Ever wondered how to decrypt HPQPswd encrypted passwords? So did I when, for the first time, I came across a strange file called
password.bin with a magic value of
It was easy to establish a link between this strange file and
HpqPswd.exe as the
password.bin file was accompanied by
BIOSConfigUtility64.exe (an HP BIOS/UEFI configuration utility part of the HP System Software Manager). HP describes the HPQPswd utility as a utility that accepts a user entered password, encrypts the password and then stores it in a file for use by the BIOS.
After looking at the HPQPswd import table, it was clear that it was leveraging the Windows cryptographic API. By using API Monitor it was possible to trace how the utility uses the API (tested with “thispassword” as the password).
Using the API Monitor memory editor on address
0x064f0918 (more information at CryptImportKey documentation) it was possible to obtain the byte array that contains the
PUBLICKEYSTRUC blob header followed by the encryption key (in this case the key is in plaintext, but even if it wasn’t, it could be used as is).
Mapping the above hexadecimal dump to the structure results in the following.
This structure is followed by the length of the key
0x00000020 (starting at byte 9 of the hexadecimal dump) and the key itself (starting at byte 13). Now that the encryption key was obtained, the next step was to understand the format for the file that will store the encrypted password. Once again by using the API Monitor memory editor on address
0x0654be20 (more information at CryptEncrypt documentation) it was possible to obtain the test password in encrypted form. Follows the hexadecimal dump.
Looking at the resulting file hexadecimal dump.
It was then possible to understand the file format:
With this information at hand, I created a small C# utility that is able to decrypt HPQPswd encrypted passwords. Suffice to say the decryption of the
password.bin file was successful.
More information on the utility can be found in its project page. Hope it is helpful ;)