I have been trying to get into an old ZIP archive where I still have some files from it, but I have some problems understanding how this all works. I believe I have the correct plaintext but it is somehow not working. Have a look at the following data; I got the plaintext by installing an older version of WinZip (8.1).
The old encrypted file:
part number in which file begins (00): part 1
relative offset of local header: 0 (0x00000000) bytes
version made by operating system (00): MS-DOS, OS/2, NT FAT
version made by zip software (20): 2.0
operat. system version needed to extract (00): MS-DOS, OS/2, NT FAT
unzip software version needed to extract (20): 2.0
general purpose bit flag (0x0001) (bit 15..0): 0000.0000 0000.0001
file security status (bit 0): encrypted
extended local header (bit 3): no
compression method (08): deflated
compression sub-type (deflation): normal
file last modified on (0x000034f2 0x00004e10): 2006-jul-26 16:23:11
32-bit CRC value: 0xed656c30
compressed size: 944826 bytes
uncompressed size: 954936 bytes
length of filename: 12 characters
length of extra field: 0 bytes
length of file comment: 0 characters
internal file attributes: 0x0000
apparent file type: binary
external file attributes: 0x00000020
non-MSDOS external file attributes: 0x000000
MS-DOS file attributes (0x20): arc
Current Location part 1 offset 2691065
filename:Photo001.JPG
Current Location part 1 offset 2691087
Central directory entry PK0102 (4+42): #2
And the newer plaintext:
part number in which file begins (00): part 1
relative offset of local header: 1746047 (0x001aa47f) bytes
version made by operating system (00): MS-DOS, OS/2, NT FAT
version made by zip software (20): 2.0
operat. system version needed to extract (00): MS-DOS, OS/2, NT FAT
unzip software version needed to extract (20): 2.0
general purpose bit flag (0x0000) (bit 15..0): 0000.0000 0000.0000
file security status (bit 0): not encrypted
extended local header (bit 3): no
compression method (08): deflated
compression sub-type (deflation): normal
file last modified on (0x00004505 0x0000a882): 2014-aug-05 21:04:04
32-bit CRC value: 0xed656c30
compressed size: 944816 bytes
uncompressed size: 954936 bytes
length of filename: 12 characters
length of extra field: 0 bytes
length of file comment: 0 characters
internal file attributes: 0x0000
apparent file type: binary
external file attributes: 0x81b60020
non-MSDOS external file attributes: 0x81b600
MS-DOS file attributes (0x20): arc
Current Location part 1 offset 2691095
filename:Photo001.JPG
Current Location part 1 offset 0
Local directory entry PK0304 (4+26): #1
So from what I can see there are a couple of differences, but I don't think they should matter. The external file attributes should only matter after decryption, right? And the uncompressed size and CRC are identical, so it should be the exact same file. The compression method is also the same. Additionally, I am quite certain that WinZip was used for encryption. So what is strange is the 10 byte difference in the compressed size. Running pkcrack I am told "No solutions found. You must have chosen the wrong plaintext." which is not correct. Does anyone know what I am doing wrong?
PS. I also have about 30 bytes of plaintext from a text file in the same archive, if anyone knows how that could be used. The documentation says that knowing only part of a file is enough, but I never found a source specifying how that could be used.
Found the answer. There were two problems with what I was trying to do. Firstly, it was indeed the wrong WinZip version, so I simply tried every single one released around the date seen in the information above. Secondly, pkcrack has some bug in it causing a segmentation fault. This meant for me that running the tool using ZIP archives crashed, and instead I had to run the tool on one file at a time after extracting them.
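An added example, not part of the original post: with traditional ZIP encryption each encrypted entry begins with a 12-byte encryption header that is counted in its compressed size, so an entry holding the same deflate stream unencrypted is exactly 12 bytes smaller. The sketch below applies that check to the two listings above; `Entry`, `plaintext_mismatches` and `entry_from_bytes` are hypothetical names, and the field values are copied from the listings.

```python
import io
import zipfile
from dataclasses import dataclass

ENC_HEADER_LEN = 12      # traditional ZIP encryption header, included in compressed size
FLAG_ENCRYPTED = 0x0001  # general purpose bit flag, bit 0

@dataclass
class Entry:  # hypothetical container for the directory fields compared here
    flags: int
    method: int
    crc: int
    csize: int
    usize: int

    @classmethod
    def from_zipinfo(cls, zi):
        return cls(zi.flag_bits, zi.compress_type, zi.CRC, zi.compress_size, zi.file_size)

def plaintext_mismatches(enc, plain):
    """List the reasons `plain` cannot hold the same compressed bytes as `enc`."""
    out = []
    if not enc.flags & FLAG_ENCRYPTED:
        out.append("first entry is not encrypted")
    if plain.flags & FLAG_ENCRYPTED:
        out.append("candidate entry is itself encrypted")
    if enc.method != plain.method:
        out.append(f"compression method {enc.method} vs {plain.method}")
    if (enc.crc, enc.usize) != (plain.crc, plain.usize):
        out.append("CRC or uncompressed size differ: not the same file")
    # Strip the encryption header before comparing the deflate stream lengths.
    delta = plain.csize - (enc.csize - ENC_HEADER_LEN)
    if delta:
        out.append(f"compressed stream differs by {delta:+d} bytes: "
                   "different compressor version or settings")
    return out

# Values copied from the two listings in the post.
OLD_ENCRYPTED = Entry(0x0001, 8, 0xED656C30, 944826, 954936)
NEW_PLAINTEXT = Entry(0x0000, 8, 0xED656C30, 944816, 954936)

def entry_from_bytes(zip_bytes, name):
    """Read one entry's fields from an archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return Entry.from_zipinfo(zf.getinfo(name))

if __name__ == "__main__":
    for reason in plaintext_mismatches(OLD_ENCRYPTED, NEW_PLAINTEXT):
        print(reason)
```

For the two listings it reports a 2-byte difference in the deflate stream once the 12-byte header is subtracted.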