RAR GPU Password Recovery v0.5

Copyright (C) 2009-2010 Ivan Golubev, http://golubev.com

This program is really outdated now, it has been transformed into commercial Accent RAR Password Recovery with multi-GPU, multicore-CPU and GUI support. And if you're afraid of command line you're definitely should try AccentRPR instead.

It is not magic wand to remove RAR password protection (and there no such wands around). If you don't understand words like "brute-force, dictionary attack, SHA1, AES, etc" you should probably try to find something else.

Description

This software using ATI RV 670/770/870 and nVidia "CUDA" video cards to recover passwords for RAR archives v 3.x. Recovery speed at HD4850 about 20 times better than single core of Q6600 @ 2.4Ghz. (Comparing only optimized SSE2 code running on iCore). For non-optimized CPU versions it can be [place your favorite number here, like 100x or 200x].

Performance on nVidia cards slower than with ATI ones (because of nVidia GPU architecture). So, 8600 GT about 2x times faster than single core of Q6600 @ 2.4Ghz. GTX 260 /w 192SP about 12 times faster than single core of Q6600 @ 2.4Ghz.

Plain numbers (for RAR passwords with length == 4) are:
~168 passwords per second on single core of Q6600 @ 2.4Ghz (crark's result)
~325 passwords per second on 8600 GT
~3350 passwords per second on ATI HD4850
~2075 passwords per second on GTX260/192SP

Note that password recovery speed is not constant for RAR archive, it depends on password length (i.e shorter passwords will be checked faster than longer ones).

Supported GPUs

Only supported ATI cards are: based on RV670, RV740+ and RV870 (3870, 4770, 4850, 4870, 4890, 5870, etc).

Catalyst 9.9+ must be installed.

Support for RV670 & RV870 aren't tested at all (as I don't have any such cards around, let me know if they works or not).

Only supported nVidia cards are: the ones with CUDA support, i.e. G80+. Was tested with 8600 GT, 8600 GTS, GTX260/192SP, GTX260/216SP, GTS250. Should work with anything G80+ I guess.

Starting from v0.4 you can choose to GPU to work with. It can be done with /device:N command line switch. See examples below.

Usage

It is console application, so should be run from command line.

igrargpu.exe [switch:param] filename.rar

-a:b|d|r Attack type: brute-force (default), dictionary or dictionary with rules
-c:csdepa Charset definition (cap, small (default), digits, special, space, all)
-u:[chars] User-defined characters
-sf:[password] Password to start attack from
-m:[mask] Password mask
-ms:[symbol] Mask symbol
-min:[value] Minimum length (default == 1)
-max:[value] Maximum length (default == 5)

-d:[filename] Dictionary filename
-sl:[N] Start dictionary attack from line [N]
-r:[filename] Rules filename
-rl:[N] Start from rule [N]

-blocksize:[N] Set block size (default depends on GPU)
-device:[N] GPU #N to use

Brute-force attack examples

igrargpu.exe /a:b /c:s /min:1 /max:4 archive.rar

will checks all passwords from length 1 to length 4 consisting of small latin letters.

igrargpu.exe /a:b /c:s /m:??u??la archive.rar

will checks all passwords starting from aauaala, aauabla, ... to zzuzzla.

Be carefull with length. Depending on charset set maximum realistic length will be around 5-7 symbols. For example,

igrargpu.exe /min:6 /max:6 archive.rar

checks all passwords with length == 6 consisting of small latin letters. There are 96^6 = 308 915 776 possible passwords, on HD4770 recovery speed is about 2465 p/s, so we have 308 915 776 / 2465 / 60s / 60m = 35 hours to wait.

Shortly, it's almost no chances to brute-force anything longer than 6 symbols.

You can manually split range to several GPUs if you have them. For example,

igrargpu.exe /a:b /c:cs /min:5 /max:5 /sf:AAAAA /device:0 archive.rar
igrargpu.exe /a:b /c:cs /min:5 /max:5 /sf:NAAAA /device:1 archive.rar

will open two copies of IGRARGPU and they will utilize both GPUs.

Dictionary based attacks examples

Dictionary must be in Unicode format, Intel's byte order, each line of file == password. Intel's byte order means that file starts from [0xFF 0xFE]. You can use notepad.exe and Save As ... / Unicode for fast convertion ANSI -> Unicode.

igrargpu.exe /a:d d:/example.dic archive.rar

will checks all words found in example.dic. Each line of dictionary file == password.

Dictionary based attack with rules

It's really "advanced" thing and some programming experience required to fully understand everything :).

Main idea of this attack is to take one word from dictionary and modify it with so called "rules". This attack can be started as:

igrargpu.exe /a:r /d:dictionary.txt /r:rules.txt archive.rar

Rules file must be in Unicode format and starts from some defines:

Name=Simple mutations
CreatedBy=Ivan Golubev
Language=English
Caps=ABCDEFGHIJKLMNOPQRSTUVWXYZ
Smalls=abcdefghijklmnopqrstuvwxyz

Main defines are "Caps=" & "Smalls=" which will be used later with "capitalize", "lowerize" and other toggle case mutations. All empty lines and lines starts from ';' will be skipped. ';' used to start comment.

After "[Rules]" actual rules definition starts. Each line == single rule. There are some specials characters to define actions and "normal" characters which will be added to current string.

Special characters can be inserted using '\'. Character followed '\' will be used 'as is'. Except for 'x' as '\xNNNN' can be used to describe Unicode character which hex value NNNN.

Processing always starts from blank line. The base definition is:

$w

which means "insert current word from dictionary".

Modifiers start from '.', possible values are:

.l lowercase word
.u uppercase word
.c capitalize word
.C inv capitalize word
.t toggle case word
.R reverse word
.2-9 repeat word 2-9 times
.TN toggle char N=0..9, A..Z, x = last
.dN delete char at pos N
.iNX insert char X at position N (z = insert after last char)
.rNX replace char at position N with X
.sXY replace all chars X with Y
.xX remove all chars X from word
.eN truncate word to N symbols
.pN push char at pos N to stack keeping it on pos
.PN push char at pos N to stack and remove it from word
.qN pop char from stack to pos N and keep char on stack
.QN pop char from stack to pos N and remove char from stack

Now some examples. Let "current word" be "PassWord", then

$w            PassWord
$w.l          password
$w.u          PASSWORD
$w.c          Password
$w.C          pASSWORD
$w.t          pASSwORD
$w.R          droWssaP
$w.2          PassWordPassWord
$w.3          PassWordPassWordPassWord
$w.c.Tx       PassworD
$w.R.c        Drowssap
$w.R.c.Tx     DrowssaP
$w.d0         assWord
$w.d0.c       Assword
$w.dx         PassWor
$w.dx.c       Passwor
$w.p0.Q0      PPassWord
$w.p0.Q0.c    Ppassword
$w.p0.q0.Q0   PPPassWord
$w.p0.q0.Q0.c Pppassword
$w.px.Qz      PassWordd
$w.px.Qz.c    Passwordd
$w.px.qz.Qz   PassWorddd
$w.px.qz.Qz.c Passworddd
$w0           PassWord0
$w1           PassWord1

It's possible to use $w more than once.

$w$w$w        PassWordPassWordPassWord

It's possible to use brackets to perform multiple mutations.

($w.c)($w.l)  PASSWORDPassWord

It's possible to use flow control. Simple rejects can be done with:

<N continue only if word is less than N symbols length
>N continue only if word is greater than N symbols length
=N continue only if word is exactly N symbols length

$w>4         PassWord will be processed
$w<4         PassWord will be skipped

More complex flow control possible with compare operation followed by predicated command. It's possible to compare:

.bNX compare char at position N with X
.BXN count number of char X occurencies at word and compare it with N
.vN  compare current length of word with N

Result of compare are carry and zero flags. And these flags can be used with:

@gt execute next command only if result was greater than
@lt --||-- less than
@le --||-- less or equal
@ge --||-- greater or equal
@eq --||-- equal
@ne --||-- not equal

Examples:

$w.b0G @ne 0         if first character is not 'G' then append '0'
$w.b1a @eq 1         if second character is 'a' then append '1'
$x.Bs2 @ge !         if there 2 or more 's' in word then append '!'
$w.v3 @ge 1          if word length is 3 or more symbols then append '1'
$w.v4 @gt (555)      if word length is more than 4 symbols then append "555"

There is special command '|' -- reject word. Also can be used like:

$x.Bs2 @ne |         reject word if it doesn't contains two 's'

There is command line switch -passgen to write all passwords to file instead of validating them. It's very usefull for checking your own rules files. For example:

igrargpu.exe /a:r /r:74.txt /d:password.txt /passgen

will creates file "__generated__$$__.txt" with all words found in "password.txt" and modified with rules in "74.txt".

The description of rules are far from complete, anyway I hope you got the main idea and so can create your own rules sets.

Block size value

Block size means that (block size) * 64 == pack of 64*blocksize passwords will be processed on GPU at once. Increasing this value may helps to improve performance on different GPUs. But increasing this value too much will results in video driver hangs up and reloading.

You should change this value only if you completely understand what you're doing.

Limitations

Future plans

GUI, CPU support including multicores and support for multiGPU systems were implemented with AccentRPR release. Distributed version will be released soon too either as AccentRPR part or some separate product, anyway it'll available at http://passwordrecoverytools.com.

Acknowledgements

This software includes parts of UNRAR utility written by Alexander Roshal. Quote from UNRAR's license agreement:

"Distribution of modified UnRAR sources in separate form or as a part of other software is permitted, provided that it is clearly stated in the documentation and source comments that the code may not be used to develop a RAR (WinRAR) compatible archiver."

This software includes parts of LZMA SDK written by Igor Pavlov.

Thanks to InsidePro's author -- http://insidepro.com. As I was inspired by his rules ideas. And this thanks actually forwarded to Solar Designer (John The Ripper's author).

Contact info

http://www.golubev.com
rargpu (at) golubev.com