(c) Copyright PSW-soft 1995-2001, 2006-2011 by P. Semjanov
THIS PROGRAM VERSION IS DISTRIBUTED "AS IS". YOU MAY USE IT AT YOUR OWN RISK. ALL THE CLAIMS TO PROGRAM OPERATION WILL BE REJECTED. THE AUTHOR DOES NOT ALSO GUARANTEE THIS PROGRAM FUTURE MAINTENANCE AND UPDATE.
This is FREEWARE program, so it can be distributed under the following conditions: program code is kept unchanged and the program is distributed in the form of distributive archive. Any commercial use of this program is prohibited!
1. PURPOSES AND CHARACTERISTICS
The cRARk program is designed to determine a forgotten password for RAR-archives. This program operates adequately with RAR-archives versions 2.x, 3.x, 4.x.
To proceed with cRARk program you need a computer with the Pentium compatible processor or later. It is recommended to use as powerful processor as possible (the code is optimized for Pentium III/4/AMD/Core 2). From v. 3.2, cRARk supports NVIDIA GPU with CUDA support and computing capability 1.1. From v. 3.4, cRARK also supports OpenCL both on NVIDIA and ATI/AMD Radeon GPUs.
cRARk is the tool for professionals, no GUI or great service is provided. But it tries to maximize your abilities for passwords definition and to minimize search time. cRARk uses Password Cracking Library (PCL), a very powerful tool allowing you to define rules to generate passwords.
The rate of password search should be about of 100 password per second on modern powerful computer, so finding the 6-characters password of lower case Latin letters will need about a month. In the GPU the rate could achive 5000 p/s. Rate for dictionary attack is about 50 pass/sec (GPU is not supported).
2. REQUIREMENTS FOR THE INPUT ARCHIVE
To ensure the program to process an RAR-archive under test successfully, the following requirements are to be met:
In case of solid-archives, the first file should satisfy these requirements. Therefore, if the files in archive were encrypted with the different passwords, the password for first file will be found.
cRARk must be working with selfextracting (sfx) and multivolume archives.
CRARK-HP is designed for cracking archives with encrypted headers.
From version 3.2, cRARk supports passwords computations on GPU cards (CUDA and OpenCL technology). Current limitations are:
To run the program YOU ARE TO CREATE PASSWORD DEFINITION FILE firstly (see section 4).
This is a command-line utility! You should run it from command (DOS) prompt.
To run the program you should use:
The found password is printed in such a form:
Next it is repeated in hexadecimal PCL-like form (see section 4.2.1).
All other messages ARE NOT passwords and are intended as progress indication of the program.
Options in this mode are:
| -lXX | set password length to XX at least (XX = 0..255, XX = 1 by default). This parameter affects password length only when '*' is used in its definition (see section 4.2.1); |
| -gXX | set password length to XX at most (XX = 0..255, XX = 8 by default) |
| -pXXXX | set the name of password definition file ("PASSWORD.DEF" by default). |
| -b | perform benchmarking |
| -v | debug mode (see section 5). It may be used to show character sets in use. This option generates also all the passwords according to with their definition; it does not test but prints them, so you can check their validity. |
| -c | disable GPU support (use CPU only) |
| -dXX | set CUDA delay (XX = 0..5), 0 - fastest, 5 - slower, but smoothest |
| -fWXYZ | (advanced) set crypto functions #W,X,Y,Z. Some information about available functions is printed by -b option. |
4. THE USE OF PASSWORD DEFINITION FILE IN CHOOSING OF MODE OF OPERATION AND PASSWORD SET
Password definition file is the main control file. Its translation and processing are the main task of PCL library. Its format doesn't depend on application, to which PCL is linked, so this library can be used for any password searching program.
4.1. Password definition file format
Password definition file is an ordinary text file and consists of two parts: firstly, dictionary and character set definition, and secondly, passwords definition. The parts are separated by a line of two '##' symbols:
The first part could be missing, in that case password definition file starts with '##' symbols.
In all other cases the symbol '#' is considered as a start of comment.
Space characters and tabs are ignored in password definition file and may separate any components.
To make it easy, let's look upon the password definition mechanism at first and then character set definition, contrary to their position in password definition file.
4.2. Password definition
This is the main part of the file. IT NECESSARILY EXSISTS IN ANY PASSWORD DEFINITION FILE (PASSWORD.DEF) AFTER THE LINE '##' and presets password generation rules to be checked out later on. It consists of the text lines, each of them gives its own password set and mode of operation, i.e. an algorithm of password search. Each line is independent and is processed separately, herewith the total number of checked passwords is counted up.
Character sets and dictionary words form password definition. They preset one or more characters, which will hold the appropriate position in a password.
4.2.1. Character sets
Character set (charset) is a range of characters, any of them can occupy current position in a password. Here please find some examples of these characters:
1) Simple single characters (a, b, etc.). It means this particular character occupies given position in a password;
2) Shielded characters. If any of special characters can ever occur in the password, it must be shielded. The meaning is identical with item 1 mentioned above. Among these characters are:
| \$, \., \*, \?, \= | '$', '.', '*', '?', '=' | |
| \], \[, \{, \}, \(, \) | corresponding brackets; | |
| \ (space character) | space character | |
| \XX | any hex-code character (X is a hexadecimal digit) | |
| \0 | no character. It is usually used in conjunction with "real" character (see examples below). | |
Generally, any character can be shielded except hexadecimal digits.
3) Macros of character set. It means that current position in the password can be occupied by any character from the set. These sets are specified in the first part of password definition file (see section 4.3.2) and are denoted as:
| $a | lower-case Latin letters (26 letters, unless otherwise specified) |
| $A | upper-case Latin letters (26 letters, unless otherwise specified) |
| $! | special characters (32 characters, unless otherwise specified) |
| $1 | digits (10 digits, unless otherwise specified) |
| $i | lower-case letters of national alphabet (33 letters for Russian alphabet) |
| $I | upper-case letters of national alphabet (33 letters for Russian alphabet) |
| $o | other user-specified characters |
| ? | any character (i.e. all the characters, included into the macros mentioned above) |
NOTE: macros $v and $p (see section 4.3.4) cannot be used for password definition.
4) Any combinations of the characters mentioned above. It must be written in square brackets. The meaning is identical with item 3 mentioned above. For example:
| [$a $A] | any Latin letter |
| [abc] | a, or b, or c |
| [$1 abcdef] | hexadecimal digit |
| [s \0] | s or nothing |
| [$a $A $1 $! $i $I $o] | this is equivalent to ? |
5) Regular repetition character '*'. It means the previous character set has to be repeated in next password positions 0 or more times. For example:
| $a * | a password of any length, consisting of lower-case Latin letters | |
| [ab] * | space character, a, b, aa, ab, ba, bb, aaa, ... | |
| [$a $A] [$a $A $1] * | "identifier", i.e. a sequence of letters and digits with a letter at first position | |
Note that password of zero length is physically meaningful and is not always the same as no password at all.
The length of repetition is computed automatically on the base of the defined maximum and minimum password length options. (Note that these options influence the password length only if '*' exists in password definition and are ignored if the password consists of words or static characters only.. It is recommended to use '*' as wide as possible. This is because it allows to perform the most powerful search. Although the constructions '? *' and '? ? *' seem to be alike from the logic standpoint, the first one will be searched through faster.
Current limitation: '*' can be the last character in the line only.
4.2.2. Dictionary words and their modifiers
Contrary to the character set, the words preset several consecutive passwords characters. Two dictionaries are supported by PDL library: main (with ordinary words mainly) and user's (where special information can be stored, for example, proper names, dates, etc.), though there is no difference between them.
Dictionary is a text file, consisting of the words, separated by the end-of-line characters. Both DOS-format (CR/LF) and UNIX-format (LF) files can be used. Preferably to use words of the same (lower) case in dictionaries (to increase search rate, among other factors). To sort out words by its length is also desirable.
Thus, there are two macros:
| $w | a word from the main dictionary |
| $u | a word from the user dictionary |
As is known altered words are often used as passwords. So a whole set of word modifiers is introduce to determine such passwords. Among these are:
| .u (upper) | to upper-case |
| .l (lower) | to lower-case |
| .t (truncate) | to truncate up to the given length |
| .c (convert) | to convert the word |
| .j (joke) | to upper-case some letters |
| .r (reverse) | to reverse the word |
| .s (shrink) | to shrink the word |
| .d (duplicate) | to duplicate the word |
Modifiers may have parameters, written in round brackets. For modifiers, meant for single letters use, it is possible to preset a number of the word as a parameter. Lack of parameters or null parameter means "the whole word". Then, letters can be numerated from both the beginning of the word and the end of the word. The end of the word is denoted with the character '-' .
There are only three such modifiers for today: .u, .l, .t. So, use:
| .u or .u(0) | to upper-case the whole word (PASSWORD) |
| .u(1), .u(2) | to upper-case only the first (the second) letter (Password, pAssword) |
| .u(-), .u(-1) | to upper-case the last (the next to last) letter (passworD, passwoRd) |
| .t(-1) | to truncate the last letter in the word (passwor) |
The other modifiers operate with the whole words only and their parameters give the way of modification. The following modifier parameters are specified for today:
| .j(0) or .j | to upper-case odd letters (PaSsWoRd) |
| .j(1) | to upper-case even letters (pAsSwOrD) |
| .j(2) | to upper-case vowels (pAsswOrd) |
| .j(3) | to upper-case consonants (PaSSWoRD) |
| .r(0) or .r | to reverse the word (drowssap) |
| .s(0) or .s | to reduce the word by discarding vowels unless the first one is a vowel (password -> psswrd, offset -> offst) |
| .d(0) or .d | to duplicate the word (passwordpassword) |
| .d(1) | to add reversed word (passworddrowssap) |
| .c(<number>) | to convert all the letters in the word according to the appropriate conversion string (see section 4.3.3) |
All the modifiers operate adequately with both Latin and national letters, provided that the rules of national character sets definition are observed. Clearly there can be more than one modifier (the number of consecutive modifiers is limited by 63, which is unlikely to be exceeded). For example: (let $w mean a password):
| $w.u(1).u(-) | PassworD |
| $w.s.t(4) | pssw |
| $w.t(4).s | pss |
4.2.3. Permutation brackets
The problem is widely met, when you remember your password, but it is not valid for some reason. Probably, you mistype it. The PCL engine has its own algorithm to restore such passwords. The following typing mistakes are considered: two neighboring letters are swapped (psasword), a letter is omitted (pasword), a needless letter is inserted (passweord) or one letter is replaced with another (passwird). Such password changes will be referred to as permutations.
To indicate the beginning and the end of that password section where permutations could appear, braces '{' and '}' are used. The brace '}' can be followed by a number of permutations (1 by default), separated by a dot (or in parenthesis). The physical meaning of the number of permutations is the number of simultaneously introduced mistakes. For example:
{abc} - 182 (different) passwords will be obtained, including:
| bac, acb | 2 swaps |
| bc, ac, bc | 3 omissions |
| aabc, babc ... | 4 * 26 - 3 insertions |
| bbc, cbc ... | 3 * 25 replacements |
| abc | the desired word |
{password}.2 or {password}(2) - the following words will be generated: psswrod, passwdro, paasswor, etc.;
{$w} - all the words with one mistake from the main dictionary. .
Notes:
1)It is obvious that some passwords will be obtained more than once, so the higher number of permutations, the higher number of replicas. It was made efforts in reducing replicas, but they are empirical and are made for not more than two permutations. In other words, it is not certainly that any password would not be discarded mistakenly for higher numbers. Fanatics of the theory of combinations can compute the exact number for {password}.3, for example, and compare it with that one obtained by the program.
2) For insert and replacement functions it is important to know the set of characters to be inserted or replaced. If at the description part this set is not specified (see section 4.3.4), then the program forms it automatically, presuming what standard sets the characters in brackets are refer to (i.e. for {password} $a will be inserted, for {Password} [$a $A] will be inserted). The similar process with words is performed, based on the first word from the dictionary where modifiers is considered in. If set is specified explicitly, it is that set which will be used.
3) Current restriction is that the character '{' must necessarily be the first in the line. Such expressions as good_{password} remain to be supported, but {good}_password is quite possible.
4.3. Dictionaries and character sets definitions
All the definitions are set in the beginning of password definition file up to the characters '##'.
4.3.1. Dictionaries definition
The main and/or user dictionaries in use (see section 4.2.2) are initially defined. It is necessary only if you are going to use words from the dictionaries when defining passwords, i.e. $w or $u.
The dictionaries are given as follows:
File name is to be quoted, the path characters are to be shielded.
4.3.2. Definition of the character sets in use
Then usually character sets in use are defined. They are classified in two groups: predefined and user-defined.
Predefined sets include:
| $a | lower-cased Latin letters, 26 letters in all |
| $A | upper-cased Latin letters, 26 letters in all |
| $! | special characters (32 characters in all) {}:"<>?[];\',./~!@#$%^&*()_+`-=\| |
| $1 | digits, 10 digits in all |
User-defined sets include:
| $i | lower-cased letters of national alphabet |
| $I | upper-cased letters of national alphabet |
| $o | additional character set (for example, any non-typable characters) |
Character sets are defined as follows:
In other words, character set is written as combination of characters (see section 4.2.1), for example:
NOTES:
1) Any character sets are allowed to be defined, including pre-defined. For example, you may include additional characters, such as space character or \FF into the set $!
2) When the sets $i and $I are being defined, the function of switching between lower/upper case is defined automatically. So it is important to have letters being ordered uniformly in these sets.
The full character set '?', consisting of [$a $A $1 $!$i $I $o] (just such an order is of importance in the next section), is never formed until all the characters are defined.
4.3.3. Definition of conversion modifiers
Then conversion modifiers .c may be defined (see section 4.2.2) in relation to the certain character set ?. It is performed with the line of the form:
Any character from the whole set is converted into an appropriate character, occupying the same position in transformation string. For example, let ? = [1234567890], then ?.c(0) = "!@#$%^&*()"; gives transformation identical to that for Shift keystroke. The characters '\' and '"' are to be shielded in conversion string. The numbers of modifiers may vary from 0 to 255.
4.3.4. Special character sets definition
Among special character sets are:
| $v | a set of vowels (in all alphabets being used). It is needed only when .s and .j modifiers are used |
| $p | a set for insertion and replacement for permutation brackets. It is needed only if automatic generation of this set does not suit you for some reason (see section 4.2.3) |
These sets are defined in a similar way to the other character sets.
4.4. USEFUL EXAMPLES OF PASSWORD DEFINITION
0)The most common definition is brute-force searching, which uses only lower-case Latin letters.
2) Let me cite ZEXPL2L program specification: "Let you have an archive with the password looking like "Heaven!!!", but you have forgotten, how many !s were there in the end and what kind of letters lower- or upper-cased were used: "HeAvEn!!!", "Heaven!" or "HeAven!!!!". But fortunately you remember your password to be 10 characters at most and 7 characters at least." This password will be written in PCL language as follows:
Suppose that among other things you have mistaken while typing the main part of the password. So the following one is worth attention:
2) One more citation from the same specification: "Let you have two variants of the password string: "myprog", "MyProg", "my_prog" and "My_Prog". It will be written as:
3) It is often recommended to use two meaningful words, separated by certain character, as a password. The description is as following:
It should be mentioned that both $w are distinct here (these are distinct words), so a total of 20000 * 42 * 20000 = 1.68E10 passwords (if there are 20000 dictionary words) will be generated , i.e. it takes, on the average, less than a day to crack passwords, considered to be extremely hard for cracking. Thus, just two successive words are cracked 42 times faster.
4) Password consists of exactly six letters from national alphabet:
6) You remember your password to be "MyVeryLongGoodPassword", but it is not do for some reason. Try to use the following ones:
| {MyVeryLongGoodPassword} | 2382 passwords in 1 second |
| {MyVeryLongGoodPassword}.2 | 2836413 passwords in 1 minute |
| {MyVeryLongGoodPassword}.3 | ??? passwords in 2-3 days |
7) You know you password to be a meaningful word with a digit inserted elsewhere. The definition file is:
8) Syllable attack. You are to set up a dictionary of possible syllables of your language and then to search through all the meaningful words by proceeding as follows:
$u # monosyllabic words $u$u # disyllabic words $u$u$u # etc. $u$u$u$u
9) In order to run your program in parallel on two computers, give them the following definition files:
| [abcdefghijklm] $a * | for the first one |
| [nopqrstuvwxyz] $a * | for the second one |
Proceed similarly with n computers.
1. How to break and then to continue the search.
2. How to resume search from the password XXX?
3. The program has been searching for 10 days, but my password is not yet at hand.
4. There are files with different passwords in the archive. What am I to do?
5. I have tested your program. To my mind, your program is nothing but utter error, it cannot even find "aaa2"-like password.
6. I've got beginning of one file from archive in plain text. Will it be useful to me?
7. I'd like to optimize your program. How can I get the sources?
8. Is there any option to save program operation log?
9. Is it possible to speed-up dictionary attack?
10. Your distribution kit is packed with a password in itself!!! I do not find it funny!
11. I need GUI, multicore support, pause/resume etc.
12. How to use my GPU card to recover passwords?
13. I've got some errors when using my GPU card.
PCL 2.0 library is distributed by the author as FREEWARE in the form of source text. The reference to PCL as an obligatory requirement for your programs.
PCL 3.0 with plenty of new features is not a FREEWARE.
Only by e-mail.
Please don't ask me about how to run the program etc - I have no time to explain individually.
e-mail: pavel@semjanov.com
WWW: http://www.semjanov.com
Program URL is: http://www.crark.net
A lot of free, benchmarked password crackers you'll find at:
cRARk is a FREE program, so all the claims will be rejected. Anyway, I'll be very grateful for pointing out the serious errors, such as:
I'll be also glad to any constructive suggestions on improvements of program operation.
8. Special thanks and copyright notices
Good luck!
Pavel Semjanov, St.-Petersburg.