Kasper: Stuffit 5 Password Recovery

I don’t profess to be an expert programmer or a skilled security researcher, but I’ve spent a lot of time over the last dozen-plus years working on recovering old passwords in StuffIt archives. StuffIt was the popular compression tool for Mac users until the Mac OS X era, when it was overtaken by the standard ZIP format (and the price per gigabyte of storage reached a point where compression just wasn’t as critical). You can still purchase StuffIt Deluxe 2011 for both Windows and Mac, but for most people there will never be a need.

A few years ago, I wrote an application called Kasper that used the native StuffIt Deluxe command line tools to brute force an archive’s password using a wordlist. This was, to put it bluntly, an exercise in watching paint dry: 35 words per second, sped up to about 435 words per second with the SDK (which needs to be licensed). While I was successful in recovering a simple four-letter dictionary word password, it was clear that the speed at which the tool ran (even on modern machinery) was not going to deliver results.

By running a similar script that, rather than breaking a single archive, created thousands of archives with varying passwords, I found that the StuffIt 5 password scheme always hashes a given password to the same 10-digit hexadecimal value. With that knowledge I could build a Rainbow Table – a task which would take a large amount of time on the first run through, but would be searchable afterwards.

Even with that, the wordlist would be extravagantly huge (almost 66GB when compressed as a GZIP for every possible 5 character password). Thankfully, the author of the excellent unarchiving utility The Unarchiver provided enough data on his site for a non-programmer like myself to recreate the password hash algorithm in Perl. Using that data, it was easy enough to write a 20 line script to hash a password and compare it to the defined password hash. Speeding this process up was the maskprocessor utility from the hashcat password recovery suite. With this combination, the tool was able to recover a password in a little over half an hour after trying over a billion combos – a rate of almost 500,000 words per second – with the ability to run as many attempts at once as your machine can handle. A dual processor quad core machine can easily run 8 iterations at once without taking a hit – allowing, for example, one to grind out 1-8 character passwords at once.

An interesting find came with one of the first passwords recovered this way: the user told me that he was positive the recovered password (the aam?$Qk one from the earlier screenshot) was not his original password. Obviously hashing algorithms can have collisions, and the double hashing at 40-bit lengths that this algorithm uses certainly meant it was possible. Another user provided me with almost 700 archives with passwords – running the script against all these archives for a few days (on only 5 possible characters) recovered a few passwords that were hash collisions. Both the original password and the collision hash to the same value – and therefore both work to decrypt.
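The check described above, sketched in Python as an added example (it is not the author's Perl script or Kasper itself). It assumes the construction the post implies, MD5 truncated to 40 bits and applied twice, and the "00 05, five bytes, A5 A5 A5 A5" header layout the author describes in the comments on this page; the function names and the 95-character alphabet are illustrative.

```python
import hashlib
import re

# Layout described by the author in the comments on this page:
# a 00 05 prefix, five hash bytes, then A5 A5 A5 A5 padding.
HASH_FIELD = re.compile(rb"\x00\x05(.{5})\xa5{4}", re.DOTALL)


def extract_stored_hash(blob: bytes):
    """Return the stored 40-bit value as 10 hex digits, or None if absent."""
    m = HASH_FIELD.search(blob)
    return m.group(1).hex() if m else None


def stuffit5_hash(password: bytes) -> str:
    """ASSUMED construction: MD5, keep 40 bits, MD5 again, keep 40 bits."""
    inner = hashlib.md5(password).digest()[:5]
    return hashlib.md5(inner).digest()[:5].hex()


def find_matches(target_hex: str, candidates):
    """Test every candidate and do not stop at the first hit.

    A 40-bit value has many preimages, so the first match may be a
    collision rather than the password the owner originally chose.
    """
    target = target_hex.lower()
    return [c for c in candidates if stuffit5_hash(c) == target]


def expected_chance_matches(keyspace: int, targets: int = 1, bits: int = 40) -> float:
    """Expected number of matches that occur by chance: N * T / 2**bits."""
    return keyspace * targets / 2 ** bits


def sample_header() -> bytes:
    """Constructed archive start. Only the final hex string is taken from
    this page (it is quoted by a commenter); the rest is made up."""
    banner = (b"StuffIt (c)1997-1998 Aladdin Systems, Inc., "
              b"http://www.aladdinsys.com/StuffIt/\r\n")
    return banner + bytes.fromhex("0000000005ABB8E9D374A5A5A5A5") + bytes(8)


if __name__ == "__main__":
    stored = extract_stored_hash(sample_header())
    print("stored value:", stored)
    # The author published 'hellof' for this hash in the comments; this line
    # reports whether the assumed construction reproduces that pair.
    print("'hellof' matches:", find_matches(stored, [b"hellof"]) == [b"hellof"])
    # Every 5-character string over 95 printable ASCII characters (assumed
    # alphabet), tried against roughly 700 archives.
    print("chance matches expected:",
          round(expected_chance_matches(95 ** 5, 700), 2))
```

With those assumed figures the estimate comes out at a handful of chance matches, which is in line with the "few" collisions reported for the 700-archive run.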

Unfortunately, this solution only works for StuffIt archives from the version 5 days, which on a Mac OS 9-era machine would look visibly different from a StuffIt 4 or 1.5.1-era file. The StuffIt 5 format came after the very well established StuffIt 4 format but before the barely-used StuffIt X format. StuffIt 4 files are particularly nasty as they utilize both a data fork and a resource fork on the Macintosh, meaning that transferring the file to a Windows PC almost guarantees data loss and corruption. For super ancient StuffIt 1.5.1 or earlier archives, which would date from the early 1990s, there is a rather easy resource fork hack to replace the password. Someday I hope to have a solution for StuffIt 4 that doesn’t involve using the incredibly slow StuffIt Deluxe CLI tools (which also require a registered copy of StuffIt Deluxe). Most likely it will come after a breakthrough by the author of The Unarchiver that I can translate over to a simple script.

65 thoughts on “Kasper: Stuffit 5 Password Recovery”

  1. I HAVE A SITX ENCRYPTED WITH PERSONAL DATA, 474 MB OF PHOTOS, PASS 8 CHARACTERS NUMBERS AND LETTERS . I CAN SEE IN THE HEX EDITOR

    CAN YOU CONTACT ME PLEASE

  2. Hello,

    I’ve read about kasper a few times. I have a .sitx file that I made in 2010 that I can’t remember the password. It is a .sitx file. Can you help?

    1. SITX files currently have no method of attack other than raw brute force. Unfortunately, brute force speeds are in the hundreds (versus millions or billions) of tries per second. At that speed, recovery is only possible if you are quite certain of your password and just need some twiddling to find the actual password (as in, change cases, swap numbers for letters, etc.).

      A raw attack would take forever. Do you believe you have an idea of the original password?

    1. Absolutely!

      For anyone, any .sit files you have please comment or contact me and we can extract the hash for Stuffit 5 (which we’ll definitely break) or the MKEY for Stuffit 4 (which we can hopefully break… today or someday). If you comment with an email address with your name, we can keep your email address private 🙂

      1. I have a sitx “sitting” here and waiting to be decrypted. pictures of mine from 2005.
        hash = 9be16e38ab

        1. If you had a .sit file that had that hash, I’ll get it solved for you. If it was indeed a .sitx, you’ll be out of luck however. I’ll follow up with you directly with an update!

  3. Hi Greg,

    I have an old Stuffit Archive from 2000 which I’d love to get back in to. Is there any chance you could walk me through using your script?

    Much obliged!

    Aaron

    1. Hi!

      I do a few password recoveries a year, and it makes me very happy to help.

      The easiest way to get a Stuffit Password back is to extract the hash and send it to me. This doesn’t expose any data, just the key. I believe I confirmed that an .SEA and a .SIT from that era are really just the same thing, but we may have to get deeper. Anyone can email me at bobkiwi AT mac DOTCOM (or gmail) to talk to me.

      The hashes are locatable with a hexeditor as seen in this pic (at http://i2.wp.com/kiwidget.com/wp-content/uploads/2013/03/File-Comparison-blog.png ) – always stuck between 00-05 and the A5-A5-A5-A5 characters.

      If you can get me that, that’d be great! I should be able to get some password candidates.

      If you don’t see that, please send me the view you get. If it’s Stuffit 4, we’ll have to follow up. For Stuffit 5 this can be done on Windows or Mac OS, but Stuffit 4 we need to be careful of data and resource forks.

    1. That .pl was the Perl version of Kasper, so basically it was encoding password candidates with the MD5 algorithm used by Stuffit 5 and then it would quit whenever a match to a predefined hash was found. Why I called it md5_dump I’m not too sure- but nowadays it’s just called Kasper.exe. It’s a lot more understandable now for me than those days!

  4. Hi Greg
    Some time ago I asked for help with a SITX file. 6. At that time you did not have time and I understood. The problem is that for 1 year I have suffered from a neurodegenerative disease that is making it very difficult for me to walk and write on the Mac keyboard. That file contains images of the happiest time of my life that I would like to see while I can, but I know it is not easy to recover a password.
    You could send a screenshot of the hex file to find the hash and see if you can help me? Since already thanks
    Sergio

    1. Sergio, I still have your emails from back in January 2014. Since 2014, recovery of Stuffit 4-era passwords is on paper 50% possible within an acceptable amount of time, also only needing a picture of the hex file’s hash.

      Stuffit X-era files do not operate under the same logic. I’ll reach out to you via email to discuss what options we may have.

  5. I have this stuffit file from the late 90’s, not sure what version though (the file is sitting on a PC). The header is [SIT!….∏˛rLau.’..cæÒPçç.Image 001.] (Image 001 is the name of one of the files). Any idea where to find the hash?

    1. That header aligns with a Stuffit 4 era file.

      The hash is located in the MKEY entry in the Resource Fork. However, the resource fork is only kept on a Macintosh, or if it is stored in a compressed format that saves the resource and data fork (like Stuffit 5 or newer).

      If you have the file, try to open it in a resource fork aware hex editor like 0xED on Mac OS X. If there is no resource fork, you are in trouble. Try to see if you have a copy of the archive on perhaps an old Mac OS formatted disk.

      Let me know if you need any help!

        1. Oh, you were successful in finding the MKEY resource! That’s great. I’ll have a go at it.

          I haven’t made a direct post on the caveats for Stuffit 4, but my challenges are that there will be false positives (and unlike Stuffit 5, only the real password works and not other hash hits), that the logic only works for passwords up to 8 characters (9 characters or more I can’t get working), and speedwise it will take a full week just to try all combos for 6 characters.

          But I will give it a try and keep trying to improve things with time. Please hold out hope! And if you have any ideas about your passwords length, whether it was all lower or mixed lower and upper characters, had numbers, symbols, etc. let me know. I’ll knock out a run of lower, upper, numbers, and symbols up until 6 characters over the next week.

          My good old Mac Pro 2007 (at 3GHz) runs at about 1.1 to 1.2 million tries a second. I’d love to get a 5GHz machine nowadays. I’ve benchmarked a 3.4GHz i7-2600 at 40% faster. I’m hoping an eventual 5GHz machine will run at two to three times the speed (with even more if I used the Intel compiler).

          1. The file name seemed to be a clue of what the password was. And based on when I did it, most likely to be one word, all lowercase, no spaces, no symbols and 8-10 characters

        2. Okay, with your information about what you think you recall the password being… let’s give this one that really stood out to me a try: “stapler”

          Best of luck!

          1. Yeah, that got into it. Even though it was 18 years since I opened it, it was pretty much what I assumed it was… a few embarrassing photos. Oh well, at least I know what it is now;)

            Thanks for all the help!

            FYI, the file was called “papr.sit”; as soon as you said “stapler” I knew that’s what it was

  6. I found some old .sit files from 2002. I thought I could remember the password if I worked through it for a while. None of my attempts worked for me. Are you looking for more passwords to crack?

  7. Hi Greg,
    Are you looking for .SEA files to decrypt? I have a Stuffit .SEA file probably made in 2001 or 2002. It’s probably a Stuffit 5-era file – as I believe I found the hash in a hex editor. I’m not sure if it works the same as a .SIt file though. Many thanks!

    1. Absolutely! I’ve found SEAs to be pretty much the same as SIT files, so I’m expecting a win if it’s Stuffit 5 era. I’ll reach out to you to get the hash, and hopefully it’ll be cracked by the end of the week!

  8. Hi Greg, it’s impressive you are still going at this. I have some old SIT! files of records that I password protected *decades* ago and need to access, but can’t seem to recall the password I used. I believe SIT! means they are 1.5.1 files, and I do actually still have them on an OS9 machine if I have to open them there. You mention a resource fork editing method to bypass the passwords, but I can’t find any description of this process. I assume it means using ResEdit which I believe I have, but any other help (or pointers) would be appreciated, thanks!

    1. Thanks for your kind words Richard, I appreciate it!

      In my world, there are four types of Stuffit password systems – the original 1.5-era files, the Stuffit 4-era, the Stuffit 5-era, and the Stuffit .sitx-era. The method for recovering the 1.5-era files is an MKEY replacement, but actual 1.5-era files are extremely rare.

      A lot of people have MKEY Stuffit 4 files. There is hope for these, but it comes with large caveats- the process is only for passwords 8 characters or less and will throw many “false positives” that fail to actually unlock the files (unlike Stuffit 5, where most any hash collision will work!)

      It’s been many years since I’ve made a wrapup post for Stuffit Password Recovery, and I’ve got my system in place, so I figure I’ll write something up. I’ll also reach out to you to see about recovering your file – perhaps you chose a weak password that will stand out!

  9. Hey Greg!

    I wondered if you have any luck on how to crack SIT4 archives? Other than bruteforcing the archive. I got dozens of archives I created back in 1997 and can’t remember the password.

    Thanks,

    1. Joseph, I have a method for recovering SIT4 archives using bruteforce at… manageable speeds. It also has the restriction of only working if the password was 8 characters or less, and it has to find the exact correct password, unlike SIT5 where any hash match will work. I’ll privately reach out to you to see if you can get the MKEY data so I can attempt a recovery for you!

  10. Hi Greg, Thanks for working out all of this!

    I hope you can help me recover some long lost files from 2002. The file header says
    StuffIt (c)1997-2001 Aladdin Systems, Inc., http://www.aladdinsys.com/StuffIt/

    If I understand right, all you need is the following? A5000563 D93DFA99 A5A5A5A5 (or would that be just 63 D93DFA99?)

    Any help would be really appreciated.

  11. Hello,

    Something a bit different. I used ShrinkWrap 3.0 by Aladdin Systems to create encrypted mountable volumes. Worked great until I forgot the password 17 years later. Any experience with password recovery and ShrinkWrap? I can’t seem to find the hash indicators as mentioned in previous posts. I recall choosing ShrinkWrap over Stuffit for a lot of use cases since it was on-the-fly.

    Let me know if you’re up to the challenge and I can share some hex samples.

    1. Matt,

      Sorry I missed your comment. It sounds like a good challenge, I’ll try to see what I can find, and I have my old Classic Macs nearby to try to make my own test archives.

      1. Good job!
        Any news on the ShrinkWrap decryption?

        I have the same problem as Matt and I am trying to figure out if I can apply the stuffit decryption algorithm from the Unarchiver to the ShrinkWrap images but I am not sure if that will work out.

        1. Thanks for dropping by. Let me spool up a test install and some test archives of ShrinkWrap and take a look. No promises, but I hope to help!

          1. Great to hear back from you and thank you for trying to help.
            Would it help if I shared what I found out so far? It’s not much but I have prepared some ShrinkWrap images with known passwords and there might be some clues about the algorithm in there.

            What I found out is:
            – My unencrypted and encrypted images have exactly the same size, so no metadata in the data fork I guess
            – The encrypted data is repeated after 512 bytes if the plain text is also the same (in my case the images contain mostly zeroes)
            – There is some data in the resources. 4 bytes in there are directly related to the password (and probably the first 4 bytes of the plain data, but I could not verify that because they are always only zeroes). The same password (and probably same plain text) always leads to the same 4 bytes.
            – In my experiments the 4 bytes in the resources are always the same as the first four bytes from the data, so they seem rather pointless. It would be interesting to see how both would react if the plain text data wasn’t just zeroes.
            – I think creating the encrypted image again with the same input and password generates exactly the same file, so there seems to be no random salt, but I have to verify that.

            Feel free to contact me under my email address and I can send you the files.

            Does that resemble the encryption used in any of the Stuffit versions?

            Also do you think it would be feasible to brute force the 40 bit key if the algorithm could be reverse engineered but no shortcut is found?

  12. Hi Greg,

    Not sure if you can help but you are my last hope… I have an old SITX archive from 2010 with some video in it that I need to open and although I thought I knew the password it is a word with various letters swapped for numbers I cannot work it out…

    I know the SITX archives with brute force is pretty long winded but as I know what the password roughly should be does that give any hope?

    Here’s hoping!

    Thanks, Steve.

  13. Hi Greg!

    I stumbled across your site after spending god-knows-how-long trying to remember the password for a stuffit archive I made back in 2002. Not sure which version of Stuffit it is but I’m hoping you might try to help me figure out my password. I used File Peek to get the hash values:

    MD5 Hash: 478ffcb80576e9172c4e395b79598b87

    SHA1 Hash: 530343dbb54fb18b70394b0eb37ef827c8063c02

    SHA256 Hash: dd395dced6e1f3524e307ccc395a69bbc20621d993731dbacac1140840c0184b

    Did I do that right? Anyway, I’d appreciate any help you can provide. Happy to buy you a coffee or a beer or both for your expertise! Cheers!

    1. Erik, thanks for your comment! Those are hashes, but not the ones I need. I will email you on the one you commented from to move forward and hope for the best, I hope we succeed!

    1. Awesome! I’m so glad the Hashcat module worked for you! You’re the first person to report using it outside of my testers and that really makes me happy.

  14. I have an old .sit file left by a coworker. The password has already been forgotten.
    From your information above I can extract the hash: 3D C2 DA 17 A2
    Can you help me to recover the password?

    1. Hello!

      Thanks for stopping by my blog.

      You submitted a Stuffit 5 Hash of 3dc2da17a2, can you try the following passwords? Hopefully one works for you!

      fjdkttz2
      wx153s3c
      H4jfukyu
      P6vc113p
      Jtxn2uy!
      fkpka59x
      jxxnx1sz
      ibva2t7v
      4u6u35a$
      ei1rvl3te

      Let me know if it works! I’d also be very interested in hearing what files you were able to rescue. Hearing how my work helps others makes me so happy!

  15. Hej Greg,

    I have a .sea with uncertain content from ’98 that I would love to take a look at. Would you be so kind to contact me?

    Thanks!

    1. I have reached out to you by email, but just in case this gets you, please submit the hash to me – it should be similar .sit and .sea if it’s all Stuffit5 era.

      I need the hash values from the files as in the pic here: http://i2.wp.com/kiwidget.com/wp-content/uploads/2013/03/File-Comparison-blog.png

      You can get that data on macOS using software like Hex Fiend http://ridiculousfish.com/hexfiend/ or on Windows I use HxD https://mh-nexus.de/en/hxd/ .

      The hash is near the start, usually with a 00-05 before it and A5-A5-A5 after it. I usually like a picture of the surrounding data just to verify.

  16. Hello,

    I have a stuffit file. I believe it is stuffit 5 (late 90’s, early 00’s). Hash is C1 18 2F 99 B9.

    If you have time, could you provide me with some options that will hopefully unlock?

    Thanks

    D

    1. Please give this a try!

      This is read as hash:password

      c1182f99b9:1969

      So try 1969

      Let me know if that works!

      1. That did work. Thank you very much.

        I am hoping to find a few more files as I go through old CDs and HDDs. Could you give the syntax for hashcat to try these? Found the mode of 24700, but I was not getting any results.

        Thanks for sharing from your hard work.

        D

        1. I’m glad to hear!

          I need to make a new post showing all the changes and new solutions. Maybe before 2022 is over!

          Here’s the hashcat command you want:

          hashcat.exe -m24700 -a3 -o cracked.txt hash.txt --keep-guessing

          --keep-guessing is important, because otherwise you’ll only get one hash collision. I guess that’s all you really need, but I like having options, or to find the real password vs. a collision!

  17. Howdy! I have an excerpt from an old .sit file, “A5000590 86FA9C77 A5”

    Are you still performing this service? Thank you sir!

  18. Actually two .sit files: A50005A9 0A0C1D61 A5 and A5000590 86FA9C77 A5 (already submitted). Thanks again!

    1. Please give these a try!

      This is read as hash:password

      a90a0c1d61:Emhimmle
      9086fa9c77:8unny
      9086fa9c77:O0cjk756

      So the first file, try Emhimmle

      The second file, try either/both of 8unny and/or O0cjk756

      Let me know if that works!

  19. Hey Greg, I’m having trouble locating the hash in a stuffit archive from around 2002 — not sure what version was used. Based on your earlier comments, I’ve used HexFiend to search for “A5A5A5”, but that string doesn’t occur in the file.

    Can you suggest what else I can search for to identify the version?

    1. Hello, I will email you. I have a suspicion that you may instead have a Stuffit4 era file, or HexFiend was looking in the text field not the hex field.

  20. Hi Greg,

    Stumbled across your page after many attempts to find some way to expand an old stuffit file from yesteryear. I’ve opened it up with a hex editor and found these items of interest:

    StuffIt (c)1997-1998 Aladdin Systems, Inc., http://www.aladdinsys.com/StuffIt/
    and also I guess this is the string you’d require,
    0000000005ABB8E9D374A5A5A5A5

    I did try to have a go at Kasper, not sure what I did but it seemed to get stuck on the first ‘word’ from the text file.

    I’d be greatly appreciative if you could provide some assistance.

    1. Hello! I’ll email you directly, but for the record here is one possible password for your hash abb8e9d374:

      hellof

      Give that a try!

  21. Any breakthroughs on Stuffit4 MKEY hashes? I’ve got a Stuffit 4 .sea file with the MKEY of “8269 E16B 00EC 2EB7” that I’d like to break open.

  22. Hi, I found a few old SIT Files that are password protected. They have MKey resources I can see in ResEdit.

    These are:
    8667 96B3 7F48 1568
    E5B0 D277 89E1 2402
    5A7E 0636 E226 C536

    Can you help me or give a direction on how to open these files? Thank you so much already now 🙂

  23. Hi Greg,

    This is the hash I’ve found for my Stuffit archive. Can you help?

    77269FD272

    Between the 0005 and A5A5A5A5 as you mentioned.

  24. Greg, I just wanted to say thanks for your good work on Kasper!

    Using Kasper 4 and maskprocessor I was able to recover two password-protected v4.0 SEAs I had made as a kid in 1998. It may be of interest that they both had the same password but different MKEYs.

    MKEY: A9B2 664E 1A21 D82E PW: ‘sitach’
    MKEY: E389 F76C 43F7 F443 PW: ‘sitach’
