I can now rule out WinZip as encryption tool, as the Zip file uses minimum version of 1.0 to extract stored files and minimum version of 2.0 to extract deflated files.
Also all WinZip versions of that time span (2002) (6.3,7.0,7.1,8.0,8.1) do not write an extended local header, which is also present.
This means that all attacks depending on the extremely weak PRNG of WinZip earlier 8.0 do not work.
The PRNG still is quite weak and the starting seed is (if Info-ZIP compatible was used) also guessable in between time(NULL) ^ PI as PI is used on win32 for xoring.
Also we know the plain text bytes of the 4 stored files that most probably start with the same header (PK...).
One file is unfortunately not enough as the time byte must be guessed correctly. (However this is only a manual brute force of 255 combinations).
However while this is enough to rule out the possible key combinations no published source code program exists, which uses plain text in several files at once.
So one you guys with the fast machines, you can try to get pkcrack running (on windows) and do a known some plain text attack on tables.zip with:
2d b0 50 4b 03 04 14 00 0a 00 08 00 ??
This assumes that the first file in tables.zip was deflated (08 00), is compatible using version 2 (14 00), and was using maximum compression settings and extended local headers (0a 00), using not another password (again 0 bit in 0a 00 is 0).
The other possibility would be:
2d b0 50 4b 03 04 14 00 08 00 08 00 ??
(Using standard compression settings, but still extended local headers)
Quite another possibility if another program was used for the other zip files is:
2d b0 50 4b 03 04 14 00 00 00 08 00 ??
(if no extended local headers were used)
The 2d b0 can be found in TM.zip as the time of day (in standard DOS format) (which is used instead of CRC-32 for files, which use extended local headers) and assumes that the zipper used for encryption was writing two checkbytes, however being compatible with version 1.0 this might hold true.
pkcrack needs to be started as follows then:
./pkcrack -C TM.zip -c tables.zip -p pt.zip -o -2
assuming that the pt.zip contains the bytes written above.
Another attack could assume that the zip file was packed together after the files were copied as we can see several files with 01 date have almost the same time stamp:
2d b0 50 4b 03 04 14 00 0a 00 08 00 ?? b0 36 2b
would then be our search string for tables.zip assuming that the first file in tables.zip has a last-modified date of approximately the same time as when it was packed.
(Risky but 4 times faster!)
That is all I can find for now,
Best Wishes,
Fabian
