File encrypted! How can I open it!! HELP!!

CXZa

Senior Member
Apr 9, 2013
604
192
73
cxzstuff.blogspot.com
I'm kind of lost here. On hex editor, I searched favorites.list. That's what it highlighted?
Here is another favorites.list dumper specially for you. Based on your screenshot.

It makes three files Favorites.list1.zip which can be used with my password tester.
Favorites.list2.zip has the extra tail in it. Favorites.list3.zip has a bit more just for checking.
(And making them all public doesn't reveal nothing of you...)

I could not do this any easier for you than this...:p
 

Attachments

Last edited:

CXZa

Senior Member
Apr 9, 2013
604
192
73
cxzstuff.blogspot.com
My Favorites.list.zip made about normal. Normal enough that some other tools might give it green light and don't complain about it. For plaintext-attack it might not work, not with the older tools anyway, but bruteforce etc. methods work. Also something like the SureZip Recovery might work, but for that at least five files is needed from the zip file...
 

Attachments

Last edited:

CXZa

Senior Member
Apr 9, 2013
604
192
73
cxzstuff.blogspot.com
That's why I really wanted to try and separate 1 of the files in there and share publicly.
Well...? It should not be difficult now...

Could not get that Kraken thing to work. Failed in error after start but some better if run as long as this thread is old, could be quite close to success by now...

I finally read something about zip format... (I usually like to figure out things the hard way.)

They have used data description that is what that tail is. Above compressed data is also file sizes. So, removed from one place and put into two...
-- > ZIP64 format...
00000000 50 4B 03 04 2D 00 09 08 08 PK..-....
Compression is somehow wrong as one can see that compressed is bigger than the original. Zipcrypto Store it should be. Strong encryption flag is not set.
 
Last edited:

AkiraPerera04

Senior Member
Apr 15, 2018
145
6
18
Well...? It should not be difficult now...

Could not get that Kraken thing to work. Failed in error after start but some better if run as long as this thread is old, could be quite close to success by now...

I finally read something about zip format... (I usually like to figure out things the hard way.)

They have used data description that is what that tail is. Above compressed data is also file sizes. So, removed from one place and put into two...
-- > ZIP64 format...

Compression is somehow wrong as one can see that compressed is bigger than the original. Zipcrypto Store it should be. Strong encryption flag is not set.
Hi, thanks for your message. Hmmm, sounds pretty complicated. So the idea is to extract the favorites file, then crack that file right?

Alright, you sent quite a lot of information recently. As of now, what should I be doing? (Sorry, I just got a bit lost lol!)

Thanks!

EDIT: "Close to success". Sorry, I'm not understanding.
 

CXZa

Senior Member
Apr 9, 2013
604
192
73
cxzstuff.blogspot.com
Hi, thanks for your message. Hmmm, sounds pretty complicated. So the idea is to extract the favorites file, then crack that file right?
Right.
Alright, you sent quite a lot of information recently. As of now, what should I be doing? (Sorry, I just got a bit lost lol!)
You should share that zip dumped (or all three), so others, if they like, could try their methods/tools if any. I can edit it same way I did mine if necessary.

Or, you can continue on your own... ¯\_(ツ)_/¯

Thanks!

EDIT: "Close to success". Sorry, I'm not understanding.
Well, closer anyway... if run almost 2 months...
 

AkiraPerera04

Senior Member
Apr 15, 2018
145
6
18
So, you found the right spot. Now just take a screen shot like mine. If necessary scroll it a bit up like two lines so that the word "PK" is showing. And so that at the end shows ÿÿÿÿÿÿÿÿ or as hex FF FF FF... That small bit. My Favorites.list is included in the last WonderShare-Zip-Password-Tester_[cxz].zip, also the zip so if interested one can test the bat and get the password used for it...

Or use the tool...

I chose the Favorites.list because it doesn't give any info. And also because it might be used in known-plaintext attack... What I noticed that my backup was packed using deflate while yours was deflate64, but there is tools for that format too...
Alright, I found the "favorites.list" again. Scrolled up a bit and saw the PK. Here's the screenshot.
1611083898930.png


Is that alright?

Thanks.
 

CXZa

Senior Member
Apr 9, 2013
604
192
73
cxzstuff.blogspot.com
Alright, I found the "favorites.list" again. Scrolled up a bit and saw the PK. Here's the screenshot.
View attachment 5192575

Is that alright?

Thanks.
If you open that first zip you'll see that is starts about the same spot but is just a bit bigger. See that D4? That is the size we still need.

So, hex D4 or 212 bytes more down needed...

Why this trouble as the batch does it for you?

Anyways at least I would like to test some more basenames for it.

As Dr.Fone didn't work for me very well, I tried Cheat Engine to search values from its memory.
Could not find those that I had put to the basenames list. Maybe I didn't try all, but anyways it must be something quite simple like
it's in their other programs. But what, dammit.
 

AkiraPerera04

Senior Member
Apr 15, 2018
145
6
18
If you open that first zip you'll see that is starts about the same spot but is just a bit bigger. See that D4? That is the size we still need.

So, hex D4 or 212 bytes more down needed...

Why this trouble as the batch does it for you?

Anyways at least I would like to test some more basenames for it.

As Dr.Fone didn't work for me very well, I tried Cheat Engine to search values from its memory.
Could not find those that I had put to the basenames list. Maybe I didn't try all, but anyways it must be something quite simple like
it's in their other programs. But what, dammit.
Oh, I just followed what you said before.

I just don't feel safe to have a batch file automate a task when I'm not sure what it's doing.

So how much higher should I scroll up? I thought that was fine.
 

CXZa

Senior Member
Apr 9, 2013
604
192
73
cxzstuff.blogspot.com
Okay. But you can see that it's just a batch file doing basic dd commands. And you see the results even...

Next 14 lines DOWN after that you now sent. That is the minimum needed... noT much...
 
Last edited:

AkiraPerera04

Senior Member
Apr 15, 2018
145
6
18
Okay. But you can see that it's just a batch file doing basic dd commands. And you see the results even...

Next 14 lines DOWN after that you now sent. That is the minimum needed... now much...
Ah okay I see. Hold on.

Also, how do you know it's 14 lines as a minimum?
 

CXZa

Senior Member
Apr 9, 2013
604
192
73
cxzstuff.blogspot.com
Alright cool. Can you explain why it had to be selected like that? It seems a bit random.

So what happens now?

Thanks!
I don't know. (It was you who made it a bit difficult - but it's better safe than sorry...)

Maybe someone with more knowledge comes and shows us how it's done giving us just the right password.. LOL
Probably not on next week, but at least now it's possible...

It could have been any file but for plain-text attack the favorites is ideal as in its case we know it's contents. Or can be pretty damn sure.
Now, somebody just trick a Wondershare product to do a zip without any password and we're done really. Or if someone with knowledge does some similar zip having the same specs but no encryption...
Also I haven't tested any new plain-text tools yet.. So, maybe these days everything doesn't have to be so exact - maybe...

edit: crc-32 value matches mine, so our favorites.list is the same.
 
Last edited:

AkiraPerera04

Senior Member
Apr 15, 2018
145
6
18
I don't know. (It was you who made it a bit difficult - but it's better safe than sorry...)

Maybe someone with more knowledge comes and shows us how it's done giving us just the right password.. LOL
Probably not on next week, but at least now it's possible...

It could have been any file but for plain-text attack the favorites is ideal as in its case we know it's contents. Or can be pretty damn sure.
Now, somebody just trick a Wondershare product to do a zip without any password and we're done really. Or if someone with knowledge does some similar zip having the same specs but no encryption...
Also I haven't tested any new plain-text tools yet.. So, maybe these days everything doesn't have to be so exact - maybe...
No, as in, why was that amount of info necessary. (What was wrong with the short one I shared initially).

Alright I see! So as of right now, we're waiting for someone to chime in, or for yourself to crack it with bruteforce?

Thanks.
 

CXZa

Senior Member
Apr 9, 2013
604
192
73
cxzstuff.blogspot.com
The first one contained just the name of the file and it size. This next one has it and the file itself encrypted.

I try my own tool first - and most likely fail miserably...
But it's a start at least... And maybe I'll play with some other options too...

And then someday, after a year or twelve, I might answer to this thread: I finally cracked it!
The pass is: ******* (f... I forgot the rest...)
 

AkiraPerera04

Senior Member
Apr 15, 2018
145
6
18
The first one contained just the name of the file and it size. This next one has it and the file itself encrypted.

I try my own tool first - and most likely fail miserably...
But it's a start at least... And maybe I'll play with some other options too...

And then someday, after a year or twelve, I might answer to this thread: I finally cracked it!
The pass is: ******* (f... I forgot the rest...)
Ahhh right that makes sense.

I see haha! I appreciate you helping out, I really hope you can figure out that password! That would be the best thing ever honestly lol!

As for now, is there anything else I can do now to help?

Thanks!
 

CXZa

Senior Member
Apr 9, 2013
604
192
73
cxzstuff.blogspot.com
As for now, is there anything else I can do now to help?

Thanks!
Well, you could do the same as my dumper bat using that hex editor.
Like this. Press ctrl+e. Put hex 37113E36 to the first field and 128 to the last (lenght). Then ok and copy it ctrl+c. Then make a new file ctrl+n. Paste ctrl+v and save ctrl+s. And upload that file here.
It's the same as the Favorites.list2.zip. That is that tail is included.
 

CXZa

Senior Member
Apr 9, 2013
604
192
73
cxzstuff.blogspot.com
best thing ever
I extracted the text from you pic, but do the above anyway.
Or do Like this. Press ctrl+e. Put hex 37113E36 to the first field and 128 to the last (lenght). Then ok and go analysis alt+a, checksums c and there select crc-32 and ok. If the value is not 12E53A1A then the OCR failed and I have a typo...
Then do what is in previous post and upload here or PM the file...
 
Last edited:

AkiraPerera04

Senior Member
Apr 15, 2018
145
6
18
Well, you could do the same as my dumper bat using that hex editor.
Like this. Press ctrl+e. Put hex 37113E36 to the first field and 128 to the last (lenght). Then ok and copy it ctrl+c. Then make a new file ctrl+n. Paste ctrl+v and save ctrl+s. And upload that file here.
It's the same as the Favorites.list2.zip. That is that tail is included.
Hi, thanks for your message.

How exactly is this helping the situation?

"tail", I remember you mentioned that before. What does that mean?

Thanks.