Enterprise Manager is a Windows application used to manage Microsoft SQL Server 7.0 and 2000. When configured to use SQL Server authentication, Enterprise Manager stores the connection credentials in the registry under the key

SQL2000: HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\SQLEW\Registered Servers X\

and

SQL 7.0: HKEY_CURRENT_USER\Software\Microsoft\MSSQLServer\SQLEW\Registered Servers X\

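SQL credentials are encrypted/decrypted using a simple XOR encryption algorithm illustrated below:

    #include <string.h>   /* strlen */
    #include <windows.h>  /* BYTE */

    /* XORs the buffer in place with a fixed table; the same call encrypts and decrypts. */
    void xor_cred (char *credential, int len)
    {
        /* Fixed key; the trailing 0x00 terminates the table for strlen() */
        BYTE XorTable[]={0x67,0x66,0x3b,0x64,0x6b,0x6c,0x67,0x5e,0x25,0x24,0x5e,0x6c,0x3b,0x64,0x73,0x27,0x63,0x00};
        int xorlen = strlen ((char*) XorTable);

        for (int j=0,i=0; i<len; i++,j++)
        {
            if (j==xorlen) j=0;   /* wrap around to the start of the table */
            credential[i] ^= XorTable[j];
        }
    }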

 

SQL Server 2000 further protects the XOR encrypted credentials, before writing them into the registry, using the CryptProtectData function of "Crypt32.dll". By means of this API, credentials can be decrypted only by the same user who created them, and only on the same machine.
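The XOR step described above uses a fixed table, so it hides nothing on its own; on SQL Server 2000 the CryptProtectData layer is the only real protection. The following is an added example, not code from the original page or from the tool, showing two properties of that step on a constructed sample string: the transform is its own inverse, and encoded data can contain 0x00 bytes, so its length must be carried explicitly. The helper names xor_buf, round_trip_ok and encoded_nul_count are hypothetical, and treating the credential as a plain byte buffer is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Table as given on the page; the final 0x00 only terminates it. */
static const unsigned char XOR_TABLE[] = {
    0x67,0x66,0x3b,0x64,0x6b,0x6c,0x67,0x5e,0x25,
    0x24,0x5e,0x6c,0x3b,0x64,0x73,0x27,0x63,0x00 };
#define XOR_PERIOD 17 /* what strlen() returns for the table */

/* Same transform as xor_cred above, on an explicit-length buffer. */
void xor_buf(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= XOR_TABLE[i % XOR_PERIOD];
}

/* Returns 1 if applying the transform twice restores the input. */
int round_trip_ok(const char *sample)
{
    unsigned char buf[64];
    size_t len = strlen(sample);
    if (len > sizeof buf) return 0;
    memcpy(buf, sample, len);
    xor_buf(buf, len);   /* encode */
    xor_buf(buf, len);   /* the same call decodes */
    return memcmp(buf, sample, len) == 0;
}

/* Number of 0x00 bytes in the encoded form of sample: any input byte equal
   to its table byte encodes to NUL, so strlen() on encoded data is unsafe. */
size_t encoded_nul_count(const char *sample)
{
    unsigned char buf[64];
    size_t len = strlen(sample), n = 0;
    if (len > sizeof buf) return 0;
    memcpy(buf, sample, len);
    xor_buf(buf, len);
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0) n++;
    return n;
}

int main(void)
{
    const char *sample = "g-constructed"; /* constructed sample, not a real credential */
    printf("round trip ok: %d\n", round_trip_ok(sample));
    printf("NUL bytes in encoded form: %zu\n", encoded_nul_count(sample));
    return 0;
}
```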

 

 

This feature decodes Enterprise Manager passwords from SQL Server 7.0 and 2000 stored in the registry.

How it works

If needed, it uses the "CryptUnprotectData" API from CRYPT32.DLL to decode the password; this function is called without entropy. It then performs the XOR decryption using the algorithm above.

Usage

Cain's Enterprise Manager Password Decoder dialog can be activated from the main menu under "Tools" or by pressing the corresponding toolbar button.

Requirements

This tool must be run on the same machine where the password was created and under the same user account.