Thursday 28 June 2012

Microsoft Excel 2003 encryption scanner

(Edit 6/4/2013 - You will want the latest version at https://github.com/GavinSmith0123/crackxls2003 or https://github.com/GavinSmith0123/crackxls2003/tags rather than what is below.)

Encrypted Microsoft Excel 2003 spreadsheets are protected with an encryption key of only 40 bits.

No free program exists to scan keys to decrypt such files. I have taken a step towards such a program existing with the following file:

http://pastebin.de/27599

This is mostly complete, but it has to be linked against the low-level function at the core of the MD5 algorithm, the one that operates on a single 64-byte block. The "md5-fast.S" file linked to from here works. There is surely the same function in the implementation of the OpenSSL MD5 functions, but it is not provided as a publicly callable function.

Compile with something like "cc -O5 -fomit-frame-pointer -march=native -mtune=native crackxls2003.c -o xls_crack -lssl md5-fast.S".

I haven't put much work into the interface. It should be invoked with something like './xls_crack "7c dc fa a2 cd d2 2c 6a c8 f0 9f 3b 8b 72 ee f8" "d0 b0 64 e3 92 b2 6e 12 d0 5c 4a fe bc 66 35 8f" 1d da 30 05 8f'. The first argument is the "verifier" field and the second is the "verifierHash" field. The remaining arguments say where in the key space to start checking. The example I've given starts at the correct encryption key, which came from the password "monkey", so you can use it to check that the program is working. The two fields can be obtained using a program like "poledump" in conjunction with the file format reference.
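The test that each candidate key has to pass, as an added Python example (not the code from the pastebin or the crackxls2003 repository). It assumes the Office binary RC4 scheme from the file format reference: the RC4 key is MD5 of the 5-byte key followed by a 32-bit little-endian block number of 0, and one keystream decrypts the verifier and then the verifierHash. The function names and the sample values are constructed for illustration.

```python
import hashlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def block_key(key40: bytes, block: int = 0) -> bytes:
    """RC4 key for one block: MD5(5-byte key || little-endian block number)."""
    if len(key40) != 5:
        raise ValueError("key must be exactly 5 bytes (40 bits)")
    return hashlib.md5(key40 + block.to_bytes(4, "little")).digest()

def check_key(verifier: bytes, verifier_hash: bytes, key40: bytes) -> bool:
    """True if key40 decrypts the fields so that MD5(verifier) == verifierHash."""
    if len(verifier) != 16 or len(verifier_hash) != 16:
        raise ValueError("both fields must be 16 bytes")
    # One continuous keystream: bytes 0-15 cover the verifier, 16-31 the hash.
    ks = rc4_keystream(block_key(key40), 32)
    plain = bytes(a ^ b for a, b in zip(verifier + verifier_hash, ks))
    return hashlib.md5(plain[:16]).digest() == plain[16:]

def make_fields(key40: bytes, verifier_plain: bytes):
    """Build a constructed (verifier, verifierHash) pair to exercise check_key."""
    ks = rc4_keystream(block_key(key40), 32)
    plain = verifier_plain + hashlib.md5(verifier_plain).digest()
    enc = bytes(a ^ b for a, b in zip(plain, ks))
    return enc[:16], enc[16:]

# Constructed sample values, not taken from a real spreadsheet.
SAMPLE_KEY = bytes.fromhex("0102030405")
SAMPLE_VERIFIER, SAMPLE_HASH = make_fields(SAMPLE_KEY, bytes(range(16)))

if __name__ == "__main__":
    print(check_key(SAMPLE_VERIFIER, SAMPLE_HASH, SAMPLE_KEY))
    print(check_key(SAMPLE_VERIFIER, SAMPLE_HASH, bytes.fromhex("0102030406")))
```

Both MD5 inputs (9 bytes and 16 bytes) fit in a single 64-byte block, which is why a one-block MD5 function is all the scanner needs. To run the check on fields pulled from a file, pass the two 16-byte values and a 5-byte candidate key to check_key, for example via bytes.fromhex.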

On my computer it takes about a month to process the whole key space. On an x86 machine, it may be possible to make it go faster using SSE instructions. I have heard you can make it go very fast using GPU memory, but I cannot test this as my computer has none.

Once the encryption key is obtained, the demonstration version of "guaexcel" can be used to decrypt the file.

Obvious improvements would be to extend it to a complete program at both ends, extracting the necessary data from the encrypted file and decrypting the file after the correct key is obtained.

Let me know if you successfully used this code.

Links:

Crack password - RC4 40 bit decryption of documents - second part
Excel RC4 Encryption Algorithm
MS Office 40-bit key searching on GPU