Advanced PDF Password Recovery Pro (APDFPRP)

Advanced PDF Password Recovery Pro (APDFPRP) is a program to decrypt protected Adobe Acrobat PDF files, which have user (open) and/or owner (security, master) passwords set, and to recover these passwords. Owner-level protection allows to prevent PDF file from editing (changing), printing, selecting text and graphics (and copying them into the Clipboard), or adding/changing annotations and form fields (in any combination); user-level one locks the file so the password is required to open/view the file. If only owner password is set, decryption is being done instantly; decrypted file can be opened in any PDF viewer (e.g. Adobe Acrobat Reader) without any restrictions -- i.e. with edit/copy/print/annotate functions enabled. Alternatively, owner password can be recovered using brute-force or dictionary attacks; for user password, these attacks are required in any case. Also, the program supports "key search" attack that allows to decrypt (in a reasonable time) PDF files with 40-bit security redardless the password length, guaranteed.

Requirements :
·Windows 95, Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP or Windows Server 2003
·about one megabyte of free space on hard disk

Please note that the program cannot (yet) work with some files created in Adobe Acrobat 6.0 (PDF 1.5 specification).

Adobe Acrobat features two levels of password protection.

Protecting document with access restriction ("owner", so-called "security" or "master") password does not affect a user's ability to open and view the PDF file, but prevents user from editing (changing) the file, printing it, selecting text and graphics (and copying them into the Clipboard), adding/changing annotations and form fields etc (in any combination). If the file is protected this way, you open it in Adobe Acrobat Reader (again, the password is not required for that) and select File | Document Security menu item (in Acrobat Reader 5.x or older) or File | Document Properties, Security, Show Details in Adobe Reader 6.x and 7.x, the following information is shown.

Fortunately, there is no need to recover that password at all: instead, we can remove it (decrypt the file), so the resulting document will not have any restrictions. That's exactly what APDFPRP does. However, such decryption possible only if "user" password (see below) is not set or known.

Also, there are "open" (so-called "user") passwords. If one is set, the file is encrypted with strong RC4 algorithm, and cannot be opened at all, if the password or encryption key is not known. APDFPRP can recover (try to recover) this password, too, but time-consuming dictionary and brute-force attacks are required. In addition, APDFPRP allows to run this attacks to recover "owner" password, because to decrypt the file, either "user" or "owner" password is needed. Even if both passwords are very long and complex, it is still possible to decrypt the file using Key search attack, which tries all possible 40-bit RC4 keys. It takes up to 30 days to complete (on a single PIII machine), but the success is guaranteed.

Note that when the file is being saved in Acrobat and the "user" password is set, the "owner" password is being set automatically to the same value (but can be changed manually, of course). That's because PDF file cannot have only "user" password: in any case, it has either "owner" password, or both "owner" and "user" passwords (which could be the same or different). Please take that in mind when selecting Advanced options.

Finally, PDF files can be protected using PDF Merchant and EBX digital rights management schemes or 3rd party plugins such as FileOpen, SoftLock etc. APDFPRP does not support such ones, i.e. cannot decrypt them at all.

Please note that Acrobat 5.0 and 6.0 can create PDF files with improved security level: 56..128-bit RC4 encryption (look at Complete new feature highlights document on Adobe server). For such files, "owner" protection can be recovered instantly as for Adobe Acrobat 4.0 (and older versions), but brute-force and dictionary attacks are much slower; and "key search" attack is not available at all.

When brute-force or dictionary atack starts, APDFPR provides additional information what kind of security handler is being used; log window will contain a record like:

05.04.2002 13:05:51 - File "C:My Documents\test.pdf" opened.
05.04.2002 13:06:14 - Handler: Acrobat Standard (Standard) 40-bit security v.1.

or

05.04.2002 13:05:51 - Handler: Acrobat Standard (Standard) 128-bit security v.2.

Just enter the name of the PDF document you'd like to get the password for. Use the "Browse" ("Load PDF file into the project...") button (or F3 key) to select it, or press the "recent files" button (with a small down arrow) to pick from the list (if you've used APDFPRP on your target document before). Alternatively, you can use drag'n'drop – just drag the file (with a mouse) from Windows Explorer, and drop it to the APDFPRP window.

If only "owner" password is set, or the "user" password is known, you can decrypt it immediately – press "Decrypt the document" button (just at the right of "Browse" one). If the "user" password is set, you'll be prompted for it. Please note that you can enter even the "owner" password there – APDFPRP can still decrypt the file with it, recognizing the type of the password automatically.

If the "user" password is set but now known, you have to select other options and start the attack – consult next chapters for more informations.

If the file is encrypted using any security method other than standard, APDFPR will display an error message (that this kind of encryption is not supported), and write a corresponding record to the log file, for example:

05.04.2002 13:08:59 - Handler: FileOpen Publisher (FOPN_fLock) 40-bit security v.1.

Instructs the program what characters have been used in the password. You can choose from all capital letters, all small letters, all digits, all special symbols and the space, or all printable (includes all of the above). The special characters are:

!@#$%^&*()_+-=<>,./?[]{}~:;`'|"\

Alternatively, you can define your own character set (charset). Just mark the "User-defined" checkbox and click on "Custom charset…" (at the right of the option). In the input window, enter all chars of your password range; for example: if you remember that your password was entered in the bottom keyboard row ("zxcv...") - your password range should be "zxcvbnm,./" (or in caps: "ZXCVBNM<>?"). You can also define both of these: "zxcvbnm,./ZXCVBNM<>?". In addition, you can load and save custom charsets, or combine them using the "Add charset from file..." button.

This option may help, for example, if you know the first character(s) of the password. For example, if you're sure that the small letters have been used (from 'a' to 'z'), the length is 5, and the password definitely starts with 'k', than type 'kaaaa' here. Please also note, that if you press the "Stop" button when APDFPRP is working, the program writes the current password to this window ("Start from password"). It can be used later to restart the program from the same point.

Please note that the program verifies the passwords according to the following character order:

· CAPITAL letters: 'A'..'Z'

· the space

· small letters: 'a'..'z')

· digits: '0'..'9'

· special characters: !@#$%^&*()_+-=<>,./?[]{}~:;`'|"\

You can also use End at field to set the password APDFPRP should stop at. It might be useful if you attack the same document on a few computers, and so can split the whole password range onto a few parts.

If you already know some characters in the password, you can specify the mask to decrease the total number of passwords to be verified. At the moment, you can set the mask only for fixed-length passwords, but doing this can still help.

For example, you know that the password contains 8 characters, starts with 'x', and ends with '99'; the other symbols are small or capital letters. So, the mask to be set is "x?????99", and the charset has to be set to All caps and All small. With such options, the total number of the passwords that APDFPRP will try will be the same as if you're working with 5-character passwords which don't contain digits; it is much less than if the length were set to 8 and the All Printable option were selected. In the above example, the '?' chars indicate the unknown symbols.

If you know that the password contains an occurrence of the mask character '?', you can choose a different mask character to avoid having one character, '?', represent both an unknown pattern position and a known character. In this case, you could change the mask symbol from '?' to, for example, '#' or '*', and use a mask pattern of "x######?" (for mask symbol '#') or "x******?" (for mask symbol '*').

This is one of the most important options affecting checking time. Usually, you can test all short passwords in just a few minutes; but for longer passwords, you have to have patience and/or some knowledge about the password (including the character set which has been used, or even better – the mask).

The minimum length cannot be set to a value greater than maximum length, of course.

If the minimum and maximum lengths are not the same, the program tries the shorter passwords first. For example, if you set minimum=3 and maximum=7, the program will start from 3-character passwords, then try 4-character ones and so on – up to 7. While APDFPRP is running, it shows the current password length, as well as the current password, average speed, elapsed and remaining time, and total and processed number of passwords (Program status). All of this information except average speed and elapsed time, which are global, is related only to the current length.

Simply select the desired dictionary file. In addition, you can select an option Smart mutations or Try all possible upper/lower case combinations – it may really help if you're not sure about the register the password has been typed in. For example, let's assume that the next word in dictionary is "PASSword" (the case, actually, doesn't matter here). With the second option enabled, the program will just try all possible combinations, like:

password
passworD
passwoRd
passwoRD
passwOrd
…
PASSWORd
PASSWORD

However, checking all such combinations takes a lot of time: in the example above, APDFPRP will check 2^8 words (i.e. 256) instead of one. With smart mutations, you can eliminate a number of "virtually impossible" combinations, and here are all the words which will be checked:

PASSword
(as is)

passWORD
(reversed)

password
(all lower case)

PASSWORD
(all upper case)

Password
(first uppercase, rest lowercase)

pASSWORD
(first lower case, rest uppercase)

PaSSWoRD
(elite: vowels in lc, others in uc)

pAsswOrd
(noelite)

PaSsWoRd
(alt/1)

pAsSwOrD
(alt/2)

So, it makes only 10 combinations for each word.

The Start line # option allows you to start an attack from a given line (in the dictionary); if you interrupt the attack, the "current" line number will be written there (and saved to the project file, of course).

A small but very effective dictionary is included into APDFPRP distribution: english.dic (about 27,000 words). An extended English dictionary (over 2,600,000 words), as well as the dictionaries for more than 20 other languages.

If the PDF file has both user and owner passwords and they are long and complex, you have nothing to do but try this attack. It tries all possible RC4 encryption keys until it finds the right one, and allows to decrypt the file using that key – the resulting PDF file will have no security at all. That method gives 100% success.

In PDF 1.2/1.3 files (Acrobat 4.x or older), the key length in 40 bits, and so the total number of keys is 2^40, or 1,099,511,627,776. All key space is divided into 65,536 blocks, with 16,777,216 in a block; it takes up to a minute (sometimes more, if you have a slow CPU) to process one block. So the whole recovery process takes about 30 days on PIII-450 computer, and the average is just 15 days.

You have to select the block to start from (Start from block input box) and ending block (End at block box); both values could be from 0 to 65536. During the attack, the program shows the number of the current block, time elapsed, average speed (in keys per second), number of keys already processed and the total number of keys. When the key is found, the program shows it and ask you to decrypt the file; if you already know the key, just put it into the Document key input box and press Decrypt button at the right.

If you you have more than one CPU in your system and SMP-enabled operating system (Windows NT, Windows 2000 or Windows XP), be sure to enable the Use multi-processor code option – recovery speed will be almost two times better (right now the system is optimized for two CPUs only, so if you have more, they will not be used).

Unfortunately, Adobe Acrobat 5.0 can create PDF files with improved security level: 56..128-bit RC4 encryption (PDF 1.4 specification; look at Complete new feature highlights document on Adobe server), and so that attack is not applicable to them (you will get an error message).

If you'd like APDFPRP to save its state periodically, please check the appropriate option, and select the time (in minutes) between saves. If you do that, APDFPRP will create and periodically update a restore file named "~apdfpr.axr" (that's the default – you can change it) in the same folder where your document is located (also by default; you can select any other folder to save that file to). This file is similar to one created when using the "Save setup" button. Even if your computer stops responding (or if power fails), you'll be able to restore breaking the password from the last saved state. Instead of using the default settings (the name of the file and the folder it will be saved to), you can also select your own settings. Enabling this option is strongly recommended.

Priority: background or high. If you want to start APDFPRP as a "background" process, which will work only when the CPU is in an idle state, you may select "Background". If you want to increase performance, select "High", but be aware that this will decrease the performance of *all other* applications running on your computer.

Minimize to tray: if this option is enabled, the program window will disappear from the Windows desktop when you press the "minimize" button in the top-right corner of the window (or you select an appropriate item in the system menu). The small icon will be created in the "tray" area of the task bar (near the system clock). Just double-click on that icon to restore the window.

Log to apdfprp.log: when enabled, the program saves all information displayed in the status window into the log-file (apdfprp.log).

Progress bar update interval: allows to set an interval (in milliseconds) between progress bar and status window updates; the default is 500 (a reasonable value). By selecting the higher value (3000, for example), you can get slightly better recovery speed.

Register: press this button to register your copy of APDFPRP (if you've got the registration code already, of course).

Update: press this button (when you're connected to the Internet) to see if there a new version of APDFPRP on our site. Note: the program uses Microsoft Internet Explorer proxy settings.

Language: the program has multi-language interface. Just select the appropriate language from the drop-down box. English is the default.

Search for: Any password, User password or Owner password. Select this option to instruct the program which particular password to search for; look at About PDF encryption chapter first. And here are a few recommendations for different cases:

· Your file is not encrypted at all. It doesn't matter what do you select: when you try to run the attack, the program will note you that it is nothing to do.

· Your file has only "owner" password set. You'll get a notification message that the file can be decrypted now, but you can still search for the original password. Select to search for Owner password only; you can also search for Any password, but the speed will be lower.

· Your file has both "user" and "owner" passwords set, and they're the same (typically, you don't know that in advance, but as noted above, the "owner" password is set to the same value as "user" one just by default). The best solution here is to search for User password only, as far as it is the fastest.

· Both "user" and "owner" passwords are set, but they're different. You can search for any of them, or for both at the same time. Please take in mind that searching for User password is the fastest, for Owner password – almost two time slower, and for Any password – the slowest. So that's up to you what to select. There is a chance that one of these passwords is much shorter/simpler than the other one, but again, you don't know that in advance. We'd recommend to set Any password first (for example, with the dictionary attack, and up to 4-5 chars with brute-force attack), and then look for User password, but in extended range (e.g. up to 7 chars).

Mask symbol: used for Mask attack.

Use code optimized for: (Non-MMX processors / Intel PII/PIII/Celeron / AMD Athlon / Intel P4 SSE2): force APDFPRP to use the code specially optimized for the given CPUs. The program detects your CPU and tries to select the proper code automatically, but you may want to play with that option if you've got any other CPU such as Cyrix, Transmeta Crusoe etc.


Home page URL : http://www.elcomsoft.com/apdfpr.html