+----------------------------------------------------------------------------------------------------------------+
| RAR5 CRYPTOGRAPHIC FUNCTIONS - LIST OF KNOWN FUNCTIONS                                                         |
+----------------------------------------------------------------------------------------------------------------+

+-------------+---------------+----------------------------------------------------------------------------------+
| ADDRESS     | FUNCTION NAME | PURPOSE & NOTES                                                                  |
+-------------+---------------+----------------------------------------------------------------------------------+
| 0x140001fa0 | FUN_140001fa0 | MAIN CONSTRUCTOR - allocates context, calls init functions                       |
| 0x1400251e4 | FUN_1400251e4 | PASSWORD DIALOG - prompts, handles first/second entry, calls password reader     |
| 0x1400255c0 | FUN_1400255c0 | CONSOLE PASSWORD READER - ReadConsoleW, buffer 0x200 (512 chars)                 |
| 0x140009d3c | FUN_140009d3c | COPY PASSWORD TO STRUCTURE - SSO optimization, wcslen + memcpy                   |
| 0x14006c3ec | FUN_14006c3ec | REMOVE CR/LF FROM PASSWORD - strips '\r' and '\n' from end                       |
| 0x1400271d0 | FUN_1400271d0 | SALT GENERATOR (PRIMARY) - CryptGenRandom (Windows CryptoAPI)                    |
| 0x140027de8 | FUN_140027de8 | SALT GENERATOR (FALLBACK - WEAK!) - GetTickCount + QPC + global counter          |
| 0x14008d780 | FUN_14008d780 | GetTickCount() WRAPPER - milliseconds since boot                                 |
| 0x14006ea28 | FUN_14006ea28 | QPC WRAPPER + DIVISION - QueryPerformanceCounter / 1,000,000                     |
| 0x1400696c0 | FUN_1400696c0 | KEY GENERATION WRAPPER - checks non-empty password, calls context prep           |
| 0x140069530 | FUN_140069530 | KEY CONTEXT PREPARATION - copies password, calls DPAPI protection                |
| 0x140069578 | FUN_140069578 | DPAPI MEMORY PROTECTION - CryptProtectMemory / CryptUnprotectMemory              |
| 0x1400578b0 | FUN_1400578b0 | PBKDF2 MAIN LOOP - 32768 iterations (0x8000), buffer management                  |
| 0x140057764 | FUN_140057764 | PBKDF2 BUFFER READ - internal data extraction from buffer                        |
| 0x140057afc | FUN_140057afc | PBKDF2 INTERNAL FUNCTION - block processing, CBC feedback                        |
| 0x140019628 | FUN_140019628 | SHA-256 (SOFTWARE) - pure software implementation, constants found               |
| 0x140019a40 | FUN_140019a40 | AES-256 DECRYPTION (HARDWARE) - uses aesdec / aesdeclast (AES-NI)                |
| 0x14001ade0 | FUN_14001ade0 | AES DISPATCHER (DECRYPT) - processes 0x40 (64-byte) blocks                       |
| 0x14001ab88 | FUN_14001ab88 | AES BLOCK PROCESSOR - handles alignment, selects HW/SW AES                       |
| 0x14003c14c | FUN_14003c14c | I/O DISPATCHER - mode 1=wide strings, mode 2=CRC, mode 3=AES decryption          |
| 0x14003c20c | FUN_14003c20c | CRC / CHECKSUM (Mode 2) - computes data checksums (not cryptographic)            |
| 0x14003da10 | FUN_14003da10 | VERBOSE LISTING (rar v) - displays archive contents, CRC32, BLAKE2               |
| 0x140065c3c | FUN_140065c3c | AES-256 ENCRYPTION (HARDWARE) - uses aesenc / aesenclast (AES-NI)                |
| 0x1400657c8 | FUN_1400657c8 | AES-256 ENCRYPTION (SOFTWARE) - table-based (Te0..Te3 + S-box)                   |
| 0x140065ddc | FUN_140065ddc | AES CORE ROUND - SubBytes (S-box), ShiftRows, AddRoundKey, CBC feedback          |
| 0x140065d08 | FUN_140065d08 | AES KEY EXPANSION - generates 14 round keys (224 bytes) from 32-byte key         |
| 0x14006522c | FUN_14006522c | AES CONTEXT INIT - CPUID detection (AES-NI), sets num_rounds, copies key         |
| 0x140065020 | FUN_140065020 | AES T-TABLE GENERATOR - builds Te0..Te3 and Td0..Td3 from S-box + Rcon           |
| 0x140065cb4 | FUN_140065cb4 | GF(2^8) MULTIPLICATION - xtime + multiply in AES Galois field (per AI analysis)  |
| 0x14009abd0 | FUN_14009abd0 | memcpy (AVX/AVX2) - optimized memory copy, used everywhere                       |
| 0x140009ed4 | FUN_140009ed4 | STRING COMPARE (AVX2) - wcsncmp with vpcmpeqw + vpmovmskb                        |
| 0x140080c64 | FUN_140080c64 | malloc WRAPPER - heap memory allocation                                          |
| 0x140069718 | FUN_140069718 | free WRAPPER - heap memory deallocation                                          |
| 0x140080e20 | FUN_140080e20 | STACK COOKIE CHECK - GS security, calls __fastfail on mismatch                   |
| 0x14006df84 | FUN_14006df84 | SECURE MEMORY CLEANUP - zeroes sensitive data (keys, passwords)                  |
| 0x1400266cc | FUN_1400266cc | CRC TABLE INITIALIZER - builds CRC-32 (or CRC-32C) table for decompressor        |
+-------------+---------------+----------------------------------------------------------------------------------+

FUNCTIONS BY CATEGORY

+-----------------+------------------------------------------------------------------------------------------+
| CATEGORY        | FUNCTIONS                                                                                |
+-----------------+------------------------------------------------------------------------------------------+
| PASSWORD INPUT  | FUN_1400251e4, FUN_1400255c0, FUN_140009d3c, FUN_14006c3ec, FUN_140009ed4                |
| SALT GENERATION | FUN_1400271d0, FUN_140027de8, FUN_14008d780, FUN_14006ea28                               |
| KEY DERIVATION  | FUN_1400696c0, FUN_140069530, FUN_140069578, FUN_1400578b0, FUN_140057764, FUN_140057afc |
| SHA-256         | FUN_140019628                                                                            |
| AES (DECRYPT)   | FUN_140019a40, FUN_14001ade0, FUN_14001ab88, FUN_14003c14c                               |
| AES (ENCRYPT)   | FUN_140065c3c, FUN_1400657c8, FUN_140065ddc, FUN_140065d08, FUN_14006522c                |
| AES TABLES      | FUN_140065020, FUN_140065cb4                                                             |
| UTILITIES       | FUN_14009abd0, FUN_140080c64, FUN_140069718, FUN_140080e20, FUN_14006df84, FUN_1400266cc |
| OTHER           | FUN_14003c20c, FUN_14003da10, FUN_140001fa0                                              |
+-----------------+------------------------------------------------------------------------------------------+

CONSTANTS & TABLES LOCATIONS (in the Ghidra disassembly of Rar.exe):

+--------------------------+--------------+---------+-------------------------------------------------+
| ITEM                     | ADDRESS      | SIZE    | DESCRIPTION                                     |
+--------------------------+--------------+---------+-------------------------------------------------+
| S-box (AES)              | 0x1400bb350  | 256     | Standard AES S-box: 63 7C 77 7B F2 6B 6F C5...  |
| Rcon (round constants)   | 0x1400b9a50  | 40      | 01 02 04 08 10 20 40 80 1B 36...                |
| Te0 (T-table 0)          | 0x1400c8f00  | 1024    | Generated dynamically by FUN_140065020          |
| Te1 (T-table 1)          | 0x1400c9300  | 1024    | Generated dynamically                           |
| Te2 (T-table 2)          | 0x1400c9700  | 1024    | Generated dynamically                           |
| Te3 (T-table 3)          | 0x1400c9b00  | 1024    | Generated dynamically                           |
| Td0 (Inv T-table 0)      | 0x1400caf00  | 1024    | Generated dynamically                           |
| Td1 (Inv T-table 1)      | 0x1400cb300  | 1024    | Generated dynamically                           |
| Td2 (Inv T-table 2)      | 0x1400cb700  | 1024    | Generated dynamically                           |
| Td3 (Inv T-table 3)      | 0x1400cbb00  | 1024    | Generated dynamically                           |
| CRC table (decompressor) | 0x1400bd0b0  | 1024    | Built by FUN_1400266cc                          |
| Stack cookie (canary)    | 0x1400bba80  | 8       | DAT_1400bba80, randomized per process           |
+--------------------------+--------------+---------+-------------------------------------------------+

S-BOX:

+--------+-------------------------------------------------+------------------+
| OFFSET | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | ASCII (partial)  |
+--------+-------------------------------------------------+------------------+
| 0x00   | 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 | c|w{.ko.0.g+...v |
| 0x10   | CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 | ...}.YG.......r. |
| 0x20   | B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15 | ...&6?..4...q.1. |
| 0x30   | 04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75 | ..#..........'.u |
| 0x40   | 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84 | ..,..nZ.R;..)./. |
| 0x50   | 53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF | S... ..[j..9JLX. |
| 0x60   | D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8 | ....CM3.E...P<.. |
| 0x70   | 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2 | Q.@...8....!.... |
| 0x80   | CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73 | ...._.D...~=d].s |
| 0x90   | 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB | `.O."*..F....^.. |
| 0xA0   | E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79 | .2:.I.$\...b...y |
| 0xB0   | E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08 | ..7m..N.lV..ez.. |
| 0xC0   | BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A | .x%.......t.K... |
| 0xD0   | 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E | p>.fH...a5W..... |
| 0xE0   | E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF | ....i........U(. |
| 0xF0   | 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16 | ......BhA.-..T.. |
+--------+-------------------------------------------------+------------------+

In RAW: 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15 04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84 53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2 CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79 E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08 BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16

RCON (Round Constants for AES Key Schedule):

+--------+-------------------------------------------------+---------------------------------------------+
| OFFSET | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | VALUE (hex)                                 |
+--------+-------------------------------------------------+---------------------------------------------+
| 0x00   | 01 02 04 08 10 20 40 80 1B 36 00 00 00 00 00 00 | Rcon[1..10] (for AES-128, AES-192, AES-256) |
+--------+-------------------------------------------------+---------------------------------------------+

In RAW: 01 02 04 08 10 20 40 80 1B 36
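Added example, not code from these notes or from Rar.exe: it regenerates the AES S-box, Rcon and Te0 from the GF(2^8) arithmetic the notes attribute to FUN_140065cb4 and FUN_140065020, so the constants dumped above can be cross-checked against a known-good derivation instead of trusted from the disassembly alone. The Te0 word layout (2*S, S, S, 3*S) follows the common rijndael-alg-fst convention and is an assumption about how the binary lays out its own tables.

```c
#include <stdint.h>
#include <string.h>
uint8_t  sbox[256];   /* regenerated AES S-box (dumped at 0x1400bb350 in the notes) */
uint8_t  rcon[10];    /* regenerated round constants (dumped at 0x1400b9a50) */
uint32_t Te0[256];    /* regenerated T-table 0 (word layout assumed, see lead-in) */

/* xtime: multiply by x (0x02) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 */
static uint8_t xtime(uint8_t b) { return (uint8_t)((b << 1) ^ ((b & 0x80) ? 0x1b : 0)); }
/* General GF(2^8) multiply built on xtime, as the notes describe for FUN_140065cb4. */
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        a = xtime(a);
        b >>= 1;
    }
    return p;
}

/* Rebuild S-box (GF(2^8) inverse followed by the affine map), Rcon and Te0. */
void aes_build_tables(void) {
    uint8_t p = 1, q = 1;
    do {                                    /* p walks the powers of 3, q their inverses */
        p = p ^ xtime(p);                   /* p *= 3 */
        q ^= q << 1; q ^= q << 2; q ^= q << 4;
        if (q & 0x80) q ^= 0x09;            /* q /= 3, so q == inverse(p) */
        uint8_t x = q ^ (uint8_t)((q << 1) | (q >> 7)) ^ (uint8_t)((q << 2) | (q >> 6))
                      ^ (uint8_t)((q << 3) | (q >> 5)) ^ (uint8_t)((q << 4) | (q >> 4));
        sbox[p] = x ^ 0x63;                 /* affine transform */
    } while (p != 1);
    sbox[0] = 0x63;                         /* 0 has no inverse; maps to the constant */
    uint8_t r = 1;                          /* Rcon[i] = x^(i-1): 01 02 04 ... 1B 36 */
    for (int i = 0; i < 10; i++) { rcon[i] = r; r = xtime(r); }
    for (int i = 0; i < 256; i++) {         /* Te0 = SubBytes fused with MixColumns column 0 */
        uint8_t s = sbox[i];
        Te0[i] = ((uint32_t)gmul(s, 2) << 24) | ((uint32_t)s << 16)
               | ((uint32_t)s << 8) | gmul(s, 3);
    }
}

/* Check the regenerated tables against the bytes dumped from Rar.exe in the notes above. */
int aes_tables_match_dump(void) {
    static const uint8_t sbox_head[8]  = {0x63,0x7C,0x77,0x7B,0xF2,0x6B,0x6F,0xC5};
    static const uint8_t rcon_dump[10] = {0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1B,0x36};
    aes_build_tables();
    return memcmp(sbox, sbox_head, sizeof sbox_head) == 0
        && memcmp(rcon, rcon_dump, sizeof rcon_dump) == 0;
}
```

A mismatch here would mean the binary's table is not the standard AES S-box (a patched or obfuscated build), which is worth flagging before trusting any key-schedule analysis built on it.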