Recovering Lupa's back up file password.

A friend of mine is using the authoring software Lupa to create a family album. Lupa helps you author albums and then receive a printed copy of the album you created in the software. The software is given for free. Lupa makes its business from the printed albums people order.

My friend then used Lupa's backup feature to back-up his work. He noticed the Lupa back-up file is actually a zip file! He was happy, because that meant that he now had one zip with all the content he created. As he was the one that created the content, it seems logical that he can export it, and use it as he wants to.

Unfortunately, the zip file was password protected! That's when my friend called me to assist him. So we went on to discover the lost password of the zip file!

When you look at lupa's folder, you notice a file called delzip179.dll:

When you look at this dll in depends, you see the interesting Dz_UnzExec function. Interesting!!

When we open the backup file created using Lupa, it will probably use this function to unzip it, and provide it with the password as input. A quick test with windbg, confirms that this function is indeed used, so the question that remaines is where is the password?!

Now instead of opening IDA and trying to figure this out the hard way, we googled this DLL. apparently it's open source! Took us a little while to find a not broken link to the sources, but eventually, we got the signature of the function. It received one parameter, a struct named UnZipParms:

typedef struct

  HWND                          fHandle;
  void                          *fCaller;
  long                          fVersion;
  ZFunctionPtrType              ZCallbackFunc;
  BOOL                          fTraceEnabled;
  unsigned                      fWantedCodePage;
  unsigned                      fPromptToOverwrite;
  char                          *pZipPassword;
  BOOL                          fTest;
  BOOL                          fComments;
  BOOL                          fConvert;
  BOOL                          fQuiet;
  BOOL                          fVerboseEnabled;
  BOOL                          fUpdate;
  BOOL                          fFreshen;
  BOOL                          fDirectories;
  BOOL                          fOverwrite;
  long                          fArgc;
  char                          *pZipFN;
  UnzFileData                   *fUFDS;
  struct UnzExFileData          *fXUDFS;
  BOOL                          fUseOutStream;      // Use Memory stream as output.
  void                          *fOutStream;          // Pointer to the start of streaam data.
  unsigned long                 fOutStreamSize; // Size of the output data.
  BOOL                          fUseInStream;       // Use memory stream as input.
  void                          *fInStream;           // Pointer to the start of the input stream data.
  unsigned long                 fInStreamSize;      // Size of the input data.
  unsigned long                 fPwdReqCount;       // PasswordRequestCount, How many times a password will be asked per file
  char                          *fExtractDir;
  long                          fNotUsed[8];
  long                          fSeven;

Do notice the 7th parameter, called pZipPassword. Bingo!

Now, all that is left to do, is to open lupa, attach windbg to it and get the password and:

Wait for the zip to load: *sxe ld delzip179*
Open the backup file in Lupa 
Print the password: *bp delzip179!DZ_UnzExec "db poi(poi(esp+4)+1c)"*
    break on the unzip function
    dereference (poi) the first parameter
    then dereference the 7th (7*4=28 = 0x1c) member in that structure
    display the bytes in that address.

(windbg commands are bold and italic)

This revealed the password:

As you may notice, it is a 22 bytes binary password (in hex: "6c 6b 32 33 33 f6 30 2c 2e 6c 6f 70 32 65 73 33 33 33 34 fb fc df"). We tried to copy (programmatically) and paste it to winzip, and that didnt work. So we used python's zipfile module, that did the job just fine, and extracted the files inside the zip.

My friend had hoped to see XML files there, but unfortunately for him, this was not the case... Anyway the rest is left for him to figure out ;-)

Note that we found the password hardcoded in the EXE. this makes sense - as Lupa can open backup files that other people made. This probably means that the password is the same for all Lupa's out there. Not even sure of what's the point of encryption here... even DRM is no excuse, as the content does not belong to them... Do they try to protect the user's data from the user himself?!

This was relatively an easy task, but any program that tries to hide\encrypt data that belongs to user from the user himself can be cracked. that's a fact... so why even bother with it?