0

i'm trying to get the hex binary (\x**) of a base64 decode result from the Local State of chrome.

When i decode the base64 of my encrypted key using

[System.Convert]::FromBase64String($local_state.os_crypt.encrypted_key)

I get an byte array, but not hex, what i want is something like base64.b64decode("BASE64_ENCODED_STRING") from the base64 module of python I don't know how to achieve this result in powershell, so if anyone could help, i would apreciate :)

My current :

$local_state=Get-Content -Path "$($env:LOCALAPPDATA)\\Google\\Chrome\\User Data\\Local State" | ConvertFrom-Json
[System.Convert]::FromBase64String($local_state.os_crypt.encrypted_key)

Exemple of difference between powershell and python: Python output : b'\x01\x00\x01' Powershell Output : 01 00 01

Dapkz
  • 13
  • 4
  • Do you mean like this?: `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Local_State.os_crypt.encrypted_key)) | Format-Hex` – KG-DROID Aug 03 '23 at 12:39
  • Nope, not like this, My current code is ```[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($local_state.os_crypt.encrypted_key))``` and i get -> https://pastebin.com/raw/301y9RGb (in the pastebin), what i want is -> https://pastebin.com/raw/ubYCtiqD (in the pastebin) – Dapkz Aug 03 '23 at 12:48
  • As a starting point, this encodes all bytes as hex: `-join ([System.Convert]::FromBase64String($local_state.os_crypt.encrypted_key) | % { '\x{0:x2}' -f $_ })` – zett42 Aug 03 '23 at 13:06
  • its better but still not the good thing, i should keep like ascii letters etc, like, abcdefghijklmnopqrstuvwxyz and special chars should not be converted as hex, soooo yeah, strange encryption, i dont know what the creator of the base64 python module did, i get https://paste.bingner.com/paste/w8v3x/raw its better but not what i want : https://pastebin.com/raw/ubYCtiqD – Dapkz Aug 03 '23 at 13:16
  • As an aside: ``\`` chars. aren't special in PowerShell - no need to escape them as ``\\`` – mklement0 Aug 03 '23 at 13:18
  • 2
    Can you show your python code for comparison. That’ll give a reference for what the code is doing that you’re trying to reproduce in Powershell… – mclayton Aug 03 '23 at 15:32

1 Answers1

1

Using the ConvertFrom-SecureString cmdlet:

$SecureString = Read-Host -AsSecureString
$Hex = $SecureString | ConvertFrom-SecureString

Default (hexadcimal) output

$Hex
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000da4b9d0c09bdb140b3060606f3557e12000000000200000000001066000000010000200000003e5e7e364bba09ff85c69e5ab52d6503c9782f2e6fb280e6d5259adb194d5872000000000e8000000002000020000000fbaff7af38d8a7fa03283907bd428a0160ab0e17748eaef159767f3dac4699c310000000700931ab89b21c663e2d8c55eb62328d40000000883276253b23475ea08afacaba679cc97cfb17a16c8155bcc4f1d4210ebcc7506c4e1d94b94aa18d9454c9795ce4e857a063267027c36f1c8ae1ba64da3d1863

Not sure wherefore you need this format:

$Hex -replace '..', '\x$&'
\x01\x00\x00\x00\xd0\x8c\x9d\xdf\x01\x15\xd1\x11\x8c\x7a\x00\xc0\x4f\xc2\x97\xeb\x01\x00\x00\x00\xda\x4b\x9d\x0c\x09\xbd\xb1\x40\xb3\x06\x06\x06\xf3\x55\x7e\x12\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x10\x66\x00\x00\x00\x01\x00\x00\x20\x00\x00\x00\x79\x5d\x5a\x40\xed\xde\xc7\xea\xad\x34\xe3\x95\x05\x9b\x6c\x62\xc9\x0f\x46\xa9\xe3\xb2\x8f\x44\xe1\x05\xe4\xd2\xe1\x53\x82\xad\x00\x00\x00\x00\x0e\x80\x00\x00\x00\x02\x00\x00\x20\x00\x00\x00\x9f\x46\x73\x15\x59\x55\x4b\xd6\x49\xc8\x7f\x65\xc6\x65\xf5\x46\xc8\x82\xc7\x2b\x1f\xc0\xac\x85\x09\x29\x57\x53\x0a\xde\x1c\x03\x10\x00\x00\x00\x57\x73\xd9\xfc\xe1\xe0\x00\x63\x33\xcf\x8d\xf1\xd0\xad\xb7\xf0\x40\x00\x00\x00\x8d\x54\x05\xae\x06\x15\x25\x74\xfd\x5c\xf6\x6e\xb3\xce\xf0\xa7\xd6\x32\x6b\xb5\x18\xe8\xd1\x85\xf1\xf2\x45\x13\x8e\xbc\x15\x38\x84\x14\xb1\xdb\x89\x9c\x74\xb2\xa1\xf6\xf8\x48\x1f\x61\x5f\x26\xe9\x2c\x78\x2d\xeb\x3c\x81\x1b\x74\x77\x2a\x5d\x31\x80\x20\xb4

Actual Bytes

$Bytes = [byte[]] -split ($Hex -replace '..', '0x$& ')
"$Bytes"
1 0 0 0 208 140 157 223 1 21 209 17 140 122 0 192 79 194 151 235 1 0 0 0 218 75 157 12 9 189 177 64 179 6 6 6 243 85 126 18 0 0 0 0 2 0 0 0 0 0 16 102 0 0 0 1 0 0 32 0 0 0 121 93 90 64 237 222 199 234 173 52 227 149 5 155 108 98 201 15 70 169 227 178 143 68 225 5 228 210 225 83 130 173 0 0 0 0 14 128 0 0 0 2 0 0 32 0 0 0 159 70 115 21 89 85 75 214 73 200 127 101 198 101 245 70 200 130 199 43 31 192 172 133 9 41 87 83 10 222 28 3 16 0 0 0 87 115 217 252 225 224 0 99 51 207 141 241 208 173 183 240 64 0 0 0 141 84 5 174 6 21 37 116 253 92 246 110 179 206 240 167 214 50 107 181 24 232 209 133 241 242 69 19 142 188 21 56 132 20 177 219 137 156 116 178 161 246 248 72 31 97 95 38 233 44 120 45 235 60 129 27 116 119 42 93 49 128 32 180

Base64

[Convert]::ToBase64String($Bytes)
AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA2kudDAm9sUCzBgYG81V+EgAAAAACAAAAAAAQZgAAAAEAACAAAAB5XVpA7d7H6q0045UFm2xiyQ9GqeOyj0ThBeTS4VOCrQAAAAAOgAAAAAIAACAAAACfRnMVWVVL1knIf2XGZfVGyILHKx/ArIUJKVdTCt4cAxAAAABXc9n84eAAYzPPjfHQrbfwQAAAAI1UBa4GFSV0/Vz2brPO8KfWMmu1GOjRhfHyRROOvBU4hBSx24mcdLKh9vhIH2FfJukseC3rPIEbdHcqXTGAILQ=

Round trip

$Base64 = <your base64> # e.g.: 'AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA2kudDAm9sUCzBgYG81V+EgAAAAACAAAAAAAQZgAAAAEAACAAAAB5XVpA7d7H6q0045UFm2xiyQ9GqeOyj0ThBeTS4VOCrQAAAAAOgAAAAAIAACAAAACfRnMVWVVL1knIf2XGZfVGyILHKx/ArIUJKVdTCt4cAxAAAABXc9n84eAAYzPPjfHQrbfwQAAAAI1UBa4GFSV0/Vz2brPO8KfWMmu1GOjRhfHyRROOvBU4hBSx24mcdLKh9vhIH2FfJukseC3rPIEbdHcqXTGAILQ='
$Bytes = [System.Convert]::FromBase64String($Base64)
$Hex = -Join $Bytes.Foreach{ $_.ToString('x2') }
$SecureString = $Hex | ConvertTo-SecureString
$SecureString | ConvertFrom-SecureString -AsPlainText

Related: #19948 Convert*-SecureString cmdlets enhancements

iRon
  • 20,463
  • 10
  • 53
  • 79
  • sorry in french : https://pastebin.com/raw/jhTSUmaz – Dapkz Aug 03 '23 at 13:37
  • @Dapkz, please [only use English](https://stackoverflow.com/help/how-to-ask) and [text (no pictures)](https://meta.stackoverflow.com/a/285557). "*Unable to update password. The new password entered does not meet domain length, complexity, or history specifications.*" that is probably because you used **my** example base64 string and [Data Protection API](https://en.wikipedia.org/wiki/Data_Protection_API) only works under the same account on the same PC (by design as that includes the security). For the round trip, you will need to start from the beginning (and create your own base64 string). – iRon Aug 03 '23 at 13:53
  • no, i've used the encrypted key of the local state – Dapkz Aug 03 '23 at 14:00
  • `$local_state=Get-Content -Path "$($env:LOCALAPPDATA)\\Google\\Chrome\\User Data\\Local State" | ConvertFrom-Json $key = $local_state.os_crypt.encrypted_key $Bytes = [System.Convert]::FromBase64String($key) $Hex = -Join $Bytes.Foreach{ $_.ToString('x2') } $SecureString = $Hex | ConvertTo-SecureString $SecureString | ConvertFrom-SecureString -AsPlainText ` – Dapkz Aug 03 '23 at 14:00
  • 1
    Anyways, you should be able to confirm that this works up and down (under your own account). This means that the key (`$local_state.os_crypt.encrypted_key`) is either created under another (DPAPI) account, that it is created with another encryption than the **Advanced Encryption Standard (AES) encryption algorithm** or that a [custom -Key/-SecureKey](https://learn.microsoft.com/powershell/module/microsoft.powershell.security/convertfrom-securestring#-key) is used to secure it. As this tends to go another direction that the original question, I suggest you open a new question for this. – iRon Aug 03 '23 at 14:17
  • As you apparently got this working for python (or???), I suggest you open a specific question of what you do in python together with your [mcve] of what you tried in PowerShell. – iRon Aug 03 '23 at 14:26