Last active
November 17, 2022 14:34
-
-
Save brunerd/a96265078e33a1e281f3528d1308adb9 to your computer and use it in GitHub Desktop.
De-obfuscates macOS /etc/kcpassword file used for automatic login
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #kcpasswordDecode (20220729) Copyright (c) 2021 Joel Bruner (https://github.com/brunerd) | |
| #Licensed under the MIT License | |
| #specify file as input | |
| #kcpasswordDecode.sh /etc/kcpassword | |
| #given a filepath XOR to the it back and truncate padding | |
| function kcpasswordDecode() ( | |
| filepath="${1}" | |
| #no file | |
| if [ -z "${filepath}" ]; then | |
| [ ! -t '0' ] && echo "Redirected input no longer supported" >/dev/stderr | |
| echo "Please specify a file path" >/dev/stderr | |
| exit 1 | |
| #bad file | |
| elif [ ! -f "${filepath}" ]; then | |
| echo "$(basename "$0"): ${filepath}: No such file" >/dev/stderr | |
| exit 1 | |
| #file | |
| else | |
| #test for type of data | |
| case "$(file -b "${filepath}")" in | |
| #in some cases the kcpassword may be a hex representation in ASCII (10.10+) | |
| "ASCII text") | |
| #just space out the ASCII data into 2 byte couplets | |
| thisStringHex_array=( $(sed 's/../& /g' "${filepath}") ) | |
| ;; | |
| #otherwise treat as binary data | |
| *) | |
| #convert to hex representation with spaces | |
| thisStringHex_array=( $(xxd -p -u "${filepath}" | sed 's/../& /g') ) | |
| ;; | |
| esac | |
| fi | |
| #macOS cipher hex ascii representation array | |
| cipherHex_array=( 7D 89 52 23 D2 BC DD EA A3 B9 1F ) | |
| for ((i=0; i < ${#thisStringHex_array[@]}; i++)); do | |
| #use modulus to loop through the cipher array elements | |
| charHex_cipher=${cipherHex_array[$(( $i % 11 ))]} | |
| #get the current hex representation element | |
| charHex=${thisStringHex_array[$i]} | |
| #use $(( shell Aritmethic )) to ^ XOR the two 0x## values (extra padding is 0x00) | |
| #take decimal value and printf convert to two char hex value | |
| #use xxd to convert hex to ascii representation | |
| decodedCharacter=$(printf "%02X" "$((0x${charHex_cipher} ^ 0x${charHex:-00}))") | |
| if [[ "${decodedCharacter}" = "00" ]]; then | |
| break | |
| else | |
| printf "%02X" "$(( 0x${charHex_cipher} ^ 0x${charHex:-00} ))" | xxd -r -p > /dev/stdout | |
| fi | |
| done | |
| ) | |
| kcpasswordDecode "$@" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
macOS Ventura changes the encoding in kcpassword to be an ASCII representation of hex data. While
filecan easily determine the type of data, it doesn't work so well if piped input or file redirection is used. To simplify things, only files are used as input sources now.