Author Topic: how does this perl script work  (Read 7194 times)

Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
how does this perl script work
« on: February 10, 2009, 06:38:19 PM »
I am trying to learn Perl, and while I understand Perl regular expressions a bit, this program is confusing me.

What does the if line test for? You can see the arguments it's getting from the same program written in C here.

Does while (<>) mean "while there is standard input, do this for each line"? I'm not sure.

http://insecure.org/sploits/cisco.passwords.html



Quote from: perl
@xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
          0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
          0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53 , 0x55, 0x42 );

while (<>) {
        if (/(password|md5)\s+7\s+([\da-f]+)/io) {
            if (!(length($2) & 1)) {
                $ep = $2; $dp = "";
                ($s, $e) = ($2 =~ /^(..)(.+)/o);
                for ($i = 0; $i < length($e); $i+=2) {
                    $dp .= sprintf "%c",hex(substr($e,$i,2))^$xlat[$s++];
                }
                s/7\s+$ep/$dp/;
            }
        }
        print;
}
# eof
VaeVictus "reaper is a lying sack of shit and ragequit then had, probably slugs, come alias and beat me, wasnt even the same person playing OBVIOUSLY, accuracies basicly doubled, and strategy

Offline quadz

  • Loquaciously Multiloquent Member
  • ****
  • Posts: 5352
Re: how does this perl script work
« Reply #1 on: February 10, 2009, 08:39:38 PM »
My perl is about 8 years rusty...

But anyway, there are several constructs in perl that operate on $_ or @_ if no variable is specified.

so...

while (<>) {
        if (/(password|md5)\s+7\s+([\da-f]+)/io) {
 # ...
        }
}

can be rewritten to use explicit variables, like:

while ($line = <>) {
        if ($line =~ /(password|md5)\s+7\s+([\da-f]+)/io) {
 # ...
        }
}


(Hopefully I'm still remembering this correctly...)


Regards,

:afro:

"He knew all the tricks, dramatic irony, metaphor, bathos, puns, parody, litotes and... satire. He was vicious."

Offline peewee_RotA

  • Brobdingnagian Member
  • ***
  • Posts: 4152
  • Hi, I'm from the gov'ment and I'm here to help you
Re: how does this perl script work
« Reply #2 on: February 11, 2009, 03:39:43 PM »
Best Perl resource that I found
http://www.perlmonks.org/


Be sure to stop by the Obfuscation section to see some really unreadable scripts
http://www.perlmonks.org/?node=Obfuscated%20Code
« Last Edit: February 11, 2009, 03:43:32 PM by peewee_RotA »
GOTO ROTAMODS (rocketgib)
GOTO ROTAMAPS (fireworks)
HappyFriar- q2server.fuzzylogicinc.com
 Tune in to the Tastycast!!!!  http://dna.zeliepa.net

Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
Re: how does this perl script work
« Reply #3 on: February 15, 2009, 08:28:12 PM »
I like Perl; it can be harder to read IMO, but I started messing with it and it seemed easy, and I know C somewhat, so that helped. I think it's going to be my language of choice. Ruby is one I would consider looking into, but I haven't really seen it yet. Python I just don't really like, sorry; the whitespace thing is way too weird, for one. Quadz, why do you like Ruby as opposed to Perl?



Quote from: perl
while (<>) {
        if (/(password|md5)\s+7\s+([\da-f]+)/io) {

Perl regular expressions are complicated for sure, at least to me, when you throw in greedy and non-greedy matching and the efficiency of compiling them or not. http://www.troubleshooters.com/codecorn/littperl/perlreg.htm#Greedy

I'm going to try and comment this program; I just haven't had the time because I'm learning Perl and it's going to take me a bit.
But I think I got the if condition. From the C program I see it takes a router config file, or a switch plus the encrypted password, then strips out the password from the config, or just takes the pass and runs the same algorithm against the encrypted pass that the router would have to (not the router's fault it has to decrypt it).

Here is the if condition (pretty simple really):
while (<>)
if (/(password|md5)\s+7\s+([\da-f]+)/io)

<> is the input operator; Perl will take files as arguments and concatenate them. <> reads from the input line by line with while. So the input is the router config, and we're searching for the encrypted password by matching against the following pattern in the config text.

Expression modifiers are at the end: /io is case insensitive (i), and (o) is compile the regex once, which speeds it up in this circumstance by creating some low-level byte code, I guess, instead of the Perl interpreter doing more...

Here is the if condition :: (commas and () are mine; the literal stuff I'm sure you get..)

**"password or md5, plus a space, 7 one or more times,a space one or more times, (a single digit or a through f one or more times)"**

I'm pretty sure that's the correct interpretation of the regex. The rest of the code is just the algorithm doing funky stuff with the encrypted pass (the original algorithm in reverse).

For fun I'm going to comment it. Should be a great exercise :)


$_ is the current default input (like one line during a while loop on the input operator)
@_ holds the incoming parameters to a subroutine (I'm used to these being called functions)


« Last Edit: February 16, 2009, 09:06:36 AM by reaper »

Offline quadz

  • Loquaciously Multiloquent Member
  • ****
  • Posts: 5352
Re: how does this perl script work
« Reply #4 on: February 15, 2009, 11:25:55 PM »
Quadz, why do you like Ruby as opposed to Perl.

I landed a job in 1999 that required a lot of Perl programming.  I enjoyed Perl a lot, because it had so much expressive power in its syntax compared to languages I'd used previously like C, C++ and Java.

One can accomplish quite a bit with one line of Perl-syntax.

But I started to sour on Perl the more I tried to do OO-style programming with it.  While I prefer a language not force me to do OO, I also prefer the language to make OO very easy to write when I want it.  In Perl OO was cleverly grafted on to the language with the 'bless' keyword, but I found actually writing OO code in Perl to be so tedious as to feel not worth my time.  Which is the opposite of what I want.

In 2001, I wrote a fair amount of Python code.  Like Perl, OO was also grafted onto Python.  But at least in Python they made it enough of a part of the language that it's not tedious to write OO code in Python.  (Though it still feels a bit tacked-on in areas, such as the explicit "self" argument as the first parameter of each method definition, and when making method calls on the 'current' object.  Even C++ manages to improve on that.)

For me--and this is purely personal preference--Python also feels like a bit of an authoritarian language to me.  As though somebody decided there was one correct way to do things, and I often found myself disagreeing.

At Rubyconf 2007, matz, the creator of ruby gave a talk on programming languages, while wearing a Python shirt.

Matz observed: Turing Theory => Language does not matter, at least in theory. [...] What makes the difference? Not the language itself. It's the attitude of the users. Python users believe in the one true way. Ruby users like diversity. I said that I liked all programming languages, except for a few.

In 2005, Pythonista Ian Bicking asserted that ruby users were wrong to embrace ruby's open classes: "You can monkeypatch code in Python pretty easily, but we look down on it enough that we call it “monkeypatching”. In Ruby they call it “opening a class” and think it’s a cool feature. I will assert: we are right, they are wrong."

But matz replied, "... “open class” is so strong (often too strong), we can break things easily. In other word, Ruby trust you to give you sharp knives, where Python don’t. From the Python point of view, it’s wrong, I guess."

So--perhaps I'm getting a little ahead of myself since you asked about Ruby and Perl, and here I'm talking about Ruby and Python.  But anyway, for me, I didn't find the Python community's "one true way" approach a good fit for my own style, and yes--I prefer a language that trusts me with sharp knives. :)

As for Ruby, I started learning it in 1999 also, maybe six months after I'd begun writing a lot of Perl code.

From my point of view, ruby has accomplished a remarkable synthesis between Perl's "swiss army chainsaw" gritty flexibility, and Smalltalk's clean comprehensive OO capabilities.

For example, in Ruby we don't lose Perl's strengths for writing quick'n'dirty command line programs.  Here's a ruby one-liner to read data from one-or-more files, and print the number of unique IP addresses found in all the data:

  ruby -e 'p ARGF.read.scan(/\d{1,3}(?:\.\d{1,3}){3}/).uniq.size' *.log

Ruby and Perl both offer a similar level of syntactic power for one-liners like that, which I think is cool.

And, like Perl and Python, Ruby doesn't force anyone to write OO style code.

But, unlike the others, Ruby was designed with OO in mind from the beginning, and it shows.  Object Oriented code is extremely clean and easy to write in Ruby.

Everything is an object:

  5.times {print "hello"}

Creating new classes is trivially easy:

  class Foo
    def huzzah
      puts "Greetings and salutations!"
    end
  end

  f = Foo.new
  f.huzzah

  Greetings and salutations!



Also, similar to Python, ruby comes with an interactive shell (irb).  I keep irb open at all times while I'm programming in ruby, because it's convenient to be able to just type code in and try it out.

Example, sending a UDP status packet to tastyspleen.net::vanilla from the interactive ruby shell:

>> require 'socket'
=> true
>> sock = UDPSocket.open
=> #<UDPSocket:0x2cb6108>
>> sock.send("\xFF\xFF\xFF\xFFstatus\0", 0, "tastyspleen.net", 27912)
=> 11
>> x = sock.recvfrom(65536)
=> ["\377\377\377\377print\n\\Q2Admin\\1.17.44-tsmod-2\\mapname\\ware1\\anticheat\\1\\maxspectators\\4\\gamedate\\Jan 15 2009\\gamename\\baseq2\\INFO2\\NO BOTS, HACKS, CHEATS PLEASE\\INFO1\\All Skill Levels Welcome\\cheats\\0\\timelimit\\15\\fraglimit\\30\\dmflags\\16404\\deathmatch\\1\\version\\R1Q2 b7759 i386 Jun  5 2008 Linux\\hostname\\tastyspleen.net::vanilla\\maxclients\\32\n0 232 \"Onslow\"\n0 18 \"Pybie\"\n0 57 \"Obama\"\n0 21 \"SillyBilly-CRU\"\n0 5 \"WallFly[BZZZ]\"\n", ["AF_INET", 27912, "tastyspleen.net", "74.54.186.226"]]

# the above is the raw UDP response data...
# let's print it out a little nicer:

>> print x[0][4..-1]
print
\Q2Admin\1.17.44-tsmod-2\mapname\ware1\anticheat\1\maxspectators\4\gamedate\Jan 15 2009\gamename\baseq2\INFO2\NO BOTS, HACKS, CHEATS PLEASE\INFO1\All Skill Levels Welcome\cheats\0\timelimit\15\fraglimit\30\dmflags\16404\deathmatch\1\version\R1Q2 b7759 i386 Jun  5 2008 Linux\hostname\tastyspleen.net::vanilla\maxclients\32
0 232 "Onslow"
0 18 "Pybie"
0 57 "Obama"
0 21 "SillyBilly-CRU"
0 5 "WallFly[BZZZ]"



... I find it quite handy to be able to experiment with code interactively like that.


So, for me, Ruby's kind of a best of both worlds blend of Perl and Smalltalk.


Regards,

quadz

« Last Edit: February 15, 2009, 11:28:23 PM by quadz »

Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
Re: how does this perl script work
« Reply #5 on: February 16, 2009, 01:11:25 PM »
Interesting. I mainly write scripts, which I'm sure Ruby is good at; does it work with text as well as Perl? I'm wondering what the advantages of Perl might be; I'm guessing maybe all the CPAN modules. I do like the interactive shell. The OO stuff I'm just getting familiar with. I believe in Perl 5 the OO stuff is pretty built in and up to standards (so I read), but I don't know much about that, other than reading:
dog->speak  "a dog goes bark"
cat->speak   "a cat goes meow,"

So far I haven't had a need for the OO stuff, other than working with existing code that uses it.
 
You could also send and receive the status like this:
perl -e 'print "\xFF\xFF\xFF\xFFstatus\0"' | netcat -u tastyspleen.net 27912


\Q2Admin\1.17.44-tsmod-2\mapname\tastydm2\anticheat\1\maxspectators\4\gamedate\Jan 15 2009\gamename\baseq2\INFO2\NO BOTS, HACKS, CHEATS PLEASE\INFO1\All Skill Levels Welcome\cheats\0\timelimit\15\fraglimit\30\dmflags\16404\deathmatch\1\version\R1Q2 b7759 i386 Jun  5 2008 Linux\hostname\tastyspleen.net::vanilla\maxclients\32
0 33 "aaaahhhh"
5 187 "o mulek piranha"
27 53 "name"
1 163 "Reznath-HUN"
5 48 "Mongo"
8 189 "kill"
16 55 "dad"
3 142 "Malibu Stacy"
0 75 "ramirez"
4 196 "King Drangons"
1 53 "instance"
24 83 "Prophet(COW)"
2 46 "Turd"
0 181 "cycatakurwa"
0 0 "Vodka Martini"
13 75 "Quartz"


regarding that perl script,
this is confusing me:
if (!(length($2) & 1))


So we got the line with the encrypted password from the config file from the if condition matching on the regex.
Then I guess the above line works on the current line, and does some bitwise ANDing, to get rid of a bad match or something.
length just gets the second character from the line, but I'm not sure what is going on, other than I believe it is ANDing two bits and making sure they are not on.
http://www.cs.cf.ac.uk/Dave/PERL/node36.html

edit:
that's totally wrong :)
 if (!(length($2) & 1))

$2 is the second sub match of the regex, so it is ([\da-f]+), which is just a hex string of any length. So it is doing some type of ANDing, and I believe looking for an even match..
« Last Edit: February 16, 2009, 01:53:09 PM by reaper »
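An added example, not quadz's irb code and not reaper's netcat one-liner: a Ruby parser for the reply both posts print. The wire format is small and fixed (four 0xFF bytes, the word print and a newline, one infostring line of backslash-separated key/value pairs, then one line per player of the form score ping "name"), so it can be parsed strictly instead of eyeballed. The sample packet is rebuilt from the irb output above and labelled as such, so the parser runs offline; the only network call is a separate function that repeats the exchange from the posts with a timeout added, using the host and port the posts use. Everything in the reply is data supplied by the remote server, which is why the parser rejects anything that does not fit the layout rather than guessing.

```ruby
# Added example, written for this thread; not quadz's irb session and not
# reaper's netcat one-liner. Parses the Quake 2 "status" reply those posts
# show, offline, from a sample copied out of the irb output above.
require 'socket'

OOB_HEADER = "\xFF\xFF\xFF\xFF".b   # four 0xFF bytes: a connectionless packet

# Sample reply, taken from the irb output in the post above and rebuilt here
# as a byte string (real replies arrive as raw bytes, hence .b).
SAMPLE_STATUS = [
  OOB_HEADER, "print\n",
  "\\Q2Admin\\1.17.44-tsmod-2\\mapname\\ware1\\anticheat\\1\\maxspectators\\4",
  "\\gamedate\\Jan 15 2009\\gamename\\baseq2\\INFO2\\NO BOTS, HACKS, CHEATS PLEASE",
  "\\INFO1\\All Skill Levels Welcome\\cheats\\0\\timelimit\\15\\fraglimit\\30",
  "\\dmflags\\16404\\deathmatch\\1\\version\\R1Q2 b7759 i386 Jun  5 2008 Linux",
  "\\hostname\\tastyspleen.net::vanilla\\maxclients\\32\n",
  "0 232 \"Onslow\"\n", "0 18 \"Pybie\"\n", "0 57 \"Obama\"\n",
  "0 21 \"SillyBilly-CRU\"\n", "0 5 \"WallFly[BZZZ]\"\n"
].join.b

Player = Struct.new(:score, :ping, :name)

# Turns a status packet into { info: {key => value}, players: [Player] }.
# Layout: 4 x 0xFF, "print\n", one infostring line of \key\value pairs,
# then one line per player of the form: score ping "name".
# Anything that does not fit that layout raises rather than being guessed at.
def parse_status(packet)
  packet = packet.b
  raise ArgumentError, "not an out-of-band packet" unless packet.start_with?(OOB_HEADER)
  body = packet[OOB_HEADER.bytesize..-1]
  raise ArgumentError, "not a status reply" unless body.start_with?("print\n")
  info_line, *player_lines = body["print\n".bytesize..-1].split("\n")
  raise ArgumentError, "empty reply" if info_line.nil?

  fields = info_line.split("\\")
  fields.shift if fields.first == ""          # the infostring starts with a backslash
  raise ArgumentError, "unpaired infostring field" if fields.length.odd?
  info = Hash[*fields]

  players = player_lines.reject(&:empty?).map do |l|
    m = /\A(-?\d+)\s+(\d+)\s+"(.*)"\z/.match(l)
    raise ArgumentError, "bad player line: #{l.inspect}" unless m
    Player.new(m[1].to_i, m[2].to_i, m[3])
  end
  { info: info, players: players }
end

# The live exchange from the irb session, with a timeout so a silent host does
# not hang the caller. Not run here; port 27912 is the one used in the posts.
def query_status(host, port = 27912, timeout = 2)
  sock = UDPSocket.new
  sock.send(OOB_HEADER + "status\0", 0, host, port)
  raise "no reply from #{host}:#{port} within #{timeout}s" unless IO.select([sock], nil, nil, timeout)
  data, _from = sock.recvfrom(65_536)
  parse_status(data)
ensure
  sock.close if sock
end

if __FILE__ == $PROGRAM_NAME
  r = parse_status(SAMPLE_STATUS)
  puts "#{r[:info]['hostname']} map=#{r[:info]['mapname']} players=#{r[:players].size}"
  r[:players].each { |p| puts format("%4d %4d %s", p.score, p.ping, p.name) }
end
```

Note the asymmetry the two one-liners demonstrate: an 11-byte datagram with no handshake gets back several hundred bytes, which is the property reflection attacks rely on, so a server operator should expect to see this query from addresses that never intend to play.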

Offline QwazyWabbit

  • Carpal Tunnel Member
  • ******
  • Posts: 1373
Re: how does this perl script work
« Reply #6 on: February 16, 2009, 02:04:30 PM »
while(<>)

This is the magical input loop, it reads stdin. This allows it to accept command line arguments or file input if the command line specifies a file. The script can be commanded, fed files, or piped and it won't care.

 if (!(length($2) & 1))

This is the kind of idiom that makes me want to puke when I see Perl code. It is taking the second product of the pattern match that was last executed and determining if its length is odd or not. The inversion of the result makes it even more difficult to decide which path is the odd path and which is the not-odd path in the block. gag, retch, puke.
« Last Edit: February 16, 2009, 02:11:44 PM by QwazyWabbit »

Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
Re: how does this perl script work
« Reply #7 on: February 16, 2009, 02:09:55 PM »
Quote from: qwazy
while(<>)

This is the magical input loop, it reads stdin. This allows it to accept command line arguments or file input if the command line specifies a file. The script can be commanded, fed files, or piped and it won't care.

if (!(length($2) & 1))

This is the kind of idiom that makes me want to puke when I see Perl code. It is taking the second product of the pattern match and determining if its length is odd or not. The inversion of the result makes it even more difficult to decide which path is the odd path and which is the not-odd path in the block. gag, retch, puke.

Hmmm, I think you got it.
$2 is the second sub match of the initial regex, so $2 = a string of hex characters.
We run length on that string...
so if you have FFFF, length returns 4.
We take 4 and do (4 & 1), which is some type of ANDing where odd is true, then we just not (!) that. The parentheses seem pretty straightforward: it's going to do what's in them, and *then* not it. Seems all order of operations is like that, so other than being more explicit, the logic seems normal.

So...we are looking for an even number of characters in the hex string; why is that confusing? Assuming you already know what $2 represents, because I didn't and that's what threw me off. I'm guessing you want things more explicit, which would be much easier to understand, but after knowing what's going on a bit (a comment or two would have been a lot easier..) it seems straightforward, since you do what's in () first.

just my 2 cents

Quote from: perl
# grab each line of the router config that holds a type 7 encrypted password and replace
# the encrypted pass with the cleartext (the original transform run in reverse)

@xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
          0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
          0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53 , 0x55, 0x42 );

# the config file is given as an argument; as usual Perl reads in the files named as
# arguments (or stdin) and <> operates on them, concatenated into one input stream

while (<>) {

# test for "password or md5, one or more whitespace chars, the literal 7, one or more
# whitespace chars, one or more hex digits"; i modifier = case insensitive,
# o modifier = compile the regex once

        if (/(password|md5)\s+7\s+([\da-f]+)/io) {

# test the second sub match ($2): length is run on the hex string, so FFFF = 4, and we
# make sure 4 is NOT odd. 1 & 1 is true, 2 & 1 is false......
            if (!(length($2) & 1)) {
                # keep the encrypted blob ($ep) for the substitution below, start the decrypted pass ($dp) empty
                $ep = $2; $dp = "";
                # first two digits are the seed ($s, an index into @xlat), the rest ($e) is the ciphertext
                ($s, $e) = ($2 =~ /^(..)(.+)/o);
                # two hex digits per byte: convert each pair, XOR it with the next @xlat entry, append the char
                for ($i = 0; $i < length($e); $i+=2) {
                    $dp .= sprintf "%c",hex(substr($e,$i,2))^$xlat[$s++];
                }
                # replace "7 <hex>" in the current line ($_) with the cleartext
                s/7\s+$ep/$dp/;
            }
        }
        # print the current line, rewritten or not
        print;
}
# eof


getting there : )
« Last Edit: February 16, 2009, 02:24:00 PM by reaper »
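An added example, written for this page and not taken from the insecure.org script or from any post above: the same transform in Ruby, with the pieces the thread has been pulling apart (the $2 capture, the length($2) & 1 even-length test, the two-digit seed, the XOR against @xlat, the s/7\s+$ep/$dp/ substitution) as separate named steps, so each can be checked on its own. It adds the forward direction, which the script does not contain, to make the "reversible, not a hash" point concrete: encoding cisco under seed 8 gives 0822455D0A16, and decoding that gives cisco back. The sample config is constructed for the example; $1$abcd$notarealhash is a placeholder and not a real hash, and the enable secret 5 line passes through untouched, which is also what the Perl does. One deliberate difference: the Perl script keeps indexing @xlat past its 26 entries for long passwords (undef, which XORs as 0), whereas this version raises.

```ruby
# Added example, written for this thread; not the insecure.org script and not
# code from any poster. Same transform as the Perl, in Ruby, as separate steps.

# The 26-entry key table, byte for byte the @xlat array in the Perl script.
XLAT = [0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
        0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
        0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53, 0x55, 0x42].freeze

# The script's line test: "(password|md5)\s+7\s+([\da-f]+)", case-insensitive.
# Capture 2 is the hex blob the script calls $2.
TYPE7_LINE = /(password|md5)\s+7\s+([\da-f]+)/i

# Decode one type-7 blob. Returns nil for what the script silently skips:
# an odd number of hex digits (its `!(length($2) & 1)` test), or a blob too
# short to hold the two-digit seed plus one byte (its /^(..)(.+)/ split).
def type7_decode(blob)
  return nil if blob.length.odd? || blob.length < 4
  seed = blob[0, 2].to_i           # $s: first two digits, a decimal index into XLAT
  body = blob[2..-1]               # $e: the rest, two hex digits per password byte
  body.scan(/../).each_with_index.map do |hex, i|
    key = XLAT[seed + i]           # $xlat[$s++]
    # The Perl script runs off the end of @xlat for long passwords (undef, which
    # XORs as 0); this version refuses instead of returning a wrong answer.
    raise ArgumentError, "password longer than the 26-entry key table" if key.nil?
    (hex.to_i(16) ^ key).chr
  end.join
end

# The forward direction, to show the scheme is an XOR and not a hash.
# IOS chooses the seed itself; here it is a parameter (assumption: 0..15).
def type7_encode(plain, seed)
  raise ArgumentError, "seed out of range" unless (0..15).cover?(seed)
  out = format("%02d", seed)
  plain.each_byte.with_index do |byte, i|
    key = XLAT[seed + i]
    raise ArgumentError, "password longer than the 26-entry key table" if key.nil?
    out << format("%02X", byte ^ key)
  end
  out
end

# What the script's `while (<>) { ... print }` loop does to a whole config:
# replace "7 <hex>" with the cleartext on matching lines and pass every other
# line through unchanged, including "enable secret 5" lines, which are MD5
# hashes the script never touches.
def rewrite_config(text)
  text.each_line.map do |line|
    m = TYPE7_LINE.match(line)
    next line unless m
    plain = type7_decode(m[2])
    next line if plain.nil?        # odd-length blob: left as-is, like the script
    line.sub(/7\s+#{Regexp.escape(m[2])}/) { plain }
  end.join
end

# Constructed sample config for the example. The type-5 line is a placeholder,
# not a real MD5 hash; the last line has an odd-length blob to show the skip.
SAMPLE_CONFIG = <<~'CFG'
  hostname edge-rtr
  enable secret 5 $1$abcd$notarealhash
  enable password 7 0822455D0A16
  ip ospf message-digest-key 1 md5 7 0822455D0A16
  username ops password 7 0822455D0A1
CFG

if __FILE__ == $PROGRAM_NAME
  puts rewrite_config(SAMPLE_CONFIG)
end
```

Run it as a script to print the rewritten config. The point of keeping decode and encode side by side is that anyone holding a copy of the table can do either, which is exactly why the Cisco text quoted in a later post says a config file containing type 7 passwords should be handled like a cleartext password list.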

Offline QwazyWabbit

  • Carpal Tunnel Member
  • ******
  • Posts: 1373
Re: how does this perl script work
« Reply #8 on: February 16, 2009, 02:26:43 PM »
Because the output of (length(abc) & 1) is 1 and (length(abcd) & 1) is 0, so the inversion is redundant and only serves to make the script harder to read and maintain. And the ! is easy to miss when scanning the block. The fact that the script is short is irrelevant to its maintainability. I suspect the author used it to make the body look nicer by putting the majority code deeper into the nesting. As your experience with it and commenting it shows, it's not exactly clear precisely what it is doing and why or when it will do it. :) Just another example of what makes me get a headache when I read Perl. :)

You can safely say: if (!(length($2) & 1)) { #if length($2) is even, do...

P.S. I wrote perl for the backend of a web site for over a year for a gal who had no programming experience whatsoever and who thought daily changes to features in the front end wouldn't affect the back end. :) Ruby looks better than perl to me at this point.

Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
Re: how does this perl script work
« Reply #9 on: February 16, 2009, 03:20:16 PM »
Quote from: qwazy
Because the output of (length(abc) & 1) is 1 and (length(abcd) & 1) is 0, so the inversion is redundant and only serves to make the script harder to read and maintain.

The author was probably used to using the & bitwise operator, because he could have done "if(length($2) % 2 ==1)" or he just wanted it slightly shorter, I don't know.

Quote from: qwazy
Regarding your comment about running the algorithm in reverse, MD5 is a hash, it is a one-way function and cannot be reversed. You can apply passwords and compute their hash. If two MD5 hashes match, the password is the same.

MD5 is what is used now; it looks like the algorithm originally used was reversible, where with MD5 this is possible but not computationally feasible. I'm no cryptology expert, but that's the gist I believe. You could however, like you said, just run a dictionary attack and create the hashes from a password list and compare the hashes.

I give the script the hash, and it certainly does come back with the password. Maybe the same thing will happen with MD5 eventually; you'll link to the quantum Amazon.com supercomputer or whatever : )


Quote from: insecure.org
The scheme used by IOS for user passwords was never intended to resist a
determined, intelligent attack; it was designed to avoid casual
"over-the-shoulder" password theft. The threat model was someone reading a
password from an administrator's screen. The scheme was never supposed to
protect against someone conducting a determined analysis of the
configuration file.

Because of the weak encryption algorithm, it has always been Cisco's
position that customers should treat any configuration file containing
passwords as sensitive information, the same way they would treat a
cleartext list of passwords.

Enable Secret Passwords
- -----------------------
Enable secrets are hashed using the MD5 algorithm. As far as anyone at
Cisco knows, it is impossible to recover an enable secret based on the
contents of a configuration file (other than by obvious dictionary
attacks).

Note that this applies only to passwords set with "enable secret", *not*
to passwords set with "enable password". Indeed, the strength of the
encryption used is the only significant difference between the two
commands.

Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
Re: how does this perl script work
« Reply #10 on: February 16, 2009, 03:27:36 PM »
Not sure what happened to your post, but if I deleted it, it was on accident..

Offline QwazyWabbit

  • Carpal Tunnel Member
  • ******
  • Posts: 1373
Re: how does this perl script work
« Reply #11 on: February 16, 2009, 03:32:30 PM »
No, I deleted it. I originally thought the script was attacking the MD5 hashes but it only attacks the reversible password scheme.
If it sees the 'enable secret 5' line header it simply prints the line without attacking the hash.
Once I re-read the article I deleted my post but you had already begun to reply apparently. Sorry about that.

Offline quadz

  • Loquaciously Multiloquent Member
  • ****
  • Posts: 5352
    • View Profile
  • Rated:
Re: how does this perl script work
« Reply #12 on: February 17, 2009, 12:10:48 AM »
Interesting, I mainly write scripts, which I'm sure Ruby is good at, does it work with text as well as perl?

Yeah, I spent two years in Perl doing pure text processing jobs on large SGML datasets.  It was actually pretty fun.

Ruby and Perl are essentially equivalent in ease of text processing.  Both languages support regular expressions directly in the language syntax.  Both support the same manner of text <-> binary pack/unpack operations, single- and double-quote semantics, specifiable delimiters for quoted literals, string interpolation, here documents, etc. etc.

. . . BTW, another nice thing ruby's got built in by default is arbitrary precision integer arithmetic.  For ex:

>> 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
=> 2135987035920910082395021706169552114602704522356652769947041607822219725780640550022962086936575

>> 2**320 - 1
=> 2135987035920910082395021706169552114602704522356652769947041607822219725780640550022962086936575

>> "ThisIsABase36Number".to_i(36)
=> 304138581087363290458845912387

# for fun, convert base 36 into base 35
#
>> "ThisIsABase36Number".to_i(36).to_s(35)
=> "1dxlpmy7u4oowe0vynnw"



I'm wondering what the advantages of perl might be, i'm guessing maybe all the CPAN modules.  I do like the interactive shell.  The OO stuff i'm just getting familiar with, I believe in perl 5 the OO stuff is pretty built in and up to standards (so I read), but I don't know much about that.  Other than reading:
dog->speak  "a dog goes bark"
cat->speak   "a cat goes meow,"

Objects in perl are easy enough to use; but I find classes and methods tedious to implement in perl.  Tedious to the point where I would sometimes grudgingly fall back to writing procedural code in places where I really wanted an object, but felt it was too much of a PITA to bother with.


could also send and receive the status like this:
perl -e 'print "\xFF\xFF\xFF\xFFstatus\0"' | netcat -u tastyspleen.net 27912

Sure, or:

ruby -e 'print "\xFF\xFF\xFF\xFFstatus\0"' | netcat -u tastyspleen.net 27912

:dohdohdoh:

But that's more showcasing netcat rather than ruby or perl. :)


I give the script the hash, and it certainly does come back with the password. Maybe the same thing will happen with MD5 eventually, you'll link to the quantum Amazon.com supercomputer or whatever : )

If the password space is small enough, a low-tech dictionary lookup can be used.  I think there are actually web sites out there with databases of MD5 sums for common words and passwords... so you type in the MD5 sum, and it spits out the passwords in its database that match the sum.

But of course, if the password can be any length, then there are an unlimited amount of passwords which hash to the same MD5 sum.


Regards,

:afro:

« Last Edit: February 17, 2009, 12:17:04 AM by quadz »
"He knew all the tricks, dramatic irony, metaphor, bathos, puns, parody, litotes and... satire. He was vicious."

Offline QwazyWabbit

  • Carpal Tunnel Member
  • ******
  • Posts: 1373
    • View Profile
  • Rated:
Re: how does this perl script work
« Reply #13 on: February 17, 2009, 06:18:57 PM »
Always good for some nugget.

http://www.codeproject.com/script/Surveys/Results.aspx?srvid=891

Hardly, scientific. Never a large enough population of responders IMO but it might give a general indication of the trend in the industry.

BTW, the FCS (Flight Control System) in the F-22 is written in C++ to very strict requirements for style, usage and test.

Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
    • View Profile
  • Rated:
Re: how does this perl script work
« Reply #14 on: February 17, 2009, 08:52:00 PM »
Quote from: quadz
Objects in perl are easy enough to use; but I find classes and methods tedious to implement in perl.  Tedious to the point where I would sometimes grudgingly fall back to writing procedural code in places where I really wanted an object, but felt it was too much of a PITA to bother with.

Doesn't the new Perl have better OO than the old versions, or maybe that is the perl you're talking about "5.x"?  I have been getting some help with some OO stuff lately, since I've never used it.  I guess I could use procedural style in everything, but for larger projects OO might be a good idea for reuse.  I started learning OO, because sometimes I'll grab someone else's code, and it's in there..
It seems very foreign to me.  To me if I put everything in functions, it's modular and it's cool, I could even put portions of an app in separate .o files.  I guess my method would be copying functions, instead of creating new objects, but all in all I'm still a bit confused.
Although I do understand when I go duck->speak I get quack and dog->speak I get bark :)

Quote from: reaper
Quote from: quadz
could also send and receive the status like this:
perl -e 'print "\xFF\xFF\xFF\xFFstatus\0"' | netcat -u tastyspleen.net 27912


Sure, or:

ruby -e 'print "\xFF\xFF\xFF\xFFstatus\0"' | netcat -u tastyspleen.net 27912



But that's more showcasing netcat rather than ruby or perl.

Still cool nonetheless : ).  I see NXServer, the only remote desktop for Linux that actually works well, uses netcat, I'm not sure why it does though, but it does depend on netcat, and it does work better than VNC.  Not that you shouldn't normally just call the socket from Perl, it's pretty easy in Perl too.

I'm not liking using -e and -n with perl to evaluate code on the command line as opposed to an interactive shell. I do see there is a hacked up interactive shell for perl, but that's not really what I like, I like everything to just be installed and work together.  Not grab another script to have an interactive shell, at least that's what I'd prefer.

The things I'm liking with perl are the syntax, and the special variables, and operators, as well as all the CPAN modules, they've come in quite handy to me like Net::Snmp.  I don't know I just like it, but I haven't tried Ruby other than the online interactive shell.

Quote from: qwazy
Always good for some nugget.

http://www.codeproject.com/script/Surveys/Results.aspx?srvid=891

Hardly, scientific. Never a large enough population of responders IMO but it might give a general indication of the trend in the industry.

BTW, the FCS (Flight Control System) in the F-22 is written in C++ to very strict requirements for style, usage and test.

I think that is valuable, but I don't think it's accurate.  Amazon and craigslist are written in Perl, Perl is huge on the internet, holding everything together, and it comes in handy for all types of IT work.  But when someone reports what they are using for a living I could see Perl falling short.
Also I think the categories are very broad, with embedded systems, and real time OS'es etc, you are cutting Perl right out of the loop, so maybe overall in all markets those numbers are more accurate.  But let's not forget what php, perl,python and ruby are doing, they are the glue that holds the internet systems together. Even Google has invested heavily in Python.


The Perl interpreter/compiler can try and understand what you're doing, and seems more advanced as far as I can tell than other systems:
http://en.wikipedia.org/wiki/Perl
wikipedia "Perl is distributed with some 120,000 functional tests. These run as part of the normal build process and extensively exercise the interpreter and its core modules. Perl developers rely on the functional tests to ensure that changes to the interpreter do not introduce bugs; conversely, Perl users who see that the interpreter passes its functional tests on their system can have a high degree of confidence that it is working properly."

Is it prone to errors?  I guess it depends mostly on how you enforce style, and usage, it seems to have plenty of tests, and can even try and correct problems.

Although I'd prefer the F-22's flight system was programmed with ANSI C, I'm not sure how accurate that is, considering how advanced perl is, and the coding usage and standards could be achieved with Perl as well as C.


Quote from: perl
#!/usr/bin/perl
#grabbing the lines in the router configuration file with the encrypted passwords, and operating on the encrypted pass by running the original algorithm in a reverse manner

#hardcoded hex values with which we will XOR our password with to create the encrypted password
@xlat = ( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
          0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
          0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53 , 0x55, 0x42 );

while (<>) {
        if (/(password|md5)\s+7\s+([\da-f]+)/io) { #test for the lines with the encrypted pass "password 7 HEXSTRING"
            if (!(length($2) & 1)) { #testing that the length of "HEXSTRING" is even: length & 1 is 0 for an even length, and the ! turns that 0 into a true test
                $ep = $2; $dp = ""; #dp is going to be our password, ep is our encrypted pass
                ($s, $e) = ($2 =~ /^(..)(.+)/o); #place the first two chars of the encrypted pass in s, and the rest in e

#s is our key, it's where we start in the translate table (perl reads those two chars as a decimal number).  who knows where it's originally derived from, the password or random.  either way there are only 26 possible values

#up to the length of the encrypted pass (not the first two chars of it, that's the key), loop through in increments of 2
                for ($i = 0; $i < length($e); $i+=2) {

                    $dp .= sprintf "%c",hex(substr($e,$i,2))^$xlat[$s++]; #take two chars of the encrypted pass at a time (starting two chars into the encrypted pass, $e), convert them from hex to a number, and XOR that against one value in the xlat array, starting at the index given by the first two chars of the encrypted pass and stepping up one index per byte.  append the ASCII character for the XOR result to dp, and keep adding to dp through the loop till the full pass is generated
                }
#woooah, got the real pass!, take the line with the encrypted pass and replace it with the real deal
                s/7\s+$ep/$dp/;
            }
        }
#print it out
        print;
}
# eof


The algorithm works on 1 key, the first two bytes of the encrypted pass, the key says where you start in the translate array of hex values.  You then just take two hex digits and xor them against that index, then step up one index in the array and xor the next two hex digits.  They could have shifted the bits before the XOR, and done some monkey business, and that would have been cool if you didn't have the source. But this could be guessed and was. Much, much, much easier in hindsight, but you can see if you just take the encrypted pass, compare it in memory, you could see it's double the length plus one.
Guess it's two for one, and a key, and it's using XOR, and there you go, you could just go through big passwords and compute the xlate array.  Guess that is why it has been reverse engineered, since IOS was leaked well after this exploit.

Cisco says it was never meant to be strong, but why are they using MD5 now; anyways I understand their point.  The router uses MD5 now for things that were using this algorithm before, where the router doesn't need to decrypt the password.

Quote from: php
<?php
echo "<div style=\"font-family:monospace\">";
// encrypted: fdgsdfgsdfgdsgf1
// real: adsfasfd

$xlat = array( 0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
               0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
               0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53, 0x55, 0x42 );

echo "<p>".nl2br(print_r($xlat,1))."</p>";
$encrypted = '082Fasdfasfdas';
$realpass = 'asdfasdf';

$key = substr($encrypted,0,2);
$startkey = base_convert($key,16,10);
echo "<p>$key:$startkey</p>";

$pass = str_split(substr($encrypted,2),2);
echo "<p>".print_r($pass,1)."</p>";
$newpass = '';
foreach ($pass as $key=>$val) {
     $actualkey = ($key + $startkey) % 26; // wrap around the 26-entry table, as the reverse loop below does
     $newpass .= chr(base_convert($val,16,10)^$xlat[$actualkey]);
     echo "<p>character $key: $val (",base_convert($val,16,10),"), xlat: ",$xlat[$actualkey],", converted: $newpass</p>";
}

echo "<p>----------REVERSE</p>";

//$startkey = 8;
$startkey = rand(0,25);

$startpass = str_split($realpass);
echo "<p>",print_r($startpass,1),"</p>";
$encpass = str_pad(base_convert($startkey,10,16),2,"0",STR_PAD_LEFT);
echo "<p>$encpass</p>";

foreach ($startpass as $key=>$val) {
     $actualkey = $startkey + $key;
     if ($actualkey > 25) { $actualkey -= 26; }
     $thischar = str_pad(base_convert(ord($val)^$xlat[$actualkey],10,16),2,"0",STR_PAD_LEFT);
     $encpass.=$thischar;
     echo "step $key: $encpass<br />";
}

?>

the reverse in php, some stuff in there while debugging it, but it takes the encrypted pass and gives you the real one.  However you won't know the key, but there are only 26 possibilities.
« Last Edit: February 17, 2009, 09:06:48 PM by reaper »
VaeVictus "reaper is a lying sack of shit and ragequit then had, probably slugs, come alias and beat me, wasnt even the same person playing OBVIOUSLY, accuracies basicly doubled, and strategy
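The scheme reaper walks through above (a two-digit seed picking the starting index, then each byte XORed with successive table entries) and QwazyWabbit's point that the script leaves `enable secret 5` lines alone, written up as an added Ruby example that is not from the thread, the insecure.org script or the PHP post. It uses the 26-byte table quoted in the thread and reads the seed as decimal, which is what the Perl's `$xlat[$s++]` does when it numifies the captured string (the PHP's `base_convert($key,16,10)` reads it as hex instead). The wrap-around at index 26 follows the PHP reverse loop and is an assumption, as are the config lines in `sample_config`, which are constructed with a placeholder hash.

```ruby
# Added example, not code from the thread: the reversible "type 7" scheme
# described above, plus a small config audit that separates reversible
# "password 7" lines from hashed "secret 5" lines.

# The 26-entry table as quoted in the thread.
XLAT = [0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41,
        0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c,
        0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53, 0x55, 0x42].freeze

# Decode "SSHHHH..." where SS is the decimal seed (table index to start at)
# and each HH is one plaintext byte XORed with XLAT[seed + position].
# Returns nil for malformed input (odd hex length, seed beyond the table),
# which is where the Perl script just prints the line through unchanged.
# Wrapping modulo 26 is an assumption borrowed from the PHP reverse loop.
def decode_type7(encoded)
  return nil unless encoded =~ /\A\d{2}(?:[0-9a-fA-F]{2})+\z/
  seed = encoded[0, 2].to_i
  return nil if seed >= XLAT.size
  bytes = encoded[2..-1].scan(/../).map { |hh| hh.to_i(16) }
  bytes.each_with_index.map { |b, i| (b ^ XLAT[(seed + i) % XLAT.size]).chr }.join
end

# The forward direction: same XOR walk, emitted as two hex digits per byte
# behind the two-digit decimal seed. Demonstrates that the transform is
# symmetric, i.e. anyone holding the config and the table recovers the text.
def encode_type7(plain, seed)
  raise ArgumentError, "seed must be 0..#{XLAT.size - 1}" unless (0...XLAT.size).cover?(seed)
  body = plain.bytes.each_with_index.map do |b, i|
    format("%02x", b ^ XLAT[(seed + i) % XLAT.size])
  end
  format("%02d", seed) + body.join
end

# Classify each config line the way the thread's regex does: "password 7 <hex>"
# or "md5 7 <hex>" is reversible and gets decoded; "secret 5" / "md5 5" lines
# carry an MD5-style hash and are only reported, never attacked.
def audit_config(text)
  text.each_line.map do |raw|
    line = raw.chomp
    if (m = line.match(/(password|md5)\s+7\s+([\da-f]+)/i))
      recovered = decode_type7(m[2])
      { line: line, kind: recovered ? :reversible : :malformed, recovered: recovered }
    elsif line =~ /\b(secret|md5)\s+5\s+\S+/i
      { line: line, kind: :hashed, recovered: nil }
    else
      { line: line, kind: :other, recovered: nil }
    end
  end
end

# Constructed sample config (assumption: placeholder hash, not a real secret).
def sample_config
  <<~CFG
    enable secret 5 $1$PLACEHOLDER$notarealhash
    username admin password 7 #{encode_type7('letmein', 8)}
    enable password 7 0812
    line vty 0 4
  CFG
end

if __FILE__ == $PROGRAM_NAME
  audit_config(sample_config).each do |f|
    puts format("%-10s %s%s", f[:kind], f[:line], f[:recovered] ? "  => #{f[:recovered]}" : "")
  end
end
```

Running it on the sample prints the `secret 5` line as `hashed` with nothing recovered and both `password 7` lines as `reversible` with their plaintext, which is the practical reason a config review flags every `password 7` line: the seed has only 26 values and the table is public, so the string in the config is the password for anyone who can read the file.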