A practical use of c'punk brain power.

nobody at shell.portal.com nobody at shell.portal.com
Tue Oct 4 15:52:01 PDT 1994

bogus at no.return.address sez:

:Greetings c'punks!
:  I have an Excel 4.0 spreadsheet to which I do not have the password.
:Do any of you know a clever way to break the Excel protection either
:by divining the password or removing the layer of encryption in the

I reply:

Found this on alt.security, you said any help appriciated so here goes.
Pleeeeeeeze, no flames.

Newsgroups: alt.security
From: agriffiths at vnet.ibm.com (Alan Griffiths)
Subject: Re: Excel pass crack
Sender: news at hawnews.watson.ibm.com (NNTP News Poster)
Message-ID: <CwH0Jo.15sv at hawnews.watson.ibm.com>
Approved: myself
Date: Wed, 21 Sep 1994 08:21:24 GMT
Lines: 103
Reply-To: agriffiths at vnet.ibm.com (Alan Griffiths)
Disclaimer: This posting represents the poster's views, not necessarily those of IBM.
References: <Rw+xX1t.cinepott at delphi.com>
Nntp-Posting-Host: nhbrp75.caanerc.uk.ibm.com
Organization: LORAL CAA NERC Project
X-Newsreader: IBM NewsReader/2 v1.01

In <Rw+xX1t.cinepott at delphi.com>, Bob <cinepott at delphi.com> writes:
>Someone was looking for a crack to excel's passwords, apparently they
>forgot their password ? Well I found these helpful tidbits posted
>|>Encryption of Ms Excel files
>|>    From: Fabio Ottolina <fabio at tdc.dircon.co.uk>
>|>   Date: 29 Jan 1994 12:51:18 GMT    (1 screen)
>|>    I have saved an Excel 4.0 for Windows file with password-protection, and
>|>I can't remember the password (how remarkably stupid! :-)).
>|>Is there any way to crack the password-protection of Excel files?

You may find the following program of help. I am sorry it's in QBasic but that's the
only free language I have at present. The program removes document protection from
Excel worksheets. I haven't tested it extensively so there are no guarantees or warranties.
Always keep a backup copy of your files etc...

The protection scheme does two things:

 1. When you protect your document, Excel hashes your password to a 16 bit value, stores
    it somewhere and sets a few flags to say that the document is protected.

 2. When Excel saves a protected document it encrypts the content of each block using 16
    different alphabetic substitutions. This allows Excel to read and display protected
    documents before knowing their password. The program below unscrambles a protected
    document, removes an extra 8 byte block at the beginning, and resets the flags and
    passwords to zero.

I don't know if it can cope with all combinations of protection available in Excel. It
works fine on the simple protect document option. Similarly, charts etc. will probably
get munged since I don't think the titles etc get scrambled.

Hope this stuff is of use to someone.       Alan.

PS. Ironically enough, I found Excel of great value in recovering the set of magic numbers
used in the program. It allowed me to very quickly generate and evaluate possible decryption

-------------------cut here------------------------------
DECLARE FUNCTION decrypt$ (c$, adr&, blen%)
DIM SHARED magic(15)
FOR i = 0 TO 15
  READ magic(i)
DATA 196, 115, 164, 32, 60, 91, 212, 23, 240, 31, 40, 19, 240, 75, 180, 3

COLOR 14, 1
INPUT "Enter input Cyphertext filename: ", cf$
INPUT "Enter output Plaintext filename: ", pf$

chdr$ = INPUT$(18, #2)
phdr$ = LEFT$(chdr$, 10)
PUT #1, , phdr$
fp& = 10
cbh$ = INPUT$(4, #2)
  PUT #1, , cbh$
  blen = ASC(MID$(cbh$, 3, 1)) + 256 * ASC(MID$(cbh$, 4, 1))
  btyp = ASC(MID$(cbh$, 1, 1)) + 256 * ASC(MID$(cbh$, 2, 1))
  fp& = fp& + 4
  IF blen > 0 THEN
    cblk$ = INPUT$(blen, #2)
    x$ = decrypt$(cblk$, fp& - 4, blen)
    IF blen = 2 THEN
      SELECT CASE btyp
        CASE 18, 19, 99
          x$ = STRING$(2, 0)
    END IF
    PUT #1, , x$
  fp& = fp& + blen
  cbh$ = INPUT$(4, #2)

FUNCTION decrypt$ (c$, adr&, blen)
  offset = (adr& + blen) AND 15
  d$ = STRING$(blen, 0)
  FOR i = 1 TO blen
    c = ASC(MID$(c$, i, 1))
    crot = ((c * 8) MOD 256) OR (c \ 32)
    ctst = magic(offset)
    clss = (2 * (crot AND ctst)) AND 255
    d = (256 + crot + ctst - clss) AND 255
    MID$(d$, i, 1) = CHR$(d)
    offset = (offset + 1) AND 15
  decrypt$ = d$
-------------------cut here------------------------------

Alan Griffiths        CAA NERC Project    agriffiths at vnet.ibm.com
Tel: +44-705-561325                       Fax: +44-705-214094

All opinions expressed are my own and do not represent IBM in any way

More information about the cypherpunks-legacy mailing list