07-31-2018, 11:27 AM
Hi!
A friend of mine has an e-learning software with a bug in the printing option. The exe file is about 700 MB, so I guessed that the texts and images are compressed in it. I was right. It's a kind of ZIP SFX.
I extracted that zip part with zip -J file.exe. In that zip file are HTML files and images with dates around 2011-2012.
7zip shows "ZipCrypto Deflate" and zip -v shows:
Quote:
index.html
offset of local header from start of archive: 809
(0000000000000329h) bytes
file system or operating system of origin: MS-DOS, OS/2 or NT FAT
version of encoding software: 2.0
minimum file system compatibility required: MS-DOS, OS/2 or NT FAT
minimum software version required to extract: 2.0
compression method: deflated
compression sub-type (deflation): normal
file security status: encrypted
extended local header: yes
file last modified on (DOS date/time): 2012 Mar 19 18:33:22
32-bit CRC value (hex): 6f3ded1d
compressed size: 942 bytes
uncompressed size: 2652 bytes
length of filename: 10 characters
length of extra field: 0 bytes
length of file comment: 0 characters
disk number on which file begins: disk 1
apparent file type: binary
non-MSDOS external file attributes: 000000 hex
MS-DOS file attributes (20 hex): arc
There is no file comment.
I could get a plaintext version of that file (this program used the Internet Explorer cache when running), but only some files are there, not all.
JTR shows this info and this kind of hash:
ver 2.0 bz.zip->index.html PKZIP Encr: cmplen=942, decmplen=2652, crc=6F3DED1D
$pkzip2$3*1*1*0*8*24*1ccf*7dd5*......hex.....*$/pkzip2$
I tried to crack it, but after days, nothing.
I tried pkcrack too. I used this index.html plaintext file without success, maybe because of the wrong file size.
index.html has 942 bytes compressed in the encrypted zip.
My plaintext zip has 915 bytes, with the same deflate normal settings.
Any ideas how to get the password?