Unknown excel password encoding
#11
Given this string:
Code:
$office$*2007*20*128*16*bd72fadd630f6706d2265bb2670744d8*ffd55bec1246280becc69478087b5e45*19871af11d8ff42d730128763a13229cf67ee6e8

The following parts are all hex values:
Code:
bd72fadd630f6706d2265bb2670744d8
ffd55bec1246280becc69478087b5e45
19871af11d8ff42d730128763a13229cf67ee6e8

If you take a look at the file in a hex editor, you can do a search for these values. If you do, you can get their extended (ANSI) ASCII representations, like so:
Code:
½rúÝcgÒ&[²gDØ
ÿÕ[ìF( ìÆ”x{^E
‡ñô-s(v:"œö~æè

If you go beyond the "e6e8", the next 64 bytes look something like this:
Code:
AF E9 FC 3D 24 C6 36 8C 5C DD 13 C2 00 00 00 00 00 00 00 00 3C 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00 43 00 6F 00 6E 00 74 00 61 00 69 00 6E 00 65 00 72 00 2E 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00

And in ASCII this is:
Code:
¯éü=$Æ6Œ\ÝÂ��������<���M�i�c�r�o�s�o�f�t�.�C�o�n�t�a�i�n�e�r�.�D�a�t�a�S�p�a�c�e�s��������

Notice the ê at the beginning of the string. Null characters are replaced with � in this string. Does this look familiar?

I found this Excel message very funny.

Quote:Caution: If you lose or forget the password, it cannot be recovered. It is advisable to keep a list of passwords and their corresponding workbook and sheet names in a safe place.

The password you supplied is not correct. Verify that the CAPS LOCK key is off and be sure to use the correct capitalization.

Cannot be recovered? Keep a list of password and their corresponding workbook? That place is called Post-It on the left corner of your monitor. It's like keeping the PIN for your bank account inside your wallet.
Reply
#12
hi, buddies, i am new to this hashcat world. i forget password of my excel 2007 file, tried to crack it with office2hashcat.py & office2john.py but all in vain. i don't remember the exact length or any mask characters of the password. i tried all the passwords which i usually used to. it may contain upper case, lower case, numeric, and special characters, with a length of 4 to 12. is there any way to get the exact length of my password or to get only first 3 character of password, without running into weeks or months ??
Reply
#13
thanks for sharing this information.

Reply