Advanced ZIP Password Recovery 0.93 (c) Elcom Ltd., 1997-98
-----------------------------------------------------------
Note: this is the pre-release version of the program.


Contents
--------

  Description
  Requirements
  Usage
  Known bugs and limitations
  Future enhancements
  Performance
  Registration
  Technical support
  Where to get the latest version


Description
-----------

This program (Advanced ZIP Password Recovery, or simply AZPR)
can be used to recover a lost password for a ZIP archive. At
the moment, there is no known method to extract the password
from the compressed file; so, the only available method is a
simple "brute force" attack.

Well, there are a lot of programs like this around, but
all of them have their own "pros" and "cons". Here is a brief
list of AZPR advantages:

- The program is smart enough to avoid giving you "false"
  matches, as many others do. If it says that the password is
  here, then it really is.
- You can estimate the maximum time the program will take to run
  using the "benchmark" feature.
- You can interrupt the program at any time and resume its
  execution later from the same point.
- The program is customizable: you can set the password length
  (or length range) and the character set to be used to generate
  the passwords.
- No special virtual memory requirements.
- The program can run in background mode.
- A native version for DEC Alpha (running Windows NT) is
  available.


Requirements
------------

- Windows 95 (any version) or Windows NT 4.0 running on Pentium
  or DEC Alpha CPU
- about 300 kilobytes of hard disk space
- patience...


Usage
-----

The program is a console application and therefore has to
be executed from the command prompt. The syntax is:

>AZPR [options] zip-filename

Where the options are:
  (for brute force attack)
    /bench      - don't crack, do benchmark only
    /min:x      - x is a minimum password length (def. is 1)
    /max:x      - x is a maximum password length (def. is 5, max. is 15)
    /c:dsce     - password charset, any combination of:
                  'd' for digits (default)
                  's' for small letters
                  'c' for capital letters
                  'e' for special symbols
  (for dictionary-based attack)
    /d[:name]   - dictionary name (def. is "dic.txt")
    /all        - try all uppercase/lowercase combinations
    /first      - try to capitalize first letter only
  (common)
    /background - background execution
    /save:x     - save state every 'x' minutes

You can use any combination of the above options. For example,
if you want to crack the file "test.zip" and know that the
password contains digits and small letters only, and the length
of the password is up to 7 characters, use the following syntax:

>AZPR test.zip /max:7 /c:ds

The option "/min:1" was not used here because 1 is the minimum
length by default.

The special symbols are:

~@#$%^&*()_+-=[]{},.\"/?:;`'

and the space character.

If you do not specify the "charset" option ("/c"), the program
will assume that the password contains digits only.

When the program is running, it periodically updates the status
line, for example:

Tested 1500000 of 6309658355 passwords (0.02%)

The "/bench" switch may help you to estimate how long the
program will need to run. Just use it together with any other
switches, for example:

>AZPR test.zip /max:5 /c:dsce /bench

After about a minute (the actual time may vary depending on the
speed of your CPU), you'll see a message like this:

Analysing archive... done.
Total number of passwords to verify: 6309658355
Estimated performance of your computer:
   220653 passwords per second
   13239180 passwords per minute
   794350800 passwords per hour
   19064419200 passwords per day
...and so cracking can take about 7 hour(s) and 56 minute(s)
Press any key to exit...

Note that the time you see is approximate; this is the maximum
time the program will spend guessing the password, if you set
the correct options -- for the above example, the password is 5
characters long (or less) and consists of digits, letters (small
or capital) and special characters.
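
The arithmetic behind the "/bench" figures, as an added example
(not part of AZPR or its documentation): the number of candidates
for a given /c, /min and /max choice and the worst-case time at a
measured rate. The function names are this example's own; the
character classes follow the lists above.

```python
import string

# Character classes as the page lists them for the /c option.
# 'e' is the page's special-symbol list plus the space character.
CLASSES = {
    "d": string.digits,
    "s": string.ascii_lowercase,
    "c": string.ascii_uppercase,
    "e": "~@#$%^&*()_+-=[]{},.\\\"/?:;`'" + " ",
}


def charset(flags="d"):
    """Build the alphabet for a /c: value such as 'ds' or 'dsce'."""
    unknown = set(flags) - set(CLASSES)
    if unknown or not flags:
        raise ValueError(f"bad charset flags: {flags!r}")
    # Walk CLASSES, not flags, so a flag given twice is counted once.
    return "".join(CLASSES[f] for f in CLASSES if f in flags)


def keyspace(flags="d", min_len=1, max_len=5):
    """Number of candidates for lengths min_len..max_len inclusive."""
    if not 1 <= min_len <= max_len <= 15:   # 15 is the documented /max limit
        raise ValueError("need 1 <= min <= max <= 15")
    n = len(charset(flags))
    return sum(n ** length for length in range(min_len, max_len + 1))


def worst_case(total, per_second):
    """Whole (hours, minutes) needed to test every candidate."""
    seconds = total // per_second
    return seconds // 3600, seconds % 3600 // 60


if __name__ == "__main__":
    rate = 220653   # passwords per second, from the /bench output above
    for flags, max_len in [("d", 5), ("ds", 7), ("dsce", 5), ("dsce", 8)]:
        total = keyspace(flags, 1, max_len)
        h, m = worst_case(total, rate)
        print(f"/c:{flags:<4} /max:{max_len} {total:>20,} candidates {h:>9,} h {m:02} min")
```
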

If you want to interrupt AZPR when it is running, feel free to
do so by pressing Ctrl-Break or Ctrl-C: the program will save
the options you've used, along with the last password which has
been verified, in the "AZPR.INI" file. The next time you start
the program (with or without parameters), it'll ask you:

Continue to crack C:\PROJ\ZIP\test.zip?

Just press Y to continue or N to crack another file.

If you have a good dictionary (see a very simple example in
"dict.txt"), you may also wish to try the dictionary-based
attack, for example:

>AZPR /d:dic.txt /all test.zip

The program will try to use all strings listed in "dic.txt" as
passwords. If the optional "/all" switch is given, then all
lowercase/uppercase combinations will be verified. For example,
if you have the word "warez" in your dictionary, the password
"WaReZ" will be found.

The "/first" switch makes the program check every password from
the dictionary twice: the first time "as is", and the second
time with the first letter capitalized. For example, if you
typed the following command line:

>AZPR /d:dic.txt /first test.zip

and your dictionary contains the following words:

kitten
cRaCk
PASSWORD

then the program will verify the following passwords:

kitten
Kitten
cRaCk
CRaCk
PASSWORD

When the program is running in dictionary mode, its status line
looks like the following:

Tested 770000 passwords (line 3)

Some very good dictionaries (wordlists) can be found at:
  ftp://sable.ox.ac.uk/pub/wordlists/
  ftp://ftp.cdrom.com/pub/security/coast/dict/wordlists/
  ftp://ftp.cdrom.com/pub/security/coast/dict/dictionaries/

Another good dictionary (about 1,400,000 words) is available at:

ftp://math.uwaterloo.ca/pub/security/bigdict.gz

If the password is found, the program displays it:

Password for F:\PROJ\ZIP\TEST.ZIP: 999999
Press any key to exit...

The password is also saved into a text file with the .PSW
extension (for the example above, in "TEST.PSW").

If all possible passwords are verified without success (so
the valid one has not been found), the message is:

No valid passwords found -- sorry
Press any key to exit...

If you feel that AZPR (when running) takes too much of your
CPU time, try the "/background" switch. When it is used, the
program runs at IDLE priority, which means that it does its
work when the CPU has nothing else to do. For example, if
you're typing text in Microsoft Word, and Word itself takes
30% of the processor power, then AZPR will use the rest --
70%, and you will not see any performance decrease.

The "/save" option is very useful if you're not sure how
reliable your environment (Windows) is. Using it, you can ask
AZPR to save its state every few minutes, for example:

>AZPR /c:ds /max:7 /save:5 TEST.ZIP

With such a command line, the program will "dump" all options
and the current password every 5 minutes to the "resume-file"
(AZPR.INI), and even if the power fails and your computer is
rebooted while AZPR is working, you'll be able to resume the
program, just as if you had recently pressed Ctrl-C.


Known bugs and limitations
--------------------------

- If the archive contains two or more encrypted files, the
  program will assume that all of them are encrypted with the
  same password.
- The program is not able to find the password for some very
  small files, compressed with Deflat:N method, or not
  compressed at all.
- The program may cause an exception after running for a very
  long time (a few days).


Future enhancements
-------------------

As we already noted, this version is actually a "pre-release".
We know that it can be improved, and here are some facilities
we're going to implement:

- Ability to select totally custom (user-defined) character set.
- Generating passwords based on user-defined regular
  expressions.
- User interface (GUI).
- Running as a service under Windows NT.
- "Known plaintext" attack.
- Working on SMP systems (when more than one CPU is available).
- Further performance optimizations.

If you have any ideas on how the program can be improved, please
don't hesitate to contact us! Your comments are much appreciated.


Performance
-----------

Well, the program speed actually may vary from 20000 to 200000
passwords per second (on an average Pentium-166 computer). If
your archive (the ZIP file you're cracking) contains only one
encrypted file, you'll get the first figure. If two or more --
the second. Where does this difference come from?

To get the best performance, AZPR doesn't try to decrypt the
whole compressed file. Instead, it just decrypts the header
(using the next-in-sequence password generated based on the
options you set) and checks its CRC code. The problem is: the
CRC of the header may match even if the password is incorrect;
usually this happens for 1 of 250 (random) passwords. Now we
have to check if this password is the one we're looking for; and
the program tries to decrypt the whole file (not only the
header) using it. This takes much longer...

But if the archive contains 2 or more files, we can check the
second header first, instead of decrypting the file. And the
chance that the CRC of the second header will match the random
(incorrect) password is 1 divided by 250*250 = 62500; so we'll
call the "full" decrypt/unpack routine (which is slow) rarely.
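
The fast header test described above, as an added Python example
(not AZPR's code). It assumes the archive uses traditional PKWARE
ZIP encryption, whose 12-byte encryption header ends in one check
byte taken from the file's CRC, and counts how many wrong passwords
pass that test on one header and on two. The headers, CRC values
and passwords are constructed for the example.

```python
import zlib

def crc_step(crc, byte):
    """One raw CRC-32 step (no pre/post inversion), as the key schedule uses."""
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:
    """Key state of traditional PKWARE ZIP encryption."""
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, plain):
        self.k0 = crc_step(self.k0, plain)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = crc_step(self.k2, self.k1 >> 24)

    def crypt(self, data, decrypt):
        out = bytearray()
        for b in data:
            t = (self.k2 | 2) & 0xFFFF
            x = b ^ (((t * (t ^ 1)) >> 8) & 0xFF)
            self._update(x if decrypt else b)   # keys always advance on plaintext
            out.append(x)
        return bytes(out)

def make_header(password, file_crc, salt):
    """Constructed 12-byte encryption header: 11 filler bytes + high CRC byte."""
    check = file_crc >> 24
    plain = bytes((salt + 7 * i) & 0xFF for i in range(11)) + bytes([check])
    return ZipCrypto(password).crypt(plain, decrypt=False), check

def header_ok(header, check, password):
    """Fast stage of the filter: decrypt 12 bytes, compare only the last one."""
    return ZipCrypto(password).crypt(header, decrypt=True)[-1] == check

def false_matches(headers, n_wrong=10000):
    """How many constructed wrong passwords pass the check on every header."""
    return sum(all(header_ok(h, c, b"wrong-%d" % i) for h, c in headers)
               for i in range(n_wrong))

if __name__ == "__main__":
    h1 = make_header(b"kitten", 0x1C291CA3, salt=1)    # constructed CRC values
    h2 = make_header(b"kitten", 0xD87F7E0C, salt=90)
    print("one header :", false_matches([h1]), "of 10000 wrong passwords pass")
    print("two headers:", false_matches([h1, h2]), "of 10000 wrong passwords pass")
```

The one-header count comes out near 1 in 256, in line with the
"1 of 250" figure above; requiring both headers to match removes
almost every false candidate before the slow full decrypt.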


Registration
------------

This program is distributed as shareware (look at "license.txt"
for details). Being unregistered, it has some limitations:

- The charset used to generate the possible passwords is limited
  to digits and small letters only.
- The minimum password length ("/min" option) cannot be set.
  The default value (1) is always used.
- The maximum password length ("/max" option) is 7.
- For the dictionary-based attack, "/all" (case-insensitive) and
  "/first" (try to capitalize first letter) options are not
  available.

After you register (look at "register.txt" for details), we'll
send you your personal registration code. You have to apply it
to the program using the special "/register" switch in the
command line:

>AZPR /register

The program will display the dialog asking you to enter the code;
after you do so (you can use cut'n'paste to avoid typing
errors), it will have full functionality.

Please note that your registration will be valid for all future
versions of AZPR.


Technical support
-----------------

For technical support, please contact Mr. Vladimir Katalov
at kitten@elcomsoft.com.


Where to get the latest version
-------------------------------

The latest version of AZPR is always available from our
web page at http://www.elcomsoft.com/azpr.html.
