
Art of Decrypting Digsby Password

Posted June 8th, 2010. Filed under Security Stuff

Digsby is a popular multiprotocol IM client that lets you chat with all your friends on AIM, MSN, Yahoo, ICQ, Google Talk, and Jabber with one simple-to-manage buddy list. It also has a social networking feature that lets you stay connected with your friends through popular social network sites such as Facebook, Twitter, LinkedIn, Myspace etc. All these features, together with ease of use, made it one of the popular IM clients around the world in a short time.


Digsby stores only the main account password locally; all other IM account passwords (such as Yahoo, Gmail, AIM) are stored on the servers. The main account password is stored in the ‘logininfo.yaml’ file at the following location:

[Windows XP]
C:\Documents and Settings\<user_name>\Local Settings\Application Data\Digsby

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Local\Digsby

It is always challenging to reverse and discover how a certain application encrypts the password, as most apps use their own unique methods and different algorithms. I was onto the same challenge when I set out to decrypt the Digsby password, as I already knew it uses some kind of encryption algorithm with a derived key.

It took me around 16 hours of reversing, spanned across several days and nights, to get to the final password. As usual, the drive was very interesting and the pleasure of cracking it successfully was immense.

The newer version of Digsby uses a better key generation mechanism than the previous one, which used just a static string as the key for the encryption algorithm. Here are the interesting details on how Digsby encrypts the password and how to decrypt it.

Digsby uses the combination of Product Id, Install Date and Digsby username to compute the key for the encryption algorithm. It concatenates all three together to form one string and then computes the SHA1 hash of it. This generates the 20-byte hash which is used as the key to the encryption algorithm.

Next it takes the stored password from the ‘logininfo.yaml’ file, where it is kept in BASE64 format. It decodes this password using a BASE64 decoder to get the encrypted password. This encrypted password is the same length as the original password, so merely BASE64-decoding the stored password gives you the length of the password.

Then this encrypted password is decrypted with the RC4 algorithm, using the previously generated SHA1 hash as the key. During reversing I completely reversed this RC4 algorithm itself. To me it looked like some kind of XOR and SWAP routines to decrypt the password, and I thought this might be a proprietary algorithm used by Digsby. It was only later that I discovered that this is in fact the RC4 algorithm, after going through the documentation of RC4.
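The scheme described above as a round trip over constructed values, to show why it is obfuscation rather than protection: the key comes entirely from non-secret inputs, and the stored value reveals the password length. This is an added example, not the author's or IMPasswordDecryptor's code; the concatenation order, the string formats of the Product Id and Install Date, and the UTF-8 encoding are assumptions.

```python
import base64
import hashlib


def derive_key(product_id: str, install_date: str, username: str) -> bytes:
    """SHA1 of the three values joined into one string: a 20-byte key."""
    # Assumption: joined in the order the text lists them, encoded as UTF-8.
    joined = product_id + install_date + username
    return hashlib.sha1(joined.encode("utf-8")).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: the SWAP loop is the key schedule, the XOR is the cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation, one byte per input byte
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def store(password: str, key: bytes) -> str:
    """Encrypt and Base64-encode, giving the form the text says is stored."""
    return base64.b64encode(rc4(key, password.encode("utf-8"))).decode("ascii")


def recover(stored: str, key: bytes) -> str:
    """Base64-decode, then apply RC4 again with the same key (it is symmetric)."""
    return rc4(key, base64.b64decode(stored)).decode("utf-8")


def leaked_length(stored: str) -> int:
    """A stream cipher adds no padding, so the length is readable without a key."""
    return len(base64.b64decode(stored))


# Constructed sample values, not taken from any real installation.
SAMPLE_KEY = derive_key("00000-000-0000000-00000", "1275955200", "example_user")
SAMPLE_STORED = store("Tr0ub4dor&3", SAMPLE_KEY)

if __name__ == "__main__":
    print(SAMPLE_STORED, leaked_length(SAMPLE_STORED), recover(SAMPLE_STORED, SAMPLE_KEY))
```

Nothing in the key derivation is secret from a process running as the same user, so a design that needs real protection would bind the stored secret to the OS credential store instead.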

Overall it was a very interesting experience reversing the algorithm and getting right on the target. This will come as part of our new tool, IMPasswordDecryptor, which will help you instantly recover passwords stored by popular IM clients.

Source : http://nagareshwar.securityxploded.com/2010/06/08/art-of-decrypting-digsby-password/
