atilaromero / telegram-desktop-decrypt

Tool to decrypt tdata files.
MIT License
181 stars 63 forks

How to get session information? #2

Open SH659 opened 5 years ago

SH659 commented 5 years ago

I want to convert tdata\D877F783D5D3EF8C\map[0-1] tdata\D877F783D5D3EF8C[0-1] files to another format that I can use.

At least I need to get auth_key from these files.

Is there any way to do it?

atilaromero commented 5 years ago

The map file does not have this info. You can use the bulkdecrypt to look in UserSettings, but I don't think the auth_key will be there. There is also the settings1 file, I don't remember what kind of information it stores. This tool decrypts it, but does not parse it.

SH659 commented 5 years ago

Hmmm.. To auth into the Telegram Desktop app you need these two files (no less or more). I think they must contain login info. I already tried to find auth_key in bulkdecrypt, but it seems there are only user settings there, no auth data. Can you give me some links to tdata structure information? Maybe you know where I need to look.

atilaromero commented 5 years ago

https://github.com/telegramdesktop/tdesktop/blob/dev/Telegram/SourceFiles/storage/localstorage.cpp

ZX-zedex commented 5 years ago

Hi. My question is how to change local passcode in map[0-1] by replacing some values in this file. Because if by using JTP we can get the hash of this maybe it can be replaced in the editor. Is there any chance to do it?

atilaromero commented 5 years ago

I've never heard about the local passcode or the JTP... But I don't think they are in the map file. Maybe in the settings[0-1] file or in the encrypted userSetting.

On Fri, Aug 16, 2019 at 8:10 AM ZX-zedex notifications@github.com wrote:

> Hi. My question is how to change local passcode in map[0-1] by replacing some values in this file. Because if by using JTP we can get the hash of this maybe it can be replaced in the editor. Is there any chance to do it?

ZX-zedex commented 5 years ago

John The Ripper is the Kali Linux tool to get the passcode's hash from the tdata folder. If you launch the program, it says that the hash is loaded from the map[0-1] file. That's why I am asking if it is possible to change it.

ZX-zedex commented 5 years ago

And could you explain how your program decrypts the files from tdata? Because I failed in trying to do that.

atilaromero commented 5 years ago

Following the bulk decrypt steps: It parses the streams in the map[0,1] file with tdata.ReadRawTDF(f), checking the checksum too;

Then the function encrypted.ReadEMap(rawtdf) assumes the 3 streams belong to an encrypted map, and are: Salt, KeyEncrypted, and MapEncrypted.

emap.Decrypt(password) calls emap.GetKey(password), that calls passkey := decrypt.CreateLocalKey([]byte(password), t.Salt) and then localkey, err := decrypt.DecryptLocal(t.KeyEncrypted, passkey)

So decrypt.CreateLocalKey does the main job, creating a passkey from a password and a salt. If all goes well, that passkey can decrypt the t.KeyEncrypted, which is the middle stream in the map[0,1] file. When decrypted, this middle stream is the localkey, which can be viewed with the "map getkey" options of telegram-desktop-decrypt.

Maybe the key that JTR gives you is this passkey, that can decrypt the middle stream, or it may be the localkey, I don't know.

The MapEncrypted stream just contains a list of type-cache_filename pairs. These files are decrypted using the localkey. The map lists the type of the file, which is important only to parse the data, but does not affect decryption.
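
The first two steps described in the comment above (reading the container with its checksum, then splitting it into Salt, KeyEncrypted and MapEncrypted), as an added example that is not part of the thread and is not the project's own code. `ParseMap`, `EMap`, `tdfDigest` and `buildSample` are hypothetical names, and the layout (a `TDF$` magic, 4 version bytes, big-endian length-prefixed streams, trailing MD5) is an assumption about Telegram Desktop's local storage format that the page does not state; the sample input is constructed.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/binary"
	"fmt"
)

// EMap holds the three streams of an encrypted map file, in file order.
type EMap struct{ Salt, KeyEncrypted, MapEncrypted []byte }

// tdfDigest: MD5 over payload, int32 LE payload length, version, magic (assumed layout).
func tdfDigest(payload, version []byte) []byte {
	n := binary.LittleEndian.AppendUint32(nil, uint32(len(payload)))
	sum := md5.Sum(bytes.Join([][]byte{payload, n, version, []byte("TDF$")}, nil))
	return sum[:]
}

// ParseMap checks magic and checksum, then splits the payload into three
// big-endian length-prefixed streams, bounds-checking every length.
func ParseMap(file []byte) (*EMap, error) {
	if len(file) < 24 || !bytes.HasPrefix(file, []byte("TDF$")) {
		return nil, fmt.Errorf("not a TDF container")
	}
	version, payload, sum := file[4:8], file[8:len(file)-16], file[len(file)-16:]
	if !bytes.Equal(tdfDigest(payload, version), sum) {
		return nil, fmt.Errorf("checksum mismatch")
	}
	var s [3][]byte
	for i := range s {
		if len(payload) < 4 || uint64(binary.BigEndian.Uint32(payload)) > uint64(len(payload)-4) {
			return nil, fmt.Errorf("stream %d truncated", i)
		}
		n := binary.BigEndian.Uint32(payload)
		s[i], payload = payload[4:4+n], payload[4+n:]
	}
	return &EMap{s[0], s[1], s[2]}, nil
}

// buildSample wraps constructed (not real) streams in the assumed container.
func buildSample(streams ...[]byte) []byte {
	var p []byte
	for _, s := range streams {
		p = append(binary.BigEndian.AppendUint32(p, uint32(len(s))), s...)
	}
	v := []byte{1, 0, 0, 0}
	return bytes.Join([][]byte{[]byte("TDF$"), v, p, tdfDigest(p, v)}, nil)
}
func main() {
	m, err := ParseMap(buildSample([]byte("salt"), []byte("key-enc"), []byte("map-enc")))
	fmt.Printf("%+v %v\n", m, err)
}
```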

ZX-zedex commented 5 years ago

I need to find this passcode in Telegram Desktop, which is stored in the map[0-1] file.

I don't have any idea about the length of the password, which characters it contains and the strength of it. Is there any chance to find it out with your tool, or maybe replace it in the map[0-1] file with the simplest one (ex. 1234)?

Because whenever I run your script it shows me Wrong map key error etc.

atilaromero commented 5 years ago

No, the tool is only able to extract something if you have the password, or if the password was never set. It does not crack anything.

Thoufak commented 4 years ago

@SH659 Hi! Have you been able to extract the auth_key?

SH659 commented 4 years ago

> @SH659 Hi! Have you been able to extract the auth_key?

No :(

zloishax commented 4 years ago

Hi! Have you been able to extract the auth_key?

Kolkapetkinsyn commented 2 years ago

Hi! Have you been able to extract the auth_key?