Encoding Citrix passwords with PowerShell
Citrix ICA files can optionally contain the password used to authenticate the connection.
Here are two PowerShell functions that can perform the required encryption and decryption.
I’ve made these functions so that I can programmatically create a whole bunch of ICA files which I can then use to connect to all my servers without having to type the password when I connect (or manually change all the files when my password changes).
function Citrix-Encode {
param ($s = "", $k = $null)
if ($k -eq $null) {
$k = Get-Random 256
}
$p = $k -bxor ($k -bor [int][char]'C')
$e = ($s.Length + 1).ToString("x4") + $k.ToString("x2")
$s.ToCharArray() |% {
$c = $_ -bxor $p -bxor $k
$e += $c.ToString("x2")
$p = $c
}
return $e
}
function Citrix-Decode {
param ($s = $null)
$l = [regex]::split($s, '(?<=\G.{2})')
$n = [convert]::toint16($l[0]+$l[1],16) + 1
$k = [convert]::toint16($l[2],16)
$p = $k -bxor ($k -bor [int][char]'C')
$d = ""
$l[3..$n] |% {
$c = [convert]::toint16($_,16)
$d += [char]($c -bxor $p -bxor $k)
$p = $c
}
return $d
}
Example of use:
PS> Citrix-Encode "abcd1234" 0009aa8a428b45de46df41 PS> Citrix-Decode "0009aa8a428b45de46df41" abcd1234
The obfuscation that Citrix uses is shown to be relatively simple – just using an initial key and then some simple XOR stuff. The decode function does not do any validation of it’s input, it just assumes that it will be fed a valid hex string.
This code also needs way more comments …
Bri
Bri 
Thank you!! This is exactly what I have been looking for!
[haven’t checked in here for a while]
Glad you find it useful!
Also available as a PowerShell module at https://github.com/nairby/citrix-ica-password