First off, I know very little about cryptography, as I am sure my post below makes clear. The short version is I presume I need to use the -o (offset) function of pkcrack, but I'm not sure how to work out what offset I need.
I have an old .wmv file (around 65MB) that I encrypted in a zip file about 11 years ago, and I'd like to access it. It's compressed/encrypted with ZipCrypto Deflate, according to 7Zip. There are no other files in that zip file, so I can't do a full plaintext attack. However, the pkcrack site (https://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack/pkcrack-readme.html) mentions that a partial plaintext can work. Using Notepad to look at other .wmv files created within a few days of the encrypted file, they seem to start with the following characters: 0&²uŽfϦ٠ª bÎl
However, when I save these characters in a .txt document (which I then change to .wmv - not sure if this is necessary or helpful) and compress into a zip, it doesn't use Deflate - it uses Store, presumably because the original file is only 23 bytes. If I've understood properly, this shouldn't work because both files have to be compressed with the same technique. I tried it anyway, and it a) doesn't work ("You must have chosen the wrong plaintext"), and b) takes about 6 hours.
So I am now trying some plaintext from further in my other .wmvs, which matches across several other files. This can be compressed with Deflate, and it only takes about 15 minutes to run pkcrack, but I still get the "You must have chosen the wrong plaintext" message.
The new plaintext begins on column 123 of the .wmv file when opened in Notepad. Using an offset of 123 with the command ./pkcrack -C encrypted.zip -c encrypted.wmv -P plaintext123.zip -p plaintext123.wmv -d decrypted.wmv -a -o 123 doesn't work.
And so my question, finally, is how do I find out what the offset should be? Thanks in advance for any help you can offer.
