# Table of contents:

• Introduction
  • Finding keypairs
    • With a disassembler
    • With a hex editor
    • With a binary pattern matching tool
    • With a hex editor (PresenceIM.dll versions)
• Old key pairs
• New key pairs

# Introduction

Challenges (CHL commands) require a key pair (for the QRY command) to be solved.

The following is a list of valid key pairs.

If you know of a key pair not on this list, or just the Public Key associated with a client, feel free to contact me.

Format of the Public Keys (except the first msmsgs@msnmsgr.com one) seems to be "PROD", then four digits, the first being a 0, then 8 random characters.
The four digits seem to increase by at least 1 every time a new key pair is made.

Private keys seem to have a format of 16 random characters.

Random characters in both cases will match the regular expression of [A-Z0-9{}!@*%_?$#].

The function to deobfuscate the keypairs is usually as such:

/* (Object.Array[Number], Number) -> string */
function deobfuscateString(arrayOfObfuscatedChars, xorValue) {
	var xorValue = xorValue||arrayOfObfuscatedChars[arrayOfObfuscatedChars.length-1];
	var resultStr = "";
	for (var i = 0; i < arrayOfObfuscatedChars.length; i++) {
		var value = arrayOfObfuscatedChars[i];
		resultStr += String.fromCharCode(value ^ xorValue);
	}
	return resultStr;
}

# Finding keypairs

# With a disassembler

You can usually find keypairs by looking in a disassembler using these steps:

1. Search for the string %hs&CLCID=0x%04x&Country=%hs.
2. Enter the function that uses this string (OnMNSRequestURLResult).
3. Go to the first cross-reference that references this function (OnMNSRequestURLResult).
4. Go to the cross-reference for the new function.
5. In the CHotmailService::vftable, go down 5 times, and enter the function.
6. Name this function OnMNSLockChallenge.
7. Find a function that is used early on that uses a \0 or \x01 as a parameter.
8. Name this function GetLKString.
9. Find the last function used in GetLKString.
10. Define the function as such:

void Unobfuscate (char * stringToDeobfuscate, char * buffer, int length, unsigned char xorConstant);

11. Return to GetLKString.
12. In an if-block, look for the usage of stringToDeobfuscate. Call this CHALLENGE_PUBLIC_KEY.
13. Outside of the if-block, look for another usage of stringToDeobfuscate. Call this CHALLENGE_PRIVATE_KEY.
14. Follow references of CHALLENGE_PUBLIC_KEY and CHALLENGE_PRIVATE_KEY.
15. If possible, set the types of both constants to char[17].
16. Copy the 17 bytes of both values and save somewhere for referencing.
17. Use the deobfuscateString function above or an equivalent to deobfuscate the keys.
18. If you need the XOR value, it is the last character of the obfuscated key (due to being null-terminated).
19. Copy deobfuscated keys.

# With a hex editor

1. Search for the ASCII string "0123456789abcdef", case-sensitive.
2. Look for two obfuscated keys.
3. Use the deobfuscateString function above or an equivalent to deobfuscate the keys.
4. If you need the XOR value, it is the last character of the obfuscated key (due to being null-terminated).
5. Copy deobfuscated keys.

# With a binary pattern matching tool

1. Search for B7 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B7.
2. Replace B7 with another XOR value if required.
3. Look around area for obfuscated keys.
4. Use the deobfuscateString function above or an equivalent to deofbuscate the keys.
5. If you need the XOR value, it is the last character of the obfuscated key (due to being null-terminated).
6. Copy deobfuscated keys.

# With a hex editor (PresenceIM.dll versions)

1. Search for the ASCII string "PROD0", case-sensitive.
2. Copy deobfuscated keys.

# Old key pairs

Only in MSNP6 to MSNP10.

PUBLIC KEY	PRIVATE KEY	XOR values	Introduced with...
msmsgs@msnmsgr.com	Q1P7W2E4J9R8U3S5	none, 0xC5	Client Version 3.6.0038
PROD0039E3VGM%GB	B7WRX$T9S3875{68	0xA6	Client Version 4.7.0031
PROD00504RLUG%WL	I2EBK%PYNLZL5_J4	0xA6, 0xB7	Client Version 4.7.2009
PROD0038W!61ZTF9	VT6PX?UQTM4WM%YR	0xB7	Client Version 5.0.0124
PROD00517IFH4@RV	MYRED!3QTCFWG@9G	0xB7	Client Version 5.1.0701
PROD0066X_86JBY8	%_IP#M2WDG247}@I	0xB7	Client Version 6.0.0101
PROD0075THRTM{7!	WLJIQ$8LDLNI_J4Q	0xB7	Client Version 6.0.4074
PROD0058#7IL2{QD	QHDCY@7R1TB6W?5B	0xB7	Client Version 6.0.0250
PROD0061VRRZH@4F	JXQ6J@TUOGYV@N0M	0xB7	Client Version 6.0.0268
PROD0076ENE8*@AW	CEQJ8}OE0!WTSWII	0xB7	Client Version 6.2.0133
PROD0062I2RVG#RV	LPOFJ{8L6AM2N!G_	0xB7	PocketPC Client 3.1.3080
PROD0045YI56T?TX	FV!WOP5UKXO8$LV$	none	threedegrees 1.0.0352
PROD0046K9O#QFXY	8{B7#LEX_V5HV@SQ	none	threedegrees musicmix

# New key pairs

Since MSNP11.

PUBLIC KEY	PRIVATE KEY	XOR values	Introduced with...
PROD008955JTJ_S7	DHCPQ$8JI5HD3{4L	0xB7	Client Version 7.0.0205
PROD0090YUAUV{2B	YMM8C_H7KCQ2S_KL	0xB7	Client Version 7.0.0225
PROD00974#MT*RC2	LMCVO*18PQJ3H!K3	0xB7	Client Version 7.0.0604
PROD0101{0RM?UBW	CFHUR$52U_{VIX5T	0xB7	Client Version 7.0.0777
PROD0104U6VVM{UJ	VK67B}379XYM5}$T	0xB7	Client Version 7.5.0160
PROD01065C%ZFN6F	O4BG@C7BWLYQX?5G	0xB7	Client Version 8.0.0290
PROD0112J1LW7%NB	RH96F{PHI8PPX_TJ	0xB7	Client Version 8.0.0787
PROD0113H11T8$X_	RG@XY*28Q5QHS%Q5	0xB7	Client Version 8.1.0106
PROD0114ES4Z%Q5W	PK}_A_0N_K%O?A9S	0xB7, none	Client Version 8.1.0178
PROD0118R6%2WYOS	YIXPX@5I2P0UT*LK	0xB7	Client Version 8.5.1235
PROD0119GSJUC$18	ILTXC!4IXB5FB*PX	0xB7, none	Client Version 8.5.1288
PROD0116PE?TSI1_	EXFK#_48PJR82_3G	0xB7	Client Version 9.0.1407
PROD0120PW!CCV9@	C1BX{V4W}Q3*10SM	none	Client Version 14.0.8050