From: Jim Gillogly <jim@acm.org>
Date: Mon, 13 Feb 95 17:11:09 PST
To: cypherpunks@toad.com
Subject: Re: Excel 5 Encryption
In-Reply-To: <199502140019.TAA23023@jax.jaxnet.com>
Message-ID: <199502140110.RAA17460@mycroft.rand.org>
MIME-Version: 1.0
Content-Type: text/plain



> bwern@jax.jaxnet.com (Ben Wern) writes:
> I was wondering if anyone out there has played with or 'broken' Microsloths
> encryption, especially in it's Excel from?

Accessdata of Orem Utah (1-800-658-5199) sells cracks for many of them.
So does John Kuslich (602-863-9274); I think his prices are lower.
I don't personally known or endorse either of 'em.

I append a message with some code for doing 4.0 -- I haven't tried it, and
don't know if it works for 5.0.  It's in Basic, but I didn't perpetrate it.

	Jim Gillogly
	Mersday, 24 Solmath S.R. 1995, 01:05
___________________________________________________________________________

Newsgroups: alt.security
Path: rand.org!usc!news.service.uci.edu!ihnp4.ucsd.edu!agate!howland.reston.ans.net!cs.utexas.edu!convex!news.duke.edu!solaris.cc.vt.edu!swiss.ans.net!newsgate.watson.ibm.com!hawnews.watson.ibm.com!news
From: agriffiths@vnet.ibm.com (Alan Griffiths)
Subject: Re: Excel pass crack
Sender: news@hawnews.watson.ibm.com (NNTP News Poster)
Message-Id: <CwH0Jo.15sv@hawnews.watson.ibm.com>
Approved: myself
Date: Wed, 21 Sep 1994 08:21:24 GMT
Lines: 103
Reply-To: agriffiths@vnet.ibm.com (Alan Griffiths)
Disclaimer: This posting represents the poster's views, not necessarily those of IBM.
References: <Rw+xX1t.cinepott@delphi.com>
Nntp-Posting-Host: nhbrp75.caanerc.uk.ibm.com
Organization: LORAL CAA NERC Project
X-Newsreader: IBM NewsReader/2 v1.01

In <Rw+xX1t.cinepott@delphi.com>, Bob <cinepott@delphi.com> writes:
>Someone was looking for a crack to excel's passwords, apparently they
>forgot their password ? Well I found these helpful tidbits posted
>previously.
> 
>|>Encryption of Ms Excel files
>|>    From: Fabio Ottolina <fabio@tdc.dircon.co.uk>
>|>   Date: 29 Jan 1994 12:51:18 GMT    (1 screen)
>|>
>|>    I have saved an Excel 4.0 for Windows file with password-protection, and
>|>I can't remember the password (how remarkably stupid! :-)).
>|>Is there any way to crack the password-protection of Excel files?

You may find the following program of help. I am sorry it's in QBasic but that's the
only free language I have at present. The program removes document protection from
Excel worksheets. I haven't tested it extensively so there are no guarantees or warranties.
Always keep a backup copy of your files etc...

The protection scheme does two things:

 1. When you protect your document, Excel hashes your password to a 16 bit value, stores
    it somewhere and sets a few flags to say that the document is protected.

 2. When Excel saves a protected document it encrypts the content of each block using 16
    different alphabetic substitutions. This allows Excel to read and display protected
    documents before knowing their password. The program below unscrambles a protected
    document, removes an extra 8 byte block at the beginning, and resets the flags and
    passwords to zero.

I don't know if it can cope with all combinations of protection available in Excel. It
works fine on the simple protect document option. Similarly, charts etc. will probably
get munged since I don't think the titles etc get scrambled.

Hope this stuff is of use to someone.       Alan.

PS. Ironically enough, I found Excel of great value in recovering the set of magic numbers
used in the program. It allowed me to very quickly generate and evaluate possible decryption
formulae!

-------------------cut here------------------------------
DECLARE FUNCTION decrypt$ (c$, adr&, blen%)
DEFINT A-Z
DIM SHARED magic(15)
FOR i = 0 TO 15
  READ magic(i)
NEXT
DATA 196, 115, 164, 32, 60, 91, 212, 23, 240, 31, 40, 19, 240, 75, 180, 3

COLOR 14, 1
CLS
INPUT "Enter input Cyphertext filename: ", cf$
INPUT "Enter output Plaintext filename: ", pf$
OPEN pf$ FOR BINARY ACCESS WRITE AS #1
OPEN cf$ FOR BINARY ACCESS READ AS #2

chdr$ = INPUT$(18, #2)
phdr$ = LEFT$(chdr$, 10)
PUT #1, , phdr$
fp& = 10
cbh$ = INPUT$(4, #2)
WHILE NOT EOF(2)
  PUT #1, , cbh$
  blen = ASC(MID$(cbh$, 3, 1)) + 256 * ASC(MID$(cbh$, 4, 1))
  btyp = ASC(MID$(cbh$, 1, 1)) + 256 * ASC(MID$(cbh$, 2, 1))
  fp& = fp& + 4
  IF blen > 0 THEN
    cblk$ = INPUT$(blen, #2)
    x$ = decrypt$(cblk$, fp& - 4, blen)
    IF blen = 2 THEN
      SELECT CASE btyp
        CASE 18, 19, 99
          x$ = STRING$(2, 0)
      END SELECT
    END IF
    PUT #1, , x$
  END IF
  fp& = fp& + blen
  cbh$ = INPUT$(4, #2)
WEND
CLOSE #1
CLOSE #2
END

FUNCTION decrypt$ (c$, adr&, blen)
  offset = (adr& + blen) AND 15
  d$ = STRING$(blen, 0)
  FOR i = 1 TO blen
    c = ASC(MID$(c$, i, 1))
    crot = ((c * 8) MOD 256) OR (c \ 32)
    ctst = magic(offset)
    clss = (2 * (crot AND ctst)) AND 255
    d = (256 + crot + ctst - clss) AND 255
    MID$(d$, i, 1) = CHR$(d)
    offset = (offset + 1) AND 15
  NEXT
  decrypt$ = d$
END FUNCTION
-------------------cut here------------------------------

Alan Griffiths        CAA NERC Project    agriffiths@vnet.ibm.com
Tel: +44-705-561325                       Fax: +44-705-214094

All opinions expressed are my own and do not represent IBM in any way
___________________________________________________________________________