So I had to reverse engineer some software we use at the office the other day. It uses a hash to store its current users in a table, and we needed a way to monitor who was using the system when.

Their old version was easy… it used to store the users and machine names in a table in plain text. Users could only be logged out by clicking the logout button… if they closed the window, their account was left in limbo until they returned. The only official “supported” solution from the vendor was to log in as that user and then log them out. But that was a security nightmare and a royal pain.

We developed a simple web page that listed all the users… If there were too many logged in, we could check to see if someone had forgotten to log out. Then deleting their record would effectively kick them off and open up a new seat for a different user.

But then came an “upgrade” that introduced a “new” licensing mechanism. It doesn’t leave as many users logged in as it used to, but I don’t think they improved it much. There are still many more users than we expect to see at certain times. However, it did succeed in obfuscating who is logged on.

I started by running SQL Profiler while running the user list function within the software. Found it only checks the licensed-user table, which uses the encrypted hash.

Noticed the hash was probably Base64… tried decoding that, but no dice. Since the new version is written in .NET, I started searching for Base64 C# encryption… found a few good examples since .NET includes several methods for this, but most of them used Rijndael or AES… bottom line: they all used a damn good key and salt… not looking good for blindly decrypting.

So my next idea was to take a look at the DLLs included with the software. Did a quick search for a .NET decompiler and found JetBrains dotPeek, which was free and seemed to be well respected.

15 minutes later, bingo: Security.LicenseKey.Decrypt(string EncryptedText)

This was more than I had expected. Not only did I find the method, it showed the key and IV… but then… not sure if I can take their programmers seriously now.

Though, no one in their right mind would guess that key… Security by celebrity?

In the end, since the method was exposed, my tool now uses the vendor’s DLL to decrypt the hashes for me.