File encrypted! How can I open it!! HELP!!

Search This thread

CXZa

Senior Member
Apr 9, 2013
646
198
cxzstuff.blogspot.com
I'm kind of lost here. On hex editor, I searched favorites.list. That's what it highlighted?

Here is another favorites.list dumper specially for you. Based on your screenshot.
1610490663727-png.5185485

It makes three files Favorites.list1.zip which can be used with my password tester.
Favorites.list2.zip has the extra tail in it. Favorites.list3.zip has a bit more just for checking.
(And making them all public doesn't reveal nothing of you...)

I could not do this any easier for you than this...:p
 

Attachments

  • Favorites.list_dumper2_[cxz].zip
    16.7 KB · Views: 5
Last edited:

CXZa

Senior Member
Apr 9, 2013
646
198
cxzstuff.blogspot.com
My Favorites.list.zip made about normal. Normal enough that some other tools might give it green light and don't complain about it. For plaintext-attack it might not work, not with the older tools anyway, but bruteforce etc. methods work. Also something like the SureZip Recovery might work, but for that at least five files is needed from the zip file...
 

Attachments

  • Favorites.list.zip
    414 bytes · Views: 4
Last edited:

CXZa

Senior Member
Apr 9, 2013
646
198
cxzstuff.blogspot.com
That's why I really wanted to try and separate 1 of the files in there and share publicly.

Well...? It should not be difficult now...

Could not get that Kraken thing to work. Failed in error after start but some better if run as long as this thread is old, could be quite close to success by now...

I finally read something about zip format... (I usually like to figure out things the hard way.)

They have used data description that is what that tail is. Above compressed data is also file sizes. So, removed from one place and put into two...
-- > ZIP64 format...
00000000 50 4B 03 04 2D 00 09 08 08 PK..-....
Compression is somehow wrong as one can see that compressed is bigger than the original. Zipcrypto Store it should be. Strong encryption flag is not set.
 
Last edited:

AkiraPerera04

Senior Member
Apr 15, 2018
167
7
Well...? It should not be difficult now...

Could not get that Kraken thing to work. Failed in error after start but some better if run as long as this thread is old, could be quite close to success by now...

I finally read something about zip format... (I usually like to figure out things the hard way.)

They have used data description that is what that tail is. Above compressed data is also file sizes. So, removed from one place and put into two...
-- > ZIP64 format...

Compression is somehow wrong as one can see that compressed is bigger than the original. Zipcrypto Store it should be. Strong encryption flag is not set.

Hi, thanks for your message. Hmmm, sounds pretty complicated. So the idea is to extract the favorites file, then crack that file right?

Alright, you sent quite a lot of information recently. As of now, what should I be doing? (Sorry, I just got a bit lost lol!)

Thanks!

EDIT: "Close to success". Sorry, I'm not understanding.
 

CXZa

Senior Member
Apr 9, 2013
646
198
cxzstuff.blogspot.com
Hi, thanks for your message. Hmmm, sounds pretty complicated. So the idea is to extract the favorites file, then crack that file right?
Right.
Alright, you sent quite a lot of information recently. As of now, what should I be doing? (Sorry, I just got a bit lost lol!)
You should share that zip dumped (or all three), so others, if they like, could try their methods/tools if any. I can edit it same way I did mine if necessary.

Or, you can continue on your own... ¯\_(ツ)_/¯

Thanks!

EDIT: "Close to success". Sorry, I'm not understanding.

Well, closer anyway... if run almost 2 months...
 

AkiraPerera04

Senior Member
Apr 15, 2018
167
7
So, you found the right spot. Now just take a screen shot like mine. If necessary scroll it a bit up like two lines so that the word "PK" is showing. And so that at the end shows ÿÿÿÿÿÿÿÿ or as hex FF FF FF... That small bit. My Favorites.list is included in the last WonderShare-Zip-Password-Tester_[cxz].zip, also the zip so if interested one can test the bat and get the password used for it...

Or use the tool...

I chose the Favorites.list because it doesn't give any info. And also because it might be used in known-plaintext attack... What I noticed that my backup was packed using deflate while yours was deflate64, but there is tools for that format too...

Alright, I found the "favorites.list" again. Scrolled up a bit and saw the PK. Here's the screenshot.
1611083898930.png


Is that alright?

Thanks.
 

CXZa

Senior Member
Apr 9, 2013
646
198
cxzstuff.blogspot.com
Alright, I found the "favorites.list" again. Scrolled up a bit and saw the PK. Here's the screenshot.
View attachment 5192575

Is that alright?

Thanks.

If you open that first zip you'll see that is starts about the same spot but is just a bit bigger. See that D4? That is the size we still need.

So, hex D4 or 212 bytes more down needed...

Why this trouble as the batch does it for you?

Anyways at least I would like to test some more basenames for it.

As Dr.Fone didn't work for me very well, I tried Cheat Engine to search values from its memory.
Could not find those that I had put to the basenames list. Maybe I didn't try all, but anyways it must be something quite simple like
it's in their other programs. But what, dammit.
 

AkiraPerera04

Senior Member
Apr 15, 2018
167
7
If you open that first zip you'll see that is starts about the same spot but is just a bit bigger. See that D4? That is the size we still need.

So, hex D4 or 212 bytes more down needed...

Why this trouble as the batch does it for you?

Anyways at least I would like to test some more basenames for it.

As Dr.Fone didn't work for me very well, I tried Cheat Engine to search values from its memory.
Could not find those that I had put to the basenames list. Maybe I didn't try all, but anyways it must be something quite simple like
it's in their other programs. But what, dammit.

Oh, I just followed what you said before.

I just don't feel safe to have a batch file automate a task when I'm not sure what it's doing.

So how much higher should I scroll up? I thought that was fine.
 

CXZa

Senior Member
Apr 9, 2013
646
198
cxzstuff.blogspot.com
Okay. But you can see that it's just a batch file doing basic dd commands. And you see the results even...

Next 14 lines DOWN after that you now sent. That is the minimum needed... noT much...
 
Last edited:

CXZa

Senior Member
Apr 9, 2013
646
198
cxzstuff.blogspot.com
Alright cool. Can you explain why it had to be selected like that? It seems a bit random.

So what happens now?

Thanks!

I don't know. (It was you who made it a bit difficult - but it's better safe than sorry...)

Maybe someone with more knowledge comes and shows us how it's done giving us just the right password.. LOL
Probably not on next week, but at least now it's possible...

It could have been any file but for plain-text attack the favorites is ideal as in its case we know it's contents. Or can be pretty damn sure.
Now, somebody just trick a Wondershare product to do a zip without any password and we're done really. Or if someone with knowledge does some similar zip having the same specs but no encryption...
Also I haven't tested any new plain-text tools yet.. So, maybe these days everything doesn't have to be so exact - maybe...

edit: crc-32 value matches mine, so our favorites.list is the same.
 
Last edited:

AkiraPerera04

Senior Member
Apr 15, 2018
167
7
I don't know. (It was you who made it a bit difficult - but it's better safe than sorry...)

Maybe someone with more knowledge comes and shows us how it's done giving us just the right password.. LOL
Probably not on next week, but at least now it's possible...

It could have been any file but for plain-text attack the favorites is ideal as in its case we know it's contents. Or can be pretty damn sure.
Now, somebody just trick a Wondershare product to do a zip without any password and we're done really. Or if someone with knowledge does some similar zip having the same specs but no encryption...
Also I haven't tested any new plain-text tools yet.. So, maybe these days everything doesn't have to be so exact - maybe...

No, as in, why was that amount of info necessary. (What was wrong with the short one I shared initially).

Alright I see! So as of right now, we're waiting for someone to chime in, or for yourself to crack it with bruteforce?

Thanks.
 

CXZa

Senior Member
Apr 9, 2013
646
198
cxzstuff.blogspot.com
The first one contained just the name of the file and it size. This next one has it and the file itself encrypted.

I try my own tool first - and most likely fail miserably...
But it's a start at least... And maybe I'll play with some other options too...

And then someday, after a year or twelve, I might answer to this thread: I finally cracked it!
The pass is: ******* (f... I forgot the rest...)
 

AkiraPerera04

Senior Member
Apr 15, 2018
167
7
The first one contained just the name of the file and it size. This next one has it and the file itself encrypted.

I try my own tool first - and most likely fail miserably...
But it's a start at least... And maybe I'll play with some other options too...

And then someday, after a year or twelve, I might answer to this thread: I finally cracked it!
The pass is: ******* (f... I forgot the rest...)

Ahhh right that makes sense.

I see haha! I appreciate you helping out, I really hope you can figure out that password! That would be the best thing ever honestly lol!

As for now, is there anything else I can do now to help?

Thanks!
 

CXZa

Senior Member
Apr 9, 2013
646
198
cxzstuff.blogspot.com
As for now, is there anything else I can do now to help?

Thanks!

Well, you could do the same as my dumper bat using that hex editor.
Like this. Press ctrl+e. Put hex 37113E36 to the first field and 128 to the last (lenght). Then ok and copy it ctrl+c. Then make a new file ctrl+n. Paste ctrl+v and save ctrl+s. And upload that file here.
It's the same as the Favorites.list2.zip. That is that tail is included.
 

CXZa

Senior Member
Apr 9, 2013
646
198
cxzstuff.blogspot.com
best thing ever

I extracted the text from you pic, but do the above anyway.
Or do Like this. Press ctrl+e. Put hex 37113E36 to the first field and 128 to the last (lenght). Then ok and go analysis alt+a, checksums c and there select crc-32 and ok. If the value is not 12E53A1A then the OCR failed and I have a typo...
Then do what is in previous post and upload here or PM the file...
 
Last edited:

AkiraPerera04

Senior Member
Apr 15, 2018
167
7
Well, you could do the same as my dumper bat using that hex editor.
Like this. Press ctrl+e. Put hex 37113E36 to the first field and 128 to the last (lenght). Then ok and copy it ctrl+c. Then make a new file ctrl+n. Paste ctrl+v and save ctrl+s. And upload that file here.
It's the same as the Favorites.list2.zip. That is that tail is included.

Hi, thanks for your message.

How exactly is this helping the situation?

"tail", I remember you mentioned that before. What does that mean?

Thanks.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 1
    Because I'm talking about that other package and programs inside it. You are still trying to use the command line versions...
    Do this, it's simpler...

    NOOO WAYYYY!!!!!! IT ACTUALLY WORKED!! I wish I could pay u a billion pounds loll!! I would never have figured any of this out, and probably would never have gotten the contents back.
    Can't believe it honestly, started this thread months ago and honestly wasn't expecting the backup to be retrieved!!

    A random key you posted earlier just worked when prompted with the password.


    All of my files and stupid photos on my S4 are all retrieved!! Dating back as far as Christmas 2014!!

    Thanks for all of your effort in this, appreciate it a ton. I'm sooo happpppyy!!


    Perhaps a moderator should pin/take notice on this thread, an amazing success story from a member at the XDA forums haha! Great advertising lol!!
    1
    Yes, that looks like a Wondershare backup file for sure...

    Updated the batch file and readme too. Now it says if there is no list files. Also paths with spaces work now. Same download address.

    Dude, you're a God in disguise. IT WORKED. Thank you. THANK YOU. I am speechless. 3 years I tried and here you are my savior. THANK YOU again, from the bottom of me heart.
  • 1

    Alright, so I tried that exact file you linked. I dragged my bak file over the bat file and let it run. It didn't work!!

    Any ideas? Sees uncrackable at the moment lol! So annoying!

    Thanks.
    1
    Me again:

    As you were already told the password is stored in AES 256 encrypted manner within the archive - keywords: Archive Decrpytion Header, Archive Extra Data Record.

    AFAIK there is no publicly-known way to extract - will say: decipher - the AES key with non-trivial probability, given any number of plaintext-ciphertext pairs, in a practical amount of time using a practical amount of computing resources.

    My advice: Stop wasting your time with this, or take the password-protected archive to NSA in order to decipher it - may be they have the appropriate tools and computer resources. :)
    1
    I think what jwoegerbauer is saying is you might need a supercomputer to crack it.

    Ah, either that or I'll just leave my pc on for a few weeks lol!
    1
    New version of WonderShare Zip Password Tester
    Download: https://yadi.sk/d/KLBMhwOL-or45g

    Updated. Now you can use spaces in passwords. Also added new default Dr.Fone password to the basenames.txt. Got it from the memory using Cheat Engine...

    What @AkiraPerera04 could do is get a Mac, virtual or real one and install every damn Wondershare software into it. And then grab those passwords from the memory. Cheat Engine is available for Mac too. Use program id (in installer filename or Info.plist / InfoPlist.strings ) as a search string. Try also UTF-16 strings.

    VirtualBox_IE11 - Win7_22_01_2021_20_58_08.png
    1
    get a Mac, virtual

Our Apps
Get our official app!
The best way to access XDA on your phone
Nav Gestures
Add swipe gestures to any Android
One Handed Mode
Eases uses one hand with your phone