Decrypt Remote Desktop Mobile Password

• Download RDP decrypt (source and ARMv4i executables) - Decrypts password from \\Windows\\default.rdp file on Windows Mobile device

Introduction

I found the article about decrypting saved RDP passwords here and here.

Fortunately, decrypting a saved Windows Mobile password is not as complicated as on Desktop PCs. There is no entropy (???) etc.

As soon as you start RemoteDesktopMobile (RDM) and click connect and RDM gets a connection, it saves a \Windows\default.rdp file. If [] Save Password was checked, the RDP file will have the encrypted password inside:

SavePassword:i:1
UserName:s:rdesktop
ServerName:s:192.168.0.2
Password:b:0200000000000000000000000000000000000000000000000800000072006400
700000000E66000010000000100000004CFEE422373E146637825EE7851B71FC00000000048
000001000000010000000B2FA8F5915DFCAEB13259CE40170B7CB20000000586A82315B38AA
75F0A05282F96C377EE2BBEA10303F444610DA12778ECEB5BD14000000D00E0D0662873F436
D21EF7D1C50F2FADF0CB7C8

You will also find all other optional settings from the connect and options dialog in the file.

In contrast to DesktopPC, the encryption always uses only the number of bytes needed for the password and is NOT filled up to 512 bytes. Secondly, there is no real user management on Windows Mobile and so you only need one flag (CRYPTPROTECT_UI_FORBIDDEN) during encrypt and decrypt. The description string for CryptProtectData is always “rdp”.

DATA_BLOB blobIn, blobOut;
blobIn.cbData = pSizeIn;
blobIn.pbData = (PBYTE )pByteTemp;// szPass;
blobOut.cbData = 0;
blobOut.pbData = NULL;
if (!CryptProtectData(&blobIn, L"rdp", NULL, NULL, NULL, 
	CRYPTPROTECT_UI_FORBIDDEN, &blobOut))
{
...
DATA_BLOB blobIn, blobOut;
blobIn.cbData = nBytes;
blobIn.pbData = pPassBytes;
blobOut.cbData = 0;
blobOut.pbData = NULL;
if (!CryptUnprotectData(&blobIn, NULL, NULL, NULL, NULL, 
	CRYPTPROTECT_UI_FORBIDDEN, &blobOut))
{
...

The only hard problem (for me) was the converting of hex strings back to byte array and reading the rdp file into a string.

The attached sample apps (MINOR ERROR CHECKING!) show how to decrypt and encrypt RDP passwords. When you click [Start], the sample app will open an existing default.rdp file and show you the unencrypted password.

For encrypt, the unicode (!) string is used including the terminating \0! When you decrypt the byte array getting back from CryptUnprotectData(), the terminating \0 of the Unicode string is included.

As with rdp files on desktop PC, you cannot use the default.rdp created on one device on another device. The decryption will only work correctly on the same device!

BTW: If you try to port this to C#: CryptProtectData and CryptUnprotectData are available in CoreDll.DLL, there is no separate crypt32.dll on Windows Mobile 5/6.