
wvDecrypt, decrypt MS Word 6/95/97/2000 documents

What is It

wvDecrypt is a subpart of the wv project; this module implements Microsoft Word 95/97/2000 decryption. It is released separately under the BSD licence rather than the GPL, explicitly to allow it to be reused with code that is not under the GPL.


To compile this, first get version 0.5.31 of wv (later versions of wv should have this code integrated into them) from

Firstly with wv do the usual.

 make install

Now run make in the top-level directory of this wvDecrypt package.

The document test97.doc is encrypted with the password password1 so...

 ./wvDecrypt97Test password1 test97.doc

will verify that password1 is the correct password for test97.doc and will start decrypting the file.

Some quick background on Word 97/2000 files

Each Word 97 file consists of a bundle of OLE2 streams: the Table stream, the WordDocument stream, and others such as the SummaryInformation stream, the DocumentSummaryStream and sometimes a Data stream.

en.01 is the extracted table stream from test97.doc
en.02 is the extracted WordDocument stream from test97.doc

tablefd (when wvDecrypt is run) is the decrypted tablefd
mainfd (when wvDecrypt is run) is the decrypted mainfd, i.e. where the main text is.

The table stream contains the salt that is used by the decryption process, and is itself encrypted. So the wvDecrypt97Test program validates the password and outputs the decrypted table stream to the file named "tablefd". The main document stream is decrypted to the file "mainfd".

Most of the code you see here is not mine; what was got rewritten by Fauzan Mirza. I provided the wv API into the Word document and put the bits of knowledge everyone had together. The CREDITS file lists those involved, and what they did.

As promised in previous versions of this document, the wvDecrypt is now released under the BSD licence, so anyone can use this whether as part of a proprietary project or not. The mails agreeing to this from all the parties involved in the creation of this module are in the BSD.agreement subdir of the release.

Word 97 decryption is now a known mechanism. Thanks all !! It was a little surprising that it was so long between Word 97 being released and a publicly available compatible decryption engine becoming available, but that gap is filled now.

The one small thing missing is to use an OLE2 streams library such as libole2 to put the streams back together into a decrypted Word document, rather than the separated streams; as it stands it does exactly what I wanted for the wv library. It should be pretty trivial to wrap it back into a Word doc: you will just have to set the fEncrypted bit in the FIB to 0, to show that the doc is decrypted.

A brief overview of the process

This is a simplified version of how it works, with hand waving substituted for true details.

Word 97 encrypts its data with the RC4 encryption algorithm by RSA.

Initially a Unicode password is taken and some bytes are appended; this password is then passed through a variant of the standard MD5 hash algorithm.

The non-standard hash is tricky, and I'm far from sure what benefit over standard MD5 the modified MD5 hash has.

There are some salt bytes in the header which are run through a test using the password to verify that the transformed bytes are the same as another set of stored hashed salt values. If they are equal then the password is correct, and the decryption routine proper can begin.

The password hash is taken as the key for the RC4 algorithm. At each 512-byte boundary of the data the RC4 algorithm is rekeyed by taking the password hash and setting some of its bytes to an ever-incremented count of the 512-byte blocks.
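The block-wise rekeying described above, as an added C example (not code from wvDecrypt): each 512-byte block gets a fresh RC4 state, so decryption can start at any offset by deriving that block's key and discarding the keystream that precedes the offset. Placing the counter in bytes 5..8, using the modified hash directly as the RC4 key, and the names w97_crypt and block_key are assumptions for illustration; the real derivation is in the source.

```c
#include <stdint.h>
#include <string.h>
#define BLOCK 512    /* rekey interval given in the text */
#define HASHLEN 16   /* MD5-sized password hash */
typedef struct { uint8_t s[256], i, j; } rc4_t;

static void rc4_init(rc4_t *c, const uint8_t *key, size_t n) {
    uint8_t j = 0, t;
    for (int k = 0; k < 256; k++) c->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {                 /* standard RC4 key schedule */
        j = (uint8_t)(j + c->s[k] + key[k % n]);
        t = c->s[k]; c->s[k] = c->s[j]; c->s[j] = t;
    }
    c->i = c->j = 0;
}

static uint8_t rc4_byte(rc4_t *c) {
    uint8_t a = c->s[++c->i], b;
    c->j = (uint8_t)(c->j + a);
    b = c->s[c->j]; c->s[c->i] = b; c->s[c->j] = a;  /* swap s[i] and s[j] */
    return c->s[(uint8_t)(a + b)];
}

/* ASSUMED layout: bytes 5..8 of a copy of the hash carry the block count. */
static void block_key(const uint8_t *hash, uint32_t block, uint8_t *key) {
    memcpy(key, hash, HASHLEN);
    for (int k = 0; k < 4; k++) key[5 + k] = (uint8_t)(block >> (8 * k));
}

/* XOR buf in place; buf[0] sits at absolute stream offset off. */
void w97_crypt(const uint8_t *hash, size_t off, uint8_t *buf, size_t len) {
    rc4_t c; uint8_t key[HASHLEN];
    for (size_t done = 0, n; done < len; done += n) {
        size_t pos = off + done, skip = pos % BLOCK;
        block_key(hash, (uint32_t)(pos / BLOCK), key);
        rc4_init(&c, key, HASHLEN);                 /* fresh key for this block */
        for (size_t k = 0; k < skip; k++) rc4_byte(&c);  /* seek inside block */
        n = BLOCK - skip < len - done ? BLOCK - skip : len - done;
        for (size_t k = 0; k < n; k++) buf[done + k] ^= rc4_byte(&c);
    }
}

int main(void) {
    /* constructed inputs: a stand-in hash and a zero-padded sample buffer */
    uint8_t hash[HASHLEN] = {0xA5, 0x5A, 0x3C}, text[1300] = "sample";
    w97_crypt(hash, 0, text, sizeof text);          /* encrypt everything */
    w97_crypt(hash, 700, text + 700, 100);          /* decrypt bytes 700..799 only */
    return text[700] != 0;                          /* 0 when the slice is padding again */
}
```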

View the source to see exactly how it all works.

Word 95 Decryption

The document test95.doc is encrypted with the password password1, so...

 ./wvDecrypt95Test password1 test95.doc

will verify that password1 is the correct password for test95.doc and will start decrypting the file.

Some quick background on Word 95 files

Each Word 95 file consists of a number of streams, but unlike Word 97 only one is of importance, i.e. the WordDocument stream.

encrypt95.01 is the extracted WordDocument stream from test95.doc

mainfd (when wvDecrypt is run) is the decrypted mainfd

The Word 95 code was written by me personally and is also released under the BSD licence, unlike the rest of wv but like the rest of the wvDecrypt module, because I want to see the password stuff as widely distributed as possible.

The Word 95 decryption is simpler than the Word 97 one, but might not be 100% complete as it is freshly added in here. It should also be exactly the same as Word 6 encryption, though someone has to test that for me.

The same issue as for 97 exists for wrapping the streams back into a complete Word document.

The Word 95 encryption is better known than that of 97, and it's a pretty trivial repeated XORing of the contents; in fact it's trivial enough that there is enough redundant information in the header to make it very possible to crack the document without the password.

Other Tools & Links

If you want something to investigate ole2 streams try the perl laola at

More information on the wv library can be got at

Caolan McNamara (2000)


Last generated at Sat Nov 2 12:10:04 2013, Caolán McNamara. Created with WebMake/0.5