1994-10-04 - Re: A practical use of c’punk brain power.

Header Data

From: nobody@shell.portal.com
To: cypherpunks@toad.com
Message Hash: 13bcd622bab475a7414e54e09cf5f210f5df115a5016b062b2ffdc657944e3c8
Message ID: <199410042251.PAA10233@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1994-10-04 22:52:01 UTC
Raw Date: Tue, 4 Oct 94 15:52:01 PDT

Raw message

From: nobody@shell.portal.com
Date: Tue, 4 Oct 94 15:52:01 PDT
To: cypherpunks@toad.com
Subject: Re: A practical use of c'punk brain power.
Message-ID: <199410042251.PAA10233@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain

bogus@no.return.address sez:

:Greetings c'punks!
:  I have an Excel 4.0 spreadsheet to which I do not have the password.
:Do any of you know a clever way to break the Excel protection either
:by divining the password or removing the layer of encryption in the

I reply:

Found this on alt.security, you said any help appriciated so here goes.
Pleeeeeeeze, no flames.

Newsgroups: alt.security
From: agriffiths@vnet.ibm.com (Alan Griffiths)
Subject: Re: Excel pass crack
Sender: news@hawnews.watson.ibm.com (NNTP News Poster)
Message-ID: <CwH0Jo.15sv@hawnews.watson.ibm.com>
Approved: myself
Date: Wed, 21 Sep 1994 08:21:24 GMT
Lines: 103
Reply-To: agriffiths@vnet.ibm.com (Alan Griffiths)
Disclaimer: This posting represents the poster's views, not necessarily those of IBM.
References: <Rw+xX1t.cinepott@delphi.com>
Nntp-Posting-Host: nhbrp75.caanerc.uk.ibm.com
Organization: LORAL CAA NERC Project
X-Newsreader: IBM NewsReader/2 v1.01

In <Rw+xX1t.cinepott@delphi.com>, Bob <cinepott@delphi.com> writes:
>Someone was looking for a crack to excel's passwords, apparently they
>forgot their password ? Well I found these helpful tidbits posted
>|>Encryption of Ms Excel files
>|>    From: Fabio Ottolina <fabio@tdc.dircon.co.uk>
>|>   Date: 29 Jan 1994 12:51:18 GMT    (1 screen)
>|>    I have saved an Excel 4.0 for Windows file with password-protection, and
>|>I can't remember the password (how remarkably stupid! :-)).
>|>Is there any way to crack the password-protection of Excel files?

You may find the following program of help. I am sorry it's in QBasic but that's the
only free language I have at present. The program removes document protection from
Excel worksheets. I haven't tested it extensively so there are no guarantees or warranties.
Always keep a backup copy of your files etc...

The protection scheme does two things:

 1. When you protect your document, Excel hashes your password to a 16 bit value, stores
    it somewhere and sets a few flags to say that the document is protected.

 2. When Excel saves a protected document it encrypts the content of each block using 16
    different alphabetic substitutions. This allows Excel to read and display protected
    documents before knowing their password. The program below unscrambles a protected
    document, removes an extra 8 byte block at the beginning, and resets the flags and
    passwords to zero.

I don't know if it can cope with all combinations of protection available in Excel. It
works fine on the simple protect document option. Similarly, charts etc. will probably
get munged since I don't think the titles etc get scrambled.

Hope this stuff is of use to someone.       Alan.

PS. Ironically enough, I found Excel of great value in recovering the set of magic numbers
used in the program. It allowed me to very quickly generate and evaluate possible decryption

-------------------cut here------------------------------
DECLARE FUNCTION decrypt$ (c$, adr&, blen%)
DIM SHARED magic(15)
FOR i = 0 TO 15
  READ magic(i)
DATA 196, 115, 164, 32, 60, 91, 212, 23, 240, 31, 40, 19, 240, 75, 180, 3

COLOR 14, 1
INPUT "Enter input Cyphertext filename: ", cf$
INPUT "Enter output Plaintext filename: ", pf$

chdr$ = INPUT$(18, #2)
phdr$ = LEFT$(chdr$, 10)
PUT #1, , phdr$
fp& = 10
cbh$ = INPUT$(4, #2)
  PUT #1, , cbh$
  blen = ASC(MID$(cbh$, 3, 1)) + 256 * ASC(MID$(cbh$, 4, 1))
  btyp = ASC(MID$(cbh$, 1, 1)) + 256 * ASC(MID$(cbh$, 2, 1))
  fp& = fp& + 4
  IF blen > 0 THEN
    cblk$ = INPUT$(blen, #2)
    x$ = decrypt$(cblk$, fp& - 4, blen)
    IF blen = 2 THEN
      SELECT CASE btyp
        CASE 18, 19, 99
          x$ = STRING$(2, 0)
    END IF
    PUT #1, , x$
  fp& = fp& + blen
  cbh$ = INPUT$(4, #2)

FUNCTION decrypt$ (c$, adr&, blen)
  offset = (adr& + blen) AND 15
  d$ = STRING$(blen, 0)
  FOR i = 1 TO blen
    c = ASC(MID$(c$, i, 1))
    crot = ((c * 8) MOD 256) OR (c \ 32)
    ctst = magic(offset)
    clss = (2 * (crot AND ctst)) AND 255
    d = (256 + crot + ctst - clss) AND 255
    MID$(d$, i, 1) = CHR$(d)
    offset = (offset + 1) AND 15
  decrypt$ = d$
-------------------cut here------------------------------

Alan Griffiths        CAA NERC Project    agriffiths@vnet.ibm.com
Tel: +44-705-561325                       Fax: +44-705-214094

All opinions expressed are my own and do not represent IBM in any way