Quicken Payroll Password Obfuscation

19 Mar 2012

What do you do if your historical records used to be kept in Quicken Payroll, but all the staff that had passwords left?

While the data is clearly all in the data files in cleartext, if a previous employee wants a copy of their Payment Summary from years ago, running strings on the database doesn't really help.

If you proceed by guessing passwords, it will display ominous messages about "2 retries left", but never fear - you're running on a copy of the datafile (right?).

The 'file' utility recognises some of the data files as Clarion Developer data files, so the best way to open a QPB file (according to random internet forums) is with "TOPSCAN.EXE" (from Clarion 5 or up).

Once you're in TOPSCAN.EXE, select the subfile users, and you'll find a table with the important columns username and password.

After a few seconds of analysis I determined the following things:

  • All passwords started with the prefix "-*E *"
  • Two of the passwords started with exactly the same ciphertext - one had 2 extra characters
  • All characters in the passwords were in the same range (0xc1 - 0xd5)

On a hunch, I subtracted 128 from each value of the "encrypted" content and out popped the passwords - It turns out that the encryption/obfuscation technique they used is just setting the high bit.