Brute Forcing RAR Archives Encrypted with the "-hp" Option

Today I am finally doing an official release of unrarhp, a Unix command line proof-of-concept brute forcer to recover the passwords of RAR archives encrypted with the RAR 3.x "-hp" option. As far as I know this is the only RAR "-hp" brute forcer that is open source and free. I wrote this cracker back in 2004 for a computer security contest organized at the Epitech French computer science school. I had to study the source code of the Unix version of "unrar", because at the time, the format of encrypted archives was not documented (not sure if it is today). There are 2 different ways to encrypt a RAR archive; the rar CLI tool exposes them through 2 options:

  • -p option, which encrypts only the content of the files in the archive, while file metadata (filenames...) is not encrypted
  • -hp option, which encrypts the internal block headers that contain file metadata, as well as the content of the files

I have never looked at the -p encryption; unrarhp works against archives encrypted with -hp only, but the 2 encryption mechanisms are definitely based on the same concepts. When encrypting a RAR archive with "-hp", a random 64-bit salt is generated by RAR, the UCS-2 encoded password is concatenated to the salt, and the salt-password pair is hashed with 262144 rounds of a function based on SHA-1, which eventually outputs a 128-bit IV and a 128-bit key used to AES-encrypt data blocks in ECB mode.

As a side remark, note that the fact that AES is used in ECB mode, and the fact that the same salt is reused for each file in the archive are serious cryptographic mistakes. This may open some yet undiscovered attack paths...

Unrarhp verifies passwords by using a trick that I am not sure any other RAR brute forcer uses: encrypted RAR archives seem to always contain an "end-of-archive" block that is the constant 7-byte plaintext blob "c4 3d 7b 00 40 07 00", so unrarhp simply compares the decrypted data with this known plaintext. The code is completely unoptimized and re-uses the SHA-1 and AES implementation of RAR, but it works. I first posted the code on the BarsWF forum to help others, and I believe IvanG (author of rargpu) wrote his brute forcer with the help of my code.
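As an added example (not the unrarhp code, and not from the post), here is the key derivation and the known-plaintext check described above written in Go, which makes visible where the per-guess cost of the 262144 rounds comes from. The round structure of the KDF is my reading of the unrar 3.x SetCryptKeys routine and is an assumption, the single-block ECB comparison follows the post's description, and the salt, password and zero padding are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/sha1"
	"encoding/binary"
	"unicode/utf16"
)

const rounds = 0x40000 // the 262144 SHA-1 rounds the post mentions
// End-of-archive header quoted in the post, zero-padded to one AES block (the padding is constructed).
var endBlock = append([]byte{0xc4, 0x3d, 0x7b, 0x00, 0x40, 0x07, 0x00}, make([]byte, 9)...)

// rar3Keys derives the 128-bit AES key and IV from a password and 8-byte salt. The round
// structure is my reading of unrar 3.x SetCryptKeys (an assumption, not stated in the post).
func rar3Keys(password string, salt []byte) (key, iv []byte) {
	var raw []byte
	for _, u := range utf16.Encode([]rune(password)) {
		raw = append(raw, byte(u), byte(u>>8)) // UCS-2, little-endian
	}
	raw = append(raw, salt...) // password first, then the 8-byte salt
	h, iv := sha1.New(), make([]byte, 16)
	for i := 0; i < rounds; i++ {
		h.Write(raw)
		h.Write([]byte{byte(i), byte(i >> 8), byte(i >> 16)}) // 24-bit round counter
		if i%(rounds/16) == 0 {
			iv[i/(rounds/16)] = h.Sum(nil)[19] // one IV byte per 16384 rounds
		}
	}
	d, key := h.Sum(nil), make([]byte, 16)
	for w := 0; w < 4; w++ { // each 32-bit digest word is stored little-endian
		binary.LittleEndian.PutUint32(key[w*4:], binary.BigEndian.Uint32(d[w*4:]))
	}
	return key, iv
}

// expectedTail encrypts the known end-of-archive block under the password's key (single-block
// ECB, as the post describes); it builds the constructed sample and also serves the check below.
func expectedTail(password string, salt []byte) []byte {
	key, _ := rar3Keys(password, salt)
	c, _ := aes.NewCipher(key) // a 16-byte key never fails here
	out := make([]byte, 16)
	c.Encrypt(out, endBlock)
	return out
}

// checkCandidate is unrarhp's test turned around: the candidate is right iff the known plaintext encrypts to the archive's last block.
func checkCandidate(candidate string, salt, lastBlock []byte) bool {
	return string(expectedTail(candidate, salt)) == string(lastBlock)
}
```

Every call to checkCandidate pays the full 262144-round derivation, which is what keeps a dictionary run slow on the CPU and why GPU ports like rargpu were worth writing.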

For more information and how to use the brute forcer, see the README file in the unrarhp tarball.

mrb, Tuesday 01 June 2010 at 11:09 pm

One comment

guejoiggeks

Hey There
I’m an IT engineer, 33, and fan of 3d technology, nothing more to say, just thanks for this website !

guejoiggeks - 17-08-'10 12:40