As you probably know, models that come without a recovery CD have a hidden service partition with lots of IMZ, CRI and a few IMD files in the \RECOVERY dir.
I was trying to decrypt passwords stored in CRI files. I only managed to do this for IMZs which are in fact password-protected zip files.
I was wondering if any of you found the passwords required to open IMD files (PowerQuest Drive Image). They contain a partition image that is restored when turning the machine into a factory state. These passwords begin with iq..... but there are still 5 unknown characters. In my case the encrypted passwords for IMD are CK2AAPL and CK2UAPL because it's a Polish Windows XP Home SP2. In your case it could be CK2AAUS or CK2AAEN. It will take too much time to find them using brute-force. Finding the algorithm used to encrypt these passwords is also impossible at the moment (too little data).
Code:
ENCRYPTED    DECRYPTED PASSWORD
BMGR         be0d
HURRICANES   xwbdbgmlbu
HUURICANES   xwvdbgmlbu
hurricanes   ?????????? (IMZ)
STANLEYCUP   u1kmkblhvi
TVTPASS      2b0ilsu
CK2AAPL      iq????? (IMD)
CK2UAPL      iq????? (IMD)
CKD158A      iqyrabm
CKD164T      iqyrhk2
CKD170T      iqyrzm2
CKD171A      iqyrzpm
CKD173T      iqyrzd2
CKD174T1     iqyrzk2q
CKD179T      iqyrzs2
CKD185T1     iqyrc`2q
CKD192T      iqyrtj2
CKD196T      iqyrtg2
CKD197T      iqyrty2
CKD199T      iqyrts2
CKD204A      iqylnkm
CKD205T      iqyln`2
That's why I'm asking you to post both encrypted and decrypted passwords for your IMZ files -- if you found any. I bet the same algorithm was used. Finally it would be possible to write a small utility to decode passwords stored in CRI files.
-
-
Robert, you're my god !
I had had a zip password recovery program running for 2 hours when I found your post.
I badly needed this 'HURRICANES' password encrypted/decrypted, so that I could get to the WinDVD setup files.
This encrypting of preloaded software is really sick...
So here's my contribution in return.
My other passwords are :
Code:
BKD010F      bqyoqmu
BKD023F      bqyokdu
BKD0025F     bqyonjbt
BKD037A      bqyoeym
BKD047F      bqyolyu
CM2ZCFR      iejfhsd
I have no IMD file here, the whole system image is just a zip file as well.
From my last password, you can guess the third letter of your IMD passwords is a 'j'.
And from your TVTPASS password, you can also guess the fifth letter is an 'l'.
But here's more.
I put all our already known matches in a table.
Horizontally are all the characters used in an unencrypted password.
Vertically is the character's position in the password.
Then you get the corresponding encrypted character.
So you already know the password is encrypted char by char, and that a given character in a given position always yields the same encrypted char.
With a bit of observation, it becomes quite clear that:
* for a given source char, the encrypted char cycles every third position (see r, s, t, 2)
* for every 3 juxtaposed positions, the encrypted chars are following up in the reverse order (see f, t, all the digits)
So for any column where I had at least one letter, I could deduce the whole column.
And then I found out that letters A-M had the same encrypted char as letters N-Z, and just the same for digits and letters J-S.
In the end, I got to this table, which is pretty complete.
I just miss the matching encrypted char for D/Q/7 at position 1/4/..., but a single missing char should be trivial to find.
And your IMD passwords should be:
Code:
CK2AAPL      iqjmlgl
CK2UAPL      iqjxlgl
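The table-building described in the post above, as an added example that is not part of the original thread: it rebuilds the substitution table from the pairs posted here, using only the every-third-position rule and the A-M/N-Z/digit equivalence, and reproduces the two IMD passwords. Grouping characters by ASCII code modulo 13 is an assumption that matches the equivalence the post describes; the function names are illustrative.

```python
# Left column of the thread's listings is the input, right column the output.
PAIRS = """
BMGR be0d  HURRICANES xwbdbgmlbu  HUURICANES xwvdbgmlbu  STANLEYCUP u1kmkblhvi
TVTPASS 2b0ilsu  CKD158A iqyrabm  CKD164T iqyrhk2  CKD170T iqyrzm2
CKD171A iqyrzpm  CKD173T iqyrzd2  CKD174T1 iqyrzk2q  CKD179T iqyrzs2
CKD185T1 iqyrc`2q  CKD192T iqyrtj2  CKD196T iqyrtg2  CKD197T iqyrty2
CKD199T iqyrts2  CKD204A iqylnkm  CKD205T iqyln`2  BKD010F bqyoqmu
BKD023F bqyokdu  BKD0025F bqyonjbt  BKD037A bqyoeym  BKD047F bqyolyu
CM2ZCFR iejfhsd
""".split()


def cell(ch, pos):
    # Assumption inferred from the thread: outputs repeat every third
    # position, and A-M, N-Z and the digits (paired with J-S) share outputs,
    # which is the same as grouping characters by ASCII code modulo 13.
    return (pos % 3, ord(ch) % 13)


def build_table(tokens):
    """Fill the table from known pairs; raise if the model is contradicted."""
    table = {}
    for clear, enc in zip(tokens[0::2], tokens[1::2]):
        if len(clear) != len(enc):
            raise ValueError(f"length mismatch: {clear} / {enc}")
        for pos, (c, e) in enumerate(zip(clear, enc)):
            if table.setdefault(cell(c, pos), e) != e:
                raise ValueError(f"{clear}: position {pos} contradicts table")
    return table


def encode(clear, table):
    """Apply the recovered table; '?' marks a cell no known pair covers."""
    return "".join(table.get(cell(c, p), "?") for p, c in enumerate(clear))


TABLE = build_table(PAIRS)
# Cells (position % 3, code % 13) that the posted pairs never exercise.
MISSING = sorted({(p, m) for p in range(3) for m in range(13)} - set(TABLE))

if __name__ == "__main__":
    for name in ("CK2AAPL", "CK2UAPL"):
        print(name, encode(name, TABLE))
    print("uncovered cells:", MISSING)
```

The uncovered cells include D/Q/7 at positions 1, 4, 7, the gap the post mentions; the other two would need the post's second (reverse-order) observation, which this example does not implement.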
-
Great! The passwords you suggested are correct! It's fantastic you noticed how to decrypt them. But I was not sure that the fifth letter in my CK2AAPL password is l (iq..l..) because I thought that everything depends on the first character of the password.
As I promised, here is the utility which can easily decode them (download CRI_DEC.EXE). I hope you'll find it useful. It properly decrypts passwords consisting of arbitrary ASCII characters. So it also worked with my lower-case "hurricanes" password. At the moment it is not possible to encode passwords, because I don't have much time now. I'm going on holidays tomorrow and I'm not packed yet. I will add this functionality when I'm back.
-
That's nice of you.
I don't think I'll need to decrypt any of these IMZ files anytime soon, but I'm pretty sure someone else will find it useful.
I'm a little confused by your use of "encrypt" and "decrypt" (or "encode" and "decode").
To me HURRICANES is the clear text password, which encodes as xwbdbgmlbu, which in turn is used as an encryption key for the actual data.
Just like the ! E(%password%) instruction on the unzip command line in the CRI file calls an Encode macro.
Transforming an encoded password back to its cleartext form doesn't seem feasible. (Is it even needed?)
An encoded char can match multiple cleartext chars, so you just cannot guess which one was used.
Well, sure, you can always come up with a working cleartext password.
Did you plan to use this to inject software in the service partition? Yeah, maybe someone could find a use for it then.
Have a nice holiday!
-
List Complete...^^
-
Hi there, I am using an X61 and am trying to recover Diskeeper Home from my recovery partition. I tried using the table to generate the password for the file 4XDWX4A_.IMZ but was unable to expand the file as the password is not correct. Can anyone help me??
-
help from anyone??
-
IBM/Lenovo may very well have changed the way they encrypt IMZ files...
I'll try and have a look on a T61 here.
-
IMZ/IMD files on a service partition
Discussion in 'Lenovo' started by Robert Borkowski, Jul 19, 2007.