decwindbx

struct.error: unpack_from requires a buffer of at least 16 bytes

Open svennd opened this issue 4 years ago • 5 comments

Was trying this code, and ran into this issue (I changed the key name to Client-p, as this seems to be the new value):

```
  File "dbx-key-win-dpapi.py", line 101, in <module>
    r.open('Software\\Dropbox\\'+key_name).value('Client-p').value())
  File "/usr/lib/python2.7/site-packages/DPAPI/probe.py", line 38, in __init__
    eater.DataStruct.__init__(self, raw)
  File "/usr/lib/python2.7/site-packages/DPAPI/Core/eater.py", line 128, in __init__
    self.parse(Eater(raw, endianness="<"))
  File "/usr/lib/python2.7/site-packages/DPAPI/Probes/dropbox.py", line 56, in parse
    self.dpapiblob = blob.DPAPIBlob(data.eat_string(dpapi_len))
  File "/usr/lib/python2.7/site-packages/DPAPI/Core/blob.py", line 52, in __init__
    eater.DataStruct.__init__(self, raw)
  File "/usr/lib/python2.7/site-packages/DPAPI/Core/eater.py", line 128, in __init__
    self.parse(Eater(raw, endianness="<"))
  File "/usr/lib/python2.7/site-packages/DPAPI/Core/blob.py", line 63, in parse
    self.provider = "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x" % data.eat("L2H8B")
  File "/usr/lib/python2.7/site-packages/DPAPI/Core/eater.py", line 70, in eat
    v = struct.unpack_from(fmt, self.raw, self.ofs)
struct.error: unpack_from requires a buffer of at least 16 bytes
```

svennd avatar Jan 25 '21 19:01 svennd

Hi @svennd , unfortunately it seems that Dropbox changed "something"... I don't use it so actually I can't provide much help, without a reverse of the changes...

dfirfpi avatar Mar 11 '21 11:03 dfirfpi

Hi @svennd, I am facing the same issue as you and took some time to find out how to interpret the Client-p key. The "-p" suffix is defined as "UNENCRYPTED_KEY_NAME_SUFFIX". All it states is that the data stored in the value is not DPAPI encrypted.

For instance let's look at an example blob of Client-p from a Dropbox installation:

```
00  00 00 00 00 10 00 00 00  c9 2d 30 7b 45 4a e0 66  |.........-0{EJ.f|
10  0a 15 e6 e1 c5 61 a7 30  fc 28 c3 d5 ca 35 4f 71  |.....a.0.(...5Oq|
20  44 c6 2b ef e7 35 de 5b  00                       |D.+..5.[.|
```

The blob consists, just as before, of 4/5 components:

  • A version value (00 00 00 00) -> 0
  • A payload length (10 00 00 00) -> 16
  • The actual payload (c9 2d 30 ... 61 a7 30)
  • The HMAC of the data (fc 28 c3 ... 35 de 5b)
  • A null byte at the end of the data (00)

Previously the payload was encrypted through the Windows DPAPI. In the Dropbox version that you and I are facing the payload seems not to be encrypted anymore.

One can simply go on and generate the SQLite key from the payload (using the same old APP_KEY): `db_key = PBKDF2(SHA1, payload, APP_KEY, 1066, 16)`

The db_key can then be used to decrypt the .db and .dbx files. Thus in my case I didn't even need to know the Windows password to decrypt the Dropbox databases.

caulifish avatar Mar 28 '21 13:03 caulifish
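As an added illustration of the blob layout and key derivation described in the comment above (this is not code from decwindbx or from any commenter): it parses the sample Client-p value from the hex dump with explicit length checks, so a short buffer raises a clear `ValueError` instead of the `struct.error` from the original report, and derives `db_key` with PBKDF2-HMAC-SHA1 in the argument order the comment gives (payload as password, APP_KEY as salt). The APP_KEY value is a placeholder, and the trailing MAC is kept as opaque bytes because the thread does not state its key.

```python
import hashlib
import struct

# Constructed sample: the Client-p blob from the hex dump in the comment above.
SAMPLE_CLIENT_P = bytes.fromhex(
    "00000000" "10000000"
    "c92d307b454ae0660a15e6e1c561a730"
    "fc28c3d5ca354f7144c62befe735de5b"
    "00"
)

# Placeholder (assumption): decwindbx's real APP_KEY is not reproduced here.
APP_KEY_PLACEHOLDER = b"REPLACE_WITH_DECWINDBX_APP_KEY"

HEADER = struct.Struct("<II")  # little-endian u32 version, u32 payload length


def parse_client_p(blob):
    """Split a Client-p value into (version, payload, mac).

    Layout as described in the thread: version, payload length, payload,
    trailing MAC bytes, and a single terminating null byte. Every offset is
    checked before unpacking so a truncated or foreign blob fails cleanly.
    """
    if len(blob) < HEADER.size:
        raise ValueError("blob too short for version/length header")
    version, length = HEADER.unpack_from(blob, 0)
    if version != 0:
        raise ValueError("unexpected version %d" % version)
    end = HEADER.size + length
    if len(blob) < end + 1:  # payload plus at least the null terminator
        raise ValueError("payload length %d exceeds blob" % length)
    if blob[-1] != 0:
        raise ValueError("missing trailing null byte")
    payload = blob[HEADER.size:end]
    mac = blob[end:-1]  # MAC key and size are not given; kept as opaque bytes
    return version, payload, mac


def derive_db_key(payload, app_key, iterations=1066, dklen=16):
    """PBKDF2-HMAC-SHA1, payload as password and APP_KEY as salt."""
    return hashlib.pbkdf2_hmac("sha1", payload, app_key, iterations, dklen)


if __name__ == "__main__":
    version, payload, mac = parse_client_p(SAMPLE_CLIENT_P)
    print("version=%d payload=%s mac=%s" % (version, payload.hex(), mac.hex()))
    print("db_key=%s" % derive_db_key(payload, APP_KEY_PLACEHOLDER).hex())
```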

Thanks @caulifish. I assumed DPAPI was no longer used in these versions, but I could not decipher the meaning; I also no longer have access to the Dropbox data in question, so I can't verify. But it sounds like you are correct; thanks! (and congrats for finding it)

svennd avatar Apr 07 '21 07:04 svennd

@caulifish thanks! I've re-opened the issue to review and test your findings.

dfirfpi avatar Apr 18 '21 16:04 dfirfpi

@dfirfpi In case it helps, I can confirm the findings of @caulifish are correct.

I used the info he provided to change the path of my Dropbox 143.4.4161 folder. I suspect (but am not certain) the rollout of the '-p' suffix and elimination of DPAPI occurred around the time the desktop application switched to running in the context of a Windows service (at which point DataProtectionScope.CurrentUser would have gotten a bit trickier).

rkagerer avatar Mar 13 '22 22:03 rkagerer