Wang Products

FAQ Article: Decrypting Trillian Passwords

Trillian is fast becoming one of the most-popular instant messaging programs around. It is described as:

"Communicate with Flexibility and Style. Trillian is everything you need for instant messaging. Connect to ICQ®, AOL Instant Messenger(SM), MSN Messenger, Yahoo! Messenger and IRC in a single, sleek and slim interface."

That's right, trillian is an all-in-one program which allows you to be on ICQ, AIM (the AOL instant messenger), MSN, Yahoo, and even IRC, all at once from one program. In itself, trillian is a good program, with some nice features - but it suffers from an awful password storage system.

Although not compulsory, trillian saves your password to connect to all the networks (ICQ, AOL, MSN etc) - and most people, out of convenience, will want their passwords stored. The problem is that trillian stores them with only a very weak encryption.

The trillian passwords are stored separately in .ini files (which relate to each network, i.e. there is a msn.ini, and a aim.ini etc). These are stored in your trillian directory (usually c:\program files\trillian\) in the "users" folder.

Within the users folder, the ini files will either be in a folder called "default" or a folder named after your username. For example, on my installation for testing purposes, the msn.ini was stored at:


c:\program files\trillian\users\default\msn.ini


On opening this file...you find details like:


[msn]
auto reconnect=1
save passwords=1
idle time=15
show buddy status=1
port=1863
server=messenger.hotmail.com
last msn=someone@hotmail.com
connect num=10
connect sec=60
save status=1
ft port=6891
[profile 0]
name=someone@hotmail.com
password=A347F2B74EE9A9F6


and so on...

The line "password=A347F2B74EE9A9F6" is obviously the encrypted password that we want to decrypt. Now, the encryption used here is a simple xor encryption of the original password, which is then represented as hex. If we split the password into the actual hex representation, it might make more sense:


A3 47 F2 B7 4E E9 A9 F6


Ok, when beating an xor encryption...you need to know what each letter of the original password was xor'd with. Thankfully, there is an easy way to find this out - so long as you know the original pass. And, as you may guess - knowing the xor key that trillian uses to encrypt passwords, is also the key to being able to decrypt passwords that we don't know!

First, we need to know what the hex value "A3" (the first value of the encrypted password) represents in standard numbers. If you know your hex, you will know that the value of "A3" is 163. I know for a fact that the first letter of my password is "P", therefore - to find out what trillian xor'd with my original "P" in order to get 163 - we do the following calculation:


Numeric value of A3 = 163
Numeric (ascii) value of P = 80

Calculation: 80 XOR 163 = 243


There we go - 243 is the number that the first value of your password is xor'd with. We can test this by doing the process in reverse using this knowledge:


First letter of password = P
Ascii value of P = 80
XOR key for 1st char = 243
Calculation = 80 xor 243 = 163
163 in Hex = A3
Encrypted password so far: A3
Go on to 2nd character...and so on...


Hopefully, you can now see how trivial it is to get the rest of the xor key numbers and how to decrypt the passwords once you have the xor key. Let me save you some time...the xor key numbers for each char are (in order):


243, 038, 129, 196, 057, 134, 219, 146, 113, 163, 185, 230, 083, 122, 149, 124, 000, 000, 000, 000, 000, 000, 255, 000, 000, 128, 000, 000, 000, 128, 128, 000, 255, 000, 000, 000, 128, 000, 128, 000, 128, 128, 000, 000, 000, 128, 255, 000, 128, 000, 255, 000, 128, 128, 128, 000, 085, 110, 097, 098, 108, 101, 032, 116, 111, 032, 114, 101, 115, 111, 108, 118, 101, 032, 072, 084, 084, 080, 032, 112, 114, 111, 120, 000


As most passwords are usually 5-10 letters/numbers long, you will rarely need to use even a quarter of those xor keys. And just to help clarify...here is a perl script I have written which will decrypt an encrypted trillian password:


#!/usr/bin/perl

#################
# Trillian Password Decoder - Wang (wang@wangproducts.com)
# written for hack faq Volume 9 (faqs.wangproducts.com)
#################

# Uncomment if you are running as a cgi
#print "Content-type: text/html\n\n";

$encrypted = "A347F2B74EE9A9F6"; # put your encrypted password here!

$xorkeys = "243, 038, 129, 196, 057, 134, 219, 146, 113, 163, 185, 230, 083, 122, 149, 124, 000, 000, 000, 000, 000, 000, 255, 000, 000, 128, 000, 000, 000, 128, 128, 000, 255, 000, 000, 000, 128, 000, 128, 000, 128, 128, 000, 000, 000, 128, 255, 000, 128, 000, 255, 000, 128, 128, 128, 000, 085, 110, 097, 098, 108, 101, 032, 116, 111, 032, 114, 101, 115, 111, 108, 118, 101, 032, 072, 084, 084, 080, 032, 112, 114, 111, 120, 000";

$pointer = 0;

@keys = split(/, /, $xorkeys);

print "Decrypted Password: ";

foreach $key (@keys)
{
$passchar = chr(hex(substr($encrypted, $pointer, 2)) ^ $key);
print "$passchar";
last if ($pointer == length($encrypted) - 2);
$pointer += 2;
}

exit;


Comments
Comment by Colin - 28-05-2005

Brilliant!!! I thought Id lost my AIM account as I had no idea what the password was - this has recovered it for me.

On the other hand this is really rubbish I guess on the part of Trillian.



Comment by Danne - 31-07-2005

In whitch format du u save the script in?



Comment by calle - 06-08-2005

I dont get it. it works fine local. but when i try to build it in to a cgi it dosent work.... what changes do you have to do? saw something about # Uncomment if you are running as a cgi
but it dosent help at all. i just get some strange symbols 9 q S z Can u give me any help?



Comment by Wang - 07-08-2005

Im not sure what problem you might be having - you do need to uncomment that line to make it work as a cgi, but that should be it.



Comment by Calle - 07-08-2005

I solved my problem i think. wanted to add the ability to add your own hash file to the script ( trillian.pl?hash) and i now solved it. But please tell me if you had something agenst me changing the script. It was a nice challange. (im almost totaly new at perl)

But if you do mind please tell me so and ill delete it !!



Comment by Wang - 09-08-2005

I have nothing against people modifying and using the scripts - have fun! :)



Comment by zeb00 - 17-10-2005

Great Script

FYI: ICQ passwords are saved i aim.ini



Comment by umar - 01-04-2006

i want to become a professional hacker what i have to do for that



Comment by root - 05-04-2006

perl to the rescue!



Comment by alter - 21-07-2006

I doesnt work, when i write triallian_passwrd_decoder.plr in cmd it start the dokument and their is nothing only the script but there isnt a decrypted code nothing hmmm waht i do false.




Comment by Wang - 21-07-2006

alter: this decryption script works, however it sounds like you dont know/understand how it should be run. You will need to run this either from a *nix machine or a Windows box that has Perl/ActivePerl installed. Your system does not seem to have perl installed.



Comment by Fares - 25-07-2006

ich schaff das nicht, immer wenn ich das im dos modus eingebe, nffnet sich immer die datei, astatt das da das passwort steht! hmm, brauhe hilfe!



Comment by Fares - 25-07-2006

wenn ich trillian_password_decoder.pl eingebe, ffnet sich das dukument, brauche hilfe please!



Comment by Andrew - 13-09-2006

Thank you for your work



Comment by Dr4k3 - 17-02-2007

nice script...

saved me a lot of work...



Comment by elch - 16-04-2007

i dont get it. how does this xor-operator work on numbers? when i try to do this algorithm out of hand, i get chars that i cannot have used for my password, even negative values.

please explain what the xor-operator does with dec-numbers and proove that the xor-keys are the same in all trillian-versions.

regards, elch



Comment by thomseb - 21-11-2007

appears to still work!



Comment by nebulous - 14-02-2008

Thanks! This rocks and helped me save my Aim pw.

I wrote this port of the script into the evil and awful VBScript for anyone else not setup for perl (I know, I know...):

encrypted = ABCDEFGIHJK
xorkeys = 243, 038, 129, 196, 057, 134, 219, 146, 113, 163, 185, 230, 083, 122, 149, 124, 000, 000, 000, 000, 000, 000, 255, 000, 000, 128, 000, 000, 000, 128, 128, 000, 255, 000, 000, 000, 128, 000, 128, 000, 128, 128, 000, 000, 000, 128, 255, 000, 128, 000, 255, 000, 128, 128, 128, 000, 085, 110, 097, 098, 108, 101, 032, 116, 111, 032, 114, 101, 115, 111, 108, 118, 101, 032, 072, 084, 084, 080, 032, 112, 114, 111, 120, 000
pointer = 1
passchar =
keys = split(xorkeys, ,)
For each key in keys
MsgBox key
h = Mid(encrypted, pointer, 2)
i = CLng(H h)
j = i Xor key
passchar = passchar chr(j)
If pointer (Len(encrypted) - 2) Then
pointer = pointer + 2
End If
Next
MsgBox Decrypted Password: passchar





Comment by Random Onlooker - 28-02-2008

Having used Trillians Check Mail function for Yahoo, I had become dependent on it. However, as FIrefox beta 3 and Yahoo Mail no longer play nicely, I had to log in through Opera. Your script here really saved some headaches in trying to remember what I shouldnt have forgotten. Thanks so much :D



Comment by Doug - 15-07-2010

Your script rocks, I recovered a password from an account I have been unable to use for over 8 years.



Comment by Dave - 24-05-2013

In VB 6:

Public Function DecodeTrillianPassword(Pass As String)
Dim bMagicTrillian As Variant
Dim i As Integer, x As Integer, a As String
If LenB(Pass) = 0 Then Exit Function

bMagicTrillian = Array(0, 243, 38, 129, 196, 57, 134, 219, 146, 113, 163, 185, 230, 83, 122, 149, 124, 0, 0, 0, 0, 0, 0, 255, 0, 0, 128, 0, 0, 0, 128, 128, 0, 255, 0, 0, 0, 128, 0, 128, 0, 128, 128, 0, 0, 0, 128, 255, 0, 128, 0, 255, 0, 128, 128, 128, 0, 85, 110, 97, 98, 108, 101, 32, 116, 111, 32, 114, 101, 115, 111, 108, 118, 101, 32, 72, 84, 84, 80, 32, 112, 114, 111, 120, 0)

For i = 1 To Len(Pass) Step 2
a = Mid$(Pass, i, 2)
x = x + 1
DecodeTrillianPassword = DecodeTrillianPassword Chr$(CInt(h a) Xor bMagicTrillian(x))
Next
End Function



Post a comment

Please use the form below to post your comments on this article. All comments will be reviewed by the admin before being published publically.


Your Name
Comment
  Please enter the code from the image below into the code box

Code
 

Valid XHTML 1.0! Valid CSS!

Wang Products Articles Security News and Articles/FAQs Wang Products Software Guitar MP3 tracks by Wang Links