Advanced Archive Password Recovery (ARCHPR)

Advanced Archive Password Recovery (or ARCHPR) is a program to recover lost or forgotten passwords to archives (compressed files) of the following types:

· ZIP/PKZip/WinZip
· ARJ/WinARJ
· ACE/WinACE (1.x)
· RAR/WinRAR

The key features of ARCHPR are:
· The program has a convenient user interface
· The program is very fast: for ZIP, brute-force attack speed is up to fifteen million passwords per second on modern CPUs like Pentium 4 (Prescott)
· Guaranteed decryption (usually, within the hour) of many WinZip archives (created in versions 8.0 and below, with 5+ encrypted files) is available; it works regardless the password complexity and length
· The program can work with archives containing only one encrypted file
· Archives created by various software packages are supported
· Self-extracting archives are supported
· The program is customizable: you can set the password length (or length range), the character set to be used to generate the passwords, and a couple of other options
· You can select the custom character set for brute-force attack (non-English characters are supported)
· Dictionary-based attack (with word mutations) is available
· The "brute-force with mask" attack is available
· Very fast known-plaintext attack is available (ZIP and ARJ only)
· You can interrupt the program at any time, and resume from the same point later
· The program can work in the background, using the CPU only when it is in idle state

Please note, however, that for the password is not stored anywhere in the archive (ZIP/RAR/ARJ/ACE file), and so it cannot be just extracted or decrypted. Instead, ARCHPR can recover it by trying different passwords: all possible combinations in a given range, or from a wordlist, etc. ARCHPR can test as many as fifteen million passwords per second (for ZIP archives), and so the likelihood of finding a valid one is very high. There is still no guarantee that the password will be recovered, but here the human factor plays its role: most people use short and/or easy to remember passwords. We estimate the success rate as 90-95%.


Requirements

· Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP or Windows Server 2003
· about 4 megabytes of free space on hard disk
· about 34 megabytes of free memory for ZIP known plaintext attack
· about 260 megabytes of free memory to process RAR 2.9 and 3.x archives


Passwords and encryption

Previous Top Next

The password encryption in ZIP/ARJ/RAR/ACE is very strong, and if the password is long enough and well selected, there is no way to recover it in a reasonable time. In most cases, only brute-force and dictionary attacks are available.

Dictionary attack is the most effective one – with it, the program tries every word in a dictionary (wordlist) until the password is found. This method is popular because it is well known that many people use common words as passwords. Dictionaries with hundreds of thousands of words, as well as specialist, technical and foreign language dictionaries are available, as are lists of thousands of words that are often used as passwords such as "qwerty", "abcdef" etc.

If you have completed a dictionary attack, but some passwords still have not been recovered, you have to follow up with a brute-force attack. In this attack, the program tries to guess the password by trying every single combination of characters until the password is found. For example, the program might follow a sequence like this:

"aaaaaaaa"
"aaaaaaab"
"aaaaaaac" ...

until the password is found. Obviously, this method will take time: for an eight-character alpha password there are 200 Billion combinations to be checked. But with modern computers this sort of attack doesn't take as long as you might think. The brute force attack is the slowest method of password attack, but can often be successful on short and simple passwords.

There are also some special notes about every file format.

ZIP

There are a few different encryption algorithms for ZIP archives. ARCHPR supports two of them: the traditional PKWARE encryption (used in most ZIP-compatible compression utilities; see Application Notes - .ZIP File Format Specification) and Advanced Encryption Technology (used in WinZip 9.0 and 10.0 beta).

For archives that use traditional encryption, ARCHPR recovery speed is about 15 million passwords per second (on Pentioum 4 CPU), and so the "practical limit" for brute-force attack is about 10 characters. In addition, the "known-plaintext" attack is available: in most cases, it doesn't recover the password, but allows to get the encryption keys, and the archive can be decrypted so you will not need the password to get in. This attack usually takes 10-15 minutes (and the time does not depend on the password length). Unfortunately, it is not always applicable.

Also, due to the weakness of WinZip (versions up to 8.0) implementation of ZIP encryption algorythm, guaranteed recovery is available for many WinZip archives (with 5 or more encrypted files). As for known-plaintext attack, ARCHPR finds the decryption keys, so the password don't even needed. This attack is also very fast and takes maximum a few hours (in most cases – 15-20 minutes).

For ZIP files with advanced encryption technology, known-plaintext attack is not available, and brute-force attack works at just a few hundred passwords per second.

ARJ

ARJ encryption is simpler than ZIP one. In addition to brute-force and dictionary attacks, the known-plaintext attack is also supported; in contrary to ZIP, it allows to get the password instead of just decrypting the file). The practical limit for brute-force attack is 7-8 characters.

RAR

For RAR 2.0..2.8 archives, ARCHPR can try a few thousand passwords per second. RAR 2.9/3.x encryption is even better (see UnRAR sources for details)– recovery speed is extremely low, just a few passwords per second. So for such archives, brute-force attack is almost useless, and only dictionary attack is more or less effective.

ACE

For ACE 1.x archives, the the speed is just a few hundred passwords per second. ACE 2.x archives are not supported at all. The reason is: ACE 2.x decompression algorithm is proprietary (i.e. source code is not available); we have tried to implement password testing through unacev2.dll shipped with WinACE, but unfortunately, it contains many bugs, causing unexpected crashes – even WinACE itself crashes on some valid archives when particular password is supplied. Please don't ask us to add ACE 2.x support – we will not do that until decompression algorithm will be publically available, or at least the above mentioned DLL will be free of bugs.

Just enter the name of the ZIP/ARJ/RAR/ACE archive you'd like to get the password for. Use the "Browse" button (or F3 key) to select it, or press the "recent files" button (with a small down arrow) to pick from the list (if you've used ARCHPR on your target archive before). Alternatively, you can use drag'n'drop – just drag the file (with a mouse) from Windows Explorer, and drop it to the ARCHPR window. If all the settings are correct, the attack will be started immediately.

The way how ARCHPR will try to find the password for a given archive; you can select from Brute-force, Mask, Dictionary and Plaintext attacks (last one – for ZIP and ARJ archives only). Besides, Guaranteed WinZip attack is available (for WinZip 8.0 and below archives with 5 or more encrypted files), and there is also the special Password from keys attack, that could be used in addition to Brute-force and Plaintext attacks on ZIP archives

Instructs the program what characters have been used in the password. You can choose from all capital letters, all small letters, all digits, all special symbols and the space, or all printable (includes all of the above). The special characters are:

!@#$%^&*()_+-=<>,./?[]{}~:;`'|"\

Alternatively, you can define your own character set (charset). Just mark the "User-defined" checkbox and click on "Custom charset…" (at the right of the option). In the input window, enter all chars of your password range; for example: if you remember that your password was entered in the bottom keyboard row ("zxcv...") - your password range should be "zxcvbnm,./" (or in caps: "ZXCVBNM<>?"). You can also define both of these: "zxcvbnm,./ZXCVBNM<>?". In addition, you can load and save custom charsets, or combine them using the "Add charset from file..." button.

Just a note about "Convert to OEM encoding" option in the "User Defined Charset" option. Be sure to select it if the password contains any non-English characters, and the archive has been created by a DOS-based compression utility (like PKZIP, for example). Otherwise, the password will not be found.

This option may help, for example, if you know the first character(s) of the password. For example, if you're sure that the small letters have been used (from 'a' to 'z'), the length is 5, and the password definitely starts with 'k', than type 'kaaaa' here. Please also note, that if you press the "Stop" button when ARCHPR is working, the program writes the current password to this window ("Start from password"). It can be used later to restart the program from the same point.

Please note that the program verifies the passwords according to the following character order:

· CAPITAL letters: 'A'..'Z'

· the space

· small letters: 'a'..'z')

· digits: '0'..'9'

· special characters: !@#$%^&*()_+-=<>,./?[]{}~:;`'|"\



You can also use End at field to set the password ARCHPR should stop at. It might be useful if you attack the same archive on a few computers, and so can split the whole password range onto a few parts.

If you already know some characters in the password, you can specify the mask to decrease the total number of passwords to be verified. At the moment, you can set the mask only for fixed-length passwords, but doing this can still help.

For example, you know that the password contains 8 characters, starts with 'x', and ends with '99'; the other symbols are small or capital letters. So, the mask to be set is "x?????99", and the charset has to be set to All caps and All small. With such options, the total number of the passwords that ARCHPR will try will be the same as if you're working with 5-character passwords which don't contain digits; it is much less than if the length were set to 8 and the All Printable option were selected. In the above example, the '?' chars indicate the unknown symbols.

If you know that the password contains an occurrence of the mask character '?', you can choose a different mask character to avoid having one character, '?', represent both an unknown pattern position and a known character. In this case, you could change the mask symbol from '?' to, for example, '#' or '*', and use a mask pattern of "x######?" (for mask symbol '#') or "x******?" (for mask symbol '*'). Select the mask symbol on Advanced Options page.

This is one of the most important options affecting checking time. Usually, you can check all 4-character (and shorter) passwords in a few minutes; but for longer passwords, you have to have patience and/or some knowledge about the password (including the character set which has been used, or even better – the mask).

The minimum length cannot be set to a value greater than maximum length, of course.

If the minimum and maximum lengths are not the same, the program tries the shorter passwords first. For example, if you set minimum=3 and maximum=7, the program will start from 3-character passwords, then try 4-character ones and so on – up to 7. While ARCHPR is running, it shows the current password length, as well as the current password, average speed, elapsed and remaining time, and total and processed number of passwords (Program status). All of this information except average speed and elapsed time, which are global, is related only to the current length.

Simply select the desired dictionary file. In addition, you can select an option Smart mutations or Try all possible upper/lower case combinations – it may really help if you're not sure about the register the password has been typed in. For example, let's assume that the next word in dictionary is "PASSword" (the case, actually, doesn't matter here). With the second option enabled, the program will just try all possible combinations, like:

password
passworD
passwoRd
passwoRD
passwOrd

PASSWORd
PASSWORD

However, checking all such combinations takes a lot of time: in the example above, ARCHPR will check 2^8 words (i.e. 256) instead of one. With smart mutations, you can eliminate a number of "virtually impossible" combinations, and here are all the words which will be checked:

PASSword
(as is)

passWORD
(reversed)

password
(all lower case)

PASSWORD
(all upper case)

Password
(first uppercase, rest lowercase)

pASSWORD
(first lower case, rest uppercase)

PaSSWoRD
(elite: vowels in lc, others in uc)

pAsswOrd
(noelite)

PaSsWoRd
(alt/1)

pAsSwOrD
(alt/2)



So, it makes only 10 combinations for each word.

The Start line # option allows you to start an attack from a given line (in the dictionary); if you interrupt the attack, the "current" line number will be written there (and saved to the project file, of course).

The Convert to OEM encoding option can be used if: the dictionary is in ANSI coding, but the ZIP archive has been created with a DOS archiver (like PKZIP), and so the actual password is in OEM coding. Changing that option doesn't make any difference if all the words in the dictionary contain latin letters only.

ZIP files have a strong encryption algorithm. First, the password isn't stored anywhere in a password-protected archive. The ZIP archiver converts the password you've entered into three 32-bit encryption keys, and then uses them to encrypt the whole archive. Because of this, the total complexity of the ZIP attack is 2^96, i.e., we would have to try all possible key combinations. This is really a lot – even using all the computers in the world, it is not possible to check all of them, unfortunately… However, this algorithm isn't as strong as the DES, RSA, IDEA, and similar algorithms. One of the ways of breaking ZIP protection is using known-plaintext attack. If you're interested in the details of attack, find the paper "A Known Plaintext Attack on the PKZIP Stream Cipher" by Eli Biham and Paul Kocher. ARCHPR's implementation of plaintext attack is very close to that paper, with some minor modifications.

Having an encrypted file created by the ZIP archiver, and the same file in unencrypted form, we can make some calculations and retrieve the encryption keys used to protect that file. Usually, a ZIP archive contains several files and all of them have the same password (and therefore the same encryption keys). This means that if we get the encryption keys for one of these files, we'll be able to unprotect all the others! Furthermore, it won't take as much time as trying all possible combinations of encryption keys. To perform plaintext attack, all you need is one file from the archive, compressed by the same archiver and by the same method as an encrypted one.

Selecting the correct archiver is a bit complex, however; unfortunately, the ZIP file format doesn't contain any data which might help to identify the archiver. In fact, you may need to try several archivers (of course, only if you don't remember which particular utility you've used). A good check that the plain file is correct is the size difference between it and the encrypted file: the encrypted file must be exactly 12 bytes larger. Also, the files must have the same CRC and uncompressed sizes. ARCHPR automatically checks these conditions for selected files, so all you need to do is to create a "plain" ZIP archive.

Description

To perform plaintext attack you need to:

· Find an unencrypted file which also exists in the password-protected archive.

· Compress it with the same method and the same ZIP archiver as used in the encrypted archive. Note that this is required because ARCHPR checks file sizes and file checksums. (You can, however, use plaintext attack on a partial file; see the description below).

· Run ARCHPR, select encrypted archive, then select "plaintext" attack and browse for archive with unencrypted file.



After that, ARCHPR will check the files, and if there are matching ones, the attack is started.

There are two stages in "plaintext" attack, plus two password search additions (note that timings are estimated for Intel Celeron working at 366 MHz):

1. Keys reduction cycle. At this stage, ARCHPR needs about 34 megabytes of (virtual) memory. This cycle takes from one to three minutes (depending on the size of the plaintext). If you haven't got enough physical memory, it may take a bit more time. After this stage, ARCHPR will free most of that memory and work with only 2-4 megabytes. Please also note that the time required to complete this stage cannot be estimated, and so for the first few minutes the progress indicator will read 0%, after that it'll start to increase rapidly.

2. Searching matching keys. This is the main stage of "plaintext" attack. Now you can see how much time you need (worst case) to recover the archive. Depending on the size of the plaintext, this stage can take from 5 minutes to several hours. At that stage, you can stop the attack at any time without risk; the program will write a resume value into the Start from field (and save it into the project file, of course). Note that the first stage (keys reduction cycle) will be performed again upon resuming (but it only takes a few minutes).

When ARCHPR finds valid keys, it tries to find the password correlated with them. Due to some reasons, the password search can be easily done for 9 characters long (and shorter) passwords with any symbols, and passwords with up to 10 printable symbols – during a couple of minutes.

If ARCHPR can retrieve the password, it'll display the standard statistics message with it, if it can't – with encryption keys only. Please note that in most cases you don't need the original password because having encryption keys you can easily decrypt the ZIP archive so it will not require the password to unzip it.

Attack on partial file

Sometimes ZIP archives (where the one is password-protected and the second isn't) may differ in size. For example, WinZip can create such ones if the source file almost cannot be compressed. Encrypted files has 12 bytes at least, so when WinZip starts the compression routine, it may select another method to keep compression ratio good. But note that it is very unusual case. However, you can perform plaintext attack on such files anyway – just keep in password-protected archive only one file (that will be attacked); of course, backup your original files first. And keep only one file in "plaintext" archive as well. Run the attack, and ARCHPR will ask for confirmation for "partial" attack. Click 'Yes' and select the number of bytes to use as plaintext. Because we don't know how many bytes can be the same, it's good idea to start from 1-3Kb (it most cases it's enough) and decrease this number if ARCHPR won't be able to find encryption keys.

Current version notes

1. "Plaintext" file must be at least 12 bytes long.
2. "Plaintext" attack can be saved on the second stage only; after restarting, the first stage will be performed (again) anyway.
3. No time estimation for the first stage. But you can expect that it'll take a few minutes.
4. In any case, you need about 34 megabytes of RAM. If you don't have so much RAM, you need enough space on the for swap file on the disk (and patience – using virtual RAM will greatly decrease the performance). So, we recommend to use the "known plaintext" attack with at least 40-48 megabytes of RAM.

Test results

Here are the results (benchmarks) of "known plaintext" attack for the different files (on Intel Celeron 366MHz with 64MB RAM).

File size (bytes)
Stage #1 time
Stage #2 time





16
20s
2d 12h

32
33s
8h 30m

64
38s
3h 30m

128
45s
1h 45m

256
52s
42m

512
52s
20m

1024
52s
8m

2048
1m 5s
5m 30s

4096
1m 5s
4m

8192
1m 14s
4m

16384
1m 30s
4m

32768
2m 10s
4m


ARJ files have relatively strong encryption algorithm. The password isn't stored anywhere in password protected archive. However, this algorithm isn't as strong as DES, RSA, IDEA and similar ones, and one of the ways of breaking ARJ protection is using known-plaintext attack.

Having encrypted file created by ARJ archiver, and the same file in unencrypted form, we can make some calculations and retrieve password. Usually, ARJ archive contains several files, and all of them has the same password. To perform plaintext attack, all you need is one file from archive, compressed with the same method as an encrypted one.

To perform plaintext attack you need to:

· Find unencrypted file which also exists in password-protected archive.

· Compress it with the same method as in encrypted archive. Note that this is strongly needed because ARCHPR checks file sizes and checksums of files.

· Run ARCHPR, select encrypted archive, then select "plaintext" attack and browse for archive with unencrypted file.

After that, ARCHPR will check the files, and if there are matching ones, the password will be displayed immediately.


That's the most powerful attack available in ARCHPR. It works similarly to known-plaintext attack described above, but doesn't require you to have any files from the archive. However, the archive itself should have at least 5 encrypted (password-protected) files, and have to be created with WinZip or any other ZIP archiver based on Info-ZIP sources.

Please note that only WinZip versions 8.0 and below are vulnerable for this particular attack (because of using weak random number generator). In version 8.1, the hole has been fixed, and so for archives created with this version (as well as newer ones) you will not be able to use this attack at all.

Just select the archive file name, Guaranteed WinZip attack from Type of attack drop-down box, and press Run; no other options needed. If the archive has been created with some other archiver, or contains less than 5 files, ARCHPR will show an error message.

The attack consists of three stages: first two are for searching the encrypted keys (needed to decrypt the archive), and the last one searches for the actual password (up to 10 characters).

Usually, first stage takes just a few minutes (the program may show Estimated remaining time as a few hours, but actually, that's the theoretical maximum, and in most cases it is MUCH faster). Second one is from 10 to 30 minutes, and the last stage (where the password itself is being recovered) is 2-3 minutes only. For the second stage, the time estimation is also not very accurate (to make it better, it would be needed to perform a lot of additional operations, while ARCHPR does its best to recover keys/password as fast as possible).

That attacks works in most cases (as already noted, for WinZip files only), and even if the password is very long (so it could not be found during the 3rd stage), ARCHPR will be able to decrypt the whole archive, so you will not need to supply a password to extract files from it. However, in some very rare cases (the probability is 1/256, i.e. 0,4% only), WinZip may create ZIP archives this attack fails on. ARCHPR identifies such archives and prints a warning message into the log window; actually, this message does not mean that the ARCHPR will definitely fail, but if first stage will be completed but no encryption keys found – sorry, you're out of luck. Just try the other attacks.

As noted above, Known-plaintext and Guaranteed WinZip attacks try to recover the encryption keys first. Once they're there, the archive could be decrypted so no password is needed at all. However, they also search for passwords (just in case) that are up to 10 characters long.

If you already have the encryption keys and would like to recover the [longer] password itself, select this attack from drop-down Type of attack box. The keys should be entered on Plain-text tab (if Plain-text attack just finished, they are already there), and other options such as character set (Range tab) and password length (Length tab) – as for Brute-force attack. The recommended minimum password length is 11 (as far as if you have got the keys with ARCHPR and not from any other source, shorter passwords have been already tried), the "practial" maximum value is 14-15, depending on the character set. End at value is not supported for this attack at all; as for Start from – you have to be careful. Actually, there is no need to recover first 6 characters of the password – they're calculated based on the "tail" of the password (7th char and up). So starting password should already start with 6 asterisks, and "meaningful" positions start with 7. The program starts to search for correct combinations from the end; for example, for 11-character passwords containing small letters, the order is:

******aaaaa
******baaaa
...
******zaaaa
******zbaaa
******zzaaa
...
******zzzzz

Please take that in mind when selecting the starting password manually.

If you'd like ARCHPR to save its state periodically, please check the appropriate option, and select the time (in minutes) between saves. If you do that, ARCHPR will create and periodically update a restore file named "~archpr.axr" (that's the default – you can change it) in the same folder where your archive is located (also by default; you can select any other folder to save that file to). This file is similar to one created when using the "Save setup" button. Even if your computer stops responding (or if power fails), you'll be able to restore breaking the password from the last saved state. Instead of using the default settings (the name of the file and the folder it will be saved to), you can also select your own settings. Enabling this option is strongly recommended.

Priority: background or high. If you want to start ARCHPR as a "background" process, which will work only when the CPU is in an idle state, you may select "Background". If you want to increase performance, select "High", but be aware that this will decrease the performance of *all other* applications running on your computer.

Minimize to tray: if this option is enabled, the program window will disappear from the Windows desktop when you press the "minimize" button in the top-right corner of the window (or you select an appropriate item in the system menu). The small icon will be created in the "tray" area of the task bar (near the system clock). Just double-click on that icon to restore the window.

Log to archpr.log: when enabled, the program saves all information displayed in the status window into the log-file (archpr.log).

Progress bar update interval: allows to set an interval (in milliseconds) between progress bar and status window updates; the default is 500 (a reasonable value). By selecting the higher value (3000, for example), you can get slightly better recovery speed.

Register: press this button to register your copy of ARCHPR (if you've got the registration code already, of course).

Update: press this button (when you're connected to the Internet) to see if there a new version of ARCHPR on our site. Note: the program uses Microsoft Internet Explorer proxy settings.

Language: the program has multilingual interface. Just select the appropriate language from the drop-down box. English is the default

Use known start of the file for stored archives (hex): if your archive contains only one encrypted file, and this file is stored (i.e. not compressed), using that option is a solution to get much better recovery speed. But you have to know from 1 to 4 bytes this file starts from. There are a lot of well-known signatures, though: for example, 'MZ' (hex: 4D 5A) for executable files, 'PK' (hex: 50 4B 03 04) for ZIP files, D0 CF 11 E0 (hex) for OLE compound documents (like MS Word/Excel files) etc.

Always use WinZIP optimized attack engine if probability is greater than XX%: if your archive has been created with WinZIP (or other Windows-based ZIP tool based on the same sources -- there are many such tools) and contains at least five encrypted files, there is some good news: the speed of brute-force attack can be about three times better! ARCHPR tries to recognize such a situation automatically, but unfortunately, a ZIP file doesn't store any information about the archiver. So the program calculates the "probability" value (it depends on the number of files in the archive and other factors). If it is greater than 50%, ARCHPR suggests you to use this (optimized) attack each time you start the recovery process. You can set this option (selecting the appropriate percentage as well) for your convenience, so the optimized engine will (or will not) be used automatically. 85% is the good value to use, but you can set a higher value, if you're not sure.

If the files inside the ZIP archive have been encrypted with different passwords, ARCHPR might not be able to find the correct password. The workaround is to (1) make a backup copy of your archive; (2) remove all files from the archive except those which definitely have the same password (perhaps just one file); and (3) run ARCHPR on the resulting archive. When (if) ARCHPR finds the correct password, create another new archive, keeping the next portion of files which have the same password. If all the files have different passwords, you're in trouble – too much time for recovering them will be required; but that's the only thing you can do.

If you have no idea how long the password is and what characters it may contain, just run the dictionary-based attack first. If it fails, try brute-force with the following options (character set and password length range):

Charset
Length
Passwords
Time (approx.)






All printable
1..6
742,912,032,768
14 hours

Digits, small/capital, space
7
3,938,980,724,736
3 days

Digits, small letters, space
8
3,512,479,514,624
3 days

Digits, capital letters, space
8
3,512,479,514,624
3 days

Digits
9..11
1,110,999,957,504
1 day

Small letters, space
9
7,625,596,993,536
6 days

Capital letters, space
9
7,625,596,993,536
6 days



The third column shows the total number of possible password combinations (with the given charset and password length); and the last column shows the maximum time required for recovery of the password, assuming that the speed is 15,000,000 passwords per second (the performance of a computer with Pentium 4 3GHz CPU on ZIP archives with three or more files using traditional encryption, and at least one is inflated).

For archives of other types (or ZIP archives that use AES encryption etc. – i.e. when the speed is worse), you will have to run a benchmark in advance, and find the proper options (especially the password range) experimentally.


Command line

Previous Top Next

You can run ARCHPR with command-line parameters. The syntax is:

ARCHPR [switches] [zip/arj/ace/rar-filename]

or

ARCHPR [switches] [axr-filename]

The switches are separated with / or - characters. If the switch is followed by some data (e.g., filename, starting password, etc.) which contains these characters: space, semicolon, slash or dash, it must be enclosed in (single or double) quotes.


Switch
Description

Default






/a:b|m|d
attack type (brute-force, mask, dictionary)

brute-force

/c:csdepa
character set (caps, small, digits, special, space, all)

caps

/u:chars
user-defined charset



/oem
convert to OEM (for user-defined charset and dictionary attack)

disabled

/sf:pass
start from password



/endat:pass
end at password



/usewz:X
use optimized WinZip attack



/useknownstart:XX
use known bytes in stored file (from 1 to 4 hex values, no spaces)



/p[:filename]
plaintext filename



/m:mask
mask



/ms:C
mask symbol

?

/min:N
minimum password length

1

/max:N
maximum password length

5

/oem
convert to OEM (for user-defined charset and dictionary attack)

disabled

/useknownstart:XX
use known bytes in stored file (from 1 to 4 hex values, no spaces)



/d[:filename]
dictionary filename



/sm
smart mutations

disabled

/ac
try all possible upper/lower case combinations

disabled

/sl:N
start from line N

0

/autosave:N
autosave every N minutes; 0 means disabled

5

/aname:filename
autosave filename



/adir:dir
autosave directory



/idle
run at idle priority

enabled

/high
run at high priority

disabled

/dontstart
don't start the attack, just load/set the parameters



/minimize
minimize the program after starting the attack



/smartexit[:filename]
when the attack is completed, write all statistics, including the password (if found) to the given file (default "cmdline_stats.txt"), and close the program

disabled



Examples:

archpr.exe /a:b /c:cs /min:3 /max:7 /smartexit test.zip
(brute-force attack; small and capital letters; length from 3 to 7; save and exit when done)

archpr.exe /a:b /u:12345abcde test.ace
(brute-force attack with "12345abcde" character set; length: from 1 to 5)

archpr.exe /a:m /c:d /m:june???? /sf:june1000 /high test.rar
(mask attack with ""june????" mask; charset: digits; high priority)

archpr.exe /d:english.dic /sm /oem /dontstart test.zip
(dictionary attack; dictionary: "english.dic"; smart mutations; convert words from ANSI to OEM; don't start)

archpr.exe /a:p /p:plain.arj test.arj
(known plaintext attack)

If the parameter is the axr-file, the program will immediately load all the settings from it (ignoring the other settings supplied in the command line, except /dontstart, /minimize and /smartexit), and run the attack.

We've tried to make ARCHPR as reliable as possible, but on some specific archives it may still crash (after a few hours or even days of continuous operation). However, if you have the Auto-save option enabled, it is safe – the program will restart automatically (from the last-saved point). In addition, it will create a special dump file (in the same folder where archpr.exe is located), in the form:

CrashLog XXX, YYY.log

where XXX indicates the crash date, and YYY the crash time. The file contains information which will really help us to fix the problem (the crash address, registers map, stack dump, process list, memory map, etc.) – so, if you should ever get that dump (an appropriate message will be written into the message log), please send it to us, and we'll do our best to make ARCHPR even better.

To test the functionality described above, press Ctrl-Alt-Shift-F12 – the program will simulate an exception by causing a division by zero.


Home page URL : http://www.elcomsoft.com/archpr.html

0 comments:

Related Posts Plugin for WordPress, Blogger...