openwall / john

John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs
https://www.openwall.com/john/

john-samples 'p0.rar' file is not crackable #5272

Closed claudioandre-br closed 6 months ago

claudioandre-br commented 1 year ago

The 2john tool seems to do the right thing, but the hash is not recognized.

$ john-the-ripper.rar2john -v p0.rar

! HEAD_SIZE: 48, PACK_SIZE: 16, UNP_SIZE: 0
! file_hdr_block:
!   2d 91 74 24 84 30 00 10 00 00 00 00 00 00 00 03 00 00 00 00 00 ab 9b 3e 1d 33 08 00 a4 81 00 00
! file name size: 8 bytes
! file name: test.txt
! Dictionary size: 128 KB
! This is best candidate so far
! salt: 'p0.rar:$RAR3$*1*906ef03580b0df4b'
! UNP_VER is 2.9
! METHOD is m3b

! p0.rar: End of file
! Found a valid -p mode candidate in p0.rar
! WARNING best candidate found is too small, you may see false positives.
p0.rar:$RAR3$*1*906ef03580b0df4b*00000000*16*0*1*dfa00624bb2e2b5ed7130631248c0718*33:1::test.txt 
$ john hash.p0 
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)

I tried to see if it's a post Jumbo 1 regression, but it's not. The same hash was generated but also not detected.

$ docker run --rm -it --entrypoint=/bin/bash -v "$(pwd)":/data ghcr.io/openwall/john:v1.9.0J1
JtR@38eb99d208a9:/$ cd /data

JtR@38eb99d208a9:/data$ /john/run/john-avx2 p0.hash 
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)

Seems we are not aware of it: https://github.com/openwall/john/issues?q=is%3Aissue+%22best+candidate+found+is+too+small%22


[edited]

The GUI actually opens the file without using a password. CRC could be zero?

magnumripper commented 1 year ago

That sample isn't the best one... it's a zero-byte test.txt. I can unpack it with unrar (password is "password") but not with e.g. 7zip. And it gets weirder: I can unpack it with (original) unrar using any password and still get the 0-byte test.txt extracted just fine.

We should probably just delete that sample (or document these crazy facts).
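
Added example (not part of the thread and not John the Ripper's code): a Python check that splits the type-1 `$RAR3$` line from the issue and flags the zero-byte-file condition described in the comment above. The field names and their order are assumptions matched against the verbose rar2john output (PACK_SIZE 16, UNP_SIZE 0); only lines with inline data are handled.

```python
# Added example: triage a rar2john type-1 ("-p mode") line before loading it.
# Field order is an assumption read off the issue's sample; names are ours.
import zlib
from binascii import unhexlify

# Hash line copied from the issue (trailing space removed).
SAMPLE = ("p0.rar:$RAR3$*1*906ef03580b0df4b*00000000*16*0*1*"
          "dfa00624bb2e2b5ed7130631248c0718*33:1::test.txt")

def parse_rar3_type1(line):
    """Split an inline-data type-1 $RAR3$ line into named fields."""
    label, sep, rest = line.strip().partition(":$RAR3$*")
    if not sep:
        raise ValueError("no $RAR3$ tag found")
    body, _, trailer = rest.partition(":")
    parts = body.split("*")
    if len(parts) != 8 or parts[0] != "1" or parts[5] != "1":
        raise ValueError("not an 8-field type-1 line with inline data")
    _, salt, crc, pack, unp, _, data, method = parts
    return {
        "label": label,
        "salt": unhexlify(salt),
        "crc": int(crc, 16),
        "pack_size": int(pack),
        "unp_size": int(unp),
        "data": unhexlify(data),
        "method": method,
        "trailer": trailer,
    }

def triage(f):
    """Return findings that explain why a sample is a poor test vector."""
    findings = []
    if len(f["data"]) != f["pack_size"]:
        findings.append("inline data length differs from pack_size")
    if f["unp_size"] == 0:
        findings.append("unp_size is 0: zero-byte file "
                        "(the thread reports any password unpacks it)")
        if f["crc"] == zlib.crc32(b""):
            findings.append("crc equals the CRC-32 of empty input")
    return findings

if __name__ == "__main__":
    fields = parse_rar3_type1(SAMPLE)
    for finding in triage(fields):
        print(f"{fields['label']}: {finding}")
```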

solardiz commented 6 months ago

Per magnum's comment, this is almost a non-issue. So closing it.