Ultra Word 97 Password Cracker v1.00 MMX (c) 1999 Ivan Golubev
==============================================================


Contents
========

  Description
  Requirements
  Usage
  Template attack
  National languages support
  Performance
  Known bugs and limitations
  Future enhancements
  How to register
  Special thanks
  Technical support
  Where to get the latest version


Description
-----------

Ultra Word 97 Password Cracker (or UW97PC) can be used to recover
passwords for Microsoft Word 97 files. Here is a brief list of UW97PC advantages:

  - UW97PC is a 32-bit application for Windows 9x/NT4.0.
  - UW97PC has a user friendly GUI.
  - UW97PC supports three types of attack: "brute-force", dictionary based
    and a mix of "brute-force" and dictionary based, called a template attack.
  - UW97PC is a fast program. On a K6-2-300 system its performance is about
    50 000 password tests per second (using MMX instructions).
  - UW97PC is customisable: you can set up the minimum and maximum password
    length, define the type of characters used in the password for a
    "brute-force" attack, and you can choose the method of modifying a test
    password from the dictionary file, for a "dictionary based" attack.
  - You can interrupt UW97PC at any time and save the current cracking status.
  - UW97PC shows you an estimate of the time remaining for a solution.
  - There is multi-lingual National language support, using simple text files.


Requirements
------------

To run this program you need:
  - A computer running Windows 95/98/NT.
  - About 100 kilobytes of free hard disk space.


Usage
-----

After starting UW97PC, select the Task menu, choose New, then select
the Word 97 file that you want to process. In the next dialog box
select the attack type to be used. 

If you have selected the "brute-force" attack, in the next dialog box
define the characters to use in the password search, and the minimum
and maximum password length. Then press the "Go" button.

If you have selected the "dictionary based" attack, in the next dialog box
enter the dictionary name and choose how to modify passwords found in the
dictionary file. Then press the "Go" button. The program automatically
recognises the line delimiter used in the dictionary file. It may be
DOS <CR/LF> or UNIX <LF> or just a <CR> delimiter.

For the "template attack" see the description below.

The program is now working. It shows the current status. You can see the
current password being tested, the average passwords tested per second,
and the estimated time to reach a solution. The status information is
updated every 5 seconds (by default). At any moment you can interrupt the
cracking process by selecting the "Task\Stop" menu item. Also at any moment
you can save the current cracking status by selecting the "Task\Save" menu 
item. By default, UW97PC will save the current cracking status in a file with
an extension of .wpc, and with the same name as the Word document file being
processed. You can open this file later and continue the cracking process
from the saved position.

If you think that your system is not stable you can use the autosave function.
Select "Options\Setup" and check "autosave every xx minutes". Note that if
you start a new task with autosave "on" then you will be asked for the status
filename when the autosave time comes (if you have not manually saved the
status previously).

Also you can change the time interval between status updates. However, we
recommend that the update time interval be 5 or more seconds; if it is less 
than 5 seconds the speed of execution of the program will decrease by between
1% and 3%.

If you think that UW97PC takes up too much space on the task bar you can select 
"Options\Setup\Minimize to tray".

When (if) UW97PC finds a password it stops working and displays the results.
It shows the Word document filename, the password for that file and the
password length. Also UW97PC saves the password in a file with the extension
.psw, into the same location as the Word document.


Template attack
---------------

A "template attack" is a mix of "brute-force" and a dictionary-based attack. It
can greatly assist in the finding of a password if you know something about the
password. The main idea of a template attack is to subdivide the password using 
known information. Each part of a template may be either some character set
with a minimum and maximum length, or some word from a dictionary file. To 
understand how to use a template attack let's take some examples:

I. I remember that the password starts with two digits (but I don't remember
them), then I used from 3 to 5 lower case letters and maybe I used a special 
character at the end.

So I select template attack and describe the template as:
+----------+--------------+------------------------------+
| Position | Repeat Count |    Description               |
|          |  min  |  max |                              |
+----------+-------+------+------------------------------+
|        1 |   2   |   2  |   Digits (0123456789)        |
|        2 |   3   |   5  |   Lower case letters (abc...)|
|        3 |   0   |   1  |   Special symbols (!#$...)   |
+----------+-------+------+------------------------------+
Using this template UW97PC starts generating passwords from 00aaa, 00aab,
00aac, ..., 00baa, ..., 12adef$, ..., 21ivan$, ..., up to 99zzzzz~.
This template will be processed much faster than a "brute-force" attack that 
uses character sets "digits" + "lower case letters" + "special symbols", and
with a minimum length of 5 and a maximum length of 8.

II. Ok, let's look at the standard keyboard layout:
 1 2 3 4 5 6 7 8 9 0 - = \
  q w e r t y u i o p [ ]
   a s d f g h j k l ; '
    z x c v b n m , . /

Consider the case where I remember that the password for a file is, for example,
"golubev".  Suppose I incorrectly typed the password, so that in fact "golubev"
is incorrect. Then, given that word, I know which parts of the keyboard I
originally pressed, (or I've watched how another person typed in a password :-)).
Using that incorrect password I can create the following template:
+----------+--------------+----------------------------+
| Position | Repeat Count |    Description             |
|          |  min  |  max |                            |
+----------+-------+------+----------------------------+
|        1 |   1   |   1  |   rtyfghcvbn               |
|        2 |   1   |   1  |   890iopjkl;               |
|        3 |   1   |   1  |   iopkl;m,./               |
|        4 |   1   |   1  |   678yuighjk               |
|        5 |   1   |   1  |   fghjvbn and space        |
|        6 |   1   |   1  |   234wersdf                |
|        7 |   1   |   1  |   dfgcvb and space         |
+----------+-------+------+----------------------------+
Using this template UW97PC can find such passwords as "go;ubev" or "holubwv".

III. Since I am smart enough not to password-protect a file with only a simple word,
I've used a more complex password, but I've forgotten that password! And,
because I am so smart, the password cannot be recovered by a simple 
dictionary based attack (even using all available modifiers).
However, I know that the password starts with 2 to 3 digits,
then I've used some simple word, and maybe I've used a special symbol at the
end. So, first I create a dictionary file of the likely words that I may have
used, (I don't know what word I've used but I try to anticipate it):
=================================================================
ivan
formula-1
f1
formula1
formula_1
password
UW97PC
computer
ok
ok computer
radio
head
=================================================================
I have called this dictionary file mydict.txt.

Secondly, I create the following template:
+----------+--------------+-------------------------------------+
| Position | Repeat Count |    Description                      |
|          |  min  |  max |                                     |
+----------+-------+------+-------------------------------------+
|        1 |   2   |   3  |   digits                            |
|        2 |   -   |   -  |   Word from "mydict.txt":           |
|          |       |      |   all upper/lower case combinations |
|        3 |   0   |   1  |   Special symbols                   |
+----------+-------+------+-------------------------------------+

UW97PC starts to work and after some time it finds the correct password
"91FoRmuLa-1$". Wow, it's not so good to be too smart :-)

I hope these examples will help you to understand how to use the
"template attack". But if you have some questions feel free to contact us.
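
The size of each template above can be worked out in advance. The following
is an added example, not part of UW97PC: it counts the candidates for templates
I, II and III and for the "brute-force" alternative to template I, and converts
them to time at the 50 000 tests per second quoted in this file. The 32-symbol
"special symbols" set is an assumption, since this file shows only "!#$...".

```python
import math
import string

RATE = 50_000                  # tests per second: the K6-2-300 MMX figure from this file
SPECIAL = string.punctuation   # assumption: 32 ASCII symbols; the file shows only "!#$..."

def charset(chars, lo, hi):
    """Candidates for one position: any of `chars`, repeated lo..hi times."""
    n = len(set(chars))
    return sum(n ** k for k in range(lo, hi + 1))

def words_all_case(words):
    """Candidates for a dictionary position with every upper/lower case mix."""
    unique = {w.lower() for w in words}           # case variants of one word count once
    return sum(2 ** sum(c.isalpha() for c in w) for w in unique)

def days(candidates, rate=RATE):
    """Worst-case time to exhaust `candidates`, in days."""
    return candidates / rate / 86_400

# The dictionary from example III (mydict.txt).
MYDICT = ["ivan", "formula-1", "f1", "formula1", "formula_1", "password",
          "UW97PC", "computer", "ok", "ok computer", "radio", "head"]

# Per-position key sets from example II ("and space" written as a trailing space).
NEIGHBOURS = ("rtyfghcvbn", "890iopjkl;", "iopkl;m,./", "678yuighjk",
              "fghjvbn ", "234wersdf", "dfgcvb ")

def example_sizes():
    """Number of candidates tested for each example; positions multiply."""
    digits, lower = string.digits, string.ascii_lowercase
    return {
        "I": math.prod([charset(digits, 2, 2), charset(lower, 3, 5),
                        charset(SPECIAL, 0, 1)]),
        "I as brute force": charset(digits + lower + SPECIAL, 5, 8),
        "II": math.prod(charset(keys, 1, 1) for keys in NEIGHBOURS),
        "III": math.prod([charset(digits, 2, 3), words_all_case(MYDICT),
                          charset(SPECIAL, 0, 1)]),
    }

if __name__ == "__main__":
    for name, n in example_sizes().items():
        print(f"{name:>16}: {n:>23,} candidates, {days(n):>14,.2f} days")
```

The counts are candidates tested, not distinct strings, and the times are
worst case (the whole template is exhausted).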


National languages support
--------------------------

UW97PC can support national languages. There is a message file named UW97PC.lng
in the same directory as the program. You can replace this file with
another that contains messages in your national language.


Performance
-----------

  Here is a small table with testing results. 
+-------------------+--------------+-----------------------+
|    Computer/OS    | Is MMX used? | Passwords per second  |
+-------------------+--------------+-----------------------+
| Cyrix PR233 Win98 |       No     |        25 000         |
| Cyrix PR233 Win98 |      Yes     |        25 000         |
| K6-2-300    WinNT |       No     |        35 000         |
| K6-2-300    WinNT |      Yes     |        50 000         |
+-------------------+--------------+-----------------------+


Known bugs and limitations
--------------------------
  - Doesn't support the French version of MS Word

Future enhancements
-------------------
  - Speed optimisation.
  - Support local network.
  - Your wishes.


How to register
---------------
Why you should register ....

Because,

  - your support helps the author make this program better.

  - you gain access to all the features of UW97PC. Being unregistered, UW97PC
    does not support passwords with a length exceeding four characters for
    a brute-force attack. Also, UW97PC doesn't support modifiers "All available
    combinations", "Reverse order" and "All available combinations in
    reverse order" for dictionary-based/template attacks.

Once registered you will receive your own registration number. After you
enter it in the Options/Registration dialog box, you will gain access to
all the features of UW97PC. Note that the registration number will be valid
for all future updates of UW97PC. Registration costs 30 US Dollars.

At this moment there are two ways to register:

1. The fastest way is to use a credit card. You can register UW97PC via the
"Register Now" option at :

	https://www.regnow.com/softsell/nph-softsell.cgi?item=1964-3

NOTE : The information you send about your card is in a very secure format.
       No one can read it other than the credit card processor program.

2. You can transfer $30 directly to our bank account. If you want to use this
method, tell us in what country you live and we will send you more detailed
information. But please note, there are taxes for bank transfers. The taxes
can be up to 100%!

If you cannot use either of these ways contact us, and we'll try to find
another way.

You can contact us via e-mail at trooper@mail.wplus.net.


Special thanks to
-----------------
	Chris Gregory     who edited this file.


Technical support
-----------------
For technical support please contact :

	Ivan Golubev at trooper@mail.wplus.net
or
 	Denis Gladysh at m53group@chat.ru


Where to get the latest version
-------------------------------
The latest version of this program is available from our web pages at :

	http://members.xoom.com/m53group

or the Russian mirror

	http://www.chat.ru/~m53group

