nono/xor_me

Latest commit

68600e2 · Feb 22, 2015

== Usage for doc files ==

Get key/hash values for a given doc file.

$ ./xor_doc some.doc
Could be a XOR-ciphered doc file.
nKey  d10d
nHash cc1f

Try a password on this file.

$ ./xor_me toto 0xd10d 0Xcc1f
Key: d10d
Hash: cc1f
FAIL! toto

Try the correct password on this file.

$ ./xor_me 0824 0xd10d 0Xcc1f
Key: d10d
Hash: cc1f
Good guess: 0824

== Usage for xls files ==

Get key/hash values for a given xls file.

$ ./xor_xls some.xls
Bored by reading the specs... Just pick up a XOR encryption pattern
Record type FilePass with 2F 00.
followed by 00 06 for size.
followed by 00 00 for wEncryptionType XOR.
followed by what you want: 2 bytes for key, 2 bytes for hash.
WARNING: little endian, you should permute bytes
00000210  06 03 00 00 86 00 00 00  2f 00 06 00 00 00 9a 49  |......../......I|
00000220  61 cc e1 00 02 00 b0 04  c1 00 02 00 ca a4 e2 00  |a...............|

Try a password on this file.

$ ./xor_me 4242 0x499a 0Xcc61
Key: 499a
Hash: cc61
FAIL! 4242

Try the correct password on this file.

$ ./xor_me 1950 0x499a 0Xcc61
Key: 499a
Hash: cc61
Good guess: 1950
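
The FilePass layout and the hash check shown above, as an added example that is not code from this repository. The function names are hypothetical, the hash routine follows the XOR obfuscation password verifier (Method 1) described in [MS-OFFCRYPTO], and the key derivation is not reproduced, so only the 16-bit hash is checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 16-bit password verifier (the "hash"), [MS-OFFCRYPTO] XOR obfuscation
 * Method 1: take the password bytes in reverse, then the length byte;
 * rotate a 15-bit accumulator left by one and XOR each byte in. */
uint16_t xor_verifier(const char *password)
{
    size_t len = strlen(password);
    uint16_t v = 0;
    for (size_t i = len + 1; i-- > 0; ) {
        /* i == 0 is the length prefix, 1..len are the characters */
        uint8_t b = (i == 0) ? (uint8_t)len : (uint8_t)password[i - 1];
        v = (uint16_t)((((v << 1) & 0x7FFF) | ((v >> 14) & 1)) ^ b);
    }
    return (uint16_t)(v ^ 0xCE4B);
}

/* Read a 16-bit little-endian field (the byte swap xor_xls warns about). */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a FilePass record laid out as in the xor_xls output: type 0x002F,
 * size 6, wEncryptionType 0 (XOR), key, hash. Returns 0 on success. */
int parse_filepass_xor(const uint8_t *rec, size_t n, uint16_t *key, uint16_t *hash)
{
    if (n < 10 || le16(rec) != 0x002F || le16(rec + 2) != 6 || le16(rec + 4) != 0)
        return -1;
    *key = le16(rec + 6);
    *hash = le16(rec + 8);
    return 0;
}

/* The ten FilePass bytes copied from the hexdump above (offset 0x218). */
const uint8_t SAMPLE_FILEPASS[10] = {
    0x2f, 0x00, 0x06, 0x00, 0x00, 0x00, 0x9a, 0x49, 0x61, 0xcc
};

int main(void)
{
    uint16_t key, hash;
    if (parse_filepass_xor(SAMPLE_FILEPASS, sizeof SAMPLE_FILEPASS, &key, &hash))
        return 1;
    printf("key %04x hash %04x\n", key, hash);
    printf("1950: %s\n", xor_verifier("1950") == hash ? "hash matches" : "FAIL");
    printf("4242: %s\n", xor_verifier("4242") == hash ? "hash matches" : "FAIL");
    return 0;
}
```

Because the accumulator is 15 bits wide and the final XOR constant has its top bit set, every hash produced this way has the high bit set, as both values in this README do.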

== Bruteforcing the password ==

$ ./brute_force 0x499a 0xcc61
Key: 499a
Hash: cc61
  20
    20
      20
Password: '1950'

It is limited to passwords of up to 8 characters. It works well for short
passwords and can take several hours for passwords of 7 or 8 characters.

== Limitations ==

Only XOR, only XLS, only DOC. Nothing more, nothing less.

== References ==

- Slides Pacsec 2009 "Analyzing Word and Excel Encryption
  An operational solution" from Eric Filiol, filiol@esiea.fr
  ESIEA - Laval - Operational Cryptology and Virology Lab
- [MS-DOC]: Word (.doc) Binary File Format, June 2010.
- [MS-XLS]: Excel Binary File Format (.xls) Structure Specification, March 2011.
- [MS-OFFCRYPTO] Microsoft Corporation, "Office Document Cryptography Structure Specification", June 2008.

== Samples ==

You can find two samples of encrypted files (one doc and one xls) in the
`samples` directory.

== Licences ==

- All files except binarycodec.cxx and binarycodec.hxx:

    Copyright (C) 2011 Benoît Sibaud <bsibaud@april.org>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Lesser General Public License version 3
    only, as published by the Free Software Foundation.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Lesser General Public License version 3 for more details
    (a copy is included in the LICENSE file that accompanied this code).

    You should have received a copy of the GNU Lesser General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.


- binarycodec.cxx and binarycodec.hxx files:

    Copyright 2000, 2010 Oracle and/or its affiliates.

    OpenOffice.org - a multi-platform office productivity suite

    This file is part of OpenOffice.org.

    OpenOffice.org is free software: you can redistribute it and/or modify
    it under the terms of the GNU Lesser General Public License version 3
    only, as published by the Free Software Foundation.

    OpenOffice.org is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Lesser General Public License version 3 for more details
    (a copy is included in the LICENSE file that accompanied this code).

    You should have received a copy of the GNU Lesser General Public License
    version 3 along with OpenOffice.org.  If not, see
    <http://www.openoffice.org/license.html>
    for a copy of the LGPLv3 License.