Re: Access and decrypt Chrome cookies on Windows

my $DataOut;
my $pDataOut = pack('LL', 0, 0);
[download]

In my limited understanding of pack(), $pDataOut simulates a memory pointer pointing to address 0. LL 2 longs: 0 and 0. Now I don't know what the size of a memory pointer in windows 32/64bit is and how does that relate to the size of a long according to Perl's pack().

I think the problem is that you need to allocate memory for receiving the decrypted data in, via the API call's last parameter (#7). Thankfully I run a totally windows-free environment, so I can't try it, but perhaps replacing the above with:

my $pDataOut = " "x1000; # just saying, this will allocate at least 1000 bytes I guess

Once you jump over this hurdle, let's see how to read that memory you get back.

FYI (from https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata#syntax):

Edit: fixed below as it was referring to CryptProtectData

DPAPI_IMP BOOL CryptUnprotectData(
  [in]            DATA_BLOB                 *pDataIn,
  [out, optional] LPWSTR                    *ppszDataDescr,
  [in, optional]  DATA_BLOB                 *pOptionalEntropy,
                  PVOID                     pvReserved,
  [in, optional]  CRYPTPROTECT_PROMPTSTRUCT *pPromptStruct,
  [in]            DWORD                     dwFlags,
  [out]           DATA_BLOB                 *pDataOut
);

typedef struct _CRYPTOAPI_BLOB {
  DWORD cbData;
  BYTE  *pbData;
} ...
[download]

Edit: Oh I get it perhaps $pDataOut just creates "enough" space to receive a memory pointer to the decrypted data, so it does not matter where it points to (re: 0LL). So, perhaps the size of a memory pointer in your system is not equal to the size of 2 Perl/pack longs. Try bigger!

Edit2: Yep, this can be possible as in the doc it does not say that you need to allocate it, only to free it, so the API allocates it for you, so just increase the size of pDataOut?:

[out] pDataOut
A pointer to a DATA_BLOB structure that receives the encrypted data. W
+hen you have finished using the DATA_BLOB structure, free its pbData 
+member by calling the LocalFree function.
[download]

p.s. Cookie, cookie, give me a cookie hehehe I was seriously told off at my alma mater for recreating this, now that its memory has faded I would be expelled.

bw, bliako

Comment on Re: Access and decrypt Chrome cookies on Windows Select or Download Code

Replies are listed 'Best First'.
Re^2: Access and decrypt Chrome cookies on Windows by Discipulus (Canon) on Nov 30, 2022 at 12:20 UTC
Thanks bliako, your guess is not so bad :) infact with the line `my $pDataOut = " "x1000;` the program runs without any issue but if I print `$new_value` it is always `0` and so if I inspect the copied DB using DBeaver I find `value` column with all `0` and the expiration set to `99999999999999999` So the decryption didnt happened. L* There are no rules, there are no thumbs.. Reinvent the wheel, then learn The Wheel; may be one day you reinvent one of THE WHEELS.	[reply] [d/l] [select]
Re^3: Access and decrypt Chrome cookies on Windows by bliako (Monsignor) on Nov 30, 2022 at 13:08 UTC
Win32::API shows how to work with structures and perhaps this way one can eliminate some of those packs. So this is another angle (thankfully untested): Edit: I have just edited this 3 mins after, because I was using the CryptProtectData Win32::API::Struct->typedef( DATA_BLOB => qw{ DWORD cbData; BYTE pbData; }) or die; Win32::API->Import('user32', <<EOP) or die; BOOL CryptUnprotectData( DATA_BLOB pDataIn, LPWSTR ppszDataDescr, DATA_BLOB pOptionalEntropy, PVOID pvReserved, CRYPTPROTECT_PROMPTSTRUCT pPromptStruct, DWORD dwFlags, DATA_BLOB pDataOut ) EOP # if all went well you have imported CryptUnprotectData() my $datain = Win32::API::Struct->new('DATA_BLOB'); $datain->{'cbData'} = pack('LL', length($encryptedData)+1; $datain->{'pbData'} = unpack('L!', pack('P', $encryptedData)); my $dataout = Win32::API::Struct->new('DATA_BLOB'); # call the imported func my $result = CryptUnprotectData($datain, pack('L', 0), 0, pack('L', 0) +, pack('L4', 16, 0, 0, unpack('L!', pack('P', 0))), 0, $dataout); my $len = $dataout->{'cbData'}; my $dat = unpack('P'.$len, pack('L!', $dataout->{'pbData'})); print "result ($len bytes) : '$dat'\n"; [download]	[reply] [d/l]
Re^4: Access and decrypt Chrome cookies on Windows by Discipulus (Canon) on Dec 01, 2022 at 06:49 UTC
Hello again bliako, thanks for your effort sailing into perilous seas of Win32. I must admit I understand very little of what you are doing. More or less I suppose you are using `Win32::API::Struct->typedef` to cerate a new type of win32 struct, then you import the OS call via `Win32::API->Import` using the brand new struct for incoming data in the funciotn, right? If I put your code in the right place this should be the result: Read more... (4 kB) But.. I get `Decrypting cookies... Unknown Win32::API::Struct 'DATA_BLOB' at chrome-cookies-gist.pl line +65. Unknown Win32::API::Struct 'DATA_BLOB' at chrome-cookies-gist.pl line +68. Undefined subroutine &main::CryptUnprotectData called at chrome-cookie +s-gist.pl line 70.` [download] I've read the documentation, but sincerely it looks like pittograms to me :) Thank you a lot anyway bliako! L* There are no rules, there are no thumbs.. Reinvent the wheel, then learn The Wheel; may be one day you reinvent one of THE WHEELS.	[reply] [d/l] [select]


P is for Practical
	PerlMonks