that I would have to face struggling through thousands of complicated manuals, I was worried of running into functions that I do not know at all. What worried me most was an identities’ passwords coding algorithm – I had expected having to reverse a complex algorithm, and hoped to create a patch which would enable me to loging in without knowing the right password. I was muchly surprised again, having found that no algorithm exists and that reversing it will not be necessary.

Screen no.3 – Identity window - Outlook Express v.6.0

Basically, cracking always begins by an analysis of any protection. In our case there is no protection. If one claims that the password hidden behind the pips or comparing chains of signs is a protection, he or she should break some “crackme” for beginners – there is more work to do there.
The aim is to get familiar with the passwords. In case of the password to a mail program, we do not need to know it at all in order to run the program for an arbitrary user, however, knowing it enables us to run the program without seeking for it in a program’s code or modifying it. As for the mail box login password – knowing it is essential because a mail program sends it to a server, where it is being compared (at least this is how I understand the basis of a protection systems). In such case, modification of a checking procedure in server seems to be an only possible solution to log in without knowing the password – an impossible thing for me.
Let’s now present the sequence of activities to be performed:
1. We install NuMegaSoftIce Driver Suite (a clear description of a program can be found in help – I am not going to write about details of installing and running it).
2. In order to get to the mail program it is essential to know a certain user’s password. Basically it is not always that the users use this passwords, but if you run into them, you can break them in 10 seconds.
3. The most valuable is a password that logs in a server. Once you get to know it, you will be able to login in others’ mail boxes from your own mail program with the usage of internet addresses. I was thinking about how the passwords can be achieved and what is the aim of doing so. The aim is your own business. When to do that and not be noticed? Frankly, I do not know – I have been cracking the codes at my friends’ and at my home. At work, where many people use the same computer and the same mail program it appears not to be difficult at all, as it takes about 20 minutes to install a debugger and to get all the passwords. In the future I will try to write a program whose task would be modification of the sets responsible for passwords’ servicing – thus there will be no need to run a debugger and even if one does not know an assembler he or she will be able to get the password of other person.
4. We run the mail program and choose the identity whose program access password we want to get to know.
5. Basically we do not need to write anything in the space provided for a password – the comparison will be done anyway.
6. We press [ Ctrl + d ] an in the line of commends of SoltIce we write:
bpx GetDlgItemTextA
This is a breakpoint for a function that is responsible for taking a text from edit control. In our case the procedure will take the password and next compare it with the correct one and the breakpoint will allow us to follow the whole process in debugger window.
7. We press [F5] at first in order to close debugger window and then [ok] button. SoftIce window will appear immediately. Debugger shows the place where the function come from, we are interested in the place of its calling.
8. We press [F11] and find ourselves in a place of calling the function, which is:
001B:6B2C7017   FF15EC102C6B   CALL [USER32!GetDlgItemTextA]
001B:6B2C701D   8D4DE8         LEA ECX, [EBP-18]
001B:6B2C7020   8D85E8FDFFFF   LEA EAX, [EBP-0218]
The above part of a code is proceeded in the beginning. Basically, we can analyze the following instructions but it is absolutely useless. The second instruction clarifies everything. An address containing the right password is loaded into the ECX register. Our task is to read it.
9. We press [F10] until the last instruction of the listing is executed. The last instruction loads an address with the password completed by us into EAX register.
10. Now it is enough to write the following in SoftIce’s commend line:
d ecx
and the password proper for the chosen identity will appear in a data window. The next instructions are responsible for comparing the proper password either the one written by us. Basically, it is possible to follow the process step by step, however it does not make any sense as long as we do not want to modify a procedure in order to make any password correct. As far as I remember it is enough to change two conditional steps and be glad about cracking the code.
11. We protect the trap – in debugger’s commend line we write:
bd 0
We write ‘0’, because the breakpoint’s number is 0, in order to get to know all the breakpoints and to check their numbers we write bl in the commend line.
12. Once a mail program is run, we look for the properties of the account we are interested in.
13. In menu Tools->Account we choose account we are interested in and press [Properties] button.
14. In Servers mark – look Screen no.2., Password edit indicator is most important for us. If there are pips in it, it means that the user had written login password, the same for every activation of his or her mailbox. It means that our only task would be cracking the pips.
15. Press button [Apply] is an important element. To make it active it is enough to change a little a window – it is not suggested to change the password – one cam add one letter which can be next deleted – this would activate the button.
16. We press [Ctrl+d] again and thus activate a breakpoint for the function GetDlgItemTextA – to do this it is enough to write the following in the commend line:
be 0
0 is the number of a breakpoint
17. We exit SoftIce [F5] and then press the button [Apply].
18. Debugger’s window appears immediately.
19. We press [F11] to see where the function GetDlgItemTextA was recalled from.
001B:6AD9838E   57           PUSH EDI
001B:6AD9838F   50           PUSH EAX
001B:6AD98390   68D6070000   PUSH 000007D6
001B:6AD98395   FF7508       PUSH DWORD PTR [EBP+08]
001B:6AD98398   FF158812D86A CALL [USER32!GetDlgItemTextA]
001B:6AD9839E   3BC3         CMP EAX, EBX
After the SoftIce’s window has been displayed, the program stops at the 001B:6AD9839E address. Things put aside before the function GetDlgItemTextA are the most important for us. In order to know its arguments it is necessary to set another breakpoint for address. To do this write in the commend line: ( an address depends on the place in computer’s memory, where there is a library – this address can be changed at your computer!!! ) – the first line of listing is the address, actually.
bpx 001B:6AD9838E
Press [F5] next to exit debugger. To activate the button [Apply] once more you need to change anything in a window – it can be anything except for the password. If you press [Apply], SoftIce will appear immediately. Now your position is an instruction at the 001B:6AD9838E address. To follow steps of the instruction press [F10]. When you are at the point of calling the function stop. In the commend line write the following:
d eax
The above instruction shows a sub address’ contents in a data window. The sub address had been placed in EAX register. A mailbox login should now appear in a data window. To crack the password now, it is enough to carry out a calling of the GetDlgItemTextA function – that is, to press [F10]. When debugger starts to follow the instructions of the GetDlgItemTextA, you must exit it by pressing [F11]. The mailbox password that we are interested in appears immediately in a data window. At this moment all the breakpoints should be protected. If anyone’s attention has been drawn by the option: ‘Logging by safe authentication of a password’ - shown in Screen no.2 – we do not mind it at all, it is not going you be an easy task to find a method of protection against this kind of cracking the passwords – I hope I am wrong – we will see - the time will show.
At this point my description is finished. I am not sure it the above method of protecting the passwords is going to be used in newer Microsoft’s products. I forgot to write which library executes mailbox service – it’s msoeacct.dll. It may be enough to change its contents in order to improve a level of protection in mail programs. In the meantime, I have thought up how to avoid installing SoftIce in every computer that we want to crack a password. It would be enough to modify the library in such a way that it writes a user’s login in a file before the function is called, and after it is called to write in the password for this certain login. This, however, is a task for those whose job is creating viruses, because some codes must be added to the library for sure. Maybe I will set about doing this in the future, but meanwhile someone could check whether such methods of cracking passwords are possible in the newer versions of mail programs. This method is probably successful in Windows XP – it should be checked, however. Maybe it is not in LongHorn.

Thx for A.M