Reversing the WinSCP session password encryption

Edit: this article has been superseded by a newer version, implemented in Python: WinSCP session password decryption - Part 2


So today I decided to access my web hosting account via scp from my Linux partition. But of course, I had forgotten my password! So I used the “Offline NT Password & Registry Editor” to extract the necessary settings (from the Windows 7 partition):

Open the file

C:\Users\<UserName>\NTUSER.dat

and inside regedit navigate (via “cd”) to

\Software\Martin Prikryl\WinSCP 2\Sessions\<SessionName>

From this key, you need the values “Password” (only present if the password was saved; a very long string), “Host” and “UserName”.

Finally I reverse engineered the WinSCP source code, which was especially hard because it originates from Delphi, where all strings and arrays are 1-based. My final decrypter code:

Usage (using the values from the registry key):

./decrypter HostName UserName Password

I hope that this will save someone else's time, too!