Hi Caolan

> the original encrypted table stream is the file en.01, and the
> semi-decrypted file is the generated file "after". I wonder is there a
> standard mechanism that is used with rc4 to tweak the key after 512
> bytes ?

Ok, I have a few theories about this.

My first theory is that RC4 is rekeyed (ie, the keysetup routine is run once again) every 512 bytes.

My second theory is that Word runs RC4 for a fixed number of steps but discards the output instead of encrypting with it. To test this, save about 2000 bytes of RC4 output from your program to a file, then obtain the actual RC4 keystream by XOR'ing the plaintext and ciphertext together. Finally, check to see whether the actual keystream appears in the RC4 output file and if it does, you'll know the offset and hence, how many bytes to discard in your program.

RC4 has a statistical weak key problem whereby the first few keystream bytes generated immediately after keying may be unsafe to use, so RSA Data Security (which licenses RC4) recommend that the first hundred bytes be discarded. I think this fact supports my second theory. I didn't have a proper look at the source code, so I couldn't tell if Microsoft were doing this (I presume they were) and how many bytes are discarded.

One observation I made when I was doing my black-box analysis was that if the same document is encrypted on different occasions then the ciphertext is different each time. There are a couple of conclusions which could be drawn from this (I can only remember one right now -- that the RC4 key is 'salted'), but your source code might help explain that phenomenon.

The strength of the encryption is only 40 bits, but the RC4 cipher uses a 128-bit key. So, for instance, Word chooses 40 bits at random and generates the other 128-40=88 bits from known sources (they might be fixed bits, or appear in the document itself in the clear -- for 'salting'). Or perhaps it just picks 40 random bits and then hashes them to a 128-bit key. Your source code might explain this too. Simply put, there are only 2^40 possible 128-bit RC4 keys that Word uses, so strictly speaking it uses 40-bit encryption even though it uses a 128-bit key.

Cheers
Fauzan
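The two tests Fauzan proposes, as an added example in Python that is not code from this thread or from Word: a small RC4, a toy encryptor for each theory (rekey every 512 bytes, or discard a fixed run of keystream), and the checks that tell them apart. The key, plaintext and DROP count are constructed stand-ins, not values from en.01.

```python
# Added example, not from the thread. Key, plaintext and DROP are constructed
# stand-ins for illustration, not values recovered from Word or from en.01.

def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling: permute S under the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of raw RC4 keystream for key, nothing discarded."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Plaintext XOR ciphertext recovers the keystream actually used."""
    return bytes(x ^ y for x, y in zip(a, b))

DROP = 256  # constructed: leading keystream bytes the toy application skips

def toy_encrypt_drop(key: bytes, plaintext: bytes) -> bytes:
    """Theory 2: run RC4 DROP steps, throw that output away, then encrypt."""
    ks = rc4_keystream(key, DROP + len(plaintext))[DROP:]
    return xor_bytes(plaintext, ks)

def toy_encrypt_rekey(key: bytes, plaintext: bytes, period: int = 512) -> bytes:
    """Theory 1: rerun the key setup at the start of every period-byte block."""
    out = bytearray()
    for off in range(0, len(plaintext), period):
        block = plaintext[off:off + period]
        out += xor_bytes(block, rc4_keystream(key, len(block)))
    return bytes(out)

def discard_offset(key: bytes, observed: bytes, window: int = 2000) -> int:
    """Where the observed keystream sits in raw RC4 output, or -1 if nowhere."""
    return rc4_keystream(key, window).find(observed)

def looks_rekeyed(observed: bytes, period: int = 512) -> bool:
    """Rekeying with an unchanged key repeats the keystream every period bytes."""
    return len(observed) >= 2 * period and observed[:period] == observed[period:2 * period]
```

With a real stream, replace the toy encryptors with the plaintext/ciphertext pair from the document and run the same two checks on their XOR.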