cRARk (First & Fastest RAR Cracker) v. 2.3a
(c) Copyright PSW-soft 1995-2001 by P. Semjanov

THIS PROGRAM VERSION IS DISTRIBUTED "AS IS". YOU MAY USE IT AT YOUR OWN RISK.
ALL CLAIMS CONCERNING PROGRAM OPERATION WILL BE REJECTED. THE AUTHOR ALSO DOES
NOT GUARANTEE FUTURE MAINTENANCE AND UPDATES OF THIS PROGRAM.

This is a FREEWARE program, so it may be distributed under the following
conditions: the program code is kept unchanged and the program is distributed
in the form of the distribution archive. Any commercial use of this program is
prohibited!

1. PURPOSES AND CHARACTERISTICS

The cRARk program is designed to determine a "forgotten" password for RAR
archives. It works with RAR archives of versions 2.0x (for RAR archives of
version 1.5x use cRARk v. 1.5x) and also with
NOTE: Some RAR 2.0 BETA archives may not be supported.

To run cRARk you need a computer with an 80386-compatible processor or later.
It is recommended to use as powerful a processor as possible (the code is
optimized for Pentium/Pentium II).

cRARk is a tool for professionals; no GUI or extra services are provided. But
it tries to maximize your abilities for password definition and to minimize
search time. cRARk uses the Password Cracking Library (PCL), a very powerful
tool allowing you to define rules to generate passwords.

The rate of password search is approximately

    2000 / [(n+1)/2] pass/sec

on a Pentium II/333 class computer, where n is the password length and [x] is
ceil(x), so finding a 6-character password of lower-case Latin letters will
take about a week. The rate for a dictionary attack is about 400 pass/sec. For
stored files the speed is much slower and depends on the file length.

2. REQUIREMENTS FOR THE INPUT ARCHIVE

To ensure that the program processes the RAR archive under test successfully,
the following requirements must be met:

- There is at least one encrypted file.
- This file must not be split into several archives using the -v option.
- For maximum speed, this file must not be stored (-m0 option). If the program
  displays a warning about it, you can simply remove such a file from the
  archive. See the -m option too.

In the case of solid archives, the first file should satisfy these
requirements. Therefore, if the files in the archive were encrypted with
different passwords, the password for the first file will be found.

cRARk should work with SFX archives.

3. Working with the program

To run the program YOU MUST FIRST CREATE A PASSWORD DEFINITION FILE (see
section 4).

You may run the program under MS-DOS, any Windows, or Linux. You need a DPMI
host to run the program under MS-DOS. If you have no DPMI host, you may use the
FREEWARE CWSDPMI (it is not included in this package); get it at
ftp://ftp.simtel.net/pub/simtelnet/gnu/djgpp/v2misc/csdpmi5b.zip.

This is a command-line utility! To run the program use:

    CRARK [options] archive

The password found is printed in the following form:

    truepass - CRC OK

Next it is repeated in hexadecimal PCL-like form (see 4.2.1). All other
messages ARE NOT passwords and are intended as progress indication.

Options in this mode are:

-lXX    sets the minimum password length to XX (XX = 0..255, XX = 1 by
        default). This parameter affects the password length only when '*' is
        used in its definition (see section 4.2.1);
-gXX    sets the maximum password length to XX (XX = 0..255, XX = 8 by
        default);
-mXX    sets the first character (byte) of the decompressed file, in
        hexadecimal form. It is frequently known from the file extension
        (.EXE - 4D, .DOC - D0, .ARJ - 60, etc.). Using this option is allowed
        for stored files only and reduces the search time;
-pXXXX  sets the name of the password definition file ("PASSWORD.DEF" by
        default). Long file names are supported under Windows 95/98 only (not
        MS-DOS or Windows NT);
-b      performs benchmarking;
-v      debug mode (see section 5.1). It may be used to show the character
        sets in use. This option also generates all the passwords according to
        their definition; it does not test them but prints them, so you can
        check their validity;
-5      use Pentium-optimized code;
-6      use Pentium Pro/II-optimized code (also better for AMD).

If neither of the last two options is given, the CPU is autodetected and the
best code is chosen.

4. THE USE OF THE PASSWORD DEFINITION FILE TO CHOOSE THE MODE OF OPERATION AND
   THE PASSWORD SET

The password definition file is the main control file. Its translation and
processing are the main task of the PCL library. Its format doesn't depend on
the application to which PCL is linked, so this library can be used for any
password searching program.

4.1. Password definition file format

The password definition file is an ordinary text file and consists of two
parts: first, the dictionary and character set definitions, and second, the
password definitions; the parts are separated by a line of two '##' symbols:

    [ ]
    ##

The first part may be omitted, in which case the password definition file
must begin with the '##' symbols. Anywhere else the symbol '#' is considered
the beginning of a comment. Space characters and tabs are ignored in the
password definition file and may separate any components.

For convenience, the password definition mechanism is described first and the
character set definitions second, contrary to their order in the password
definition file.

4.2. Password definition

This is the main part of the file. IT MUST BE PRESENT IN ANY PASSWORD
DEFINITION FILE (PASSWORD.DEF) AFTER THE LINE '##' and sets the password
generation rules to be checked later. It consists of text lines, each giving
its own password set and mode of operation, i.e. an algorithm of password
search. Each line stands on its own and is processed separately, so the total
number of passwords checked is computed over all lines.

Character sets and dictionary words form the password definition. They
specify one or more characters which will occupy the corresponding position in
a password.

4.2.1. Character sets

A character set (charset) is a set of characters which can occupy the current
position in a password (but, of course, only one of them holds it). These may
be the following:

1) Ordinary characters (a, b, etc.). This means that this very character
   occupies the given position in the password;

2) Shielded characters. Special characters, if they ever occur in the
   password, must be shielded. The meaning is the same as above. Among these
   are:

   \$, \., \*, \?, \=          '$', '.', '*', '?', '='
   \], \[, \{, \}, \(, \)      the corresponding brackets
   \  (backslash, space)       space character
   \XX, X a hexadecimal digit  any character given by its hex code
   \0                          no character. It is usually used in conjunction
                               with a "real" character (see examples below).

   Generally, any character can be shielded except hexadecimal digits.

3) Character set macros. This means that the current position in the password
   can be occupied by any character from the set. These sets are specified in
   the first part of the password definition file (see section 4.3.2) and are
   denoted as:

   $a  lower-case Latin letters (26 letters, unless otherwise specified);
   $A  upper-case Latin letters (26 letters, unless otherwise specified);
   $!  special characters (32 characters, unless otherwise specified);
   $1  digits (10 digits, unless otherwise specified);
   $i  lower-case letters of the national alphabet (33 letters for the
       Russian alphabet);
   $I  upper-case letters of the national alphabet (33 letters for the
       Russian alphabet);
   $o  other user-specified characters;
   ?   any character (i.e. all the characters included in the macros
       mentioned above).

   NOTE: the macros $v and $p (see section 4.3.4) cannot be used in password
   definitions.

4) Any combination of the characters mentioned above, written in square
   brackets. The meaning is the same as above. For example:

   [$a $A]                  any Latin letter;
   [abc]                    a, or b, or c;
   [$1 abcdef]              a hexadecimal digit;
   [s \0]                   s or nothing;
   [$a $A $1 $! $i $I $o]   this is equivalent to ?.

5) The regular duplication character '*'. It means that the preceding
   character set is to be repeated 0 or more times in the corresponding (next)
   positions of the password. For example:

   $a *                     a password of arbitrary length consisting of
                            lower-case Latin letters;
   [ab] *                   the empty (zero-length) password, a, b, aa, ab,
                            ba, bb, aaa, ...
   [$a $A] [$a $A $1] *     an "identifier", i.e. a sequence of letters and
                            digits with a letter in the first position.

   Note that a password of zero length is physically meaningful and is not
   always the same as no password at all.

   The number of repetitions is computed automatically from the options, on
   the basis of the given maximum and minimum password length. Note that these
   parameters influence only the length of passwords generated with the use of
   the '*' character and are not taken into account for passwords consisting
   of words or static characters only.

   It is recommended to use '*' as widely as possible, because it allows the
   most powerful search. Although the constructions '? *' and '? ? *' seem
   alike from the logical standpoint, the first one will be searched faster.

   Current restriction: '*' can only be the last character in the line.

4.2.2. Dictionary words and their modifiers

Words represent several consecutive characters of the password, as opposed to
a character set. Two dictionaries are supported in the PCL library: the main
one (with ordinary words, as usual) and the user one (where special
information can be stored, for example names, dates, etc.), though there is no
difference between them. A dictionary is a text file consisting of words
separated by end-of-line characters. Both DOS-format (CR/LF) and UNIX-format
(LF) files may be used. It is desirable (to increase the search rate, among
other reasons) to use words of the same (lower) case in dictionaries.

Thus, there are two macros:

   $w  a word from the main dictionary;
   $u  a word from the user dictionary.

It is known that altered words are often used as passwords. So, to determine
such passwords, a whole set of word modifiers is provided. Among these are:

   .u (upper)      to upper-case;
   .l (lower)      to lower-case;
   .t (truncate)   to truncate to the given length;
   .c (convert)    to convert the word;
   .j (joke)       to upper-case some letters;
   .r (reverse)    to reverse the word;
   .s (shrink)     to shrink the word;
   .d (duplicate)  to duplicate the word.

Modifiers may have parameters, written in round brackets. For modifiers
intended for use with single letters, the number of the letter can be given
as the parameter; no parameter or a null parameter means "the whole word".
Letters can be numbered both from the beginning of the word and from the end.
The end of the word is denoted by the character '-'. There are only three such
modifiers for today: .u, .l, .t. So, use

   .u or .u(0)      to upper-case the whole word (PASSWORD);
   .u(1), .u(2)     to upper-case only the first (the second) letter
                    (Password, pAssword);
   .u(-), .u(-1)    to upper-case the last (the next to last) letter
                    (passworD, passwoRd);
   .t(-1)           to truncate the last letter of the word (passwor).

The other modifiers operate on whole words only, and their parameters give the
kind of modification. The following modifier parameters are specified for
today:

   .j(0) or .j    to upper-case odd letters (PaSsWoRd);
   .j(1)          to upper-case even letters (pAsSwOrD);
   .j(2)          to upper-case vowels (pAsswOrd);
   .j(3)          to upper-case consonants (PaSSWoRD);
   .r(0) or .r    to reverse the word (drowssap);
   .s(0) or .s    to reduce the word by discarding vowels unless the first
                  one is a vowel (password -> psswrd, offset -> offst);
   .d(0) or .d    to duplicate the word (passwordpassword);
   .d(1)          to add the reversed word (passworddrowssap);
   .c()           to convert all the letters in the word according to the
                  appropriate conversion string (see section 4.3.3).

All the modifiers operate correctly with both Latin and national letters,
provided that the rules of national character set definition are observed.
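The word modifiers listed above, as an added Python example (not code from cRARk or the PCL library): it applies a modifier chain such as $w.u(1).u(-) to one word, so you can see exactly which mangled forms of a dictionary word a definition line covers, or, from the defender's side, which variants of a base word a password policy should treat as equivalent to it. It assumes $v = [aeiou] for the vowel-based modifiers (.j(2), .j(3), .s), uses the Shift-key mapping from section 4.3.3 as conversion table 0 for .c, and treats a bare .t(-) like .t(-1); these are assumptions of the example, not PCL definitions.

```python
import re

# Assumptions (not PCL definitions): the vowel set $v, and conversion table 0
# taken from the Shift-key example in section 4.3.3 of the README.
VOWELS = set("aeiou")
CONVERSIONS = {0: str.maketrans("1234567890", "!@#$%^&*()")}

MODIFIER_RE = re.compile(r"\.([ultcjrsd])(?:\(([^)]*)\))?")


def _letter_index(param, length):
    """Map a .u/.l letter parameter to a 0-based index: 'k' is the k-th letter
    from the start, '-' the last letter, '-k' the (k+1)-th from the end."""
    if param == "-":
        return length - 1
    if param.startswith("-"):
        return length - 1 - int(param[1:])
    return int(param) - 1


def _recase(word, param, fn):
    """.u / .l: no parameter or 0 means the whole word, else a single letter."""
    if param in ("", "0"):
        return fn(word)
    i = _letter_index(param, len(word))
    return word[:i] + fn(word[i]) + word[i + 1:]


def _truncate(word, param):
    """.t(k) keeps the first k letters; .t(-k) drops the last k letters, as in
    the README's .t(-1) -> passwor. Bare .t(-) is treated as .t(-1) (assumed)."""
    if param in ("", "0"):
        return word
    return word[:int("-1" if param == "-" else param)]


def _joke(word, k):
    """.j: 0 = odd letters, 1 = even letters, 2 = vowels, 3 = consonants."""
    def pick(i, c):
        if k in (0, 1):
            return i % 2 == k
        if k in (2, 3):
            return (c.lower() in VOWELS) == (k == 2)
        raise ValueError(f".j({k}) is not defined")
    return "".join(c.upper() if pick(i, c) else c for i, c in enumerate(word))


def _shrink(word):
    """.s: drop vowels except one in the first position (offset -> offst)."""
    return word[:1] + "".join(c for c in word[1:] if c.lower() not in VOWELS)


def _duplicate(word, k):
    """.d(0) appends the word itself, .d(1) appends the reversed word."""
    if k in (0, 1):
        return word + (word if k == 0 else word[::-1])
    raise ValueError(f".d({k}) is not defined")


def apply_modifiers(word, chain):
    """Apply a PCL-style modifier chain, e.g. '$w.u(1).u(-)', to one word."""
    chain = re.sub(r"^\$[wu]", "", chain.strip())      # optional $w / $u prefix
    if not re.fullmatch(r"(?:\.[ultcjrsd](?:\([^)]*\))?)*", chain):
        raise ValueError(f"cannot parse modifier chain: {chain!r}")
    for mod, param in MODIFIER_RE.findall(chain):
        param = param.strip()
        num = int(param) if param.isdigit() else 0      # whole-word modifiers
        if mod == "u":
            word = _recase(word, param, str.upper)
        elif mod == "l":
            word = _recase(word, param, str.lower)
        elif mod == "t":
            word = _truncate(word, param)
        elif mod == "j":
            word = _joke(word, num)
        elif mod == "r":
            word = word[::-1]
        elif mod == "s":
            word = _shrink(word)
        elif mod == "d":
            word = _duplicate(word, num)
        elif mod == "c":
            word = word.translate(CONVERSIONS[num])
    return word


if __name__ == "__main__":
    for chain in ("$w.u(1).u(-)", "$w.s.t(4)", "$w.t(4).s", "$w.j(3)", "$w.d(1)"):
        print(f"{chain:16} {apply_modifiers('password', chain)}")
```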
Clearly there can be more than one modifier (the number of consecutive
modifiers is limited to 63, which is unlikely to be exceeded). For example (let
$w mean "password"):

   $w.u(1).u(-)    PassworD
   $w.s.t(4)       pssw
   $w.t(4).s       pss

4.2.3. Permutation brackets

A widely met problem is when you remember your password, but it does not work
for some reason. Probably you made a mistake while typing it. This program has
its own algorithm to restore such passwords. The following typing mistakes are
considered: two neighboring letters are swapped (psasword), a letter is
omitted (pasword), an unneeded letter is inserted (passweord) or one letter is
replaced with another (passwird). Such password changes will be referred to as
permutations.

To indicate the beginning and the end of the portion of the password where
permutations could appear, the permutation brackets '{' and '}' are used. The
bracket '}' can be followed by the number of permutations (1 by default),
separated by a point (or given in round brackets). The physical meaning of the
number of permutations is the number of simultaneous mistakes. For example:

   {abc}          182 (different) passwords will be obtained, including:
                     bac, acb            2 swaps;
                     bc, ac, ab          3 omissions;
                     aabc, babc ...      4 * 26 - 3 insertions;
                     bbc, cbc ...        3 * 25 replacements;
                     abc                 the desired word;
   {password}.2 or {password}(2)
                  the following words will be generated: psswrod, passwdro,
                  paasswor, etc.;
   {$w}           all the words from the main dictionary, containing one
                  mistake.

Notes:

1) Obviously, some passwords will be obtained more than once, so the larger
   the number of permutations, the larger the number of duplicates. Efforts
   were made in this program to reduce duplicates, but they are purely
   empirical and were made for two permutations at most. In other words, for
   larger numbers there is no certainty that a particular password will not be
   discarded erroneously. Fanatics of combinatorics can compute the exact
   number for {password}.3, for example; then I'll be able to compare it with
   the one obtained by the program.

2) For insertion and replacement you have to know the set of characters to be
   inserted or replaced. If this set is not specified explicitly (see section
   4.3.4), the program forms it automatically for character sets, according to
   the standard set these characters are from (i.e. for {password} $a will be
   inserted, for {Password} [$a $A] will be inserted). A similar operation is
   performed for words, based on the first word of the dictionary with the
   modifiers taken into account. If this set is specified explicitly, it is
   just the set to be used.

3) The current restriction is that the character '{' must be the first in the
   line. Expressions such as good_{password} remain unsupported, but
   {good}_password is quite possible.

4.3. Dictionaries and character set definitions

All the definitions are placed at the beginning of the password definition
file, up to the characters '##'.

4.3.1. Dictionary definition

First the main and user dictionaries in use (see section 4.2.2) are defined.
This is necessary only if you are going to use words from the dictionaries
when defining passwords, i.e. $w or $u. The dictionaries are given as follows:

   $w = "main.dic"            # main dictionary
   $u = "c:\\dict\\user.dic"  # user dictionary

The file name must be quoted, and the path characters must be shielded. Long
file names work under Windows 95/98 only (not under MS-DOS or Windows NT).

4.3.2. Definition of the character sets in use

Then the character sets in use are defined. They are classified in two
groups: predefined and user-defined. Predefined sets include:

   $a  lower-case Latin letters, 26 letters in all;
   $A  upper-case Latin letters, 26 letters in all;
   $!  special characters {}:"<>?[];\',./~!@#$%^&*()_+`-=\|, 32 characters
       in all;
   $1  digits, 10 digits in all.
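Using the predefined set sizes just listed and the charset syntax of section 4.2.1, this added Python example (not code from cRARk or PCL) counts the candidates one definition line generates for each length allowed by -l/-g and turns that into search time with the Pentium II/333 rate formula from section 1, which is the same arithmetic a defender uses to judge how long a given password pattern holds up. It handles ordinary, shielded and hex characters, $-macros, ?, square brackets and a trailing '*', but not dictionary words or permutation brackets; it assumes $i, $I and $o are empty unless supplied and counts a \0 alternative as a candidate without changing the length, which are choices of this estimator rather than PCL's exact counting.

```python
import math
import string


def default_sets(i="", I="", o=""):
    """Predefined sets with the sizes from section 4.3.2 (26/26/32/10).
    $i, $I and $o are user-defined, so they are empty unless supplied."""
    return {"a": set(string.ascii_lowercase), "A": set(string.ascii_uppercase),
            "!": set(string.punctuation), "1": set(string.digits),
            "i": set(i), "I": set(I), "o": set(o)}


def _read_charset(line, j, sets):
    """Parse one charset element starting at line[j]; return (set, next j)."""
    c = line[j]
    if c == "$":                                   # macro such as $a or $!
        name = line[j + 1:j + 2]
        if name not in sets:
            raise ValueError(f"${name} is not a charset macro")
        return set(sets[name]), j + 2
    if c == "?":                                   # union of all macros
        return set().union(*sets.values()), j + 1
    if c == "\\":                                  # shielded character
        hexpair = line[j + 1:j + 3]
        if len(hexpair) == 2 and all(h in string.hexdigits for h in hexpair):
            return {chr(int(hexpair, 16))}, j + 3
        if line[j + 1:j + 2] == "0":               # \0 means "no character"
            return {""}, j + 2
        return {line[j + 1]}, j + 2
    if c == "[":                                   # combination in brackets
        acc, j = set(), j + 1
        while line[j] != "]":
            if line[j].isspace():
                j += 1
                continue
            part, j = _read_charset(line, j, sets)
            acc |= part
        return acc, j + 1
    if c in "*{}]":
        raise ValueError(f"unexpected {c!r} at column {j}")
    return {c}, j + 1                              # ordinary character


def parse_line(line, sets):
    """Split a definition line into per-position sets; the flag says whether
    the last set carries the '*' repetition character."""
    positions, starred, j = [], False, 0
    line = line.split("#", 1)[0]                   # '#' starts a comment
    while j < len(line):
        if line[j].isspace():
            j += 1
        elif line[j] == "*":                       # must be last on the line
            if not positions or line[j + 1:].strip():
                raise ValueError("'*' must follow a charset and end the line")
            starred, j = True, len(line)
        else:
            part, j = _read_charset(line, j, sets)
            positions.append(part)
    return positions, starred


def count_candidates(line, sets, min_len=1, max_len=8):
    """Candidates per length ({length: count}); -l/-g only matter with '*'."""
    positions, starred = parse_line(line, sets)
    if not starred:
        return {len(positions): math.prod(len(s) for s in positions)}
    fixed, repeated = positions[:-1], positions[-1]
    base = math.prod(len(s) for s in fixed)
    return {n: base * len(repeated) ** (n - len(fixed))
            for n in range(max(min_len, len(fixed)), max_len + 1)}


def pentium2_rate(n):
    """Section 1: about 2000 / ceil((n+1)/2) passwords per second."""
    return 2000 / math.ceil((n + 1) / 2)


def estimate_seconds(counts):
    """Worst-case time to exhaust the counted candidates at that rate."""
    return sum(c / pentium2_rate(n) for n, c in counts.items())


if __name__ == "__main__":
    for line, lo, hi in (("$a *", 1, 6), ("He [aA] v [eE] n ! *", 7, 10)):
        counts = count_candidates(line, default_sets(), lo, hi)
        print(f"{line:24} {sum(counts.values()):>12} candidates, "
              f"~{estimate_seconds(counts) / 86400:.1f} days")
```

For "$a *" with -l1 -g6 the estimate comes out at about 7.4 days, matching the README's "about a week" for a 6-character lower-case password.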
User-defined sets include:

   $i  lower-case letters of the national alphabet;
   $I  upper-case letters of the national alphabet;
   $o  an additional character set (for example, any non-typable characters).

Character sets are defined as follows:

   $ = [ ]

In other words, a character set is written as a combination of characters
(see section 4.2.1), for example:

   $i = [абвгдежзийклмнопрстуфхцчшщъыьэюяё]
   $o = [$! $1 \FF]

NOTES:

1) Any character sets may be defined, including the predefined ones. For
   example, you may include additional characters, such as the space character
   or \FF, in the set $!.

2) When the sets $i and $I are defined, the function switching between lower
   and upper case is defined automatically. So it is important to have the
   letters ordered uniformly in these sets.

The full character set '?', consisting of [$a $A $1 $! $i $I $o] (this exact
order is of importance in the next section), is not formed until all the
characters are defined.

4.3.3. Definition of conversion modifiers

Then the conversion modifiers .c may be defined (see section 4.2.2) in
relation to the full character set ?. It is done with a line of the form

   ?.c() = ""

Any character from the full set is converted into the character occupying the
same position in the transformation string. For example, let ? = [1234567890];
then

   ?.c(0) = "!@#$%^&*()"

gives a transformation identical to that of the Shift key. The characters '\'
and '"' must be shielded in the conversion string. The number of the modifier
may vary from 0 to 255.

4.3.4. Special character set definitions

The special character sets are:

   $v  a set of vowels (in all alphabets being used). It is needed only when
       the .s and .j modifiers are used;
   $p  a set for insertion and replacement in permutation brackets. It is
       needed only if the automatic generation of this set does not suit you
       for some reason (see section 4.2.3).

These sets are defined in the same way as the other character sets.

4.4. USEFUL EXAMPLES OF PASSWORD DEFINITION

0) The most typical password definition, similar to that of preceding program
   versions, is "$s(2) $s(3) $a *". It means that the first three characters
   obtained by the program are to be used, and lower-case Latin letters are to
   be added next. The second password character is determined rather
   inaccurately, so the following definition is recommended also:
   "$s(1) $a $s(3) $a *" (don't use quotes!). If you are searching through
   some other character set, don't forget to set it in the second position of
   the password. For example: "$s(1) [$! $1] $s(3) [$! $1] *" (don't use
   quotes!)

1) Let me cite the ZEXPL2L program specification: "Suppose you have an archive
   with a password looking like "Heaven!!!", but you have forgotten how many
   !s there were at the end and what kind of letters, lower- or upper-case,
   were used: "HeAvEn!!!", "Heaven!" or "HeAven!!!!". But fortunately you
   remember your password to be 10 characters at most and 7 characters at
   least." This password will be written in the PCL language as follows:
   "He [aA] v [eE] n ! *" (don't use quotes!) with the options -l7 -g10.
   Suppose that, among other things, you made a mistake while typing the main
   part of the password. Then the following one is worth attention:
   "{He [aA] v [eE] n} ! *" (don't use quotes!) with the options -l7 -g10.

2) One more citation from the same specification: "Suppose you have two
   variants of the password string: "myprog", "MyProg", "my_prog" and
   "My_Prog"." It will be written as: "[mM] y [_ \0] [pP] rog" (don't use
   quotes!)

3) It is often recommended to use two meaningful words separated by a certain
   character as a password. The description is as follows: "$w [$1 $!] $w" or
   "$w.u(1) [$1 $!] $w.u(1)" (don't use quotes!). It should be mentioned that
   the two $w are distinct here (these are distinct words), so a total of
   20000 * 42 * 20000 = 1.68E10 passwords will be generated (if there are
   20000 dictionary words), i.e. it takes, on average, less than a day to
   crack passwords considered extremely hard to crack. Thus, just two
   successive words are cracked 42 times faster.

4) The password consists of exactly six letters of the national alphabet:
   "$i $i $i $i $i $i" (don't use quotes!). But "$i *" with the options -l6
   -g6 is far more efficient.

6) You remember your password to be "MyVeryLongGoodPassword", but it does not
   work for some reason. Try the following ones:

   "{MyVeryLongGoodPassword}"      2382 passwords      in 1 second
   "{MyVeryLongGoodPassword}.2"    2836413 passwords   in 1 minute
   "{MyVeryLongGoodPassword}.3"    ??? passwords       in 2-3 days

7) You know your password to be a meaningful word with a digit inserted
   somewhere. The definition file is:

   $p = [$1]   # the insertion set is defined as the set of digits
   ##
   {$w}

8) Syllable attack. You have to set up a dictionary of possible syllables of
   your language and then search through all the meaningful words as follows:

   $u          # monosyllabic words
   $u$u        # disyllabic words
   $u$u$u      # etc.
   $u$u$u$u
   ...

9) In order to run the program in parallel on two computers, give them the
   following definition files: "[abcdefghijklm] $a *" for the first one,
   "[nopqrstuvwxyz] $a *" for the second one. Proceed similarly with n
   computers.

5. Possible problems (FAQ)

1. How to interrupt and then continue the search?
   The program may be interrupted painlessly once the message "Testing
   XX-chars passwords..." is displayed, and then the search may be continued
   with the -lXX option (both XX being equal).

2. How to resume the search from the password XXX?
   No way as yet. I hope it will be done in PCL 3.0.

3. The program has been searching for 10 days, but my password is not yet at
   hand.
   Alas! It can't be helped. Maybe your password is too long, or the search
   set is wrong. Additional information on the password is necessary.

4. There are files with different passwords in the archive. What am I to do?
   Just remove (using RAR) the files with already known passwords.

5. I have tested your program. To my mind, your program is nothing but an
   utter failure; it cannot even find an "aaa2"-like password.
   RTFM. The distributed password.def file searches through lower-case Latin
   letters only. Change your password definition to "[$a $1] *" and
   everything will be OK.

6. I've got the beginning of one file from the archive in plain text. Will it
   be useful to me?
   No. At least, I couldn't use it. Could you? The RAR encryption sources are
   available in the WinRAR distribution.

7. I'd like to optimize your program. How can I get the sources?
   You don't need them. Take the UnRar sources and optimize the
   SetCryptKeys() function. Then contact me.

8. Is there any option to save the program operation log?
   Probably you have never dealt with UNIX. Use crark [options] > file. If you
   don't like this, use the "tee" utility.

9. Your program operates two times slower in Windows NT than in MS-DOS.
   Allow this program 100% of the CPU time. All you have to do is click the
   mouse button on free space in the taskbar and then click on your program
   window.

10. Your distribution kit is itself packed with a password!!! I do not find it
    funny!
    You are reading this file, so you have solved this problem.

6. On the PCL library

The PCL library is distributed by the author as FREEWARE in the form of source
text as well as .LIB (for Borland, Watcom C) or .a (for DJGPP) files. A
reference to PCL is an obligatory requirement for your programs. Now it is
under development, so I'll be very glad to receive any comments on defects and
errors in the program, especially those indicating the way for improvements
and supplements.

7. How to contact the author

Only by e-mail.

   FIDO:   2:5030/145.17
   e-mail: psw@ssl.stu.neva.ru
   WWW:    http://www.ssl.stu.neva.ru/psw/

The program support URL is: http://www.password-crackers.com/crack/crark.html
A lot of free, benchmarked password crackers can be found at
http://www.password-crackers.com

cRARk is a FREE program, so all claims will be rejected. Anyway, I'll be very
grateful for pointing out manifest errors, such as:

- the program hangs while searching (the lack of displayed messages is not
  evidence of a hang);
- the program cannot find such-and-such password in such-and-such archive,
  although the set of characters to search is specified correctly.

I'll also be glad to receive any constructive suggestions on improving program
operation. Discussion of the program algorithm and source code is possible if
you are really interested in this program's development.

8. Special thanks

To Eugene Roshal for the good encryption algorithm;
To John Vandermeersch for correcting these docs;
To Phil Frisbie, Jr. (pfrisbie@geocities.com) for the CPU identification
function.

Good luck!
Pavel Semjanov, St.-Petersburg.