ZEXPL2.EXE and TOOLS.

ZIP EXPLODER for ZIP 2.x
Version 1.0.
The fastest cracking routines in smallest code !

NOTE FOR RUSSIAN READERS :
---------------------------��� � ��ਠ�� ��� ��樨 ��室���� ��

������ �� .

TRADEMARKS.
------------Sorry, it's very hard work, so :
All product names are registered trademarks
owners.

of their respective

HISTORY OF PROGRAM'S EVOLUTION.
--------------------------------Okay, now let the story goes.
About a year ago I stole the archive with sources made by one of
C-mans. I always like such funny stuff, and I was trying to unpack that
file immediately. I was very suprised by message appeared on my display :
"PKUNZIP:

(W12)

Warning! Skipped encrypted file: TAPE.C"

It was the deal of honor to steal this sources anyway. So I had
started to write some ZIP Exploder. The very first version of ZIP
Exploder was invented to crack Imploded english text files with 3
Shannon-Fano trees. It was because PKZIP version up to 1.2 uses
previously computed SFT tables for all such files. The way to check
password was :
Update the keys with password,
Decrypt 12-bytes stub and compare
the very high word of stub with high word of file's CRC,
If compared Ok - decrypt the first 16 bytes of file
and compare they with text files' standard SFT table,
If compared - then we found the RIGHT password.
Unfortunately, that version of Exploder did not save the computation state periodically, performed straight keys updating and (oh)
had some bugs. I and my friend Dummy Animator have killed it so it
will never appear anywhere.

One of my friends downloaded me the (non)famous ZIPCRACK in the
summer 1993. That program was very curved and its performance wasn't
big enough. Password search was limited by 5 characters and this
kludge was very inconvenient in use. It updates keys with all of the
passwords notwithstanding updates the password string from its end.
Although ZIPCRACK didn't help me to get sources from the archive I
had, it kicked me to make second step in the way of Exploder. After I
got access to 386 I added CPU checking to it and started searching.
Sources and ZIP Exploder itself was downloaded to several BBS in
Russia. In this version was introduced new way of key updating now keys updated with only changed letters. You may feel the difference in speed looking at following calculations :
Old version of Exploder does the straight updating and decode
11+1/256 stub bytes before check the stub decoded properly.
Time needed to do this with one password :
pswdlen*(n)+(11+1/256)*n, where "n" is time for updating one key.
New version decodes the same number of bytes in stub, but update
keys with only changed bytes. Now "m" is number of available password letters :
(1+1/(m)+1/(m^2))*(n)+(11+1/256)*n.
If pswdlen is 5 symbols, then difference is about 33 percents !
New version of ZIP Exploder was show the speed about 4,500 passwords
per second on AT 286/16 !
It's everything ok, but here came PKZIP 2.04a. None of two programs
could crack it. It's not a very hard thing to see what phrase
"Improved Password Protection" did mean. All I could see was that
password verification had been done by comparing only one byte !!!!!
First byte taken from 12-byte stub, second - most high byte CRC32 !
I have NO COMMENTS.
After I had seen what PKZIP does I wrote my own program. It's a
program we are talking about - ZEXPL2.EXE. This program can crack
a password for a number of files - and even better if you have many
encrypted files. Now the principle of work is :
Compute keys after password using technique described above,
loop
Decode stub and compare check bytes for each data record,
while compared Ok and some data is available.
if All data compared Ok then we're have correct password !
Most of frequently entered loops are coded using register vars.
Speed marks on my AT 386SX/20 and 486DX/50 show :
Machine
Non-optimized version
Optimized version
(type)
(pswds/sec)
(pswds/sec)
-------------------------------------------386SX
7300
8700
486DX
21200
25600
I can brag about my program speed, can't I ?

LIMITATIONS
------------WARNING !!!!!!!!!!!!
The following paragraphs are VERY IMPORTANT !
PLEASE READ THEM CAREFULLY !
This program was invented to beat the archive compressed and encrypted by PKZIP 2.04 or earlier versions. No warranties given to Explode files compressed by higher versions of PKZIP.
The goal of program is to Explode passwords from archive where
one password was used for all the files. You may write your own
version of EXTRHDR (see below).
HOW TO USE ZEXPL2.EXE AND EXTRHDR.COM.
---------------------------------------What do you have now ? I think it's encrypted archive, ZEXPL2,
and EXTRHDR. The very first thing what you should do is to extract
information from the encrypted archive. Run "EXTRHDR archive.zip"
for it. All necessary information will be extracted to file ENCRHDRS.DAT.
Second step is to create list of used characters. This set of
characters used in each password letter is stored in file AVAIL.CHR.
WARNING !
No CR, LF, FF or EOF symbols are need ! You may include this symbols ONLY if you are SURE THEY WERE USED IN ORIGINAL PASSWORD !
Now you may run the ZEXPL2 to start password searching.
Every time ZEXPL2 finds password passed all tests, it will beep
three times, display great message about current situation and add
password to the end of file PASSWORD.TXT. It's your responsibility to
take care about messages displayed by ZEXPL2! My advice is to periodically check file PASSWORD.TXT and try new passwords you have found
in.
SOME TECHNICAL NOTES.
----------------------First, if you have archive with multiply passwords you have to
write your own version of EXTRHDR. Following is format of file
ENCRHDRS.DAT :
Byte offset
------------0

Length
-------12d

12d

1

13d

3

Value
------12-byte crack resistance header of
file
The very high byte of file CRC to
compare with
Align bytes not used by ZEXPL2.

Several words about AVAIL.CHR.
Password search is simple bytes substitution. It means sequentially try strings "aaa","aab","aac",...,"aba","abb",abc" etc.
Even one extra symbol will result several millions addititional
passwords. It's very important to specify character set as careful
as it possible. DO NOT ADD CR,LF or EOF symbols to end of charset
file AVAIL.CHR !!!!!!!!!!!!!!!!!!
Whether found password correct or not depends on how many files
you had to extract with EXTRHDR. Each file reduces probability of
incorrect password to 1/256 times (one byte range). One extracted
file - 1/256 (0.39%), two files - 1/65536 (0.0015%), three files 1/16777216 (0.00000596%). Twelve extracted files make you sure that
found password will be the only one correct for this set of files.
It's because PKZIP's encryption scheme is limited by 12 bytes random number generator.
THANKS ! GOES TO ...
---------------------Dmitry A.Lemechov and Leopold A.Kaganov - just for they funny
characters,
Rinat A.Sadretdinov (better known as Dummy Animator) - for his
help on editing this text and programming advices,
Alexey Nikolaev and Serguey Berkovitch - for their help in FIDO
orientation,
My parents - I can't say only "Thank !" to them, but I have not
enough good words ...,
My brother Timka - very wonderful guy !,
Phil Katz - for documentation on earlier version of PKZIP, and I
hope he will supply next versions of PKZIP with it,
And many, many, many other peoples I (don't) know...
TO ALL OF YOURS !!!!!
With best regards,
Serguey A.Zefirov,
December 1993.
P.S.
Wanna next version ?
Don't your copy of ZEXPL2 work properly ?
Do you have any suggestions or you have found bugs ?
Please write to :
117465, Russia, Moscow, Generala Tyuleneva st., 17,69,
Serguey Alexandrovitch Zefirov.
P.P.S

Password of ARJ archive can be found within not more than week
of work. All the work can be done (even better done) manually.
My two experiences of ARJ Exploding were succeed in two hours.
P.P.S.
ZEXPL2 passed test I gave to it - at the time I was writing this
message ZEXPL2 had succesfully found password for sources of another
c-man. It's funny, isn't it ?
; *****************************************************************************
; English text ends here
; *****************************************************************************
; *****************************************************************************
; ����� ��� � ��ਠ�� ��� ��樨.
; *****************************************************************************
� ������������ ��������� :
---------------------------The english text is above. Where were you all the time ?
�������� �����.
----------------�� �祭� ���୮� ���� , ��� � :
�� ����(���)

����� ����� �த�

���� � �� ����� �-

� ������� ��������(�।��� ).
������� �������� ���������.
----------------------------� , �� ��砫��� �� ⠪ �

�����.

����� ���� ����� � ����

��娢 � ��室������ �������

祫�����-�譨��. �� ��� ��� �祭�

���� �� � � ���

� �� � � ��宦�

����� �� � (

�祭� ।��), � �訫 ������ ᥡ� � �� ���

� ���

. ������, �।� -

������, ����� PKUNZIP �ਭ��� �뢮����

�ய�饭��� "�����祭���"

�饭�� �

���.

�� ���, �� �뫮 ����� ��� �ண ����-�� ����騪� �����
��� ������ �� �譨���. ��� � �� � ������...
��१ ��� �� �뫠 �� � �� � ����� ���뢠 �. �ਭ 樯 ��
���� � � �뢠��� ��

, �� PKZIP ���

������ �� 1.2 � ��-

����� �� �� ��� ��� ⠡ॢ
���� ��� ��ॢॢ쥢 �������-����. ��

� ⠡���� �� ��� �� �� ���

����� ��

� ��� . �� �����

����, � ������� �ண �� � �� �� � � �����

� �� ����� ������ � �� ��� ⠡���. �� � �뫮

����.

�� �� �� ����� � ��� �� ������⢠ ������⪮� - �� �뫮 ��‫�� � ���� ���ﭨ‬

�����ண� ������� ��ॡ�

� �����筮�

������ �訡��. �� �, ��� ��� ��� � �
�� �� �� ��� �����.
��

93 ���� �� ���� ��㧥�

�� ZIPCRACK, ���� ��� �����
���

���� ��� �����,

�ப� (��)�������� �ண ��饬 �� ���. �� �� ।��� ��-

�, ��� �� ���� ����� �ண ��. ����� �� � �� 5 � , ���-

��� ���������� ����,

������

����த��� �,

�� ����, � ���� ���殢. ��� �� ��� ��
��ன ���

��� �����প�

386,

���� �� ���� ��

���뢠 �.

���� ����� ���뢠 �

�ঠ�� ���� 쭮� ���襭�� ���-

��� �� �� - ��ப� �� � ��������� ��稭�� � ����, � ���������� ���祩 �ந���������
���� �먣��� �

쪮 ��� �����������

�����. ��

��� ����� 30% �� ����� �� � � 5 � .

����‫ �ﭨ‬:

len - ����� �� �, m - ������

� ����� ����樨

�� �, n - �६� ���������� ������ ����, � �६� ��‫����� ��אַ‬����� ���祩 � �।��� 쭮� � �ન

�� :

(len)+10+1/256)*(n). 15,39 �� len=5.
��� ���������� � ���� :
((1+(1/m)+1/(m^2))+10+1/256)*n.
�� ��㫠 �� ������ �� ����� !
��������� �

�孨�� ����� ����� ���뢠 � ��������

����� 4500 �� �� �

����

� �� ��設� AT 286/16 !

������, ��� �� ��� PKZIP 2.04. �� ���� �� ���� �� ��� �ண� ��� � ����� �� � �����. ����� ��諮�� ��������

, �� �

��� �� PKZIP'� ���뢠���� "���� ��� ����襭��� ��� ��� ������". ��������� �� "�� ����, � �祭� ����" - ����� � �ન
�� ���訬
��ઠ

��� ��� �� ����� � CRC

쪮 �� ���

!

���, ��, �� ����
��

��, �ந�������� ��-

�, ��� �

��ঠ� ?

�� �� �

�� ������ PKZIP, � ����

��� �ண �� - ZEXPL2. ������ � �ઠ �� � �����⢫���� ⠪��
�� �� :
��ந��� ���

�� ������ ������ � � ����� ��� ,

横� ��� ������� �� �
�������� ���� � � �� ��� ����� ����,

�� ��諮 � ��� � ��� �� 横� � ��३� � �� ��
�� �,

��३� �

���饬� �����,

����� 横��

�ன���� �� ����� � �� ����稫� � ���� �� �

��� ���, 3 ����
��� , � ����設�

����� ��������� � ॢॣ����� 386 � ��� ��-

横��� ������ ���� � ���������� ���祩

�믮����� � � �짮������ ॢॣ��� �� ��६�����. ���� � �ਢ��
१����� �ண���� ���� �ண �� �� ���� AT 386SX/20 � AT 486DX/50.
��� ��設�
-----------386SX
486DX

���� . �����

� ��. �����

(�� ��/ᥪ)
(�� ��/ᥪ)
----------------- ---------------7300
8700
21200
25600

������� १����� �� �� 10, � �� 8 ���� - ������, � ?
� � �, ��� ����� 墠�����

����� ���� �ண ��.
�����������.
--------------

�������� !!!!!!!!!!!!!!
���� ���騥 ������ ������ ����� !!!!!!

���� ����� ������ �� ����� 쭮 !!
�� �ண �� (ZEXPL2) �।�����砫��� ��� ������ ��娢�
��������� � ����� �� �� �� ��
娢�� �

��. ��� � ��� ������ ��-

�묨 �� ‫���� ﬨ‬室��� �ਬ����� �ண ��, ��������-

��� EXTRHDR, �� ��� �����祭��
����

-

��� � ��������� �� ��. (���

�⢥��� ���뢠 �).

�ண ��

�������� ��� ������ �� � PKZIP ���

2.04, ��� � ��� ������� �� , �� ��� � �

������ ��

���� � �� -

���騬� ����‫ ﬨ‬PKZIP'�.
��� ������������ ZEXPL2 ?
--------------------------������� EXTRHDR � �� ��

- ������ ��娢�. �� ������� ��-

�ଠ��, ����室���� ��� ZEXLP2 �
����

� � ����

����

���� ��

� ENCRHDRS.DAT. ����� ����

����� �� � - AVAIL.CHR. � �

��

����, ����� �� ������� ������� � �� �.

�������� !
�� ���� ��������� � ���� ���� ������ �������� �������, ��������
������ � ����� ����� !!!
��

���� ���-�� �室�� � ��ப� �� �.

������ ����� ���� �� ZEXPL2 � �� ��� �
� AVAIL.CHR.
��

���� ENCRHDRS.DAT

�, ��� ZEXPL2 ��襫 �� �, ��襤訩 ���� � �ᥬ�

����, � �� �����뢠�� ��� �� �, ��������, �뤠��
��������� �� � � �������� ��� �
� �

� � ������ - �蠩�

�� �ਢ���

�饭�� �

� PASSWORD.TXT. � � �� ��

� ! � ��筮

���� ��ਮ��-

� PASSWORD.TXT � � ����� ���� �� �.
��������� ����������� ���������.
----------------------------------

��ଠ�

�� ENCRHDRS.DAT :

���饭��
--------

�����
-----

0

���祭��
---------------���� ����� �� ������

12d

���������

(���� 12 ���� ��

�����
��

��)

12d

1d

���訩 ���� CRC32

13d

3d

�� ������� - �� � ������.

�� ������� �

�� �����

����� :

�� ��� ��ॡ�� �� �� ���� �

���饬 ���浪� :

aaa,aab,aac,...,aba,abb,abc � �.�., � ���� 쭮 �� ���
� ������

����, �� ��� ���� ��譨�

�� �쪮 �

��� ����� ��������

��� �ண �� �� ������ �� ��.

���� ���

�, �� �������� �� � � ����, � ���樠�쭮

�ய��樮���쭠 ��������
����

��

���, �� ��� �� ��娢�. ���ਬ��,

� ���� ���� ��� �訡�� 1/256 (0,39%), ���

(0,0015%) , ��
���� � ��

�� - 1/16777216 (0,00000596%). ���������

������

���� ��

�� - 1/65536
���

७����� � � ��쭮�� �� �. �� �뢥-

��� ������� ��砩��� �ᥫ, � �� ��� PKZIP'��.
� ������ "������� !" ...
--------------------------

������ ����客� � �������� :) �������� - � ����

!,

������ ���� ���� (Dummy Animator) - �� ������ �� ���� ��
������ ��

�� ��� �� �

��� �� �ண �� ����,

������ ��������� � �� � ��મ���� - �� �� ������ � �ਥ��樨
� ����ਭ� ����,
���� த� � - ����� �������筮 ���� "��� � !", �� �
���� ���, � �� ���� � � � � ...,
����� ���� ����� - �� ���� ��訩 ��७� ���� ���� - �� ��� ���� �� PKZIP'��
��

���騥 ���

PKZIP'� ����

����� ��,

�� ���� ?,

��� ��� , � � �������,

� � , � , �

�� ��, ���� � (��)���� !
���� ���, ������ !

� ������訬� ��������‫ﬨ‬,
�� � ���� � �� ��� ,
������� 1993.
P.S.
���� ��-� �� ? ��� ��諨 ��ન ?
���� :
117465, �����, �� �, �.���� � � ����, 17, 69,
�� � ���� � ��� ��� �.
P.P.S.
����, �� � � ARJ ����� ������ ���-� �� ������ � ��襬 ��砥. �� ���

�, ����� � ���뢠� �� � ARJ, � �2 �� ����

��.

P.P.P.S.
����� � ���� �

, �� ��� �ண �� � 譮 �믮����� �� �

������� - ���� � ��室�� � ����, ��� ���뫠 �� � � ��室�����
�� ������ �譨��. �� 4(����) ������ !
#