
Hacking WinRAR for fun and profit - taviso
https://github.com/taviso/rarvmtools
======
taviso
Related blog post: http://blog.cmpxchg8b.com/2012/09/fun-with-constrained-programming.html

~~~
lordlicorice
The screenshot at the bottom is one of the coolest things I've ever seen.

------
DanBlake
Is this article implying that there is the possibility of including a
malicious application inside of a .rar format that would run upon
uncompression? That is crazy if true. Also makes me think using 7zip might be
a safer option than WinRAR if they handle the decompression differently.

~~~
gregschlom
Yes, but theoretically those applications wouldn't be able to do anything else
than modify the data that you're uncompressing, which simply means that you
have to decide whether you want to trust the data that you uncompressed.

Now of course there may be exploitable vulnerabilities here, but just as in
any other piece of software.

So no, just because this runs a VM doesn't mean it's intrinsically more
dangerous than anything else. Basically just any program that takes input from
the outside world (a PDF reader, an MP3 player, you name it) is vulnerable to
attacks.

~~~
anonymouz
But the fact that the VM has not seen much scrutiny by the community together
with the following snippet from the linked page:

"There are several known bugs in the RarVM.

[redacted as some have security consequences]"

makes it seem quite likely that there are some ugly vulnerabilities.

------
kijin
If anyone sent me an .rar these days, it would go straight into the Trash.
(Ditto for Koreans who insist on sending me .alz archives.) Sure, 7-Zip can
probably open it, but I still prefer .zip which has much better compatibility
overall.

I can understand why those who have used WinRAR for many years might keep
using the .rar format out of habit even in 2012, but is there any other reason
for anyone else to compress new files with .rar at this point? Sure, you might
be able to shave a few more kilobytes off a large file, but small differences
like that are becoming increasingly irrelevant compared to interoperability.
Are there other technical advantages to the .rar format that other formats
like .zip and .tar.gz lack?

~~~
psykotic
> If anyone sent me an .rar these days, it would go straight into the Trash.

So, a customer sends you a RAR file and it goes straight to the trash? You
sound like a swell guy.

~~~
stesch
We have customers who send .ace files.

------
gburt
Why does WinRAR have its own VM and what does WinRAR do when it creates a
.rar file? I feel like this is missing a lot of elucidation.

~~~
andrewf
(Not sure exactly what WinRAR does, but generally speaking for a compressor..)
Backwards compatibility.

Let's say you're putting together WinRAR 4.5 and have a fancy new compression
method you want to implement. .RAR files generated with Version 4.5 that use
it, won't be compatible with earlier versions.

The way around this is to embed, in the .RAR file itself, a program (written
in the WinRAR VM) to decompress the data using the new method. WinRAR 4.0 can
just run this embedded program without knowing the precise details of the
Version 4.5 algorithm.

So you get some of the advantages of a self-executable archive without the
portability and security issues.

I think that WinRAR in particular implements a lot of pre-filters, which are
things you run over the data before your main compression algorithm in order
to make the data more compressible. This seems like a good use for such a VM -
they're simple, less-speed-critical than your core compressor, and you can
always write more of them.

Examples of prefilters are BCJ2
(<http://en.wikipedia.org/wiki/7z#Pre-processing_filters>) and the PNG image
filters (<http://www.w3.org/TR/PNG-Filters.html>).

~~~
mkup
Why WinRAR team didn't add digital signing to the code for that VMs? Old
WinRAR versions would contain VM interpreter, public RSA key and signature
verification code; new WinRAR versions would embed already signed blobs of VM
code into archive files; private RSA key would stay on WinRAR developers'
computers only. And no one would be able to execute arbitrary VM code on end
user PC.

~~~
klodolph
What exactly is the drawback of executing arbitrary VM code on an end user PC?
If there aren't security flaws in the VM, then the code is sandboxed, and
worst case you extract a really big file or hang WinRAR.

Now, if there's a security flaw, that's a different story. But it looks like
the VM just gets to play around with memory and registers and doesn't get any
libraries or IO, and doesn't rely on type safety for correctness -- which
eliminates the typical sources of security holes in more complex VMs such as
JVM. And if you don't need great performance, then you can put bounds checks
everywhere.

Safe as houses. Unless someone screwed up.

~~~
mkup
Because it's better to be safe than sorry.

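The sandbox klodolph describes above, a VM that can touch only its registers and a fixed memory buffer, with no I/O and bounds checks everywhere, as an added example in Python. This is a toy interpreter with an invented instruction set, not the RarVM (whose instruction set, memory layout and limits are not given on this page); the opcodes, the memory size, the instruction budget and the sample programs are all constructed for the demonstration. The budget stands in for "worst case you hang WinRAR": a spinning program is stopped rather than left running.

```python
"""Toy sandboxed bytecode VM: registers + one memory buffer, nothing else.

Added example, not the RarVM. Opcodes, MEM_SIZE, MAX_STEPS and the sample
programs below are constructed for illustration.
"""

MASK32 = 0xFFFFFFFF
MEM_SIZE = 0x1000     # the only memory a program can see (assumed size)
NUM_REGS = 8
MAX_STEPS = 10_000    # instruction budget: bounds the damage of an endless loop


class VMError(Exception):
    """Any violation aborts the program; the host treats the filter as corrupt."""


def _reg(r):
    if not 0 <= r < NUM_REGS:
        raise VMError(f"register r{r} out of range")
    return r


def _addr(a):
    if not 0 <= a < MEM_SIZE:
        raise VMError(f"address {a:#x} out of bounds")
    return a


def run(program, memory):
    """Execute `program` (list of tuples) over `memory` (bytearray of MEM_SIZE).

    Returns (registers, steps). The program has no host calls at all: the
    register file and `memory` are the only state it can read or write.
    """
    if len(memory) != MEM_SIZE:
        raise VMError("memory must be exactly MEM_SIZE bytes")
    regs = [0] * NUM_REGS
    pc = 0
    for step in range(1, MAX_STEPS + 1):
        if not 0 <= pc < len(program):
            raise VMError(f"pc {pc} outside program")
        op, args = program[pc][0], program[pc][1:]
        pc += 1
        if op == "HALT":
            return regs, step
        elif op == "MOVI":                       # rd = imm32
            rd, imm = args
            regs[_reg(rd)] = imm & MASK32
        elif op == "ADD":                        # rd = rd + rs (mod 2^32)
            rd, rs = args
            regs[_reg(rd)] = (regs[_reg(rd)] + regs[_reg(rs)]) & MASK32
        elif op == "XOR":                        # rd = rd ^ rs
            rd, rs = args
            regs[_reg(rd)] ^= regs[_reg(rs)]
        elif op == "LOAD":                       # rd = mem[ra] (one byte)
            rd, ra = args
            regs[_reg(rd)] = memory[_addr(regs[_reg(ra)])]
        elif op == "STORE":                      # mem[ra] = rs & 0xFF
            ra, rs = args
            memory[_addr(regs[_reg(ra)])] = regs[_reg(rs)] & 0xFF
        elif op == "JNZ":                        # if rd != 0: pc = target
            rd, target = args
            if regs[_reg(rd)]:
                pc = target                      # checked at the top of the next step
        else:
            raise VMError(f"bad opcode {op!r}")
    raise VMError("instruction budget exhausted")


# Benign "filter" (constructed): XOR the first 16 bytes of memory with 0x55.
XOR_FILTER = [
    ("MOVI", 0, 0),        # r0 = address
    ("MOVI", 1, 0x55),     # r1 = key
    ("MOVI", 2, 16),       # r2 = bytes left
    ("MOVI", 3, MASK32),   # r3 = -1
    ("MOVI", 4, 1),        # r4 = +1
    ("LOAD", 5, 0),        # loop: r5 = mem[r0]
    ("XOR", 5, 1),
    ("STORE", 0, 5),       # mem[r0] = r5
    ("ADD", 0, 4),         # r0 += 1
    ("ADD", 2, 3),         # r2 -= 1
    ("JNZ", 2, 5),
    ("HALT",),
]

# Hostile programs (constructed): a write past the buffer, and an endless loop.
OOB_WRITE = [("MOVI", 0, MEM_SIZE), ("MOVI", 1, 0x41), ("STORE", 0, 1), ("HALT",)]
SPIN = [("MOVI", 0, 1), ("JNZ", 0, 1)]


def run_filter(data: bytes) -> bytes:
    """Run XOR_FILTER over `data` (at most MEM_SIZE bytes) and return the result."""
    mem = bytearray(MEM_SIZE)
    mem[:len(data)] = data
    run(XOR_FILTER, mem)
    return bytes(mem[:len(data)])


def try_run(program) -> str:
    """Return 'ok', or the VMError message showing how a hostile program dies."""
    try:
        run(program, bytearray(MEM_SIZE))
        return "ok"
    except VMError as e:
        return str(e)
```

The point of the shape is that every path a program can take to the host (register index, memory address, program counter, running time) goes through one check, so a hostile filter can only fail loudly or be cut off; the 0x1000 write and the spin loop above do exactly that. Whether a real interpreter has the same property is, as the thread says, a matter of whether someone screwed up in those checks.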
------
JoshTriplett
Nice to see more FOSS tools trying to dissect the RAR format.

Now if only a decompressor existed for current versions of RAR. A FOSS unrar
tool exists that decompresses RAR 1, RAR 2, and some RAR 3 archives, but not
current RAR 3 archives.

~~~
tbirdz
No, now there is unar, FOSS which will work for all rar versions.

~~~
JoshTriplett
Hadn't seen that one; thanks for the pointer! Since "unar" proved difficult to
search for: <http://unarchiver.c3.cx/>

------
mey
"Known Bugs There are several known bugs in the RarVM.

[redacted as some have security consequences]"

I wonder if torrent seeders have exploited this to spread malware/bots....

~~~
mukyu
Doubtful when it is so much easier to get people with 'download this codec to
play this video' or putting them in cracks/keygens.

------
wamatt
Wow, had no idea WinRAR contained a mini-VM. Cool, weird and maybe slightly
disconcerting

~~~
TazeTSchnitzel
It's funny, so does Bitcoin, Adobe Reader, a lot of things.

Maybe we need to rewrite that old law:

 _All programs expand until they contain a virtual machine. Those that cannot
do so are replaced by ones that can._

~~~
runn1ng
What does Bitcoin do with virtual machine?

(If you don't take "running the bitcoin script" as "virtual machine".... then
yes, it is technically a virtual machine, but very Turing incomplete.)

~~~
TazeTSchnitzel
Yes, I meant the script. Not Turing complete, sure, but still quite flexible.

------
StavrosK
Can someone explain exactly how WinRAR uses this VM to improve compression?

~~~
jevinskie
If you read the linked blog post you will see one example. For instance, calls
to a foobar function are encoded with relative addresses. The preprocessor can
detect this, calculate the absolute address, encode that, and calculate the
original relative address at decompression time. I like the idea apart from
the security concerns! I was excited to find an unknown aspect of such a
prolific program!

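The relative-to-absolute CALL rewriting jevinskie describes above, and the prefilter idea andrewf sketches earlier in the thread, as an added example: a toy x86 E8 filter in Python. This is not code from rarvmtools or WinRAR, whose actual filter is not described on this page. Assumptions: only the 5-byte CALL rel32 form is handled, no range heuristic is applied (real filters usually skip E8 bytes whose operand could not plausibly be a code address), zlib stands in for the archiver's compressor, and the NOP-filled sample section is constructed.

```python
"""Toy E8 (x86 CALL rel32) pre-filter of the kind a compressor runs before
its main algorithm.  Added example, not rarvmtools or WinRAR code; sample
input is constructed, zlib is a stand-in for the real compressor.
"""
import random
import struct
import zlib

E8 = 0xE8        # x86 opcode: CALL rel32
INSN_LEN = 5     # opcode + 32-bit displacement
MASK32 = 0xFFFFFFFF


def e8_filter(data: bytes, encode: bool) -> bytes:
    """Rewrite every CALL rel32 displacement in place.

    encode=True  : relative -> absolute (displacement + address of the next
                   instruction), so repeated calls to one function become
                   identical byte strings for the compressor.
    encode=False : the exact inverse, run after decompression.

    Only the 4 operand bytes after an E8 ever change and the scan skips over
    them, so both directions visit the same offsets; the transform round-trips
    even when an E8 byte is really data, it just fails to help compression.
    """
    buf = bytearray(data)
    i = 0
    while i + INSN_LEN <= len(buf):
        if buf[i] != E8:
            i += 1
            continue
        next_ip = i + INSN_LEN
        value = struct.unpack_from("<I", buf, i + 1)[0]
        value = (value + next_ip) & MASK32 if encode else (value - next_ip) & MASK32
        struct.pack_into("<I", buf, i + 1, value)
        i = next_ip
    return bytes(buf)


def build_sample_code(func_addr: int, call_sites: list, size: int) -> bytes:
    """Constructed stand-in for a .text section: NOP filler with CALL rel32
    instructions at the given offsets, all targeting func_addr."""
    buf = bytearray(b"\x90" * size)
    for site in call_sites:
        rel = (func_addr - (site + INSN_LEN)) & MASK32
        buf[site] = E8
        struct.pack_into("<I", buf, site + 1, rel)
    return bytes(buf)


def demo(seed: int = 1, n_calls: int = 60, size: int = 8192) -> dict:
    """Filter, compress, decompress, unfilter; report sizes and the round trip."""
    rng = random.Random(seed)
    # irregular, non-overlapping call sites (step of INSN_LEN keeps them apart)
    sites = sorted(rng.sample(range(0x100, size - INSN_LEN, INSN_LEN), n_calls))
    code = build_sample_code(0x40, sites, size)

    filtered = e8_filter(code, encode=True)
    operands = {struct.unpack_from("<I", filtered, s + 1)[0] for s in sites}

    compressed = zlib.compress(filtered, 9)
    restored = e8_filter(zlib.decompress(compressed), encode=False)

    return {
        "round_trip_ok": restored == code,
        "distinct_operands_after_filter": len(operands),   # 1: every call now reads E8 40 00 00 00
        "compressed_raw": len(zlib.compress(code, 9)),
        "compressed_filtered": len(compressed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the filtered section compresses smaller than the raw one, because sixty different displacements collapse into one repeated target. Doing this inside an archive-supplied VM program rather than in the extractor is what lets an old extractor handle a filter invented later, which is andrewf's point; it is also why the interpreter's own correctness matters.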
------
luriel
In somewhat related news, here is Russ Cox's excellent blog post about cool
hacks with the zip format:

<http://research.swtch.com/zip>

------
ck2
Didn't the WinRAR author pass away several years ago? Vaguely remember.

Is it still being developed?

Oh okay, it was the distributor, not author:
<http://en.wikipedia.org/wiki/Ron_Dwight>

~~~
malkia
Eugene Roshal is the author, and from his other products I use everyday the
FAR Manager for Windows (Midnight Commander / Norton Commander type of file
manager) - <http://en.wikipedia.org/wiki/Eugene_Roshal>

FAR Manager has been open-sourced - <http://www.farmanager.com/>

------
hamxiaoz
Watch out, the linked post [1] is blocked by my TrendMicro.

[1] http://blog.cmpxchg8b.com/2012/09/fun-with-constrained-programming.html

~~~
asdfs
It's probably picking up the text and assuming that it might be a malicious
payload.

This sort of thing can happen to some virus scanners when they come across a
page with the text of things like malicious VBScript, batch files, etc., even
if it's text that's displayed on the page.

------
duskwuff
For what it's worth, 7zip contains a virtual machine too. Not sure how capable
it is compared to WinRAR's, though.

