On 2002-04-25 10:28, sree_31 wrote:
Thanks a ton
But can u explain me in detail how it works
Excel password protection is not that hard
to break...in fact it's a joke. Here is
why, when an Excel *sheet* is being
protected with a password, a 16-bit (two byte) long hash is generated. To verify a
password, it is compared to the hash.
Obviously, if the input data volume is great,
numerous passwords will match the same hash.
This can be easily reproduced:
Protect a sheet (Tools-Protection-Protect Sheet) with the password "test" (no quotes)
Unprotect it with the password "zzyw" (again no quotes)
Book protection is somewhat more sophisticated.
The hash generation algorithm is the same as with sheet protection, however, the whole
document is being encrypted. This protection seem to be relatively stable at first sight,
but a more detailed analysis revealed that it
is not the password that is entered (or its
hash) which is used to encrypt the document,
but rather a fixed key stored in the MS Excel
program code.
This key is generated from the
password "VelvetSweatshop".
What a nice joke by Microsoft! Try to
protect a MS Excel workbook with this
password. The most surprising thing is that
no password is required to open the document.
Worksheet Encryption
Here is the algorithm to create the hash value:
- take the ASCII values of all characters
- shift left the first character 1 bit,
the second 2 bits and so on
(use only the lower 15 bits and rotate all higher bits, the highest bit of the 16-bit value is
always 0 [signed short])
- XOR all these values
- XOR the count of characters
- XOR the constant 0xCE4B
Example: The password is abcdefghij (10 characters)
a -> 0x61 << 1 == 0x00C2
b -> 0x62 << 2 == 0x0188
c -> 0x63 << 3 == 0x0318
d -> 0x64 << 4 == 0x0640
e -> 0x65 << 5 == 0x0CA0
f -> 0x66 << 6 == 0x1980
g -> 0x67 << 7 == 0x3380
h -> 0x68 << 8 == 0x6800
i -> 0x69 << 9 == 0x5201 (unrotated:0xD200)
j -> 0x6A << 10 == 0x2803 (unrotated:0x1A800)
count: 0x000A
constant: 0xCE4B
-------------------------
result: 0xFEF1
This value occurs in the PASSWORD record.
With thanks to
Charles Wyble
jackshck@yahoo.com