During an information security audit I was working with a file from a regulating entity containing audit procedures. The file had several tables with form fields and was protected.
The "form fill" restriction was too limiting as I worked to record audit information in the document. The longer I worked the more frustrated I became. It would have been much more useful if I could “unprotect” the file. I had heard others talking about scripts that could be used to discover the password, but I didn’t have access to any password discovery applications.
I did remember that Word 2007 was using xml as the source code to format it’s documents. It made me wonder if there would be anything in the xml code that could be used to unprotect the file. I made a copy of the file, saved it as xml, and then opened it with WordPad to view the xml code. I searched until I found something about document protection. Here is what I found within the documentProtection command.
<w:documentProtection w:edit="forms" w:enforcement="1" w:cryptProviderType="rsaFull" w:cryptAlgorithmClass="hash" w:cryptAlgorithmType="typeAny" w:cryptAlgorithmSid="4" w:cryptSpinCount="50000" w:hash="D+Y7lSKVquz/6NisDVadZtFS31g=" w:salt="J6dnbwcKHV7Gn4bMQjXoUA=="/>
In the w:enforcement field I changed the "1" to "0". I saved the document. Then I opened my altered copy in Word and the document was intact, with proper formatting, but now it was unlocked.