kimci86 / bkcrack

Crack legacy zip encryption with Biham and Kocher's known plaintext attack.
zlib License

An unexpected error occurred when decrypting Zip files(ZipCrypto+Deflate) #113

Closed hanli2016 closed 10 months ago

hanli2016 commented 11 months ago

English is not my native language; the following content is machine-translated.

First of all, thank you for making this very useful tool. It has been working fine before, but today I encountered a problem. After many tests, I constructed the following process to reproduce the problem.

1. Given two compressed package files, bookinfo.zip and bookinfo_.zip, their passwords are both 123, and the internal bookinfo.dat has the same beginning "[General Information]".

D:\bkcrack\install>bkcrack.exe -L bookinfo.zip
bkcrack 1.6.0 - 2024-01-03
Archive: bookinfo.zip
Index Encryption Compression CRC32    Uncompressed  Packed size Name
    0 ZipCrypto  Deflate     b72fbde3           38           53 bookinfo.dat

D:\bkcrack\install>bkcrack.exe -L bookinfo_.zip
bkcrack 1.6.0 - 2024-01-03
Archive: bookinfo_.zip
Index Encryption Compression CRC32    Uncompressed  Packed size Name
    0 ZipCrypto  Deflate     8900abf5           40           57 bookinfo.dat

2. Using the example you gave in other issues, I first obtained the compressed plaintext using the command below. (I use a Windows 11 x64 system.)

D:\bkcrack\install>echo [General Information] | python .\tools\deflate.py -l 5 | xxd
00000000: 8b76 4fcd 4b2d 4acc 51f0 cc4b cb2f ca4d  .vO.K-J.Q..K./.M
00000010: 2cc9 cccf 8b55 e0e5 0200                 ,....U....

3. Use the following command to decrypt the compressed packages bookinfo.zip and bookinfo_.zip.

D:\bkcrack\install>bkcrack.exe -C bookinfo_.zip -c bookinfo.dat -x 0 8B764FCD4B2D4ACC51F0CC4BCB2FCA4D
bkcrack 1.6.0 - 2024-01-03
[23:29:13] Z reduction using 9 bytes of known plaintext
100.0 % (9 / 9)
[23:29:13] Attack on 718817 Z values at index 6
100.0 % (718817 / 718817)
[23:34:20] Could not find the keys.

D:\bkcrack\install>bkcrack.exe -C bookinfo.zip -c bookinfo.dat -x 0 8B764FCD4B2D4ACC51F0CC4BCB2FCA4D
bkcrack 1.6.0 - 2024-01-03
[23:35:36] Z reduction using 9 bytes of known plaintext
100.0 % (9 / 9)
[23:35:37] Attack on 747282 Z values at index 6
Keys: e0be8d5d 70bb3140 7e983fff
31.2 % (233292 / 747282)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 233292
[23:37:23] Keys
e0be8d5d 70bb3140 7e983fff

4. Just like the decryption result shown above, I cannot decrypt bookinfo_.zip. The difference between the two zip files is that the second line of the bookinfo.dat file is different. After my test, I found the reason why it cannot be decrypted is that they contain inconsistent numbers of Chinese characters.

What's causing this? Can you help me?

kimci86 commented 10 months ago

Hello, thank you for clearly describing your issue.

The problem is that your bookinfo.dat files are compressed completely differently by the deflate compression algorithm even though they are very similar.

To understand this, let's use bkcrack to decipher compressed data:

$ bkcrack -C bookinfo.zip -c bookinfo.dat -d bookinfo.deflate --password 123
$ bkcrack -C bookinfo_.zip -c bookinfo.dat -d bookinfo_.deflate --password 123

Then let's have a look at how data is compressed using infgen:

$ infgen bookinfo.deflate
! infgen 3.2 output
!
last
fixed
literal '[General Information]
literal 13 10 202 233 195 251 '=
literal 177 228 198 181 181 231 212 180 '12
end
$ infgen bookinfo_.deflate
! infgen 3.2 output
!
last
stored
data '[General Information]
data 13 10 202 233 195 251 '=
data 177 228 198 181 181 231 212 180 188 188 202 245
end

We can see one file is compressed using deflate's predefined Huffman tree ("fixed" mode), but the other file is not. Instead it contains plain data after the deflate block header ("stored" mode).

What you have tried in step 2 is to recreate the beginning of the "fixed" block. It can be used successfully to crack bookinfo.zip as you can see.

In order to crack bookinfo_.zip, you would have to run bkcrack with a part of the "stored" block. A part of a deflate "stored" block is easy to create if you know some uncompressed data: you just have to offset the data by 5 bytes to skip the stored block header.

This is how you can do it:

Does that solve your issue?
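Added example, not part of this thread and not code from bkcrack: a small Python script that reproduces the two situations kimci86 shows with infgen, using zlib directly. Level 0 forces a "stored" block, a higher level on a short input yields a "fixed" block. The script decodes the first block header (BFINAL/BTYPE), validates the LEN/NLEN fields of a stored block to show why the known text sits at offset 5, and, for the fixed case, re-encodes the known text to obtain the byte prefix that step 2 of the report produced with deflate.py. The sample file contents and the function names are constructed for the example; the only page-derived value is the 16-byte prefix 8B764FCD... from the report, which the script recomputes.

```python
import struct
import zlib

# Constructed sample (assumption): a short INI-style file whose first line matches
# the known plaintext used in the issue. The real bookinfo.dat is not reproduced.
SAMPLE = b"[General Information]\r\nname=demo\r\n"
KNOWN = b"[General Information]"

BTYPE_NAMES = {0: "stored", 1: "fixed", 2: "dynamic", 3: "reserved"}


def raw_deflate(data: bytes, level: int) -> bytes:
    """Raw deflate stream (wbits=-15, no zlib header): this is what a zip entry with
    compression method 8 contains and what ZipCrypto then encrypts."""
    comp = zlib.compressobj(level, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def inflate(stream: bytes) -> bytes:
    """Round-trip helper so the example can check its own streams."""
    return zlib.decompressobj(-15).decompress(stream)


def first_block_header(stream: bytes) -> tuple:
    """Decode BFINAL (bit 0) and BTYPE (bits 1-2) of the first deflate block.
    Deflate packs bits LSB-first, so both fields live in the low 3 bits of byte 0."""
    if not stream:
        raise ValueError("empty deflate stream")
    bfinal = stream[0] & 1
    btype = (stream[0] >> 1) & 3
    return bfinal, BTYPE_NAMES[btype]


def stored_block_data_offset(stream: bytes) -> int:
    """For a stream whose first block is 'stored', return where the verbatim data
    starts. RFC 1951: after the 3 header bits the encoder pads to a byte boundary,
    then writes LEN and NLEN (one's complement of LEN) as 16-bit little-endian
    values, so the data always begins at offset 5 (the number kimci86 gives)."""
    _, btype = first_block_header(stream)
    if btype != "stored":
        raise ValueError(f"first block is {btype!r}, not 'stored'")
    length, nlength = struct.unpack_from("<HH", stream, 1)
    if nlength != (~length) & 0xFFFF:
        raise ValueError("NLEN is not the complement of LEN: not a valid stored block")
    return 5


def plaintext_for_attack(stream: bytes, known: bytes, level: int = 9) -> tuple:
    """Return (offset, bytes) that a known-plaintext tool must be given for this
    stream, mirroring the two cases in the issue:
    - stored block: the uncompressed bytes appear verbatim from offset 5;
    - fixed block: only the Huffman-coded form is present, so the known text is
      re-encoded. Fixed-Huffman literal codes do not depend on later input, so the
      leading bytes match the original stream as long as the original encoder
      emitted only literals there (assumption: no back-references in the prefix).
    """
    _, btype = first_block_header(stream)
    if btype == "stored":
        return stored_block_data_offset(stream), known
    if btype == "fixed":
        encoded = raw_deflate(known, level)
        # Keep only bytes fully determined by the known literals: 3 header bits plus
        # at least 8 bits per literal (bytes 144-255 use 9-bit codes, so this
        # count is conservative).
        usable = (3 + 8 * len(known)) // 8
        return 0, encoded[:usable]
    raise ValueError(f"{btype!r} blocks need the original encoder to reproduce")


if __name__ == "__main__":
    for level in (0, 9):
        stream = raw_deflate(SAMPLE, level)
        bfinal, btype = first_block_header(stream)
        off, pt = plaintext_for_attack(stream, KNOWN)
        print(f"level {level}: BFINAL={bfinal} BTYPE={btype} "
              f"-> plaintext offset {off}, bytes {pt.hex()}")
```

Run as-is, the level 0 case reports offset 5 with the literal text, while the level 9 case reports offset 0 with a byte string that begins with the same 8b76 4fcd... prefix shown in step 2 of the report, which is why that prefix cracked bookinfo.zip but could never match the stored block in bookinfo_.zip.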

hanli2016 commented 10 months ago

I have solved the problem using the ideas you provided, thank you!