mrb's blog

Brute Forcing RAR Archives Encrypted with the "-⁠hp" Option

Keywords: attack bruteforcing cryptography

Today I am finally doing an official release of unrarhp, a Unix command line proof-of-concept brute forcer to recover the passwords of RAR archives encrypted with the RAR 3.x "-hp" option. As far as I know this is the only RAR "-hp" brute forcer that is open source and free. I wrote this cracker back in 2004 for a computer security contest organized at the Epitech french computer science school. I had to study the source code of the Unix version of "unrar", because at the time, the format of encrypted archives was not documented (not sure if it is today). There are 2 different ways to encrypt a RAR archive; the rar CLI tool exposes them through 2 options:

  • -p option, which encrypts only the content of the files in the archive, while file metadata (filenames...) are not encrypted
  • -hp option, which encrypts the internal block headers that contain file metadata, as well as the content of the files

I have never looked at the -p encryption, unrarhp works against archives encrypted with -hp only, but the 2 encryption mechanisms are definitely based on the same concepts. When encrypting a RAR archive with "-hp", a random 64-bit salt is generated by RAR, the UCS-2 encoded password is concatenated to the salt, the salt-password pair is hashed with 262144 rounds of a function based on SHA-1, which eventually outputs a 128-bit IV and 128-bit key used to AES-encrypt data blocks in ECB mode.

As a side remark, note that the fact that AES is used in ECB mode, and the fact that the same salt is reused for each file in the archive are serious cryptographic mistakes. This may open some yet undiscovered attack paths...

Unrarhp verifies passwords by using a trick that I am not sure any other RAR brute forcer uses: encrypted RAR archives seem to always contain an "end-of-archive" block that is the constant 7-byte plaintext blob "c4 3d 7b 00 40 07 00", so unrarhp simply compares the decrypted data with this known plaintext . The code is completely unoptimized and re-uses the SHA-1 and AES implementation of RAR, but it works. I first posted the code on the BarsWF forum to help others, and I believe IvanG (author of rargpu) wrote his brute forcer with the help of my code.

For more information and how to use the brute forcer, see the README file in the unrarhp tarball.

Comments

guejoiggeks wrote: Hey There
I'm an IT engineer, 33, and fan of 3d technology, nothing more to say, just thanks for this website !
17 Aug 2010 19:40 UTC

Joey Zang wrote: Hi, where can i find the encryption mechanism of "-hp" or "-p", thank you. 08 Jun 2016 09:56 UTC