README for cutepr/w - CuteFTP Password Recovery
by Wrighter the Pessimist (wrighterpessimist@yahoo.com)
Last updated 8/04/2002

Table of Contents
------------------------
1. Introduction and System Requirements
2. Compiling cutepr/w
3. Running cutepr/w
4. The sm.dat database
5. Contact info

1. Introduction and System Requirements
=====================
Greetings! cutepr (CuteFTP Password Recovery) and cuteprw (the same, for
Windows) are utilities designed to recover forgotten passwords that
were stored in CuteFTP version 4.0 or 5.0. They search through
CuteFTP's site database and display information about every site saved
therein: the username, password, hostname, and port.

System requirements are as follows:
- Linux/Unix/BSD with gcc installed
- or Windows 95/98/2000

2. Compiling cutepr/w
====================
To compile cutepr on Linux, simply type: gcc -o cutepr cutepr.c
This should create the cutepr executable.

On Windows systems, compile with Borland C++ or MS Visual C++ with
the target set to Win32 console. Or, just run the provided executable
from the command line. 

3. Running cutepr/w
===================
On *ix machines, type ./cutepr filename
"filename" is most likely sm.dat. If you have renamed sm.dat, or if 
it exists in a different directory, change "filename" accordingly.
Examples:
./cutepr sm.dat
./cutepr /home/wrighter/sm.dat

On Windows machines, open the command prompt. Change directories to
where cuteprw.exe is located. Then, simply type: cuteprw filename
Again, "filename" is most likely sm.dat.
Alternatively, you can drag the sm.dat file and drop it on the
cuteprw.exe executable.

4. The sm.dat Database
====================
Honestly, I must admit that I did not put a huge amount of effort into
completely analyzing the sm.dat file for every little bit of info in it.
I was primarily interested in being able to recover login/password
pairs. This is what I found out:

Approximately the first 135 (v. 5.0) or 250 (v. 4.0) bytes are the file
header. I really did not discover any useful information in this area.
However, I will look at it more to try to find a version number in
there, as that would make it quite a bit easier to, well... skip the
header. ;-)

Following the header is the "site name" of the first user-entered FTP
site. The site name is a free-form string entered by the user that is
simply a "user-friendly" label. For example: "school," "my site," etc.

About 25 bytes after the site name is the host name of the site. The
host name is the actual server. For example: ftp.suse.com.

Following the hostname is the username that is used to login to the 
host. 

The next non-alphabetic byte is a number which gives the length of
the password.

The password follows immediately after this number and is, of course,
as many characters long as that number indicates. This is where sm.dat
becomes somewhat interesting. The password characters are "encrypted"
so that a person cannot simply open sm.dat in Wordpad and obtain a
list of passwords. Each letter of the password is encrypted by taking
its ASCII value (e.g., A=65 in ASCII) and subtracting a number from
it. The number that is used is bigger than the ASCII value of most
alphanumeric characters, so the result is often a negative number.
Wordpad and similar document viewing programs will read the negative
number and display weird characters. The password is recovered by
simply adding back the number that was subtracted from each password
character. The ASCII character set (A-Z, a-z, 0-9, !@#$%^, etc.) is
divided into groups of eight. Either 184 or 200 is subtracted from
the ASCII value, depending on which group the character is in
(except for a couple of groups of punctuation characters, which have
different values subtracted from them).
For example:
184 is subtracted from the characters @ through G.
200 is subtracted from the characters H through O.
184 is subtracted from the characters P through W.
200 is subtracted from the characters X through _.
And so on.
The exceptions are:
56 is subtracted from ! through '
72 is subtracted from ( through /
56 is subtracted from 0 through 7
72 is subtracted from 9 through ?

As one can see, this isn't really encryption at all. It appears
to be implemented just to hide passwords from ordinary document
viewers.

Moving on, two bytes after the password is the port on which the
FTP server is running. The port actually takes two bytes. The first
is the port, and the second is what I call the "port multiplier."
If the first value is 21 and the second is 0, then the port is
simply 21. However, if the first value is negative and the second
value is zero, then the port is the first value plus 256.
For example:
value1 = -44
value2 = 0
Port = -44 + 256 = 212

If the second value, the port multiplier, is not zero, then the
port is the first number plus 256 multiplied by the port multiplier.
For example:
value1 = 15
value2 = 39
Port = 15 + (39 * 256) = 9999
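As an added example (my own code, not cutepr's source), here is a C decoder for the two encodings described above: the per-character subtraction table for the password, inverted so that the stored bytes can be mapped back, and the two-byte port. It assumes the 184/200 alternation continues through the lowercase letters ("and so on") and that the "9 through ?" block is the aligned eight-character block 8..?; the sample bytes are constructed, not taken from a real sm.dat.

```c
#include <stdio.h>
#include <stdint.h>

/* Offset subtracted from plaintext byte c, as the README describes it: aligned
 * blocks of eight characters alternate 184/200 from '@' upward and 56/72 in
 * the punctuation and digit blocks below '@'. Assumption, not stated on the
 * page: the alternation continues through the lowercase letters ("and so on")
 * and the last exception block is the aligned block '8'..'?'. */
static int key_for_plain(int c)
{
    int odd = (c / 8) & 1;
    return c >= '@' ? (odd ? 200 : 184) : (odd ? 72 : 56);
}
/* The byte sm.dat stores for plaintext c (the "negative number", as a byte). */
int cutepr_encode_byte(int c) { return (c - key_for_plain(c)) & 0xFF; }

static int inverse[256], inverse_ready;  /* encoded byte -> plaintext, or -1 */
/* Decode n encrypted password bytes into out (NUL-terminated). Returns n, or
 * -1 if a byte maps to no printable ASCII character (out is then ""). */
int cutepr_decode_password(const uint8_t *enc, size_t n, char *out)
{
    size_t i;
    if (!inverse_ready) {                /* invert the rule once, lazily */
        int c;
        for (c = 0; c < 256; c++) inverse[c] = -1;
        for (c = ' '; c <= '~'; c++) inverse[cutepr_encode_byte(c)] = c;
        inverse_ready = 1;
    }
    for (i = 0; i < n; i++) {
        if (inverse[enc[i]] < 0) { out[0] = '\0'; return -1; }
        out[i] = (char)inverse[enc[i]];
    }
    out[n] = '\0';
    return (int)n;
}

/* Port = value1 + 256 * value2 with value1 read unsigned, i.e. a little-endian
 * 16-bit integer; the README's "negative" value1 is that byte in a signed char. */
int cutepr_decode_port(uint8_t value1, uint8_t value2) { return value1 + 256 * value2; }

int main(void)
{
    /* Constructed sample (not from a real sm.dat): "Abc123!" as the rule above
     * encodes it, then the two port bytes for 9999 (0x0F + 0x27 * 256). */
    const uint8_t enc[] = {0x89, 0xAA, 0xAB, 0xF9, 0xFA, 0xFB, 0xE9};
    char pw[sizeof enc + 1];
    if (cutepr_decode_password(enc, sizeof enc, pw) > 0)
        printf("password=%s port=%d\n", pw, cutepr_decode_port(0x0F, 0x27));
    return 0;
}
```

Building the table from the plaintext side and inverting it also checks that the scheme is a bijection on printable ASCII, which is why a single lookup per stored byte suffices.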

I find this a curious way of encoding the port. Why the makers of
CuteFTP decided to do it this way is beyond me. Perhaps it is
viewed as a security issue. Since port 21 is the default port for
an FTP server, that doesn't need to be encoded, since it is the
first port anyone would try anyway. However, if the FTP operator
ran the server on a very high numbered port, like 9999, in order
to evade port scanners, then perhaps encoding the port makes sense.

Anyhow, the port is the last piece of information for each site. 
After the port, some 150 bytes or so later, the process repeats.

I hope this document has been useful and entertaining ;-) 

5. Contact Info
====================
For questions or comments, please feel free to email me at
wrighterpessimist@yahoo.com
 
