Thursday, May 26, 2016

All Saved Password Location



Google Chrome:

Chrome passwords are stored in a SQLite file. The site's name and the site's username are in clear text, but the password is seeded in a Triple DES algorithm. The file is called Web Data and is stored in the following location:


XP – C:\Documents and Settings\Username\Local Settings\Application Data\Google\Chrome\User Data\Default

Vista – C:\Users\Username\Appdata\Local\Google\Chrome\User Data\Default


Trillian:

Note- I have just realised the new version of Trillian the passwords may be stored/encrypted differently.

Trillian passwords are stored in .ini files. The first character of the password is encrypted with XOR with the key 243, then the password is converted into hex. The file is based on what the password is for, so if it was icq it would be icq.ini (for new versions I think they are all stored in a file called accounts.ini or something similar; if you open it up with notepad you will see all the data + the encrypted password). The files are stored in the following location:

XP (old version) – C:\Program Files\Trillian\users\

XP (new version) – C:\Documents and Settings\Username\Local Settings\Application Data\Trillian\user\global – I am not sure on exact but it is somewhere there.

Vista (old version)- C:\Program Files\Trillian\users\

Vista (new version)- C:\Users\Username\Appdata\Roaming\Trillian\user\global



MSN / Windows Live Messenger:

MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[AccountName]

Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with an entry name that begins with “WindowsLive:name=”. They use a set of Win API functions (Credential APIs) to store its security data (Credentials). These functions store user information, such as names and passwords for the accounts (Windows Live ID credentials). Windows Live ID Credential records are controlled by the operating system for each user and for each session. They are attached to the “target name” and “type”. If you are familiar with SQL you can think of target name and type as the primary key. Table below lists most frequently used fields in Windows Live ID Credential records.



Paltalk:

Paltalk passwords are using the same encryption algorithm. Paltalk passwords are stored in the registry. To encrypt the new password, Paltalk looks at the of the C:\ and performs a mix with the Nickname. The resulting string is then mixed again with the password and some other constants. The final string is then encoded and written to the registry.

AIM, ICQ and Yahoo Messenger passwords that are stored by Paltalk are encoded by the BASE64 algorithm.

The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\Paltalk\[Account Name]



Google Talk:

Google Talk passwords are encoded/decoded using Crypto API. Encrypted Gmail passwords are stored by Google Talk in the registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]



Firefox:

The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and signons3.txt (depends on Firefox version).
These files are located inside the profile folder of Firefox, in [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]
Also, key3.db, located in the same folder, is used for encryption/decryption of the passwords.



Yahoo Messenger 6.x:

The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager
(“EOptions string” value)



Yahoo Messenger 7.5 or later:

The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager – “ETS” value.
The value stored in “ETS” value cannot be recovered back to the original password.



AIM:

AIM uses Blowfish and base64 algorithms to encrypt the AIM passwords.
A 448-bit keyword is used to encrypt the password with Blowfish. The encrypted string is then encoded using base64. The passwords are stored in the Registry, under HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords



Filezilla:

Passwords are stored in a .xml file located in Filezilla on appdata; there are sources for this.



Internet Explorer 4.00 – 6.00:

The passwords are stored in a secret location in the Registry known as the “Protected Storage”.
The base key of the Protected Storage is located under the following key:
“HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”.

You can browse the above key in the Registry Editor (RegEdit), but you won’t be able to watch the passwords, because they are encrypted.
Also, this key cannot easily be moved from one computer to another, like you do with regular Registry keys.



Internet Explorer 7.00 – 8.00:

The new versions of Internet Explorer store the passwords in 2 different locations.
AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.

HTTP Authentication passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials, together with login passwords of LAN computers and other passwords.



Opera:

The passwords are stored in wand.dat filename, located under [Windows Profile]\Application Data\Opera\Opera\profile



Outlook Express (All Versions):

The POP3/SMTP/IMAP passwords of Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.



Outlook 98/2000:

Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.



Outlook 2002-2008:

All new versions of Outlook store the passwords in the same Registry key of the account settings.

The accounts are stored in the Registry under HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\[ProfileName]\9375CFF0413111d3B88A00104B2A6676\[Account Index]

If you use Outlook to connect an account on Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers.



ThunderBird:

The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]
You should search for a filename with .s extension.



Digsby:

The main password of Digsby is stored in [Windows Profile]\Application Data\Digsby\digsby.dat
All other passwords are stored in Digsby servers.

