1 /*
2 * rar2john utility for RAR 3.x files, written in 2011 by Dhiru Kholia for GSoC.
3 * rar2john processes input RAR files into a format suitable for use with JtR.
4 *
5 * This software is Copyright (c) 2011, Dhiru Kholia <dhiru.kholia at gmail.com>
6 * and (c) 2012, magnum and (c) 2014, JimF
7 * and it is hereby released to the general public under the following terms:
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted.
10 *
11 * Huge thanks to Marc Bevand <m.bevand (at) gmail.com> for releasing unrarhp
12 * (http://www.zorinaq.com/unrarhp/) and documenting the RAR encryption scheme.
13 * This patch is made possible by unrarhp's documentation.
14 *
15 * Usage:
16 *
17 * 1. Run rar2john on rar file(s) as "rar2john [rar files]".
18 * Output is written to standard output.
19 * 2. Run JtR on the output generated by rar2john as "john [output file]".
20 *
21 * Output Line Format:
22 *
23 * For type = 0 for files encrypted with "rar -hp ..." option
24 * archive_name:$RAR3$*type*hex(salt)*hex(partial-file-contents):type::::archive_name
25 *
26 * For type = 1 for files encrypted with "rar -p ..." option
27 * archive_name:$RAR3$*type*hex(salt)*hex(crc)*PACK_SIZE*UNP_SIZE*0*archive_name*offset-for-ciphertext*method:type::file_name
28 *
29 * or
30 *
31 * archive_name:$RAR3$*type*hex(salt)*hex(crc)*PACK_SIZE*UNP_SIZE*1*hex(full encrypted file)*method:type::file_name
32 *
33 * TODO:
34 * Possibly support some file magics (see zip2john)
35 *
36 * FIXED:
37 * Archive starting with a directory is currently not read (skip it)
38 * Archive starting with a plaintext file is currently not read (skip it)
39 * Pick smallest possible file in case of -p mode, just like pkzip do
40 * If any of the files is uncompressed, this is preferred even if larger
41 * Add METHOD to output
42 *
43 */
44
45 #include <stdint.h>
46 #include <stdio.h>
47 #include <stdlib.h>
48 #if !AC_BUILT || HAVE_LIMITS_H
49 #include <limits.h>
50 #endif
51 #include <errno.h>
52 #include <string.h>
53 #if (!AC_BUILT || HAVE_UNISTD_H) && !_MSC_VER
54 #include <unistd.h>
55 #endif
56
57 #include "jumbo.h"
58 #include "common.h"
59 #include "arch.h"
60 #include "params.h"
61 #include "crc32.h"
62 #include "unicode.h"
63 #include "base64_convert.h"
64 #include "sha2.h"
65 #include "rar2john.h"
66 #ifdef _MSC_VER
67 #include "missing_getopt.h"
68 #endif
69
70 #define CHUNK_SIZE 4096
71
72 /* Max file (path) name length, in characters */
73 #define PATH_BUF_SIZE 256
74
75 static int verbose;
76 static char *self_name;
77
hexdump(const void * msg,void * x,unsigned int size)78 static void hexdump(const void *msg, void *x, unsigned int size)
79 {
80 unsigned int i;
81
82 printf("%s : ", (char *)msg);
83 for (i=0;i<size;i++)
84 {
85 printf("%.2x", ((unsigned char*)x)[i]);
86 if ( (i%4)==3 )
87 printf(" ");
88 }
89 printf("\n");
90 }
91
92 static int process_file5(const char *archive_name);
93
check_fread(const size_t buf_size,const size_t size,const size_t nmemb)94 static int check_fread(const size_t buf_size, const size_t size,
95 const size_t nmemb)
96 {
97 if (buf_size < size * nmemb) {
98 fprintf(stderr, "Error: check_fread(buf_size="Zu", size="Zu", nmemb="Zu
99 ") failed, buf_size is smaller than size * nmemb.\n",
100 buf_size, size, nmemb);
101 return 0;
102 }
103 return 1;
104 }
105
106 /* Derived from unrar's encname.cpp */
DecodeFileName(unsigned char * Name,unsigned char * EncName,size_t EncSize,UTF16 * NameW,size_t MaxDecSize)107 static void DecodeFileName(unsigned char *Name, unsigned char *EncName,
108 size_t EncSize, UTF16 *NameW, size_t MaxDecSize)
109 {
110 unsigned char Flags = 0;
111 unsigned int FlagBits = 0;
112 size_t EncPos = 0, DecPos = 0;
113 unsigned char HighByte = EncName[EncPos++];
114
115 MaxDecSize /= sizeof(UTF16);
116
117 while (EncPos < EncSize - 1 && DecPos < MaxDecSize - 1)
118 {
119 if (FlagBits == 0)
120 {
121 Flags = EncName[EncPos++];
122 FlagBits = 8;
123 }
124 switch(Flags >> 6)
125 {
126 case 0:
127 #if ARCH_LITTLE_ENDIAN
128 NameW[DecPos++] = EncName[EncPos++];
129 #else
130 NameW[DecPos++] = EncName[EncPos++] << 8;
131 #endif
132 break;
133 case 1:
134 #if ARCH_LITTLE_ENDIAN
135 NameW[DecPos++] = EncName[EncPos++] + (HighByte << 8);
136 #else
137 NameW[DecPos++] = (EncName[EncPos++] << 8) + HighByte;
138 #endif
139 break;
140 case 2:
141 #if ARCH_LITTLE_ENDIAN
142 NameW[DecPos++] = EncName[EncPos] +
143 (EncName[EncPos+1]<<8);
144 #else
145 NameW[DecPos++] = (EncName[EncPos] << 8) +
146 EncName[EncPos+1];
147 #endif
148 EncPos+=2;
149 break;
150 case 3:
151 {
152 int Length = EncName[EncPos++];
153 if (Length & 0x80)
154 {
155 unsigned char Correction = EncName[EncPos++];
156 for (Length = (Length & 0x7f) + 2;
157 Length>0 && DecPos < MaxDecSize;
158 Length--, DecPos++)
159 #if ARCH_LITTLE_ENDIAN
160 NameW[DecPos] = ((Name[DecPos] +
161 Correction) & 0xff) + (HighByte << 8);
162 #else
163 NameW[DecPos] = (((Name[DecPos] +
164 Correction) & 0xff) << 8) + HighByte;
165 #endif
166 }
167 else
168 for (Length += 2;
169 Length>0 && DecPos < MaxDecSize;
170 Length--,DecPos++)
171 #if ARCH_LITTLE_ENDIAN
172 NameW[DecPos] = Name[DecPos];
173 #else
174 NameW[DecPos] = Name[DecPos] << 8;
175 #endif
176 }
177 break;
178 }
179 Flags <<= 2;
180 FlagBits -= 2;
181 }
182 NameW[DecPos < MaxDecSize ? DecPos : MaxDecSize - 1] = 0;
183 }
184
process_file(const char * archive_name)185 static void process_file(const char *archive_name)
186 {
187 FILE *fp;
188 unsigned char marker_block[7];
189 unsigned char archive_hdr_block[13];
190 unsigned char file_hdr_block[40];
191 int i, count, type;
192 struct {
193 size_t pack;
194 size_t unp;
195 uint8_t method;
196 } bestsize = { SIZE_MAX, SIZE_MAX };
197 char *base_aname;
198 unsigned char buf[CHUNK_SIZE];
199 uint16_t archive_hdr_head_flags, file_hdr_head_flags, head_size;
200 unsigned char *pos;
201 int diff;
202 int found = 0;
203 char path[PATH_BUFFER_SIZE];
204 char *gecos, *best = NULL;
205 size_t best_len = 0;
206 int gecos_len = 0;
207
208 gecos = mem_calloc(1, LINE_BUFFER_SIZE);
209
210 strnzcpy(path, archive_name, sizeof(path));
211 base_aname = basename(path);
212 errno = 0;
213
214 if (!(fp = fopen(archive_name, "rb"))) {
215 fprintf(stderr, "! %s: %s\n", archive_name, strerror(errno));
216 goto err;
217 }
218 /* marker block */
219 memset(marker_block, 0, 7);
220 if (fread(marker_block, 7, 1, fp) != 1) {
221 fprintf(stderr, "%s: Error: read failed: %s.\n",
222 archive_name, strerror(errno));
223 goto err;
224 }
225
226 if (memcmp(marker_block, "\x52\x61\x72\x21\x1a\x07\x00", 7)) {
227 /* handle SFX archives */
228 if (memcmp(marker_block, "MZ", 2) == 0) {
229 /* jump to "Rar!" signature */
230 while (!feof(fp)) {
231 count = fread(buf, 1, CHUNK_SIZE, fp);
232 if ((pos =
233 memmem(buf, count, "\x52\x61\x72\x21\x1a\x07\x00",7))) {
234 diff = count - (pos - buf);
235 jtr_fseek64(fp, - diff, SEEK_CUR);
236 jtr_fseek64(fp, 7, SEEK_CUR);
237 found = 1;
238 break;
239 }
240 if (feof(fp)) //We shold examine the EOF before seek back
241 break;
242 jtr_fseek64(fp, -6, SEEK_CUR);
243 }
244 if (!found) {
245 if (process_file5(archive_name))
246 return;
247 fprintf(stderr, "! %s: Not a RAR file\n", archive_name);
248 goto err;
249 }
250 }
251 else {
252 /* try to detect RAR 5 files */
253 fclose(fp);
254 fp = NULL;
255 MEM_FREE(best);
256 MEM_FREE(gecos);
257 if (process_file5(archive_name))
258 return;
259 fprintf(stderr, "! %s: Not a RAR file\n", archive_name);
260 goto err;
261 }
262 }
263
264 /* archive header block */
265 if (fread(archive_hdr_block, 13, 1, fp) != 1) {
266 fprintf(stderr, "%s: Error: read failed: %s.\n",
267 archive_name, strerror(errno));
268 goto err;
269 }
270 if (archive_hdr_block[2] != 0x73) {
271 fprintf(stderr, "%s: Error: archive_hdr_block[2] must be 0x73.\n",
272 archive_name);
273 goto err;
274 }
275
276 /* find encryption mode used (called type in output line format) */
277 archive_hdr_head_flags =
278 archive_hdr_block[4] << 8 | archive_hdr_block[3];
279 if (archive_hdr_head_flags & 0x0080) { /* file header block is encrypted */
280 type = 0; /* RAR file was created using -hp flag */
281 } else
282 type = 1;
283
284 /*
285 * We need to skip ahead, if there is a comment block in the main header.
286 * It causes that header tp be larger that a simple 13 byte block.
287 */
288 head_size = archive_hdr_block[6] << 8 | archive_hdr_block[5];
289 if (head_size > 13)
290 fseek(fp, head_size-13, SEEK_CUR);
291
292 next_file_header:
293 if (verbose)
294 fprintf(stderr, "\n");
295
296 /* file header block */
297 count = fread(file_hdr_block, 32, 1, fp);
298
299 if (feof(fp)) {
300 if (verbose) {
301 fprintf(stderr, "! %s: End of file\n", archive_name);
302 }
303 goto BailOut;
304 }
305
306 if (count != 1) {
307 fprintf(stderr, "%s: Error: read failed: %s.\n",
308 archive_name, strerror(errno));
309 goto err;
310 }
311
312 if (type == 1 && file_hdr_block[2] == 0x7a) {
313 if (verbose) {
314 fprintf(stderr, "! %s: Comment block present?\n", archive_name);
315 }
316 }
317 else if (type == 1 && file_hdr_block[2] != 0x74) {
318 fprintf(stderr, "! %s: Not recognising any more headers.\n",
319 archive_name);
320 goto BailOut;
321 }
322
323 file_hdr_head_flags =
324 file_hdr_block[4] << 8 | file_hdr_block[3];
325
326 /* process -hp mode files
327 use Marc's end-of-archive block decrypt trick */
328 if (type == 0) {
329 unsigned char buf[24];
330
331 if (verbose) {
332 fprintf(stderr, "! -hp mode entry found in %s\n", base_aname);
333 }
334 printf("%s:$RAR3$*%d*", base_aname, type);
335 jtr_fseek64(fp, -24, SEEK_END);
336 if (fread(buf, 24, 1, fp) != 1) {
337 fprintf(stderr, "%s: Error: read failed: %s.\n",
338 archive_name, strerror(errno));
339 goto err;
340 }
341
342 for (i = 0; i < 8; i++) { /* salt */
343 printf("%c%c", itoa16[ARCH_INDEX(buf[i] >> 4)],
344 itoa16[ARCH_INDEX(buf[i] & 0x0f)]);
345 }
346 printf("*");
347 /* encrypted block with known plaintext */
348 for (i = 8; i < 24; i++) {
349 printf("%c%c", itoa16[ARCH_INDEX(buf[i] >> 4)],
350 itoa16[ARCH_INDEX(buf[i] & 0x0f)]);
351 }
352 printf(":%d::::%s\n", type, archive_name);
353 } else {
354 size_t file_hdr_pack_size = 0, file_hdr_unp_size = 0;
355 int ext_time_size;
356 uint8_t method;
357 uint64_t bytes_left;
358 uint16_t file_hdr_head_size, file_name_size;
359 unsigned char file_name[4 * PATH_BUF_SIZE], file_crc[4];
360 unsigned char salt[8] = { 0 };
361 unsigned char rejbuf[32];
362 char *p;
363 unsigned char s;
364
365 if (!(file_hdr_head_flags & 0x8000)) {
366 fprintf(stderr, "File header flag 0x8000 unset, bailing out.\n");
367 goto BailOut;
368 }
369
370 file_hdr_head_size =
371 file_hdr_block[6] << 8 | file_hdr_block[5];
372
373 /*
374 * Low 32 bits. If header_flags & 0x100 set, then there are additional
375 * 32 bits of length data later in the header. FIXME!
376 */
377 file_hdr_pack_size = file_hdr_block[10];
378 file_hdr_pack_size <<= 8; file_hdr_pack_size += file_hdr_block[9];
379 file_hdr_pack_size <<= 8; file_hdr_pack_size += file_hdr_block[8];
380 file_hdr_pack_size <<= 8; file_hdr_pack_size += file_hdr_block[7];
381
382 file_hdr_unp_size = file_hdr_block[14];
383 file_hdr_unp_size <<= 8; file_hdr_unp_size += file_hdr_block[13];
384 file_hdr_unp_size <<= 8; file_hdr_unp_size += file_hdr_block[12];
385 file_hdr_unp_size <<= 8; file_hdr_unp_size += file_hdr_block[11];
386
387 if (verbose) {
388 fprintf(stderr, "! HEAD_SIZE: %d, PACK_SIZE: %"PRIu64
389 ", UNP_SIZE: %"PRIu64"\n",
390 file_hdr_head_size,
391 (uint64_t)file_hdr_pack_size,
392 (uint64_t)file_hdr_unp_size);
393 fprintf(stderr, "! file_hdr_block:\n! ");
394 for (i = 0; i < 32; ++i)
395 fprintf(stderr, " %02x", file_hdr_block[i]);
396 fprintf(stderr, "\n");
397 }
398 /* calculate EXT_TIME size */
399 ext_time_size = file_hdr_head_size - 32;
400
401 if (file_hdr_head_flags & 0x100) {
402 uint64_t ex;
403 if (fread(rejbuf, 4, 1, fp) != 1) {
404 fprintf(stderr, "\n! %s: Error: read failed: %s.\n",
405 archive_name, strerror(errno));
406 goto err;
407 }
408 if (verbose) {
409 fprintf(stderr, "! ");
410 for (i = 0; i < 4; ++i)
411 fprintf(stderr, " %02x", rejbuf[i]);
412 }
413 ex = rejbuf[3];
414 ex <<= 8; ex += rejbuf[2];
415 ex <<= 8; ex += rejbuf[1];
416 ex <<= 8; ex += rejbuf[0];
417 ex <<= 32;
418 file_hdr_pack_size += ex;
419 ext_time_size -= 4;
420
421 if (fread(rejbuf, 4, 1, fp) != 1) {
422 fprintf(stderr, "\n! %s: Error: read failed: %s.\n",
423 archive_name, strerror(errno));
424 goto err;
425 }
426 if (verbose) {
427 for (i = 0; i < 4; ++i)
428 fprintf(stderr, " %02x", rejbuf[i]);
429 fprintf(stderr, " (High Pack/Unp extra header data)\n");
430 }
431 ex = rejbuf[3];
432 ex <<= 8; ex += rejbuf[2];
433 ex <<= 8; ex += rejbuf[1];
434 ex <<= 8; ex += rejbuf[0];
435 ex <<= 32;
436 file_hdr_unp_size += ex;
437 ext_time_size -= 4;
438 if (verbose) {
439 fprintf(stderr, "! HIGH_PACK_SIZE present\n");
440 fprintf(stderr, "! HIGH_UNP_SIZE present\n");
441 if (sizeof(size_t) < 8) {
442 fprintf(stderr, "! %s: Error: File contains 64-bit sizes "
443 "but this build of %s doesn't support it.\n",
444 archive_name, self_name);
445 goto err;
446 }
447 }
448 }
449
450 /* file name processing */
451 file_name_size =
452 file_hdr_block[27] << 8 | file_hdr_block[26];
453 if (verbose) {
454 fprintf(stderr, "! file name size: %d bytes\n", file_name_size);
455 }
456 memset(file_name, 0, sizeof(file_name));
457
458 if (!check_fread(sizeof(file_name), file_name_size, 1))
459 goto err;
460 if (fread(file_name, file_name_size, 1, fp) != 1) {
461 fprintf(stderr, "! %s: Error: read failed: %s.\n",
462 archive_name, strerror(errno));
463 goto err;
464 }
465
466 file_name[sizeof(file_name) - 1] = 0;
467 ext_time_size -= file_name_size;
468
469 /* If this flag is set, file_name contains some weird
470 wide char encoding that need to be decoded to UTF16
471 and then to UTF-8 (we don't support codepages here) */
472 if (file_hdr_head_flags & 0x200) {
473 UTF16 FileNameW[PATH_BUF_SIZE];
474 int Length = strlen((char*)file_name);
475
476 if (verbose) {
477 hexdump("! Encoded filenames", file_name, file_name_size);
478 }
479 DecodeFileName(file_name, file_name + Length + 1,
480 sizeof(file_name) - Length - 1,
481 FileNameW, sizeof(FileNameW));
482
483 if (*FileNameW) {
484 if (verbose) {
485 hexdump("! UTF16 filename", FileNameW,
486 strlen16(FileNameW) << 1);
487 fprintf(stderr, "OEM name: %s\n", file_name);
488 }
489 utf16_to_utf8_r(file_name, PATH_BUF_SIZE, FileNameW);
490 fprintf(stderr, "! Unicode: %s\n", file_name);
491 } else
492 fprintf(stderr, "! UTF8 name: %s\n", file_name);
493 }
494 else
495 fprintf(stderr, "! file name: %s\n", file_name);
496
497 /* We duplicate file names to the GECOS field, for single mode */
498 if (gecos_len + strlen((char*)file_name) < LINE_BUFFER_SIZE)
499 gecos_len += snprintf(&gecos[gecos_len], LINE_BUFFER_SIZE - gecos_len - 1, "%s ", (char*)file_name);
500
501 /* salt processing */
502 if (file_hdr_head_flags & 0x400) {
503 ext_time_size -= 8;
504 if (fread(salt, 8, 1, fp) != 1) {
505 fprintf(stderr, "! %s: Error: read failed: %s.\n",
506 archive_name, strerror(errno));
507 goto err;
508 }
509
510 }
511
512 /* EXT_TIME processing */
513 if (file_hdr_head_flags & 0x1000) {
514 if (verbose) {
515 fprintf(stderr, "! EXT_TIME present with size %d\n",
516 ext_time_size);
517 }
518
519 if (!check_fread(sizeof(rejbuf), ext_time_size, 1))
520 goto err;
521
522 if (fread(rejbuf, ext_time_size, 1, fp) != 1) {
523 fprintf(stderr, "! %s: Error: read failed: %s.\n",
524 archive_name, strerror(errno));
525 goto err;
526 }
527 }
528
529 /* Skip solid files (first file is never solid)
530 * We could probably add support for this
531 */
532 if (file_hdr_head_flags & 0x10) {
533 fprintf(stderr, "! Solid, can't handle (currently)\n");
534 jtr_fseek64(fp, file_hdr_pack_size, SEEK_CUR);
535 goto next_file_header;
536 }
537
538 if ((file_hdr_head_flags & 0xe0)>>5 == 7) {
539 if (verbose) {
540 fprintf(stderr, "! Is a directory, skipping\n");
541 }
542 jtr_fseek64(fp, file_hdr_pack_size, SEEK_CUR);
543 goto next_file_header;
544 }
545 else if (verbose) {
546 fprintf(stderr, "! Dictionary size: %u KB\n", 64<<((file_hdr_head_flags & 0xe0)>>5));
547 }
548
549 /* Check if encryption is being used */
550 if (!(file_hdr_head_flags & 0x04)) {
551 fprintf(stderr, "! not encrypted, skipping\n");
552 jtr_fseek64(fp, file_hdr_pack_size, SEEK_CUR);
553 goto next_file_header;
554 }
555
556 method = file_hdr_block[25];
557
558 /*
559 * Prefer shortest pack size, but given two files with single-block
560 * pack size, prefer unpack size >= 8. This gives us better immunity
561 * against false positives.
562 */
563 if (bestsize.pack < SIZE_MAX &&
564 (((bestsize.pack < file_hdr_pack_size &&
565 bestsize.unp >= (bestsize.method > 0x30 ? 4 : 1)) ||
566 (bestsize.unp > file_hdr_unp_size &&
567 file_hdr_unp_size < (method > 0x30 ? 4 : 1))) ||
568 (bestsize.pack == file_hdr_pack_size &&
569 ((bestsize.unp > file_hdr_unp_size && file_hdr_unp_size < 8) ||
570 (bestsize.unp <= file_hdr_unp_size && bestsize.unp >= 8))))) {
571 if (verbose)
572 fprintf(stderr,
573 "! We got a better candidate already, skipping\n");
574 jtr_fseek64(fp, file_hdr_pack_size, SEEK_CUR);
575 goto next_file_header;
576 }
577
578 if (verbose)
579 fprintf(stderr, "! This is best candidate so far\n");
580 bestsize.pack = file_hdr_pack_size;
581 bestsize.unp = file_hdr_unp_size;
582 bestsize.method = method;
583
584 MEM_FREE(best);
585 best = mem_calloc(1, 2 * LINE_BUFFER_SIZE + 2 * file_hdr_pack_size);
586
587 /* process encrypted data of size "file_hdr_pack_size" */
588 best_len = sprintf(best, "%s:$RAR3$*%d*", base_aname, type);
589 for (i = 0; i < 8; i++) { /* encode salt */
590 best_len += sprintf(&best[best_len], "%c%c", itoa16[ARCH_INDEX(salt[i] >> 4)], itoa16[ARCH_INDEX(salt[i] & 0x0f)]);
591 }
592 if (verbose) {
593 fprintf(stderr, "! salt: '%s'\n", best);
594 }
595 best_len += sprintf(&best[best_len], "*");
596 memcpy(file_crc, file_hdr_block + 16, 4);
597 for (i = 0; i < 4; i++) { /* encode file_crc */
598 best_len += sprintf(&best[best_len], "%c%c", itoa16[ARCH_INDEX(file_crc[i] >> 4)], itoa16[ARCH_INDEX(file_crc[i] & 0x0f)]);
599 }
600 if (verbose) {
601 /* Minimal version needed to unpack this file */
602 fprintf(stderr, "! UNP_VER is %0.1f\n", (float)file_hdr_block[24] / 10.);
603 }
604 /*
605 * 0x30 - storing
606 * 0x31 - fastest compression
607 * 0x32 - fast compression
608 * 0x33 - normal compression (default)
609 * 0x34 - good compression
610 * 0x35 - best compression
611 *
612 * m3b means 0x33 and a dictionary size of 128KB (a == 64KB .. g == 4096KB)
613 */
614 if (verbose) {
615 fprintf(stderr, "! METHOD is m%x%c\n", method - 0x30, 'a'+((file_hdr_head_flags&0xe0)>>5));
616 //fprintf(stderr, "! file_hdr_flags is 0x%04x\n", file_hdr_head_flags);
617 }
618
619 best_len += sprintf(&best[best_len], "*%"PRIu64"*%"PRIu64"*",
620 (uint64_t)file_hdr_pack_size,
621 (uint64_t)file_hdr_unp_size);
622
623 /* We always store it inline */
624
625 best_len += sprintf(&best[best_len], "1*");
626 p = &best[best_len];
627 bytes_left = file_hdr_pack_size;
628 for (i = 0; i < file_hdr_pack_size; i++) {
629 unsigned char bytes[64*1024];
630 unsigned x, to_read = 64*1024;
631 if (bytes_left < 64*1024)
632 to_read = bytes_left;
633 bytes_left -= to_read;
634 if (fread(bytes, 1, to_read, fp) != to_read)
635 fprintf(stderr, "! Error while reading archive: %s\n", strerror(errno));
636 for (x = 0; x < to_read; ++x) {
637 s = bytes[x];
638 *p++ = itoa16[s >> 4];
639 *p++ = itoa16[s & 0xf];
640 }
641 }
642 best_len += file_hdr_pack_size;
643 best_len += sprintf(p, "*%02x:%d::", method, type);
644
645 /* Keep looking for better candidates */
646 goto next_file_header;
647
648 BailOut:
649 if (best && *best) {
650 if (verbose) {
651 fprintf(stderr, "! Found a valid -p mode candidate in %s\n", base_aname);
652 }
653 if (bestsize.unp < (bestsize.method > 0x30 ? 5 : 1))
654 fprintf(stderr, "! WARNING best candidate found is too small, you may see false positives.\n");
655 strncat(best, gecos, LINE_BUFFER_SIZE - best_len - 1);
656 puts(best);
657 } else
658 fprintf(stderr, "! Did not find a valid encrypted candidate in %s\n", base_aname);
659 }
660
661 err:
662 if (fp)
663 fclose(fp);
664 MEM_FREE(best);
665 MEM_FREE(gecos);
666 }
667
668
669 /**************************************************************************
670 * Here are the functions and tools for RAR5
671 *************************************************************************/
672
673 // global variables
674 static int Encrypted = 0;
675 static unsigned char PswCheck[SIZE_PSWCHECK];
676 static unsigned rar5_interations=0, UsePswCheck=0;
677 static unsigned char rar5_salt[SIZE_SALT50];
678
679 /**************************************************************************
680 * These 4 functions do much of the reading for rar5 files. There is a
681 * function to read a 4 byte int (in LE format), one to read a single
682 * byte, one to to read a buffer, and one that reads the variable sized
683 * numbers used in rar5 (LE format, 7 bits used per byte with high bit
684 * used to signify if there are more bytes of data or not)
685 *************************************************************************/
read_uint32(FILE * fp,uint32_t * n,uint32_t * bytes_read)686 int read_uint32 (FILE *fp, uint32_t *n, uint32_t *bytes_read) {
687 unsigned char Buf[4];
688 int i, shift=0;
689 *n = 0;
690 if (fread(Buf, 1, 4, fp) < 4)
691 return 0;
692 for (i = 0; i < 4; ++i) {
693 *n = *n + (Buf[i] << shift);
694 shift += 8;
695 }
696 *bytes_read += 4;
697 return 4;
698 }
read_uint8(FILE * fp,uint8_t * n,uint32_t * bytes_read)699 int read_uint8 (FILE *fp, uint8_t *n, uint32_t *bytes_read) {
700 unsigned char Buf[1];
701 if (fread(Buf, 1, 1, fp) < 1)
702 return 0;
703 *n = Buf[0];
704 *bytes_read += 1;
705 return 1;
706 }
read_buf(FILE * fp,unsigned char * cp,int len,uint32_t * bytes_read)707 int read_buf (FILE *fp, unsigned char *cp, int len, uint32_t *bytes_read) {
708 if (fread(cp, 1, len, fp) < 1)
709 return 0;
710 *bytes_read += len;
711 return len;
712 }
read_vuint(FILE * fp,uint64_t * n,uint32_t * bytes_read)713 int read_vuint (FILE *fp, uint64_t *n, uint32_t *bytes_read) {
714 unsigned char c;
715 int i, shift=0;
716 uint64_t accum;
717 *n = 0;
718 for (i = 0; i < 10; ++i) {
719 if (fread(&c, 1, 1, fp) != 1)
720 return 0;
721 accum = (c&0x7f);
722 *n = *n + (accum << shift);
723 shift += 7;
724 if ((c & 0x80) == 0) {
725 *bytes_read += i+1;
726 return i+1;
727 }
728 }
729 return 0;
730 }
731
732 /**************************************************************************
733 * Process an 'extra' block of data. This is where rar5 stores the
734 * encryption block.
735 *************************************************************************/
ProcessExtra50(FILE * fp,uint64_t extra_size,uint64_t HeadSize,uint32_t HeaderType,uint32_t CurBlockPos,const char * archive_name)736 static int ProcessExtra50(FILE *fp, uint64_t extra_size, uint64_t HeadSize, uint32_t HeaderType, uint32_t CurBlockPos, const char *archive_name) {
737 uint64_t FieldSize, FieldType, EncVersion, Flags;
738 uint32_t bytes_read=0;
739 int bytes_left=(int)extra_size;
740 unsigned char Lg2Count;
741
742 // fprintf(stderr, "in extra50 extrasize=%d\n", extra_size);
743 while (1) {
744 int len = read_vuint(fp, &FieldSize, &bytes_read);
745 if (!len || len > 3) return 0; // rar5 technote (http://www.rarlab.com/technote.htm#arcblocks) lists max size of header len is 3 byte vint.
746 bytes_left -= len;
747 bytes_left -= (uint32_t)FieldSize;
748 if (bytes_left < 0) return 0;
749 if (!read_vuint(fp, &FieldType, &bytes_read)) return 0;
750 // fprintf(stderr, "in Extra50. FieldSize=%d FieldType=%d\n", FieldSize, FieldType);
751 if (HeaderType == HEAD_FILE || HeaderType == HEAD_SERVICE) {
752 if (FieldType == FHEXTRA_CRYPT) {
753 unsigned char InitV[SIZE_INITV];
754 unsigned char Hex1[128], Hex2[128], Hex3[128];
755 if (!read_vuint(fp, &EncVersion, &bytes_read)) return 0;
756 if (!read_vuint(fp, &Flags, &bytes_read)) return 0;
757 if ( (Flags & FHEXTRA_CRYPT_PSWCHECK) == 0) {
758 fprintf(stderr, "UsePswCheck is OFF. We currently don't support such files!\n");
759 return 0;
760 }
761 if (!read_uint8(fp, &Lg2Count, &bytes_read)) return 0;
762 if (Lg2Count >= CRYPT5_KDF_LG2_COUNT_MAX) {
763 fprintf(stderr, "Lg2Count >= CRYPT5_KDF_LG2_COUNT_MAX (problem with file?)");
764 return 0;
765 }
766 if (!read_buf(fp, rar5_salt, SIZE_SALT50, &bytes_read)) return 0;
767 if (!read_buf(fp, InitV, SIZE_INITV, &bytes_read)) return 0;
768 if (!read_buf(fp, PswCheck, SIZE_PSWCHECK, &bytes_read)) return 0;
769 printf("%s:$rar5$%d$%s$%d$%s$%d$%s\n",
770 archive_name,
771 SIZE_SALT50, base64_convert_cp(rar5_salt,e_b64_raw,SIZE_SALT50,Hex1,e_b64_hex,sizeof(Hex1),0, 0),
772 Lg2Count, base64_convert_cp(InitV,e_b64_raw,SIZE_INITV,Hex2,e_b64_hex,sizeof(Hex2),0, 0),
773 SIZE_PSWCHECK, base64_convert_cp(PswCheck,e_b64_raw,SIZE_PSWCHECK,Hex3,e_b64_hex,sizeof(Hex3),0, 0));
774 return 0;
775 }
776 }
777 }
778 return 1;
779 }
780
781 /**************************************************************************
782 * Common file header processing for rar5
783 *************************************************************************/
784
read_rar5_header(FILE * fp,size_t CurBlockPos,uint8_t * HeaderType,const char * archive_name)785 static size_t read_rar5_header(FILE *fp, size_t CurBlockPos, uint8_t *HeaderType, const char *archive_name) {
786 uint64_t block_size, flags, extra_size=0, data_size=0;
787 uint64_t crypt_version, enc_flags, HeadSize;
788 uint32_t head_crc, header_bytes_read = 0, sizeof_vint;
789 uint8_t header_type, lg_2count;
790
791 if (Encrypted) {
792 // The header is encrypted, so we simply find the IV from this block.
793 unsigned char HeadersInitV[SIZE_INITV];
794 unsigned char Hex1[128], Hex2[128], Hex3[128];
795 sizeof_vint = read_buf(fp, HeadersInitV, SIZE_INITV, &header_bytes_read);
796 if (sizeof_vint != SIZE_INITV) {
797 fprintf(stderr, "Error, rar file %s too short, could not read IV from header\n", archive_name);
798 return 0;
799 }
800 printf("%s:$rar5$%d$%s$%d$%s$%d$%s\n",
801 archive_name,
802 SIZE_SALT50, base64_convert_cp(rar5_salt,e_b64_raw,SIZE_SALT50,Hex1,e_b64_hex,sizeof(Hex1),0, 0),
803 rar5_interations, base64_convert_cp(HeadersInitV,e_b64_raw,SIZE_INITV,Hex2,e_b64_hex,sizeof(Hex2),0, 0),
804 SIZE_PSWCHECK, base64_convert_cp(PswCheck,e_b64_raw,SIZE_PSWCHECK,Hex3,e_b64_hex,sizeof(Hex3),0, 0));
805 return 0;
806 }
807 if (!read_uint32(fp, &head_crc, &header_bytes_read)) return 0;
808
809 sizeof_vint = read_vuint(fp, &block_size, &header_bytes_read);
810 if (!sizeof_vint) return 0;
811 // The HeadSize is full size of this header from the start of the HeaderCRC, to the end of any 'extra-data' section.
812 HeadSize = block_size + 4 + sizeof_vint;
813
814 //if (!read_vuint(fp, &header_type, &header_bytes_read)) return 0;
815 if (!read_uint8(fp, &header_type, &header_bytes_read)) return 0;
816 if (!read_vuint(fp, &flags, &header_bytes_read)) return 0;
817 *HeaderType = header_type;
818 if ((flags & HFL_EXTRA) != 0) { if (!read_vuint(fp, &extra_size, &header_bytes_read)) return 0; }
819 if ((flags & HFL_DATA) != 0) { if (!read_vuint(fp, &data_size, &header_bytes_read)) return 0; }
820
821 // fprintf(stderr, "curpos=%d bs=%d firstreadsize=%d, sizeBytes=%d headtye=%d flags=%d \n", NowCurPos, block_size, 7, SizeBytes, header_type, flags);
822
823 if (header_type == HEAD_CRYPT) {
824 unsigned char chksum[SIZE_PSWCHECK_CSUM];
825 if (!read_vuint(fp, &crypt_version, &header_bytes_read)) return 0;
826 if (crypt_version > CRYPT_VERSION) { printf("bad rar crypt version byte\n"); return 0; }
827 if (!read_vuint(fp, &enc_flags, &header_bytes_read)) return 0;
828 UsePswCheck = (enc_flags & CHFL_CRYPT_PSWCHECK) != 0; // set global
829 if (!read_uint8(fp, &lg_2count, &header_bytes_read)) return 0;
830 if (lg_2count > CRYPT5_KDF_LG2_COUNT_MAX) { printf("rar PBKDF2 iteration count too large\n"); return 0; }
831 rar5_interations = lg_2count; // set global
832 // get salt
833 if (!read_buf(fp, rar5_salt, SIZE_SALT50, &header_bytes_read)) return 0;
834 if (UsePswCheck) {
835 unsigned char sha256ch[32];
836 SHA256_CTX ctx;
837 if (!read_buf(fp, PswCheck, SIZE_PSWCHECK, &header_bytes_read)) return 0;
838 if (!read_buf(fp, chksum, SIZE_PSWCHECK_CSUM, &header_bytes_read)) return 0;
839 SHA256_Init(&ctx);
840 SHA256_Update(&ctx, PswCheck, SIZE_PSWCHECK);
841 SHA256_Final(sha256ch, &ctx);
842 UsePswCheck = !memcmp(sha256ch, chksum, sizeof(chksum));
843 }
844 Encrypted = 1;
845 } else if (header_type == HEAD_MAIN) {
846 uint64_t ArcFlags, VolNumber=0;
847 if (!read_vuint(fp, &ArcFlags, &header_bytes_read)) return 0;
848 if ((ArcFlags & MHFL_VOLNUMBER) != 0)
849 if (!read_vuint(fp, &VolNumber, &header_bytes_read)) return 0;
850 } else if (header_type == HEAD_FILE || header_type == HEAD_SERVICE) {
851 uint64_t FileFlags, UnpSize, FileAttr;
852 uint64_t CompInfo, HostOS, NameSize;
853 uint32_t FileHashCRC32, tmp;
854
855 if (!read_vuint(fp, &FileFlags, &header_bytes_read)) return 0;
856 if (!read_vuint(fp, &UnpSize, &header_bytes_read)) return 0;
857 if (!read_vuint(fp, &FileAttr, &header_bytes_read)) return 0;
858
859 if ((FileFlags & FHFL_UTIME) != 0) {
860 if (!read_uint32(fp, &tmp, &header_bytes_read)) return 0;
861 //mtime = tmp;
862 }
863
864 if ((FileFlags & FHFL_CRC32) != 0) {
865 if (!read_uint32(fp, &FileHashCRC32, &header_bytes_read)) return 0;
866 }
867
868 if (!read_vuint(fp, &CompInfo, &header_bytes_read)) return 0;
869 if (!read_vuint(fp, &HostOS, &header_bytes_read)) return 0;
870 if (!read_vuint(fp, &NameSize, &header_bytes_read)) return 0;
871 // skip the field name.
872 jtr_fseek64(fp, NameSize, SEEK_CUR);
873 if (extra_size != 0)
874 ProcessExtra50(fp, extra_size, HeadSize, *HeaderType, CurBlockPos, archive_name);
875
876 } else if (header_type == HEAD_ENDARC) {
877 return 0;
878 }
879 return CurBlockPos+HeadSize+data_size;
880 }
881
882 /* handle rar5 files */
process_file5(const char * archive_name)883 static int process_file5(const char *archive_name) {
884 //fprintf(stderr, "! %s: Not a RAR 3.x file, try running rar5tojohn.py on me!\n", archive_name);
885 char Magic[8], buf[CHUNK_SIZE], *pos;
886 size_t count, NextBlockPos, CurBlockPos;
887 int diff, found = 0;
888 FILE *fp;
889
890 fp = fopen(archive_name, "rb");
891 if (!fp) { fprintf(stderr, "error opening file %s\n", archive_name); return 0; }
892 if (fread(Magic, 1, 8, fp) != 8) {
893 fclose(fp);
894 fprintf(stderr, "Error reading rar signature from file %s\n", archive_name);
895 return 0;
896 }
897 if (memcmp(Magic, "\x52\x61\x72\x21\x1a\x07\x01\x00", 8)) { /* handle SFX archives */
898 if (memcmp(Magic, "MZ", 2) == 0) {
899 /* jump to "Rar!" signature */
900 while (!feof(fp)) {
901 count = fread(buf, 1, CHUNK_SIZE, fp);
902 if ( (pos = (char*)memmem(buf, count, "\x52\x61\x72\x21\x1a\x07\x01\x00", 8))) {
903 diff = count - (pos - buf);
904 jtr_fseek64(fp, - diff, SEEK_CUR);
905 jtr_fseek64(fp, 8, SEEK_CUR);
906 found = 1;
907 break;
908 }
909 if (feof(fp)) //We shold examine the EOF before seek back
910 break;
911 jtr_fseek64(fp, -7, SEEK_CUR);
912 }
913 if (!found)
914 goto err;
915 }
916 }
917 while (1) {
918 uint8_t HeaderType;
919 CurBlockPos = (size_t)jtr_ftell64(fp);
920 NextBlockPos = read_rar5_header(fp, CurBlockPos, &HeaderType, archive_name);
921 if (!NextBlockPos)
922 break;
923 // fprintf(stderr, "NextBlockPos is %d Headertype=%d curblockpos=%d\n", NextBlockPos, HeaderType, CurBlockPos);
924 jtr_fseek64(fp, NextBlockPos, SEEK_SET);
925 }
926 if (fp) fclose(fp);
927 return 1;
928 err:;
929 if (fp) fclose(fp);
930 return 0;
931 }
932
933
usage(char * name)934 static int usage(char *name)
935 {
936 fprintf(stderr,"Usage: %s <rar file(s)>\n", name);
937 return EXIT_FAILURE;
938 }
939
rar2john(int argc,char ** argv)940 int rar2john(int argc, char **argv)
941 {
942 int c;
943
944 self_name = argv[0];
945
946 /* Parse command line */
947 while ((c = getopt(argc, argv, "v")) != -1) {
948 switch (c) {
949 case 'v':
950 verbose = 1;
951 break;
952 case '?':
953 default:
954 return usage(argv[0]);
955 }
956 }
957 argc -= optind;
958 if (argc == 0)
959 return usage(argv[0]);
960 argv += optind;
961
962 while (argc--)
963 process_file(*argv++);
964
965 return EXIT_SUCCESS;
966 }
967