

              GuaExcel (Guaranteed Excel Decryptor)
        MS Excel 97/2000 .xls encrypted files decryptor

                            v. 1.6

        (c) Copyright PSW-soft 2000-2005 by P. Semjanov


1. Objectives and characteristics.
2. Working with the program.
  2.1. Running 2, 5, 10-clients and unlimited GuaExcel versions.
3. Ordering and contact information.
4. FAQ.
5. Special thanks.


THIS PROGRAM  IS DISTRIBUTED  "AS IS".  USE IT  AT YOUR OWN RISK.
GuaExcel comes with ABSOLUTELY NO WARRANTY. The AUTHOR  also DOES
NOT GUARANTEE releasing any future VERSIONS of the program.

This  program has two versions:

  1) FREEWARE DEMO (with some limitations) that can be
distributed freely under the following conditions: the program
code should not be changed and has to be distributed in its
original form. Any commercial use of this version is prohibited.
Support of this version is also not guaranteed.

  2) COMMERCIAL (fully functional) that can't be distributed in
any form without the explicit written permission of the author.

Also, there are some commercial version modifications.


1. Objectives and characteristics.

The program GuaExcel decrypts MS Excel 97/2000 (v. 8.0 and 9.0)
and Excel XP / 2003 / 2005 (default 40-bit encryption mode only)
files encrypted with a password for opening (do not use it to
find workbook, individual sheet, read-only or other passwords).
It is not a PASSWORD recovery program: the decryption of any
file is GUARANTEED regardless of the password used. (If you're
using Excel 6.0/7.0, there are a lot of decryption utilities.
Moreover, the French version of MS Excel allows much faster
decryption, and you don't need this program in that case.)

It is well known that Excel, starting from v. 8.0, uses RC4
stream encryption, which is cryptographically strong.
(Un)fortunately, because of U.S. crypto export regulations, the
key length is only 40 bits. Not long ago it was impossible for
individuals to test all keys, but nowadays the power of a modern
PC is sufficient for that procedure.

To crack ANY Excel 97/2000 password you need to test 2^40 keys
(no matter how long the password is or what charset and national
symbols it uses). This is implemented in the program, and at a
speed of about 2,000,000 keys/s on a Core 2 Duo E6300 you will
need about 8 days to finish. (Of course, on average you will need
only half of this time.) The faster your computer, the sooner
the password is found.

To speed up cracking, a simple distributed and/or multiprocessor/
multicore computing mechanism is included in the GuaExcel
program (*).

(*) - not in the DEMO version

The whole keyspace is divided into 16384 (0-16383) "megakeys"
(simply called "keys" below), and each of them can be tested in
parallel on a separate computer. Testing one key takes about
0.5-1 minute on a Core 2 Duo. So, if you've got a hundred
computers on your LAN, you could find the right key in a few
minutes.

GuaExcel also supports file-independent (super) keys. They are
tested 2 times slower, but if you find such a key for one file,
any other file with the same password can be decrypted instantly.


2. Working with the program.

There are local and  network GuaExcel  versions. Please  read the
appropriate section.

You may run the GuaExcel program under Win32 (Windows 95/98/Me,
Windows NT/2000/XP) and Linux.

2.1. Running 2, 5, 10-clients and unlimited GuaExcel versions

To use the power of several computers, and also of dual/dual-core/
SMP computers, GuaExcel provides a distributed computing mechanism:
a shared file (with the .key extension) is created in the current
directory at the first program run. Thus, you will need WRITE
PERMISSION to the current (shared) directory. (You also need
write permission to the temporary directory.) Do not delete or
modify this file unless you are sure that this is the right thing
to do.

You may interrupt and restart any client at any time. Don't
worry if some client is accidentally interrupted by a power-off:
the worst that can happen is that you'll need to restart some
(or all) clients. There is no situation in which information about
already tested keys will be lost (that's why you shouldn't modify
the .key file).

Normally, there should be no interrupted keys in the .key file,
but they can appear if the computer accidentally powers off or if
you interrupt the program while running on Windows NT. To resolve
the problem with interrupted keys, look at the messages of the
LAST client to finish. If it says "ATTENTION: There are some
possibly interrupted keys", rerun this client with the /r option
and the same keyspace. The program will retest all interrupted
keys.

Please note that since GuaExcel version 1.2 the first running
client may be considered the "server". The decryption takes place
on this client only. This is convenient: there is no need to
control all clients. Therefore, the first client should always be
running (see FAQ for details).


2.1.1. For key searching, use the following command line:

   GuaExcel [options] <xls_file> [<start_key> [<end_key>]],
where:

<xls_file> is an Excel 97/2000 file with a password (for opening).

Parameters in [] brackets are optional:
   <start_key> is the key to start from (0-16383), default = 0;
   <end_key> is the last key to test (0-16383), default = 16383.

When the right key is found, the .xls file will be decrypted.
Because the .xls file format is complex and undocumented, the
decryption procedure may fail (and the file will be corrupted);
therefore making a backup copy of your file is ABSOLUTELY
NECESSARY.

Options available on any client:
   /pXYZ     uses crypto functions #X,Y,Z;
   /s        searches for a file-independent key.

Options available on the first client only:

   /r        restarts cracking after any accident;
   /1        forces first client mode.

The /r option may be useful if an accident has occurred, such as
a power failure or a decryption that failed for some reason. This
option sets the number of running clients to zero and converts
all interrupted keys (see below) to "not tested" ones. Of course,
it doesn't change any other keys; already tested keys won't be
tested again. NOTE: Use the /r option when no clients are running.

The /s option is useful if you've got a lot of files and know
they are encrypted with the same password. Once you find the key
for one file (using this option), all the remaining files can be
decrypted instantly with the found key (see 2.2.2). NOTE:
searching for such a key is 2 times slower, so it makes sense for
3 or more files with the same password. It is not possible to run
some clients with the /s option and others without it.

The /pXYZ option may be used if the automatic procedure for
choosing the best code for your processor does so incorrectly. In
this case you may manually set which crypto functions should be
used. Some information about the available crypto functions may
be obtained with the /t option.

The /1 option should be used to start the first client again
after an interruption. There is no need to interrupt the other
clients when starting the first one.

During the search, a file with the .key extension is created in
the current directory at the first run of the GuaExcel program.
Do not delete or modify this file unless you are sure that this
is the right thing to do.

Normally, there should be no interrupted keys in the .key file,
but they can appear if the computer accidentally powers off or if
you interrupt the program while running on Windows NT. To resolve
the problem with interrupted keys, look at the messages when
GuaExcel finishes. If it says "ATTENTION: There are some possibly
interrupted keys", rerun it with the /r option and the same
keyspace. The program will retest all interrupted keys.


2.1.2. To decrypt an Excel file with a known key or password, use:

   GuaExcel /p <known_password> <xls_file>  or
   GuaExcel [/s] <xls_file> <known_key>
where:

<xls_file> is an Excel 97/2000 file with a password (for opening).
<known_password> is the password for this file.
<known_key> is a 10-digit hex number (for example, 123456789A).
The /s option indicates that <known_key> is a file-independent key
(see above).

   Decrypting with a known password may be useful if, for example,
you wish to recover a broken file. Most Office recovery software
doesn't support encrypted files. This GuaExcel feature gives a
chance to recover such a file.


2.1.3. Useful examples on running GuaExcel on one single-core,
single-processor computer:

   Although the  sections above  may be  considered too  complex,
normally running GuaExcel is very simple:

1) To crack the TEST.XLS file, use:
   GuaExcel TEST.XLS

It will test all possible keys and decrypt the file when the  key
is found. Note  again, it may  take a long  time on one  computer
(the program prints how long exactly).

The  program  can   be  interrupted  by  pressing Ctrl-C once and
continued by  running with  the same  options (no  need to change
the keyspace range - it will be picked up automatically).

2) If an accident has occurred (such as a power failure, a failed
decryption, etc.), you may continue from the last untested key by
using:

   GuaExcel /r TEST.XLS

3) To decrypt the file TEST.XLS with the password PASS, use:
   GuaExcel /p PASS TEST.XLS

4) To decrypt TEST.XLS using the key 'A0 B1 C2 D3 E4':

   GuaExcel TEST.XLS A0B1C2D3E4

if the key is file-dependent (valid for this file only), or

   GuaExcel /s TEST.XLS A0B1C2D3E4

if the key is file-independent.

2.1.4. Useful examples on running GuaExcel on the multicore,
multiprocessor computer:

1) Start as many copies of the program as you have physical
CPUs/cores:

   GuaExcel TEST.XLS


2.1.5. Useful examples on running GuaExcel on the network

1) To crack the TEST.XLS file on several computers on the LAN,
copy the GuaExcel program and the TEST.XLS file to the shared
directory and use the simple command line:

   GuaExcel TEST.XLS

The first client started is special and is the one that actually
performs the decryption. Any client can be interrupted by pressing
Ctrl-Break once and continued by running it with the same options
(no need to change the keyspace range - it will be picked up
automatically). After interrupting the first client, continue it
with the special /1 option, like:

   GuaExcel /1 TEST.XLS

2) To crack TEST.XLS on two separate LANs or on two separate
computers (e.g. at home and at work), use:

   GuaExcel TEST.XLS 0 8191   - on first LAN
   GuaExcel TEST.XLS 8192     - on second LAN

   Use similar command lines for several LANs. Note that the number
of available clients will be reduced on every LAN.

3) To search for a file-independent key, run every client with
the /s option:

   GuaExcel /s TEST.XLS

   When the key for this file is found, all files with the same
password can be decrypted instantly (see example 5).
NOTE: searching for such a key is 2 times slower.

4) If an accident has occurred (such as a power failure or a
decryption that failed for some reason), you may continue from
the last untested key by running on the FIRST client:

   GuaExcel /r TEST.XLS

No other clients should be running at this time; start them in
the normal way.

3. Ordering and contact information.

The program support URL is
    http://www.password-crackers.com/crack/guaexcel.html

There you will find the link to the ordering page. There are four
commercial versions:
     2 client version         - $25;  (for individual users)
     5 clients (max) version  - $42.95;
    10 clients (max) version  - $59;  (to use on networks)
    unlimited version         - $150.

You can also contact the author:
    e-mail: pavel@semjanov.com


A lot of great password crackers are at
    http://www.password-crackers.com

Although I already mentioned that I will not accept any claims,
I shall be grateful to hear about obvious errors, such as:

- the program hangs  at brute force;
- the   program  does   not  find   the  key   of  a  given  file
although all keys were tested.

I appreciate any constructive ideas for improving this program.


4. FAQ.

4.1. Questions about all GuaExcel versions

4.1.1. How to interrupt and continue searching?

The  program can  be interrupted  by pressing Ctrl-Break once and
continued by  running with  the same  options (no  need to change
the keyspace range - it will be picked up automatically).

(*) Continuing is impossible in the freeware version.

See also Q. 4.3.1.

4.1.2. What do the values in .key file mean?

The first 16 bytes are special. The byte at offset n holds the
state of key (n-16) and may be one of 3 values: 0 - the key is
not tested yet, 1 - the key was tested and is not the right one,
2 - the key is being tested now (or may be an interrupted key).

So, if after the test of a given keyspace is completed there are
still some values (in this keyspace) that are not equal to 1,
then there must be a bug in the program. Keys that have not been
tested can be tested by simply running the program on this
keyspace again with the /r option.
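
Added example (not part of GuaExcel or of the original
documentation): a small Python reader for the .key layout described
in 4.1.2, which counts the key states and lists the ranges that
still need testing. It assumes the file holds one state byte for
each of the 16384 keys after the 16-byte header; the function names
and the sample data are constructed for illustration.

```python
"""Summarize a GuaExcel .key progress file (layout from FAQ 4.1.2)."""
import sys
from collections import Counter

HEADER_LEN = 16     # "first 16 bytes are special": treated as opaque here
NUM_KEYS = 16384    # keys 0..16383
NOT_TESTED, TESTED, IN_PROGRESS = 0, 1, 2


def summarize(data, start=0, end=NUM_KEYS - 1):
    """Count key states in [start, end] and list ranges still to be tested."""
    if not 0 <= start <= end < NUM_KEYS:
        raise ValueError("key range must lie within 0..16383")
    if len(data) < HEADER_LEN + NUM_KEYS:  # assumption: one state byte per key
        raise ValueError("file too short to hold 16384 state bytes")

    counts = Counter()
    pending = []      # contiguous (first, last) runs of keys not in state 1
    unexpected = []   # keys whose byte is not 0, 1 or 2
    for key in range(start, end + 1):
        state = data[HEADER_LEN + key]
        counts[state] += 1
        if state not in (NOT_TESTED, TESTED, IN_PROGRESS):
            unexpected.append(key)
        if state != TESTED:
            if pending and pending[-1][1] == key - 1:
                pending[-1] = (pending[-1][0], key)
            else:
                pending.append((key, key))
    return {
        "not_tested": counts[NOT_TESTED],
        "tested": counts[TESTED],
        "in_progress": counts[IN_PROGRESS],
        "unexpected": unexpected,
        "pending_ranges": pending,
    }


def make_sample():
    """Constructed sample: all keys tested except 5 and 100..103."""
    states = bytearray([TESTED]) * NUM_KEYS
    states[5] = NOT_TESTED
    states[100:103] = bytes([IN_PROGRESS]) * 3
    states[103] = NOT_TESTED
    return bytes(HEADER_LEN) + bytes(states)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = make_sample()
    report = summarize(blob)
    print(report)
    for first, last in report["pending_ranges"]:
        print(f"still to test: keys {first}-{last}")
```

Work on a copy of the .key file; the script only reads it.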

4.1.3. I've got a Pentium 4/3000 computer, but the key testing
time is extremely long.

Make sure that other CPU-hungry programs (including
3D screensavers) are not running simultaneously.

4.1.3a. Testing one key takes 2 times longer under Windows NT
than under MS-DOS or Windows 95.

Give 100% of CPU time to the program. The easiest way to do this
is to click on a blank space on the taskbar and then click on the
program window.

4.1.4. How can I test if your program is working?

Run GuaExcel on the test.xls file from the archive and wait until
it finishes testing key 8211:

   GuaExcel TEST.XLS 8211

The  password for this file is 'nyxo'. To test /s option, use the
following command line:

   GuaExcel /s TEST.XLS 1675

4.1.5. I've got a message "XXXXX is not Excel 97/2000 file".  How
to crack it?

Maybe the program is right?

4.1.6. The full keyspace has been tested, no key found.

Please check for interrupted keys in the .key file (see Q. 4.1.2)
or simply run the program again with the /r option. If it still
fails, it's a bug.

4.1.7. Your program found a key and successfully decrypted a file,
but Excel still cannot open it...

First, don't despair. The found key is correct and your file can
be decrypted. Another method exists to read your document (only
if you made a backup copy of your file). If you are a legal
customer of the commercial version of the program, just contact
me. I DON'T SUPPORT THE FREEWARE PROGRAM, but it's not too late
to become a legal customer.

4.1.8. Is it possible to speed up your program?

On Pentium Pro architecture processors (including Celeron, PII,
PIII) it is not possible. On the Pentium 4 (and similar)
architecture it may be possible to improve speed by using SSE
instructions more intensively. Although I currently have no plans
to optimize this software for other architectures (IA-64 etc.),
please contact me if you are interested.

4.1.9. I'm using UNIX, OS/2, BeOS etc. Will such a version be
available?

Possibly. (A Linux i386 version is already available.) Regarding
other OSes and platforms, bear in mind that GuaExcel is optimized
exclusively for the Pentium II/4/AMD architecture, and please read
the previous question.

4.1.10. I'm sure all of my files are encrypted with the same
password. Can I decrypt the files without searching for the key
for each of them?

YES! Files with the same password DON'T have the same key,
because it depends on the file ID etc. Use the /s option for
file-independent key searching.

4.1.11. How to run GuaExcel in the low priority?

Under Windows NT/2000/XP use
	start /low GuaExcel <parameters>

4.1.12. How  to  run  GuaExcel  on  the dual/dual-core  processor
computer?

Just start two copies of the program with the same options.

4.1.12a. Should I start 2 copies of GuaExcel on my HyperThreading
processor?

Curiously enough, on some modern Pentium 4 Prescott processors it
may help; on other (older) P4s it makes no sense. You can
experiment yourself.

4.1.13. I've got a message  "your file is corrupted and  can't be
decrypted".

It means your file has some internal structure (BIFF) errors.
The key for such a file can be found with high probability, but
the decryption will fail (it needs some manual work). Sorry,
I can't help you with such a file, because it is not a decryption
error.

4.1.14. How to decrypt a file without the prompt and shut down
the computer?

You need to use a simple .bat file, like:
	echo y|guaexcel your_file.xls
	pshutdown -k
where pshutdown is a utility from the www.sysinternals.com site.


4.2. Questions about freeware (demo) version.

4.2.1. What are the differences between the demo and commercial
versions?

The demo version demonstrates some of the commercial version's
features, including testing for a file-independent key. It should
be used to check whether your file is parsed correctly and to
estimate the time needed to decrypt the file on your computer. If
you get a message like "Your file is parsed and can be cracked",
the commercial version will work fine with this file. To test the
decryption procedure, just save any Excel file with the password
'nyxo' and run the demo version on it. The demo version supports
this fixed password only!

The demo version also does not contain:

a) Distributed mechanism
b) Starting and ending key arguments


4.3. Questions about network versions.

4.3.1. Program displays "no more  clients  (N)  allowed  in  this
keyspace", although less than N clients are running.

You incorrectly interrupted some clients. Stop the others and use
the /r option.

4.3.2. Can I use /f and /s options together?

/f option is now obsolete.

4.3.3. My file is confidential and I don't want to leave it in the
shared directory. What should I do?

You can remove your file after seeing the message "Client XX ready"
and copy it back when the prompt for decryption appears.

4.3.4. The key has been found on one of the clients while the
first client was stopped. How to decrypt the file in this situation?

Just start the first client with the /1 option.


4.4. Error messages.

4.4.1. I've got the following error message:

a) "Permission denied"

Check that your file is neither Read-Only nor in use by another
program. Also check that you have write permission to the current
directory.

b) "There are running clients with different options"

You ran the previous clients with the /s option and the current
one without it, or vice versa.

5. Special thanks.

  To Eric Young for his great SSLeay library.
  To Caolan McNamara for his no less great wv library.
  To Arturo Tena for yet another great cole library.
  To Phil Frisbie, Jr. for CPU identification function.
  To Alexander Perematko for correcting this doc.

Good luck!

Pavel Semjanov, St.-Petersburg.

