Difference between revisions of "RAR"
From Forensics Wiki
| (4 intermediate revisions by one user not shown) | |||
| Line 9: | Line 9: | ||
:* 0x1a21 - HEAD_FLAGS | :* 0x1a21 - HEAD_FLAGS | ||
:* 0x0007 - HEAD_SIZE | :* 0x0007 - HEAD_SIZE | ||
| + | |||
| + | |||
| + | ===RAR File Format=== | ||
| + | |||
| + | Each Block has the following fields | ||
| + | {| class="wikitable" | ||
| + | |+ Block Fields | ||
| + | ! Name | ||
| + | ! Size (bytes) | ||
| + | ! Description | ||
| + | |- | ||
| + | | HEAD_CRC | ||
| + | | 2 | ||
| + | | CRC of total block or block part | ||
| + | |- | ||
| + | | HEAD_TYPE | ||
| + | | 1 | ||
| + | | Block type | ||
| + | |- | ||
| + | | HEAD_FLAGS | ||
| + | | 2 | ||
| + | | Block flags | ||
| + | |- | ||
| + | | HEAD_SIZE | ||
| + | | 2 | ||
| + | | Block size | ||
| + | |- | ||
| + | | ADD_SIZE | ||
| + | | 4 | ||
| + | | Optional field - added block size | ||
| + | |} | ||
| + | |||
| + | ---- | ||
| + | There are certain block types | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+ Block Types | ||
| + | ! Head Type Signifier | ||
| + | ! Description | ||
| + | |- | ||
| + | | HEAD_TYPE=0x72 | ||
| + | | marker block | ||
| + | |- | ||
| + | | HEAD_TYPE=0x73 | ||
| + | | archive header | ||
| + | |- | ||
| + | | HEAD_TYPE=0x74 | ||
| + | | file header | ||
| + | |- | ||
| + | | HEAD_TYPE=0x75 | ||
| + | | old style comment header | ||
| + | |- | ||
| + | | HEAD_TYPE=0x76 | ||
| + | | old style authenticity information | ||
| + | |- | ||
| + | | HEAD_TYPE=0x77 | ||
| + | | old style subblock | ||
| + | |- | ||
| + | | HEAD_TYPE=0x78 | ||
| + | | old style recovery record | ||
| + | |- | ||
| + | | HEAD_TYPE=0x79 | ||
| + | | old style authenticity information | ||
| + | |- | ||
| + | | HEAD_TYPE=0x7a | ||
| + | | subblock | ||
| + | |} | ||
| + | ---- | ||
| + | |||
| + | |||
| + | ===Block Formats=== | ||
| + | |||
| + | Marker Block (MARK_HEAD) | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |+ MARK_HEAD | ||
| + | ! Field Name | ||
| + | ! Size (bytes) | ||
| + | ! Possibilities | ||
| + | |- | ||
| + | | HEAD_CRC | ||
| + | | 2 | ||
| + | | Always 0x6152 | ||
| + | |- | ||
| + | | HEAD_TYPE | ||
| + | | 1 | ||
| + | | Header type: 0x72 | ||
| + | |- | ||
| + | | HEAD_FLAGS | ||
| + | | 2 | ||
| + | | Always 0x1a21 | ||
| + | |- | ||
| + | | HEAD_SIZE | ||
| + | | 2 | ||
| + | | Block size = 0x0007 | ||
| + | |} | ||
| + | |||
| + | * Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1a 0x07 0x00 (which is seen as 'Rar!') | ||
| Line 26: | Line 124: | ||
:* 2.0 | :* 2.0 | ||
:** Utilizes a proprietary compression method that is not available to the public. | :** Utilizes a proprietary compression method that is not available to the public. | ||
| + | :** Based off of version 1.5 of the RAR file format. | ||
:* 3.0 | :* 3.0 | ||
:** Utilizes the [http://en.wikipedia.org/wiki/Prediction_by_Partial_Matching PPMII] and [http://en.wikipedia.org/wiki/LZ77_and_LZ78 Lempel-Ziv (LZSS)]] algorithms. | :** Utilizes the [http://en.wikipedia.org/wiki/Prediction_by_Partial_Matching PPMII] and [http://en.wikipedia.org/wiki/LZ77_and_LZ78 Lempel-Ziv (LZSS)]] algorithms. | ||
:** Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES). | :** Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES). | ||
| − | + | :** Based off of version 1.5 of the RAR file format. | |
| Line 73: | Line 172: | ||
==See Also== | ==See Also== | ||
* [http://en.wikipedia.org/wiki/RAR Wikipedia: RAR] | * [http://en.wikipedia.org/wiki/RAR Wikipedia: RAR] | ||
| − | * [http://acritum.com/winrar/rar-format RAR | + | * [http://acritum.com/winrar/rar-format RAR File Format Information] |
| − | + | * RAR File Format Technical Information for Version 4.11 [[File:RARFileStructure.txt]] | |
[[Category:File Formats]] | [[Category:File Formats]] | ||
Revision as of 09:36, 11 April 2012
RAR Archives (Roshal ARchive file format) is a proprietary format for storing information created by Eugene Roshal. The format is currently handled by Alexander Roshal, Eugene's brother.
Contents |
Format
The file has the magic number of:
0x 52 61 72 21 1A 07 00
which is a break down of the following to describe an Archive Header:
- 0x6152 - HEAD_CRC
- 0x72 - HEAD_TYPE
- 0x1a21 - HEAD_FLAGS
- 0x0007 - HEAD_SIZE
RAR File Format
Each Block has the following fields
| Name | Size (bytes) | Description |
|---|---|---|
| HEAD_CRC | 2 | CRC of total block or block part |
| HEAD_TYPE | 1 | Block type |
| HEAD_FLAGS | 2 | Block flags |
| HEAD_SIZE | 2 | Block size |
| ADD_SIZE | 4 | Optional field - added block size |
There are certain block types
| Head Type Signifier | Description |
|---|---|
| HEAD_TYPE=0x72 | marker block |
| HEAD_TYPE=0x73 | archive header |
| HEAD_TYPE=0x74 | file header |
| HEAD_TYPE=0x75 | old style comment header |
| HEAD_TYPE=0x76 | old style authenticity information |
| HEAD_TYPE=0x77 | old style subblock |
| HEAD_TYPE=0x78 | old style recovery record |
| HEAD_TYPE=0x79 | old style authenticity information |
| HEAD_TYPE=0x7a | subblock |
Block Formats
Marker Block (MARK_HEAD)
| Field Name | Size (bytes) | Possibilities |
|---|---|---|
| HEAD_CRC | 2 | Always 0x6152 |
| HEAD_TYPE | 1 | Header type: 0x72 |
| HEAD_FLAGS | 2 | Always 0x1a21 |
| HEAD_SIZE | 2 | Block size = 0x0007 |
- Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1a 0x07 0x00 (which is seen as 'Rar!')
Metadata
Sub-formats
The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:
- 1.3 (Does not have the RAR! signature)
- There is difficulty finding information regarding this sub-format. Please update if you know something.
- 1.5
- Utilizes a proprietary compression method that is not available to the public.
- Considered the root model of subsequent formats.
- A detailed list of information can be found here.
- 2.0
- Utilizes a proprietary compression method that is not available to the public.
- Based off of version 1.5 of the RAR file format.
- 3.0
- Utilizes the PPMII and Lempel-Ziv (LZSS)] algorithms.
- Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
- Based off of version 1.5 of the RAR file format.
- 1.3 (Does not have the RAR! signature)
Software
This only way to create a RAR file is using the Winrar software. There are several implementations of the process to open a RAR file (commonly known as the "unrar" process). Some of them are:
- unrarLib
- RAR file unarchiver written in C
- Easy implementation with a header file and the source code file
- Information Link
- WinRAR
- Only software that can create and open a RAR file
- Distributed by a proprietary license
- WinRAR executable for Windows
- UnRAR
- Created by Eugene Roshal for opening up RAR files only
- May not be used to reverse engineer the RAR file format and create RAR files
- Source code provided for people to implement/integrate methods of opening RAR files
- Additionally, implementations of UnRAR are available for a plethora of operating systems
- Download Link
- The Unarchiver
- Utility made for Mac OSX to open a multitude of files, including RAR files
- Very handy for dealing with multiple file types
- Source Code Download
- Information Website
- 7-Zip
- Utility made for Windows applications to open a multitude of files, including RAR files
- Download Link
There is a lot more software to open RAR files, but have been omitted due to redundancy.
See Also
- Wikipedia: RAR
- RAR File Format Information
- RAR File Format Technical Information for Version 4.11 File:RARFileStructure.txt
