Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Apr 2014 22:54:12 +0200
From: Nicolas RUFF <>
Subject: Re: BMC Patrol password representations

Acta Est Fabula

I downloaded the tool from:

Both CTLTOOL.EXE and BMCPWK.DLL files were present in archive.

The key is hardcoded indeed.

The following Python script will successfully decrypt all provided
hashes - please let me know if it does not work for you.

If you wonder where 'key' and 'iv' come from, they were generated by
OpenSSL 0.9.7c EVP_BytesToKey() routine called as such:

    cipher = EVP_get_cipherbyname("des-cbc");


    EVP_BytesToKey(cipher, dgst, salt,
        (unsigned char *) password,
        strlen(password), 1, key, iv);

... where password is 'Acta Est Fabula'.

@ Nicolas Collignon: you wasted 15 minutes of my holiday time. Luckily
for you, I accept compensations both in bitcoins and beers :)

- Nicolas RUFF

#!/usr/bin/env python

from Crypto.Cipher import DES

h_list = [ "qRvQlJa8fP2coTEKUS3GMpP+JgOI++Vu", # password
"mXO2dM2nG8ycoTEKUS3GMpP+JgOI++Vu", # password
"yqPtMPfb2O+coTEKUS3GMpP+JgOI++Vu", # password
"Jx/+e9ELvnacoTEKUS3GMpP+JgOI++Vu", # password
"MNCeVG86eAGcoTEKUS3GMjOl7fkSjnT55U4ERhrW2PQ=", # passwordpassword
"uPef75JsmPScoTEKUS3GMjOl7fkSjnT55U4ERhrW2PQ=", # passwordpassword
"9DlFoY5JCzycoTEKUS3GMjOl7fkSjnT5IEoCjMbsWAL25GCJKOLe0A==", #

def my_decrypt(data):
    keybin = "9927cf23060444d9".decode("hex")
    iv ="f7f7b3785607488a".decode("hex")
    c =, DES.MODE_CBC, iv)
    return c.decrypt(data)

# also removes the padding
def check_padding(data):
    last = ord(data[-1])
    if ((last < 1) and (last > 8)):
        raise PaddingError
        for i in range(last):
            if (ord(data[-(i+1)]) != last):
                raise PaddingError
    return data[:-(last)]

def full_decrypt(data):
    step0 = data.decode('base64')
    step1 = my_decrypt( step0[8:] )
    step2 = check_padding(step1)
    print data, " = ", step2

for h in h_list:

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.