Introduction

Challenges (CHL commands) require a key pair (for the QRY command) to be solved.

The following is a list of valid key pairs.

If you know of a key pair not on this list, or just the Public Key associated with a client, feel free to contact me.

The format of the public keys (except the first msmsgs@msnmsgr.com one) seems to be "PROD", then four digits, the first being a 0, then 8 random characters.
The four digits seem to increase by at least 1 every time a new key pair is made.

Private keys seem to consist of 16 random characters.

The random characters in both cases match the regular expression [A-Z0-9{}!@*%_?$#].

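The function to deobfuscate the key pairs usually looks like this:

/* (Array<Number>, Number) -> string */
function deobfuscateString(arrayOfObfuscatedChars, xorValue) {
	// Without an explicit XOR value, use the last element: the obfuscated
	// null terminator (0 ^ xorValue) is the XOR value itself.
	xorValue = xorValue || arrayOfObfuscatedChars[arrayOfObfuscatedChars.length - 1];
	var resultStr = "";
	for (var i = 0; i < arrayOfObfuscatedChars.length; i++) {
		// XOR each obfuscated value back to its original character.
		var value = arrayOfObfuscatedChars[i];
		resultStr += String.fromCharCode(value ^ xorValue);
	}
	// If the array includes the terminator, the result ends with "\0".
	return resultStr;
}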

Finding keypairs

With a disassembler

You can usually find keypairs by looking in a disassembler using these steps:

  1. Search for the string %hs&CLCID=0x%04x&Country=%hs.
  2. Enter the function that uses this string (OnMNSRequestURLResult).
  3. Go to the first cross-reference that references this function (OnMNSRequestURLResult).
  4. Go to the cross-reference for the new function.
  5. In the CHotmailService::vftable, go down 5 times, and enter the function.
  6. Name this function OnMNSLockChallenge.
  7. Find a function that is used early on that uses a \0 or \x01 as a parameter.
  8. Name this function GetLKString.
  9. Find the last function used in GetLKString.
  10. Define the function as such:
      void Unobfuscate (char * stringToDeobfuscate, char * buffer, int length, unsigned char xorConstant);
  11. Return to GetLKString.
  12. In an if-block, look for the usage of stringToDeobfuscate. Call this CHALLENGE_PUBLIC_KEY.
  13. Outside of the if-block, look for another usage of stringToDeobfuscate. Call this CHALLENGE_PRIVATE_KEY.
  14. Follow references of CHALLENGE_PUBLIC_KEY and CHALLENGE_PRIVATE_KEY.
  15. If possible, set the types of both constants to char[17].
  16. Copy the 17 bytes of both values and save somewhere for referencing.
  17. Use the deobfuscateString function above or an equivalent to deobfuscate the keys.
  18. If you need the XOR value, it is the last character of the obfuscated key (due to being null-terminated).
  19. Copy deobfuscated keys.

With a hex editor

  1. Search for the ASCII string "0123456789abcdef", case-sensitive.
  2. Look for two obfuscated keys.
  3. Use the deobfuscateString function above or an equivalent to deobfuscate the keys.
  4. If you need the XOR value, it is the last character of the obfuscated key (due to being null-terminated).
  5. Copy deobfuscated keys.

With a binary pattern matching tool

  1. Search for B7 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B7.
  2. Replace B7 with another XOR value if required.
  3. Look around the area for obfuscated keys.
  4. Use the deobfuscateString function above or an equivalent to deobfuscate the keys.
  5. If you need the XOR value, it is the last character of the obfuscated key (due to being null-terminated).
  6. Copy deobfuscated keys.
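
The disassembler, hex-editor and pattern-matching procedures above all end in the same step: recognising a 17-byte obfuscated key whose last byte is the XOR value. The JavaScript below is an added example, not code from the original page, that performs that recognition over a byte buffer. The names obfuscate, findObfuscatedKeys and buildSample are hypothetical, the sample buffer is constructed from the PROD0038 pair in the table, and the three zero bytes after each key are an assumption taken from the search pattern.

```javascript
// Character set and public-key layout as described on this page.
const KEY_CHARS = /^[A-Z0-9{}!@*%_?$#]{16}$/;
const PUBLIC_KEY = /^PROD0\d{3}[A-Z0-9{}!@*%_?$#]{8}$/;

// Stored form of a 16-character key: every byte XORed with xorValue,
// terminator included (0 ^ xorValue = xorValue), 17 bytes in total.
function obfuscate(key, xorValue) {
  const bytes = Array.from(key, (c) => c.charCodeAt(0) ^ xorValue);
  bytes.push(xorValue);
  return bytes;
}

// Slide a 17-byte window over the buffer, take the last byte as the XOR
// value, and keep windows whose first 16 bytes decode to the key charset.
// Keys listed with XOR value "none" are plain text and are skipped here.
function findObfuscatedKeys(buffer) {
  const hits = [];
  for (let off = 0; off + 17 <= buffer.length; off++) {
    const xorValue = buffer[off + 16];
    if (xorValue === 0) continue; // plain NUL terminator, nothing to undo
    let text = "";
    for (let i = 0; i < 16; i++) text += String.fromCharCode(buffer[off + i] ^ xorValue);
    if (!KEY_CHARS.test(text)) continue;
    const kind = PUBLIC_KEY.test(text) ? "public" : "private";
    hits.push({ offset: off, xorValue, text, kind });
  }
  return hits;
}

// Constructed sample: arbitrary filler bytes around the PROD0038 pair,
// each key followed by three zero bytes (assumed padding).
function buildSample() {
  const filler = [0x55, 0x8b, 0xec, 0x00, 0x90, 0x90, 0xc3, 0x00];
  return Uint8Array.from([
    ...filler,
    ...obfuscate("PROD0038W!61ZTF9", 0xb7), 0, 0, 0,
    ...obfuscate("VT6PX?UQTM4WM%YR", 0xb7), 0, 0, 0,
    ...filler,
  ]);
}

console.log(findObfuscatedKeys(buildSample()));
```

On real binaries the charset check can still produce occasional false positives, so a hit is only a candidate until both halves of a pair are found next to each other.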

With a hex editor (PresenceIM.dll versions)

  1. Search for the ASCII string "PROD0", case-sensitive.
  2. Copy deobfuscated keys.

All key pairs (sorted by type, then version)

PUBLIC KEY           PRIVATE KEY       XOR values  Introduced with...
msmsgs@msnmsgr.com   Q1P7W2E4J9R8U3S5  none, 0xC5  Client Version 3.6.0038
PROD0039E3VGM%GB     B7WRX$T9S3875{68  0xA6        Client Version 4.7.0031
PROD00504RLUG%WL     I2EBK%PYNLZL5_J4  0xA6, 0xB7  Client Version 4.7.2009
PROD0038W!61ZTF9     VT6PX?UQTM4WM%YR  0xB7        Client Version 5.0.0124
PROD00517IFH4@RV     MYRED!3QTCFWG@9G  0xB7        Client Version 5.1.0701
PROD0066X_86JBY8     %_IP#M2WDG247}@I  0xB7        Client Version 6.0.0101
PROD0075THRTM{7!     WLJIQ$8LDLNI_J4Q  0xB7        Client Version 6.0.4074
PROD0058#7IL2{QD     QHDCY@7R1TB6W?5B  0xB7        Client Version 6.0.0250
PROD0061VRRZH@4F     JXQ6J@TUOGYV@N0M  0xB7        Client Version 6.0.0268
PROD0076ENE8*@AW     CEQJ8}OE0!WTSWII  0xB7        Client Version 6.2.0133
PROD008955JTJ_S7     DHCPQ$8JI5HD3{4L  0xB7        Client Version 7.0.0205
PROD0090YUAUV{2B     YMM8C_H7KCQ2S_KL  0xB7        Client Version 7.0.0225
PROD00974#MT*RC2     LMCVO*18PQJ3H!K3  0xB7        Client Version 7.0.0604
PROD0101{0RM?UBW     CFHUR$52U_{VIX5T  0xB7        Client Version 7.0.0777
PROD0104U6VVM{UJ     VK67B}379XYM5}$T  0xB7        Client Version 7.5.0160
PROD01065C%ZFN6F     O4BG@C7BWLYQX?5G  0xB7        Client Version 8.0.0290
PROD0112J1LW7%NB     RH96F{PHI8PPX_TJ  0xB7        Client Version 8.0.0787
PROD0113H11T8$X_     RG@XY*28Q5QHS%Q5  0xB7        Client Version 8.1.0106
PROD0114ES4Z%Q5W     PK}_A_0N_K%O?A9S  0xB7, none  Client Version 8.1.0178
PROD0118R6%2WYOS     YIXPX@5I2P0UT*LK  0xB7        Client Version 8.5.1235
PROD0119GSJUC$18     ILTXC!4IXB5FB*PX  0xB7, none  Client Version 8.5.1288
PROD0116PE?TSI1_     EXFK#_48PJR82_3G  0xB7        Client Version 9.0.1407
PROD0120PW!CCV9@     C1BX{V4W}Q3*10SM  none        Client Version 14.0.8050
macmsgr@msnmsgr.com  A8J3D5F7L3K2V6F4  none        MacOS Client 2.0r037
PROD00444_M6XYJT     UMJBL@QN17VEI{5L  none        MacOS Client 3.0.0
PROD0074Z}QA4HPI     5JHDY@F5_KLEF?3O  0xB7        MacOS Client 4.0.0
PROD0102LUNTP%M?     JD5QT%#ILEBP5?LI  0xB7        MacOS Client 5.0.0
PROD0062I2RVG#RV     LPOFJ{8L6AM2N!G_  0xB7        PocketPC Client 3.1.3080
PROD0045YI56T?TX     FV!WOP5UKXO8$LV$  none        threedegrees 1.0.0352
PROD0046K9O#QFXY     8{B7#LEX_V5HV@SQ  none        threedegrees musicmix

All key pairs (sorted by PROD number)

PUBLIC KEY           PRIVATE KEY       XOR values  Introduced with...
PROD0038W!61ZTF9     VT6PX?UQTM4WM%YR  0xB7        Client Version 5.0.0124
PROD0039E3VGM%GB     B7WRX$T9S3875{68  0xA6        Client Version 4.7.0031
PROD00444_M6XYJT     UMJBL@QN17VEI{5L  none        MacOS Client 3.0.0
PROD0045YI56T?TX     FV!WOP5UKXO8$LV$  none        threedegrees 1.0.0352
PROD0046K9O#QFXY     8{B7#LEX_V5HV@SQ  none        threedegrees musicmix
PROD00504RLUG%WL     I2EBK%PYNLZL5_J4  0xA6, 0xB7  Client Version 4.7.2009
PROD00517IFH4@RV     MYRED!3QTCFWG@9G  0xB7        Client Version 5.1.0701
PROD0058#7IL2{QD     QHDCY@7R1TB6W?5B  0xB7        Client Version 6.0.0250
PROD0061VRRZH@4F     JXQ6J@TUOGYV@N0M  0xB7        Client Version 6.0.0268
PROD0062I2RVG#RV     LPOFJ{8L6AM2N!G_  0xB7        PocketPC Client 3.1.3080
PROD0066X_86JBY8     %_IP#M2WDG247}@I  0xB7        Client Version 6.0.0101
PROD0074Z}QA4HPI     5JHDY@F5_KLEF?3O  0xB7        MacOS Client 4.0.0
PROD0075THRTM{7!     WLJIQ$8LDLNI_J4Q  0xB7        Client Version 6.0.4074
PROD0076ENE8*@AW     CEQJ8}OE0!WTSWII  0xB7        Client Version 6.2.0133
PROD008955JTJ_S7     DHCPQ$8JI5HD3{4L  0xB7        Client Version 7.0.0205
PROD0090YUAUV{2B     YMM8C_H7KCQ2S_KL  0xB7        Client Version 7.0.0225
PROD00974#MT*RC2     LMCVO*18PQJ3H!K3  0xB7        Client Version 7.0.0604
PROD0101{0RM?UBW     CFHUR$52U_{VIX5T  0xB7        Client Version 7.0.0777
PROD0102LUNTP%M?     JD5QT%#ILEBP5?LI  0xB7        MacOS Client 5.0.0
PROD0104U6VVM{UJ     VK67B}379XYM5}$T  0xB7        Client Version 7.5.0160
PROD01065C%ZFN6F     O4BG@C7BWLYQX?5G  0xB7        Client Version 8.0.0290
PROD0112J1LW7%NB     RH96F{PHI8PPX_TJ  0xB7        Client Version 8.0.0787
PROD0113H11T8$X_     RG@XY*28Q5QHS%Q5  0xB7        Client Version 8.1.0106
PROD0114ES4Z%Q5W     PK}_A_0N_K%O?A9S  0xB7, none  Client Version 8.1.0178
PROD0116PE?TSI1_     EXFK#_48PJR82_3G  0xB7        Client Version 9.0.1407
PROD0118R6%2WYOS     YIXPX@5I2P0UT*LK  0xB7        Client Version 8.5.1235
PROD0119GSJUC$18     ILTXC!4IXB5FB*PX  0xB7, none  Client Version 8.5.1288
PROD0120PW!CCV9@     C1BX{V4W}Q3*10SM  none        Client Version 14.0.8050