Unknown excel password encoding
#11
Given this string:
Code:
$office$*2007*20*128*16*bd72fadd630f6706d2265bb2670744d8*ffd55bec1246280becc69478087b5e45*19871af11d8ff42d730128763a13229cf67ee6e8

The following parts are all hex values:
Code:
bd72fadd630f6706d2265bb2670744d8
ffd55bec1246280becc69478087b5e45
19871af11d8ff42d730128763a13229cf67ee6e8

If you take a look at the file in a hex editor, you can do a search for these values. If you do, you can get their extended (ANSI) ASCII representations, like so:
Code:
½rúÝcgÒ&[²gDØ
ÿÕ[ìF( ìÆ”x{^E
‡ñô-s(v:"œö~æè

If you go beyond the "e6e8", the next 64 bytes look something like this:
Code:
AF E9 FC 3D 24 C6 36 8C 5C DD 13 C2 00 00 00 00 00 00 00 00 3C 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00 43 00 6F 00 6E 00 74 00 61 00 69 00 6E 00 65 00 72 00 2E 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00

And in ASCII this is:
Code:
¯éü=$Æ6Œ\ÝÂ��������<���M�i�c�r�o�s�o�f�t�.�C�o�n�t�a�i�n�e�r�.�D�a�t�a�S�p�a�c�e�s��������

Notice the ê at the beginning of the string. Null characters are replaced with � in this string. Does this look familiar?

I found this Excel message very funny.

Quote: Caution: If you lose or forget the password, it cannot be recovered. It is advisable to keep a list of passwords and their corresponding workbook and sheet names in a safe place.

The password you supplied is not correct. Verify that the CAPS LOCK key is off and be sure to use the correct capitalization.

Cannot be recovered? Keep a list of passwords and their corresponding workbook? That place is called Post-It on the left corner of your monitor. It's like keeping the PIN for your bank account inside your wallet.
Reply
#12
Hi, buddies, I am new to this hashcat world. I forgot the password of my Excel 2007 file and tried to crack it with office2hashcat.py & office2john.py, but all in vain. I don't remember the exact length or any mask characters of the password. I tried all the passwords which I usually use. It may contain upper case, lower case, numeric, and special characters, with a length of 4 to 12. Is there any way to get the exact length of my password, or to get only the first 3 characters of the password, without running into weeks or months?
Reply
#13
Thanks for sharing this information.

Reply
#14
(12-20-2021, 04:55 PM)andy_larkin Wrote:
(12-20-2021, 03:33 PM)Snoopy Wrote:
(12-20-2021, 01:28 AM)andy_larkin Wrote: Hello, I've got a hex-encoded password for a 2007 Excel .xlsx file (using 9400 rule). When I'm converting the hex string to ASCII, one of the symbols looks like this: ê. Excel throws an invalid password error. I'm using Excel 2016 to open the file. UTF codecs can't convert hex to text because of start byte error. My question: Is it possible to open Excel with a hex string? I really can't find information about it. If not possible, what can you recommend for my situation?

Looks like your converter doesn't convert special UTF-8 hex chars like German umlauts äöü (which naturally don't belong to plain ASCII).

try this one

50e4737377f67264 > Pässwörd

https://www.rapidtables.com/convert/numb...ascii.html

Thank you for the answer. I've tried a lot of standard converting tools and encoding algorithms and it won't work anyway( I think in this case some non-standard encoding was used. But hashcat somehow gets the password bytes and tries to decode the Excel file with them, so I think there should be some way to do it.

https://www.rapidtables.com/convert/numb...ascii.html this one is not working either(

Hello, @andy_larkin,
As you asked in your question, "UTF codecs can't convert hex to text because of start byte error." This manual conversion method requires much time. However, despite putting your efforts into such work, try using an online hex-to-text converter. It will assist you in performing fast online conversions by saving your time. You can easily decode hex values and get the accurate textual form within just a few instances.

Let me help you with this: 
https://www.duplichecker.com/hex-to-text.php
Reply
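The hex-to-text conversion discussed in post #14, as an added example that is not part of the original thread: it decodes a hex-encoded candidate under UTF-8 and two single-byte code pages and lists the characters that fall outside ASCII. The function names and the encoding list are assumptions of this example; the sample is the hex string quoted in the thread, and the `$HEX[...]` wrapper is the form hashcat prints for non-printable passwords.

```python
# Added example: decode a hex-encoded password candidate under several encodings.
# The encoding list is an assumption for Western European text; extend it
# (for example with "cp1250" or "cp1251") for other locales.
ENCODINGS = ("utf-8", "cp1252", "latin-1")


def hex_to_bytes(candidate: str) -> bytes:
    """Accept a bare hex string or hashcat's $HEX[...] wrapper."""
    s = candidate.strip()
    if s.startswith("$HEX[") and s.endswith("]"):
        s = s[5:-1]
    try:
        return bytes.fromhex(s)
    except ValueError as exc:
        raise ValueError(f"not a hex string: {candidate!r}") from exc


def decode_candidates(candidate: str) -> dict:
    """Map each encoding to the decoded text, or None if the bytes are invalid in it."""
    raw = hex_to_bytes(candidate)
    results = {}
    for enc in ENCODINGS:
        try:
            results[enc] = raw.decode(enc)
        except UnicodeDecodeError:
            # Bytes such as 0xE4 or 0xF6 followed by ASCII are not valid UTF-8.
            results[enc] = None
    return results


def non_ascii(text: str) -> list:
    """List (index, character, code point) for characters outside 7-bit ASCII."""
    return [(i, ch, f"U+{ord(ch):04X}") for i, ch in enumerate(text) if ord(ch) > 0x7F]


if __name__ == "__main__":
    sample = "50e4737377f67264"  # hex string quoted in the thread
    for enc, text in decode_candidates(sample).items():
        if text is None:
            print(f"{enc:8} invalid byte sequence")
        else:
            print(f"{enc:8} {text!r} non-ASCII: {non_ascii(text)}")
```

A `None` under `utf-8` next to readable text under `cp1252` indicates single-byte code-page text, which is the case where UTF-8 codecs raise a decode error.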