Date: Wed, 16 Oct 2019 21:14:25 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: Reply: cannot get rar hash

On 2019-10-07 13:00, 王之叹息 wrote:
> Hi, magnum
> I can share it with you, what should I do now.
> Besides, I'm very glad if you are interested in cracking the archive.
> I've tried a month on all possible mask crack mode and failed.
> In brute force mode, it will take me 150 years at least based on rtx2070.

I got the file you sent me and I have some bad news. Here's the end of a
hexdump of your archive:

0bb00000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0bb74550  00 00 00 00                                       |....|

In case you're not familiar with hexdump, that's compressed output of
**465KB of zeros** :(

My guess is this was caused by some broken storage at some point in
time, or perhaps after pulling out a USB stick too early, who knows.
I'm pretty sure you can stop that ARPR session as well, because it can't
ever find any password.

Because of the way this file is encrypted (rar -hp) we can't know what
the size *should* be. It's theoretically possible that all these nulls
are appended to the full correct data and should just be stripped away
but the fact it's starting at an even block boundary speaks vividly
against it.

So your only bet is to find more copies of that file, if possible. Old
backups, old external disks, old USB sticks, anything you can find? If
you do find more copies of it, run md5sum or shasum on them and see if
they're all the same or not (btw you should start simply comparing their
sizes!).

PS. The fact we do have 187MB (compressed, mind you) of possibly good
data before the truncation means we could add code to try and crack it
based on early rejection, huffman/PPM checks and entropy measure of
decrypted data instead of the known trailing plaintext. That way you
*might* be able to salvage parts of the archive. I'll give that some
thought and possibly follow up off-list.

Good luck,
magnum

> ------------------ Original Message ------------------
> From: "magnum"<john.magnum@...hmail.com>;
> Sent: October 7, 2019 (Monday) 2:24 AM
> To: "john-users"<john-users@...ts.openwall.com>;
>
> Subject: Re: [john-users] cannot get rar hash
>
> On 2019-09-30 17:44, 王之叹息 wrote:
>> Hi,
>> After I input "unrar vt hjjmeee.rar" in cmd line, it asked me to input the archive's password which I forgot.
>> And the archive looks like RAR 4, according to the output.
>
> I will probably have to see that particular archive to get a clue about
> what is wrong. If you can somehow share it with me privately, that's a
> good next step (provided you trust me - but I do have a 10-year history
> of not abusing things like that).
>
> magnum
>
>> ------------------ Original Message ------------------
>> From: "magnum"<john.magnum@...hmail.com>;
>> Sent: September 30, 2019 (Monday) 2:27 PM
>> To: "john-users"<john-users@...ts.openwall.com>;
>>
>> Subject: Re: [john-users] cannot get rar hash
>>
>> One thing that might help us would be showing the output of "unrar vt
>> hjjmeee.rar" provided you have or are able to install the "unrar"
>> command-line utility. In case even file names within the archive are
>> sensitive, you could obfuscate them - we're only interested in the
>> technical meta-data.
>>
>> Output example:
>>
>>         Name: 2
>>         Type: File
>>         Size: 4
>>  Packed size: 16
>>        Ratio: 400%
>>        mtime: 2012-02-28 20:59:49,853355500
>>   Attributes: ..A....
>>        CRC32: D87F7E0C
>>      Host OS: Windows
>>  Compression: RAR 3.0(v29) -m3 -md=128K
>>        Flags: encrypted
>>
>> magnum
>>
>> On 2019-09-29 16:34, 王之叹息 wrote:
>>> Hi,
>>> I'm afraid it's very hard to create a test archive with the same problem.
>>> I don't have the winrar program which is from 3-6 years ago.
>>> And I'm not sure the archive is rar3-hp type or earlier.
>>>
>>> ------------------ Original ------------------
>>> From: "Solar Designer"<solar@...nwall.com>;
>>> Date: Sun, Sep 29, 2019 09:17 PM
>>> To: "john-users"<john-users@...ts.openwall.com>;
>>>
>>> Subject: Re: [john-users] cannot get rar hash
>>>
>>> On Sun, Sep 29, 2019 at 08:13:29PM +0800, ???????? wrote:
>>>> It's an archive I created 3-6 years ago which I forgot my password, not a test file.
>>>
>>> Sure. I'm asking you to create a test archive and try to reproduce the
>>> problem with it. Then share that test archive with the user community.
>>>
>>>> It's a little sensitive that I can share it with you?╦onh?? but not other john users such as crackers.
>>>> How can I share the archive with you, by sharing onedrive link on the reply email?
>>>
>>> Please don't. Please try the test archive approach first.
>>>
>>> Alexander
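
Added example (not part of the thread and not John the Ripper code): a Python sketch of the two checks described in the top message, measuring the run of zero bytes at the end of a file together with the alignment of the offset where it starts, and grouping candidate copies by size and hash. Function names are hypothetical, and SHA-256 is used here in place of the md5sum/shasum commands mentioned.

```python
# Added illustration; function names are hypothetical, not from any tool.
import hashlib
import os
from collections import defaultdict

CHUNK = 1 << 20  # read 1 MiB at a time


def trailing_zero_run(path):
    """Return (start_offset, length) of the run of 0x00 bytes ending at EOF."""
    size = os.path.getsize(path)
    pos = size
    with open(path, "rb") as f:
        while pos > 0:  # walk backwards from the end of the file
            step = min(CHUNK, pos)
            f.seek(pos - step)
            stripped = f.read(step).rstrip(b"\x00")
            if stripped:  # this chunk holds the last non-zero byte
                start = pos - step + len(stripped)
                return start, size - start
            pos -= step
    return 0, size  # empty file, or nothing but zeros


def largest_alignment(offset, limit=1 << 30):
    """Largest power of two (capped at limit) that divides offset."""
    if offset == 0:
        return limit
    return min(offset & -offset, limit)


def group_copies(paths):
    """Group copies by (size, SHA-256); a single group means all are identical."""
    groups = defaultdict(list)
    for p in paths:
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                h.update(block)
        groups[(os.path.getsize(p), h.hexdigest())].append(p)
    return dict(groups)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        start, length = trailing_zero_run(p)
        print(f"{p}: {length} zero bytes from {start:#x}, "
              f"start aligned to {largest_alignment(start)} bytes")
    for (size, digest), names in group_copies(sys.argv[1:]).items():
        print(size, digest[:16], names)
```

For an offset of 0x0bb00000, the address on the first hexdump line above, largest_alignment returns 1 MiB. A copy whose zero run is shorter or absent, or whose size differs, is the one worth keeping.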