Citrix ICA files can optionally contain the password used to authenticate the connection.

Here are two PowerShell functions that can perform the required encryption and decryption.
I’ve made these functions so that I can programmatically create a whole bunch of ICA files which I can then use to connect to all my servers without having to type the password when I connect (or manually change all the files when my password changes).

function Citrix-Encode {

    param ($s = "", $k = $null)

    if ($k -eq $null) {
        $k = Get-Random 256

    $p = $k -bxor ($k -bor [int][char]'C')

    $e = ($s.Length + 1).ToString("x4") + $k.ToString("x2")

    $s.ToCharArray() |% {
        $c = $_ -bxor $p -bxor $k
        $e += $c.ToString("x2")
        $p = $c

    return $e

function Citrix-Decode {

    param ($s = $null)

    $l = [regex]::split($s, '(?<=\G.{2})')

    $n = [convert]::toint16($l[0]+$l[1],16) + 1
    $k = [convert]::toint16($l[2],16)

    $p = $k -bxor ($k -bor [int][char]'C')
    $d = ""

    $l[3..$n] |% {
        $c = [convert]::toint16($_,16)
        $d += [char]($c -bxor $p -bxor $k)
        $p = $c

    return $d

Example of use:

PS> Citrix-Encode "abcd1234"

PS> Citrix-Decode "0009aa8a428b45de46df41"

The obfuscation that Citrix uses is shown to be relatively simple – just using an initial key and then some simple XOR stuff. The decode function does not do any validation of it’s input, it just assumes that it will be fed a valid hex string.

This code also needs way more comments …