Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 09 Mar 2015 20:42:57 +0300
From: Alexander Cherepanov <>
Subject: Re: Crack 7z format

On 2015-03-09 18:40, Kai Zhao wrote:
> 7z_fmt_plug.c:
> I want to test 7z format, here are what I think.
> 1. Use 7-zip to encrypt a file
> 2. How can I get the password file (like /ect/password and /etc/shadow)

In case of encrypted files (and in some other cases), you have to use 
2john tools bundled with john. For 7-Zip, it's

> 3. Is the password file like the format described as 7z_fmt_plug.c ?
>      "$7z$0$19$0$1122$8$d1f50227759415890000000000000000$1412385885$112$112
>       $5e5b8b734adf52a64c541a5a5369023d7cccb78bd910c0092535dfb013a5df84ac69
>       2c5311d2e7bbdc580f5b867f7b5dd43830f7b4f37e41c7277e228fb92a6dd854a3164
>       6ad117654182253706dae0c069d3f4ce46121d52b6f20741a0bb39fc61113ce14d22f
>       9184adafd6b5333fb1"

This a "hash" which embeds everything necessary for cracking. You can 
put it into a file and feed this file to john.

> 4. When I fuzzed a 7z-hash, how could I know the fuzzed hash is valid or
> not ?

I don't think there is a general simple way to do it, you have to look 
into the C code for the format. There are some hints though. It's quite 
common to separate parts of the "hash" with $, and the main part of this 
hash looks like hex.

 > By the valid() function ?

valid() function should ideally accept a hash if and only if it's valid. 
Large part of the task is to improve valid() functions.

> If a fuzzed 7z-hash passes valid() and takes a lot of time
> to crack, how should I
>      judge the fuzzed 7z-hash whether is a wrong format ?

It doesn't matter for now how much time it takes to be cracked, if it is 
cracked at all or if it is cracked incorrectly. That's all important 
questions but they are somewhat separate. Fuzzing (and the corresponding 
GSoC task) are aimed at ensuring that the hash is handled robustly in 
the process -- that all parts of the hash don't overflow any arrays, 
that all necessary variables are initialized etc.

Alexander Cherepanov

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ