Date: Sat, 19 Oct 2019 16:06:24 +0800
From: "王之叹息" <>
To: "john.magnum" <>
Subject: Re: cannot get rar hash

I usually pull out the USB after the safe removal prompt.
There is no identical archive to compare md5sum against, but I have another archive which includes the same file I need. So I will give up on the broken archive.
I have tried many online cracking websites; all failed.
I'm running it on hashcat now, really slowly.
Do you have any idea?

------------------ Original ------------------
From: "john.magnum"<>;
Date: Thu, Oct 17, 2019 03:14 AM
To: "john-users"<>;
Subject: Re: [john-users] Re: [john-users] cannot get rar hash

On 2019-10-07 13:00, 王之叹息 wrote:
> Hi, magnum
> I can share it with you, what should I do now?
> Besides, I'm very glad if you are interested in cracking the archive.
> I've tried for a month with all possible mask crack modes and failed.
> In brute-force mode, it will take me at least 150 years based on an RTX 2070.

I got the file you sent me and I have some bad news. Here's the end of a 
hexdump of your archive:

0bb00000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 
0bb74550  00 00 00 00                                       |....|

In case you're not familiar with hexdump, that's compressed output of 
**465KB of zeros** :(

My guess is this was caused by some broken storage at some point in 
time, or perhaps after pulling out a USB stick too early, who knows. 
I'm pretty sure you can stop that ARPR session as well, because it can't 
ever find any password.

Because of the way this file is encrypted (rar -hp) we can't know what 
the size *should* be. It's theoretically possible that all these nulls 
are appended to the full correct data and should just be stripped away 
but the fact it's starting at an even block boundary speaks vividly 
against it.

So your only bet is to find more copies of that file, if possible. Old 
backups, old external disks, old USB sticks, anything you can find? If 
you do find more copies of it, run md5sum or shasum on them and see if 
they're all the same or not (btw you should start simply comparing their 

PS. The fact we do have 187MB (compressed, mind you) of possibly good 
data before the truncation means we could add code to try and crack it 
based on early rejection, huffman/PPM checks and entropy measure of 
decrypted data instead of the known trailing plaintext. That way you 
*might* be able to salvage parts of the archive. I'll give that some 
thought and possibly follow up off-list.

Good luck,

> ------------------ Original ------------------
> From: "magnum"<>;
> Date: Mon, Oct 7, 2019 02:24 AM
> To: "john-users"<>;
> Subject: Re: [john-users] cannot get rar hash
> On 2019-09-30 17:44, 王之叹息 wrote:
>> Hi,
>> After I input "unrar vt hjjmeee.rar" on the command line, it asks me to input the archive's password, which I forgot.
>> And the archive looks like RAR 4, according to the output.
> I will probably have to see that particular archive to get a clue about
> what is wrong. If you can somehow share it with me privately, that's a
> good next step (provided you trust me - but I do have a 10-year history
> of not abusing things like that).
> magnum
>> ------------------ Original ------------------
>> From: "magnum"<>;
>> Date: Mon, Sep 30, 2019 02:27 PM
>> To: "john-users"<>;
>> Subject: Re: [john-users] cannot get rar hash
>> One thing that might help us would be showing the output of "unrar vt
>> hjjmeee.rar" provided you have or are able to install the "unrar"
>> command-line utility. In case even file names within the archive are
>> sensitive, you could obfuscate them - we're only interested in the
>> technical meta-data.
>> Output example:
>>            Name: 2
>>            Type: File
>>            Size: 4
>>     Packed size: 16
>>           Ratio: 400%
>>           mtime: 2012-02-28 20:59:49,853355500
>>      Attributes: ..A....
>>           CRC32: D87F7E0C
>>         Host OS: Windows
>>     Compression: RAR 3.0(v29) -m3 -md=128K
>>           Flags: encrypted
>> magnum
>> On 2019-09-29 16:34, 王之叹息 wrote:
>>> Hi,
>>> I'm afraid it's very hard to create a test archive with the same problem.
>>> I don't have the winrar program which is from 3-6 years ago.
>>> And I'm not sure the archive is rar3-hp type or earlier.
>>> ------------------ Original ------------------
>>> From: "Solar Designer"<>;
>>> Date: Sun, Sep 29, 2019 09:17 PM
>>> To: "john-users"<>;
>>> Subject: Re: [john-users] cannot get rar hash
>>> On Sun, Sep 29, 2019 at 08:13:29PM +0800, 王之叹息 wrote:
>>>> It's an archive I created 3-6 years ago for which I forgot my password, not a test file.
>>> Sure.  I'm asking you to create a test archive and try to reproduce the
>>> problem with it.  Then share that test archive with the user community.
>>>> It's a little sensitive; I can share it with you, but not other john users such as crackers.
>>>> How can I share the archive with you, by sharing a OneDrive link in the reply email?
>>> Please don't.  Please try the test archive approach first.
>>> Alexander
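
Added example (not from the thread or from John the Ripper): the diagnosis magnum describes above, locating the run of zero bytes that ends a file and testing whether it starts on a block boundary, with the entropy of the bytes just before it as a check that they still look like ciphertext. The function names, the candidate block sizes and the 4 KiB entropy window are assumptions of this example; the sample data is constructed.

```python
import io
import math
from collections import Counter

CHUNK = 64 * 1024

def trailing_zero_run(f):
    """Return (offset, length) of the run of 0x00 bytes that ends the file."""
    f.seek(0, io.SEEK_END)
    size = pos = f.tell()
    while pos > 0:                       # walk backwards, one chunk at a time
        start = max(0, pos - CHUNK)
        f.seek(start)
        stripped = f.read(pos - start).rstrip(b"\x00")
        if stripped:                     # last non-zero byte is in this chunk
            pos = start + len(stripped)
            break
        pos = start
    return pos, size - pos

def alignment(offset, candidates=(1 << 20, 65536, 4096, 512)):
    """Largest candidate block size (assumed list) dividing offset, else None."""
    if offset == 0:
        return None
    return next((b for b in candidates if offset % b == 0), None)

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def diagnose(f, window=4096):
    """Summarise the zero tail and the entropy of the bytes just before it."""
    offset, zeros = trailing_zero_run(f)
    f.seek(max(0, offset - window))
    before = f.read(min(window, offset))
    return {"zero_offset": offset, "zero_bytes": zeros,
            "aligned_to": alignment(offset),
            "entropy_before": round(entropy(before), 2)}

if __name__ == "__main__":
    import hashlib
    # Constructed sample: 12 KiB of hash output standing in for ciphertext,
    # followed by 200000 zero bytes standing in for the damaged tail.
    body = b"".join(hashlib.sha256(bytes([i % 256, i // 256])).digest()
                    for i in range(384))[:-1] + b"\xff"
    print(diagnose(io.BytesIO(body + bytes(200_000))))
```

For a real archive, pass a file opened with `open(path, "rb")` to `diagnose`.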
