Recover 7z Archive (Password Protected)

Ajexpert
2013-12-01
2013-12-19
1 2 > >> (Page 1 of 2)
  • Ajexpert
    Ajexpert
    2013-12-01

    Hi,
    Almost a year ago, I archived about 7.5GB of data using 7z and now I am not able to open it.

    Really appreciate any help in this regard as I have deleted the original files thinking I would be able to recover at later time.

    Please please help!

    Thanks,
    AJ

     
  • Shell
    Shell
    2013-12-01

    7-Zip uses a strong cipher for password-protected archives, so there's no way of recovering your files except for providing the correct password. Try to remember or brute-force it. (An extraordinary variant is to wait until somebody cracks the AES cipher, which is very unlikely to happen in the near future).

    If you know some of the bytes inside the archive, you may organize a so-called plain-text attack on it. This is rather difficult and requires a good knowledge of cryptography, so please consult the appropriate literature for details.

     
    Last edit: Shell 2013-12-01
  • Ajexpert
    Ajexpert
    2013-12-12

    Hi Shell,
    I do have the password, i believe its failing due to huge size.

    Please help!

     
  • Shell
    Shell
    2013-12-12

    That is strange. What does 7-Zip say to you? Please, give a screenshot or cite the error message.

    Try the same version you used to create the archive. Does the error persist? There is a chance (very small though) of incompatibility between versions, or a specific version of 7-Zip may have a bug.

    You may also try several other versions (e.g. 4.57, 9.20, 9.22, 9.30, 9.32). There is no need to install them all - you may either use 7za.exe (7-Zip Standalone package) or extract 7z.exe and 7z.dll from an installation package.

     
    Last edit: Shell 2013-12-12
  • Ajexpert
    Ajexpert
    2013-12-13

    Hi Shell,

    I really appreciate your continued help.

    I have attached screen shot.

    Please let me know if you need further details.

    Thanks Again Shell

     
  • Aytek Ustundag
    Aytek Ustundag
    2013-12-13

    I confirm the problem, I have an 18 GB file I created which does not accept the password.

     
  • Shell
    Shell
    2013-12-14

    Ajexpert: have you tried other 7-Zip versions? If they behave identically, then your archive is likely to be damaged. Unlike the archive in the similar topic, How to fix corrupted files of a archive, yours has lost the header. You may try to recover it manually, but you should know its structure (which is described in 7-Zip's source code). Maybe Mr. Pavlov could help you with that.

    Aytek Ustundag: do you see the same error? Have you tried other 7-Zip versions? If the error is different, then your chances of recovery may be higher.

    To both: as in the mentioned topic, I suspect your disc to be faulty. Use a hex editor to find long sequences of identical bytes (usually zeros) in your archives. Each 512-byte (at least 512, but may be 2048 or 4096) long sequence indicates a corrupt sector on a disc. Each damage loses you all subsequent files till the end of the solid block or till the end of an encryption block, whichever occurs last.

    If my guess is right, then your chances to recover the damaged archives are negligible, but, which is even more important, you may lose other data stored on that disc. Please, check it (if it is a hard disc, the S.M.A.R.T. attributes will help) and back up the important data.

     
    • Ajexpert
      Ajexpert
      2013-12-15

      Hi Shell,

      I have tried different versions of 7z on different machines, can't open it.

      I am sure that my disk is not damaged.

      Please let me know the steps or instructions how to use hex editor to find sequences of identical bytes (sorry for asking this )

      Thanks a lot for your assistance

       
  • Aytek Ustundag
    Aytek Ustundag
    2013-12-14

    Hello, thanks for fast response.
    No my disk is not faulty and there is no repeating bytes in my file.
    I used the command line tools like this

    "7za.exe" a -t7z "G:\xxx.7z" "d:\" -v512m -ssw -mmt2 -mx5 -mhe -xr!abcd

    Since i use 7z in my many projects and i think it is reliable, so i also think about the probability i could have written the password wrong while archiving.

    But to be sure can you answer those?

    1)Did you ever heard about this problem before? (my version is 7-Zip (A) 9.20)
    2)If my compression is somehow halted in between resulting an incomplete file, would i get wrong password error or would i get bad archive error?
    3)Is there something very different with my parameters, should i try to extract a different way?
    4)I used 32bit console version in my x64 system for (about 200.000 files) (resulting 18 gb archive). does the 32 bit console have some kind of restriction you know about?

    I would be happy if you could answer those so if there is a known bug i wont try inputting passwords all weekend =) thank you

     
    • Shell
      Shell
      2013-12-14

      1. This problem is new for me.
      2. You certainly would. 7-Zip stores the header in the end of the archive and writes it in the last turn, so an incomplete archive would be unreadable unless you manually reconstruct the header. This is also true for multivolume sets, because (if I am not mistaking) the header is written only once - in the last volume.
      3. Everything seems OK. -t7z and -mx5 are the defaults, so you may omit them.
      4. It certainly has: it cannot use more than 2 GiB of memory (4 GiB since version 9.21). As long as your dictionary does not exceed 96 MiB, you will hardly hit that limit.

      Concerning your problematic archive:
      1) what error do you get?
      2) was the archive ever readable?
      3) try a different version of 7-Zip (e.g. 9.22 standalone) and/or abandon encryption - does the error appear then?

       
  • Aytek Ustundag
    Aytek Ustundag
    2013-12-14

    1) The error i get is

    7-Zip (A) 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
    Processing archive: Q_Drive_17-09-2013_20-28-24.7z
    Enter password (will not be echoed):
    Error: Can not open encrypted archive. Wrong password?

    2) No this is the first time i read the archive
    3) i canot retry with abandoning encryption because my files are inside =)

    Thank you very much for your help, i think the odds are there is a problem from my side, i inputed some kind of wrong password maybe. thanks

     
    • Shell
      Shell
      2013-12-14

      Have you already deleted the original files? If so, it is bad - you have no possibility but to brute-force the password. I think it is a good idea to test an archive straight after its creation. You can do one more thing though - create another big archive with a known password and test whether 7-Zip can open it. If it cannot - there is an error in 7-Zip 9.20 itself.

      I cannot help you further, except for a brute-force code (it will NOT work if there are spaces in the password):
      for /f %a in (passwords.txt) do (
      7za l -p%a Q_Drive_17-09-2013_20-28-24.7z
      if not errorlevel 2 echo Found a password: %a
      )

       
  • Nikow
    Nikow
    2013-12-14

    If your password is long, you can try write part of it. I don't know why but 7zip similar to truecrypt is cuting too long passwords without a word. I had it twice.

    Meybe you used some special character and you're using system who is coding it in other way? (There can be some difference beetwen powershell and cmd or windows1250 and UTF-8)

     
  • Ajexpert
    Ajexpert
    2013-12-15

    Hi Shell,
    I have tried different versions of 7z on different machines, can't open it.

    I am sure that my disk is not damaged.

    Please let me know the steps or instructions how to use hex editor to find sequences of identical bytes (sorry for asking this )

    Thanks a lot for your assistance

     
  • Shell
    Shell
    2013-12-15

    I don't know what editors have you got, so I will name some familiar to me.

    MS Visual Studio: open archive in Binary mode (Auto should also suit), select Edit->Find... (Ctrl+F), type at least 8 pairs of zeros in the dialog box: 00 00 00 00..., and go. If you want, repeat that with F6's.

    Total Commander: open archive in Lister, select Edit->Find, check the HEX code box, type at least 16 zeros (now without spaces) and go. You may also switch into hexadecimal view for convenience, but the search would work anyway.

    I want to ask you one more question: Was that archive ever readable? Maybe it has been corrupt upon creation, so there is nothing we can do with it.

     
  • Ajexpert
    Ajexpert
    2013-12-15

    Hi Shell,

    Thank you so very much for prompt response.

    I will download the editor and get back to you on this.

    Was that archive ever readable? -> I remember this was readable 6 months ago, but now I have switched to different machine. I was using 32 bit Win7 OS, now using 64 bit Win 7.
    Consequently 7z version that I used for archive could be different from what I have now.

    Thanks again to keep this thread alive Shell.

     
  • Ajexpert
    Ajexpert
    2013-12-16

    Hi Shell,

    Please check the attached screen shot. Is this what you asked for?

    Please pardon my ignorance and let me know if you need anything to get this sorted.

    Thanks,

     
  • Shell
    Shell
    2013-12-16

    Yes, that's it. It is very unlikely for an archive to contain so many consequent zeros (unless the Copy method is used). I believe your disc has got some damaged sectors; they are likely to be remapped already, but the data is lost. (You may check this guess by examining your disc's S.M.A.R.T. attribute 05).

    I am sorry, but, speaking generally, your files are lost unless you have their back-up copy. To be more precise, if the archive's header is encrypted independently of the solid blocks, it is possible to recover the files that, being compressed, fit the area between each solid block's beginning and the first damage after that point. However, 7-Zip cannot do that - you will need a special software based on 7-Zip's code. Whether such software exists - I don't know.

    P.S. I think you should double-check your disc and back up other important data to avoid further losses. If it is a hard disc, I insist on examining its S.M.A.R.T. data. There are many programs that can query S.M.A.R.T., Victoria for example. If you post a screenshot here, I'll try to give a prognosis on your disc.

     
    Last edit: Shell 2013-12-16
  • therube
    therube
    2013-12-16

    I am sure that my disk is not damaged

    How do you know?
    Additionally, won't hurt to run the drive manufacturers diagnostic on the disk.

     
  • Ajexpert
    Ajexpert
    2013-12-16

    Hi Shell,

    I have switched to new machine now and old laptop has been recycled.

    This archive had about 15-20 files and one or two files may be duplicate.

    Please let me know if there is any (simple) way to recover some if not all files.

    Appreciate your help as always.

    Thanks

     
  • Igor Pavlov
    Igor Pavlov
    2013-12-16

    Ajexpert:

    Show
    1) first 48 bytes in hex.
    2) last 128 bytes in hex.

     
  • Ajexpert
    Ajexpert
    2013-12-16

    Hi Igor,

    Pardon my ignorance, Could you please let me know how to extract first 48 and last 128 bytes in hex.

    Thanks

     
    • Shell
      Shell
      2013-12-17

      You may use Total Commander instead of FAR since you already have it. Look at your previous screenshot: the first line begins at file offset 0513FFC90 (hex), and it contains the following bytes (hex): 0A 05 E3 15 02 A1 A5 8D 57 76 6E 4F 63 26 74 3A. Igor Pavlov wants to see three lines in the beginning (offsets 0, 10 and 20) and 8 lines in the end (I don't know the precise offsets, but they will begin with 1). Either copy the hex codes into your post, or take two screenshots.

      Concerning your question about recovery, there is currently no simple way to recover files from damaged 7-Zip archives. Nevertheless, such recovery is theoretically possible. The encryption imposes a great difficulty to the recovery. You may ask someone keen in programming to extract the data from undamaged parts of archive, but such work is usually paid for.

      Since the original storage is gone, there is no immediate need to check your disc. However, I still recommend you to back up your data regularly.

      P.S. The damage you have shown falls at offset 051400000 - that is precisely 1300 megabytes. It is interesting that the number is so even...

       
      • Igor Pavlov
        Igor Pavlov
        2013-12-17

        • 1300 megabytes. It is interesting that the number is so even...

        1300 MB = 650MB *2
        Maybe the archive was split to 650MB chunks and there was some problem with volume .003

         
  • Igor Pavlov
    Igor Pavlov
    2013-12-16

    farmanager.com

    install far manager
    run
    select file
    F3 - view
    F4 - hex
    Alt+Ins - to set select mode
    Select lines with all columns
    Ctrl+Ins to copy to clipboard

     
1 2 > >> (Page 1 of 2)