.ple file extension

moudy
Technology Enthusiast
Posts: 688
Joined: 10 Feb 2009, 17:00
Location: Beirut, Lebanon

Post by moudy »

I have this file that has a .ple extension, and it's encrypted (I actually want to decrypt the content).
Now I did a lot of searching on the internet; mostly I read that without the password it's almost impossible to get the info from the file.
What are the possible ways to brute force / crack the password?
Or if there are any other ways to do the job.
I'm searching for ideas, but I'm not finding any. :roll:
mahmoud_shihab@hotmail.com

Post by moudy »

In an attempt to discover the nature of this file extension and how it works and what I can do in it, I decided to start messing with Python IDLE.
This is what I got:

Code:

>>> f = open("filename.ple", "r")
>>> text = f.read()
>>> print text
MPLE2<<ä
>>>

Now I'm quite interested to know what "MPLE2<<ä" means. Does it have any significance? I tried to search for this on Google, but I found nothing.
I hope I get an answer from the Python coders here.
mahmoud_shihab@hotmail.com

leetnigga
Fame ! Where are the chicks?!
Posts: 447
Joined: 28 Jul 2009, 16:00

Post by leetnigga »

.PLE files are Messenger Plus! encrypted chat log files.

MPLE2 are the characters at the beginning of the file that identify it as such a file.

The stuff after MPLE2 is binary data, the actual content of the file. Rendered as ASCII the first few bytes look like "<<ä". It's pretty safe to say that the file contents are not plain ASCII, so representing them that way is useless.

The reason Python only read the first few bytes and no further is because you didn't open the file in a binary mode such as "rb".

If you want to decrypt the file, you'll most likely need a key. You'll also need to know how the file is decrypted, for which you'll probably have to look at the Messenger Plus! assembly. If you want to brute-force it you'll have to try every key, which is probably infeasible.

Post by moudy »

leetnigga wrote:
> .PLE files are Messenger Plus! encrypted chat log files.
>
> MPLE2 are the characters at the beginning of the file that identify it as such a file.
>
> The stuff after MPLE2 is binary data, the actual content of the file. Rendered as ASCII the first few bytes look like "<<ä". It's pretty safe to say that the file contents are not plain ASCII, so representing them that way is useless.
>
> The reason Python only read the first few bytes and no further is because you didn't open the file in a binary mode such as "rb".
>
> If you want to decrypt the file, you'll most likely need a key. You'll also need to know how the file is decrypted, for which you'll probably have to look at the Messenger Plus! assembly. If you want to brute-force it you'll have to try every key, which is probably infeasible.

That's really nice info you provided there, pal :)
Now, I did open the file in "rb" mode.
It gave me the same as before :roll:
About the encryption algorithm, how can I find it?
mahmoud_shihab@hotmail.com

Post by leetnigga »

moudy wrote:
> Now, I did open the file in "rb" mode.
> It gave me the same as before :roll:

That's odd. How big is the file? Can you upload it some place like Rapidshare?

moudy wrote:
> About the encryption algorithm, how can I find it?

Assuming Messenger Plus! has some sort of log viewer, the code to decrypt the log files will be in there. You'd have to disassemble the binary and find the decryption routine.

Post by moudy »

Sorry for my late reply, I was busy a lot.
The file is more than 100kb so I'm sure there is something odd in IDLE. When I open the file with Microsoft Word the data is there, but in gibberish form.
As for the encryption, I read this post on the msn plus community site:

Hello.

I just thought I'd post this up here in case it helps anyone. Attached is a tool to encrypt or decrypt log files, I'll bring out a tool which will encrypt/decrypt a whole directory when I have more time.

To decrypt Messenger Plus! log files (C++):


File format of .ple files

First 10 bytes are the same for all log files.
const char standardHeader[] = {0x10,0x01,'M','P','L','E','1','<','<',0};

The next 4 bytes, I'm not sure what they are for, but in all log files I've seen they are
const char unknownbytes[] = {1,0,0,0};

After this is the length of the password check string (4 bytes). This is usually 13.
Then comes the encrypted password check string. I'll talk about how to decrypt it later.

All that was the header. For the rest of the file, it is in multiple chunks of data.
Each of these chunks starts with the 'signature':
const unsigned char sig[] = {0xE9,0xFF,0xA3,0x00}; // unsigned: 0xE9 and above do not fit in a signed char
After this, there is the length of the following data (4 bytes).
Then there is the encrypted text.



To decrypt text :

Messenger Plus! uses the CryptoAPI to encrypt and decrypt text.
This is set up with the following call
CryptAcquireContextW(&hProv,L"MessengerPlusEncryptProvider",L"Microsoft Enhanced Cryptographic Provider v1.0",1,0); // 1 = PROV_RSA_FULL

I discovered that for some reason, the password is scrambled, and that the password is Unicode (2 bytes).^o)
The algorithm for this in pseudo code is:

for i = 0 to length of password - 1
    newpassword[i] = password[i] + password[i + 1]
next i
newpassword[last letter] = password[last letter] + password[0]


The calls to continue setting up so that you can decrypt text are:

CryptCreateHash(hProv,0x8003,0,0,&hHash); // 0x8003 = CALG_MD5
CryptHashData(hHash,newpassword,len,0);
CryptDeriveKey(hProv,0x6801,hHash,0x800000,&hKey); // 0x6801 = CALG_RC4; 0x800000 requests a 128-bit key

This final call gives you a HCRYPTKEY which you can use in the CryptEncrypt and CryptDecrypt functions on the text :D

Sorry if this is all a bit confusing, I don't think I formatted it, or explained it very well :$

Solus


Edit - I replaced the file with one which has the VC runtime library statically linked, so it *should* work now

Edit 2 - Ok, so I converted it all to unicode, and made a few changes so it'll run on computers which haven't got Messenger Plus on.

.exe File Attachment: mpLogs.exe (56 KB)

So basically the crypto API is used to decrypt the text, given the right password.
Now I read in other posts that in msn plus! live a stronger encryption algorithm is used, so basically I was to search if I can find it somewhere, or I have to reverse engineer the application myself (which basically I have no knowledge in).
In case you want, leet, I'll upload the file on Rapidshare, and I'll send you the link in a message.
mahmoud_shihab@hotmail.com
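
The file layout described in the quoted post above, as an added example that is not part of the thread or of any Messenger Plus! tool: a Python 3 parser that maps the header and chunk list from bytes read in binary mode, without decrypting anything. It assumes the 4-byte lengths are little-endian; `parse_ple`, `PleFormatError` and the sample bytes are constructed for this example.

```python
import struct

# Layout taken from the quoted post; names here are this example's own.
HEADER_V1 = b"\x10\x01MPLE1<<\x00"      # the 10 bytes described for MPLE1 logs
CHUNK_SIG = b"\xE9\xFF\xA3\x00"


class PleFormatError(ValueError):
    """Raised when the bytes do not match the described layout."""


def _u32(buf, off):
    # Assumption: 4-byte lengths are little-endian (Windows application).
    if off + 4 > len(buf):
        raise PleFormatError("truncated length field at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0]


def parse_ple(buf):
    """Map header fields and chunk (offset, length) pairs; decrypts nothing."""
    if buf[:6] != HEADER_V1[:6] or buf[7:10] != HEADER_V1[7:]:
        raise PleFormatError("not a .ple header")
    if buf[:10] != HEADER_V1:
        # e.g. "MPLE2": the post only documents the MPLE1 layout.
        raise PleFormatError("undocumented version %r" % chr(buf[6]))
    check_len = _u32(buf, 14)
    off = 18 + check_len
    if off > len(buf):
        raise PleFormatError("password check string runs past end of file")
    chunks = []
    while off < len(buf):
        if buf[off:off + 4] != CHUNK_SIG:
            raise PleFormatError("bad chunk signature at offset %d" % off)
        size = _u32(buf, off + 4)
        start = off + 8
        if start + size > len(buf):
            raise PleFormatError("chunk at offset %d is truncated" % off)
        chunks.append((start, size))
        off = start + size
    return {"unknown": buf[10:14], "check": buf[18:18 + check_len],
            "chunks": chunks}


# Constructed sample (not a real log): 13-byte check string, two chunks.
SAMPLE = (HEADER_V1 + b"\x01\x00\x00\x00"
          + struct.pack("<I", 13) + bytes(range(13))
          + CHUNK_SIG + struct.pack("<I", 5) + b"\xaa" * 5
          + CHUNK_SIG + struct.pack("<I", 3) + b"\xbb" * 3)

if __name__ == "__main__":
    info = parse_ple(SAMPLE)   # for a real file: open(path, "rb").read()
    print(len(info["check"]), info["chunks"])
```
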

Post by leetnigga »

moudy wrote:
> In case you want, leet, I'll upload the file on Rapidshare, and I'll send you the link in a message.

Yes.

moudy wrote:
> Now I read in other posts that in msn plus! live a stronger encryption algorithm is used, so basically I was to search if I can find it somewhere, or I have to reverse engineer the application myself (which basically I have no knowledge in).

Messenger Plus! Live installs a separate executable named Log Viewer.exe that lets you decrypt log files on the command line provided a log file and a password. You could either write a script to run the tool repeatedly with different passwords on the same file until it succeeds, or disassemble it so you can use the decryption code in your own brute forcer.

Scripting is the easy way which will be slower. Disassembly will be a lot harder but with a much faster brute forcer as a result.
