I will talk through how to use the program. Download and install poledump. I prepared an encrypted Excel document with the password "monkey". The file is called "protected_document.xls". I run poledump as follows:
```bash
$ poledump protected_document.xls
SummaryInformation (208)
Workbook (13023)
CompObj (114)
DocumentSummaryInformation (244)
```
The Excel file is something called an "OLE Compound Document", which comprises several "streams". The command above is listing the streams in the file. The stream we are interested in is called "Workbook". Display the contents of this stream as follows:
```bash
$ poledump protected_document.xls Workbook | head
09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00  ................
06 04 00 00 2f 00 36 00 01 00 01 00 01 00 c8 e8  ..../.6.........
e2 cf c9 73 e9 68 e5 a0 0c 11 de ae 86 d2 7c dc  ...s.h........|.
fa a2 cd d2 2c 6a c8 f0 9f 3b 8b 72 ee f8 d0 b0  ....,j...;.r....
64 e3 92 b2 6e 12 d0 5c 4a fe bc 66 35 8f e1 00  d...n..\J..f5...
02 00 b0 04 c1 00 02 00 9f 84 e2 00 00 00 5c 00  ..............\.
70 00 f5 29 4a 0b c7 90 85 91 3f 43 02 9f 95 e7  p..)J.....?C....
da 6e a3 a3 ed 67 d8 8f 7b 36 b0 27 95 f8 46 f2  .n...g..{6.'..F.
22 f6 16 e2 94 ee 20 ac c1 2a 72 d2 97 f7 a7 b6  "..... ..*r.....
db f6 dd 4a c7 95 78 8f 24 9c 59 ba 02 2e 60 3d  ...J..x.$.Y...`=
$
```
I have bolded the bytes we are interested in. The first 16 bytes "c8 e8 .. d2" are the Salt field. The next 16 "7c .. f8" are the Verifier field, and the next 16 "d0 .. 8f" are the VerifierHash.
You can read more about the file format here. I'll note that the bytes "2f 00" (little endian, decimal 47) on the second line introduce the "FilePass" record (a list of record type numbers is here). The first two bytes "09 08" (decimal 2057) introduce the "BOF" record.
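To make the record layout concrete, here is an added example (my code, not part of the original post or of poledump) that walks the BIFF8 record stream the way the text describes: each record starts with a 2-byte little-endian type and a 2-byte little-endian length, so "2f 00 36 00" is a FilePass record carrying 0x36 = 54 bytes, and "09 08 10 00" is a BOF record carrying 16. The sample input is the first 160 bytes of the Workbook stream exactly as printed in the dump above, so the stream is cut off inside the WriteAccess record that follows; the parser treats that as a truncated record rather than a crash. The record names and the FilePass layout (wEncryptionType, then for RC4 version 1.1 a 16-byte Salt, EncryptedVerifier and EncryptedVerifierHash) are taken from the MS-XLS and MS-OFFCRYPTO specifications; the function names are my own.

```python
"""Walk the BIFF8 record stream of a legacy .xls Workbook stream and pull the
encryption header (FilePass record) fields out of it. Added example; the input
below is the first 160 bytes of the dump shown on the page."""
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Record type numbers from the BIFF8 spec (MS-XLS), little endian on disk.
BOF = 0x0809
FILEPASS = 0x002F
RECORD_NAMES = {BOF: "BOF", FILEPASS: "FilePass", 0x00E1: "InterfaceHdr",
                0x00C1: "Mms", 0x00E2: "InterfaceEnd", 0x005C: "WriteAccess"}

# Sample input: the ten hexdump lines from the page, concatenated.
WORKBOOK_HEAD = bytes.fromhex(
    "0908100000060500a91fcd07c1000100"
    "060400002f00360001000100010 0c8e8".replace(" ", "")
    + "e2cfc973e968e5a00c11deae86d27cdc"
    + "faa2cdd22c6ac8f09f3b8b72eef8d0b0"
    + "64e392b26e12d05c4afebc66358fe100"
    + "0200b004c10002009f84e2000000" + "5c00"
    + "7000f5294a0bc79085913f43029f95e7"
    + "da6ea3a3ed67d88f7b36b02795f846f2"
    + "22f616e294ee20acc12a72d297f7a7b6"
    + "dbf6dd4ac795788f249c59ba022e603d"
)


@dataclass
class Record:
    offset: int
    rtype: int
    declared_len: int
    data: bytes          # payload; shorter than declared_len if the buffer ended early

    @property
    def truncated(self) -> bool:
        return len(self.data) < self.declared_len

    @property
    def name(self) -> str:
        return RECORD_NAMES.get(self.rtype, "0x%04x" % self.rtype)


@dataclass
class FilePassInfo:
    encryption_type: int                 # 0 = XOR obfuscation, 1 = RC4 family
    version: Optional[Tuple[int, int]]   # (vMajor, vMinor); (1, 1) = RC4 standard
    salt: Optional[bytes]
    verifier: Optional[bytes]
    verifier_hash: Optional[bytes]


def iter_records(stream: bytes) -> Iterator[Record]:
    """Yield records in order; stop after the first record the buffer cuts short."""
    off = 0
    while off + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4: off + 4 + length]
        rec = Record(off, rtype, length, payload)
        yield rec
        if rec.truncated:
            return
        off += 4 + length


def parse_filepass(data: bytes) -> FilePassInfo:
    """Decode a FilePass payload. Only the RC4 1.1 header (the page's case) is split
    into fields; XOR obfuscation and RC4 CryptoAPI headers are reported by type only."""
    (enc_type,) = struct.unpack_from("<H", data, 0)
    if enc_type == 0:
        return FilePassInfo(0, None, None, None, None)
    major, minor = struct.unpack_from("<HH", data, 2)
    if (major, minor) == (1, 1):
        body = data[6:]   # Salt | EncryptedVerifier | EncryptedVerifierHash, 16 bytes each
        return FilePassInfo(1, (1, 1), body[0:16], body[16:32], body[32:48])
    return FilePassInfo(1, (major, minor), None, None, None)


def find_encryption(stream: bytes) -> Optional[FilePassInfo]:
    """Return the FilePass fields if the workbook is encrypted, else None."""
    for rec in iter_records(stream):
        if rec.rtype == FILEPASS:
            return parse_filepass(rec.data)
    return None


if __name__ == "__main__":
    for rec in iter_records(WORKBOOK_HEAD):
        flag = " (truncated)" if rec.truncated else ""
        print(f"@{rec.offset:4d} {rec.name:13s} len={rec.declared_len}{flag}")
    info = find_encryption(WORKBOOK_HEAD)
    if info:
        print("encryption type", info.encryption_type, "version", info.version)
        print("salt          ", info.salt.hex())
        print("verifier      ", info.verifier.hex())
        print("verifier hash ", info.verifier_hash.hex())
```

On a real file you would feed the whole stream in rather than the first 160 bytes; `olefile` (a separate package, assumed here) gives it to you with `olefile.OleFileIO(path).openstream("Workbook").read()`, which is the same thing poledump prints. The `truncated` flag matters for triage work: a FilePass record whose declared length runs past the end of the stream is malformed, and a parser that slices blindly would silently return short salt or verifier fields.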