This was already posted on nFF, so search a bit better next time
########################################################################

Trend Micro OfficeScan encrypted MD5 passwords
by Luigi Auriemma
e-mail:
web: aluigi.org

########################################################################


Trend Micro OfficeScan encrypts the MD5 hashes of the stored passwords
(master, uninstall and unload) in the file Ofcscan.ini, sometimes also
called settings.ini.
That means you will not be able to retrieve the original password but ONLY
its MD5 hash.

The strings you see in this file have a name that always ends with the
_Pwd text and have the format !CRYPT!HEX_STRING, like the following
examples:

Master_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789A
Uninstall_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789A
Unload_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789A

The hash after !CRYPT! is passed to a function which decrypts it using
the keys Virus3761267Trend and Windows7621673NT.

Actually I don't have time to work on an open source version of this
algorithm, so a quick enough solution for decrypting these *_Pwd hashes
is using a debugger (like the great Ollydbg http://www.ollydbg.de) and
setting a breakpoint at the offset at which the decryption starts (in
Ollydbg, when the executable is loaded or the process is attached, press
CTRL+G, type the offset and then press F2; when you reach the function
press F8 to advance step-by-step).

The following are the decryption and encryption offsets of some versions
of PccNTMon.exe:

5.5.0.2021
decrypt: 00419d4e
encrypt: 00419ca3

5.58.0.1063
decrypt: 004193ae
encrypt: 00419303

5.58.0.1164
decrypt: 0041a2ae
encrypt: 0041a203

6.5.0.1402
decrypt: 0041594e
encrypt: 004158a3

7.0.0.1160
decrypt: 0041593e
encrypt: 00415893

7.0.0.1206
decrypt: 0041592e
encrypt: 00415883

7.3.0.1020
decrypt: 00417a1e
encrypt: 00417973

Example of assembly code at the decryption offset:

0041593E 51 PUSH ECX ; output buffer for the decryption
0041593F 68 08A24400 PUSH pccntmon.0044A208 ; ASCII "Windows7621673NT"
00415944 68 F4A14400 PUSH pccntmon.0044A1F4 ; ASCII "Virus3761267Trend"
00415949 8D95 0060FFFF LEA EDX,DWORD PTR SS:[EBP+FFFF6000]
0041594F 52 PUSH EDX ; encrypted hash
00415950 E8 4BF8FFFF CALL pccntmon.004151A0 ; the decryption function
00415955 83C4 10 ADD ESP,10
00415958 8D85 03C0FEFF LEA EAX,DWORD PTR SS:[EBP+FFFEC003] ; EAX points to the MD5 hash

The decrypted MD5 hash (so from the encrypted hash to the original MD5 hash
of the password) will be pointed to by EAX (the LEA instruction), and it's
just the string which starts from the third char of the output buffer.

Output buffer after the decryption:

1230123456789ABCDEF0123456789ABCDEF
|  |
|  MD5 hash
the 3 useless bytes

Since this is an MD5 hash there are some good chances to retrieve the
original password using an online MD5 cracker like the excellent service
at Milw0rm:

http://www.milw0rm.org/cracker/

A different thing instead is the proxy passwords, which are handled
using the PWDDecrypt and PWDEncrypt functions in PWD.DLL.
This method is used by the Proxy_Pwd and Internet_Proxy_Pwd encrypted
strings in Ofcscan.ini and by the ProxyPwd password located in the
registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Pc-cillinNTCorp\CurrentVersion

I have not tested it but the result should be the plain-text password.


########################################################################
This one also looked a bit promising:
http://www.mydigitallife.info/2008/0...dition-client/
Last edited by eNzONE; 6 October 2008 at 23:21.
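As an added example (not code from Luigi's advisory or from Trend Micro), here is a small Python audit helper that parses the *_Pwd=!CRYPT!HEX entries the quoted advisory describes out of an Ofcscan.ini fragment, tells the encrypted-MD5 keys apart from the PWD.DLL-handled proxy keys, and pulls the 32-char MD5 hex out of a decrypted output buffer laid out as shown (3 filler chars, then the hash). The ini text and hex values are constructed placeholders; the decryption itself is not implemented, since the post gives no algorithm, only the hardcoded keys.

```python
import re

# Constructed Ofcscan.ini fragment (placeholder hex, not real data). Proxy_Pwd
# is included because the advisory says it uses a different scheme (PWD.DLL),
# so an auditor should report it separately from the encrypted-MD5 entries.
SAMPLE_INI = """[INI_CLIENT_SECTION]
Master_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Uninstall_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Unload_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Proxy_Pwd=!CRYPT!0123456789ABCDEF
Broken_Pwd=!CRYPT!NOTHEX
Client_Update=1
"""

CRYPT_PREFIX = "!CRYPT!"
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
# Keys the advisory says hold an encrypted MD5 (master/uninstall/unload).
MD5_KEYS = {"Master_Pwd", "Uninstall_Pwd", "Unload_Pwd"}
# Keys the advisory says go through PWDDecrypt/PWDEncrypt in PWD.DLL instead.
PWDDLL_KEYS = {"Proxy_Pwd", "Internet_Proxy_Pwd"}


def classify_pwd_entries(ini_text):
    """Map each *_Pwd key to (scheme, payload); scheme is encrypted-md5, pwd.dll, unknown or malformed."""
    result = {}
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key.endswith("_Pwd"):
            continue  # section headers and non-password settings
        if not value.startswith(CRYPT_PREFIX):
            result[key] = ("malformed", value)
            continue
        payload = value[len(CRYPT_PREFIX):]
        if not HEX_RE.match(payload):
            result[key] = ("malformed", payload)
        elif key in MD5_KEYS:
            result[key] = ("encrypted-md5", payload)
        elif key in PWDDLL_KEYS:
            result[key] = ("pwd.dll", payload)
        else:
            result[key] = ("unknown", payload)
    return result

def md5_from_decrypted_buffer(buf):
    """Return the lowercase MD5 hex that follows the 3 filler chars, or None if the layout does not match."""
    candidate = buf[3:35]
    return candidate.lower() if MD5_RE.match(candidate) else None
```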