KDE Pasword Obfuscation

I regularly forget passwords. Today I couldn't remember my Jabber password. Fortunately I had it stored in Kopete on another machine. Looking in the .kde/share/config/kopeterc file I found a line

Password=[some unreadable non-letter ASCII]

How can I decrypt this? Obviously there must be some simple obfuscation at work. Googling around a bit and looking through Kopete's source I found the function that did this obfuscation: KStringHandler::obscure.
Looking at it's source it's quite obvious how to un-obfuscate the password:

  1. Open kopeterc in a hex editor
  2. Look for the "Password=" string. The following bytes are your password.
  3. Realize that these are three-byte chunks: [EF][BE][XX]. The first two bytes stay always the same.
  4. Subtract each third byte from 0x1001F. This will give you a two byte value (0xFFXX)
  5. strip off the leading 0xFF
  6. Look up the remaining byte in an ASCII chart
  7. repeat steps 4-6

Obviously this algorithm won't work for Unicode strings. If you should find time to write a program to do this, just write a wrapper for the obscure() function. However, if you don't have time or skills to do this, do it by hand as laid out above.

[I document this here because I already forgot how to do this once]

Previous Post
Next Post
Leave a comment

5 Comments

  1. anonymous

     /  May 1, 2008

    Anonymous writes:Had exactly the same problem, found this page while googling, thanks for providing the solution.

    Reply
  2. anonymous

     /  April 17, 2009

    salahuddin66 writes:

    everything worked well for me except numeric value (i have to subtract 0x40 from the calculated value).my combination of 1st and 2nd was "EF BE"but i found in the numeric value it was "EF BF"thanks for the posting password recovered….🙂

    Reply
  3. anonymous

     /  May 24, 2009

    FreeFull writes:Thanks, I recovered my Gadu-Gadu password thanks to this!

    Reply
  4. anonymous

     /  October 14, 2009

    Anonymous writes:Hey, great help!At fist I didn't understand when to subtract 0x40.Now I got it:I only have to subtract 0x40, if the chunk consists of "bf" and "ef".If it is a "be" and "ef" chunk, I must not subtract anything.Sorry guys, I am a slow thinker…😀

    Reply
  5. anonymous

     /  July 31, 2010

    corny writes:Thanks a lot for this article. I have just written a ruby function to unobfuscate these strings:http://gist.github.com/502029

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: