Didier Stevens

Saturday 13 July 2024

Update: cut-bytes.py Version 0.0.17

Filed under: My Software,Update — Didier Stevens @ 15:09

--prefix and --suffix can now also be filenames.

cut-bytes_V0_0_17.zip (http)
MD5: 86D0692C6303248639A740E7A2AC4525
SHA256: D4FCFBD2305D7E5E97AB993741DF95B4565A882B0CD7DBA061D09578A1DDADA7

Thursday 11 July 2024

Update: oledump.py Version 0.0.77

Filed under: My Software,Update — Didier Stevens @ 19:59

This is an update for plugin plugin_biff.py.

Protected xls files (workbook protection, sheet protection) are protected with a password, but are not encrypted.

The password is hashed to a 16-bit hash called the verifier; such a short hash gives ample opportunity for hash collisions.

I calculated passwords for all possible hash values (32768, or 0x8000) mostly with letters and digits, some with special characters (verifier table). This verifier table is not a rainbow table, because the table contains all possible hash values and a corresponding password.

If a verifier cannot be cracked with a provided password list, the password will be taken from the verifier list.

Example: this spreadsheet has a sheet protected with password azeqsdwxc, which is not in the embedded password list (obtained from John The Ripper); thus the password from the verifier table is taken (bbbbhz):

Passwords azeqsdwxc and bbbbhz both hash to the same verifier value (0xd9b1), thus there is a hash collision, and both passwords can be used to unprotect the sheet.
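The collision above can be reproduced with the publicly documented rotate-and-XOR verifier algorithm for legacy .xls protection. This is an added example, not code from oledump.py or plugin_biff.py; the function names (rol15, xls_verifier, verifier_space) are assumptions made for the illustration, and passwords are assumed to consist of single-byte characters.

```python
from itertools import product
from string import ascii_lowercase


def rol15(value, count):
    """Rotate a 15-bit value left by count bits."""
    count %= 15
    return ((value << count) | (value >> (15 - count))) & 0x7FFF


def xls_verifier(password):
    """16-bit verifier stored for legacy .xls workbook/sheet protection."""
    data = password.encode("latin-1")  # assumption: single-byte characters
    h = 0
    for position, byte in enumerate(data, start=1):
        h ^= rol15(byte, position)     # each byte is rotated by its position
    return h ^ len(data) ^ 0xCE4B      # mix in the length and a fixed constant


def verifier_space(length):
    """Distinct verifiers over all lowercase passwords of one length."""
    return {xls_verifier("".join(p))
            for p in product(ascii_lowercase, repeat=length)}


if __name__ == "__main__":
    for pw in ("azeqsdwxc", "bbbbhz"):   # the two passwords from the post
        print(pw, hex(xls_verifier(pw)))
    space = verifier_space(3)            # constructed input: 26**3 passwords
    print(len(space), "distinct verifiers from", 26 ** 3, "passwords")
    # The rotated bytes only fill 15 bits, so bit 15 comes from the constant
    # alone: at most 0x8000 verifier values exist, whatever the password.
    print(all(v & 0x8000 for v in space))
```

Because unprotecting only requires a password with a matching verifier, workbook and sheet protection in xls files works as a guard against accidental edits, not as access control.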

oledump_V0_0_77.zip (http)
MD5: CC8E3BB7BFA8D6312F8371DADE414EE4
SHA256: 08A097FB2491072043BFD4032BEBC4B2994AEF94B99F3C68EFAEB56004AE7ECE

Sunday 7 July 2024

Update: hash.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix release for @files.

hash_V0_0_13.zip (http)
MD5: 43419BBB95FC1321EC6098AE369DEC26
SHA256: 88BD3A7B71BB2C8579F49E76E8069E7A5A4B23DCF1DB1716E5E2C9F78BFF6D5B

Saturday 6 July 2024

Overview of Content Published in June

Filed under: Announcement — Didier Stevens @ 8:28
Here is an overview of content I published in June:

Blog posts: SANS ISC Diary entries:
