Zip Password BruteForcer.

[mIKE]

Kevin said:

Oh yeah, in my next release I have changed that, you must be using something like Delphi 5? Just remove those lines and it should be ok.

Kevin

Okay, I got 3.05 to compile in D5 by removing those lines.

The one little app I tested seems unaffected by the change to 3x. In general, that's good, but it also means that the difficulty I was having decrypting one file remains. It's the same file I mentioned eralier in this thread that deals with the "Brute-Forcer" program.

Oddly, I can now generate the same error on a different encrypted zip file. Some files in this zip can be tested with my entire list of passwords and not report any problem. But with some other combinations of filenames and passwords from my list (in a text file), the program crashes on the .FileIsOK test.

I'll let you know if I come up with anything interesting in solving this.

[ELiTE]

Hi, Kevin. (I know that your gonna kill me, but what can i say.) ;D

I used your VCLZip utility to make a zip file with one file passworded "zzzg", with these options :
- MultiMode : mmNone.
- Compression level : 0. (if i used more than 0 it gaves me an error)
- Password : zzzg
it tooks my PC about 6 seconds to give me the right pass. (using CRC and HeaderByte method)

i changed the compression level to 6 and the algorithm gaves me an error when it reached the password

"abjf" ( if i change the encrypted file it gaves me the same error but at a different password.)

This is the exception i have when the error occurs, EZCompressionError with message 'error'.
what do you think Kevin.

BTW : i still don't have the Pass for 3.05, the version i use is 3.04 and it's not passworded.

PD.

[Kevin]

PD,

Are you using the evaluation version of VCLZip? If so, what version of Delphi/BCB are you using?

When you create the password protected files with the VCLZip Zip Utility, will the VCLZip Zip Utility unzip it without any problem?

Kevin

[ELiTE]

Yes i am using an evaluating version, what's wrong with that?

And yes it's unzipping it well.

[Kevin]

Nothing is "wrong" with that, but it lets me know that version 3.05 won't do you any good because currently that is a registered version only. The evaluation versions are still at 3.04, I haven't had a chance to update the evaluation versions yet.

By asking if the VCLZip Utility will unzip the files correctly, I was isolating the problem to the password utility, or at least to the actions caused by the password utility.

I had not updated the password recovery utility for quite awhile so, it could possibly need some work.

Kevin

[ELiTE]

Well, Thanks a lot Kevin I have made the project and it works fine to me with some limitations like 30,000 passwords per sec only whereas other programs do it 10,000,000 passwords per seconds, but at least it worked

Anyways I'll put a link to the project here later if anyone interested! It's a client/server project BTW.

Have a good time all here and Thanks for your efforts
ELiTE.

[toonces]

ELiTE:

I've returned to struggle with password cracking, and I'm about to revisit the Brute Forcer program that Kevin wrote, even though I had a lot of difficulty with it 16 months ago. It sounds like you have created some sort of Brute Forcer that you are offering. How can I get it?

I'll even trade you for what I call my "elegant guesser" program that works with a text file of passwords to try. It could serve as a basis for something a lot more sophisticated if one of us wanted to work with it. For instance, if you know the "standard elements" you tend to use in your passwords, then it would be cool to enhance the program to assemble passwords to test from all permutations of the "elements" listed in a text file. Then one could offer the option of iterating over all case variations of each password thus constructed. Okay, so I don't have time to do that now, but at least the program already works with all listed passwords, and offers some add-suffix options to make it easier to try some variations without modifying the text file.

And what ZIP-cracker did you find that tries 10M passwords per second?

mIKE (aka Toonces)

[toonces]

I purchased the "Visual Password Recovery Processor" (ZipCure.com) program, and it reports that it's covering 12 million potential passwords per second. I say "covering" and not "testing" because I suspect that they are exploiting something in the engineering of a ZIP file that allows them to eliminate groups of passwords without testing all of them. Good for them, but after 5.5 hours of processing on a ThinkPad T60p (2GB RAM, 2Ghz Dual Core processor, 7,200 RPM drive) it had barely scratched the surface of a 12-character password.

And the "Dictionary" method doesn't offer what I want. Specifically, I don't want to test against millions of known words. Instead, I want to test permutations of a much smaller set of words or password "elements" that I know that I use. The logic of a plain-match dictionary scheme is easy and my program already has it, so the power of a plain-match scheme is in the size of the dictionary... but it still will only work of the password is just one word.

My idea for a permutation-match scheme wouldn't be that hard to implement either, but without using the group-elimination scheme that ZipCure uses, it might take as long (weeks) to test the millions of permutations from a small dictionary of elements (maybe 12 elements) as it would for ZipCure to cover trillions of passwords. Now I'm wishing I didn't get in the habit of using such long passwords. I don't know when I'll have the time to do the work needed to implement this scheme, but I doubt it would take more than a day or two.

[jerbear]

Hi Kevin

Any chance you could make this, prp200.exe, available for download again.

Interested in this myself.

In process of writing a backup routine around VCLZip for staff PC's that will be configured specifically for each of their PC's. They do get to add their own password so a utility such as this would be handy.

Got 150 PC's to do and chances are, one of them will forget their password or mistype it when they originally enter it.

Thanks

Jerbear

[lauro]

Hi Kevin,
I tried our friend's Elite example however it only works when we met the size of the password. Does some exist sorts things out of discovering the size of the password of the file before turning the routine?
Tanks
Lauro.

[Kevin]

Unfortunately there is no way to know the length of the password from the zip file itself.