c R A R k  for  7-Zip
(Fastest 7-Zip Cracker)
v. 1.1

(c) Copyright PSW-soft 2012-13 by P. Semjanov


This is FREEWARE program, so it can be distributed under the following conditions: program code is kept unchanged and the program is distributed in the form of distributive archive. Any commercial use of this program is prohibited!


The cRARk for 7-Zip program is designed to determine a forgotten password for 7-Zip archives. It supports 7-Zip archives versions from 3.x and up.

To proceed with cRARk-7z program you need processor with SSE2 support. It is recommended to use as powerful processor as possible (the code is optimized for Core 2/Core iX/AMD Bulldozer). From v. 1.0, cRARk-7z can use both NVIDIA and AMD/ATI GPUs with CUDA/OpenCL support.

cRARk-7z is the tool for professionals, no GUI or great service is provided. But it tries to maximize your abilities for passwords definition and to minimize search time. cRARk-7z uses Password Cracking Library (PCL), a very powerful tool allowing you to define rules to generate passwords.

The rate of password search should be about of 150 password per second on modern powerful computer, so finding the 6-characters password of lower case Latin letters will need about a month. In the GPU the rate could achive 5000 p/s. Rate for dictionary attack is about 50 pass/sec (GPU is not supported ).


Program should work with 7-Zip archive if following requirements are to be met:

In case of solid-archives, the first file should satisfy these requirements. Therefore, if the files in archive were encrypted with the different passwords, the password for first file will be found.

cRARk-7z must be working with selfextracting (sfx) and multivolume archives, as well as archives with encrypted headers.

From version 1.0, cRARk-7z supports passwords computations on GPU cards (CUDA and OpenCL technology). Current limitations are:

3. Working with the program

To run the program YOU ARE TO CREATE PASSWORD DEFINITION FILE firstly (see section 4).

This is a command-line utility! You should run it from command (DOS) prompt.

To run the program you should use:

cRARk-7z [options] archive

The found password is printed in such a form:

truepass - CRC OK

Next it is repeated in hexadecimal PCL-like form (see section 4.2.1).

All other messages ARE NOT passwords and are intended as progress indication of the program.

Options in this mode are:

-lXXset password length to XX at least (XX = 0..255, XX = 1 by default). This parameter affects password length only when '*' is used in its definition (see section 4.2.1);
-gXXset password length to XX at most (XX = 0..255, XX = 8 by default)
-pXXXXset the name of password definition file ("PASSWORD.DEF" by default).
-bperform benchmarking
-vdebug mode (see section 5). It may be used to show character sets in use. This option generates also all the passwords according to with their definition; it does not test but prints them, so you can check their validity.
-cdisable GPU support (use CPU only)
-nXuse GPU #X
-dXXset GPU delay (XX = 0..5), 0 - fastest, 5 - slower, but smoothest
-fWXY(advanced) set crypto functions #W,X,Y. Some information about available functions is printed by -b option.


Password definition file is the main control file. Its translation and processing are the main task of PCL library. Its format doesn't depend on application, to which PCL is linked, so this library can be used for any password searching program.

4.1. Password definition file format

Password definition file is an ordinary text file and consists of two parts: firstly, dictionary and character set definition, and secondly, passwords definition. The parts are separated by a line of two '##' symbols:

[ <dictionary and character set definition> ]
<passwords definition>

The first part could be missing, in that case password definition file starts with '##' symbols.

In all other cases the symbol '#' is considered as a start of comment.

Space characters and tabs are ignored in password definition file and may separate any components.

To make it easy, let's look upon the password definition mechanism at first and then character set definition, contrary to their position in password definition file.

4.2. Password definition

This is the main part of the file. IT NECESSARILY EXSISTS IN ANY PASSWORD DEFINITION FILE (PASSWORD.DEF) AFTER THE LINE '##' and presets password generation rules to be checked out later on. It consists of the text lines, each of them gives its own password set and mode of operation, i.e. an algorithm of password search. Each line is independent and is processed separately, herewith the total number of checked passwords is counted up.

Character sets and dictionary words form password definition. They preset one or more characters, which will hold the appropriate position in a password.

4.2.1. Character sets

Character set (charset) is a range of characters, any of them can occupy current position in a password. Here please find some examples of these characters:

1) Simple single characters (a, b, etc.). It means this particular character occupies given position in a password;

2) Shielded characters. If any of special characters can ever occur in the password, it must be shielded. The meaning is identical with item 1 mentioned above. Among these characters are:

\$, \., \*, \?, \='$', '.', '*', '?', '='
\], \[, \{, \}, \(, \)corresponding brackets;
\ (space character)space character
\XXany hex-code character (X is a hexadecimal digit)
\0no character. It is usually used in conjunction with "real" character (see examples below).

Generally, any character can be shielded except hexadecimal digits.

3) Macros of character set. It means that current position in the password can be occupied by any character from the set. These sets are specified in the first part of password definition file (see section 4.3.2) and are denoted as:

$alower-case Latin letters (26 letters, unless otherwise specified)
$Aupper-case Latin letters (26 letters, unless otherwise specified)
$!special characters (32 characters, unless otherwise specified)
$1digits (10 digits, unless otherwise specified)
$ilower-case letters of national alphabet
(33 letters for Russian alphabet)
$Iupper-case letters of national alphabet
(33 letters for Russian alphabet)
$oother user-specified characters
?any character (i.e. all the characters, included into the macros mentioned above)

NOTE: macros $v and $p (see section 4.3.4) cannot be used for password definition.

4) Any combinations of the characters mentioned above. It must be written in square brackets. The meaning is identical with item 3 mentioned above. For example:

[$a $A]any Latin letter
[abc]a, or b, or c
[$1 abcdef]hexadecimal digit
[s \0]s or nothing
[$a $A $1 $! $i $I $o]this is equivalent to ?

5) Regular repetition character '*'. It means the previous character set has to be repeated in next password positions 0 or more times. For example:

$a *a password of any length, consisting of lower-case Latin letters
[ab] *space character, a, b, aa, ab, ba, bb, aaa, ...
[$a $A] [$a $A $1] *"identifier", i.e. a sequence of letters and digits with a letter at first position

Note that password of zero length is physically meaningful and is not always the same as no password at all.

The length of repetition is computed automatically on the base of the defined maximum and minimum password length options. (Note that these options influence the password length only if '*' exists in password definition and are ignored if the password consists of words or static characters only.. It is recommended to use '*' as wide as possible. This is because it allows to perform the most powerful search. Although the constructions '? *' and '? ? *' seem to be alike from the logic standpoint, the first one will be searched through faster.

Current limitation: '*' can be the last character in the line only.

4.2.2. Dictionary words and their modifiers

Contrary to the character set, the words preset several consecutive passwords characters. Two dictionaries are supported by PDL library: main (with ordinary words mainly) and user's (where special information can be stored, for example, proper names, dates, etc.), though there is no difference between them.

Dictionary is a text file, consisting of the words, separated by the end-of-line characters. Both DOS-format (CR/LF) and UNIX-format (LF) files can be used. Preferably to use words of the same (lower) case in dictionaries (to increase search rate, among other factors). To sort out words by its length is also desirable.

Thus, there are two macros:

$wa word from the main dictionary
$ua word from the user dictionary

As is known altered words are often used as passwords. So a whole set of word modifiers is introduce to determine such passwords. Among these are:

.u (upper)to upper-case
.l (lower)to lower-case
.t (truncate)to truncate up to the given length
.c (convert)to convert the word
.j (joke)to upper-case some letters
.r (reverse)to reverse the word
.s (shrink)to shrink the word
.d (duplicate)to duplicate the word

Modifiers may have parameters, written in round brackets. For modifiers, meant for single letters use, it is possible to preset a number of the word as a parameter. Lack of parameters or null parameter means "the whole word". Then, letters can be numerated from both the beginning of the word and the end of the word. The end of the word is denoted with the character '-' .

There are only three such modifiers for today: .u, .l, .t. So, use:

.u or .u(0)to upper-case the whole word (PASSWORD)
.u(1), .u(2)to upper-case only the first (the second) letter (Password, pAssword)
.u(-), .u(-1)to upper-case the last (the next to last) letter (passworD, passwoRd)
.t(-1)to truncate the last letter in the word (passwor)

The other modifiers operate with the whole words only and their parameters give the way of modification. The following modifier parameters are specified for today:

.j(0) or .jto upper-case odd letters (PaSsWoRd)
.j(1)to upper-case even letters (pAsSwOrD)
.j(2)to upper-case vowels (pAsswOrd)
.j(3)to upper-case consonants (PaSSWoRD)
.r(0) or .rto reverse the word (drowssap)
.s(0) or .sto reduce the word by discarding vowels unless the first one is a vowel
(password -> psswrd, offset -> offst)
.d(0) or .dto duplicate the word (passwordpassword)
.d(1)to add reversed word (passworddrowssap)
.c(<number>)to convert all the letters in the word according to the appropriate conversion string (see section 4.3.3)

All the modifiers operate adequately with both Latin and national letters, provided that the rules of national character sets definition are observed. Clearly there can be more than one modifier (the number of consecutive modifiers is limited by 63, which is unlikely to be exceeded). For example: (let $w mean a password):


4.2.3. Permutation brackets

The problem is widely met, when you remember your password, but it is not valid for some reason. Probably, you mistype it. The PCL engine has its own algorithm to restore such passwords. The following typing mistakes are considered: two neighboring letters are swapped (psasword), a letter is omitted (pasword), a needless letter is inserted (passweord) or one letter is replaced with another (passwird). Such password changes will be referred to as permutations.

To indicate the beginning and the end of that password section where permutations could appear, braces '{' and '}' are used. The brace '}' can be followed by a number of permutations (1 by default), separated by a dot (or in parenthesis). The physical meaning of the number of permutations is the number of simultaneously introduced mistakes. For example:

{abc} - 182 (different) passwords will be obtained, including:

bac, acb2 swaps
bc, ac, bc3 omissions
aabc, babc ...4 * 26 - 3 insertions
bbc, cbc ...3 * 25 replacements
abcthe desired word

{password}.2 or {password}(2) - the following words will be generated: psswrod, passwdro, paasswor, etc.;

{$w} - all the words with one mistake from the main dictionary. .


1)It is obvious that some passwords will be obtained more than once, so the higher number of permutations, the higher number of replicas. It was made efforts in reducing replicas, but they are empirical and are made for not more than two permutations. In other words, it is not certainly that any password would not be discarded mistakenly for higher numbers. Fanatics of the theory of combinations can compute the exact number for {password}.3, for example, and compare it with that one obtained by the program.

2) For insert and replacement functions it is important to know the set of characters to be inserted or replaced. If at the description part this set is not specified (see section 4.3.4), then the program forms it automatically, presuming what standard sets the characters in brackets are refer to (i.e. for {password} $a will be inserted, for {Password} [$a $A] will be inserted). The similar process with words is performed, based on the first word from the dictionary where modifiers is considered in. If set is specified explicitly, it is that set which will be used.

3) Current restriction is that the character '{' must necessarily be the first in the line. Such expressions as good_{password} remain to be supported, but {good}_password is quite possible.

4.3. Dictionaries and character sets definitions

All the definitions are set in the beginning of password definition file up to the characters '##'.

4.3.1. Dictionaries definition

The main and/or user dictionaries in use (see section 4.2.2) are initially defined. It is necessary only if you are going to use words from the dictionaries when defining passwords, i.e. $w or $u.

The dictionaries are given as follows:

$w = "main.dic" # main dictionary
$u = "c:\\dict\\user.dic" # user dictionary

File name is to be quoted, the path characters are to be shielded.

4.3.2. Definition of the character sets in use

Then usually character sets in use are defined. They are classified in two groups: predefined and user-defined.

Predefined sets include:

$alower-cased Latin letters, 26 letters in all
$Aupper-cased Latin letters, 26 letters in all
$!special characters (32 characters in all)
$1digits, 10 digits in all

User-defined sets include:

$ilower-cased letters of national alphabet
$Iupper-cased letters of national alphabet
$oadditional character set (for example, any non-typable characters)

Character sets are defined as follows:

$<charset> = [ <single characters or character sets> ]

In other words, character set is written as combination of characters (see section 4.2.1), for example:

$i = [ !"#$%&'()*+,-./`abcdefghijklmnoq]
$o = [$! $1 \FF]


1) Any character sets are allowed to be defined, including pre-defined. For example, you may include additional characters, such as space character or \FF into the set $!

2) When the sets $i and $I are being defined, the function of switching between lower/upper case is defined automatically. So it is important to have letters being ordered uniformly in these sets.

The full character set '?', consisting of [$a $A $1 $!$i $I $o] (just such an order is of importance in the next section), is never formed until all the characters are defined.

4.3.3. Definition of conversion modifiers

Then conversion modifiers .c may be defined (see section 4.2.2) in relation to the certain character set ?. It is performed with the line of the form:

?.c(<a number>) = "<conversion string>"

Any character from the whole set is converted into an appropriate character, occupying the same position in transformation string. For example, let ? = [1234567890], then ?.c(0) = "!@#$%^&*()"; gives transformation identical to that for Shift keystroke. The characters '\' and '"' are to be shielded in conversion string. The numbers of modifiers may vary from 0 to 255.

4.3.4. Special character sets definition

Among special character sets are:

$va set of vowels (in all alphabets being used). It is needed only when .s and .j modifiers are used
$pa set for insertion and replacement for permutation brackets. It is needed only if automatic generation of this set does not suit you for some reason (see section 4.2.3)

These sets are defined in a similar way to the other character sets.


0)The most common definition is brute-force searching, which uses only lower-case Latin letters.

$a *

2) Let me cite ZEXPL2L program specification: "Let you have an archive with the password looking like "Heaven!!!", but you have forgotten, how many !s were there in the end and what kind of letters lower- or upper-cased were used: "HeAvEn!!!", "Heaven!" or "HeAven!!!!". But fortunately you remember your password to be 10 characters at most and 7 characters at least." This password will be written in PCL language as follows:

He [aA] v [eE] n ! *
and options -l7 -g10.

Suppose that among other things you have mistaken while typing the main part of the password. So the following one is worth attention:

{He [aA] v [eE] n} ! *
and options -l7 -g10.

2) One more citation from the same specification: "Let you have two variants of the password string: "myprog", "MyProg", "my_prog" and "My_Prog". It will be written as:

[mM] y [_ \0] [pP] rog

3) It is often recommended to use two meaningful words, separated by certain character, as a password. The description is as following:

$w [$1 $!] $w
$w.u(1) [$1 $!] $w.u(1)

It should be mentioned that both $w are distinct here (these are distinct words), so a total of 20000 * 42 * 20000 = 1.68E10 passwords (if there are 20000 dictionary words) will be generated , i.e. it takes, on the average, less than a day to crack passwords, considered to be extremely hard for cracking. Thus, just two successive words are cracked 42 times faster.

4) Password consists of exactly six letters from national alphabet:

$i $i $i $i $i $i
$i *
and -16 -g6 options, are far more efficient.

6) You remember your password to be "MyVeryLongGoodPassword", but it is not do for some reason. Try to use the following ones:

{MyVeryLongGoodPassword}2382 passwords in 1 second
{MyVeryLongGoodPassword}.22836413 passwords in 1 minute
{MyVeryLongGoodPassword}.3??? passwords in 2-3 days

7) You know you password to be a meaningful word with a digit inserted elsewhere. The definition file is:

$p = [$1]       # the insertion set is defined as a set of digits

8) Syllable attack. You are to set up a dictionary of possible syllables of your language and then to search through all the meaningful words by proceeding as follows:

$u		# monosyllabic words
$u$u		# disyllabic words
$u$u$u		# etc.

9) In order to run your program in parallel on two computers, give them the following definition files:

[abcdefghijklm] $a *for the first one
[nopqrstuvwxyz] $a *for the second one

Proceed similarly with n computers.

5. Possible problems (FAQ)

1. How to break and then to continue the search.

The program may be broken painlessly once the message "Testing XX-chars passwords..." is displayed, and then the search may be continued with - lXX option (both XX are equal).

2. How to resume search from the password XXX?

Sorry, no way. I's implemented in the PCL 3.0 used in Parallel Password Recovery.

3. The program has been searching for 10 days, but my password is not yet at hand.

Alas! It can't be helped. May be your password is too long, or the search set is wrong. Additional information on the password is necessary.

4. There are files with different passwords in the archive. What am I to do?

Just remove (using 7-Zip) files with already known passwords.

5. The software is not working with multivolume archives.

You need to concatenate all the parts of multivolume archive into one file, like: copy /b test.7z.001+test.7z.002+test.7z.033 test.7z

6. I have tested your program. To my mind, your program is nothing but utter error, it cannot even find "aaa2"-like password.

RTFM. Distributive file password.def searches through only lower-cased Latin letters. Change your password definition to "[$a $1] *" and everything will be ok.

7. I've got beginning of one file from archive in plain text. Will it be useful to me?

No. At least, I couldn't use it. Could you? 7-Zip encryption sources are available in the official site.

8. I'd like to optimize your program. How can I get the sources?

You don't need them. Take 7-Zip sources and optimize the function in 7zAes.cpp file.

9. Is there any option to save program operation log?

Probably, you have never dealt with UNIX. Use:
cRARk-7z [options] > file
If you don't like this, use "tee" utility.

10. Is it possible to speed-up dictionary attack?

Yes, just sort your dictionary by the words size

11. Your distribution kit is packed with a password in itself!!! I do not find it funny!

You are reading this file, so you have solved this problem.

12. I need GUI, multicore support, pause/resume etc.

cRARk-7z is the free program, and I have no time to support such features. To find all you need, please look at Parallel Password Recovery which licensed cRARk-7z and PCL engine.

13. How to use my GPU card to recover passwords?

You need:
a) NVIDIA GPU from GeForce 8 serie (some old 8800 cards may be not supported) or AMD Radeon HF from 5xxx
b) latest drivers (it's recommended to get them from: http://www.nvidia.com/object/cuda_get.html) and http://support.amd.com/us/gpudownload/Pages/index.aspx
c) the password definition should contain '*' symbol

14. I've got some errors when using my GPU card.

a) Please install the latest drivers!
b) Don't overclock neither GPU nor CPU!
c) On Windows Vista and 7, if the message about the stopped driver appears, please use the file driver-timeout.reg from the distributon archive.

6. On PCL library

PCL 2.0 library is distributed by the author as FREEWARE in the form of source text. The reference to PCL as an obligatory requirement for your programs.

PCL 3.0 with plenty of new features is not a FREEWARE.

7. How to contact the author

Only by e-mail.

Please don't ask me about how to run the program etc - I have no time to explain individually.

e-mail:  pavel@semjanov.com
WWW:     http://www.semjanov.com

Program URL is: http://crark.net/crark-7zip.html

A lot of free, benchmarked password crackers you'll find at:


cRARk-7z is a FREE program, so all the claims will be rejected. Anyway, I'll be very grateful for pointing out the serious errors, such as:

  • the program hangs up while searching (the lack of displayed messages is not an evidence of hangup);
  • the program cannot find such password in such archive, although the set of characters in search is specified correctly

I'll be also glad to any constructive suggestions on improvements of program operation.

8. Special thanks and copyright notices

To Igor Pavlov for 7-Zip, LZMA SDK and its source codes.
To Andy Polyakov and other OpenSSL guys for some optimization ideas.
This software uses cryptographic routines from GRYPTOGAMS: Copyright (c) 2006, CRYPTOGAMS by All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain copyright notices, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the CRYPTOGAMS nor the names of its copyright holder and contributors may be used to endorse or promote products derived from this software without specific prior written permission. ALTERNATIVELY, provided that this notice is retained in full, this product may be distributed under the terms of the GNU General Public License (GPL), in which case the provisions of the GPL apply INSTEAD OF those given above. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Good luck!

Pavel Semjanov, St.-Petersburg.