Advanced ZIP Password Recovery 2.2
==========================================
(c) 1999 Elcom Ltd (V.Katalov, A.Malyshev)

Contents
--------

Description
Requirements
Usage
Known bugs and limitations
Tips & tricks
Future enhancements
Registration
Technical support
Where to get the latest version
Ombudsman statement

Description
-----------

This program (Advanced ZIP Password Recovery, or simply AZPR) can be
used to recover your lost password for a ZIP archive. At the moment,
there is no known method to extract the password from the compressed
file; so, the only available methods are "brute force" and
dictionary-based attacks.

Well, there are a lot of programs like this around, but all of them
have their own "pros" and "cons". Here is a brief list of AZPR
advantages:

- The program has a convenient GUI (Windows user interface).
- The program is very fast: up to 20 million passwords per minute
  (on Pentium-200/MMX).
- The program can work with archives containing only one encrypted
  file.
- All compression methods are supported.
- Self-extracting archives are supported.
- The program is customizable: you can set the password length (or
  length range), the character set to be used to generate the
  passwords, and a couple of other options.
- You can select a custom character set for the brute-force attack
  (non-English characters are supported).
- Dictionary-based attack is available.
- The maximum password length is not limited (in the registered
  version).
- No special virtual memory requirements.
- You can interrupt the program at any time, and start from the same
  point later.
- The program can work in the background, using the CPU only when it
  is in idle state.

The next versions will have many more useful features, of course.

Requirements
------------

- Windows 95 (any version), or Windows 98, or Windows NT 4.0 running
  on a Pentium CPU
- 4 megabytes RAM (plus some additional memory, if the ZIP archive
  contains "stored" files)
- less than 1 megabyte of hard disk space
- patience...

Usage
-----

The program is a Windows application and has a powerful graphical user
interface (GUI). You can run this program from the "Advanced ZIP
Password Recovery" group created by the installation program. You have
to select the following:

ZIP password-encrypted file
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Just the name of the ZIP archive you'd like to get the password for.
Use the "Browse" button to pick it from the list.

Password length
~~~~~~~~~~~~~~~

Maximum and minimum length of the password to verify.

Type of attack
~~~~~~~~~~~~~~

Brute-force or dictionary attack. You can select both of those; if the
dictionary attack (which is much faster and executed first) fails, the
brute-force attack will be performed.

Brute-force range options
~~~~~~~~~~~~~~~~~~~~~~~~~

Instructs the program what characters have been used in the password,
if you have this information. You can choose from all capital letters,
all small letters, all digits, all special symbols and the space; or
just all printable (includes all of the above). The special characters
are:

    !@#$%^&*()_+-=<>,./?[]{}~:;`"\'|

Alternatively, you can define your own charset. Just mark the "Custom
charset" checkbox and click on the "Define" button (on the toolbar). In
the input window enter all chars of your password range; for example:
if you remember that your password was entered in the bottom keyboard
row ("zxcv...") - your password range should be "zxcvbnm,./" (or in
caps: "ZXCVBNM<>?"). You can also define both of these:
"zxcvbnm,./ZXCVBNM<>?".

In addition, you can load and save custom charsets, or combine them
using the "Add charset from file..." button.

Just a note about the "Convert to OEM encoding" option in the "User
Defined Charset" option. Be sure to select it if the password contains
any non-English characters, and the archive has been created by a
DOS-based ZIP utility (like PKZIP 2.04g). Otherwise, the password will
not be found.

Start from password
~~~~~~~~~~~~~~~~~~~

This option may help if you know what the first character of the
password is. For example, if you're sure that small letters have been
used (from 'a' to 'z'), the length is 5, and the password definitely
starts with 'k', then type 'kaaaa' here.

Please also note that if you press the "Stop" button when AZPR is
working, the program writes the current password to this window
("Start from password"). It can be used later to restart the program
from the same point.

Dictionary options
~~~~~~~~~~~~~~~~~~

Simply select the desired dictionary file. In addition, you can select
the option "Try to capitalize first character" or "Try to capitalize
all characters" -- it may really help if you're not sure about the
letter case the password has been typed in. For example, for the word
"password" (in the dictionary), the program will also try "Password"
(if the first option is checked), and "PASSWORD" (if the second one is
checked).

A small but really effective dictionary is included in the AZPR
distribution: "english.dic" (about 27,000 words). Some other very good
ones are available at:

    ftp://sable.ox.ac.uk/pub/wordlists/
    ftp://ftp.cdrom.com/pub/security/coast/dict/wordlists/
    ftp://ftp.cdrom.com/pub/security/coast/dict/dictionaries/

Also, please have a look at our "Password Recovery Software" page --
you'll find a few dictionaries, wordlists and dictionary generators
there, as well as links to related sites:

    http://www.elcomsoft.com/prs.html

Priority
~~~~~~~~

Background or high. If you want to start AZPR as a "background"
process, which will work only when the CPU is in idle state -- you have
to select "Normal". If you want to increase the performance -- please
select "High", but it will decrease the performance of all *other*
applications running on your computer.

Save and Read setup
~~~~~~~~~~~~~~~~~~~

You can save your current AZPR setup into a specified INI file.
When you press the "Save setup" button, the "Save file" dialog appears.
Just select an INI-file name (e.g. "myarch.ini"), or select an existing
INI-file for overwriting. You can read your setup later -- simply press
the "Read setup" button.

AutoSave
~~~~~~~~

If you'd like AZPR to save its state periodically, please check the
appropriate option, and select the time (in minutes). If you do that,
AZPR will create (and update) a restore file "~azpr.ini" (in the same
folder where your archive is located; similar to the one created when
using the "Save setup" button), and even if your computer stops
responding (or on power failure), you'll be able to resume breaking the
password from the last saved state. Enabling this option is *strongly*
recommended.

Interface options
~~~~~~~~~~~~~~~~~

At the moment there is only one option -- "Minimize to tray". If it is
enabled, the program window will disappear from the Windows desktop
when you press the "minimize" button in the top-right corner of the
window (or select the appropriate item in the system menu); a small
icon will be created in the "tray" area of the task bar (near the
system clock). Just double-click on that icon to restore the window.

When (if) the password is found, the program shows it, as well as the
number of passwords which have been tested, and the program speed:

    'qwert' is a valid password for this file
    Processed 1760765 passwords
    time = 22 second(s)
    speed = 80034 passwords/second

If all possible passwords (in the given range) have been verified
without success (so the valid one has not been found), the message is:

    Password not found in specified range
    Processed 256976 passwords
    time = 1 second(s)
    speed = 256976 passwords/second

If you stopped your recovery by pressing the "Stop" button, the current
step of the brute-force attack is saved in the "Start from" field. Now
you can press the "Start" button again and recovery will be continued
from this step.
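
Added example (not part of the original AZPR documentation, and not
AZPR's code): how the charset, password length range and "Start from
password" settings described above determine the number of candidates
left to test and the worst-case run time. The search order (shorter
lengths first, first character most significant) and all function names
are assumptions made for this example.

```python
import string

def keyspace(base, min_len, max_len):
    """Number of candidates of length min_len..max_len over `base` symbols."""
    return sum(base ** n for n in range(min_len, max_len + 1))

def rank(password, charset, min_len):
    """0-based position of `password` in the assumed search order:
    shorter lengths first, then charset order with the first character
    most significant (an assumption, not AZPR's documented order)."""
    if len(password) < min_len:
        raise ValueError("start password is shorter than the minimum length")
    pos = 0
    for ch in password:
        idx = charset.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not in the charset")
        pos = pos * len(charset) + idx
    # All shorter candidates come before any candidate of this length.
    return keyspace(len(charset), min_len, len(password) - 1) + pos

def remaining(charset, min_len, max_len, start=None):
    """Candidates left to test, counting `start` itself as untested."""
    charset = "".join(dict.fromkeys(charset))  # drop duplicate symbols
    total = keyspace(len(charset), min_len, max_len)
    if start is None:
        return total
    if len(start) > max_len:
        raise ValueError("start password is longer than the maximum length")
    return total - rank(start, charset, min_len)

def worst_case_hours(candidates, per_second):
    """Upper bound on run time: every remaining candidate is tested."""
    return candidates / per_second / 3600

if __name__ == "__main__":
    lower = string.ascii_lowercase
    full = remaining(lower, 5, 5)
    resumed = remaining(lower, 5, 5, start="kaaaa")
    print(f"a-z, length 5: {full:,} total, {resumed:,} left from 'kaaaa'")
    # 95 printable ASCII characters, lengths 1..5, at 600,000 passwords/second
    n = remaining(string.printable[:95], 1, 5)
    print(f"printable 1..5: {n:,} candidates, "
          f"{worst_case_hours(n, 600_000):.1f} h worst case")
```

The counts use exact integer arithmetic, and the time is an upper bound:
a password near the start of the search order is found much sooner.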

Known bugs and limitations
--------------------------

- When the files in the archive are "stored" (no compression, just
  encryption) -- the performance might be lower than expected
  (especially on large files), because decrypting the whole file is
  required.
- AZPR may fail to recover the password for a multi-volume archive, or
  give a message that the archive is corrupted, or even crash on it.
- If the archive contains two or more encrypted files, the program
  assumes that all of them are encrypted with the same password.
- For some specific archives, AZPR may start to eat memory very fast
  (due to some memory leaks which are still there), resulting in a
  crash after a few minutes.

Tips & tricks
-------------

Files with different passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you're sure that the files inside the ZIP archive have been
encrypted with different passwords, AZPR might not be able to find the
correct password. The workaround is: make a backup copy of your
archive; remove all files from the archive, keeping only the ones which
definitely have the same password (maybe just one file); and run AZPR
on the archive you get. When (if) AZPR finds the correct password,
create another new archive, keeping the next portion of files with the
same password. If *all* the files have different passwords, you're in
trouble -- too much time will be required to recover them; but that's
the only thing you can do.

Selecting the options
~~~~~~~~~~~~~~~~~~~~~

If you have no idea how long the password is and what characters it may
contain, run the dictionary-based attack first.
If it fails, try the brute-force attack with the following options
(character set and password length range):

Charset                         Length   Passwords         Time
---------------------------------------------------------------------
all printable                   1..5       7,820,126,720   3.5 hours
digits, small/capital, space    6         62,523,502,592   29 hours
digits, small letters, space    7         94,931,877,888   43 hours
digits, capital letters, space  7         94,931,877,888   43 hours
small letters, space            8        282,429,521,920   5+ days
capital letters, space          8        282,429,521,920   5+ days
digits, space                   8..11    313,821,429,760   6+ days

The third column shows the total number of password combinations (with
the given charset and password length), and the last column shows the
maximum time required for recovering the password (assuming that the
speed is 600,000 passwords per second -- the real value for a Pentium
II CPU).

Dictionary-based attacks
~~~~~~~~~~~~~~~~~~~~~~~~

As noted above, the dictionary-based attack is *very* effective -- so,
please try it first. Moreover, if you know the "structure" of the
password (for example, the characters at some positions), it is
recommended to create your own dictionary based on the rules you have.
There are a lot of dictionary generators around; some (developed by 3rd
parties) are available from our "Password Recovery Software" page:

    http://www.elcomsoft.com/prs.html

A password generator may also help if you "almost" remember the
password, but probably missed one or two characters, or typed extra
ones, or were just mistaken a little bit -- some generators allow you
to "mutate" the word and print/save all similar ones (as a
wordlist/dictionary which can be used with AZPR).

Future enhancements
-------------------

We know that the program could be improved, and here are some
facilities we're going to implement:

- Ability to select the password mask using regular expressions.
- Selecting a particular file (in the archive) to crack.
- Running as a service under Windows NT.
- Separate "benchmark" option for estimating the required time and
  password reliability.
- Command-line parameters.
- Creating a log file.
- "Known plaintext" attack.
- More dictionary attack options (mutations).
- Working on SMP systems (when more than one CPU is available).
- Network Password Recovery.
- Further performance optimizations.

If you have any ideas how the program can be improved, please don't
hesitate to contact us! Your comments are much appreciated.

Registration
------------

This program is distributed as shareware (look at "license.txt" for
details). Being unregistered, it does not allow you to set the maximum
password length to more than 5, or to select the "try to capitalize
first character" and "try to capitalize all characters" options for the
dictionary-based attack.

After you register (look at "order.txt" for details), we'll send you
your personal registration code. You'll just have to click the
"Register" button; the program will open the input window to enter the
registration code; after you do so (you can use cut'n'paste to avoid
typing errors), it will have the full functionality.

Please note that your registration will be valid for *all* future
versions of AZPR -- i.e., the upgrades (minor and major) are free for
registered users.

Technical support
-----------------

For technical support, please contact us at support@elcomsoft.com. In
the subject of your mail, please write "AZPR x.y" (where x.y is the
version number), followed by "problem", "suggestion" or whatever else.

Where to get the latest version
-------------------------------

The latest version of AZPR is always available from our web page at
http://www.elcomsoft.com/azpr.html.

Other password recovery products (for ARJ archives, Microsoft Access
95/97 databases, Microsoft Word/Excel 97 and Windows NT) are available
from our server at http://www.elcomsoft.com/prs.html.

Ombudsman statement
-------------------

Elcom Ltd is a member of the Association of Shareware Professionals
(ASP).
ASP wants to make sure that the shareware principle works for you. If
you are unable to resolve a shareware-related problem with an ASP
member by contacting the member directly, ASP may be able to help. The
ASP Ombudsman can help you resolve a dispute or problem with an ASP
member, but does not provide technical support for members' products.
Please write to the ASP Ombudsman at 157-F Love Ave., Greenwood, IN
46142 USA, FAX 317-888-2195, or send email to omb@asp-shareware.org.