Date: Wed, 13 Feb 2013 16:18:19 +0000
From: Nicolas Brulez <nicolas.Brulez@...persky.com>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: RE: RAR Cracking with JtR Jumbo (Files found during forensics)

Yes, everything is encrypted.

RAR SFX are just a template for unraring the files.
At the end of the PE file, outside of the image (in overlay), you have the full RAR archive.
Basically, all you need to do is look for the magic "52 61 72 21" ("Rar!") and extract from there till EOF.
You can either use pattern matching, or just parse the PE header, get the last section's physical address, add its physical size, and you
will get an offset to the actual archive from where you can extract.

You get a RAR archive that opens in WinRAR, you get the password prompt, and rar2john worked nicely on them.

This method was tested on a RAR SFX created under the same conditions, with a password.
The extracted RAR works, and the password as well.

Let me know if you need further information.

Nico

-- 
Best regards,

Nicolas Brulez | Malware Expert - Global Research and Analysis Team | Kaspersky Lab


-----Original Message-----
From: Dhiru Kholia [mailto:dhiru.kholia@...il.com]
Sent: Wednesday, 13 February 2013 17:04
To: john-users@...ts.openwall.com
Subject: Re: [john-users] RAR Cracking with JtR Jumbo (Files found during forensics)

On Wed, Feb 13, 2013 at 9:16 PM, Nicolas Brulez
<nicolas.Brulez@...persky.com> wrote:
> This is what i got from rar2john:
>
> $rar3$*0*deaac5fe718c2eb0*ca36e398cc9ea2c54cfd92d378a84fe7
> $rar3$*0*97c9bc9cbc1e00ac*92d09807b3932d3d9ad4fbb80a06c29e
> $rar3$*0*7d1ac6125f295a5a*c48559081a762e1a6db410e21e786881

RAR files corresponding to these hashes were generated using "rar -hp
..." command which means that even the filenames are encrypted.

Even WinRAR cannot strip the SFX module from such RAR SFX files.

Can you share your method / steps for extracting the actual RAR
archive from a WinRAR SFX file in more detail?

-- 
Dhiru
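The carving procedure Nicolas describes above (parse the PE section table to find where the image ends, or scan for the "Rar!" marker, then take everything from the marker to EOF), as an added Python example that is not part of the original thread or of WinRAR/rar2john. The sample SFX it builds is constructed inside the script and is not a real WinRAR stub; all function and variable names are mine. It also covers one thing worth checking before trusting a plain signature scan: the stub's own code can carry the marker bytes too (the sample models this), so the scan starts at the overlay offset computed from the section table rather than at byte 0.

```python
"""Carve the RAR archive out of a WinRAR-style SFX (PE) file via the overlay.

Added example, not from the list post. The two methods from the thread:
  1. parse the PE section table; everything past the last section's raw
     data is the overlay;
  2. scan for the RAR marker block "Rar!" (52 61 72 21).
The SFX built by build_sample_sfx() is constructed here and is not a real,
runnable executable.
"""
import struct
import sys

# Marker block prefix shared by RAR 3/4 ("Rar!\x1a\x07\x00") and RAR5
# ("Rar!\x1a\x07\x01\x00"); the thread only mentions the first four bytes.
RAR_MAGIC = b"Rar!\x1a\x07"


def overlay_offset(pe: bytes) -> int:
    """Return the file offset where the PE image ends and the overlay begins."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)      # SizeOfOptionalHeader
    section_table = coff + 20 + opt_size
    end = section_table + 40 * num_sections                    # at least past the headers
    for i in range(num_sections):
        hdr = section_table + 40 * i
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in a section header.
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        # Sections are normally in file order, but take the max instead of
        # trusting the last table entry blindly.
        end = max(end, ptr_raw + size_raw)
    return end


def find_rar(data: bytes, start: int = 0) -> int:
    """Offset of the first RAR marker at or after `start`, or -1 if absent."""
    return data.find(RAR_MAGIC, start)


def extract_rar(pe: bytes) -> bytes:
    """Locate the overlay, then the marker inside it, and return marker..EOF."""
    start = overlay_offset(pe)
    if start >= len(pe):
        raise ValueError("no overlay after the PE image (or truncated file)")
    off = find_rar(pe, start)
    if off < 0:
        raise ValueError("overlay present but no RAR marker found in it")
    return pe[off:]


# --- constructed sample for offline testing (not a real archive or stub) ---
SAMPLE_RAR = b"Rar!\x1a\x07\x00" + bytes(range(64))  # placeholder archive body


def build_sample_sfx(payload: bytes) -> bytes:
    """Build a minimal one-section PE skeleton with `payload` appended as overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\0" * opt_size
    raw_ptr, raw_size = 0x200, 0x200
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x100, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (raw_ptr - len(headers))
    # Stub "code": padding that also contains the marker bytes, as an unrar
    # stub comparing against the signature plausibly would.
    body = b"\x90" * 16 + RAR_MAGIC + b"\x00"
    body += b"\x90" * (raw_size - len(body))
    return headers + body + payload


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as out:
            out.write(extract_rar(data))
    else:
        sfx = build_sample_sfx(SAMPLE_RAR)
        print("overlay at", hex(overlay_offset(sfx)),
              "naive scan hits", hex(find_rar(sfx)),
              "carved OK:", extract_rar(sfx) == SAMPLE_RAR)
```

Run it as `python carve_sfx.py stub.exe out.rar` (script name assumed), then feed `out.rar` to rar2john as the thread describes. On the constructed sample the naive scan finds the marker at 0x210, inside the stub's code, while the section-table method puts the overlay at 0x400 and the carve returns the real payload.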
