So in this case we're in luck:
There are 2 files in there (the UNLHA32 library files), which are a third-party component they used and as such might be found on the internet if we're lucky (and we are).
The point here is that if you have access to an original unencrypted file which is encrypted in the zip, chances are extremely high that you can use the "plain-text" attack. AZPR from ElcomSoft can do such an attack.
So.... Googling for that library and you'll find a few versions. But if you wanna use a "plain-text" attack you need to find the exact same files which are in the encrypted archive. So, I downloaded many versions and started to compare the CRC32 checksums of them with the one used in the archive.
Most versions I found immediately (on the original homepage of UNLHA32) weren't the right ones (all newer versions).
So I Googled a bit deeper and found two older ones in some obscure corner of the net.
It turned out they used version 22.214.171.124 of the UNLHA32.DLL library.
But there is a problem:
For the "plain-text" attack to be effective you need to zip the original file with the _exact_ same zipping method (no problem there, the method can be looked up in the encrypted file attributes... "deflating" was used), but also with the _same_ program! This is because many programs all use slightly different compression dictionaries and trees, and thus the compressed files are slightly different too!
After trying a few different zip programs I already had installed (except winzip), I always ended up with a slightly wrong dictionary tree. So I gave up on that (cba to download and try more zip programs because it was already too late...yawn)....
Then I Googled for the documentation text file (UNLHA32.TXT) of version 126.96.36.199. Luckily I found it (same CRC32 as the one in the encrypted archive).
I tried to zip that (simply using Windows' built-in zipper), and it came out exactly as what was needed (compressed size 12 bytes smaller than its encrypted counterpart, which means it is a potential match).
So, all that needed to be done now was to load up AZPR,
- select the encrypted archive (1)
- select the "plain-text" attack (2)
- select the normal unencrypted zip with UNLHA32.TXT in it ("plain-text path")
- press start button
40 seconds later: "Encryption keys successfully recovered"
- save the unencrypted archive
- select the second encrypted archive (assuming the used password is the same... it was... if it wasn't I could have done another new "plain-text" attack since UNLHA32.TXT is also in the second encrypted archive)
- by now the found encrypted keys are saved in their respective boxes (3), so all you need to do now is press the "decrypt zip using encryption keys" button (4)
- save the second unencrypted archive
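
The metadata checks described in the post (same CRC32, same method, compressed size 12 bytes smaller than the encrypted entry), as an added Python example that is not part of the original post. It shows that traditional ZIP encryption leaves the entry name, CRC32 and sizes readable without the password; the function names and the sample data are constructed for illustration.

```python
import io
import zipfile
import zlib

ENC_HEADER = 12  # traditional ZIP encryption prepends 12 bytes to each entry


def is_encrypted(info):
    """Bit 0 of the general-purpose flags marks an encrypted entry."""
    return bool(info.flag_bits & 0x1)


def file_matches(enc, data):
    """Compare a candidate file with the CRC32 and size stored in the clear."""
    return (zlib.crc32(data) & 0xFFFFFFFF) == enc.CRC and len(data) == enc.file_size


def entry_matches(enc, ref):
    """True if plain entry `ref` is a potential match for encrypted entry `enc`."""
    return (
        is_encrypted(enc)
        and not is_encrypted(ref)
        and enc.compress_type == ref.compress_type
        and enc.CRC == ref.CRC
        and enc.compress_size == ref.compress_size + ENC_HEADER
    )


def build_sample():
    """Constructed sample: a plain ZIP entry plus metadata of its encrypted twin."""
    data = b"UNLHA32 documentation (constructed sample text)\r\n" * 40
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UNLHA32.TXT", data)
    ref = zipfile.ZipFile(buf).getinfo("UNLHA32.TXT")
    enc = zipfile.ZipInfo("UNLHA32.TXT")  # stands in for the encrypted archive's entry
    enc.flag_bits = ref.flag_bits | 0x1
    enc.compress_type = ref.compress_type
    enc.CRC, enc.file_size = ref.CRC, ref.file_size
    enc.compress_size = ref.compress_size + ENC_HEADER
    return data, ref, enc


if __name__ == "__main__":
    data, ref, enc = build_sample()
    print("file matches stored CRC32/size:", file_matches(enc, data))
    print("zipped entry is a potential match:", entry_matches(enc, ref))
```

On a real archive, `zipfile.ZipFile(path).infolist()` returns the same `ZipInfo` fields without asking for the password.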