Date: Wed, 13 Feb 2013 16:18:19 +0000 From: Nicolas Brulez <nicolas.Brulez@...persky.com> To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com> Subject: RE: RAR Cracking with JtR Jumbo (Files found during forensics) Yes, everything is encrypted. RAR SFX are just a template for unraring the files. At the end of the PE file, outside of the image (in overlay), you have the full RAR archive. Basically, all you need to do, is to look for the magic "52 61 72 21" ("Rar!") and extract it from here till EOF. You can either use pattern, or you just parse the PE header, get the last section physical address, add its physical size, and you will get an offset to the actual archive from where you can extract. You get a RAR archive, that opens in Winrar, you get the password prompt, and rar2john worked nicely on them. This method was tested on a RAR SFX created in the same condition. with a password. The extracted rar works and the password as well. Let me know if you need further information. Nico -- Best regards, Nicolas Brulez | Malware Expert - Global Research and Analysis Team | Kaspersky Lab -----Message d'origine----- De : Dhiru Kholia [mailto:dhiru.kholia@...il.com] Envoyé : mercredi 13 février 2013 17:04 À : john-users@...ts.openwall.com Objet : Re: [john-users] RAR Cracking with JtR Jumbo (Files found during forensics) On Wed, Feb 13, 2013 at 9:16 PM, Nicolas Brulez <nicolas.Brulez@...persky.com> wrote: > This is what i got from rar2john: > > $rar3$*0*deaac5fe718c2eb0*ca36e398cc9ea2c54cfd92d378a84fe7 > $rar3$*0*97c9bc9cbc1e00ac*92d09807b3932d3d9ad4fbb80a06c29e > $rar3$*0*7d1ac6125f295a5a*c48559081a762e1a6db410e21e786881 RAR files corresponding to these hashes were generated using "rar -hp ..." command which means that even the filenames are encrypted. Even WinRAR cannot strip the SFX module from such RAR SFX files. Can you share your method / steps for extracting the actual RAR archive from a WinRAR SFX file in more detail? -- Dhiru
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.