Main Projects Background
PentiumGCC EGCS Judge
FreeISDN Gimp Destripe
lsys ==FCrackZip== root-tail
lma-init PApp Suxus
LibLZF ISO tables Xcb
speedstep Deliantra MORPG

Last change: 2008-08-04

NEWS: Version 0.2.0 has been released, which includes a new mode to crack cp-mask'ed images.



Hi, this is the start of a my fcrackzip page ;) fcrackzip is a zip password cracker, similar to fzc, zipcrack and others.

Why, the hell, another zip cracker?

Naturally, programs are born out of an actual need. The situation with fcrackzip was no different... I'm not using zip very much, but recently I needed a password cracker. "Sure", I thought, "there are hundreds of them out there, I'll just gonna get one!". This wasn't so easy, in fact, none of the zipcrackers I found were able to find the passwords, either they didn't accept more than one zipfile, were awfully slow, or didn't do brute force attacks (which I needed). The worst thing was: no source!.

Why is no source! such a bad thing?

[insert big chapter about the free software spirit here ;)], anyway people will never learn... You will find reasons why it's much better to provide source to your programs here, at, and here, at the Free Software Foundation.

Now, what are the features of fcrackzip?

Caveat, Imperator!

Naturally, there are also some drawbacks. At the moment, fcrackzip is a bit slower than necessary, and lacks some important (or nice) features, like automatic unzip-testing and others. On the other hand, fcrackzip-0.0.1 was hacked together in under ten hours, and you can always modify the source (and send me patches!!!) (I hope I've made it clear now ;)


You can always download the latest version here, nowhere else. Source: Windows binary of 0.3, compiled under cygwin. Possibly requires msvcrt.dll and/or cygwin.dll (compiled by John Stroy):

Also, if you have any remarks, questions, patches, code, bug reports, don't hesitate to send me mail. You can reach me as

Mailing List

There is a mailinglist for general discussion, support and development of fcrackzip. You can subscribe in the usual way by sending a mail to and putting the single line:


in the subject or the body.


Here's the current NEWS file from my harddisk:
	- do not crash when user passes a password that is too long (based on
          a patch by Macarse).
        - fix an evaluation ordering problem in fgetu* in crack.c

version 1.0  Mon Aug  4 08:24:40 CEST 2008
	- fix a segfault when the zip cannot be opened, patch by Peter Kortschack.
        - make use_unzip unstatic.
        - update to current autoconf/automake.

version 0.3  Sun Jan 18 23:35:22 CET 2004
	- many compatibility enhancements and bugfixes suggested
          by Robert Meszaros.
        - various small bugfixes noted by Jeff LaMarche and Max Alekseyev.
        - updated to current gcc, autoconf, automake.
        - added a TARGET_CPU=0 mode, for the C-only version.

version 0.2.4
	- fixed -v mode for zip cracking and a few minor nits.

version 0.2.3
	- improved speed of assembly version ever so slightly. More unrolling
          might result in even better speed on ppro and above(!).
	- fixed a compiler compaitiblity problem with newer versions of gcc. Always
          try the --validate option with the method you want to use before you
          trust fcrackzip!
	- --help now displays the method number in addition to the name.
        - applied short options fix from Tomislav Greguric
        - fcrackzip now detects extended header format files, treating them
          corerctly instead of silently not finding any passwords.
        - first try at a dictionary mode. not fast, but working.

version 0.2.2
	- portability fixes.
        - improved cpmask cracking by 16-20% by implementing the
          simple&effective ideas of Tim Jones <>.
        - applied slightly modified patch by

version 0.2.1
	- verbose mode for cpmask, fixed verbose mode for zipcrack.
        - default method is now respected.
        - great (but non-algorithmic) speedup for cpmask.

version 0.2.0
	- portability fixes
        - cpmask support (!).

version 0.1.3
	- portability fixes

version 0.1.2
	- fixed the --init-password option
	- added zipinfo program

version 0.1.1
	- fixed small configure bug
	- fixed --length option to accept a single number

version 0.1
	- implemented multiple methods
	- accept more types of zipfiles
	- new --length option for easier searching
	- new --method option to choose cracking method at runtime

version 0.0.5  Wed Aug 12 22:27:44 CEST 1998
	- removed USE_LARGE_MTAB. nobody has such a good memory system
	- more configuration cleanup
	- max. number of chars/password now 40
	- fixed a bug with pentium assembly (reported by Pavel Semjanov)

version 0.0.4  Sat Jul 25 03:53:12 CEST 1998
	- configure now detects more features itself
	- increased the speed on ppro by ~60%, pentium code unchanged
	- removed SYNTHETIC_MULTIPLY support. the next thing to drop
	- added --use-unzip option.
	- added more useful help.

version 0.0.3
	- many bugfixes
	- added primitive unzip-checking

version 0.0.2
	- now we are a bit faster than fzc (about 4%)
	  wasn't difficult, though. (this is on a non-MMX pentium!)
	- benchmarking works (more) reliably
	- some bugfixes

version 0.0.1
	- added autoconf && automake


To alleviate the need for further documentation (ha, what a joke!), a copy of the fcrackzip manpage is reproduced below.


Section: User Commands (1)
Updated: Free/Fast Zip Password Cracker


fcrackzip - a Free/Fast Zip Password Cracker  


fcrackzip [-bDBchVvplum2] [--brute-force] [--dictionary] [--benchmark] [--charset characterset] [--help] [--validate] [--verbose] [--init-password string/path] [--length min-max] [--use-unzip] [--method name] [--modulo r/m] file...  


fcrackzip searches each zipfile given for encrypted files and tries to guess the password. All files must be encrypted with the same password, the more files you provide, the better.  


-h, --help
Prints the version number and (hopefully) some helpful insights.
-v, --verbose
Each -v makes the program more verbose.
-b, --brute-force
Select brute force mode. This tries all possible combinations of the letters you specify.
-D, --dictionary
Select dictionary mode. In this mode, fcrackzip will read passwords from a file, which must contain one password per line and should be alphabetically sorted (e.g. using (1)).
-c, --charset characterset-specification
Select the characters to use in brute-force cracking. Must be one of

  a   include all lowercase characters [a-z]
  A   include all uppercase characters [A-Z]
  1   include the digits [0-9]
  !   include [!:$%&/()=?[]+*~#]
  :   the following characters upto the end of the spe-
      cification string are included in the character set.
      This way you can include any character except binary
      null (at least under unix).

For example, a1:$% selects lowercase characters, digits and the dollar and percent signs.

-p, --init-password string
Set initial (starting) password for brute-force searching to string, or use the file with the name string to supply passwords for dictionary searching.
-l, --length min[-max]
Use an initial password of length min, and check all passwords upto passwords of length max (including). You can omit the max parameter.
-u, --use-unzip
Try to decompress the first file by calling unzip with the guessed password. This weeds out false positives when not enough files have been given.
-m, --method name
Use method number "name" instead of the default cracking method. The switch --help will print a list of available methods. Use --benchmark to see which method does perform best on your machine. The name can also be the number of the method to use.
-2, --modulo r/m
Calculate only r/m of the password. Not yet supported.
-B, --benchmark
Make a small benchmark, the output is nearly meaningless.
-V, --validate
Make some basic checks wether the cracker works.


Have you ever mis-typed a password for unzip? Unzip reacted pretty fast with 'incorrect password', without decrypting the whole file. While the encryption algorithm used by zip is relatively secure, PK made cracking easy by providing hooks for very fast password-checking, directly in the zip file. Understanding these is crucial to zip password cracking:

For each password that is tried, the first twelve bytes of the file are decrypted. Depending on the version of zip used to encrypt the file (more on that later), the first ten or eleven bytes are random, followed by one or two bytes whose values are stored elsewhere in the zip file, i.e. are known beforehand. If these last bytes don't have the correct (known) value, the password is definitely wrong. If the bytes are correct, the password might be correct, but the only method to find out is to unzip the file and compare the uncompressed length and crc's.

Earlier versions of pkzip (1.xx) (and, incidentally, many zip clones for other operating systems!) stored two known bytes. Thus the error rate was roughly 1/2^16 = 0.01%. PKWARE 'improved' (interesting what industry calls improved) the security of their format by only including one byte, so the possibility of false passwords is now raised to 0.4%. Unfortunately, there is no real way to distinguish one byte from two byte formats, so we have to be conservative.  


By default, brute force starts at the given starting password, and successively tries all combinations until they are exhausted, printing all passwords that it detects, together with a rough correctness indicator.

The starting password given by the -p switch determines the length. fcrackzip will not currently increase the password length automatically, unless the -l switch is used.  


This mode is similar to brute force mode, but instead of generating passwords using a given set of characters and a length, the passwords will be read from a file that you have to specify using the -p switch.  


A CP mask is a method to obscure images or parts of images using a password. These obscured images can be restored even when saved as JPEG files. In most of these files the password is actually hidden and can be decoded easily (using one of the many available viewer and masking programs, e.g. xv). If you convert the image the password, however, is lost. The cpmask crack method can be used to brute-force these images. Instead of a zip file you supply the obscured part (and nothing else) of the image in the PPM-Image Format (xv and other viewers can easily do this).

The cpmask method can only cope with password composed of uppercase letters, so be sure to supply the --charset A or equivalent option, together with a suitable initialization password.  


fcrackzip -c a -p aaaaaa
checks the encrypted files in for all lowercase 6 character passwords (aaaaaa ... abaaba ... ghfgrg ... zzzzzz).
fcrackzip --method cpmask --charset A --init AAAA test.ppm
checks the obscured image test.ppm for all four character passwords. -TP fcrackzip -D -p passwords.txt check for every password listed in the file passwords.txt.


fzc, which seems to be widely used as a fast password cracker, claims to make 204570 checks per second on my machine (measured under plain dos w/o memory manager).

fcrackzip, being written in C and not in assembler, naturally is slower. Measured on a slightly loaded unix (same machine), it's 12 percent slower (the compiler used was pgcc, from

To remedy this a bit, I converted small parts of the encryption core to x86 assembler (it will still compile on non x86 machines), and now it's about 4-12 percent faster than fzc (again, the fcrackzip performance was measured under a multitasking os, so there are inevitably some meaurement errors), so there shouldn't be a tempting reason to switch to other programs.

Further improvements are definitely possible: fzc took 4 years to get into shape, while fcrackzip was hacked together in under 10 hours. And not to forget you have the source, while other programs (like fzc), even come as an encrypted .exe file (maybe because their programmers are afraid of other people could having a look at their lack of programming skills? nobody knows...)  


The reason I wrote fcrackzip was NOT to have the fastest zip cracker available, but to provide a portable, free (thus extensible), but still fast zip password cracker. I was really pissed of with that dumb, nonextendable zipcrackers that were either slow, were too limited, or wouldn't run in the background (say, under unix). (And you can't run them on your superfast 600Mhz Alpha).  


No automatic unzip checking.

Stop/resume facility is missing.

Should be able to distinguish between files with 16 bit stored CRC's and 8 bit stored CRC's.

The benchmark does not work on all systems.

It's still early alpha.

Method "cpmask" only accepts ppms.

Could be faster.  


fcrackzip was written by Marc Lehmann <>. The main fcrackzip page is at





Any questions/hints/critics? Contact the author of this page!