########################################################################

Trend Micro OfficeScan encrypted MD5 passwords
by Luigi Auriemma

e-mail: aluigi@autistici.org
web:    aluigi.org

########################################################################

Trend Micro OfficeScan encrypts the MD5 hashes of the stored passwords
(master, uninstall and unload) in the file Ofcscan.ini, sometimes also
called settings.ini. That means you will not be able to retrieve the
original password but ONLY its MD5 hash.

The strings you see in this file have a name that always ends with the
_Pwd text and have the format !CRYPT!HEX_STRING, like the following
examples:

  Master_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789A
  Uninstall_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789A
  Unload_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789A

The hash after !CRYPT! is passed to a function which decrypts it using
the keys Virus3761267Trend and Windows7621673NT.

Actually I don't have time to work on an open source version of this
algorithm, so a quick enough solution for decrypting these *_Pwd hashes
is using a debugger (like the great Ollydbg, http://www.ollydbg.de) and
setting a breakpoint at the offset at which the decryption starts (in
Ollydbg, when the executable is loaded or the process is attached, press
CTRL+G, type the offset and then press F2; when you reach the function,
press F8 to advance step-by-step).

The following are the decryption and encryption offsets of some versions
of PccNTMon.exe:

  5.5.0.2021    decrypt: 00419d4e   encrypt: 00419ca3
  5.58.0.1063   decrypt: 004193ae   encrypt: 00419303
  5.58.0.1164   decrypt: 0041a2ae   encrypt: 0041a203
  6.5.0.1402    decrypt: 0041594e   encrypt: 004158a3
  7.0.0.1160    decrypt: 0041593e   encrypt: 00415893
  7.0.0.1206    decrypt: 0041592e   encrypt: 00415883
  7.3.0.1020    decrypt: 00417a1e   encrypt: 00417973

Example of assembly code at the decryption offset:

  0041593E  51             PUSH ECX                            ; output buffer for the decryption
  0041593F  68 08A24400    PUSH pccntmon.0044A208              ; ASCII "Windows7621673NT"
  00415944  68 F4A14400    PUSH pccntmon.0044A1F4              ; ASCII "Virus3761267Trend"
  00415949  8D95 0060FFFF  LEA EDX,DWORD PTR SS:[EBP+FFFF6000]
  0041594F  52             PUSH EDX                            ; encrypted hash
  00415950  E8 4BF8FFFF    CALL pccntmon.004151A0              ; the decryption function
  00415955  83C4 10        ADD ESP,10
  00415958  8D85 03C0FEFF  LEA EAX,DWORD PTR SS:[EBP+FFFEC003] ; EAX points to the MD5 hash

The decrypted MD5 hash (so from the encrypted hash to the original MD5
hash of the password) will be pointed to by EAX (the LEA instruction),
and it's just the string which starts right after the 3 useless bytes at
the beginning of the output buffer.

Output buffer after the decryption:

  1230123456789ABCDEF0123456789ABCDEF
  |  |                              |
  |  +------------------------------+-- MD5 hash
  +-- the 3 useless bytes

Since this is an MD5 hash there are some good chances to retrieve the
original password using an online MD5 cracker like the excellent service
at Milw0rm: http://www.milw0rm.org/cracker/

A different thing instead are the proxy passwords, which are handled
using the PWDDecrypt and PWDEncrypt functions in PWD.DLL. This method is
used by the Proxy_Pwd and Internet_Proxy_Pwd encrypted strings in
Ofcscan.ini and by the ProxyPwd password located in the registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Pc-cillinNTCorp\CurrentVersion

I have not tested it but the result should be the plain-text password.

########################################################################
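As an added example (not part of the original advisory), a small Python audit helper for administrators: it inventories the *_Pwd entries of an Ofcscan.ini, checking that each follows the !CRYPT!HEX_STRING format described above, and it extracts the 32-hex-character MD5 digest from a decryption output buffer laid out as in the diagram (3 leading bytes, then the hash). The sample ini text is constructed, not taken from a real installation.

```python
import re
from typing import Dict, Optional

# Constructed sample of the relevant Ofcscan.ini lines (placeholder hex in
# the style of the advisory, not values from a real installation).
SAMPLE_INI = """\
[INI_CLIENT_SECTION]
Master_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789A
Uninstall_Pwd=!CRYPT!0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789A
Unload_Pwd=
Broken_Pwd=not-a-crypt-blob
Client_LocalServer_Port=12345
"""

# Keys ending in _Pwd carry the !CRYPT!HEX_STRING value described above.
_PWD_LINE = re.compile(r"^\s*(?P<key>\w+_Pwd)\s*=\s*(?P<value>.*?)\s*$")
_CRYPT_VALUE = re.compile(r"^!CRYPT!(?P<hex>[0-9A-Fa-f]+)$")
_MD5_HEX = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_pwd_entries(ini_text: str) -> Dict[str, Optional[str]]:
    """Map every *_Pwd key to its hex blob, or to None when the value is
    empty or does not follow the !CRYPT!HEX_STRING format. Useful to know
    which stored password hashes exist before auditing them."""
    entries: Dict[str, Optional[str]] = {}
    for line in ini_text.splitlines():
        m = _PWD_LINE.match(line)
        if not m:
            continue  # not a *_Pwd key; ignore
        v = _CRYPT_VALUE.match(m.group("value"))
        entries[m.group("key")] = v.group("hex") if v else None
    return entries


def md5_from_output_buffer(buf: str) -> Optional[str]:
    """Given the decryption output buffer as the debugger shows it, skip the
    3 useless leading bytes and return the MD5 digest in lowercase hex, or
    None if the following 32 characters are not a well-formed MD5 string."""
    candidate = buf[3:35]
    return candidate.lower() if _MD5_HEX.match(candidate) else None


if __name__ == "__main__":
    for key, blob in parse_pwd_entries(SAMPLE_INI).items():
        state = "stored (%d hex chars)" % len(blob) if blob else "empty/invalid"
        print("%-14s %s" % (key, state))
    print(md5_from_output_buffer("1230123456789ABCDEF0123456789ABCDEF"))
```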