PDA

View Full Version : Cracking w97 files


dipeshrestha
April 9th, 2002, 07:04
Dear friends,

I am facing problem while cracking the password protected word document. i generally use bpx hmemcpy in softice to have a break in software. but it does not seems to work with Word or excel. Can anyone help me with that

thanx in advance

dipeshrestha

Aimless
April 9th, 2002, 07:42
Hullo,

If you are trying the "MEMORY-ECHO" trick to find the password in W97, then forget it. You will NOT get it, because it is not stored and not compared.

As far a bpx hmemcpy is concerned, if you are using the Win NT and above, this no longer exists.

A better way would be:

1. Enter your password
2. Ctrl-D into SoftICE
3. addr winword
4. bpx getwindowtexta
5. Press OK once you are out of SoftICE

If that does not work:

1. Enter your password
2. Ctrl-D into SoftICE
3. addr winword
4. hwnd winword
5. Check for the EDIT class topmost
6. bmsg xxxxx wm_gettext
7. Press OK once you are out of SoftICE

Remember, password protection means that the file gets encrypted. You might try to ask this question on the Encryption Board here on RCE.

...Have Phun

dipeshrestha
April 9th, 2002, 09:30
Hi aimless,

actually i'm using win 98. now i will try what u have said. thank you a lot. if problem persist i will again contact u.

dipeshrestha

foxthree
April 9th, 2002, 10:39
erm... I suppose, both methods wouldn't work in this case. I tried with Word 2000. No WM_GETTEXT there. My suggestion would be to break on the WM_LBUTTONDOWN:

i.e. bmsg <handle of OK button> WM_LBUTTONDOWN

Signed,
-- FoxThree

PS: Word 97 MD5-RC4

DakienDX
April 9th, 2002, 16:02
Hello foxthree !

Word 97 uses RC4?

In 1997 the US government hadn't yet legalized to export cryptography with more than 40 bit from the USA.
MD5 has a 128bit output, so what bits should be passed to the RC4 function? Only the first 40 bit?

Shall we accuse M$ because of weapon-export-violation?

naides
April 9th, 2002, 16:07
I may have misunderstood your request, but there are word and excel pasword recovery utils floating on the web. give it a search.

foxthree
April 9th, 2002, 19:44
Hi DakienDX:

I'd refer you to:
http://www.password-crackers.com/crack1.html#office97

I also post a snippet of Pavel Semjanov's PC FAQ on Office 97 Password Cracking:

"But because of US export regulations Office 97 uses 40-bit key. So encrypted files can be decrypted without password knowledge in a few days by searching for this key. Some companies ..."

If you take a look it is MD5 and RC4 with 40-bit keys. Though, I don't *really* know if 40-bits out of 128 are used for RC4, I do know that the crypto is RC4 [this one is for sure ] Also, I do know about ITAR Act and that it was relaxed only recently.

Thanks,

Signed,
-- FoxThree

PS: Dakien, don't get me wrong, but I *DO* tend to do my research before posting Cheers!!!

DakienDX
April 9th, 2002, 21:28
Hello foxthree !

The link is dead.
At least I get an "Error 403 Permission Denied".

I haven't read anything describing how M$ Word encrypts file, but it was just logical that it wasn't able to use 128 bit in 1997 outside of the USA.

Maybe I've asked in a wrong way, but I didn't doubt that Word uses RC4, only that it uses 128 bit as key.

foxthree
April 10th, 2002, 07:07
Hi Dakien:

Thanks for being cool

Yes, the link gives 403, but I used Google "cache".

Thanks,

Signed,
-- FoxThree

mike
April 10th, 2002, 15:41
Hi DakienDX, foxthree!

As far as I know, I was the first one to disassemble the thing. This was way back before I'd heard of Fravia or SoftIce or IDA. So I disassembled the thing via MSVC 5's code watch. The addresses kept changing because sometimes the DLL would get loaded into a different part of memory. I had pages of code taped to my wall that I had copied & pasted into word pad.

Anyway, the password test algorithm goes like this:
Code:

a=Lo40(MD5(pw in unicode, no terminating NULL))
b=concat(a,first)
c=Lo40(MD5(concat(16 b's)))
RC4Init(c);
RC4Decrypt(second);
RC4Decrypt(third);
d=MD5(second);
if d==third, password is correct.

Lo40 are the first five bytes of the input.
first, second, third are three 16-byte values found in the word file right after the string 00 01 00 01
concat("now","here"=="nowhere"

To decrypt a file, you just have to brute force the 40 bits of c.

To decrypt all files w/ the same password, you just have to brute force the 40 bits of a.

Every file can be decrypted with a nine-character single-case alpha password, since 26^9 ~=2^42.

mike
April 10th, 2002, 15:46
If anyone cares, DakienDX's been asking about cracking MS Word 97 files in the Newbies forum and I posted the pw test algorithm over there.

DakienDX
April 10th, 2002, 16:14
Hi mike !

I've put the two threads together so that they stay as one unit. It's OK to discuss this in the RCE Cryptographics.

Thank you for sharing your knowledge about the topic. I wasn't really interested in the Word 97 password protection, but if anybody feels he needs some more information, I'll help to keep the topic up to date.

mike
April 10th, 2002, 17:11
MS *did* violate crypto export laws with their PWL file. The password is hashed 9x using md5 to derive a 128-bit key which is fed to RC4 to encrypt the contents of the PWL file. Pick a new user name, a long password, store a resource in the PWL file (which can be up to 32 K) and log off. The PWL file is secure storage.

(This only applies to the update of the update that ended up in win98. There are a LOT of problems with early versions of PWL files.)

foxthree
April 10th, 2002, 20:45
Hi Mike:

Thanks for your post. However, I have one small question. Supposing, say we manage to brute force c (2^40 computations is not that big) but using 'c' how do we get back the clear-text password.

Since:
c=Lo40(MD5(concat(16 b's)))
to get b's from c we need to do Inv(MD5) which is 128-bits!

Are you referring to just decrypt the document based on 'c' or getting back the plain-text password? If it is the former, I understand (since you've got 'c', u just do the RC4 decrypt), but how to get the plain-text password

Signed,
-- FoxThree

mike
April 10th, 2002, 21:09
Quote:
Are you referring to just decrypt the document based on 'c' or getting back the plain-text password? If it is the former, I understand (since you've got 'c', u just do the RC4 decrypt), but how to get the plain-text password ???

It is the former, and you understand ;D

You have to do a second brute-force to get 'a' and a third brute-force to get a working password. The second and third brute-forces go very vast compared to the first one, since there's no rc4 setup.

All of this can be optimized out the wazoo with MMX instructions.