Everyone knows that since Office 2007, all file formats from Office have been converted to the OfficeOpen standard, which is nothing more then a zip containing a bunch of XMLs. A lot of IT guys also know that Microsoft and the (password) protection of spreadsheets is nothing more then a tiny user interface lock and one line of code in the underlying XML, which of course is only a real issue to users of Excel. Starting with OpenOffice, there is actually a good encryption built into the file format. It now can use AES encryption, which is currently the standard for encryption.
But what if we’d locked parts of the spreadsheet, but without password-protecting the file (but just the cell protection)? This would implicitly tell us that Office can open the file without password. Inspecting some of these files I got as an assignment for my job, I found out that Office does encrypt these files. Opening these kind of files as a zip is impossible because they have become some OLE-object instead. Which acts as the encrypted data container.
To unlock these files, you’ll need the password Microsoft used as some hardcoded useless feature in their Office programs, “VelvetSweatshop” (which is ironically enough a wink at critics on Microsoft’s PO policy in 1989). Microsoft Office of course has this feature (try the password and if we fail, ask the user). Luckily I was not the first to find out that Microsoft introduced this password protection. Although it took me some hours of googling to get this knowledge.
I could get my files decrypted using the ooxmlcrypto library of Danilo Mirkovic (plus some minor tweaks to get it running using mono).