
		(THIS WAS THE MACHINE TRANSLATION)
-------------------------------------------------------------
                           c R A R k
                   (First & Fastest RAR Cracker)
                            v. 3.1

  (c) Copyright PSW-soft 1995-2001, 2006-2007 by P. Semjanov


THIS PROGRAM VERSION  IS DISTRIBUTED "AS  IS". YOU MAY  USE IT
AT YOUR OWN RISK. ALL THE CLAIMS TO PROGRAM OPERATION WILL  BE
REJECTED.  THE  AUTHOR  DOES  NOT  ALSO GUARANTEE THIS PROGRAM
FUTURE MAINTENANCE AND UPDATE.

This is FREEWARE program, so it can be distributed under the
following conditions: program code is kept unchanged and the
program is distributed in the form of distributive archive.
Any commercial use of this program is prohibited!

1. PURPOSES AND CHARACTERISTICS

The cRARk  program  is  designed  to  determine  a forgotten
password for  RAR-archives. This  program operates  adequately
with  RAR-archives versions  2.x and 3.x.

To proceed  with cRARk program you  need a  computer with  the
Pentium compatible processor or later. It is recommended to  use
as powerful processor as  possible (the code is  optimized for
Pentium III/4/AMD/Core 2).

cRARk is the tool for professionals,  no GUI or  great service
is  provided.  But  it  tries  to  maximize your abilities for
passwords definition and to  minimize search  time. cRARk uses
Password  Cracking  Library  (PCL),   a  very  powerful   tool
allowing you to define rules to generate passwords.

The rate of password search should be about of 100 password per
second on modern powerful computer, so finding the 6-characters
password of lower case  Latin letters will need about a month.
Rate for dictionary attack is about 50 pass/sec. The stored files
rate is slower and depends of file length.

2. REQUIREMENTS FOR THE INPUT ARCHIVE

To ensure  the program  to process  an RAR-archive  under test
successfully, the following requirements are to be met:

  - There is at least one encrypted file.
  - The password should be not longer than 28 symbols (RAR 3.x).
  - For maximum speed, this file must be not stored (-m0 option). If
the program displays the warning about it you could simply remove such file
from archive.
  In case  of solid-archives,  the first file should satisfy these requirements
Therefore, if the files in archive were  encrypted
with the different passwords, the password for first file will be found.
   cRARk must be working with selfextracting (sfx) and multivolume
arhcives. CRARK-HP is designed for cracking archives with encrypted headers.

3. Working with the program.

To  run  the  program  YOU  ARE TO CREATE PASSWORD
DEFINITION FILE firstly (see section 4).

This is a command-line utility! You should run it from
command (DOS) prompt. 

To run the program you should use:

CRARK [options] archive
or
CRARK-HP [options] archive

The found password is printed in such a form:

truepass - CRC OK
Next it is repeated in hexadecimal PCL-like form (see 4.2.1).

All other messages ARE NOT passwords and are intended as progress
indication of the program.

Options in this mode are:

   -lXX  -  to  set  password  length  to  XX at least (XX =
0..255, XX =  1 by default).  This parameter affects  password
length only when  '*' is used  in its definition  (see section
4.2.1);
   -gXX - to set password length to XX at most (XX = 0..255,
XX = 8 by default);
   -pXXXX  -  to  set  the  name of password definition file
("PASSWORD.DEF" by  default). Long  file names  are supported under
Windows 95/98 only (not MS DOS or Windows NT);
   -b - to perform benchmarking;
   -v - debug mode (see section 5.1). It may be used to show
character  sets  in  use.  This  option generates also all the
passwords according to with their definition; it does not test
but prints them, so you can check their validity.
    -fWXYZ - (advanced ) set crypto functions #W,X,Y,Z. Some
information about available functions is printed by -b option.


4. THE USE OF PASSWORD DEFINITION FILE IN CHOOSING OF MODE  OF
OPERATION AND PASSWORD SET

Password   definition   file   is   the   main  control  file.
Its translation  and processing  are   the main  task of   PCL
library.  Its format  doesn't depend on application,  to which
PCL is linked,  so this  library can be used for any  password
searching program.

4.1. Password definition file format

Password definition file is an ordinary text file and consists
of  two   parts:  firstly,   dictionary  and   character   set
definition, and secondly, passwords definition. The  parts are
separated by a line of two '##' symbols:

[ <dictionary and character set definition> ]
##
<passwords definition>

The  first  part  may  be  omitted,  in  that  case   password
definition file is to begin with '##' symbols.

Anywhere  else  the  symbol  '#'  is  considered  as a comment
beginning.

Space characters and tabs  are ignored in password  definition
file and may separate any components.

For  convenience,  let  password  definition  mechanism be our
first concern and character set definition be the second  one,
contrary to their position in password  definition file.

4.2. Password  definition

This is the main part of the file. IT NECESSARILY PRESENTS  IN
ANY  PASSWORD  DEFINITION  FILE  (PASSWORD.DEF) AFTER THE LINE
'##' and presets password generation rules to be checked later
on. It consists  of text lines,  each giving its  own password
set and  mode of  operation, i.  e. an  algorithm of  password
search.  Each  line  is  in  its  own  right  and is processed
separately,  so  the  total  number  of  passwords  checked is
computed.

Character sets and dictionary words form password  definition.
They  preset  one  or  more  characters,  which  will hold the
appropriate position in a password.

4.2.1. Character sets

Character  set  (charset)  is  a  set of characters, which can
occupy current position  in a password  (but, of course,  only
one of them holds it). These characters may be following:

1) Ordinary characters (a, b, etc.). It means that it is  this
character that occupies given position in a password;

2) Shielded characters. Special  characters, if ever occur  in
the password,  are to  be shielded.  The meaning  is identical
with mentioned above. Among these are:

     \$, \., \*, \?, \=        '$', '.', '*', '?', '='
     \], \[, \{, \}, \(, \)    corresponding brackets;
     \ (space character)       space character
	\XX, where X is a hexadecimal digit
                               any hex-code character
     \0                        no character. It is usually
used in conjunction with "real" character (see examples below).

Generally, any  character can  be shielded  except hexadecimal
digits.

3) Macros of character set. It means that current position  in
the password can  be occupied by  any character from  the set.
These sets are specified in the first part of password defini-
tion file (see section 4.3.2) and are denoted as:

     $a  -  lower-case  Latin  letters  (26  letters,   unless
            otherwise specified);

     $A  -  upper-case  Latin  letters  (26  letters,   unless
            otherwise specified);

     $!  -  special   characters   (32    characters,   unless
            otherwise specified);

     $1  -  digits (10 digits, unless otherwise specified);

     $i  -  lower-case   letters of   national alphabet    (33
            letters for Russian alphabet);

     $I  -  upper-case  letters   of  national  alphabet   (33
            letters for Russian alphabet);

     $o  -  other user-specified characters;

     ?   -  any character (i. e. all the characters,  included
            into the macros mentioned above).

NOTE: macros $v and $p (see section 4.3.4) cannot be used  for
password definition.

4) Any combinations of  the characters mentioned above.  It is
written  in  square  brackets.  The  meaning is identical with
mentioned above. For example:

	[$a $A]		        	any Latin letter;
	[abc]				a, or b, or c;
	[$1 abcdef]			hexadecimal digit;
	[s \0]				s or nothing;
	[$a $A $1 $! $i $I $o]	        this is equivalent to ?.

5)  Regular  duplication  character  '*'.  It  means  that the
preceding character set  is to be  duplicated 0 or  more times
in  corresponding  (next)  positions  of  the  password.   For
example:

     $a *     -  a password of arbitrary length, consisting
                    of lower-case Latin letters;
     [ab] *   -  space character, a, b, aa, ab, ba, bb,
                 aaa, ...
     [$a $A] [$a $A $1] *   -  "identifier", i. e. a sequence
                 of letters and digits with a letter at first
                 position.

Note that password of zero length is physically meaningful and
is not always the same as no password at all.

The length   of duplication    is computed   automatically  by
options,   on   the   basis   of   given  maximum  and minimum
password  length.  Note,   that  these   parameters  influence
only  password  length,  generated   with  the  use   of   '*'
character,  and  are   not  taken  into  account for password,
consisting  of  words  or   static  characters  only.  It   is
recommended to use  '*' as wide  as possible. This  is because
it allows to perform the  most  powerful search. Although  the
constructions '? *'  and '? ? *'  seem  to be alike   from the
logic standpoint,   the first   one will   be searched through
faster.

Current   restriction:  '*'   can  be   the  last    character
in the line only.

4.2.2. Dictionary words and their modifiers

The  words  present  several  consecutive  characters  of  the
password as  opposed to  character set.  Two dictionaries  are
supported in PCL library: main (with ordinary words, as usual)
and  user  (where  special  information  can  be  stored,  for
example, names,  dates, etc.),  though there  is no difference
between them.

Dictionary is a text  file, consisting of words,  separated by
the  end-of-line  characters.  Both  DOS-format  (CR/LF)   and
UNIX-format  (LF)  files  may  be  used.  It  is desirable (to
increase search rate, among other factors) to use words of the
same (lower) case in dictionaries.

Thus, there are two macros:

	$w	a word from the main dictionary;
	$u	a word from the user dictionary.

It is known that altered words are often used as passwords. So
to determine such passwords a  whole set of word modifiers  is
put into use. Among these are:

	.u (upper)		to upper-case;
	.l (lower)		to lower-case;
	.t (truncate)		to truncate up to the given length;
	.c (convert)		to convert the word;
	.j (joke)		to upper-case some letters;
	.r (reverse)		to reverse the word;
	.s (shrink)		to shrink the word;
     .d (duplicate)           to duplicate the word.

Modifiers may have parameters, written in round brackets.  For
modifiers, intended for use with single letters, the number of
the letter can be considered as a parameter; no parameters  or
null  parameter  means  "the  whole  word".  Letters  can   be
numerated both from the beginning of the word and from the end.
The end of the word is denoted with the character '-'.

There are only three such modifiers for today: .u, .l, .t. So,
use

     .u  or .u(0)     to upper-case the whole word (PASSWORD);
     .u(1), .u(2)     to upper-case only the first (the second)
                      letter (Password, pAssword);
     .u(-), .u(-1)    to upper-case the last (the next to last)
                      letter (passworD, passwoRd);
     .t(-1)           to truncate the last letter in the word
                      (passwor).

The  other  modifiers  operate  with  the whole words only and
their parameters give the  way of modification. The  following
modifier parameters are specified for today:

     .j(0) or .j      to upper-case odd letters (PaSsWoRd);
     .j(1)            to upper-case even letters (pAsSwOrD):
     .j(2)            to upper-case vowels (pAsswOrd);
     .j(3)            to upper-case consonants (PaSSWoRD);
     .r(0) or .r      to reverse the word (drowssap);
     .s(0) or .s      to reduce the word by discarding vowels
                      unless the first one is a vowel
                      (password -> psswrd, offset -> offst);
     .d(0) or .d      to duplicate the word (passwordpassword);
     .d(1)            to add reversed word (passworddrowssap);
     .c(<number>)     to convert all the letters in the word
                      according to the appropriate conversion
                      string (see section 4.3.3).

All the  modifiers operate   adequately with  both Latin   and
national  letters,  provided  that   the  rules  of   national
character sets definition are observed.  Clearly there can  be
more than one modifier  (the number  of  consecutive modifiers
is   limited by  63, which  is unlikely  to be  exceeded). For
example: (let $w mean a password):

	$w.u(1).u(-)		PassworD
	$w.s.t(4)		pssw
	$w.t(4).s		pss


4.2.3. Permutation brackets

The problem is  widely met, when  you remember your  password,
but it is not do for some reason. Probably, you have  mistaken
while typing it. This program has its own algorithm to restore
such passwords. The following typing mistakes are  considered:
two neighboring  letters are  swapped (psasword),  a letter is
omitted (pasword), an unneeded letter is inserted  (passweord)
or  one  letter  is  replaced  with  another  (passwird). Such
password changes will be referred to as permutations.

To indicate the beginning and  the end of that portion  of the
password where permutations could appear, permutation brackets
'{' and '}'  are used. The  bracket '}' can  be followed by  a
number of permutations  (1 by default),  separated by a  point
(or in round brackets). The physical meaning of the number  of
permutations  is  the  number  of  simultaneous  mistakes. For
example:

     {abc}  -  182  (different)  passwords  will  be obtained,
including:

     bac, acb           2 swaps;
     bc, ac, bc         3 omissions;
     aabc, babc ...     4 * 26 - 3 insertions;
     bbc, cbc ...       3 * 25 replacements;
     abc                the desired word;

     {password}.2 or {password}(2) - the following words  will
be generated: psswrod, passwdro, paasswor, etc.;

     {$w} - all  the words, containing  one mistake, from  the
main  dictionary.

Notes:
1) It  is obvious  that some  passwords will  be obtained more
than once, so  the larger is  the number of  permutations, the
larger is the  number of replicas.  Efforts were made  in this
program to reduce replicas, but they are purely empirical  and
were made for  two permutations at  most. In other  words, for
the  large  numbers  there  is  no certainty that a particular
password  cannot  be  discarded  erroneously.  Fanatics of the
theory  of  combinations  can  compute  the  exact  number for
{password}.3, for  example, then  I'll be  able to  compare it
with that one obtained by the program.

2) For insertion  and replacement you  are to know  the set of
characters to be inserted or  replaced. In the event this  set
is not specified explicitly (see section 4.3.4), this  program
forms  it  automatically  for  character  sets, in relation to
standard set these characters  are from (i. e.  for {password}
$a will be inserted, for {Password} [$a $A] will be inserted).
The similar operation  with words is  performed, based on  the
first word from the dictionary with modifiers being taken into
account. In the event this set is specified explicitly, it  is
just the set to be used.

3)  Current  restriction  is  that  the  character  '{'   must
necessarily   be   the     first    in   the     line.    Such
expressions   as  good_{password} remain to be  supported, but
{good}_password is quite possible.

4.3. Dictionaries and character sets definitions

All  the  definitions  are  set  in  the beginning of password
definition file up to the characters '##'.

4.3.1. Dictionaries definition

The main and user dictionaries in use (see section 4.2.2)  are
initially defined as  usual. It is  necessary only if  you are
going  to  use  words  from  the  dictionaries  when  defining
passwords, i. e. $w or $u.

The dictionaries are given as follows:

$w = "main.dic"                    # main dictionary
$u = "c:\\dict\\user.dic"          # user dictionary

File  name  is  to  be  quoted,  the path characters are to be
shielded. Long file names are adequate for Windows 95/98  only
(not for MSDOS or Windows NT).

4.3.2. Definition of the character sets in use

Then character  sets in  use are  defined, as  usual. They are
classified  in  two   groups:  predefined  and   user-defined.
Predefined sets include:

    $a	lower-cased Latin letters, 26 letters in all;
    $A	upper-cased Latin letters, 26 letters in all;
    $!  special characters {}:"<>?[];\',./~!@#$%^&*()_+`-=\|,
        32 characters in all;
    $1	digits, 10 digits in all.

User-defined sets include

    $i	lower-cased letters of national alphabet;
    $I	upper-cased letters of national alphabet;
    $o  additional character set (for example, any
        non-typable characters).

Character sets are defined as follows:

	$<charset> = [ <single characters or character sets> ]

To  put  this  another  way,  character  set  is  written   as
combination of characters (see section 4.2.1), for example:

	$i = [ !"#$%&'()*+,-./`abcdefghijklmnoq]
	$o = [$! $1 \FF]

NOTES:
1) Any  character sets  are allowed  to be  defined, including
pre-defined.  For  example,    you  may  include    additional
characters, such as space character or \FF into the set $!

2) When the sets $i and $I are being defined, the function  of
switching between lower/upper  case is defined  automatically.
So it is important to have letters being ordered uniformly  in
these sets.

The full character  set '?', consisting  of [$a $A  $1 $!$i $I
$o] (just such an order is of importance in the next section),
is never formed until all the characters are defined.

4.3.3. Definition of conversion modifiers

Then  conversion  modifiers  .c  may  be  defined (see section
4.2.2) in relation to the certain character set ?. It is
performed with the line of the form

     ?.c(<a number>) = "<conversion string>"

Any  character  from  the   whole  set  is  converted into  an
appropriate  character,   occupying  the   same  position   in
transformation string. For example, let

	?      = [1234567890], then
	?.c(0) = "!@#$%^&*()"

gives transformation  identical to  that for  Shift keystroke.
The characters '\' and ' " ' are to be shielded in  conversion
string. The numbers of modifiers may vary from 0 to 255.

4.3.4.Special character sets definition

Among special character sets are:

     $v  - a set of vowels (in all alphabets being used). It is
           needed only when .s and .j modifiers are used.
     $p - a set for insertion and replacement for  permutation
          brackets. It is needed only if automatic  generation
          of this set does not  suit you for some reason  (see
          section 4.2.3).

These sets are defined in a similar way to the other character
sets.

4.4. USEFUL EXAMPLES OF PASSWORD DEFINITION

0) The most  typical password definition,  similar to that  of
preceding program versions,  is "$s(2) $s(3)  $a *". It  means
that the first three characters, obtained by the program,  are
to be used and lower-cased Latin letters are to be added next.

The second password character is determined rather inaccurately, so the
following definition is recommended also:

	"$s(1) $a $s(3) $a *"   (don't use quotes!)

If you are searching  through some other character  set, don't
forget to set it to  the second position of the  password. For
example:

	"$s(1) [$! $1] $s(3) [$! $1] *"   (don't use quotes!)

1) Let me cite ZEXPL2L program specification:
"Let  you  have  an  archive  with  the  password looking like
"Heaven!!!", but you have forgotten, how many !s were there in
the end and  what kind of  letters lower- or  upper-cased were
used: "HeAvEn!!!", "Heaven!" or "HeAven!!!!". But  fortunately
you remember your password to  be 10 characters at most  and 7
characters at  least." This  password will  be written  in PCL
language as follows:

     "He [aA] v [eE] n ! *" (don't use quotes!)
and options -l7 -g10.

Suppose that among other things you have mistaken while typing
the main part of the  password. So the following one  is worth
attention:

     "{He [aA] v [eE] n} ! *" (don't use quotes!)
and options -l7 -g10.

2) One more citation from the same specification: "Let you
have  two   variants  of   the  password   string:   "myprog",
"MyProg", "my_prog" and "My_Prog".

It will be written as:

	"[mM] y [_ \0] [pP] rog" (don't use quotes!)

3)  It  is  often  recommended  to  use  two meaningful words,
separated   by   certain   character,   as   a  password.  The
description is as following:

	"$w [$1 $!] $w" or
	"$w.u(1) [$1 $!] $w.u(1)" (don't use quotes!)

It should be mentioned that  both $w are distinct here  (these
are  distinct  words),  so  a  total  of  20000 * 42 * 20000 =
1.68E10 passwords (if there  are 20000 dictionary words)  will
be generated , i. e. it takes, on the average, less than a day
to crack passwords, considered to be extremely hard for  crac-
king. Thus,  just two  successive words  are cracked  42 times
faster.

4)  Password  consists  of  exactly  six letters from national
alphabet:

	"$i $i $i $i $i $i"	(don't use quotes!)

But "$i *" and -16 -g6 options are far more efficient.

6) You remember your password to be  "MyVeryLongGoodPassword",
but it is  not do for  some reason. Try  to use the  following
ones:

	"{MyVeryLongGoodPassword}"	2382 passwords in 1 second
	"{MyVeryLongGoodPassword}.2"	2836413 passwords in 1 minute
	"{MyVeryLongGoodPassword}.3"	??? passwords in 2-3 days

7) You know you password to be a meaningful word with a  digit
inserted elsewhere. The definition file is:

$p = [$1]	# the insertion set is defined as a set of digits
##
{$w}

8) Syllable attack. You are to set up a dictionary of possible
syllables of your language and then to search through all  the
meaningful words by proceeding as follows:

	$u		# monosyllabic words
	$u$u		# disyllabic words
	$u$u$u		# etc.
	$u$u$u$u
...

9) In order to run your program in parallel on two  computers,
give them the following definition files:

	"[abcdefghijklm] $a *"	for the first one,
	"[nopqrstuvwxyz] $a *"	for the second one.

Proceed similarly with n computers.

5. Possible problems (FAQ).

1. How to break and then to continue the search.

The program may be broken painlessly once the message "Testing
XX-chars passwords..." is displayed,  and then the search  may
be continued with - lXX option (both XX are equal).

2. How to resume search from the password XXX?

In no way as yet. I hope, it will be done in the PCL 3.0.

3. The program has been searching for 10 days, but my password
is not yet at hand.

Alas! It can't be helped. May be your password is too long, or
the search set  is wrong.  Additional  information  on  the
password is necessary.

4. There are  files with different  passwords in the  archive.
What am I to do?

Just remove (using RAR) files with already known passwords.

5. I have  tested your program.  To my mind,  your program is
nothing  but  utter  error,  it  cannot  even find "aaa2"-like
password.

RTFM. Distributive file password.def searches through only lo-
wer-cased Latin  letters. Change  your password  definition to
"[$a $1] *" and everything will be ok.

6. I've got beginning of one file from archive in plain text.
Will it be useful to me?

No. At least, I couldn't use it. Could you? RAR encryption sources
are available in WinRAR distribution.

7. I'd like to optimize your program. How can I get the sources?

You don't need them. Take UnRar sources and optimize the
SetCryptKeys() function. Next contact me.

8. Is there any option to save program operation log?

Probably, you have never dealt with UNIX. Use

   crark [options] > file.

If you don't like this, use "tee" utility.

9. Is is possible to speed-up dictionary attack?

Yes, just sort your dictionary by the words size

10. Your   distribution kit   is packed   with a   password in
itself!!! I do not find it funny!

You are reading this file, so you have solved this problem.

6. On PCL library

PCL library is  distributed by the  author as FREEWARE  in the
form of source text as well as .LIB (for Borland, Watcom C) or
.a (for DJGPP)  files. The reference  to PCL as  an obligatory
requirement for your programs. Now it is under development, so
I'll be very glad to any comments on defect and errors in  the
program, especially to those guiding the way for  improvements
and supplements.

7. How to contact the author

Only by e-mail.

Please don't ask me about how to run the program etc - 
I have no time to explain individually.

e-mail:	pavel@semjanov.com
WWW:	http://www.semjanov.com

Program support URL is:
http://www.password-crackers.com/en/category_99/program_13.html

A lot of free, benchmarked password crackers you'll find at

http://www.password-crackers.com

cRARk is a  FREE program, so  all the claims  will be rejected.
Anyway,  I'll  be  very  grateful  for  pointing  out the 
serious errors, such as:

- the program hangs up while searching (the lack of  displayed
messages is not an evidence of hangup);

-  the   program  cannot   find  such  password   in
such archive,  although  the  set  of  characters in
search is specified correctly

I'll  be  also  glad   to  any  constructive  suggestions   on
improvements of program operation.


8. Special thanks.

  To Eugene Roshal for good encryption algorithm;
  To John Vandermeersch <vanderme@tornado.be> for correcting this
docs;
  To Phil Frisbie, Jr. (pfrisbie@geocities.com) for CPU
identification function.


Good luck!

Pavel Semjanov, St.-Petersburg.
