[](https://crates.io/crates/pkcrack)
[](https://gitcode.net/dnrops/pkcrack)
[](https://gitcode.net/dnrops/pkcrack/-/raw/master/LICENSE)
# PKCRACK - Rust Implementation
A complete Rust implementation of the known-plaintext attack against PkZip encryption, based on the original C implementation by Peter Conrad.
## Overview
This tool implements the Biham/Kocher known-plaintext attack against the proprietary PkZip encryption scheme (also known as ZipCrypto). The attack is divided into three main stages:
1. **Stage 1**: Generate and reduce possible key2 values from known plaintext-ciphertext pairs
2. **Stage 2**: Reconstruct complete key sequences from reduced candidates
3. **Stage 3**: Find the original password or decrypt the ZIP file directly
## Features
- Complete port of the original C pkcrack functionality
- Modern Rust implementation with memory safety guarantees
- Comprehensive command-line interface
- ZIP file processing capabilities
- Detailed progress reporting
- Automatic report generation
- Cross-platform compatibility (Windows, Linux, macOS)
## Installation
### Prerequisites
- Rust 1.70 or higher
- Cargo (included with Rust)
### Build from source
```bash
git clone <repository>
cd pkcrack
cargo build --release
```
The compiled binary will be available at `target/release/pkcrack` (or `pkcrack.exe` on Windows).
## Usage
### Basic Usage
```bash
# Attack encrypted file with known plaintext
pkcrack -c encrypted.zip -p known_plaintext.txt
# Specify custom offset
pkcrack -c encrypted.zip -p known_plaintext.txt -o 12
# Extract files from ZIP archives
pkcrack -C encrypted.zip -c "secret.txt" -P plaintext.zip -p "secret.txt"
pkcrack -C flag.zip -c "key.txt" -P key.zip -p "key.txt"
```
### Command Line Options
```
Usage: pkcrack.exe [OPTIONS]
Options:
-c, --ciphertext <CIPHERTEXT> Ciphertext file
-p, --plaintext <PLAINTEXT> Plaintext file
-C, --ciphertext-zip <CIPHERTEXT_ZIP> ZIP archive containing ciphertext
-P, --plaintext-zip <PLAINTEXT_ZIP> ZIP archive containing plaintext
-d, --decrypt <OUTPUT_ZIP> Output decrypted ZIP archive
-o, --offset <OFFSET> Offset of plaintext into ciphertext (may be negative) [default: 12]
-i, --case-sensitive Case-sensitive filename matching in ZIP archives
-a, --abort Abort key searching after first success
-n, --no-progress Disable progress indicator
-h, --help Print help
```
## Examples
### Example 1: Basic Attack
```bash
# You have an encrypted ZIP file and know part of its contents
pkcrack -c secret.zip -p known_text.txt
# The program will:
# 1. Load both files
# 2. Execute the three-stage attack
# 3. Display results including recovered keys and/or password
```
### Example 2: ZIP Archive Processing
```bash
# Extract encrypted file from ZIP and known plaintext from another ZIP
pkcrack -C archive.zip -c "secret.txt" -P known.zip -p "known.txt" -d decrypted.zip
```
### Example 3: Custom Configuration
```bash
# Use custom offset and disable progress indicator
pkcrack -c encrypted.dat -p plaintext.dat -o 8 -n -a
```
## Attack Algorithm
The attack works in three stages:
### Stage 1: Key Space Reduction
1. Generates initial candidates for key2[n] using mathematical relationships
2. Reduces the candidate space through backward iteration
3. Typically reduces from millions to hundreds of candidates
### Stage 2: Key Reconstruction
1. Reconstructs complete key sequences (key0, key1, key2)
2. Uses recursive algorithms to validate key transitions
3. Cross-references against known plaintext-ciphertext pairs
### Stage 3: Password/Decryption
Two possible approaches:
- **Password Search**: Brute-force search for the original password
- **Direct Decryption**: Use recovered keys to decrypt ZIP file directly
## Requirements
- **Minimum plaintext length**: 13 bytes
- **Plaintext must be**: Known and contained within the encrypted file
- **File format**: PkZip encrypted files (ZipCrypto)
## Performance
- Memory usage: ~33MB for large key spaces
- Time complexity: Variable based on attack success
- Optimized with precomputed tables for maximum efficiency
## Output
The tool provides:
- Recovered encryption keys (key0, key1, key2)
- Original password (if found)
- Detailed attack statistics
- Comprehensive progress reports
- Timestamped attack logs
## Security Considerations
This tool is designed for:
- Security research and education
- Password recovery on owned files
- CTF competitions and penetration testing
- Understanding cryptographic vulnerabilities
**IMPORTANT**: Only use on files you own or have explicit permission to analyze.
## Technical Details
### Mathematical Foundation
The attack exploits weaknesses in PkZip's key initialization:
1. **Key Relationships**: `key3[n] = plaintext[n] XOR ciphertext[n]`
2. **Inverse Operations**: Uses inverse CRC-32 operations
3. **Constraint Satisfaction**: Each key imposes constraints on previous keys
### Key State Management
The algorithm maintains three 32-bit keys:
- **key0**: CRC-32 based key
- **key1**: Mathematical transformation of key0
- **key2**: CRC-32 based on key1's most significant byte
### Implementation Details
- Precomputed lookup tables for performance
- Thread-safe global state management
- Comprehensive error handling
- Memory-efficient data structures
## Testing
Run the test suite:
```bash
cargo test
```
## Contributing
1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Add tests if applicable
5. Submit a pull request
## License
This project is licensed under the MIT License - see the LICENSE file for details.
## Acknowledgments
- Original C implementation by Peter Conrad
- Biham/Kocher cryptographic research
- Rust community for excellent tooling
- Test contributors and security researchers
## Disclaimer
This tool is for educational and research purposes only. Users are responsible for ensuring compliance with applicable laws and regulations.