Difference between revisions of "RAR"

From ForensicsWiki
Line 107: Line 107:
  
 
* Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1a 0x07 0x00 (which is seen as 'Rar!')
 
* Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1a 0x07 0x00 (which is seen as 'Rar!')
 +
 +
 +
==Metadata==
 +
 +
 +
 +
==Sub-formats==
 +
 +
The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:
 +
:* 1.3 (Does not have the RAR! signature)
 +
:** There is difficulty finding information regarding this sub-format. Please update if you know something.
 +
:* 1.5
 +
:** Utilizes a proprietary compression method that is not available to the public.
 +
:** Considered the root model of subsequent formats.
 +
:** A detailed list of information can be found [http://www.win-rar.com/index.php?id=24&kb_article_id=162 here].
 +
:* 2.0
 +
:** Utilizes a proprietary compression method that is not available to the public.
 +
:** Based off of version 1.5 of the RAR file format.
 +
:* 3.0
 +
:** Utilizes the [http://en.wikipedia.org/wiki/Prediction_by_Partial_Matching PPMII] and [http://en.wikipedia.org/wiki/LZ77_and_LZ78 Lempel-Ziv (LZSS)]] algorithms.
 +
:** Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
 +
:** Based off of version 1.5 of the RAR file format.
 +
 +
 +
 +
==Software==
 +
 +
This only way to create a RAR file is using the [http://www.rarlab.com/ Winrar software]. There are several implementations of the process to open a RAR file (commonly known as the "unrar" process). Some of them are:
 +
 +
;unrarLib
 +
 +
:* RAR file unarchiver written in C
 +
:* Easy implementation with a header file and the source code file
 +
:* [http://www.unrarlib.org/ Information Link]
 +
 +
;WinRAR
 +
 +
:* Only software that can create and open a RAR file
 +
:* Distributed by a proprietary license
 +
:* [http://www.rarlab.com/download.htm WinRAR executable for Windows]
 +
 +
;UnRAR
 +
 +
:* Created by Eugene Roshal for opening up RAR files only
 +
:* May not be used to reverse engineer the RAR file format and create RAR files
 +
:* Source code provided for people to implement/integrate methods of opening RAR files
 +
:* Additionally, implementations of UnRAR are available for a plethora of operating systems
 +
:* [http://www.rarlab.com/rar_add.htm Download Link]
 +
 +
;The Unarchiver
 +
 +
:* Utility made for Mac OSX to open a multitude of files, including RAR files
 +
:* Very handy for dealing with multiple file types
 +
:* [http://code.google.com/p/theunarchiver/downloads/list Source Code Download]
 +
:* [http://unarchiver.c3.cx/ Information Website]
 +
 +
;7-Zip
 +
 +
:* Utility made for Windows applications to open a multitude of files, including RAR files
 +
:* [http://www.7-zip.org/download.html Download Link]
 +
 +
 +
There is a lot more software to open RAR files, but have been omitted due to redundancy.
 +
==See Also==
 +
* [http://en.wikipedia.org/wiki/RAR Wikipedia: RAR]
 +
* [http://acritum.com/winrar/rar-format RAR File Format Information]
 +
* RAR File Format Technical Information for Version 4.11 [[File:RARFileStructure.txt]]
 +
 +
[[Category:File Formats]]
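Review bot: In the 3.0 sub-format list, the line "Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES)" sets a mode of operation against a block cipher. CBC is a way of chaining the blocks of a cipher such as AES, so one cannot replace the other; name the cipher and the mode separately and cite a source for both. In the same list the Lempel-Ziv link closes with "]]" where a single "]" is needed, and the Software section opens with "This only way", which should read "The only way".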

Revision as of 09:36, 11 April 2012

RAR (Roshal ARchive file format) is a proprietary format for storing information, created by Eugene Roshal. The format is currently handled by Alexander Roshal, Eugene's brother.

Format

The file has the magic number of:

0x 52 61 72 21 1A 07 00

which breaks down into the following fields to describe an Archive Header (multi-byte fields are stored little-endian, so the bytes 52 61 are read as 0x6152):

  • 0x6152 - HEAD_CRC
  • 0x72 - HEAD_TYPE
  • 0x1a21 - HEAD_FLAGS
  • 0x0007 - HEAD_SIZE


RAR File Format

Each Block has the following fields

Block Fields
Name       | Size (bytes) | Description
HEAD_CRC   | 2            | CRC of total block or block part
HEAD_TYPE  | 1            | Block type
HEAD_FLAGS | 2            | Block flags
HEAD_SIZE  | 2            | Block size
ADD_SIZE   | 4            | Optional field - added block size

The HEAD_TYPE field takes one of the following values:

Block Types
Head Type Signifier | Description
HEAD_TYPE=0x72      | marker block
HEAD_TYPE=0x73      | archive header
HEAD_TYPE=0x74      | file header
HEAD_TYPE=0x75      | old style comment header
HEAD_TYPE=0x76      | old style authenticity information
HEAD_TYPE=0x77      | old style subblock
HEAD_TYPE=0x78      | old style recovery record
HEAD_TYPE=0x79      | old style authenticity information
HEAD_TYPE=0x7a      | subblock


Block Formats

Marker Block (MARK_HEAD)

MARK_HEAD
Field Name | Size (bytes) | Possibilities
HEAD_CRC   | 2            | Always 0x6152
HEAD_TYPE  | 1            | Header type: 0x72
HEAD_FLAGS | 2            | Always 0x1a21
HEAD_SIZE  | 2            | Block size = 0x0007
  • Note: the marker block is considered a fixed byte sequence (AKA, magic number) of: 0x52 0x61 0x72 0x21 0x1a 0x07 0x00 (which is seen as 'Rar!')
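
A header walk over the block fields and block types listed above, as an added example that is not part of the original wiki page. It assumes, from the RAR technical note rather than this page, that ADD_SIZE is present when HEAD_FLAGS has bit 0x8000 set; the sample bytes are constructed and HEAD_CRC is read but not verified.

```python
import struct

RAR_MAGIC = bytes.fromhex("526172211a0700")   # marker block from the page
LONG_BLOCK = 0x8000   # assumption from the RAR technote: ADD_SIZE follows when set
BLOCK_TYPES = {
    0x72: "marker block", 0x73: "archive header", 0x74: "file header",
    0x75: "old style comment header", 0x76: "old style authenticity information",
    0x77: "old style subblock", 0x78: "old style recovery record",
    0x79: "old style authenticity information", 0x7A: "subblock",
}

def walk_blocks(data):
    """Walk RAR block headers; return one dict per block found."""
    if not data.startswith(RAR_MAGIC):
        raise ValueError("no Rar! marker block at offset 0")
    blocks, offset = [], 0
    while offset + 7 <= len(data):
        # HEAD_CRC (2), HEAD_TYPE (1), HEAD_FLAGS (2), HEAD_SIZE (2), little-endian
        crc, htype, flags, size = struct.unpack_from("<HBHH", data, offset)
        has_add = bool(flags & LONG_BLOCK)
        if size < (11 if has_add else 7):
            # A HEAD_SIZE smaller than the header itself would stall the walk.
            raise ValueError(f"bad HEAD_SIZE {size} at offset {offset}")
        add_size = 0
        if has_add and offset + 11 <= len(data):
            (add_size,) = struct.unpack_from("<I", data, offset + 7)
        end = offset + size + add_size
        blocks.append({
            "offset": offset, "crc": crc, "flags": flags, "size": size,
            "type": BLOCK_TYPES.get(htype, f"unknown 0x{htype:02x}"),
            "add_size": add_size, "truncated": end > len(data),
        })
        offset = end
    return blocks

# Constructed sample (CRC fields zeroed, not valid checksums):
SAMPLE = (
    RAR_MAGIC
    + struct.pack("<HBHH", 0, 0x73, 0, 13) + bytes(6)               # archive header
    + struct.pack("<HBHHI", 0, 0x7A, LONG_BLOCK, 11, 5) + b"DATA!"  # block with ADD_SIZE
)

if __name__ == "__main__":
    for block in walk_blocks(SAMPLE):
        print(block)
```

The `truncated` flag marks a block whose declared length runs past the end of the buffer, which is the usual state of a carved or partially recovered archive.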


Metadata

Sub-formats

The RAR format is comprised of many sub-formats that have changed over the years. The different formats and their descriptions are as follows:

  • 1.3 (Does not have the RAR! signature)
    • There is difficulty finding information regarding this sub-format. Please update if you know something.
  • 1.5
    • Utilizes a proprietary compression method that is not available to the public.
    • Considered the root model of subsequent formats.
    • A detailed list of information can be found here: http://www.win-rar.com/index.php?id=24&kb_article_id=162
  • 2.0
    • Utilizes a proprietary compression method that is not available to the public.
    • Based off of version 1.5 of the RAR file format.
  • 3.0
    • Utilizes the PPMII and Lempel-Ziv (LZSS) algorithms.
    • Encryption now uses cipher block chaining (CBC) instead of Advanced Encryption Standard (AES).
    • Based off of version 1.5 of the RAR file format.


Software

The only way to create a RAR file is to use the WinRAR software. There are several implementations of the process to open a RAR file (commonly known as the "unrar" process). Some of them are:

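unrarLib
  • RAR file unarchiver written in C
  • Easy implementation with a header file and the source code file
  • Information Link: http://www.unrarlib.org/
WinRAR
  • Only software that can create and open a RAR file
  • Distributed under a proprietary license
  • WinRAR executable for Windows: http://www.rarlab.com/download.htm
UnRAR
  • Created by Eugene Roshal for opening up RAR files only
  • May not be used to reverse engineer the RAR file format and create RAR files
  • Source code provided for people to implement/integrate methods of opening RAR files
  • Additionally, implementations of UnRAR are available for a plethora of operating systems
  • Download Link: http://www.rarlab.com/rar_add.htm
The Unarchiver
  • Utility made for Mac OS X to open a multitude of files, including RAR files
  • Very handy for dealing with multiple file types
  • Source Code Download: http://code.google.com/p/theunarchiver/downloads/list
  • Information Website: http://unarchiver.c3.cx/
7-Zip
  • Utility made for Windows to open a multitude of files, including RAR files
  • Download Link: http://www.7-zip.org/download.html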


Much more software can open RAR files, but it has been omitted here due to redundancy.

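See Also

  • Wikipedia: RAR: http://en.wikipedia.org/wiki/RAR
  • RAR File Format Information: http://acritum.com/winrar/rar-format
  • RAR File Format Technical Information for Version 4.11 (File:RARFileStructure.txt)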