Does anyone know how Database connection strings are stored?

I am in the midst of reverse engineering flow and associated files.

One thing I am a bit stuck on is how db connections are stored.

If you open the NDF file for a “ConnectionData” node you will see something called an “IRT” node, which looks something like this:


As you can see there is a big long encoded string here, which I am presuming contains the connection name, and all the details of the database connection.

But I cannot work out how to descramble it.

Any ideas? Anyone recognise the encoding? I tried base 64 decoding but seemed come out with garbage… could it be binary? I am assuming its serialized from Java some its probably not too complicated…

Ok, so I’ve figured it out kinda. It is base 64 encoded, and it appears to be a binary blob, but most of the content is readble in a hex editor. So I am guessing it’s a binary serialization of a java class, or just a text file with some non standard bytes at the start.

Here is a powershell script to extract it into a binary file, which you can then peruse with a hex editor:

 # starting string from NDF file
$content = "CwQAAAABBQEEGQBjAG8A ... "

# get as byte array, decoding from base 64
$var = [System.Convert]::FromBase64String($content)

# save to file to current directory
[io.file]::WriteAllBytes((pwd).Path + "\binary.bin",$var)

Appears these blobs are serialized using

Does anyone know how to convert this type to/from a hand-editable xml? may lead you to what you’re after. That non-public service points to I assume you can pick up the trail from there (I dunno if it will lead to what you’re looking for though).

1 Like