paname.blogg.se

Pswd files password depot 9












Looking at the resulting file hexadecimal dump. Once again by using the API Monitor memory editor on address 0x0654be20 (more information at CryptEncrypt documentation) it was possible to obtain the test password in encrypted form. Now that the encryption key was obtained, the next step was to understand the format for the file that will store the encrypted password. This structure is followed by the length of the key 0x00000020 (starting at byte 9 of the hexadecimal dump) and the key itself (starting at byte 13). Mapping the above hexadecimal dump to the structure results in the following. Using the API Monitor memory editor on address 0x064f0918 (more information at CryptImportKey documentation) it was possible to obtain the byte array that contains the PUBLICKEYSTRUC blob header followed by the encryption key (in this case the key is in plaintext, but even if it wasn’t, it could be used as is). By using API Monitor it was possible to trace how the utility uses the API (tested with “thispassword” as the password). HP describes the HPQPswd utility as a utility that accepts a user entered password, encrypts the password and then stores it in a file for use by the BIOS. After looking at the HPQPswd import table, it was clear that it was leveraging the Windows cryptographic API.


It was easy to establish a link between this strange file and HpqPswd.exe, as the password.bin file was accompanied by BIOSConfigUtility64.exe (an HP BIOS/UEFI configuration utility that is part of the HP System Software Manager).


Ever wondered how to decrypt HPQPswd encrypted passwords? So did I when, for the first time, I came across a strange file called password.bin with a magic value of _HPPW12_.












