feat(windows): Chrome App-Bound Encryption implementation (#573)

* build(abe): add zig-cc payload build system + C reflective loader
* feat(abe): add reflective injector and Go ABE key-retriever primitives
* feat(abe): wire ABERetriever into DefaultRetriever chain + --abe-key CLI
* feat(abe): route Chromium v20 ciphertext through AES-GCM with ABE key

Author: slimwang

.gitignore

@@ -11,6 +11,14 @@
 !go.mod
 !go.sum
 
+# === Native (C) source for embedded ABE payload ===
+# Only source files are tracked; compiled binaries (*.bin) are
+# intentionally ignored and rebuilt by CI via `make payload`.
+!*.c
+!*.h
+!Makefile
+!Makefile.frag
+
 # === Project root config ===
 !.gitattributes
 !.gitignore

Makefile

@@ -0,0 +1,17 @@
+GO     ?= go
+GOEXE  ?= hack-browser-data
+
+include crypto/windows/abe_native/Makefile.frag
+
+.PHONY: build build-windows clean
+
+build:
+	$(GO) build -o $(GOEXE) ./cmd/hack-browser-data
+
+build-windows: $(ABE_BIN)
+	GOOS=windows GOARCH=amd64 CGO_ENABLED=0 \
+	  $(GO) build -tags abe_embed -trimpath -ldflags="-s -w" \
+	  -o $(GOEXE).exe ./cmd/hack-browser-data
+
+clean: payload-clean
+	rm -f $(GOEXE) $(GOEXE).exe

browser/browser_windows.go

@@ -13,12 +13,14 @@ func platformBrowsers() []types.BrowserConfig {
 			Key:         "chrome",
 			Name:        chromeName,
 			Kind:        types.Chromium,
+			Storage:     "chrome",
 			UserDataDir: homeDir + "/AppData/Local/Google/Chrome/User Data",
 		},
 		{
 			Key:         "edge",
 			Name:        edgeName,
 			Kind:        types.Chromium,
+			Storage:     "edge",
 			UserDataDir: homeDir + "/AppData/Local/Microsoft/Edge/User Data",
 		},
 		{
@@ -31,6 +33,7 @@ func platformBrowsers() []types.BrowserConfig {
 			Key:         "chrome-beta",
 			Name:        chromeBetaName,
 			Kind:        types.Chromium,
+			Storage:     "chrome-beta",
 			UserDataDir: homeDir + "/AppData/Local/Google/Chrome Beta/User Data",
 		},
 		{
@@ -55,12 +58,14 @@ func platformBrowsers() []types.BrowserConfig {
 			Key:         "coccoc",
 			Name:        coccocName,
 			Kind:        types.Chromium,
+			Storage:     "coccoc",
 			UserDataDir: homeDir + "/AppData/Local/CocCoc/Browser/User Data",
 		},
 		{
 			Key:         "brave",
 			Name:        braveName,
 			Kind:        types.Chromium,
+			Storage:     "brave",
 			UserDataDir: homeDir + "/AppData/Local/BraveSoftware/Brave-Browser/User Data",
 		},
 		{

browser/chromium/decrypt.go

@@ -20,8 +20,7 @@ func decryptValue(masterKey, ciphertext []byte) ([]byte, error) {
 		// v11 is Linux-only and shares v10's AES-CBC path; only the key source differs.
 		return crypto.DecryptChromium(masterKey, ciphertext)
 	case crypto.CipherV20:
-		// TODO: implement App-Bound Encryption (Chrome 127+)
-		return nil, fmt.Errorf("v20 App-Bound Encryption not yet supported")
+		return crypto.DecryptChromium(masterKey, ciphertext)
 	case crypto.CipherDPAPI:
 		return crypto.DecryptDPAPI(ciphertext)
 	default:

browser/chromium/decrypt_test.go

@@ -63,12 +63,3 @@ func TestDecryptValue_V11(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, plaintext, got)
 }
-
-func TestDecryptValue_V20(t *testing.T) {
-	// v20 App-Bound Encryption is not yet implemented.
-	// TODO: add successful decryption cases when implemented.
-	ciphertext := append([]byte("v20"), make([]byte, 32)...)
-	_, err := decryptValue(nil, ciphertext)
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "v20")
-}

cmd/hack-browser-data/dump.go

@@ -8,6 +8,7 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/moond4rk/hackbrowserdata/browser"
+	"github.com/moond4rk/hackbrowserdata/crypto"
 	"github.com/moond4rk/hackbrowserdata/log"
 	"github.com/moond4rk/hackbrowserdata/output"
 	"github.com/moond4rk/hackbrowserdata/types"
@@ -22,6 +23,7 @@ func dumpCmd() *cobra.Command {
 		outputDir    string
 		profilePath  string
 		keychainPw   string
+		abeKey       string
 		compress     bool
 	)
 
@@ -34,6 +36,12 @@ func dumpCmd() *cobra.Command {
   hack-browser-data dump -f cookie-editor
   hack-browser-data dump --zip`,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if abeKey != "" {
+				if err := crypto.SetABEMasterKeyFromHex(abeKey); err != nil {
+					return fmt.Errorf("--abe-key: %w", err)
+				}
+			}
+
 			browsers, err := browser.PickBrowsers(browser.PickOptions{
 				Name:             browserName,
 				ProfilePath:      profilePath,
@@ -86,6 +94,9 @@ func dumpCmd() *cobra.Command {
 	cmd.Flags().StringVarP(&outputDir, "dir", "d", "results", "output directory")
 	cmd.Flags().StringVarP(&profilePath, "profile-path", "p", "", "custom profile dir path, get with chrome://version")
 	cmd.Flags().StringVar(&keychainPw, "keychain-pw", "", "macOS keychain password")
+	cmd.Flags().StringVarP(&abeKey, "abe-key", "k", "",
+		"Windows only: pre-decrypted Chrome ABE master key (64 hex chars / 32 bytes). "+
+			"When set, skips the in-process elevation_service injection.")
 	cmd.Flags().BoolVar(&compress, "zip", false, "compress output to zip")
 
 	return cmd

crypto/abe_embed_windows.go

@@ -0,0 +1,25 @@
+//go:build windows && abe_embed
+
+package crypto
+
+import (
+	_ "embed"
+	"fmt"
+)
+
+//go:generate make -C ../.. payload
+
+//go:embed abe_extractor_amd64.bin
+var abePayloadAmd64 []byte
+
+func getPayloadForArch(arch string) ([]byte, error) {
+	switch arch {
+	case "amd64":
+		if len(abePayloadAmd64) == 0 {
+			return nil, fmt.Errorf("abe: amd64 payload is empty (build system bug)")
+		}
+		return abePayloadAmd64, nil
+	default:
+		return nil, fmt.Errorf("abe: arch %q not supported in this build", arch)
+	}
+}

crypto/abe_stub_other.go

@@ -0,0 +1,7 @@
+//go:build !windows
+
+package crypto
+
+func SetABEMasterKeyFromHex(_ string) error { return nil }
+
+func GetABEMasterKey() []byte { return nil }

crypto/abe_stub_windows.go

@@ -0,0 +1,12 @@
+//go:build windows && !abe_embed
+
+package crypto
+
+import "fmt"
+
+func getPayloadForArch(arch string) ([]byte, error) {
+	return nil, fmt.Errorf(
+		"abe: payload not embedded in this build (rebuild with -tags abe_embed; arch=%s)",
+		arch,
+	)
+}

crypto/abe_windows.go

@@ -0,0 +1,46 @@
+//go:build windows
+
+package crypto
+
+import (
+	"encoding/hex"
+	"fmt"
+	"sync"
+)
+
+var (
+	abeCLIKeyMu sync.RWMutex
+	abeCLIKey   []byte
+)
+
+func SetABEMasterKeyFromHex(hexKey string) error {
+	if hexKey == "" {
+		return fmt.Errorf("abe: empty hex key")
+	}
+	b, err := hex.DecodeString(hexKey)
+	if err != nil {
+		return fmt.Errorf("abe: decode hex key: %w", err)
+	}
+	if len(b) != 32 {
+		return fmt.Errorf("abe: key must be 32 bytes (got %d)", len(b))
+	}
+	abeCLIKeyMu.Lock()
+	abeCLIKey = b
+	abeCLIKeyMu.Unlock()
+	return nil
+}
+
+func GetABEMasterKey() []byte {
+	abeCLIKeyMu.RLock()
+	defer abeCLIKeyMu.RUnlock()
+	if len(abeCLIKey) == 0 {
+		return nil
+	}
+	out := make([]byte, len(abeCLIKey))
+	copy(out, abeCLIKey)
+	return out
+}
+
+func ABEPayload(arch string) ([]byte, error) {
+	return getPayloadForArch(arch)
+}