Guide To Cracking 2002

home *** CD-ROM | disk | FTP | other *** search

/ Guide To Cracking 2002 / Guide_to_Cracking_2002.iso / Utilities / Zip Crackerz / Yet Another Arj Cracker.exe / Yet Another ARJ Cracker / YAAC.ENG < prev next >

Wrap

Text File | 1998-11-21 | 29.2 KB | 748 lines

THIS IS MACHINE TRANSLATION! --------------------------------------- ------------------------- Changes in versions: 0.97b: - "5th line" bug in PCL 2.0 fixed. Only password definitions greather than 4 lines have been affected. Thanks to Dmitry Lisiy. Some minor bugs in -f option fixed (thanks to Mikhail Leitus). 0.97a - 0.95a version "know-how" was applied and speed was increased a bit. 0.97: - PCL v. 2.0 added. Thus, appeared: support of different languages and encodings, charset definition, new modifiers and their parameters, timing and benchmarking functions, maximal password length is now 255. Due to the invaluable Vyacheslav Semyonov's help many heuristics are improved, therefore up to a half of the passwords is discarded beforehand. The options -g and -l now mean length of the password, not '*'. 0.96: - Some bugs fixed affected ARJ > 2.60 archives only. 0.95b: - New ARJ > 2.50 encryption scheme (-hg option) check (not support) added. 0.95a: - 25-40% speedup on Pentiums. 0.95: - Library Password Cracking Library (PCL) v. 1.1 added, allowing multifunctional dictionary attacky, brute force attack with known symbols, recovery of the incorrectly typed password and much. - Small bug fixed, connected that on very rare files of block ratio number can nevertheless be more than 1.1 - In connection with transition to the gcc compiler the 386+ processor and DPMI-host is now required. 0.91b: - Bug fixed, because of which seldom the 3-rd symbol incorrectly turned out; - Conclusion of length of files in an option -c is added; 0.91: - First version released. --------------------------------------- ------------------------- Y A A C (Yet Another ARJ Cracker) v. 0.97 (ß) Copyright PSW-soft 1994-98 by P. Semjanov THIS BETA-VERSION of the PROGRAM IS DISTRIBUTED " AS IS ". You CAN USE IT AT YOUR OWN RISK. ANY CLAIMS ON WORKING of the PROGRAM WILL NOT BE ACCEPTED. ALSO the AUTHOR DOES NOT GUARANTEE FURTHER SUPPORT and UPDATING of future VERSIONS of THIS PROGRAM. This program is FREEWARE and can be distributed freely under fol- lowing conditions: the program code may not be changed and the program is distributed in original form. 1. Purpose and characteristics. The YAAC program is intended for definition of the "forgotten" password at ARJ-archives. The program correctly works with archives ARJ of versions 2.30-2.60. Since version 2.55 the ARJ's author introduced the new procedure of encoding it is not supported by the given program (see item 6). Also this program is intended for demonstrating possibilities of the Password Cracking Library (PCL) library. For operation the YAAC program needs the computer with at least 80386 processor and 256K of the main memory, and also any DPMI-host. Thus it is recommended to use the program on as more powerful processor as possible (code is optimized for Pentium). The YAAC program is rather fast (the speed achieves 350000 pass/s on Pentium/166 at brute-force search and about 270000 pass/s at attack under the dictionary). So, finding the 8-character password from capital latin characters will take several minutes. 2. Requirement to entry archive. For successful work of the program for given of ARJ-archive the following requirements should be carried out: - All files were ciphered with the identical password; - options -jh, -m0, -m4, -hg were not used. The program will work especially effectively, if in archive: - it is a lot of files. In no event it is not necessary up to work of the program to throw out from archive some (long) files; - is of a little bit small files (100-500 byte). If you have besides ciphered archive at least one file from it in plain, decompressed text, very effective attack in the plain text can be applied. There is the program SOLVEPWD.COM by Anantolyn Skoblov (enters a package BRKARJ). 3. Operation with the program. The program has two modes of operations: automatic and for advanced users. For operation with the program at first it is necessary to create password definition file (see item 4). Also DPMI-host is necessary for start of the program (from QEMM, Windows etc.), or FREEWARE CWSDPMI. 3.1. Automatic mode. For start of the program in this mode use the command: YAAC of [option] archive [.ARJ] If the password consists no more, than from 3 characters, it at once is produced on the screen. Differently program will produce probable combinations of first two characters of the password (" The password may begin with: ") and third character (" The 3rd char is: "). These assumptions it makes, being based on all possible characters which are included in set '?' (see 4.2.1). Further it produces a recommended character set (" Recommended set of chars: "). On the basis of this information you can foresee, of what characters the password consists. Here it is possible to give the following advices: - The majority of the passwords are limited to small latin characters ($a ); - The program is most exact determines the first and third character of the password, therefore just on the basis of them you should accept solution, what character set to use; - Use full sets of characters will increase time of search of the password in comparison with set $a on some orders. Found password is produced on screen as: Truepass CRC OK Passwords tested = XXXXXXX (slow tests = XXXXX) All other messages of the program, both with a mark "CRC ERROR", and without it, are not right passwords. Options in this mode are: -lXX - establishes minimum password length, where XX ranges from 1 to 255, (by default = 1). This options affects only if '*' presents in password definition (See item 4.1.1). -gXX - establishes maximum password length, where XX ranges from 1 to 255, (by default = 5). -n - is usual the program truncates set of first two characters $ S (1) up to what get in recommended. This option cancels it. -pXXX - sets a name of the password definition file (by default "PASSWORD.DEF"). -b - make some benchmarks. -v - verbose debug mode (see 5.1), could be used for printing defined charsets. 3.2. Mode for advanced users. The necessity for introduction of such mode is connected that the author did not manage to construct the function authentically defining first two characters of the password. However it can be made manually on To the following scheme: 1) From your archive (let it is named YOUR.ARJ) select some small files; 2) Start the program YAAC -c YOUR.ARJ to find out original length and the ratio for these files, and also version of ARJ used; For each of them do the following (for example, for the SAMPLE.EXE file of length 10000, ratio = 0.6): 3) Find on the hard disk files with the same extension (*.EXE) and approximately such length + - 50 % (7500-15000); 4) Arhive these files by the archiver ARJ of the same version in other archive OTHER.ARJ; 5) Start the program YAAC -c OTHER.ARJ Also select among them those, the ratio which differs from source no more than on 2-3 % (0.57-0.63); 6) For these files find maximum and minimum value from a column Block ratio (let it will be 0.66 and 0.75); 7) Add in the YAAC.SIZ file a line SAMPLE.EXE 0.66 0.75 After a closing up with all files 8) Start the program YAAC -f YOUR.ARJ Some remarks: - If you can not find files with such extension, try to look for files with similar length (+ - 10 %), and then select what give same ratio; - If you have found only 1-2 suitable files, take away from minimum value Block ratio and add to maximum on 0.05; - Numbers Block ratio can be more than 1.0, but can not be more than 1.2, and very much hardly less than 0.3. Usual values are 0.75.. 0.95; - It is possible also to try compress the found files, using options ARJ -jm, -m2, -m3. In this mode together with an option -f it is possible to use Any options of an automatic mode. 4. Choice of operation mode and password set with the help of a password description file. The password definition file is a main managing file. Its compilation and processing is purely the basic problem of library PCL. Its format is independent of the application, to which PCL is connected, therefore this library can be used with any program, engaged in detection of passwords. 4.1. Format of the password definition file. Password definition file is a plain text file divided on two parts: dictionaries and character sets descriptions and password description. These parts are divided by line '##': [ <the description of the dictionaries and character sets> ] ## <the description of the passwords> The first part can be absent, then the file should begin with symbols '##'. Thus in any other place the symbol '#' is considered as the beginning of the comment. The blanks and tabulation in a file of the descriptions are ignored and can divide any components. For a convenience, at the beginning, as against a sequence of the descriptions in a file, we shall consider the mechanism of the description of the passwords, and then description of character sets. 4.2. Description of the passwords. It is a main part of a file, NECESSARY PRESENT IN ANY PASSWORD DEFINITION FILE AFTER '##' LINE. It consists of textual lines, each of which sets the set of the passwords and working mode, i.e. which algorithm will be used. Each line is independent and is processed separately, thus the total number of the checked passwords is counted up. The basic components of the password definition file are: character sets and words from the dictionaries. They set one or several symbols, which will be in the password on appropriate places. 4.2.1. Character sets. The character set (charset) is set of symbols, which can be on a actual place in the password (but there is, naturally, only one of them). To can be the following: 1) Simple single symbols (a, b, and etc.). Meaning, that in the given position of the password there is just this symbol. 2) Shielded symbols. The special symbols, if they are met in the password, they should be shielded. The sense coincides with previous. They are: \$, \., \*, \?, \= - "$", ".", "*", "?", "=" \], \[, \ , \}, $, $ - appropriate brackets \ (space) - space \\ - "\" \XX, where X is hex-digit - any symbol in hex-code \0 - empty symbol (absence of a symbol). Is usually applied in association with the "present" symbol (see examples below). Basically, any symbols can be shielded, if they are not hex-digits. 3) Symbol set macros. These sets are defined(determined) in the first part of a file of the descriptions (see item 4.3.2). Meaning, that in a current position of the password there is any symbols, determined by following macros: $a - lower Latin letters (if not redefined, in total 26 possibilities); $A - upper Latin letters (if not redefined, in total 26 possibilities); $! - special marks (if not redefined, 32 possibilities); $1 - Figures (if not redefined, 10 possibilities); $i - lower national letters; $I - upper national letters; $o - User's set; ? - Any symbol, i.e. all chars included in these macroses. Note: $v and $p (see 4.3.4) could not be used to generate passwords. 4) The combination of any of the listed symbols above. Is written down with the help of square brackets. The sense coincides with previous. Examples: [$a $A] - any Latin letter; [abc] - or a, or b, or c; [$1 abcdef] - hex-digit; [s \0] - or s, or nothing; [$a $A $1 $! $i $I $o] - is equivalent to ?. 5) Regular symbol of recurrence "*". Means that the previous cha- racter set needs to be repeated 0 or more time in the appropriate positions of the password. Examples: $a * - password of any length from the small Latin letters; [ab] * - is empty, a, b, aa, ab, ba, bb, aaa... [$a $A] [$a $A $1] * - "identifier" - sequence of the letters and figures, and first letter. Let's note, that the zero length password has the certain physical sense, and is not always equivalent to absence of the password. Length of recurrence is calculated automatically on the basis of given maximal and minimal length of the password by a call of the basic function of library parse_rules_file(). Let's note, that these parameters influence only length of the password generated with the help of a symbol '*' and are not using, if the password consists only of words or static symbols. It is recommended to use "*" as often as possible due to the fact that it will create the most effective brute force attack. Current restriction - "*" can only be the last element of a line. 4.2.2. Word from the dictionaries and their modifiers. Contrary to a character set, the word set uses not one, but a few symbols of the password in succession. The PCL library supports two dictionaries basic (where more often used words are found ) and user (where the specific information such as names or dates). The dictionary is a text file, consisting of words, divided by end of a li- ne(EOL) symbols. Files such as DOS- (CR/LF), and UNIX-format (LF) can be used. It is desirable (including brute force speed) to have all words in one (lower) case. Thus, two macros exist: $w - Word from the basic dictionary $u - Word from the user dictionary. Also as the words can be described special sets, since they can have any length. They are designated $s(1), $s(2),... And are determi- ned to be specific to a problem. For this program are two special sets: $s(1) and $s(2), meaning two first and third character of the password accordingly. It is necessary to mean what to use special character sets it is meaningful only in a defined place, namely, $s(1) should go by first (and has length of 2 characters), and $s(2) should get on a third position in the password (length is equal 1). Thus, only following examples make sense: $ s(1) $s(2) $ s(1) ? ?? $s(2). It is impossible to consider anyone others, though and generating passwords, correct. As is frequently known the passwords are altered words. Therefore for determining such passwords the whole set of modified words are entered. Use following switches: .u (upper) - convert to uppercase; .l (lower) - convert to lowercaser; .t (truncate) - truncate at given length; .c (convert) - transform the word; .j (joke) - convert to uppercase some letters; .r (reverse) - reverse the word; .s (shrink) - reduce a word; .d (duplicate) - repeat a word 2 times. The modifiers can have parameters which are written down in parentheses. For modifiers intended for work with the separate letters, it is possible to set as parameter the number of the letter; absence of parameter or zero parameter means - " the whole word ". Further, numbers of the letters can be set both from a beginning of a word, and from the end. The end of a word is designated by a symbol '-'. For today there are only 3 of such modifiers: .u, .l, .t. So, .u or .u(0) - uppercase the whole word (PASSWORD); .u(1), .u(2) - uppercase only first (second) letter (Password, pAssword); .u(-), .u(-1) - uppercase last (last but one) letter (passworD, passwoRd); .t(-1) - cut off last letter in a word (passwor). Other modifiers work only with the whole words and parameter sets a conversion mode. For today the following parameters to modifiers are legal: .j(0) or .j - uppercase the odd letters (PaSsWoRd); .j(1) - uppercase the even letters (pAsSwOrD): .j(2) - uppercase the vowels (pAsswOrd); .j(3) - uppercase the consonants (PaSSWoRD); .r(0) or .r - reverse a word (drowssap); .s(0) or .s - reduce a word by removing vowels, if it is not first char (password - > psswrd, offset - > offst); .d(0) or .d - duplicate a word (passwordpassword); .d(1) - add the reversed word (passworddrowssap); .c(<number>) - convert all letters in a word according to the conversion string (see item 4.3.3). All modifiers will correctly work both with latin, and with the national letters, if national character are set correctly. Certainly, that the modifier can be not unique (restriction of their number in succession - 63, which hardly is possible to exceed). Examples (let $w - password): $w.u(1).u(-) - PassworD $w.s.t(4) - pssw $w.t(4).s - pss 4.2.3. Permutation brackets. Maybe you remember the password, but it does not match. Pro- bably, you were mistaken when you typed it. For restoration of such passwords, the program has its own proper algorithm . It conside- res, the errors in typing can be following: two letters are swaped (psasword), one letter is removed (pasword), extra letter is inserted (passweord) or one is replaced with other (passwird). Let's name such changes of the password "permutations". To indicate the start and end of a possible permutation in the password permutation brackets "{" and "}" are applied . "}" is followed by the permutation number (by default - 1), separated by "." or in in parentheses. Physical sense of permutation number is the amount of simultaneously allowed errors. Examples: {abc} - will receive 182 (different) passwords, such as: bac, acb - 2 swaps; bc, ac, bc - 3 removals; aabc, babc... - 4 * 26 - 3 inserts; bbc, cbc... - 3 * 25 replacements; abc - and the word; {Password}.2 or {Password}(2) - in particular, words as: "psswrod", "passwdro" and "paasswor" will be received; {$w} - all words with one error from the basic dictionary. Notes: 1) It is normal, that some passwords will not be found at on- ce, and, the higher the permutation number is, the more recur- rences there will be. Efforts on reduction of recurrences were made in the program, but they are purely empirical and are untrusted on permutation numbers greater than 2. Or else, for large numbers there is no guarantee that any password will not be wrongly throw out. 2) For insert and replacement it is necessary to know, which set of symbols to insert. If this set is not defined (see item 4.3.4), this program defines it automatically, inserting the set of the standard set these symbols belong (i.e. {password} should be in- serted - $a, {Password} - [$a $A]). For words the similar ope- ration must be carried out on the first word from the dic- tionary, thus modifiers are taken into account. 3) Current restrictions: the symbol "{" should be first in a line. The expressions as good_{password} are not suppoted, but {good}_password are supported. 4.3. Description of the dictionaries and character sets. All descriptions make in the beginning of a password definition file above to symbols '##'. 4.3.1. Description of the dictionaries. In the beginning are usually described the basic and user dictionary (see item 4.2.2). It is necessary only if password description will be used words from the dictionaries, i.e. $w or $ u. The dictionaries are set as follows: $w = "<dictionary_filename>" # the basic dictionary $u = "c:\\dict\\user.dic" # additional Is it necessary to quote the filenames, and to shield the path symbols. 4.3.2. Definition of used character sets. Used character sets further are usually defined. They are divided on predefined and set by the user. Predefined consist from: $a - small latin letters, only 26 pieces; $A - large latin letters, only 26 pieces; $! - special symbols {}:"<>?[];\',./~!@#$%^&*()_+`-=\| - 32 pieces; $1 - figures, 10 pieces. User-defined sets consist of: $i - lowercase letters of the national alphabet; $I - uppercase letters of the national alphabet; $o - additional set (for example, any non-typed on keyboard symbols). The definition of sets occurs to the help of the following format: $<set> = [< single symbols or character sets >] Or else, the character set enters the name with the help of combination of symbols (see item 4.2.1), for example: $o = [$! $1 \FF] NOTES: 1) Yoy may define any character sets, including predefined. For example, it is possible to add in set $! additional symbols, such as a blank or \FF. 2) The definition of sets $i and $I automatically determines rules of upper/lowercase conversion. Therefore it is important, that the letters in these sets is in the same order. Only after all character sets are defined, the complete set of symbols '?' will be formed, consisting of [$a $A $1 $! $i $I $o], and just in such order (it is important for following item). 4.3.3. Definition of convert modifiers. Convert modifiers .c (see item 4.2.2) can be set further, with reference to complete set of symbols '?'. It could be done using the lines with format: ?.c(<number>) = " < conversion line > " Each symbol available in complete set will be transformed in appropriate to it, taking place in the same position in a conversion string. For example, let ? = [1234567890], then ?.c(0) = "!@#$%^&*()" sets shift-conversion. In the conversion string it is necessary to shield symbols '\' and '"". Parameters at convert modifiers can be from 0 up to 255. 4.3.4. Definition of special character sets To special character sets concern: $v - the set of vowels (in all alphabets) - is required only, if the modifiers .s and .j are used. $p - the set for insert with permutation brackets - is required only, if for some reason does not arrange automatic reception of this set (see item 4.2.3). They are set similarly to other character sets. 4.4. Useful examples of password descriptions. 1) Let me give you a fragment from the documentation on the program ZEXPL2L: " I assume, that you have archive with a password, similar to " Heaven!!!", but you have forgotten, how many '!' were at the end of a word, and which - lower/upper case vowels were. This password would be written down in PCL language as such: "He [aA] v [eE] n! * " We shall assume in addition, that you were mistaken about a set of the basic part of the password. Then it is necessary to try following: "{He [aA] v [eE] n} ! * " 2) Another citation : " Assuming, you have two variants of a line of the password: "myprog", "MyProg","my_prog" and "My_Prog". It should be written down as: "[mM] y [_ \0] [pP] rog". 3) Often passwords consist of two intelligent words, separated by some sign. The appropriate description: "$w [$1 $!] $w" or "$w.u(1) [$1 $!] $w.u(1)" It is important to note, that both $w are not equal here , and will generate a total of (if there are 20000 words in the dic- tionary): 20000 * 42 * 20000 = 1.68E10 passwords. Accordingly, it is simple two words separated by a number break in 42 times faster. 4) You remember, that your password was "MyVeryLongGoodPassword", but it does not match for some reason. Try these combinations: "{MyVeryLongGoodPassword}" - 2382 passwords, 1 sec "{MyVeryLongGoodPassword}.2" - 2836413 pass., 1 min 5) You know, that the password consists of an intelligent word, inside which on any position figure is inserted. The description: $p = [$1] # define insert set ## {$w} 6) Attack on syllables. Create the dictionary of allowable syllables of your language, and then it is possible to touch all intelligent-sounding word as follows: $u # all one-syllable word $u$u # two-syllables $u$u$u #etc. $u$u$u$u ... 7) To parrallel the work on 2 computers, set to them the following descriptions: "[abcdefghijklm] $a * " - first "[nopqrstuvwxyz] $a * " - second. Similarly act for n of computers. 5. Originating problems (FAQ). 1. Message " No matching passwords " is printed. The following reasons and ways of their elimination are possible(probable): 1) In the password non-standard symbols are used. Include all possible symbols to $o charset. 2) In case in archive there are enough files, it can occur from(because of) imperfection of an automatic mode. Start the program YAAC c by an option -v and analyse the target information. It(she) consists for each file in archive of his(its) name, after which there are four numbers and then set of allowable first two symbols of the password, processing suitable the ambassador of this file. Therefore, if the information looks like as: FILE1.EXT 1881 940 2050 1504 po = 422 pp = 421 pr = 427 ps = 426 pt = 425 pu = 424 pv = 431 pw = 430 px = 429 py = 428 pz = 435 FILE2.EXT 959 479 1045 764 FILE3.EXT 1317 658 1435 1052 That, how it is visible, on a file FILE2.EXT the set of the first two symbols has become empty and this file IS NECESSARY FOR REMOVING from archive. Can similarly be, that stabilized set of the first two symbols suddenly sharply decreases, such file too is better for removing. If it will not help, remove from archive all large files. If and it will not help, remove from archive the whole first half. 3) Refuse automatic mode of operations. 2. How to interrupt and to continue the brute-force searching? The program can be painlessly interrupted after a conclusion of the message " Testing XX-chars passwords... " and continued with the help of an option -lXX (here both XX are equal). 3. The program counts 10-th day, but nothing was found. Alas! There is no help here. Either the password is too long, or it is incorrectly described. Additional information on the password is necessary. See 5.1. 4. I've tested your program. It's one big bug! It couldn't find such passwords as "aaa2". RTFM. Standard password.def file does brute-force searching using only lowercase latin letters. Just change password definition to "s(1) s(2) [$a $1] *" and everything will be ok. 5. I had password "abc", and the program does not find it. If the password consists less, than from four characters, it can be produced as "double-length" password. It is not an error, it's small defect only. 5a. I had password "A$rrr", and the program does not find it, although first three characters are printed correctly. Try -n option. Without it the program truncates first three characters set to the recommended set and '$' symbol may be not included in it. 6. I have one file in plain text. It can help? Yes. Use the SOLVEPWD.COM program. 6. Outputs and perspectives. 1) Probably, nevertheless it is possible to write more - less áñÑ¬óáΓ ìπε the function defining Block ratio and by that to refuse from inconvenient unautomatic mode of operations. 2) Is similar, that is possible to expand used algorithm so, that the exhaustive search will be conducted only up to 7-9 character passwords, and then it will be possible to touch only passwords, which beginning from 7-9 characters satisfies to some criterion. It will allow to increase effective length «ΓúáñδóáÑ¼«ú« of the password till 13-15 of characters. 3) Very easily it is possible to open the password, if in archive there are files with single ¬«¼»αÑßß¿Ñ⌐ (-m0). In version ARJ 2.55 encoding archives on âÄæÆπ (option -hg) has appeared. If this encoding and ever will be supported by the given program, the speed it will fall on 1-2 order. Wishing to me to help and to become the co-authors can communicate with me. The knowledge of the programming language distinct from BASIC, and source codes UNARJ 2.41 is necessary. 7. Concerning library PCL. The author distributes the library PCL as FREEWARE files .LIB (under Borland, Watcom C) or .a (under DJGPP) with the requirement of the certitude of reference of it in your programs. Receipt of the sources is a separate subject. 8. How to contact to the author. Only by e-mail. e-mail: psw@ssl.stu.neva.ru FIDO: 2:5030/145.17 WWW; http://www.ssl.stu.neva.ru/psw/ THE NEW VERSIONS of the PROGRAM ARE ONLY ON the FOLLOWING WWW-address. I AM NOT ENGAGED in THEIR DISTRIBUTION In ANY SORT! http://www.ssl.stu.neva.ru/psw/crack.html Though, as I already have told, any claims to be accepted will not be, I shall be grateful to the instruction(indication) on obvious errors, such as: - The program hangs up at exhaustive search (that she(it) nothing outputs thus on the screen, is not tag of hangup); - The program does not find such password in such archive, though the set of characters of exhaustive search is given correctly and first three characters are output correctly: - The program incorrectly finds third character of the password; - The program does not find the password at the described above circuit(scheme) of operation in a unautomatic mode. As I shall be glad to any constructive sentences on π½πτΦÑ ì¿ε of operation of the program. I shall not refuse still, if someone, whom this program has rescued life to, as gratitude wants to transfer(translate) this file on good English. The discussion of algorithm of the program and source codes is possible only at your interest in development of this program. Do not ask, that I have made service such as continuation of exhaustive search from the current password either imaging of the current password or interruption at any moment on Ctrl-Break! 9. Special thanks. Anatoly Skoblov for the program BRKARJ, serving by a push to a writing of this program; Mikael Malakhov for the program ARJ_PSW, the initial texts of which were used; Vyacheslav Semyonov for it the invaluable help on improvement heuristics, All by rest, who helped, advised and tested YAAC. Good luck! Pavel Semjanov, St.-Petersburg.