Luis Santana
2013-06-13 17:59:53 UTC
Hey, trying to run rar2john on an OSX system but getting the following output:
! -hp mode entry found in 1.rar
1.rar:$RAR3$*0*0000000000000000*00000000000000000000000000000000:0::::1.rar
The "file" command gives the following:
1.rar: RAR archive data, v0, os: MS-DOS
And the header of the archive is the following:
[13:58:25 connection-gX9wj2J3iEGE+***@public.gmane.org:~/john]$ hexdump -C 1.rar |head
00000000 52 61 72 21 1a 07 00 ce 99 73 80 00 0d 00 00 00 |Rar!.....s......|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000060 00 00 00 00 00 00 00 00 00 00 00 00 cc 0b 7d 38 |..............}8|
00000070 34 9f 04 e8 57 e3 7b 70 f3 c7 76 7b b9 19 a9 07 |4...W.{p..v{....|
00000080 5b 72 6d eb c6 c5 59 05 51 ff c5 2f 04 ea b9 4a |[rm...Y.Q../...J|
00000090 b0 1f d1 c3 e5 b7 f5 6a b9 87 82 1b 19 de d8 3e |.......j.......>|
000000a0 11 9d 30 0a d9 66 18 45 6e 77 9d f9 4f 79 ea 1a |..0..f.Enw..Oy..|
000000b0 76 21 84 5a 18 4c 4d e4 48 88 58 3e ae 20 92 59 |v!.Z.LM.H.X>. .Y|
000000c0 74 a6 10 c5 f2 03 80 fa bc bc a2 05 21 77 c5 f1 |t...........!w..|
As this is a file that a client believes is being used to exfiltrate data from the network, I sadly cannot share the archive for debugging purposes but I hope someone has run into this issue in the past and can point me in the right direction.
I hope it's just an OSX issue and I can throw the rar into a Virtual Machine to solve this.
Luis Santana : Founder - HackTalk Security
http://hacktalk.net
hacktalk-***@public.gmane.org
HackTalk Security - Security From The Underground
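Added example, not part of the original post and not John the Ripper code: a small Python triage of the archive prefix shown in the hexdump, which decodes the main-header flags and shows that the zero-filled bytes after the header are what end up in the two hex fields of the rar2john line. Assumptions: the RAR 3.x layout (7-byte marker, then HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE, and with encrypted headers an 8-byte salt followed by encrypted data), and the hypothetical function name `parse_rar3_prefix`.

```python
import struct

RAR3_MARKER = bytes.fromhex("526172211a0700")   # "Rar!\x1a\x07\x00"
MAIN_HEAD = 0x73                                # HEAD_TYPE of the main archive header
MHD_PASSWORD = 0x0080                           # block headers encrypted (rar -hp)

# Constructed sample: offsets 0x00-0x2b of 1.rar, retyped from the hexdump in the
# post. The "*" line in that dump means the all-zero row at 0x10 repeats.
SAMPLE = bytes.fromhex(
    "526172211a0700" "ce99" "73" "8000" "0d00" "000000000000"
) + bytes(24)


def parse_rar3_prefix(buf):
    """Decode the marker and main header; report salt and first block if -hp."""
    if len(buf) < 14 or buf[:7] != RAR3_MARKER:
        raise ValueError("no RAR 3.x marker block")
    crc, head_type, flags, head_size = struct.unpack_from("<HBHH", buf, 7)
    if head_type != MAIN_HEAD:
        raise ValueError("first block is not a main archive header")
    info = {
        "head_crc": crc,
        "flags": flags,
        "head_size": head_size,
        "headers_encrypted": bool(flags & MHD_PASSWORD),
    }
    if info["headers_encrypted"]:
        off = 7 + head_size                      # salt follows the main header
        if len(buf) < off + 24:
            raise ValueError("truncated before salt and first encrypted block")
        salt, first = buf[off:off + 8], buf[off + 8:off + 24]
        # Same two fields that appear in the rar2john output line in the post.
        info["hash_field"] = "$RAR3$*0*%s*%s" % (salt.hex(), first.hex())
        # Assumption: a normally written -hp archive carries a random salt, so
        # all zeros here points at the file contents, not at the extraction tool.
        info["all_zero"] = salt == bytes(8) and first == bytes(16)
    return info


if __name__ == "__main__":
    for key, value in parse_rar3_prefix(SAMPLE).items():
        print(key, value)
```

Because the zeros are already present in the file at offsets 0x14 to 0x2b, running the same archive through the tool on another operating system would read the same bytes.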