GuaPDF (Guaranteed PDF Decryptor) PDF files decryptor/restrictions remover v. 2.1 - command line version (c) Copyright PSW-soft 2000-04 by P. Semjanov THIS PROGRAM IS DISTRIBUTED "AS IS". USE IT AT YOUR OWN RISK. GuaPDF comes with ABSOLUTELY NO WARRANTY. The AUTHOR also DOES NOT GUARANTEE releasing any future VERSIONS of the program. This program has two versions: 1) FREEWARE (with some limitations) that can be distributed freely under following conditions: the program code should not be changed and has to be distributed in original form. Any commercial use of this version is prohibited. Support and updating of this version also is not guaranteed. 2) COMMERCIAL (fully-functional) that can't be distributed in any form with out written explicit permission of the author and the usage of with version is restricted by included license. Also, there are some commercial version modifications. 1. Objectives and characteristics. The program GuaPDF can be used: 1) to remove the restrictions applied to the PDF documents (such as not allowing printing, changing, selecting text etc). These restrictions are insecure and removing process is instant on any PDF file (even with 128-bit encryption enabled). 2) to decrypt PDF documents encrypted with password to open (user password) without knowing the password. But it is not PASSWORD recovery program, the decryption of any file is guaranteed regardless of password used. This is not possible on the files with new 128-bit encryption. The program has been tested on PDF files up to version 1.5 (Acrobat 6.0). ATTENTION: Only standard PDF encryprion is supported, neither third-party plug-ins nor e-books. 2. PDF security overview The standard security provided by PDF consist of two different methods and two different passwords. A PDF document may be protected by password for opening ('user' password) and the document may also specify operations that should be restricted even when the document is decrypted: printing; copying text and graphics out of the document; modifying the document; and adding or modifying text notes and AcroForm fields (using 'owner' also known as "Change security options" password). Encryption of PDF documents with user password uses a RC4 stream cipher which is cryptographically strong. (Un)fortunately, PDF files created in Acrobat 3.x, 4.x and with default encryption in Acrobat 5.x-6.x) use key with 40 bits length long. Not long ago it was impossible for individuals to test all keys, but nowadays, the power of modern PC is sufficient for that procedure. To crack ANY PDF user password you need to test 2^40 keys. (No matter how long the password is, what charset and national symbols uses). It's implemented in this program with the speed about 1.000.000 keys/s on Pentium 4/1600 and you will need about 13 days to finish it. (Surely, in average you will need only a half of this time). The faster computer you've got, the earlier file is decrypted. To speed up cracking simple distributed computing mechanism is included in GuaPDF program (*). (*) - not available in free and restrictions remover versions All keyspace is divided to 16384 (0-16383) "megakeys" (they are simply called "keys" below) and each of them can be tested in parallel on separate computer. One key testing time is about 1 minute on Pentium 4/1600). So, if you've got thousand computers in your LAN, you could find the right key in a few minutes. Second security method (operations restrictions) is insecure and can be cracked instantly. NOTE: If you know owner password for encrypted PDF file, this file can be also decrypted instantly. 3. Working with the command-line version of the program. (If you use GUI version, please refer to the help). You may run GuaPDF program under Win32 (Windows 95/98/NT/2000 etc) and Linux. 3.1. Running the restriction remover version. This GuaPDF version can only remove restrictions (or owner password) on a PDF file (if you even can't open the file, use GuaPDF n-clients version). Any Acrobat and PDF version supported, even with new 128-bit encryption. Use the following command line to run the program: GUAPDF.EXE [options] PDF_file , where: PDF_file is PDF document with restricted operations. Options are: /p password proceed file protected with given owner password; /y don't ask about starting the decryption. If you know at owner password of the file, you may instantly remove restrictions and user password on this file (/p option). Use /y option if you are sure you made backup copy of your file and don't need the confirmation of starting the restrictions removal. When the right key is found, the PDF file will be decrypted and saved as file with .decrypted.pdf extentions. 3.2. Running the n-clients GuaPDF version. This GuaPDF version can remove restrictions (or owner password) on a PDF file or/and decrypt file encrypted with user password (see p. 1). If you are going to use several computers, you should copy GuaPDF program to the shared directory and run GuaPDF on every computer (client) from this directory. Also, you should start SHARE.EXE under MS DOS before running GuaPDF on the network. Use the following command line to run the program: GUAPDF.EXE [options] PDF_file [start_key [end_key]], where: PDF_file is PDF document with password for opening and/or restricted operations. Parameters in [] brackets are optional: start_key is a key to start from (0-16383), default = 0 (*); end_key is a last key to test (0-16383), default = 16383 (*). If you reduce keyspace using these parameters, the available clients number will be reduced in proportion. The following options should be used on FIRST client only: /r restarts cracking after any accident; (*) /1 forces first client mode (*) /p password proceed file protected with given password; /y don't ask about starting the decryption. (*) - not available in free version /r option may be useful if an accident has occurred, such as power was off or decryption failed for some reason. This option sets the number of clients to zero and convert all interrupted keys (see below) to "not tested" ones. Of course, it doesn't change any other keys, already tested keys never be tested again. Use /r option only on ONE (first) client when all clients are not working, next clients should be run without /r option. /1 option should be used to start first client again after interruption. No need to interrupt other clients when starting first one. If you know at least one password (no matter which one) of protected file, you should always use /p option. Then you can instantly: 1) remove restrictions (and password) on encrypted file entering its user password; 2) decrypt file entering its owner password. Use /y option if you are sure you made backup copy of your file and don't need the confirmation of starting the restrictions removal. When the right key is found, the PDF file will be decrypted and saved as file with .decrypted.pdf extentions. To provide distributed computing mechanism (*) the shared file (with .key extension) is created in current directory at the first run of the GuaPDF program. Thus, you will need to have WRITE PERMISSION to the current (shared) directory. (Also you need write permission to the temporary directory). Do not delete nor modify this file if you are not sure that this is right thing to do. Normally, there should be no interrupted keys in the .key file, but they could appear if computer accidentally powers off or if you interrupt the program, running on Windows NT. To resolve the problem with the interrupted keys please look at the messages of the LAST client finished. If it says, "ATTENTION: There are some possibly interrupted keys", rerun this client with /r option and the same keyspace. The program will retest all interrupted keys. 3.3. The examples of GuaPDF using. Following command lines can be used with any GuaPDF version: 1) To crack (decrypt or remove restrictions) the TEST.PDF file on one computer use: GUAPDF.EXE TEST.PDF 1a) To remove restrictions on the TEST.PDF file without prompt use: GUAPDF.EXE /y TEST.PDF 1b) To remove restrictions on the TEST.PDF file encrypted with user password 'PASS' use: GUAPDF.EXE /p PASS TEST.PDF 1c) To decrypt TEST.PDF file protected with owner password 'OWNER' use the similar command line: GUAPDF.EXE /p OWNER TEST.PDF 1d) To remove restrictions on the TEST.PDF file encrypted with user password 'PASS' without prompt use: GUAPDF.EXE /p PASS /y TEST.PDF Below are examples for GuaPDF n-clients version only: 2) To crack encrypted TEST.PDF file on several computers on the LAN, copy the GuaPDF program and TEST.PDF file to the shared directory and use this simple command line: GUAPDF.EXE TEST.PDF The first started client is special, and will actually decryption do. Any client can be interrupted by pressing Ctrl-C once and continued by running with the same options (no need to change the keyspace range - it will be picked up automatically). When interrupting first client, to continue it use special /1 option, like: GUAWORD /1 TEST.DOC 3) To crack TEST.PDF on two divided LANs or on two divided computers (e.g. at home and at work), use: GUAPDF.EXE TEST.PDF 0 8191 - on first LAN GUAPDF.EXE TEST.PDF 8192 - on second LAN Use the similar command lines on several LANs. 4) If some accident has occurred (such as power was off or decryption failed for some reason), you may continue from the last untested key by running on FIRST client: GUAPDF /r TEST.PDF Any other clients should not be running at this time, start them in normal way. 4. Mini-FAQ. 1) How to interrupt and continue searching? The program can be interrupted by pressing Ctrl-Break once and continued by running with the same options (no need to change the keyspace range - it will be picked up automatically). (*) Continuing is impossible in freeware version, it will start from key 0. ATTENTION: on pressing Ctrl-Break Windows NT will cause the "Application error" window and interrupted key will appear in the .key file (see above). 2) What do the values in .key file mean? First 16 bytes are special. The byte with n offset means the state of (n-16) key and may be one of 3 values: 0 - key is not tested yet, 1 - key was tested and is not right, 2 - key is testing now (or may be interrupted key). So, if the test of a given keyspace is completed, and there are still some values (in this keyspace) which are not equal to 1, then there must be a bug in the program. Those keys, which have not been tested, can be tested by simply running the program on this keyspace again with /r option. 3) I've got Pentium III/1000 computer, but key testing time is extremely large. Make sure that other CPU hungry programs (including 3D-screensavers) are not running simultaneously. 3a) One key testing time is 2 times longer under Windows NT than under MS-DOS or Windows 95. Give 100% CPU time to the program. Easiest way to do it is click on blank space on the taskbar and next click on the program window. 4) How can I test if your program is working? To test restrictions removal, run GuaPDF on RESTRICT.PDF file in the archive. To test password cracking and decryption, run GuaPDF on ENCRYPT.PDF file in the archive and wait until it finishes testing key 0. (The user password for last file is 'gird', the owner password for both files is 'owner'). 4a) I try to put 'gird' password on my .pdf file, and your program can't decrypt it within 0 key attempt. Sure, ENCRYPT.PDF is an especially constructed example, and you have no chances to make such (fast breakable) file using standard PDF creating software. See q. 13. 4b) I try to make another restricted file example but demo version says file is too large... Demo version can correctly decrypt only few streams (look at PDF specification if you don't know what does it mean). I recommend create text (.txt) file containing few words and next open it in Acrobat, set owner password and run GuaPDF. Also you may convert small MS Word (.doc) file to PDF. 5) The full keyspace has been tested, no key found. Check for interrupted keys in .key file (see q.2) or just simply run program again with /r option. If it is still fails, your PDF file is seriously corrupted or it's a bug. 6) Your program found a key, successfully decrypted a file and I still can not open it... First, don't despair. The found key is correct and your file can be decrypted. Just write me, and I'll fix this bug, and you won't need to test the keys again. 7) What are the differences between freeware and commercial version? a) Demo version is limited to decrypt only few streams - it means, only small files can be processed correctly b) Distributed mechanism c) Starting and ending key arguments, /r option d) Support 8) Can you explain the differences between commercial versions? Restrictions remover version is designed to unset operation restrictions only. Other versions can also do that, and can be used for decrypting documents with user password. They are differ only by available clients number. If you are not sure what version you should buy, run demo version on your file and look what it says. 9) Is it possible to speed up your program? On Pentium Pro architecture processors (including Celeron, PII, PIII) is not possible. On other architecture - perhaps, especially with newest AMD processors. 10) I'm using UNIX, OS/2, BeOS etc. Will such version be available? Possibly. At least, Linux i386 is already exists. Restriction remover verion can also be easily ported. Regarding other version and platforms, bear in mind that GuaPDF is optimized exclusively for Pentium II architecture and may be much slower even on very powerful processors. Mail me if you desperately need such version. 11) Program displays "no more clients (N) allowed in this keyspace", although less than N clients are running. You incorrectly interrupted some clients. Stop others and use /r option. 12a) Freeware version found the key, but couldn't (correctly) decrypt the file. Is there the way for not searching for key again? 12b) Freeware version tested some (a lot of) keys when I decide to buy commercial version. Is there the way for not testing them again? Sure, just run commercial version with appropriate start_key parameter. 13) I'm sure all of my files are encrypted with the same password, and I successfully decrypted one of them. Can I decrypt others without running GuaPDF on all files? Files with the same password DON'T have the same key, because it depends on file ID etc. and there is no way to decrypt other files if you even know the key of one of them. I think, however, that it is possible to write PASSWORD recovering utility from given key and .pdf file. 14) Your program produces a lot of warnings: "String XXXXX truncated in line XXX". What do they mean? When decrypting, some strings need to be truncated. For majority of PDF documents, these truncations don't affect the resulting file in any way. If your document is affected, mail me. I'm working now on new GuaPDF engine, allowing to get rid such a warning. 15) GuaPDF prints "XXXXXXXXXXXX.pdf: No such file or directory (ENOENT)", although the file exists. Don't use long file names on Windows NT (rename the file). 16) Will the signature on signed PDF file be valid after decryption/removing restriction? Of course not, because the file will be changed, 17) How can I remove restrictions from several file in one directory? Use FOR command, like: for %i in (*.pdf) do guapdf /y %i or, in .BAT file: for %%i in (*.pdf) do guapdf /y %%i 18) How to run GuaPDF in the low priority? RTFM. Under Windows NT/2000 use start /low guapdf 19) My file is confidential and I don't want to remain it in the shared directory. What to do? You can remove your file after the key test begins and copy it back when the prompt for decryption will appear. 20) The key has been found on one of the clients while first client was stopped. How to decrypt file in this situation? Just start first client with /1 option. 21) How to run GuaPDF on the dual processor computer? Just start two copies of the program with the same options. 5. Ordering and contact information. Program support URLs are http://www.password-crackers.com/crack/guapdf.html Here you find the link to ordering page. There are commercial versions: restrictions remover only - $29; 1 client version - $42.95; 5 clients (max) version - $59; These versions are licensed to non-profit, individual use. To use GuaPDF for business, you should buy business license for unlimited version - $450. You can also contact to author: e-mail: pavel@semjanov.com A lot of great password crackers are at http://www.password-crackers.com Although I already mentioned that I will not accept any claims, I shall be grateful to here about obvious errors, such as: - the program hangs at brute force; - the program does not find the key of a given file although all keys were tested. I appreciate any constructive ideas for improving this program. 5. Special thanks. To Eric Young for his great SSLeay library. To Derek B. Noonburg for his not less great xpdf library. To Phil Frisbie, Jr. for CPU identification function. To Olga Potapova for correcting this doc. To guys from comp.text.pdf. Good luck! Pavel Semjanov, St.-Petersburg.