From: nobody@shell.portal.com
Date: Tue, 4 Oct 94 15:52:01 PDT
To: cypherpunks@toad.com
Subject: Re: A practical use of c'punk brain power.
Message-ID: <199410042251.PAA10233@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


bogus@no.return.address sez:

:Greetings c'punks!
:  I have an Excel 4.0 spreadsheet to which I do not have the password.
:Do any of you know a clever way to break the Excel protection either
:by divining the password or removing the layer of encryption in the
:file?
:

I reply:

Found this on alt.security, you said any help appriciated so here goes.
Pleeeeeeeze, no flames.

Newsgroups: alt.security
From: agriffiths@vnet.ibm.com (Alan Griffiths)
Subject: Re: Excel pass crack
Sender: news@hawnews.watson.ibm.com (NNTP News Poster)
Message-ID: <CwH0Jo.15sv@hawnews.watson.ibm.com>
Approved: myself
Date: Wed, 21 Sep 1994 08:21:24 GMT
Lines: 103
Reply-To: agriffiths@vnet.ibm.com (Alan Griffiths)
Disclaimer: This posting represents the poster's views, not necessarily those of IBM.
References: <Rw+xX1t.cinepott@delphi.com>
Nntp-Posting-Host: nhbrp75.caanerc.uk.ibm.com
Organization: LORAL CAA NERC Project
X-Newsreader: IBM NewsReader/2 v1.01

In <Rw+xX1t.cinepott@delphi.com>, Bob <cinepott@delphi.com> writes:
>Someone was looking for a crack to excel's passwords, apparently they
>forgot their password ? Well I found these helpful tidbits posted
>previously.
> 
>|>Encryption of Ms Excel files
>|>    From: Fabio Ottolina <fabio@tdc.dircon.co.uk>
>|>   Date: 29 Jan 1994 12:51:18 GMT    (1 screen)
>|>
>|>    I have saved an Excel 4.0 for Windows file with password-protection, and
>|>I can't remember the password (how remarkably stupid! :-)).
>|>Is there any way to crack the password-protection of Excel files?

You may find the following program of help. I am sorry it's in QBasic but that's the
only free language I have at present. The program removes document protection from
Excel worksheets. I haven't tested it extensively so there are no guarantees or warranties.
Always keep a backup copy of your files etc...

The protection scheme does two things:

 1. When you protect your document, Excel hashes your password to a 16 bit value, stores
    it somewhere and sets a few flags to say that the document is protected.

 2. When Excel saves a protected document it encrypts the content of each block using 16
    different alphabetic substitutions. This allows Excel to read and display protected
    documents before knowing their password. The program below unscrambles a protected
    document, removes an extra 8 byte block at the beginning, and resets the flags and
    passwords to zero.

I don't know if it can cope with all combinations of protection available in Excel. It
works fine on the simple protect document option. Similarly, charts etc. will probably
get munged since I don't think the titles etc get scrambled.

Hope this stuff is of use to someone.       Alan.

PS. Ironically enough, I found Excel of great value in recovering the set of magic numbers
used in the program. It allowed me to very quickly generate and evaluate possible decryption
formulae!

-------------------cut here------------------------------
DECLARE FUNCTION decrypt$ (c$, adr&, blen%)
DEFINT A-Z
DIM SHARED magic(15)
FOR i = 0 TO 15
  READ magic(i)
NEXT
DATA 196, 115, 164, 32, 60, 91, 212, 23, 240, 31, 40, 19, 240, 75, 180, 3

COLOR 14, 1
CLS
INPUT "Enter input Cyphertext filename: ", cf$
INPUT "Enter output Plaintext filename: ", pf$
OPEN pf$ FOR BINARY ACCESS WRITE AS #1
OPEN cf$ FOR BINARY ACCESS READ AS #2

chdr$ = INPUT$(18, #2)
phdr$ = LEFT$(chdr$, 10)
PUT #1, , phdr$
fp& = 10
cbh$ = INPUT$(4, #2)
WHILE NOT EOF(2)
  PUT #1, , cbh$
  blen = ASC(MID$(cbh$, 3, 1)) + 256 * ASC(MID$(cbh$, 4, 1))
  btyp = ASC(MID$(cbh$, 1, 1)) + 256 * ASC(MID$(cbh$, 2, 1))
  fp& = fp& + 4
  IF blen > 0 THEN
    cblk$ = INPUT$(blen, #2)
    x$ = decrypt$(cblk$, fp& - 4, blen)
    IF blen = 2 THEN
      SELECT CASE btyp
        CASE 18, 19, 99
          x$ = STRING$(2, 0)
      END SELECT
    END IF
    PUT #1, , x$
  END IF
  fp& = fp& + blen
  cbh$ = INPUT$(4, #2)
WEND
CLOSE #1
CLOSE #2
END

FUNCTION decrypt$ (c$, adr&, blen)
  offset = (adr& + blen) AND 15
  d$ = STRING$(blen, 0)
  FOR i = 1 TO blen
    c = ASC(MID$(c$, i, 1))
    crot = ((c * 8) MOD 256) OR (c \ 32)
    ctst = magic(offset)
    clss = (2 * (crot AND ctst)) AND 255
    d = (256 + crot + ctst - clss) AND 255
    MID$(d$, i, 1) = CHR$(d)
    offset = (offset + 1) AND 15
  NEXT
  decrypt$ = d$
END FUNCTION
-------------------cut here------------------------------

Alan Griffiths        CAA NERC Project    agriffiths@vnet.ibm.com
Tel: +44-705-561325                       Fax: +44-705-214094

All opinions expressed are my own and do not represent IBM in any way