[john-users] rar2john problem with old DOS rars
Jeroen
2014-11-30 23:03:59 UTC
Hi,

I found some ancient backups from the DOS era. The data is stored in a
password protected RAR, probably RAR 2.x or maybe even 1.x. rar2john doesn't
seem to understand this format:

***@test:/tmp$ /opt/JohnTheRipper/run/rar2john OLDMODS.RAR
! OLDMODS.RAR: Not recognising any more headers.
Did not find a valid encrypted candidate in OLDMODS.RAR

JtR is the latest and greatest magnumripper version. Any clues about
what's going on? Thanks!

Cheers,

Jeroen
Xt Xt
2014-12-01 01:12:11 UTC
Is the file too sensitive to provide a copy of so we can play around with
it? If not, post a link.

Thanks,

xt
Post by Jeroen
Hi,
I found some ancient backups from the DOS era. The data is stored in a
password protected RAR, probably RAR 2.x or maybe even 1.x. rar2john doesn't
! OLDMODS.RAR: Not recognising any more headers.
Did not find a valid encrypted candidate in OLDMODS.RAR
JtR is the latest and greatest magnumripper version. Any clues about
what's going on? Thanks!
Cheers,
Jeroen
Jeroen
2014-12-01 07:58:38 UTC
Post by Xt Xt
Is the file too sensitive to provide a copy of so we can play around with
it? If not, post a link.
Hi xt,

Just some old music modules ;) See <https://www.wetransfer.com/downloads/8342252bd47a2c2041b5cc4f1eb3b13320141201075528/e0c3b039090967543e387d7dd799b6ba20141201075528/9b875e> for an example.

cheers,

Jeroen
j***@cox.net
2014-12-01 14:38:45 UTC
This rar file has a comment header that current rar2john is not handling, thus it gets lost.

I put in a little code to handle that comment header, but it still needs to be made generic, and got this hash:

TEST.RAR:$RAR3$*1*0000000000000000*6884a9d7*2670064*5361791*0*./TEST.RAR*490*35:1::538MIX.XM

I am pretty sure that is the correct hash. The current rar2john pretty much only handles file headers. Anything more than that, and the program does not handle them. I am not sure how large a change this is to get rar2john to work for any rar file, but it may not be trivial.
Post by Jeroen
Post by Xt Xt
Is the file too sensitive to provide a copy of so we can play around with
it? If not, post a link.
Hi xt,
Just some old music modules ;) See <https://www.wetransfer.com/downloads/8342252bd47a2c2041b5cc4f1eb3b13320141201075528/e0c3b039090967543e387d7dd799b6ba20141201075528/9b875e> for an example.
Jeroen
2014-12-01 19:31:44 UTC
Post by j***@cox.net
This rar file has a comment header that current rar2john is not handling,
thus it gets lost.
I put in a little code to handle that comment header, but it still needs
TEST.RAR:$RAR3$*1*0000000000000000*6884a9d7*2670064*5361791*0*./TEST.RAR*490*35:1::538MIX.XM
I am pretty sure that is the correct hash.
Thanks, I'll start a cracking session to (hopefully) verify.
Post by j***@cox.net
The current rar2john pretty much only handles file headers. Anything more
than that, and the program does not handle them. I am not sure how large
a change this is to get rar2john to work for any rar file, but it may not
be trivial.
Is it possible to commit the code update you did now (--experimental-commentheader or something like that) so I can also use it on other files? Thanks!

Cheers,

Jeroen
jfoug
2014-12-01 20:01:22 UTC
Post by Jeroen
Is it possible to commit the code update you did now (--experimental-commentheader or something like that) so I can also use it on other files? Thanks!
I believe I have found a 'simple' way to handle these. It still does not handle all possible types of rar files (I bet files with paths and other stuff will fail). BUT I think it is a trivial fix that can get us past this issue, until we get a full parser for all 'header' types that can be in a rar file, so that the tool can properly walk the headers, looking for the right data.

Jim.
jfoug
2014-12-01 20:24:45 UTC
I have pushed this to the main jumbo git repo. It should be a 'safe' change. The original code simply read 13 bytes for the main archive header. The change still does that BUT it now looks at the 'header size' short integer contained within this header. If that value is larger than 13, then it simply moves the file read pointer ahead that many bytes to skip this. It appears that the main file archive header is only larger than 13 bytes IF there is a file comment header following those 13 bytes. But if that is the case, then the header size within the main archive header will be > 13 bytes, exactly large enough to skip past this file comment header.

The code is currently in the bleeding jumbo git repo ( git://github.com/magnumripper/JohnTheRipper -b bleeding-jumbo )

Please have a look, and report back if this gets the hashes for all these older files you have.

-----Original Message-----
From: Jeroen [mailto:***@marsman.net]
Sent: Monday, December 01, 2014 13:32
...
Is it possible to commit the code update you did now (--experimental-commentheader or something like that) so I can also use it on other files? Thanks!
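The header walking described in the two posts above (step by the HEAD_SIZE each block declares instead of assuming a fixed 13-byte main header, which is also the "full parser for all header types" Jim mentions), generalized to every block type of the RAR 2.9/3.x layout. This is an added example in Python, not rar2john's C code and not from the thread. The archive bytes are constructed inside the block (a main header with an embedded old-style comment block, then two password-protected file entries, one with and one without the optional salt field); the block-layout constants are from the published RAR 2.9 format, the cp437 name decoding is an assumption, and the "packed data" is filler, not real encrypted output.

```python
"""Walk RAR 2.x/3.x block headers generically instead of assuming a 13-byte
main header. Added example, not John the Ripper's rar2john. Sample archive is
constructed below; its encrypted data is filler."""
import struct
import zlib

MARKER = b"Rar!\x1a\x07\x00"   # 7-byte marker block: CRC 0x6152, type 0x72, flags 0x1a21, size 7
MARK_HEAD, MAIN_HEAD, FILE_HEAD, CMT_HEAD = 0x72, 0x73, 0x74, 0x75
LONG_BLOCK = 0x8000      # HEAD_FLAGS bit: 4-byte ADD_SIZE follows the 7-byte base header
MHD_COMMENT = 0x0002     # main header: old-style comment block follows, inside HEAD_SIZE
MHD_PASSWORD = 0x0080    # main header: block headers themselves are encrypted (-hp)
LHD_PASSWORD = 0x0004    # file header: file data is encrypted (-p)
LHD_LARGE = 0x0100       # file header: HIGH_PACK_SIZE / HIGH_UNP_SIZE present
LHD_SALT = 0x0400        # file header: 8-byte salt follows the file name


def walk_blocks(data):
    """Yield (offset, head_type, flags, head_size, add_size) for every block.

    Next block = offset + HEAD_SIZE + ADD_SIZE. That single rule covers the case
    from the thread: a main header with a trailing comment block declares
    HEAD_SIZE > 13, so stepping by HEAD_SIZE skips the comment automatically.
    """
    if data[:7] != MARKER:
        raise ValueError("not a RAR 2.x/3.x archive (bad marker block)")
    pos = 0
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if hsize < 7 or pos + hsize + add_size > len(data):
            raise ValueError(f"corrupt or truncated block at offset {pos}")
        yield pos, htype, flags, hsize, add_size
        pos += hsize + add_size


def main_header_size(data):
    """HEAD_SIZE of the main archive header: 13 without a comment, larger with one."""
    for _pos, htype, _flags, hsize, _add in walk_blocks(data):
        if htype == MAIN_HEAD:
            return hsize
    raise ValueError("no main archive header")


def parse_file_header(data, pos):
    """Decode a FILE_HEAD block; HEAD_CRC is CRC32 of HEAD_TYPE..end of header, low 16 bits."""
    head_crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
    if htype != FILE_HEAD:
        raise ValueError(f"block at {pos} is type {htype:#x}, not a file header")
    if zlib.crc32(data[pos + 2:pos + hsize]) & 0xFFFF != head_crc:
        raise ValueError(f"file header CRC mismatch at offset {pos}")
    (pack_size, unp_size, _host_os, file_crc, _ftime,
     unp_ver, method, name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
    off = pos + 7 + 25
    if flags & LHD_LARGE:
        high_pack, high_unp = struct.unpack_from("<II", data, off)
        pack_size |= high_pack << 32
        unp_size |= high_unp << 32
        off += 8
    name = data[off:off + name_size]
    off += name_size
    salt = data[off:off + 8] if flags & LHD_SALT else None
    return {
        "name": name.decode("cp437", "replace"),  # DOS OEM code page assumed for old names
        "pack_size": pack_size, "unp_size": unp_size, "method": method,
        "unp_ver": unp_ver, "file_crc": file_crc,
        "encrypted": bool(flags & LHD_PASSWORD), "salt": salt,
        "data_offset": pos + hsize,               # packed (encrypted) bytes start here
    }


def find_encrypted_files(data):
    """Return parsed headers of every password-protected file, in archive order."""
    found = []
    for pos, htype, flags, _hsize, _add in walk_blocks(data):
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            raise ValueError("headers are encrypted (-hp); file headers cannot be walked")
        if htype == FILE_HEAD:
            fh = parse_file_header(data, pos)
            if fh["encrypted"]:
                found.append(fh)
    return found


def _block(htype, flags, body):
    """Sample-building helper: base header + body, HEAD_CRC computed over type..end."""
    head = struct.pack("<BHH", htype, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(head) & 0xFFFF) + head


def build_sample_archive():
    """Constructed archive: main header with embedded comment, then two encrypted files."""
    comment = b"old DOS module collection"
    # comment block: UNP_SIZE, UNP_VER, METHOD (0x30 = stored), COMM_CRC (not computed here)
    cmt = _block(CMT_HEAD, 0, struct.pack("<HBBH", len(comment), 20, 0x30, 0) + comment)
    main = _block(MAIN_HEAD, MHD_COMMENT, struct.pack("<HI", 0, 0) + cmt)  # HEAD_SIZE = 13 + len(cmt)
    out = MARKER + main
    for name, packed, salt in ((b"538MIX.XM", b"\xaa" * 32, None),
                               (b"INTRO.MOD", b"\x55" * 16, bytes(range(8)))):
        flags = LONG_BLOCK | LHD_PASSWORD | (LHD_SALT if salt else 0)
        body = struct.pack("<IIBIIBBHI", len(packed), 3 * len(packed), 0,
                           zlib.crc32(packed), 0, 29, 0x35, len(name), 0x20)
        out += _block(FILE_HEAD, flags, body + name + (salt or b"")) + packed
    return out


if __name__ == "__main__":
    archive = build_sample_archive()
    print("main header size:", main_header_size(archive))
    for fh in find_encrypted_files(archive):
        print(fh["name"], "packed", fh["pack_size"], "salt", fh["salt"].hex() if fh["salt"] else "none")
```

Reading a fixed 13 bytes would leave the read pointer inside the comment block here (the main header declares 51 bytes, 13 plus a 38-byte comment block), which is exactly the "Not recognising any more headers" failure from the first post; stepping by HEAD_SIZE plus ADD_SIZE lands on the first file header regardless of which optional blocks precede it. The CRC check on file headers is what tells a corrupt or mis-parsed header apart from a legitimate one before its fields are turned into a hash line.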