/xor_me

Brute force doc/xls passwords

Primary LanguageC++GNU Lesser General Public License v3.0LGPL-3.0

== Usage for doc files ==

Get key/hash values for a given doc file.

$ ./xor_doc some.doc
Could be a XOR-ciphered doc file.
nKey  d10d
nHash cc1f

Try some password on this file.

$ ./xor_me toto 0xd10d 0Xcc1f
Key: d10d
Hash: cc1f
FAIL! toto

Try the good password on this file.

$ ./xor_me 0824 0xd10d 0Xcc1f
Key: d10d
Hash: cc1f
Good guess: 0824

== Usage for xls files ==

Get key/hash values for a given xls file.

$ ./xor_xls some.xls
Bored by reading the specs... Just pick up a XOR encryption pattern
Record type FilePass with 2F 00.
followed by 00 06 for size.
followed by 00 00 for wEncryptionType XOR.
followed by what you want: 2 bytes for key, 2 bytes for hash.
WARNING: little endian, you should permute bytes
00000210  06 03 00 00 86 00 00 00  2f 00 06 00 00 00 9a 49  |......../......I|
00000220  61 cc e1 00 02 00 b0 04  c1 00 02 00 ca a4 e2 00  |a...............|

Try some password on this file.

$ ./xor_me 4242 0x499a 0Xcc61
Key: 499a
Hash: cc61
FAIL! 4242

Try the good password on this file.

$ ./xor_me 1950 0x499a 0Xcc61
Key: 499a
Hash: cc61
Good guess: 1950

== Bruteforcing the password ==

$ ./brute_force 0x499a 0xcc61
Key: 499a
Hash: cc61
  20
    20
      20
Password: '1950'

It is limited to password with up to 8 chars. It works well for short
password and can take several hours for password with 7 or 8 chars.

== Limitations ==

Only XOR, only XLS, only DOC. Nothing more nothing less.

== References ==

- Slides Pacsec 2009 "Analyzing Word and Excel Encryption
  An operational solution" from Eric Filiol, filiol@esiea.fr
  ESIEA - Laval - Operational Cryptology and Virology Lab
- [MS-DOC]: Word (.doc) Binary File Format, June 2010.
- [MS-XLS]: Excel Binary File Format (.xls) Structure Specification, March 2011.
- [MS-OFFCRYPTO] Microsoft Corporation, "Office Document Cryptography Structure Specification", June 2008.

== Samples ==

You can find two samples of encrypted files (one doc and one xls) in the
`samples` directory.

== Licences ==

- All files excerpt binarycodec.cxx and binarycodec.hxx:

    Copyright (C) 2011 Benoît Sibaud <bsibaud@april.org>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Lesser General Public License version 3
    only, as published by the Free Software Foundation.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Lesser General Public License version 3 for more details
    (a copy is included in the LICENSE file that accompanied this code).

    You should have received a copy of the GNU Lesser General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.


- binarycodec.cxx and binarycodec.hxx files:

    Copyright 2000, 2010 Oracle and/or its affiliates.

    OpenOffice.org - a multi-platform office productivity suite

    This file is part of OpenOffice.org.

    OpenOffice.org is free software: you can redistribute it and/or modify
    it under the terms of the GNU Lesser General Public License version 3
    only, as published by the Free Software Foundation.

    OpenOffice.org is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Lesser General Public License version 3 for more details
    (a copy is included in the LICENSE file that accompanied this code).

    You should have received a copy of the GNU Lesser General Public License
    version 3 along with OpenOffice.org.  If not, see
    <http://www.openoffice.org/license.html>
    for a copy of the LGPLv3 License.