Officer Breaker is a simple program that removes the password from read-only protected files that belong to the Office Open XML format family (.pptx/.xlsx/.docx file types).
Please read the disclaimer before using this program or its source code.
GUI artwork by @Cioccolatodorima.
If you wish to build the project yourself you need:
- JDK 8 or JDK 11+ with JavaFX
- Apache Ant
- Go to the main repository folder and run:
ant -buildfile build.xml
- Open the executable file from
.dist/
folder of this repo.
Alternatively, download the prebuilt executable directly from the releases page.
All pptx/xlsx/docx files are part of the Office Open XML format family (for further reading please refer to OOXML Format Family -- ISO/IEC 29500 and ECMA 376 ).
For example, a standard .pptx file will have the following file tree structure:
myFile.pptx
.
├── docProps
│ ├── app.xml
│ ├── core.xml
│ ├── custom.xml
│ └── thumbnail.jpeg
├── ppt
│ ├── handoutMasters
│ ├── media
│ ├── media
│ ...
│ ...
│ ...
│ └── presentation.xml
├── _rels
│ ├── .rels
└── [Content_Types].xml
We can see this structure by opening the file using a program like 7zip or by changing the filetype to .zip and then opening it.
Each OOXML file type contains an .xml file with settings and preferences, including read-only protection. In our example the security element will be located inside presentation.xml
file which is located inside the ppt
folder of myFile.pptx
.
Inside presentation.xml
there is a specific element we will focus on called p:modifyVerifier which should look like this:
<p:modifyVerifier cryptProviderType="rsaAES" cryptAlgorithmClass="hash" cryptAlgorithmType="typeAny" cryptAlgorithmSid="14" spinCount="100000" saltData="3R1lmtJocEj5GzEGRn3MHA==" hashData="iR0jIUtVcGsTx62z/hqcbzaReLJemv$eZyqTlpWhl0Lph+osBKEiEYmyReJHmypMy6wj+VFmDGuNZvsMA9tX9g=="/>
The file editing is protected by a password which was salted and hashed which makes it nearly impossible to crack within reasonable time. But instead of trying to crack the password, we can just... Remove it. 🤷
Turns out that simply deleting the security element p:modifyVerifier as a whole will make myFile.pptx
behave as if it never had any password at all. This kind of security measure is a bit like the photo in the title of this repository - a good lock placed on the door handle... 😅
The program will create a copy of presentation.xml
, parse it and delete the security element. Once the element is deleted, the copied presentation.xml
will be replaced with the original presentation.xml
which will effectively remove the password from myFile.pptx
.
What makes this whole thing worse is the fact that we could simply remove the password created by the author, alter the file in some way and then return the original password of the author by inserting the same security element which was removed. This hurts the integrity of the whole OOXML format family.
Future versions of OOXML file type may make drastic changes of naming convention of elements or/and structure of the folders or/and files. This might make this repo deprecated but not obsolete if the same security measures will be taken in future versions.
If a "lock with different name" (the hashing) will be placed on the "door handle" (removable .xml
element), the file still could be altered/edited without a password. All that's needed is to find the new security element and simply remove it from the file.
This repository is for research purposes only, the use of this code is your responsibility.
I take no responsibility and/or liability for how you choose to use any of the source code available here. By using any of the files available in this repository, you understand that you are agreeing to use it only on files you own or received permission to use the code on.
This repository does not promote any hacking related activity. All the information in this repository is for educational purposes only.
Once again, all files available here are for education and/or research purposes ONLY.