On Mon, 25 Jul 2005, Alexander Kurtakov wrote:
and 51432 is for ppt files. But this is only an assumtion
Alas it's not that simple.
Password protected powerpoint files are seriously seriously icky. As best
I can tell, they're badly cobbled together, and not planned....
Rather than encrypt the data and leave the record headers alone, or pop
the whole lot in an encrypted container record, or in a different OLE
stream, they've done something odd. It appears they encrypt all the
records (including record headers etc) except for the last two records.
The UserEditAtom pointed to by the CurrentUserAtom stream is in the clear.
Before that appears to be some sort of crypto record (or possibly two, I
haven't figured that one out)
So, every time you encrypt a powerpoint file, the encrypted form of the
first record differs. This means there's not one single first record type
you can check for
One option might be to test if the size reported in the first record is
larger than size of the whole document. However, that won't work in all
cases - there's nothing stopping the encrypted size appearing to be a
small little endian number, since the output of the encryption is almost
random. The larger the document size, the greater the chance that the
encrypted size of the first record appears to be a number smaller than the
overall size.
This is going to take some more pondering. Quite why they didn't have a
different stream (eg EncryptedPowerPointDocument), or at least a flag in
the CurrentUserAtom, escapes me. Bah...
Nick
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
Mailing List: http://jakarta.apache.org/site/mail2.html#poi
The Apache Jakarta POI Project: http://jakarta.apache.org/poi/
