Thanks
bobby - especially for De-Rap,quite nifty tool
In a somewhat similar concept (of modifying .rar archives I mean),
I saw this small tool 'advertized' around in a few reverse engineering forums recently:
http://www.softpedia.com/get/Security/Decrypting-Decoding/Winrar-Unlock.shtml"
Winrar Unlock was designed to unlock winrar archives (including SFX),
allowing you to modify the content freely."
Now I personally haven't tested the aformentioned tool's capabilities...my curiosity was raised though,
so I spent some time today checking,how someone can manually "unlock" rar archives...
Here's what I got,in case it saves some time / helps anyone out there...
===================52 61 72 21 1A 07 00 CF 90 73 00 00 0D -> Typical rar
52 61 72 21 1A 07 00 B5 30 73 04 00 0D -> Locked rar
52 61 72 21 1A 07 00 41 70 73 0C 00 0D -> Locked rar (Solid Archive)
52 61 72 21 1A 07 00 15 37 73 44 00 0D -> Locked rar (With Recovery Record)
So far,so good...in all cases,it's just a matter of 3 bytes patching in the header.
In short:
xx xx 73 xxShould be changed to:
CF 90 73 00===================Stuff gets slightly more complicated,when "Authenticity Verification" has been enabled.
Haven't checked the Auth Verification removal under different systems yet,
but I also don't see a reason why it shouldn't work correctly.
At first step,the header obviously needs to be pached...
52 61 72 21 1A 07 00 CF 90 73 00 00 0D 00 00 00 00 00 00 -> Typical rar
52 61 72 21 1A 07 00 39 1D 73 00 00 0D 00 00 00 CB E3 08 -> Not Locked (With Authenticity Verification)
52 61 72 21 1A 07 00 43 BD 73 04 00 0D 00 00 00 CB E3 08 -> Locked rar (With Authenticity Verification)
52 61 72 21 1A 07 00 E3 BA 73 44 00 0D 00 00 00 CB E3 08 -> Locked rar (With Authenticity Verification plus Recovery Record)
In short:
xx xx 73 xx 00 0D 00 00 00 xx xx xxChanges to:
CF 90 73 00 00 0D 00 00 00 00 00 00Second step:along with the above header's byte patching,
Auth Verification record itself (located towards the end of file) also has to be removed.
Else,the archive becomes/appears corrupted.
There exists the following "pseudo-marker" (if I could call it this way...)
?? ?? 7A 00 C0 E0 00 00 00 00 00 00 00 00 00 02 00 00 00 00 .. .. .. C4 3D 7B 00 40 07 00
2 wildcarded bytes
+ pseudo-marker
+ .. .. .. (random size values)
+ end-marker
7A 00 C0 E0 is what interests us mostly,the pseudo-marker to say so...
The
?? ?? are just 2 extra wildcarded bytes located exactly before,that also need to be removed.
In these 2 wildcarded bytes (non standard values,they differ from archive to archive),
is where the "cut/removal" should start.
The
.. .. .. is also a non standard number of bytes that contains the rest of Auth Verification record:
it's size changes/is depended on computer's name,archive's name etc etc...
So how do we know where the "cut/removal" should end?
Exactly before the following end-marker...
C4 3D 7B 00 40 07 00
Topic: De-Rap and De-GMER (Read 6430 times)
