Hot Pursuit: Deciphering the Foxmail "Cipher Bible" (Loophole Research)

Source: Internet
Author: User
The mail client I use most is Foxmail 5.0, and I believe many other people use it too, because its interface is simple and it is powerful. While using Foxmail I found a problem: the Foxmail mailbox password is not safe! The problem exists in the official Foxmail 4.x and 5.0 releases (including the betas), so this is a reminder to take good care of your passwords.

Where is the encrypted Foxmail mailbox password saved?

Before we formally start, let me explain where Foxmail stores the mailbox password. Right-click your account (assume the account name is ABCDE), select "Properties" from the pop-up menu, and click "Mail Server"; there you will see the password displayed as "*" (Figure 1).

Any password-viewing tool can reveal what is behind the "*". In fact, you can see the Foxmail password even without such a tool!

When you choose to save the mailbox password, the encrypted password is stored in a file in the Mail folder under the Foxmail installation directory (with a default installation, generally C:\Program Files\Foxmail). In the Mail folder there is a folder named after your account (for example, if the account name is ABCDE, the Mail folder contains an ABCDE folder), and in it there is an Accounts.cfg file. Open it and you will see the ciphertext of your mailbox password.
Reproducing a well-known Foxmail vulnerability

As you all know, if you open "Explorer" or "My Computer", find the Foxmail folder and open the "Mail" folder inside it, you will find many folders named after account names. Go into the folder of the account you want to get into, rename or delete the Account.stg file, and then run Foxmail. You will find that the small "lock" on the mailbox is gone (an account with a password is marked with a small red "lock")! No password is needed now to read the protected mail!

Why does the Account.stg file have such "power" when it is copied into someone else's account folder? Open the file with Notepad and see what is in it (Figure 2)! It contains almost everything you set in Foxmail's "Account → Properties" menu (if you look carefully, you will find that the "Templates" item in "Properties" is not included), including the ciphertext of the encrypted mailbox password, which is the part after "pop3password=". Now let's talk about this interesting topic.



Foxmail Analysis

Let's assume that you have one and only one account in Foxmail: ABCDE. Its e-mail address is abcde@163.net and the password for this mailbox is 12345.

Open the Accounts.cfg file with Notepad. It begins with some unreadable content; further down you will see the following:

Mailaddress=abcde@163.net    // e-mail address
....................................
Pop3account=abcde
Pop3host=pop.163.net    // POP3 server address
pop3password=bb6dfb5df061    // ciphertext of the encrypted mailbox password
pop3port=110    // POP3 server port
printfont= XXFarEastFont-Arial, 9
Replyaddr=
Replyformat=1
Samewithpop=1
Smtphost=smtp.163.net    // SMTP server address
SMTPPORT=25    // SMTP server port
......

Before calculating the plaintext of the Foxmail mailbox password, please remember one word first: ~draGon~ (note that it is case-sensitive). It is the key Foxmail uses to encrypt the mailbox password. With that in mind, let's begin:

Step 1: Download the hexadecimal file editor UltraEdit. It is an excellent text, hex and ASCII editor with a built-in English spelling check and syntax highlighting for C++ and VB; it can edit several files at the same time and does not slow down even when opening a large file. It also offers colored HTML tags, search and replace, and unlimited undo, and it is often used to modify EXE or DLL files. You can download it here: Http://software.wx88.net/down/cuedit1010b.exe. After installation, run UltraEdit, type the word "~draGon~" (without the quotes) in its editing window, and then click "Hex Edit" under the "Edit" menu to find the word's hexadecimal code (Figure 3): 7E 64 72 61 47 6F 6E 7E. Record these as A1, A2, A3, A4, A5, A6, A7, A8, which I will call Ai.



Step 2: Remember a constant value: 5A (it is in fact also calculated from A1~A8 above, but I will not go into the method here). Record it as C0; we will use C0 below.

Step 3: Take the ciphertext of the encrypted mailbox password, in this case bb6dfb5df061, and split it into pairs of characters to get bb, 6d, fb, 5d, f0, 61, recorded as B1, B2, B3, B4, B5, B6. Because the total length of this ciphertext is 12, we can determine that the actual length of the mailbox password is 12÷2-1=5, that is, the mailbox password is 5 characters long.

Step 4: Calculate the values of Ci (Ci denotes a series of numbers, namely C1, C2, C3, C4, C5, ...). C1 is obtained by XORing C0 (hexadecimal 0x5a) with the first ciphertext byte (B1, which in this case is bb). Because C0=0x5a, C1=C0^0xbb=0xe1, where "^" represents the XOR operation. You can do the calculation with the calculator that comes with Windows: click "Start → Programs → Accessories → Calculator" to open it (Figure 4); the "Xor" button in the calculator performs the XOR operation. From this:

C1 is 0xe1

C2 is taken directly from B2: 0x6d

C3 is taken directly from B3: 0xfb

C4 is taken directly from B4: 0x5d

C5 is taken directly from B5: 0xf0

In this way, we get the crucial parameter Ci.

Step 5: XOR the ciphertext bytes, starting from the second one (B2), with the ASCII codes of the corresponding key characters (Ai). Since we already know that the password is 5 characters long, we XOR A1~A5 with B2~B6 respectively to get Di (the 5 values D1~D5). In our case, we get:

D1=B2^A1=6d^7e=13

D2=B3^A2=fb^64=9f

D3=B4^A3=5d^72=2f

D4=B5^A4=f0^61=91

D5=B6^A5=61^47=26

What if the ciphertext is longer (Foxmail allows passwords of up to 18 characters)? The method is the same as above; the only difference is that the values of Ai are reused cyclically when Di is computed. For example, if the ciphertext splits into 10 pairs (B1~B10), then D8 is calculated from B9 and A8, and D9 from B10 and A1. Do you see? That is, when the ciphertext is longer than the key, the key is reused from the beginning for the calculation.

Step 6: This is the last step: working out the plaintext of the account password. Compute Di-Ci to get Ei, where Ei is the plaintext decoded from the ciphertext. Note that if Di is less than Ci, use Di+0xff (0xff is hexadecimal FF, or decimal 255) and then subtract Ci. All right, open the calculator, and you get:

E1=D1-C1=31, converted to decimal: 1

E2=D2-C2=32, converted to decimal: 2

E3=D3-C3=33, converted to decimal: 3

E4=D4-C4=34, converted to decimal: 4

E5=D5-C5=35, converted to decimal: 5

Concatenate the results above and you get 12345, which is the mailbox password we set at the start! What do you think? Foxmail's cipher is not safe!

The process above is hard to describe in words and may not seem easy to follow, so Ai, Bi, Ci and Di are listed together in a table (Figure 5). Work through it yourself following the steps above and you will easily find the password, exactly the one we set beforehand! From this it can be inferred that ~draGon~ is the Foxmail key! If you think about it, this conclusion is not hard to guess from the name of Foxmail's original author, Zhang Xiaolong, because "dragon" is the English word for the "long" in his name. So how did I find the word "~draGon~"? Open the Foxmail main program Foxmail.exe with UltraEdit, click "Search → Find" (or press Alt+F3 directly) and enter draGon; the first match UltraEdit finds is "~draGon~"!



Note that the Ai, Bi, Ci, Di and Ei values mentioned above are all hexadecimal; make sure you do not confuse them. Also, once you have the Ei values, do not forget to convert them to decimal one by one (in this example, 0x31 to 0x35 are the ASCII codes of the digits 1 to 5); that is the real mailbox password! In addition, even for the same mailbox, if you change the password, save it, and later change it back to the original password, the password ciphertext you see in the Accounts.cfg file will not be the same as before. The result of this method does not change, however, which means the password can still be recovered with it.

Prevention methods

The above describes how the Foxmail password is cracked, and the method is very simple. So wherever a computer is shared, it is recommended that you do not save your mailbox password. When creating a new account, do not choose to save the password. If you have already saved it, right-click the account, select "Properties" in the pop-up menu, select "Mail Server" in the Account Properties window, and clear the contents of the password field. When you open the Account.stg file again, you will find that nothing follows "pop3password=", so you no longer need to worry about someone finding your password. At the same time, I suggest that the Foxmail developers change the encryption algorithm so that the software is more secure.
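
The six-step calculation and the prevention check above, as an added example that is not part of the original article: Python code that applies the steps to constructed account text built from the article's ABCDE values and reports whether a recoverable password is stored. The function names and the sample text are assumptions made for illustration.

```python
import re

KEY = b"~draGon~"  # A1..A8 from step 1: 7E 64 72 61 47 6F 6E 7E
C0 = 0x5A          # constant from step 2

def decode_pop3password(cipher_hex):
    """Carry out steps 3-6 on a pop3password value and return the plaintext."""
    b = bytes.fromhex(cipher_hex)          # step 3: B1..Bn, one byte per hex pair
    if len(b) < 2:
        return ""                          # nothing stored
    c = bytes([C0 ^ b[0]]) + b[1:-1]       # step 4: C1 = C0 ^ B1, then Ci = Bi
    plain = bytearray()
    for i, ci in enumerate(c):
        d = b[i + 1] ^ KEY[i % len(KEY)]   # step 5: Di = B(i+1) ^ Ai, key reused cyclically
        plain.append(d - ci if d >= ci else d + 0xFF - ci)  # step 6
    return plain.decode("latin-1")

def audit_account(cfg_text):
    """Report whether an account file keeps a recoverable mailbox password."""
    fields = {}
    for line in cfg_text.splitlines():
        m = re.match(r"\s*(\w+)=(\S*)", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    cipher = fields.get("pop3password", "")
    return {
        "account": fields.get("pop3account", ""),
        "password_saved": bool(cipher),
        "recovered": decode_pop3password(cipher) if cipher else None,
    }

# Constructed sample: the readable fields of the article's ABCDE account.
SAVED = """Mailaddress=abcde@163.net
Pop3account=abcde
Pop3host=pop.163.net
pop3password=bb6dfb5df061
pop3port=110
"""
# The same account after the password field is cleared as described above.
CLEARED = SAVED.replace("bb6dfb5df061", "")

if __name__ == "__main__":
    for name, text in (("saved", SAVED), ("cleared", CLEARED)):
        print(name, audit_account(text))
```

The saved account yields the article's password 12345, while the cleared one leaves nothing in the file to decode.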

Finally, a reminder: do not use what this article covers to do damage; that is not the author's intention. Remember: do not do to others what you would not want done to yourself!
