wvDecrypt, decrypt MS Word 6/95/97/2000 documents
What is It wvDecrypt is a subpart of the wv (http://www.wvWare.com) project, this module
implements Microsoft Word 95/97/2000 decryption. Its is released seperately
under the BSD licence rather than the GPL, explicitly to allow it to be reused
with code that is not under the GPL.
Install To compile this first get wv version 0.5.31 of wv (later versions of wv should
have this code integrated into it) from http://www.wvWare.com.
Firstly with wv do the usual.
now run make in the toplevel dir of this wvDecrypt package.
The document test97.doc is encrypted with the password password1 so...
./wvDecrypt97Test password1 test97.doc
will verify that password1 is the correct password for test97.doc and will
start decrypting the file.
Some quick background on word 97/2000 files Each word 97 file consists of a bundle of ole2 streams, the Table stream, the
WordDocument stream, and others such as the SummaryInformation stream, the
DocumentSummaryStream and sometimes a Data stream.
en.01 is the extracted table stream from test97.doc
en.02 is the extracted WordDocument stream from test97.doc
tablefd (when wvDecrypt is run) is the decrypted tablefd mainfd (when wvDecrypt
is run) is the decrypted mainfd, i.e. where the main text is.
The table stream contains the salt that is used by the decryption process, and
is itself encrypted. So the wvDecrypt97Test program validates the password and
outputs the decrypted table stream to the file named "tablefd". The main
document stream is decrypted to the file "mainfd"
Most of the code you see here is not mine, what was, got rewritten by Fauzan
Mirza. I provided the wv api into the word document and put the bits of
knowledge everyone had together. The CREDITS file lists those involved, and
what they did.
As promised in previous versions of this document, the wvDecrypt is now
released under the BSD licence, so anyone can use this whether as part of a
proprietary project or not. The mails agreeing to this from all the parties
involved in the creation of this module are in the BSD.agreement subdir of the
Word97 decryption is now a known mechanism. Thanks all !! It was a little
surprising that it was so long between word97 being released and a publically
available compatible decryption engine becoming available, but that gap is
The one small thing missing is to use an ole2 streams library such as libole2
to put the streams back together into a decrypted word document, rather than
the seperated streams, as it stands it does exactly what I wanted for the wv
library. Its should be pretty trivial to wrap it back into a word doc, you will just have
to set the fEncrypted bit in the fib to 0, to show that the doc is decrypted.
A brief overview of the process
This is a simplified version of how it works, with hand waving substituted for
Word97 encrypts its data with the rc4 encryption algorithm by RSA.
Initially a unicode password is taken and some bytes appended, this password is
passed through a varient of the standard md5 hash algorithm.
The non standard hash is tricky, and Im far from sure what benefit over
standard md5 the modified md5 hash has.
There are some salt bytes in the header which are run through a test using the
password to verify that the transformed bytes are the same as another
set of stored hashed salt values. If they are equal the the password is
correct, and the decryption routine proper can begin.
The password hash is taken as the key for the the rc4 algorithm. At each 512
byte boundary of the data the rc4 algorithm is rekeyed by taking the password
hash and setting some of its bytes to an ever incremented count of the 512
View the source to see exactly how it all works.
Word 95 Decryption The document test95.doc is encrypted with the password
./wvDecrypt95Test password1 test95.doc
will verify that password1 is the correct password for
test95.doc and will start decrypting the file.
Some quick background on word 95 files Each word 95 files consists of a number of streams but unlike word97 only one
is of importance, i.e. the WordDocument stream.
encrypt95.01 is the extracted WordDocument stream from test95.doc
mainfd (when wvDecrypt is run) is the decrypt mainfd
The word95 code was written by me personally and is also released under the BSD
licence unlike the rest of wv, but like the rest the of wvDecrypt module,
because I want to see the password stuff as widely distributed as possible.
The word95 decryption is simpler than the word97 one, but might not be 100%
complete as it is freshly added in here. It also should be the exact same as
word 6 encryption, though someone has to test that for me.
The same issue as for 97 exist for wrapping the streams back into a complete
The Word 95 encryption is better known than that of 97, and its a pretty
trivial repeated XOR ing of the contents, in fact its trivial enough that there
is enough redundant information in the header to make it very possible to crack
the document without password.
Other Tools & Links If you want something to investigate ole2 streams
try the perl laola at http://wwwwbs.cs.tu-berlin.de/~schwartz/pmh/laola.html
More information on the wv library can be got at http://www.wvWare.com
Caolan McNamara (2000) <firstname.lastname@example.org>