I can offer help on how to do user passwords. It will take a programmer (not me), but the solution is very straight forward. I am assuming they are using a hash for a password. If they aren’t, then the solution will be much easier, but you will have to look into that yourself. For most people it will figure out every password.
1) You need to figure out how password hashes are created on x-cart. For example, it might be md5([password]) or it might be md5([password] . [salt_string]) or md5(reverse(md5([password]))), etc, etc
2) Then you need to decide on a range of passwords char lengths. Hopefully x-cart has password constraints (ie, passwords must be between 5-10 chars). Any passwords that fall outside of the range will not be “decrypted” Most passwords, in my experience, are between 5 and 10 chars.
3) Next, you must create a program taht re-iterates through every possible combination given the possible password length and character set (a-z0-9). You will build a hash database of every possible value. This database will be quite large when you are done. It will record the original string along with the resulting hash.
4) Finally, you cycle through each member and look up their password in the hash database.
IF the hash is as simple as md5([password]) you can find premade databases such as http://gdataonline.com/. That database has 1,133,759,416 entries