1 /*
2 * JtR format to crack password protected Ethereum Wallets.
3 *
4 * This software is Copyright (c) 2017, Dhiru Kholia <kholia at kth.se> and it
5 * is hereby released to the general public under the following terms:
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted.
9 */
10
11 #if FMT_EXTERNS_H
12 extern struct fmt_main fmt_ethereum;
13 #elif FMT_REGISTERS_H
14 john_register_one(&fmt_ethereum);
15 #else
16
17 #include <string.h>
18 #include <errno.h>
19
20 #ifdef _OPENMP
21 #include <omp.h>
22 #endif
23
24 #include "arch.h"
25 #include "misc.h"
26 #include "common.h"
27 #include "formats.h"
28 #include "params.h"
29 #include "options.h"
30 #define PBKDF2_HMAC_SHA256_VARYING_SALT 1
31 #include "pbkdf2_hmac_sha256.h"
32 #include "ethereum_common.h"
33 #include "yescrypt/yescrypt.h"
34 #include "KeccakHash.h"
35 #include "aes.h"
36 #include "jumbo.h"
37
38 #define FORMAT_NAME "Ethereum Wallet"
39 #define FORMAT_LABEL "ethereum"
40 #ifdef SIMD_COEF_32
41 #define ALGORITHM_NAME "PBKDF2-SHA256/scrypt Keccak " SHA256_ALGORITHM_NAME
42 #else
43 #define ALGORITHM_NAME "PBKDF2-SHA256/scrypt Keccak 32/" ARCH_BITS_STR
44 #endif
45 #define BENCHMARK_COMMENT ""
46 #define BENCHMARK_LENGTH 7
47 #define BINARY_SIZE 16
48 #define PLAINTEXT_LENGTH 125
49 #define SALT_SIZE sizeof(*cur_salt)
50 #define BINARY_ALIGN sizeof(uint32_t)
51 #define SALT_ALIGN sizeof(uint64_t)
52 #ifdef SIMD_COEF_32
53 #define MIN_KEYS_PER_CRYPT SSE_GROUP_SZ_SHA256
54 #define MAX_KEYS_PER_CRYPT SSE_GROUP_SZ_SHA256
55 #else
56 #define MIN_KEYS_PER_CRYPT 1
57 #define MAX_KEYS_PER_CRYPT 1
58 #endif
59
60 #define OMP_SCALE 1
61
62 static int max_threads;
63 static yescrypt_local_t *local;
64
65 static char (*saved_key)[PLAINTEXT_LENGTH + 1];
66 static uint32_t (*crypt_out)[BINARY_SIZE * 2 / sizeof(uint32_t)];
67 static unsigned char (*saved_presale)[32];
68 static int new_keys;
69
70 static custom_salt *cur_salt;
71
72 static union {
73 uint64_t dummy;
74 unsigned char data[8];
75 } dpad;
76
init(struct fmt_main * self)77 static void init(struct fmt_main *self)
78 {
79 omp_autotune(self, OMP_SCALE);
80
81 #ifdef _OPENMP
82 max_threads = omp_get_max_threads();
83 #else
84 max_threads = 1;
85 #endif
86
87 local = mem_alloc(sizeof(*local) * max_threads);
88 int i;
89 for (i = 0; i < max_threads; i++)
90 yescrypt_init_local(&local[i]);
91
92 saved_key = mem_calloc(sizeof(*saved_key), self->params.max_keys_per_crypt);
93 saved_presale =
94 mem_calloc(sizeof(*saved_presale), self->params.max_keys_per_crypt);
95 crypt_out = mem_calloc(sizeof(*crypt_out), self->params.max_keys_per_crypt);
96
97 memcpy(dpad.data, "\x02\x00\x00\x00\x00\x00\x00\x00", 8);
98 }
99
done(void)100 static void done(void)
101 {
102 int i;
103 for (i = 0; i < max_threads; i++)
104 yescrypt_free_local(&local[i]);
105 MEM_FREE(local);
106
107 MEM_FREE(saved_presale);
108 MEM_FREE(saved_key);
109 MEM_FREE(crypt_out);
110 }
111
set_salt(void * salt)112 static void set_salt(void *salt)
113 {
114 cur_salt = (custom_salt *)salt;
115 }
116
ethereum_set_key(char * key,int index)117 static void ethereum_set_key(char *key, int index)
118 {
119 strnzcpy(saved_key[index], key, PLAINTEXT_LENGTH + 1);
120 new_keys = 1;
121 }
122
get_key(int index)123 static char *get_key(int index)
124 {
125 return saved_key[index];
126 }
127
crypt_all(int * pcount,struct db_salt * salt)128 static int crypt_all(int *pcount, struct db_salt *salt)
129 {
130 const int count = *pcount;
131 int index;
132 int failed = 0;
133
134 #ifdef _OPENMP
135 #pragma omp parallel for
136 #endif
137 for (index = 0; index < count; index += MIN_KEYS_PER_CRYPT) {
138 unsigned char master[MIN_KEYS_PER_CRYPT][32];
139 int i;
140 if (cur_salt->type == 0) {
141 #ifdef SIMD_COEF_32
142 int lens[MIN_KEYS_PER_CRYPT];
143 unsigned char *pin[MIN_KEYS_PER_CRYPT], *pout[MIN_KEYS_PER_CRYPT];
144 for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
145 lens[i] = strlen(saved_key[index+i]);
146 pin[i] = (unsigned char*)saved_key[index+i];
147 pout[i] = master[i];
148 }
149 pbkdf2_sha256_sse((const unsigned char**)pin, lens, cur_salt->salt, cur_salt->saltlen, cur_salt->iterations, pout, 32, 0);
150 #else
151 for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i)
152 pbkdf2_sha256((unsigned char *)saved_key[index+i],
153 strlen(saved_key[index+i]),
154 cur_salt->salt, cur_salt->saltlen,
155 cur_salt->iterations, master[i], 32,
156 0);
157 #endif
158 } else if (cur_salt->type == 1) {
159 #ifdef _OPENMP
160 int t = omp_get_thread_num();
161 if (t >= max_threads) {
162 #pragma omp atomic
163 failed |= 2;
164 continue;
165 }
166 #else
167 const int t = 0;
168 #endif
169 yescrypt_params_t params = { .N = cur_salt->N, .r = cur_salt->r, .p = cur_salt->p };
170 for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
171 if (yescrypt_kdf(NULL, &local[t],
172 (const uint8_t *)saved_key[index + i],
173 strlen(saved_key[index + i]),
174 (const uint8_t *)cur_salt->salt,
175 strlen((const char *)cur_salt->salt),
176 ¶ms,
177 master[i], 32)) {
178 #ifdef _OPENMP
179 #pragma omp atomic
180 #endif
181 failed |= 1;
182 }
183 }
184 } else if (cur_salt->type == 2) {
185 if (new_keys) {
186 /* Presale. No salt! */
187 #ifdef SIMD_COEF_32
188 int lens[MIN_KEYS_PER_CRYPT];
189 int slens[MIN_KEYS_PER_CRYPT];
190 unsigned char *sin[MIN_KEYS_PER_CRYPT];
191 unsigned char *pin[MIN_KEYS_PER_CRYPT], *pout[MIN_KEYS_PER_CRYPT];
192 for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
193 lens[i] = strlen(saved_key[index+i]);
194 pin[i] = (unsigned char*)saved_key[index+i];
195 pout[i] = master[i];
196 sin[i] = pin[i];
197 slens[i] = lens[i];
198 }
199 pbkdf2_sha256_sse_varying_salt((const unsigned char**)pin, lens, sin, slens, 2000, pout, 16, 0);
200 for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
201 memcpy(saved_presale[index + i], pout[i], 32);
202 }
203 #else
204
205 for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
206 pbkdf2_sha256((unsigned char *)saved_key[index+i], strlen(saved_key[index+i]), (unsigned char *)saved_key[index+i], strlen(saved_key[index+i]), 2000, master[i], 16, 0);
207 }
208 for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
209 memcpy(saved_presale[index + i], master[i], 32);
210 }
211 #endif
212 } else {
213 for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i)
214 memcpy(master[i], saved_presale[index + i], 32);
215 }
216 }
217
218 if (cur_salt->type == 0 || cur_salt->type == 1) {
219 for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
220 Keccak_HashInstance hash;
221 Keccak_HashInitialize(&hash, 1088, 512, 256, 0x01); // delimitedSuffix is 0x06 for SHA-3, and 0x01 for Keccak
222 Keccak_HashUpdate(&hash, master[i] + 16, 16 * 8);
223 Keccak_HashUpdate(&hash, cur_salt->ct, cur_salt->ctlen * 8);
224 Keccak_HashFinal(&hash, (unsigned char*)crypt_out[index+i]);
225 }
226 } else {
227 for (i = 0; i < MIN_KEYS_PER_CRYPT; ++i) {
228 AES_KEY akey;
229 Keccak_HashInstance hash;
230 unsigned char iv[16];
231 unsigned char seed[4096];
232 int padbyte;
233 int datalen;
234
235 AES_set_decrypt_key(master[i], 128, &akey);
236 memcpy(iv, cur_salt->encseed, 16);
237 AES_cbc_encrypt(cur_salt->encseed + 16, seed, cur_salt->eslen - 16, &akey, iv, AES_DECRYPT);
238 if (check_pkcs_pad(seed, cur_salt->eslen - 16, 16) < 0) {
239 memset(crypt_out[index+i], 0, BINARY_SIZE);
240 continue;
241 }
242 padbyte = seed[cur_salt->eslen - 16 - 1];
243 datalen = cur_salt->eslen - 16 - padbyte;
244 if (datalen < 0) {
245 memset(crypt_out[index+i], 0, BINARY_SIZE);
246 continue;
247 }
248 Keccak_HashInitialize(&hash, 1088, 512, 256, 0x01);
249 Keccak_HashUpdate(&hash, seed, datalen * 8);
250 Keccak_HashUpdate(&hash, dpad.data, 1 * 8);
251 Keccak_HashFinal(&hash, (unsigned char*)crypt_out[index+i]);
252 }
253 }
254 }
255 new_keys = 0;
256
257 if (failed) {
258 #ifdef _OPENMP
259 if (failed & 2) {
260 fprintf(stderr, "OpenMP thread number out of range\n");
261 error();
262 }
263 #endif
264 fprintf(stderr, "scrypt failed: %s\n", strerror(errno));
265 error();
266 }
267
268 return count;
269 }
270
cmp_all(void * binary,int count)271 static int cmp_all(void *binary, int count)
272 {
273 int index;
274
275 for (index = 0; index < count; index++)
276 if (((uint32_t*)binary)[0] == crypt_out[index][0])
277 return 1;
278 return 0;
279 }
280
cmp_one(void * binary,int index)281 static int cmp_one(void *binary, int index)
282 {
283 return !memcmp(binary, crypt_out[index], BINARY_SIZE);
284 }
285
cmp_exact(char * source,int index)286 static int cmp_exact(char *source, int index)
287 {
288 return 1;
289 }
290
291 struct fmt_main fmt_ethereum = {
292 {
293 FORMAT_LABEL,
294 FORMAT_NAME,
295 ALGORITHM_NAME,
296 BENCHMARK_COMMENT,
297 BENCHMARK_LENGTH,
298 0,
299 PLAINTEXT_LENGTH,
300 BINARY_SIZE,
301 BINARY_ALIGN,
302 SALT_SIZE,
303 SALT_ALIGN,
304 MIN_KEYS_PER_CRYPT,
305 MAX_KEYS_PER_CRYPT,
306 FMT_CASE | FMT_8_BIT | FMT_OMP | FMT_HUGE_INPUT,
307 {
308 "iteration count",
309 "kdf [0:PBKDF2-SHA256 1:scrypt 2:PBKDF2-SHA256 presale]",
310 },
311 { FORMAT_TAG },
312 ethereum_tests
313 }, {
314 init,
315 done,
316 fmt_default_reset,
317 fmt_default_prepare,
318 ethereum_common_valid,
319 fmt_default_split,
320 ethereum_get_binary,
321 ethereum_common_get_salt,
322 {
323 ethereum_common_iteration_count,
324 ethereum_common_kdf_type,
325 },
326 fmt_default_source,
327 {
328 fmt_default_binary_hash
329 },
330 fmt_default_salt_hash,
331 NULL,
332 set_salt,
333 ethereum_set_key,
334 get_key,
335 fmt_default_clear_keys,
336 crypt_all,
337 {
338 fmt_default_get_hash
339 },
340 cmp_all,
341 cmp_one,
342 cmp_exact
343 }
344 };
345
346 #endif /* plugin stanza */
347