# Table of contents:
# Introduction
Challenges (CHL commands) require a key pair (for the QRY command) to be solved.
The following is a list of valid key pairs.
If you know of a key pair not on this list, or just the Public Key associated with a client, feel free to contact me.
Format of the Public Keys (except the first msmsgs@msnmsgr.com one)
seems to be "PROD", then four digits, the first being a 0, then 8 random characters.
The four digits seem to increase by at least 1 every time a new key pair is made.
Private keys seem to have a format of 16 random characters.
Random characters in both cases will match the regular expression of
[A-Z0-9{}!@*%_?$#].
The function to deobfuscate the keypairs is usually as such:
/* (Object.Array[Number], Number) -> string */
function deobfuscateString(arrayOfObfuscatedChars, xorValue) {
var xorValue = xorValue||arrayOfObfuscatedChars[arrayOfObfuscatedChars.length-1];
var resultStr = "";
for (var i = 0; i < arrayOfObfuscatedChars.length; i++) {
var value = arrayOfObfuscatedChars[i];
resultStr += String.fromCharCode(value ^ xorValue);
}
return resultStr;
}
# Finding keypairs
# With a disassembler
You can usually find keypairs by looking in a disassembler using these steps:
- Search for the string
%hs&CLCID=0x%04x&Country=%hs. - Enter the function that uses this string (
OnMNSRequestURLResult). - Go to the first cross-reference that references this function (
OnMNSRequestURLResult). - Go to the cross-reference for the new function.
- In the
CHotmailService::vftable, go down 5 times, and enter the function. - Name this function
OnMNSLockChallenge. - Find a function that is used early on that uses a
\0or\x01as a parameter. - Name this function
GetLKString. - Find the last function used in
GetLKString. - Define the function as such:
void Unobfuscate (char * stringToDeobfuscate, char * buffer, int length, unsigned char xorConstant);
- Return to
GetLKString. - In an
if-block, look for the usage ofstringToDeobfuscate. Call thisCHALLENGE_PUBLIC_KEY. - Outside of the
if-block, look for another usage ofstringToDeobfuscate. Call thisCHALLENGE_PRIVATE_KEY. - Follow references of
CHALLENGE_PUBLIC_KEYandCHALLENGE_PRIVATE_KEY. - If possible, set the types of both constants to char[17].
- Copy the 17 bytes of both values and save somewhere for referencing.
- Use the
deobfuscateStringfunction above or an equivalent to deobfuscate the keys. - If you need the XOR value, it is the last character of the obfuscated key (due to being null-terminated).
- Copy deobfuscated keys.
# With a hex editor
- Search for the ASCII string "0123456789abcdef", case-sensitive.
- Look for two obfuscated keys.
- Use the
deobfuscateStringfunction above or an equivalent to deobfuscate the keys. - If you need the XOR value, it is the last character of the obfuscated key (due to being null-terminated).
- Copy deobfuscated keys.
# With a binary pattern matching tool
- Search for
B7 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B7. - Replace B7 with another XOR value if required.
- Look around area for obfuscated keys.
- Use the
deobfuscateStringfunction above or an equivalent to deofbuscate the keys. - If you need the XOR value, it is the last character of the obfuscated key (due to being null-terminated).
- Copy deobfuscated keys.
# With a hex editor (PresenceIM.dll versions)
- Search for the ASCII string "PROD0", case-sensitive.
- Copy deobfuscated keys.
# All key pairs (sorted by type, then version)
PUBLIC KEY |
PRIVATE KEY |
XOR values |
Introduced with... |
|---|---|---|---|
msmsgs@msnmsgr.com |
Q1P7W2E4J9R8U3S5 |
none, 0xC5 |
Client Version 3.6.0038 |
PROD0039E3VGM%GB |
B7WRX$T9S3875{68 |
0xA6 |
Client Version 4.7.0031 |
PROD00504RLUG%WL |
I2EBK%PYNLZL5_J4 |
0xA6, 0xB7 |
Client Version 4.7.2009 |
PROD0038W!61ZTF9 |
VT6PX?UQTM4WM%YR |
0xB7 |
Client Version 5.0.0124 |
PROD00517IFH4@RV |
MYRED!3QTCFWG@9G |
0xB7 |
Client Version 5.1.0701 |
PROD0066X_86JBY8 |
%_IP#M2WDG247}@I |
0xB7 |
Client Version 6.0.0101 |
PROD0075THRTM{7! |
WLJIQ$8LDLNI_J4Q |
0xB7 |
Client Version 6.0.4074 |
PROD0058#7IL2{QD |
QHDCY@7R1TB6W?5B |
0xB7 |
Client Version 6.0.0250 |
PROD0061VRRZH@4F |
JXQ6J@TUOGYV@N0M |
0xB7 |
Client Version 6.0.0268 |
PROD0076ENE8*@AW |
CEQJ8}OE0!WTSWII |
0xB7 |
Client Version 6.2.0133 |
PROD008955JTJ_S7 |
DHCPQ$8JI5HD3{4L |
0xB7 |
Client Version 7.0.0205 |
PROD0090YUAUV{2B |
YMM8C_H7KCQ2S_KL |
0xB7 |
Client Version 7.0.0225 |
PROD00974#MT*RC2 |
LMCVO*18PQJ3H!K3 |
0xB7 |
Client Version 7.0.0604 |
PROD0101{0RM?UBW |
CFHUR$52U_{VIX5T |
0xB7 |
Client Version 7.0.0777 |
PROD0104U6VVM{UJ |
VK67B}379XYM5}$T |
0xB7 |
Client Version 7.5.0160 |
PROD01065C%ZFN6F |
O4BG@C7BWLYQX?5G |
0xB7 |
Client Version 8.0.0290 |
PROD0112J1LW7%NB |
RH96F{PHI8PPX_TJ |
0xB7 |
Client Version 8.0.0787 |
PROD0113H11T8$X_ |
RG@XY*28Q5QHS%Q5 |
0xB7 |
Client Version 8.1.0106 |
PROD0114ES4Z%Q5W |
PK}_A_0N_K%O?A9S |
0xB7, none |
Client Version 8.1.0178 |
PROD0118R6%2WYOS |
YIXPX@5I2P0UT*LK |
0xB7 |
Client Version 8.5.1235 |
PROD0119GSJUC$18 |
ILTXC!4IXB5FB*PX |
0xB7, none |
Client Version 8.5.1288 |
PROD0116PE?TSI1_ |
EXFK#_48PJR82_3G |
0xB7 |
Client Version 9.0.1407 |
PROD0120PW!CCV9@ |
C1BX{V4W}Q3*10SM |
none | Client Version 14.0.8050 |
macmsgr@msnmsgr.com |
A8J3D5F7L3K2V6F4 |
none | MacOS Client 2.0r037 |
PROD00444_M6XYJT |
UMJBL@QN17VEI{5L |
none | MacOS Client 3.0.0 |
PROD0074Z}QA4HPI |
5JHDY@F5_KLEF?3O |
0xB7 |
MacOS Client 4.0.0 |
PROD0102LUNTP%M? |
JD5QT%#ILEBP5?LI |
0xB7 |
MacOS Client 5.0.0 |
PROD0062I2RVG#RV |
LPOFJ{8L6AM2N!G_ |
0xB7 |
PocketPC Client 3.1.3080 |
PROD0045YI56T?TX |
FV!WOP5UKXO8$LV$ |
none | threedegrees 1.0.0352 |
PROD0046K9O#QFXY |
8{B7#LEX_V5HV@SQ |
none | threedegrees musicmix |
# All key pairs (sorted by PROD number)
PUBLIC KEY |
PRIVATE KEY |
XOR values |
Introduced with... |
|---|---|---|---|
PROD0038W!61ZTF9 |
VT6PX?UQTM4WM%YR |
0xB7 |
Client Version 5.0.0124 |
PROD0039E3VGM%GB |
B7WRX$T9S3875{68 |
0xA6 |
Client Version 4.7.0031 |
PROD00444_M6XYJT |
UMJBL@QN17VEI{5L |
none | MacOS Client 3.0.0 |
PROD0045YI56T?TX |
FV!WOP5UKXO8$LV$ |
none | threedegrees 1.0.0352 |
PROD0046K9O#QFXY |
8{B7#LEX_V5HV@SQ |
none | threedegrees musicmix |
PROD00504RLUG%WL |
I2EBK%PYNLZL5_J4 |
0xA6, 0xB7 |
Client Version 4.7.2009 |
PROD00517IFH4@RV |
MYRED!3QTCFWG@9G |
0xB7 |
Client Version 5.1.0701 |
PROD0058#7IL2{QD |
QHDCY@7R1TB6W?5B |
0xB7 |
Client Version 6.0.0250 |
PROD0061VRRZH@4F |
JXQ6J@TUOGYV@N0M |
0xB7 |
Client Version 6.0.0268 |
PROD0062I2RVG#RV |
LPOFJ{8L6AM2N!G_ |
0xB7 |
PocketPC Client 3.1.3080 |
PROD0066X_86JBY8 |
%_IP#M2WDG247}@I |
0xB7 |
Client Version 6.0.0101 |
PROD0074Z}QA4HPI |
5JHDY@F5_KLEF?3O |
0xB7 |
MacOS Client 4.0.0 |
PROD0075THRTM{7! |
WLJIQ$8LDLNI_J4Q |
0xB7 |
Client Version 6.0.4074 |
PROD0076ENE8*@AW |
CEQJ8}OE0!WTSWII |
0xB7 |
Client Version 6.2.0133 |
PROD008955JTJ_S7 |
DHCPQ$8JI5HD3{4L |
0xB7 |
Client Version 7.0.0205 |
PROD0090YUAUV{2B |
YMM8C_H7KCQ2S_KL |
0xB7 |
Client Version 7.0.0225 |
PROD00974#MT*RC2 |
LMCVO*18PQJ3H!K3 |
0xB7 |
Client Version 7.0.0604 |
PROD0101{0RM?UBW |
CFHUR$52U_{VIX5T |
0xB7 |
Client Version 7.0.0777 |
PROD0102LUNTP%M? |
JD5QT%#ILEBP5?LI |
0xB7 |
MacOS Client 5.0.0 |
PROD0104U6VVM{UJ |
VK67B}379XYM5}$T |
0xB7 |
Client Version 7.5.0160 |
PROD01065C%ZFN6F |
O4BG@C7BWLYQX?5G |
0xB7 |
Client Version 8.0.0290 |
PROD0112J1LW7%NB |
RH96F{PHI8PPX_TJ |
0xB7 |
Client Version 8.0.0787 |
PROD0113H11T8$X_ |
RG@XY*28Q5QHS%Q5 |
0xB7 |
Client Version 8.1.0106 |
PROD0114ES4Z%Q5W |
PK}_A_0N_K%O?A9S |
0xB7, none |
Client Version 8.1.0178 |
PROD0116PE?TSI1_ |
EXFK#_48PJR82_3G |
0xB7 |
Client Version 9.0.1407 |
PROD0118R6%2WYOS |
YIXPX@5I2P0UT*LK |
0xB7 |
Client Version 8.5.1235 |
PROD0119GSJUC$18 |
ILTXC!4IXB5FB*PX |
0xB7, none |
Client Version 8.5.1288 |
PROD0120PW!CCV9@ |
C1BX{V4W}Q3*10SM |
none | Client Version 14.0.8050 |