Comments on: Reversing WebSphere {xor} password protection

By: Guillaume

Guillaume — Wed, 01 Dec 2010 17:33:06 +0000

Here is a Python one liner that does the same thing.

“”.join(map(chr, map(lambda x : ord(x) ^ 0x5F, base64.b64decode(‘LDo8LTor’))))

I will wrap it up in a script and update this post.

By: Andy Jones

Andy Jones — Mon, 29 Nov 2010 11:01:18 +0000

this is my Perl script:
#!/usr/bin/perl
$ENV{PATH} = “”;

chomp ($EncryptedPassword = `/var/www/cgi-bin/waspass $ARGV[0]`);

print “Content-type: text/html\n\n”;
print “\n”;
print “\n”;
print “WAS Password Decoder\n”;
print “\n”;

print “\n”;
print “WAS PASSWORD DECODER\n”;
print “\n”;
print “The decoded password is: $EncryptedPassword \n\n”;
print “\n”;
print “\n”;

By: Andy Jones

Andy Jones — Mon, 29 Nov 2010 10:52:37 +0000

sorry, that should read:

… I think its something to do with the putc command …

By: Andy Jones

Andy Jones — Mon, 29 Nov 2010 10:49:54 +0000

Hi,
Trying to get the decoder to display the results in a browser but having a problem as they seems to disappear in a black hole … I am using a perl script to call the compiled C version … if I run it from the command line the results (input encoded password and decoded result) are displayed in the terminal session, if I call the perl script (which is in cgi-bin) from a browser no results are returned to the browser (other html text that I have included in the perl script is displayed) . I have very limited knowledge of perl and C (not a developer) … can you help please … I think its something to do with the getc command outputting to stdout:

putc(*p++ ^ ‘_’, stdout);

Thanks!
Andy

By: Thomas

Thomas — Thu, 09 Sep 2010 08:16:42 +0000

On WebSphere v6 you can do it as well:

C:\Rational\SDP\6.0\runtimes\base_v6\lib>..\java\bin\java -cp ffdc.jar;bootstrap.jar;emf.jar;securityimpl.jar;iwsorb.jar;ras.jar;wsexception.jar com.ibm.ws.secu
rity.util.PasswordDecoder {xor}LDo8LTor

By: Austin

Austin — Tue, 02 Dec 2008 17:33:25 +0000

Many thanks!