This is an update for plugin plugin_biff.py.
Protected xls files (workbook protection, sheet protection) are protected with a password, but are not encrypted.
The password is hashed to a 16-bit hash called verifier, such a short hash gives ample opportunity for hash collisions.
I calculated passwords for all possible hash values (32768, or 0x8000) mostly with letters and digits, some with special characters (verifier table). This verifier table is not a rainbow table, because the table contains all possible hash values and a corresponding password.
If a verifier can not be cracked with a provided password list, the password will be taken from the verifier list.
Example: this spreadsheet has a sheet protected with password azeqsdwxc, which is not in the embedded password list (obtained from John The Ripper); thus the password from the verifier table is taken (bbbbhz):
Passwords azeqsdwxc and bbbbhz both hash to the same verifier value (0xd9b1), thus there is a hash collision, and both passwords can be used to unprotect the sheet.
oledump_V0_0_77.zip (http)Click to Open Code Editor