Remote Desktop Manager 密码存储解密

源自数证杯 2025 个人赛 PC 分析。
刚开始没发现仿真可以直接点开看密码，直接去互联网机搜索解密算法了，搜到算法了但是没有密码，就很急。

密码解密算法

有一篇分析解密算法的文章: https://www.anquanke.com/post/id/264191
GitHub 也找到了代码: https://github.com/CaledoniaProject/Remote-Desktop-Manager-decrypter
解密算法是 3DES-ECB，解密密钥直接按连接类型硬编码。SSH 的密码是{D6037472-976A-4EAB-8135-DE779F4EDF29}，RDP 的密码是{9E6D0FD3-AD2B-4fe1-BBAC-F520BF2F1AE1}。

然而案例里的连接类型是 ARD，ARD 实际使用的是 VNC，只能从软件里找硬编码的密钥了。
默认设置中存储连接配置使用数据源 SQLite，数据库文件路径:
%LocalAppData%\Devolutions\RemoteDesktopManager\Connections.db
读取 Connections 表中题目要求的连接，类型是 VNC，显然网上找的密钥不能用。

<?xml version="1.0"?>
<Connection>
  <DocumentationExternalType>Default</DocumentationExternalType>
  <ConnectionType>AppleRemoteDesktop</ConnectionType>
  <CreatedBy>DESKTOP-ROUF72C\Saki</CreatedBy>
  <CreationDateTime>2025-10-08T07:04:28</CreationDateTime>
  <ID>7336edaa-df71-4cdc-9229-51d866c515e6</ID>
  <KeyboardHook>OnTheLocalComputer</KeyboardHook>
  <Name>Linux</Name>
  <OpenEmbedded>true</OpenEmbedded>
  <MetaInformation>
    <PasswordHistory>
      <PasswordHistory>
        <LoggedModifiedBy>DESKTOP-ROUF72C\Saki</LoggedModifiedBy>
        <ModifiedBy>DESKTOP-ROUF72C\Saki</ModifiedBy>
        <ModifiedDateTime>2025-10-08T07:04:28</ModifiedDateTime>
        <SafePassword>0xPEcc0gC7U=</SafePassword>
      </PasswordHistory>
    </PasswordHistory>
  </MetaInformation>
  <VNC>
    <AuthentificationType>Ard</AuthentificationType>
    <Host>192.168.114.51</Host>
    <MsSafePassword>GfK3y3OCjag=</MsSafePassword>
    <MsUser>root</MsUser>
  </VNC>
</Connection>

那么就要逆向找密钥了，先搜索已知的两个密钥，定位密钥硬编码的位置。
RDP 密钥:

1
2
3

public class RDPConnection : BaseConnection {
  private static string Key() => "{9E6D0FD3-AD2B-4fe1-BBAC-F520BF2F1AE1}";
}

SSH 密钥:

1
2
3

public class TerminalConnection : BaseConnection {
  private static string Key() => "{D6037472-976A-4EAB-8135-DE779F4EDF29}";
}

搜索所有继承 BaseConnection 类的连接类，找到所有算法的硬编码密钥。VNC 的密钥如下:

1
2
3

public class VNCConnection : BaseConnection {
  private static string Key() => "{FBF6C5D3-9E59-49ff-A87A-D09300CA11D5}";
}

还有近一百种其他类型连接的加密密钥，都列在下面了。

远程连接需要一个秦始皇

public class ActiveDirectoryConsoleConnection : BaseConnection {
  private static string Key() => "{BB1254C5-C00A-4F59-9B73-CF61D546E295}";
}

public class AddOnConnection : BaseConnection, IComparer<KeyFieldValue> {
  private static string Key() => "jjkdsflkjdf45g65ewrirendu3rewv";
}

public class AIConnection : BaseConnection {
  private static string Key() => "{BF3009AE-3CB2-4944-92D4-57FFCC87CA32}";
}

public class AlternateConnection : BaseConnection {
  private static string Key() => "{BB1C6CE8-06AD-442F-A558-20BC56D34A2C}";
}

public class AppleRemoteManagementConnection : BaseConnection {
  private static string Key() => "{0BEA6D3F-53BD-40C4-8910-D9F6334ABC2A}";
}

public class AwsConnection : BaseConnection {
  private static string Key() => "{795FEA2F-50E2-493F-BA88-653C294D1F53}";
}

public class AwsIamConnection : BaseConnection {
  private static string Key() => "{B7C46E20-8059-4695-B026-843AC7CD3125}";
}

public class AzureBastionConnection : BaseConnection {
  private static string Key() => "{C0535CEF-0A21-42DF-A62E-A8BA64275589}";
}

public class AzurePIMConnection : BaseConnection {
  private static string Key() => "{9FADE345-A2E0-4C31-A953-4D66E040783D}";
}

public class AzureStorageConnection : BaseConnection {
  private static string Key() => "{21200EF3-C1F6-4FE6-85EE-7C70C3145F71}";
}

public class BaseConnectionOverride {
  private static string Key() => "{FE89D686-CC25-48d2-BE44-88EB9B7BBB87}";
}

public class BoxNetConnection : BaseConnection {
  private static string Key() => "{A539B767-FFAF-462F-8F90-89CE2DD1094B}";
}

public class CloudBerryRemoteAssistantConnection : BaseConnection {
  private static string Key() => "{C0A7BA20-82B2-4105-B87C-827D5E9F5632}";
}

public class CmdConnection : BaseConnection {
  private static string Key() => "{77D9BF28-3740-4fdd-8CE3-398BCB0C57D2}";
}

public class ConnectionEvents : BaseConnection {
  private static string Key() => "{EECA861B-1442-4a4f-9B34-AB0DF8C4284B}";
}

public class ConnectionMetaInformation : BaseConnection {
  private static string Key() => "{359F98FA-A3C3-4D76-9F00-8749F26B1D6A}";
}

public class ConnectionOTP : BaseConnection {
  private static string ObfuscationKey() => "{C4F13FCA-E839-42EC-9F1C-0B2865EAE460}";
}

public class CredentialsConnection : BaseConnection {
  private static string Key() => "{BE136E76-C36B-4499-A834-D2892526847B}";
}

public class CyberArkDashboardConnection : BaseConnection {
  private static string Key() => "{DD2FCB11-C32D-462A-9C0E-1192C0D082D2}";
}

public class CyberArkPrivilegeCloudConnection : BaseConnection {
  private static string Key() => "{D65526DA-74CE-4422-921E-56DD733F05D6}";
}

public class CyberArkPSMConnection : BaseConnection {
  private static string Key() => "{8071AC7E-5FC3-4257-BD0B-904D5056C6DE}";
}

public class DamewareConnection : BaseConnection {
  private static string Key() => "{5B06EB99-25F9-462c-860B-58DF12DF0742}";
}

public class DataEntryConnection : BaseConnection, IWebConnection {
  private static string Key() => "{F97C5192-D36A-4fdd-8D95-7B8F153BC150}";
}

public class DataReportConnection : BaseConnection {
  private static string Key() => "{D7088559-81FA-4374-8B3C-A2C7D085DF1C}";
}

public class DCVConnection : BaseConnection {
  private static string Key() => "{7FAC56D0-201C-452E-9EEE-F37B4C4DF609}";
}


public class DellRemoteAccessControllerConnection : BaseConnection {
  private static string Key() => "{8483E6B0-3CC5-4B7E-A34C-36B2D25B71FE}";
}

public class DevolutionsGatewayConnection : BaseConnection {
  private static string Key() => "{9ABC0DFC-5721-4E7F-9201-0CCAEE737B2A}";
}

public class DevolutionsGatewayTunnelConnection : BaseConnection {
  private static string Key() => "{8410726a-dd4e-11ed-b5ea-0242ac120002}";
}

public class DocumentConnection : BaseConnection {
  private static string Key() => "{E8CB427E-9725-4796-91AF-3BFB492AF3D3}";
}

public class DropBoxConnection : BaseConnection {
  private static string Key() => "{5FC98897-92ED-481c-82AE-4C73145823C8}";
}

public class FileExplorerConnection : BaseConnection {
  private static string Key() => "{8F94A5F4-9753-462d-8D30-F9FAF9939BFD}";
}

public class FtpConnection : BaseConnection {
  private static string Key() => "{EBDBC0BD-F7CB-4cf1-9CF5-266909C480BC}";
}

public class GoogleCloudConnection : BaseConnection {
  private static string Key() => "{53DF1AD8-8AC7-4503-9796-900D59977277}";
}

public class GoogleDriveConnection : BaseConnection {
  private static string Key() => "{53DF1AD8-8AC7-4503-9796-900D59977277}";
}

public class GoogleWorkspaceConnection : BaseConnection {
  private static string Key() => "{E87D94B2-1564-4E3A-9fA8-CC37C1D2D97A}";
}

public class GoToAssistConnection : BaseConnection {
  private static string Key() => "{9858CF89-D8B7-4F28-81B4-E7BE43E10A2D}";
}

public class GroupConnection : BaseConnection {
  private static string Key() => "{DEC5891B-0E61-4995-81FE-8F9F1AF000BF}";
}

public class HostConnection : BaseConnection {
  private static string Key() => "{5B32F3B8-ABDC-4EA0-80BA-93D2657D2EC2}";
}

public class HPIntegratedLightsOutConnection : BaseConnection {
  private static string Key() => "{B826E796-F042-42D3-B069-F5C970DCCB15}";
}

public class HyperVConnection : BaseConnection {
  private static string Key() => "{25D598A2-7CFC-4f27-9149-02B884DD5E6C}";
}

public class IntelConnection : BaseConnection {
  private static string Key() => "{CAF388EA-0982-40ED-9F19-D500F181F6D6}";
}

public class InventoryReportConnection : BaseConnection {
  private static string Key() => "{C07A1A38-9705-4DD9-A2B1-EE3367B7A632}";
}

public class ITermConnection : BaseConnection {
  private static string Key() => "{CE3338B5-A1FA-496D-9098-BC4E54B1C3AE}";
}

public class JumpDesktopConnection : BaseConnection {
  private static string Key() => "{77341895-E3D1-499A-94AF-1E15216732FE}";
}

public class MsSQLServerConsoleConnection : BaseConnection {
  private static string Key() => "{5266949E-177B-4506-AD5E-1EB51ABB5111}";
}

public class PamConnection : BaseConnection {
  private static string Key() => "{c79983d4-d1d8-4fa4-a969-f0d4ac910261}";
}

public class PamProviderConnection : BaseConnection {
  private static string Key() => "{c79983d4-d1d8-4fa4-a969-f0d4ac910261}";
}

public class PamScriptConfiguration : BaseConnection {
  private static string Key() => "{c79983d4-d1d8-4fa4-a969-f0d4ac910261}";
}

public class PowerShellConnection : BaseConnection {
  private static string Key() => "{3DFEB8E0-B8C4-46B3-BD47-C73FED094619}";
}

public class ProxmoxConnection : BaseConnection {
  private static string Key() => "{98BEAEEE-5055-48C0-B91F-9F36FA5F6E84}";
}

public class ProxyTunnelConnection : BaseConnection {
  private static string Key() => "{0BC86374-56EF-4608-AF8D-BD92DC62B63C}";
}

public class PuttyConnection : BaseConnection {
  private static string Key() => "{9E6D0FD3-AD2B-4fE1-BBAD-F520BF2F1AE1}";
}

public class RadminConnection : BaseConnection {
  private static string Key() => "{31843699-3F29-488A-9844-D53DF42C5720}";
}

public class RDGatewayConnection : BaseConnection {
  private static string Key() => "{47CF6C51-E5F8-433B-A4F1-2ED408B19AE9}";
}

public class RDPConnection : BaseConnection {
  private static string Key() => "{9E6D0FD3-AD2B-4fe1-BBAC-F520BF2F1AE1}";
}


public class ReportToolConnection : BaseConnection {
  private static string Key() => "{C455DD5E-77FC-4715-A8C9-38F0FDA4C715}";
}

public class RootConnection : BaseConnection {
  private static string Key() => "{6382B30C-FBAB-49D0-AC47-96831E384676}";
}

public class RunAsConnection : BaseConnection {
  private static string Key() => "{4709B280-588F-4004-BBD6-E303C57B2FB6}";
}

public class S3Connection : BaseConnection {

  private static string Key() => "{5FC98897-92ED-481c-82AE-4C73145823C8}";
}

public class SalesforceCloudConnection : BaseConnection {
  private static string Key() => "{9001A972-E1CD-4D5E-999E-0A3E7E236129}";
}

public class ScpConnection : BaseConnection {
  private static string Key() => "{D55AAA6D-B38B-4A6C-95FC-BBF9BD84385B}";
}

public class ScriptConnection : BaseConnection {
  private static string Key() => "{5F1E8D54-3539-4084-A6BE-8AF4D8D70721}";
}

public class ShortcutConnection : BaseConnection {
  private static string Key() => "{CF48D698-54C3-4F7E-90DA-8AAEFFD9C32C}";
}

public class SkyDriveConnection : BaseConnection {
  private static string Key() => "{0C129621-A698-4ED4-AAD8-2C122C545C5A}";
}

public class SMBConnection : BaseConnection {
  private static string Key() => "{BF3009AE-3CB2-4944-92D4-57FFCC87CA32}";
}

public class SNMPReportConnection : BaseConnection {
  private static string Key() => "{151B7571-CA52-4B03-B036-218D21605EF4}";
}

public class SplashtopDashboardConnection : BaseConnection {
  public static string Key() => "{587CCFAA-07B9-41DF-9A7C-1C3EDCA8DF80}";
}

public class SyncConnection : BaseConnection {
  private static string Key() => "{D1678DBD-23A7-43BC-B5CD-B928286C7F99}";
}

public class TeamViewerConnection : BaseConnection {
  private static string Key() => "jjkdsflkjdf45g65ewrirendu3rewv";
}

public class TerminalConnection : BaseConnection {
  private static string Key() => "{D6037472-976A-4EAB-8135-DE779F4EDF29}";
}

public class TerminalServerConnection : BaseConnection {
  private static string Key() => "{1B86BACE-9B7D-4CB2-BDB8-4CDEE5C86D43}";
}

public class TicketingServiceNowConnection : BaseConnection {
  private static string Key() => "{67387B8F-2BDB-4D1A-B6B0-E75DD1F32FB2}";
}


public class ToolConnection : BaseConnection {
  private static string Key() => "{9B5F2E23-E0A0-4e6a-8232-9D9E1D16EF2A}";
}

public class VMRCConnection : BaseConnection {
  private static string Key() {
    return AddOnServices.ObfuscationKey() + "{CBBA08E3-9B7E-4e4d-A306-33E47BFE05C9}";
  }
}

public class VMWareConnection : BaseConnection {
  private static string Key() => "{25D598A2-7CFC-4f27-9149-02B884DD5E6C}";
}

public class VNCConnection : BaseConnection {
  private static string Key() => "{FBF6C5D3-9E59-49ff-A87A-D09300CA11D5}";
}

public class VPNConnection : BaseConnection {
  private static string Key() => "d3214f56sdhgfbnmksfjlrir234734879";
}

public class WebConnection : BaseConnection, IWebConnection {
  private static string Key() => "{545727BB-9372-4f05-B560-CD97D49E1BF2}";
}

public class WebDavConnection : BaseConnection {
  private static string Key() => "{C26AAC4C-2924-41B4-8605-03D9B7ED5643}";
}

public class XenServerConnection : BaseConnection {
  private static string Key() => "{C9556DA2-45FC-4B3F-A00E-09886B4AF62B}";
}

解密后得到密码uika

import hashlib
import base64
from cryptography.hazmat.decrepit.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers import Cipher, modes
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding

key_seed = "{FBF6C5D3-9E59-49ff-A87A-D09300CA11D5}"
md5_hash = hashlib.md5(key_seed.encode('utf-8')).digest()

encrypted_password = "GfK3y3OCjag="
ciphertext = base64.b64decode(encrypted_password)

cipher = Cipher(algorithms.TripleDES(md5_hash), modes.ECB(), backend=default_backend())
decryptor = cipher.decryptor()
decrypted_padded = decryptor.update(ciphertext) + decryptor.finalize()

unpadder = padding.PKCS7(64).unpadder()
unpadded_data = unpadder.update(decrypted_padded) + unpadder.finalize()

print(unpadded_data)

b'uika'

试着解密下192.168.114.66的密码kqc/46efIr4=，结果是T0m0r1n。
PasswordHistory的SafePassword使用的密码在PasswordHistory类中。

1
2
3

public class PasswordHistory {
  private static string Key() => "{AC0D3D07-88DC-460D-B47B-CD3E9023F081}";
}

用这个密钥解密历史密码2pG8negw2CA=，得到tomorin。

彳艮彳亍

密钥存储

那么问题又来了，RDM 的官方文档里还写了一个存储在%LocalAppData%\Devolutions\RemoteDesktopManager\RemoteDesktopManager.enc的密钥是干嘛的呢。文件里LocalKeyStored中存储了 Base64 格式的密钥。

<?xml version="1.0"?>
<OptionEncryption>
  <LocalKeyStored>UQZti/6QhFxB99KrC8JE6h3wgTApPFaaqapAZxES32A=</LocalKeyStored>
</OptionEncryption>

先找到密钥存储文件对应的变量。

public abstract class ApplicationDescriptor {
  public string OptionEncryptionFileName => this.OptionBaseFileName + ".enc";
  public string OptionSensitiveFileName => this.OptionBaseFileName + ".stv";
}

如果设置了对本地文件启用 DPAPI 加密，应该要先解密文件，解密后读取LocalKeyStored。

public static class OptionManager {
  private static void DoLoadOptionEncryption() {
    if (File.Exists(FileManager.CurrentOptionEncryptionFileName)) {
      if (!OptionManager.optionsInternal.EnableDPAPICryptographyOnLocalFiles && !PolicyManager.Policy.ForceEnableDPAPICryptographyOnLocalFiles) {
        FileManager.DecryptFile(FileManager.CurrentOptionEncryptionFileName);
      }
      try {
        OptionManager.OptionEncryption = (OptionEncryption) SerializationManager.LoadObjectFromFile(FileManager.CurrentOptionEncryptionFileName, typeof (OptionEncryption));

找LocalKeyStored的调用，看着是加密stv用的。

1	option.OptionSensitivePacked = LocalEncryptionManager.Encrypt(bytes, optionEncryption.LocalKeyStored);

看样子还根据设备是否启用 FIPS 模式选择加密方式。

public static class LocalEncryptionManager {
  public static byte[] Encrypt(byte[] data, byte[]? key = null) {
    return LocalEncryptionManager.IsFIPSMode ? Managed.Encrypt(data, key, version: CipherTextVersion.V1) : Managed.Encrypt(data, key);
  }
  ...
    if (Registry.LocalMachine.OpenSubKey("System\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy")?.GetValue("Enabled") is int num)
  ...
}

最终调用了一个 Native 的加解密。

public static class Managed {
  public static byte[] Encrypt(byte[] data, byte[] key, byte[] aad = null, CipherTextVersion version = CipherTextVersion.Latest) {
    if (data == null || data.Length == 0)
      return (byte[]) null;
    if (key == null)
      throw new DevolutionsCryptoException(ManagedError.InvalidParameter);
    long errorCode1 = Native.EncryptSizeNative((UIntPtr) (ulong) data.Length, (ushort) version);
    if (errorCode1 < 0L)
      Utils.HandleError(errorCode1);
    long length = aad != null ? (long) aad.Length : 0L;
    byte[] result = new byte[errorCode1];
    long errorCode2 = Native.EncryptNative(data, (UIntPtr) (ulong) data.Length, key, (UIntPtr) (ulong) key.Length, aad, (UIntPtr) (ulong) length, result, (UIntPtr) (ulong) result.Length, (ushort) version);
    if (errorCode2 < 0L)
      Utils.HandleError(errorCode2);
    return result;
  }

  public static byte[] Decrypt(byte[] data, byte[] key, byte[] aad = null, ILegacyDecryptor legacyDecryptor = null) {
    if (data == null || data.Length == 0)
      return (byte[]) null;
    if (key == null)
      throw new DevolutionsCryptoException(ManagedError.InvalidParameter);
    long length = aad != null ? (long) aad.Length : 0L;
    byte[] array = new byte[data.Length];
    long num = Native.DecryptNative(data, (UIntPtr) (ulong) data.Length, key, (UIntPtr) (ulong) key.Length, aad, (UIntPtr) (ulong) length, array, (UIntPtr) (ulong) array.Length);
    if (num < 0L) {
      if (legacyDecryptor != null && Enum.IsDefined(typeof (NativeError), (object) (int) num) && (int) num == -11)
        return legacyDecryptor.Decrypt(data, key);
      Utils.HandleError(num);
    }
    Array.Resize<byte>(ref array, (int) num);
    return array;
  }
}

public static class Native {
  private const string LibName = "DevolutionsCrypto";
}

看了下 Native 像是 Rust 写的，丢给 Gemini 逆，应该是根据加密数据前的标志位判断加密算法，实际用了 AES-256-GCM 或 XChaCha20-Poly1305。具体算法不逆了，直接调库。解出来好像也不是什么重要的数据，也可能因为这份样本中没存什么重要数据。

import ctypes
import base64

DLL_PATH = r"C:\Program Files\Devolutions\Remote Desktop Manager\runtimes\win-x64\native\DevolutionsCrypto.dll"
DevolutionsCrypto = ctypes.CDLL(DLL_PATH)

DevolutionsCrypto.Decrypt.argtypes = [
    ctypes.POINTER(ctypes.c_ubyte),
    ctypes.c_size_t,
    ctypes.POINTER(ctypes.c_ubyte),
    ctypes.c_size_t,
    ctypes.POINTER(ctypes.c_ubyte),
    ctypes.c_size_t,
    ctypes.POINTER(ctypes.c_ubyte),
    ctypes.c_size_t
]
DevolutionsCrypto.Decrypt.restype = ctypes.c_long

def Decrypt(data: bytes, key: bytes, aad: bytes = b""):
    data_len = len(data)
    key_len = len(key)
    aad_len = len(aad)
    result_buffer_type = ctypes.c_ubyte * data_len
    result_buffer = result_buffer_type()
    
    data_ptr = (ctypes.c_ubyte * data_len).from_buffer_copy(data)
    key_ptr = (ctypes.c_ubyte * key_len).from_buffer_copy(key)
    
    if aad:
        aad_ptr = (ctypes.c_ubyte * aad_len).from_buffer_copy(aad)
    else:
        aad_ptr = ctypes.cast(None, ctypes.POINTER(ctypes.c_ubyte))

    decoded_len = DevolutionsCrypto.Decrypt(
        data_ptr, data_len,
        key_ptr, key_len,
        aad_ptr, aad_len,
        result_buffer, data_len
    )

    return bytes(result_buffer[:decoded_len])


with open(r"C:\Users\Saki\AppData\Local\Devolutions\RemoteDesktopManager\RemoteDesktopManager.stv", "rb") as f:
    stv_bin = f.read()

key = base64.b64decode("UQZti/6QhFxB99KrC8JE6h3wgTApPFaaqapAZxES32A=")

plaintext = Decrypt(stv_bin, key)
print(plaintext.decode("utf-8"))

<?xml version="1.0"?>
<OptionSensitive>
  <DataSources>
    <SQLiteConnectionDataSource>
      <DBID>08cb0446-f46d-4b31-baea-71e97484918c</DBID>
      <DisableAutoRefresh>false</DisableAutoRefresh>
      <ID>ea23d670-1099-45f3-99ee-db96f7576b36</ID>
      <IsAccessRequestAutoRefreshSupported>true</IsAccessRequestAutoRefreshSupported>
      <IsDefault>true</IsDefault>
      <LastKnownOfflineMode>Disabled</LastKnownOfflineMode>
      <Name>Local Data Source</Name>
      <OfflineMode>Disabled</OfflineMode>
      <Database>C:\Users\Saki\AppData\Local\Devolutions\RemoteDesktopManager\Connections.db</Database>
      <RequiresPassword>false</RequiresPassword>
    </SQLiteConnectionDataSource>
  </DataSources>
  <OptionMigrationVersion>2022.3.12.0</OptionMigrationVersion>
</OptionSensitive>