I don’t profess to be an expert programmer or a skilled security researcher, but I’ve spent a lot of time over the last dozen-plus years working on recovering old passwords in StuffIt archives. StuffIt was the popular compression tool for Mac users until the Mac OS X era, when it was overtaken by the standard ZIP format (and the price per gigabyte of storage reached a point where compression just wasn’t as critical). You can still purchase StuffIt Deluxe 2011 for both Windows and Mac, but for most people there will never be a need.
A few years ago, I wrote an application called Kasper that used the native StuffIt Deluxe command line tools to brute force an archive’s password from a wordlist. This was, to put it bluntly, an exercise in watching paint dry: about 35 words per second, or roughly 435 words per second with the SDK (which has to be licensed). While I was successful in recovering a simple four-letter dictionary word, it was clear that the speed at which the tool ran (even on modern hardware) was not going to deliver results.
By running a similar script that, rather than attacking a single archive, created thousands of archives with varying passwords, I found that the StuffIt 5 password scheme always hashes a given password to the same 10-hex-digit (40-bit) value, regardless of which archive it protects. Since nothing per-archive goes into that hash, the work can be precomputed: a rainbow table would take a long time to build the first time through, but could be searched quickly afterwards.
Even so, the table would be extravagantly huge (almost 66 GB gzipped for every possible 5-character password). Thankfully, the author of the excellent unarchiving utility The Unarchiver published enough detail on his site for a non-programmer like me to recreate the password-hashing algorithm in Perl. With that, it was easy enough to write a 20-line script that hashes a candidate password and compares it to the hash stored in the archive. What really sped this up was maskprocessor, the candidate generator from the hashcat password recovery suite, whose output can be piped straight into the script. With this combination, the tool recovered a password in a little over half an hour after trying over a billion candidates, a rate of almost 500,000 words per second per process, and you can run as many processes at once as your machine can handle. A dual-processor, quad-core machine can easily run 8 instances at once without slowing down, so you can, for example, grind through 1- to 8-character masks simultaneously, one length per process.
An interesting finding from one of the first passwords recovered this way came when the user told me he was positive the recovered password (the aam?$Qk one from the earlier screenshot) was not his original password. Hashing algorithms can have collisions, and with a digest of only 40 bits there are just 2^40 (about 1.1 trillion) possible values, so once the candidate space grows past that, collisions are not merely possible but guaranteed; the double hashing this algorithm uses does nothing to change that. Another user provided me with almost 700 password-protected archives, and running the script against all of them for a few days (trying only candidates of up to five characters) recovered a few passwords that were hash collisions. Both the original password and the collision hash to the same 40-bit value, and since that value is all the format ever works from, both decrypt the archive.
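To make the workflow above concrete, here is an added example (my own illustration, not the Perl script from the post and not code from The Unarchiver) of the two pieces it describes: a maskprocessor-style candidate generator feeding a compare-against-stored-hash loop, and a birthday search showing why a 40-bit digest leaks collisions. The page does not reproduce the StuffIt 5 derivation itself, so `stand_in_hash` is an assumed placeholder (SHA-1 truncated to 40 bits, rendered as 10 hex digits) that exists only so the harness runs end to end; swap that one function for the real algorithm and the rest applies unchanged. All names (`CHARSETS`, `expand_mask`, `crack_stream`, `crack_mask`, `find_collision`) and the demo passwords are constructed for this example.

```python
"""Mask-driven brute force against an unsalted, fixed-width hash, plus a
birthday search that shows why a 40-bit digest hands out collisions.
Added example; the hash below is a stand-in, not StuffIt's algorithm."""
import hashlib
import itertools
import string
from concurrent.futures import ProcessPoolExecutor

# maskprocessor/hashcat built-in charset names: ?l ?u ?d ?s ?a ('??' is a literal '?')
PUNCT = " " + string.punctuation
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": PUNCT,
    "a": string.ascii_lowercase + string.ascii_uppercase + string.digits + PUNCT,
}


def parse_mask(mask):
    """Turn a mask such as 'pw?d?d' into one alphabet per output position."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            tok = mask[i + 1]
            positions.append("?" if tok == "?" else CHARSETS[tok])
            i += 2
        else:
            positions.append(mask[i])  # literal character
            i += 1
    return positions


def expand_mask(mask):
    """Yield every candidate for the mask, in the same order maskprocessor would."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def stand_in_hash(password, bits=40):
    """ASSUMED placeholder for the StuffIt 5 password hash (not the real derivation):
    SHA-1 of the password truncated to `bits`, printed as bits/4 hex digits, so the
    default gives the 10-digit strings the post compares against. Unsalted on purpose:
    the same password always maps to the same digest, exactly the property exploited."""
    assert 4 <= bits <= 64 and bits % 4 == 0
    digest = hashlib.sha1(password.encode("latin-1")).digest()
    value = int.from_bytes(digest[:8], "big") >> (64 - bits)
    return f"{value:0{bits // 4}x}"


def crack_stream(target_hex, candidates, bits=40):
    """Compare each candidate line (e.g. piped in from maskprocessor) to the stored
    hash; return the first match or None. Any preimage is a 'hit', collision or not."""
    target_hex = target_hex.lower()
    for line in candidates:
        candidate = line.rstrip("\r\n")
        if stand_in_hash(candidate, bits) == target_hex:
            return candidate
    return None


def crack_mask(target_hex, mask, bits=40):
    """Expand one mask in-process and run it through crack_stream."""
    return crack_stream(target_hex, expand_mask(mask), bits)


def find_collision(bits, alphabet=string.ascii_lowercase):
    """Birthday search: enumerate inputs shortest-first until two different strings
    share a truncated digest. Expected work is roughly 2**(bits/2) hashes, so a
    40-bit digest falls to about a million attempts, not a trillion."""
    seen = {}
    for length in itertools.count(1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            h = stand_in_hash(candidate, bits)
            if h in seen:
                return seen[h], candidate
            seen[h] = candidate


def _worker(args):
    target_hex, mask = args
    return mask, crack_mask(target_hex, mask)


if __name__ == "__main__":
    # Constructed demo: hide a short password, then grind one mask per process,
    # the way the post runs one maskprocessor|script pipeline per password length.
    target = stand_in_hash("k9x")
    masks = ["?l?d", "?l?l", "?l?l?d", "?l?d?l", "?d?l?l"]
    with ProcessPoolExecutor() as pool:
        for mask, hit in pool.map(_worker, [(target, m) for m in masks]):
            print(f"{mask}: {hit or 'no match'}")
    a, b = find_collision(24)  # 24 bits keeps the demo to a few thousand hashes
    print(f"24-bit collision: {a!r} and {b!r} -> {stand_in_hash(a, 24)}")
```

The structure matters more than the placeholder hash: because the digest is unsalted and only 40 bits wide, any sharding of the mask space across processes is embarrassingly parallel, and the first preimage found is accepted whether or not it was the password the user typed, which is exactly the aam?$Qk situation described above.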
Unfortunately, this solution only works for StuffIt archives from the version 5 days, which on a Mac OS 9-era machine would look visibly different from a StuffIt 4 or 1.5.1-era file. The StuffIt 5 format came after the very well established StuffIt 4 format and before the barely-used StuffIt X format. StuffIt 4 files are particularly nasty because they use both a data fork and a resource fork on the Macintosh, so transferring the file to a Windows PC almost guarantees that the resource fork is lost and the archive corrupted. For super-ancient StuffIt 1.5.1 or earlier archives, which would date from the early 1990s, there is a rather easy resource fork hack to replace the password. Someday I hope to have a solution for StuffIt 4 that doesn’t involve the incredibly slow StuffIt Deluxe CLI tools (which also require a registered copy of StuffIt Deluxe). Most likely it will come after a breakthrough by the author of The Unarchiver that I can translate into a simple script.