
Office / Excel encryption


Ryan Moore

Feb 9, 2001, 5:08:51 PM2/9/01
I am an idiot who encrypted an Excel file and forgot the password. I'm also
incredibly cheap (and poor), so I don't want to pay for a program to
crack (a.k.a. recover) the file passwords ($29.95 for guaranteed results).
My only saving graces may be that I like crypto, I can and am willing to
read, and I know enough programming and math to get by.

I'm looking for a pointer to any information on the encryption used by
Microsoft in the Office products, specifically Excel 97. I've read that
there are "significant enhancements" between O95 and O97 such that it is no
longer trivial to crack '97 passwords, but I can't find anything that
contains information as to what the original was or how it has been
improved.

According to the Elcom Advanced Office 97 Password Recovery tool (demo),
there are at least 4 possible different ways to password-protect an excel
file:
Write protection
Book protection
Shared book protection
Sheet protection

I have searched Microsoft's site and the web for information about
encryption and password protection, but to no avail. There are many links
to Recovery Companies, but I haven't found any useful information. I want
to make my own cracker, let it brute-force for a month or whatever is
necessary.

I know somebody has this information. I only hope that A) That somebody is
willing to share and B) it's not proprietary/non-disclosure/we'll shoot you
if you tell anyone kind of stuff.

Anybody?

- Ryan Moore, spam-fr...@dullsville.com


Paul Rubin

Feb 9, 2001, 5:57:50 PM2/9/01

CMan

Feb 11, 2001, 10:28:59 PM2/11/01
Ok, here's the deal:

Learn about structured storages. You will need to know this to be able to
access the "1Table" structure in the Excel file. The 1Table structure
contains three 16 byte numbers. The first is a random salt. The second is
an MD5 hashed nonce encrypted using RC4 with a key (K). This encrypted
hash is stored as a second 16 byte number in 1Table. The nonce is encrypted
using key (K) and MD5 hashed then stored as a third 16 byte number in
1Table.

The key (K) is calculated in the following way:

The password (expressed in unicode) is MD5 hashed. The first five bytes of
the password hash are put into an array with the 1st 16 byte number (the
salt) stored in the 1Table structure. The salt is repeatedly concatenated
with the password and then padded according to the MD5 algorithm. The MD5
hash is taken. The first five bytes of this hash are saved and then padded
and MD5 hashed again. The first five bytes of this hash along with a counter
byte become the RC4 key for encrypting/decrypting the document. The counter
periodically re-keys the RC4 engine by incrementing the counter byte modulo
8.

This key is first MD5 hashed before RC4 key scheduling. This hash is the key
(K).

An approach to guessing the password is thus to brute force guess the
password and decrypt the second and decrypt and hash the third 1Table number
until there is a match. (The MD5 hash of the decrypted third number when MD5
hashed should equal the RC4 decrypted second number). This will work for
short, poorly chosen passwords. It will not work for well chosen passwords
because there is not enough time in the universe to do all the math
required.

There is a better way to recover the document. This is to recover the five
byte value which is the document key, add the counter byte and decrypt the
document. This method will always recover the document and can be
accomplished on hardware costing less than $1200 in a few days.

Use four Abit BH6 motherboards, four overclocked Celeron 300A processors.
Boot the motherboards disklessly from your network (use Linux of course, you
will have to recompile the kernel to get the NFS to mount properly...)
Make sure you have the eproms on the network cards properly configured to
run bootpd on start-up.

You will need to run PVM software or just manually divvy up the keyspace by
telnetting to the individual motherboards and running shell scripts. If you
want to get fancy, you can run a free X-Windows client on a Windows machine
and control the whole shebang from your windows machine. Of course you will
have to ctrl-alt-del occasionally on the Windows unit but Linux will just
keep going and going and going...

On the second day, you can write Windows software to create a Word process,
jam load the recovered key and make Word do the document decryption.

Oh, the whole thing will run faster if you optimize your MD5 and RC4 code
taking into consideration the dual pipelined Celeron architecture and use
assembler code optimized for instruction pairing.

That's all there is to it. Good luck.


John E. Kuslich

--
CRAK Software
http://www.crak.com
Password Recovery Software
QuickBooks, Quicken, Access...More


"Paul Rubin" <phr-...@nightsong.com> wrote in message
news:7xd7cr8...@ruckus.brouhaha.com...
> Try www.crak.com.
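The key derivation and verifier check described in the post above, written out as an added example (not code from the original thread or from CRAK Software). It follows the publicly documented Office 97/2000 RC4 scheme, where the per-block key is MD5 of the 5-byte intermediate hash plus a 4-byte little-endian block number; the salt and verifier values are constructed, and the point it makes is that the RC4 key depends on only 40 bits of password-derived material, so the scheme is weak regardless of how long the password is.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the stdlib has no RC4, so it is written out."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def intermediate_key(password: str, salt: bytes) -> bytes:
    """Password + 16-byte salt -> the 5-byte value every block key is built from."""
    h0 = hashlib.md5(password.encode("utf-16-le")).digest()
    buf = (h0[:5] + salt) * 16          # 21-byte unit repeated 16 times
    return hashlib.md5(buf).digest()[:5]  # only 40 bits survive here


def block_key(trunc5: bytes, block: int) -> bytes:
    """RC4 key for one 1024-byte block: MD5(5-byte hash || block number LE32)."""
    return hashlib.md5(trunc5 + block.to_bytes(4, "little")).digest()


def make_header(password: str, salt: bytes, verifier: bytes):
    """Produce the three 16-byte values stored with the document
    (salt, encrypted verifier, encrypted MD5 of the verifier)."""
    key = block_key(intermediate_key(password, salt), 0)
    enc = rc4(key, verifier + hashlib.md5(verifier).digest())
    return salt, enc[:16], enc[16:]


def check_password(password: str, salt: bytes, enc_verifier: bytes,
                   enc_verifier_hash: bytes) -> bool:
    """Decrypt both stored values with the block-0 key; MD5(verifier) must match."""
    key = block_key(intermediate_key(password, salt), 0)
    dec = rc4(key, enc_verifier + enc_verifier_hash)
    return hashlib.md5(dec[:16]).digest() == dec[16:]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real file.
    salt, ev, evh = make_header("hunter2", bytes(range(16)), bytes(range(16, 32)))
    print(check_password("hunter2", salt, ev, evh), check_password("Hunter2", salt, ev, evh))
```

Because `block_key` only ever sees the 5-byte `intermediate_key` output, an attacker working on the key rather than the password faces at most 2^40 candidates, which is what the post means by recovering the document key instead of the password.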

rcg

Feb 12, 2001, 3:20:08 AM2/12/01
I wrote a vba program several years ago that would try random
passwords in a loop until it opened a password protected excel file.
It typically opened a file protected with a 4 char password in a
couple of hours (running on a 100 MHz 486, win 95).

At the time, word used a different language model (word basic) that I
was unable to use the same idea on (the error handling was different).

If you are interested, I think I could locate the source code. It
might work on newer versions of excel or (more likely), it could
perhaps be modified.

Bob.
