De-obfuscates macOS /etc/kcpassword file used for automatic login
#!/bin/bash
#kcpasswordDecode (20210911) Copyright (c) 2021 Joel Bruner (https://github.com/brunerd)
#Licensed under the MIT License

#Pass the string to decode as argument $1, or read it from a file like this:
#kcpasswordDecode.sh "$(< filepath)"
#Note: a bash string cannot hold NUL (0x00) bytes, so any such bytes in the file are lost when it is read this way

#given a string from /etc/kcpassword, XOR it back and truncate the padding
function kcpasswordDecode {
	#ascii string
	local thisString="${1}"
	local i
	#accumulates the decoded characters
	local decodedString=""

	#macOS cipher hex ascii representation array
	local cipherHex_array=( 7D 89 52 23 D2 BC DD EA A3 B9 1F )

	#input converted to hex representation, one byte per array element
	local thisStringHex_array=( $(echo -n "${thisString}" | xxd -p -u | sed 's/../& /g') )

	#cycle through each element of the array
	for ((i=0; i < ${#thisStringHex_array[@]}; i++)); do
		#use modulus to loop through the cipher array elements
		local charHex_cipher=${cipherHex_array[$(( i % 11 ))]}

		#get the current hex representation element
		local charHex=${thisStringHex_array[$i]}

		#a byte equal to its cipher byte XORs to 00, which marks the end of the password
		if [ "${charHex}" != "${charHex_cipher}" ]; then
			#XOR the byte with the cipher byte and append the resulting character
			decodedString+=$(printf "%02X" "$(( 0x${charHex_cipher} ^ 0x${charHex:-00} ))" | xxd -r -p)
		else
			break
		fi
	done

	#return the decoded string without a newline
	echo -n "${decodedString}"
}

#decode the first argument; the output has no trailing newline
kcpasswordDecode "${1}"
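A byte-safe variant, added here as an example and not part of the original gist: it reads the file as hex with `od`, so encoded bytes equal to 0x00 (produced whenever a password character matches the key byte at its position, such as a leading `}`) survive, which they cannot when the file is passed through a shell string. The `kc_*` names are hypothetical, and the sample file is constructed with a single terminator byte rather than copied from a real system.

```shell
#!/bin/sh
# Added example, not part of the original gist. All kc_* names are hypothetical.
# XOR key exactly as listed in the gist's cipherHex_array.
KC_KEY="7D 89 52 23 D2 BC DD EA A3 B9 1F"

# Print (in decimal) the key byte used at 0-based offset $1.
kc_key_byte() {
    set -- $(( $1 % 11 + 1 )) $KC_KEY   # $1 = 1-based key index, $2.. = key bytes
    shift "$1"                           # $1 is now the wanted key byte
    echo $(( 0x$1 ))
}

# Decode the file at path $1 and print the password without a newline.
# od turns every byte, 0x00 included, into a hex token, so nothing is dropped.
kc_decode_file() {
    kc_i=0
    for kc_hex in $(od -An -v -tx1 "$1"); do
        kc_plain=$(( 0x$kc_hex ^ $(kc_key_byte "$kc_i") ))
        if [ "$kc_plain" -eq 0 ]; then break; fi   # decoded NUL ends the password
        printf '%b' "\\0$(printf '%03o' "$kc_plain")"
        kc_i=$(( kc_i + 1 ))
    done
}

# Write a CONSTRUCTED sample to path $2: password $1 XORed with the key,
# followed by one encoded terminator byte (no further padding is written).
kc_make_sample() {
    kc_i=0
    for kc_hex in $(printf '%s' "$1" | od -An -v -tx1) 00; do
        kc_enc=$(( 0x$kc_hex ^ $(kc_key_byte "$kc_i") ))
        printf '%b' "\\0$(printf '%03o' "$kc_enc")"
        kc_i=$(( kc_i + 1 ))
    done > "$2"
}

# Count the 0x00 bytes in file $1: the bytes a shell string would lose.
kc_count_nul() {
    kc_n=0
    for kc_hex in $(od -An -v -tx1 "$1"); do
        if [ "$kc_hex" = 00 ]; then kc_n=$(( kc_n + 1 )); fi
    done
    echo "$kc_n"
}

# Demo on a constructed file; /etc/kcpassword itself is never read here.
kc_demo=$(mktemp)
kc_make_sample '}pa#s' "$kc_demo"
echo "NUL bytes in sample: $(kc_count_nul "$kc_demo"); decoded: $(kc_decode_file "$kc_demo")"
rm -f "$kc_demo"
```

Because the key is fixed and the operation is a plain XOR, the file is obfuscation rather than encryption: anyone who can read it recovers the password, so its presence is worth flagging when auditing hosts that have automatic login enabled.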