SecurityXploded.com
Exposing the Password Secrets of Trillian - www.SecurityXploded.com
 
 
 
About Trillian
Trillian is the most popular universal messenger, with 450+ rich features. It supports almost all IM clients, including Gtalk, Windows Live, AIM, Yahoo, ICQ etc.

It also features IMAP/POP3-based email clients that help you manage your inbox while chatting with friends. It also supports popular social networks such as Facebook and Twitter, which makes it a one-stop tool for keeping track of all your IM/Social/Email activities.


 
Trillian is available for multiple platforms, including desktop, web and mobile, keeping things up to date no matter where you go.
 
 
 
Trillian Password Storage Location
Like most instant messengers, Trillian stores the main user account (identity) password on the local disk so that the user does not have to enter it every time. Note that the password is stored only if the user has opted to 'Save Password'.

Earlier versions of Trillian (version 3.x, before 4.x) stored all IM account passwords in the Trillian install location:
C:\Program Files\Trillian\Users\Default
It uses a separate file for each IM account, such as yahoo.ini for Yahoo Messenger, msn.ini for MSN, aim.ini for AIM etc.

The latest versions of Trillian Astra (version 4.x - version 5.x) store only the main account password (called the Identity or Astra password) in the 'accounts.ini' file at the location shown below. All other IM account passwords (such as Yahoo, Gtalk, AIM, MSN etc.) are stored on the servers.
[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Trillian\users\global\

[Windows Vista & Windows 7]
C:\Users\<username>\AppData\Roaming\Trillian\users\global\
Here is a typical example of an accounts.ini file, in which the user name and encrypted password are stored for each user account.
[Account000]
Account=security.test
Display Name=Security Test
Password=ODc1NEU123g1NUVGQjRGQzAxQzJDQTk45A==
Status=
Status Override=0
Status Message=
Save Password=1
Last Login=1287233739
For each account the file contains a section named '[Account<number>]', under which all information for that account is stored. The user name is stored in the field named 'Account=' and the password in the field named 'Password='.
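The layout above is enough to check a workstation for stored Trillian credentials without decrypting anything. The following is an added example, not code from the original article or from Trillian: it parses accounts.ini text and reports which accounts hold a password value, stored either as hex text or as BASE64 over hex text (the two encodings described in the next section). The sample file contents and the function names are constructed for illustration.

```python
import base64
import binascii
import configparser
import re

# Constructed sample in the accounts.ini layout; every value here is made up.
_BLOB = base64.b64encode(b"00112233AABB").decode()
SAMPLE_INI = f"""[Account000]
Account=alice.example
Display Name=Alice Example
Password={_BLOB}
Save Password=1
Last Login=1287233739

[Account001]
Account=bob.example
Display Name=Bob Example
Password=
Save Password=0
"""

HEX_PAIRS = re.compile(r"(?:[0-9A-F]{2})+")

def classify_password_field(value):
    """'none', 'hex' (stored directly), 'base64-hex' (BASE64 over hex) or 'unknown'."""
    value = value.strip()
    if not value:
        return "none"
    if HEX_PAIRS.fullmatch(value):   # check hex first: hex text can also parse as BASE64
        return "hex"
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return "unknown"
    return "base64-hex" if HEX_PAIRS.fullmatch(decoded) else "unknown"

def audit_accounts(ini_text):
    """List each [Account<number>] section and whether it holds a recoverable password."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("Account"):
            continue
        acct = cp[section]
        stored = classify_password_field(acct.get("Password", ""))
        findings.append({"section": section, "account": acct.get("Account", ""),
                         "save_password": acct.get("Save Password", "0") == "1",
                         "stored": stored, "exposed": stored != "none"})
    return findings
```

Any account reported with "exposed" set to True has a password on disk that the fixed-key scheme described below does not protect from someone who can read the file.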
 
 
 
Internals of Trillian Password Encryption
Earlier versions (3.x) of Trillian store the encrypted password directly, whereas later versions (4.x - 5.x) encode it using the BASE64 algorithm before storing it.

All versions use the same encryption algorithm to store the password. Each character in the password is XORed with the Trillian magic bytes to yield the encrypted password. Because the magic bytes are a fixed constant, applying the same XOR again recovers the original password.

Here is the array of magic bytes:
 
BYTE bMagicTrillian[]={ 243, 38, 129, 196, 57, 134, 219, 146, 113, 163, 185, 230, 83, 122, 149, 124, 0, 0, 0, 0, 0, 0, 255, 0, 0, 128, 0, 0, 0, 128, 128, 0, 255, 0, 0, 0, 128, 0, 128, 0, 128, 128, 0, 0, 0, 128, 255, 0, 128, 0, 255, 0, 128, 128, 128, 0, 85, 110, 97, 98, 108, 101, 32, 116, 111, 32, 114, 101, 115, 111, 108, 118, 101, 32, 72, 84, 84, 80, 32, 112, 114, 111, 120, 0 };
 
 
 
Trillian Password Decryption Operation
 
Here are the detailed steps for decrypting the Trillian account password.
 
1. Retrieve and Decode the stored Password
As mentioned earlier, Trillian stores the account password on the local disk. You need to retrieve the Trillian user name and associated password from this file for each stored account. Then use the BASE64 algorithm to decode it and get the encrypted password. Note that BASE64 decoding is required for newer versions only.
 
2. Decrypt the Trillian Password
 
Trillian uses magic bytes, which are XORed with the encrypted password to get the original password.

Here is a code example that performs the Trillian password decryption operation:
 
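#include <stdio.h>

typedef unsigned char BYTE;  //same definition as in the Windows headers

BYTE bMagicTrillian[]={ 243, 38, 129, 196, 57, 134, 219, 146, 113, 163, 185, 230, 83, 122, 149, 124, 0, 0, 0, 0, 0, 0, 255, 0, 0, 128, 0, 0, 0, 128, 128, 0, 255, 0, 0, 0, 128, 0, 128, 0, 128, 128, 0, 0, 0, 128, 255, 0, 128, 0, 255, 0, 128, 128, 128, 0, 85, 110, 97, 98, 108, 101, 32, 116, 111, 32, 114, 101, 115, 111, 108, 118, 101, 32, 72, 84, 84, 80, 32, 112, 114, 111, 120, 0 };

//strEncPassword   : encrypted password as a hex string (already BASE64 decoded for 4.x - 5.x)
//strClearPassword : output buffer of at least strlen(strEncPassword)/2 + 1 bytes
void DecryptTrillianPassword(const char *strEncPassword, char *strClearPassword)
{
  int i;
  char a;
  BYTE c;

  //stop at the end of the hex string or of the magic array, whichever comes first
  for(i=0; i < (int)sizeof(bMagicTrillian) && strEncPassword[2*i] && strEncPassword[2*i+1]; i++)
  {
    //high nibble: convert the hex character (0-9, A-F) to its value
    a = strEncPassword[2*i];

    if( a >= '0' && a <= '9' )
      c = a - '0';
    else
      c = 0xA + (a - 'A');

    //low nibble
    a = strEncPassword[2*i+1];
    if( a >= '0' && a <= '9' )
      a = a - '0';
    else
      a = 0xA + (a - 'A');

    c = (c << 4) + a;

    //Xor encrypted password with Magic char
    strClearPassword[i] = c ^ bMagicTrillian[i];
  }

  //null terminate the password
  strClearPassword[i]=0;

  printf("Final decrypted Trillian password is %s", strClearPassword);
}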
 
In each step of the decryption operation, two characters from the encrypted password, representing one byte, are taken and XORed with the corresponding byte from the magic array. At the end of the operation we get the original Trillian password.
 
 
 
Recovering Trillian Password using TrillianPasswordDecryptor
TrillianPasswordDecryptor is a dedicated tool to recover Trillian account passwords. It can automatically detect the currently installed version of Trillian and recover the passwords accordingly. It supports all Trillian versions, from 3.x to the latest beta version 5.x.
 
TrillianPasswordDecryptor is a portable tool that does not require installation and works across a wide range of platforms, from Windows XP to Windows 7. You can also use our other tool, IMPasswordDecryptor, to recover Trillian passwords along with other instant messenger passwords.
 
 
 
Reference
 
Some of the content in this article is based on the following source:
Trillian Passwords by whatsmypass.com
 
 
 
Conclusion
The above article explains how Trillian stores the account password using its own proprietary encryption algorithm and shows how one can manually decrypt such a password to recover the original password.

Note that this does not indicate a lapse in Trillian's security, as only an authorized user can view and decrypt the stored passwords. But due to the nature of its password storage mechanism, you are advised to exercise caution when granting others access to your system.
 
 
 