EnScript to decode Yahoo chats in unallocated
A while back I created an EnScript to search for keywords that may appear in encrypted Yahoo chat logs in unallocated. You can read about that EnScript here.
After creating that EnScript, I created a second one to parse the encrypted chat logs that you may find in unallocated. The following EnScript can be used to decode the chats that you may find in unallocated.
Before running the EnScript, click the cursor on the first character of the UNIX timestamp of the found Yahoo log data in unallocated. The structure of a Yahoo log record is date, type, user, size, message, then a DWORD null (see below). Once the cursor is on the first byte of the UNIX timestamp, run the EnScript; you will need to provide the local Yahoo user name, as this is used as the XOR key.
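The decoding step described above, as an added Python example that is not the EnScript from this post: it assumes the date, type, user and size fields are each 32-bit little-endian values and that the message is XORed byte by byte with the repeating local user name. The function names, the size limit and the sample data are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: date, type, user, size as 32-bit little-endian integers.
HEADER = struct.Struct("<IIII")
TERMINATOR = b"\x00\x00\x00\x00"  # the trailing DWORD null

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with the repeating key (the local Yahoo user name)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_records(buf: bytes, offset: int, local_user: str, max_size: int = 4096):
    """Decode consecutive records; offset is the first byte of a UNIX timestamp."""
    key = local_user.encode("ascii")
    if not key:
        raise ValueError("local user name (XOR key) is required")
    records = []
    while offset + HEADER.size <= len(buf):
        ts, rtype, user, size = HEADER.unpack_from(buf, offset)
        end = offset + HEADER.size + size
        # Stop at implausible data rather than walking on through unallocated
        # noise. Assumption: the user field is a 0/1 flag; max_size is arbitrary.
        if size > max_size or user > 1 or end + 4 > len(buf):
            break
        if buf[end:end + 4] != TERMINATOR:
            break
        text = xor_with_key(buf[offset + HEADER.size:end], key)
        records.append({
            "time": datetime.fromtimestamp(ts, tz=timezone.utc),
            "type": rtype,
            "user": user,
            "message": text.decode("utf-8", errors="replace"),
        })
        offset = end + 4
    return records, offset  # offset is where parsing stopped

def build_record(ts: int, rtype: int, user: int, text: str, key: str) -> bytes:
    """Build a constructed sample record (test data, not real case data)."""
    body = xor_with_key(text.encode(), key.encode())
    return HEADER.pack(ts, rtype, user, len(body)) + body + TERMINATOR

if __name__ == "__main__":
    key = "examiner01"  # constructed user name
    blob = (b"\xff" * 7 + build_record(1200000000, 6, 0, "hello", key)
            + build_record(1200000030, 6, 1, "hi there", key) + b"\xa5" * 16)
    recs, stop = parse_records(blob, 7, key)
    for r in recs:
        print(r["time"].isoformat(), r["user"], r["message"])
    print("stopped at offset", stop)
```

A wrong user name still parses the record structure but yields unreadable message text, which is a quick check that the right key was supplied.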
3 comments:
Lance, thanks for the time and effort you provide in developing these EnScripts. They are very much appreciated.
mark
Lance,
I didn't have a specific keyword to use on your first Yahoo EnScript, so here is what I did. I did a keyword search for:
\x47|\x48|\x49|\x4a|\x4b\x06\x00{3,3}\x00|\x01\x00{3,3}[^\x00]\x00{3,3}
I immediately found hits in unallocated that obviously denote a chat of about 15 back and forth texts. I placed my cursor on the first Unix time character and ran your script. It's been running for 10 minutes now, which seems a bit long since the chat was not that large.
Will this keyword search work with your second script?
Mark
Update on the above comment. The script does work on my keyword search hits, with a few issues. During one process there were roughly 30 chat fragments all in a row, but the script would not complete. I shut it down, and the console did show all of the results. In another instance the script gave me an error (I can't recall the wording right now), but it also returned the results in the console window. All in all the script has worked for me. I'm just not sure about the minor issues.
mj