Open RAR File

Information, tips and instructions

Analysis of RAR File Structure

Features of RAR Files

RAR files typically offer better compression ratios than ZIP files, but they compress and decompress more slowly.

Split Compression: The compressed file is divided into multiple parts.

Solid Compression: Treats all the files to be compressed as a single entity, increasing the compression ratio. The downside is that to access any file from the archive, the entire archive needs to be extracted.

Recovery Record: Adds redundant data to help repair the archive. If the archive is damaged but contains enough recovery record data, the damaged archive can be restored.

Encryption: RAR 2.0 uses AES-128-CBC, while RAR 5.0 and later use AES-256-CBC. Earlier versions of RAR used a proprietary encryption algorithm. Currently, these encryption methods have not been directly cracked (at least not publicly). Without a password, brute-force cracking is the only option.

RAR File Stream Analysis

The signature of RAR 5.0 consists of 8 bytes:

0x52 0x61 0x72 0x21 0x1A 0x07 0x01 0x00

The signature of RAR 4.x consists of 7 bytes:

0x52 0x61 0x72 0x21 0x1A 0x07 0x00

A RAR 4.x compressed file is composed of several blocks of variable length.

Common Block Types:

Marker Block: HEAD_TYPE=0x72
Compressed File Header: HEAD_TYPE=0x73
File Header: HEAD_TYPE=0x74
Old-style Comment Header: HEAD_TYPE=0x75
Old-style User Identity Info: HEAD_TYPE=0x76
Old-style Subblock: HEAD_TYPE=0x77
Old-style Recovery Record: HEAD_TYPE=0x78
Old-style User Identity Info: HEAD_TYPE=0x79
Subblock: HEAD_TYPE=0x7A
Final End Block: HEAD_TYPE=0x7B

Marker Block (MARK_HEAD)

The first block is the Marker Block (MARK_HEAD), and its data is as follows:

52 61 72 21 1A 07 00

Left is the low byte, right is the high byte. This is the RAR 4.x signature; it indicates that the file was compressed using software supporting RAR 4.x.

If compressed with software supporting version 5.0, the signature may differ.

52 61 72 21 1A 07 01 00

Left is the low byte, right is the high byte. This is the RAR 5.x signature.

Byte Explanation

52 61 is the header checksum (HEAD_CRC), occupying two bytes. Every block starts with HEAD_CRC, and all RAR files begin with 52 61.

72 is the block type (HEAD_TYPE), occupying one byte, and is consistent for all files.

21 1A is the block flags (HEAD_FLAGS), occupying two bytes.

07 00 indicates the block size, i.e., 52 61 72 21 1A 07 00 (Marker Block) occupies 7 bytes.

Compressed File Header (MAIN_HEAD)

The second block is the Compressed File Header (MAIN_HEAD), similar to the Marker Block.

The header type is 0x73, indicating the Compressed File Header block. The two-byte values below are written in file byte order (low byte first). The flags are 0x0000, meaning no flags are set. If the block header is encrypted, the flags should be 0x8000. The header size is 0x0D00 (bytes 0D 00), so this compressed file header block occupies 13 bytes.

File Header (FILE_HEAD)

For details of the RAR file format and its fields, please refer to the RAR 5.0 archive format description.

Next, we will analyze the file header stream using a RAR file as an example.

D5 56: HEAD_CRC, 2 bytes, CRC check
74: HEAD_TYPE, 1 byte, block type, 74 indicates the block is a file header
20 90: HEAD_FLAGS, 2 bytes, flags, the value 20 90 has not been found in the documentation.
2D 00: HEAD_SIZE, 2 bytes, total size of the file header (including file name and comment)
10 00 00 00: PACK_SIZE, 4 bytes, compressed file size
10 00 00 00: UNP_SIZE, 4 bytes, uncompressed file size
02: HOST_OS, 1 byte, the operating system used for compressing the file, 02 represents Windows
C7 88 67 36: FILE_CRC, 4 bytes, the CRC value of the file
6D BB 4E 4B: FTIME, 4 bytes, MS-DOS standard format date and time
1D: UNP_VER, 1 byte, the minimum RAR version required to extract the file
30: METHOD, 1 byte, compression method, here it is stored compression
08 00: NAME_SIZE, 2 bytes, file name length 8 bytes (flag.txt)
20 00 00 00: ATTR, 4 bytes, indicating file attributes, here it is a txt file
66 6C 61 67 2E 74 78 74: FILE_NAME (file name), NAME_SIZE bytes, here NAME_SIZE is 8

The next part is the content of the txt file, continuing until line 65. Below is the start of another file block. This block contains two CRC values: one is the checksum of the file header block (from block type to file name, 38 bytes), and the other is the CRC checksum of the file contained in the archive. When decompressing, the CRC value of the extracted file is calculated, and if it matches the CRC here, the extraction is complete. Otherwise, an error will occur, and the process will stop.

End Block

This end block has the same byte size and analysis method as the marker block.

C4 3D: HEAD_CRC, 2 bytes, the CRC checksum from HEAD_TYPE to HEAD_SIZE
7B: HEAD_TYPE, 1 byte, indicating that this block is the end block
00 40: HEAD_FLAGS, 2 bytes, flags
07 00: HEAD_SIZE, 2 bytes, block size

Similar to the marker block, the end block is also a fixed byte sequence, which is C4 3D 7B 00 40 07 00.
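The block layout walked through above, as an added Python example (not part of the original page or of any RAR tool): it walks the blocks of a RAR 4.x file, checks each HEAD_CRC as the low 16 bits of CRC32 over the header from HEAD_TYPE onward, and checks FILE_CRC for stored entries. The archive bytes come from sample_archive(), a constructed sample; walk_rar4, block and sample_archive are names chosen here, and the handling of flag bits 0x8000 and 0x0100 follows the RAR 4.x technical note rather than this page.

```python
import struct
import zlib

RAR4_SIG = bytes.fromhex("526172211A0700")    # 7-byte RAR 4.x marker block
RAR5_SIG = bytes.fromhex("526172211A070100")  # 8-byte RAR 5.0 signature
NAMES = {0x73: "MAIN_HEAD", 0x74: "FILE_HEAD", 0x7A: "SUBBLOCK", 0x7B: "END"}

def walk_rar4(data):
    """Return one dict per block that follows the RAR 4.x marker block."""
    if data.startswith(RAR5_SIG):
        raise ValueError("RAR 5.0 signature: block layout differs")
    if not data.startswith(RAR4_SIG):
        raise ValueError("no RAR signature")
    pos, blocks = len(RAR4_SIG), []
    while pos + 7 <= len(data):
        crc, htype, flags, size = struct.unpack_from("<HBHH", data, pos)
        has_add = bool(flags & 0x8000)  # ADD_SIZE (PACK_SIZE in a file header) follows
        if size < (11 if has_add else 7) or pos + size > len(data):
            raise ValueError(f"bad HEAD_SIZE {size} at offset {pos}")
        hdr = data[pos:pos + size]
        add = struct.unpack_from("<I", hdr, 7)[0] if has_add else 0
        if pos + size + add > len(data):
            raise ValueError(f"block at offset {pos} runs past end of file")
        blk = {"type": NAMES.get(htype, hex(htype)), "flags": flags, "size": size,
               "head_crc_ok": crc == zlib.crc32(hdr[2:]) & 0xFFFF}
        if htype == 0x74 and size >= 32:
            unp, host, fcrc, ftime, ver, method, nlen, attr = struct.unpack_from(
                "<IBIIBBHI", hdr, 11)
            off = 40 if flags & 0x0100 else 32  # 64-bit size fields precede the name
            body = data[pos + size:pos + size + add]
            # Stored entries (METHOD 0x30) hold raw bytes, so FILE_CRC can be checked.
            blk.update(name=hdr[off:off + nlen].decode("latin-1"), unp_size=unp,
                       file_crc_ok=(zlib.crc32(body) == fcrc) if method == 0x30 else None)
        blocks.append(blk)
        pos += size + add
        if htype == 0x7B:  # end block: stop, trailing bytes are not archive blocks
            break
    return blocks

def block(htype, flags, body=b"", data=b""):
    """Build one block for the constructed sample below."""
    rest = struct.pack("<BHH", htype, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest + data

def sample_archive():
    content = b"constructed data"  # 16 bytes, stored like the page's flag.txt entry
    fh = struct.pack("<IIBIIBBHI", 16, 16, 2, zlib.crc32(content), 0x4B4EBB6D,
                     0x1D, 0x30, 8, 0x20) + b"flag.txt"
    return (RAR4_SIG + block(0x73, 0, bytes(6)) + block(0x74, 0x8000, fh, content)
            + block(0x7B, 0x4000))
```

A header whose bytes were edited after the archive was written shows up as head_crc_ok False, and altered stored content as file_crc_ok False, which is the same comparison the extractor makes before reporting an error.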

Identifying Characters

Rar Hex S: 52 61 72 21

Rar Hex E: C4 3D 7B 00

Zip Hex S: 50 4B 03 04

Zip Hex E: 50 4B 05 06

Opens with

WinRAR

7-Zip

Bandizip

ZArchiver