04-20-2016, 09:01 AM
(This post was last modified: 04-20-2016, 09:03 AM by mailmuncher2000.)
There has been a bug in this office2john / office2hashcat Python script for a long time for ppt files that no one seems to have wanted to fix or admit to. So I took up the challenge. The original author seems to admit to the bugginess: "# BUGGY: PersistDirectoryAtom and PersistDirectoryEntry processing"
Should probably let the guys on https://github.com/magnumripper/JohnTheRipper know about this, but feeling lazy. If you do let them know, please give me credit. I'll probably get around to it soon enough anyway. Here's how I fixed it:
Replace:
Code:
# BUGGY: PersistDirectoryAtom and PersistDirectoryEntry processing
i = 0
stream.read(4)  # unused
while i < encryptSessionPersistIdRef:
    i += 1
    persistOffset = unpack("<L", stream.read(4))[0]
With this:
Code:
# print("recLen: %d" % recLen)
# PersistDirectoryAtom and PersistDirectoryEntry processing
byteCount = 0
while byteCount < recLen:
    # each PersistDirectoryEntry starts with one dword: persistId (low 20 bits), cPersist (high 12 bits)
    persistData = unpack("<L", stream.read(4))[0]
    byteCount += 4
    persistId = persistData & 0xFFFFF
    cPersist = (persistData >> 20) & 0xFFF
    # print("persistId: %d" % persistId)
    # print("cPersist: %d" % cPersist)
    for i in range(persistId, persistId + cPersist):
        # print("i: %d" % i)
        persistOffset = unpack("<L", stream.read(4))[0]
        byteCount += 4
        # print("byteCount: %d" % byteCount)
        if i == encryptSessionPersistIdRef or byteCount == recLen:
            break
    else:
        continue  # run finished without a match: parse the next entry
    break  # also leave the outer loop so persistOffset is not overwritten
Details: There was a problem with how PersistDirectoryAtom and PersistDirectoryEntry processing is done. Yes, it's tricky because you have to deal with a 20-bit persistId and 12-bit cPersist variables. See page 43 in [MS-PPT].pdf in the zip files: http://download.microsoft.com/download/2...tocols.zip
Let me know if that works for you. I actually haven't tested it extensively, but it should work much better than the old code.
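Added example, not part of the original post or of office2john: a standalone parser for the PersistDirectoryEntry layout described above (20-bit persistId, 12-bit cPersist, then cPersist offsets), run against constructed bytes next to a re-creation of the replaced loop. The function names and the sample record are assumptions made for illustration.

```python
import struct

def parse_persist_directory(body):
    """Map persistId -> persistOffset for one PersistDirectoryAtom body.

    body is the recLen bytes that follow the record header.
    """
    offsets = {}
    pos = 0
    while pos < len(body):
        if len(body) - pos < 4:
            raise ValueError("truncated PersistDirectoryEntry header")
        (header,) = struct.unpack_from("<L", body, pos)
        pos += 4
        persist_id = header & 0xFFFFF        # low 20 bits: first id of the run
        c_persist = (header >> 20) & 0xFFF   # high 12 bits: offsets in the run
        if c_persist == 0 or pos + 4 * c_persist > len(body):
            raise ValueError("cPersist does not fit in the record")
        run = struct.unpack_from("<%dL" % c_persist, body, pos)
        pos += 4 * c_persist
        for n, off in enumerate(run):
            offsets[persist_id + n] = off
    return offsets

def old_lookup(body, ref):
    """Re-creation of the replaced loop: skip one dword, read `ref` dwords."""
    pos, off = 4, None
    for _ in range(ref):
        (off,) = struct.unpack_from("<L", body, pos)
        pos += 4
    return off

def make_entry(persist_id, offs):
    """Build one PersistDirectoryEntry (helper for the constructed sample)."""
    header = (len(offs) << 20) | persist_id
    return struct.pack("<L%dL" % len(offs), header, *offs)

# Constructed sample: one entry covering ids 1..3, a second entry holding id 4.
SAMPLE = make_entry(1, [0x100, 0x200, 0x300]) + make_entry(4, [0x4000])

if __name__ == "__main__":
    ref = 4  # stands in for encryptSessionPersistIdRef
    print("parsed :", hex(parse_persist_directory(SAMPLE)[ref]))
    print("old    :", hex(old_lookup(SAMPLE, ref)))  # second entry's header
```

With more than one entry in the record, the old loop returns the second entry's header dword as if it were an offset, which is the failure the post describes.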