1 /*
2 * PKZIP patch for john to handle 'old' pkzip passwords (old 'native' format)
3 *
4 * Written by Jim Fougeron <jfoug at cox.net> in 2011. No copyright
5 * is claimed, and the software is hereby placed in the public domain.
6 * In case this attempt to disclaim copyright and place the software in the
7 * public domain is deemed null and void, then the software is
8 * Copyright (c) 2011 Jim Fougeron and it is hereby released to the
9 * general public under the following terms:
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted.
13 *
14 * There's ABSOLUTELY NO WARRANTY, express or implied.
15 *
16 */
17
18 #include "arch.h"
19 #if !AC_BUILT
20 #define HAVE_LIBZ 1 /* legacy build has -lz in LDFLAGS */
21 #endif
22
23 #if HAVE_LIBZ
24
25 #if FMT_EXTERNS_H
26 extern struct fmt_main fmt_pkzip;
27 #elif FMT_REGISTERS_H
28 john_register_one(&fmt_pkzip);
29 #else
30
31 #include <string.h>
32 #include <zlib.h>
33
34 #ifdef _OPENMP
35 #include <omp.h>
36 #endif
37
38 #include "common.h"
39 #include "misc.h"
40 #include "formats.h"
41 #define USE_PKZIP_MAGIC 1
42 #include "pkzip.h"
43 #include "pkzip_inffixed.h" // This file is a data file, taken from zlib
44 #include "loader.h"
45
46 #define FORMAT_LABEL "PKZIP"
47 #define FORMAT_NAME ""
48 #define ALGORITHM_NAME "32/" ARCH_BITS_STR
49 #define FORMAT_TAG "$pkzip$"
50 #define FORMAT_TAG2 "$pkzip2$"
51 #define FORMAT_TAG_LEN (sizeof(FORMAT_TAG)-1)
52 #define FORMAT_TAG2_LEN (sizeof(FORMAT_TAG2)-1)
53
54 #define BENCHMARK_COMMENT ""
55 #define BENCHMARK_LENGTH 7
56
57 #define PLAINTEXT_LENGTH 31
58
59 #define BINARY_SIZE 0
60 #define BINARY_ALIGN 1
61
62 #define SALT_SIZE (sizeof(PKZ_SALT*))
63 #define SALT_ALIGN (sizeof(uint64_t))
64
65 #define MIN_KEYS_PER_CRYPT 1
66 #define MAX_KEYS_PER_CRYPT 64
67
68 #ifndef OMP_SCALE
69 #define OMP_SCALE 32 // Tuned w/ MKPC for core i7
70 #endif
71
72 /*
73 * It is likely that this should be put into the arch.h files for the different systems,
74 * IF we find a system which operates faster doing the non-table work.
75 * However, in current testing, it is always faster to use the multiply table. It only
76 * takes 16kb, and almost always stays in the cache for any system newer than a 386.
77 */
78 #define PKZIP_USE_MULT_TABLE
79
80 #if ARCH_LITTLE_ENDIAN
81 #define KB1 0
82 #define KB2 3
83 #else
84 #define KB1 3
85 #define KB2 0
86 #endif
87
88 /*
89 * filename:$pkzip$C*B*[DT*MT{CL*UL*CR*OF*OX}*CT*DL*CS*DA]*$/pkzip$ (deprecated)
90 * filename:$pkzip2$C*B*[DT*MT{CL*UL*CR*OF*OX}*CT*DL*CS*TC*DA]*$/pkzip2$ (new format, with 2 checksums)
91 *
92 * All numeric and 'binary data' fields are stored in hex.
93 *
94 * C is the count of hashes present (the array of items, inside the [] C can be 1 to 3.).
95 * B is number of valid bytes in the checksum (1 or 2). Unix zip is 2 bytes, all others are 1
96 * ARRAY of data starts here (there will be C array elements)
97 * DT is a "Data Type enum". This will be 1 2 or 3. 1 is 'partial'. 2 and 3 are full file data (2 is inline, 3 is load from file).
98 * MT Magic Type enum. 0 is no 'type'. 255 is 'text'. Other types (like MS Doc, GIF, etc), see source.
99 * NOTE, CL, DL, CRC, OFF are only present if DT != 1
100 * CL Compressed length of file blob data (includes 12 byte IV).
101 * UL Uncompressed length of the file.
102 * CR CRC32 of the 'final' file.
103 * OF Offset to the PK\x3\x4 record for this file data. If DT==2, then this will be a 0, as it is not needed, all of the data is already included in the line.
104 * OX Additional offset (past OF), to get to the zip data within the file.
105 * END OF 'optional' fields.
106 * CT Compression type (0 or 8) 0 is stored, 8 is imploded.
107 * DL Length of the DA data.
108 * CS Checksum from crc32.
109 * TC Checksum from timestamp
110 * DA This is the 'data'. It will be hex data if DT==1 or 2. If DT==3, then it is a filename (name of the .zip file).
111 * END of array items.
112 * The format string will end with $/pkzip$
113 *
114 * NOTE, after some code testing, it has come to show, that the 'magic' may not be needed, or very useful. The problem with it, is IF the file
115 * ends up NOT starting with any of the magic values, then we will have a false negative, and NEVER be able to crack the zip's password. For now
116 * we have a #define (right before the #include "pkzip.h"). If that define is uncommented, then pkzip format will be built with magic logic.
117 * However, right now it is not being built that way.
118 *
119 */
120 static struct fmt_tests tests[] = {
121 /* compression of a perl file. We have the same password, same file used twice in a row (pkzip, 1 byte checksum). NOTE, pkzip uses random IV, so both encrypted blobs are different */
122 {"$pkzip$1*1*2*0*e4*1c5*eda7a8de*0*4c*8*e4*eda7*194883130e4c7419bd735c53dec36f0c4b6de6daefea0f507d67ff7256a49b5ea93ccfd9b12f2ee99053ee0b1c9e1c2b88aeaeb6bd4e60094a1ea118785d4ded6dae94cade41199330f4f11b37cba7cda5d69529bdfa43e2700ba517bd2f7ff4a0d4b3d7f2559690ec044deb818c44844d6dd50adbebf02cec663ae8ebb0dde05d2abc31eaf6de36a2fc19fda65dd6a7e449f669d1f8c75e9daa0a3f7be8feaa43bf84762d6dbcc9424285a93cedfa3a75dadc11e969065f94fe3991bc23c9b09eaa5318aa29fa02e83b6bee26cafec0a5e189242ac9e562c7a5ed673f599cefcd398617*$/pkzip$", "password" },
123 {"$pkzip$1*1*2*0*e4*1c5*eda7a8de*0*4c*8*e4*eda7*581f798527109cbadfca0b3318435a000be84366caf9723f841a2b13e27c2ed8cdb5628705a98c3fbbfb34552ed498c51a172641bf231f9948bca304a6be2138ab718f6a5b1c513a2fb80c49030ff1a404f7bd04dd47c684317adea4107e5d70ce13edc356c60bebd532418e0855428f9dd582265956e39a0b446a10fd8b7ffb2b4af559351bbd549407381c0d2acc270f3bcaffb275cbe2f628cb09e2978e87cd023d4ccb50caaa92b6c952ba779980d65f59f664dde2451cc456d435188be59301a5df1b1b4fed6b7509196334556c44208a9d7e2d9e237f591d6c9fc467b408bf0aaa*$/pkzip$", "password" },
124 /* Now the same file, compressed twice, using unix zip (info-zip), with 2 byte checksums */
125 {"$pkzip$1*2*2*0*e4*1c5*eda7a8de*0*47*8*e4*4bb6*436c9ffa4328870f6272349b591095e1b1126420c3041744650282bc4f575d0d4a5fc5fb34724e6a1cde742192387b9ed749ab5c72cd6bb0206f102e9216538f095fb773661cfde82c2e2a619332998124648bf4cd0da56279f0c297567d9b5d684125ee92920dd513fd18c27afba2a9633614f75d8f8b9a14095e3fafe8165330871287222e6681dd9c0f830cf5d464457b257d0900eed29107fad8af3ac4f87cf5af5183ff0516ccd9aeac1186006c8d11b18742dfb526aadbf2906772fbfe8fb18798967fd397a724d59f6fcd4c32736550986d227a6b447ef70585c049a1a4d7bf25*$/pkzip$", "password" },
126 {"$pkzip$1*2*2*0*e4*1c5*eda7a8de*0*47*8*e4*4bb6*436c9ffa4328870f6272349b591095e1b1126420c3041744650282bc4f575d0d4a5fc5fb34724e6a1cde742192387b9ed749ab5c72cd6bb0206f102e9216538f095fb773661cfde82c2e2a619332998124648bf4cd0da56279f0c297567d9b5d684125ee92920dd513fd18c27afba2a9633614f75d8f8b9a14095e3fafe8165330871287222e6681dd9c0f830cf5d464457b257d0900eed29107fad8af3ac4f87cf5af5183ff0516ccd9aeac1186006c8d11b18742dfb526aadbf2906772fbfe8fb18798967fd397a724d59f6fcd4c32736550986d227a6b447ef70585c049a1a4d7bf25*$/pkzip$", "password"},
127 /* now a pkzip archive, with 3 files, 1 byte checksum */
128 {"$pkzip$3*1*1*0*8*24*4001*8986ec4d693e86c1a42c1bd2e6a994cb0b98507a6ec937fe0a41681c02fe52c61e3cc046*1*0*8*24*4003*a087adcda58de2e14e73db0043a4ff0ed3acc6a9aee3985d7cb81d5ddb32b840ea2057d9*2*0*e4*1c5*eda7a8de*0*4c*8*e4*eda7*89a792af804bf38e31fdccc8919a75ab6eb75d1fd6e7ecefa3c5b9c78c3d50d656f42e582af95882a38168a8493b2de5031bb8b39797463cb4769a955a2ba72abe48ee75b103f93ef9984ae740559b9bd84cf848d693d86acabd84749853675fb1a79edd747867ef52f4ee82435af332d43f0d0bb056c49384d740523fa75b86a6d29a138da90a8de31dbfa89f2f6b0550c2b47c43d907395904453ddf42a665b5f7662de170986f89d46d944b519e1db9d13d4254a6b0a5ac02b3cfdd468d7a4965e4af05699a920e6f3ddcedb57d956a6b2754835b14e174070ba6aec4882d581c9f30*$/pkzip$", "3!files"},
129 /* following are from CMIYC 2012 */
130 {"$pkzip$1*1*2*0*163*2b5*cd154083*0*26*8*163*cd15*d6b094794b40116a8b387c10159225d776f815b178186e51faf16fa981fddbffdfa22f6c6f32d2f81dab35e141f2899841991f3cb8d53f8ee1f1d85657f7c7a82ebb2d63182803c6beee00e0bf6c72edeeb1b00dc9f07f917bb8544cc0e96ca01503cd0fb6632c296cebe3fb9b64543925daae6b7ea95cfd27c42f6f3465e0ab2c812b9aeeb15209ce3b691f27ea43a7a77b89c2387e31c4775866a044b6da783af8ddb72784ccaff4d9a246db96484e865ea208ade290b0131b4d2dd21f172693e6b5c90f2eb9b67572b55874b6d3a78763212b248629e744c07871a6054e24ef74b6d779e44970e1619df223b4e5a72a189bef40682b62be6fb7f65e087ca6ee19d1ebfc259fa7e3d98f3cb99347689f8360294352accffb146edafa9e91afba1f119f95145738ac366b332743d4ff40d49fac42b8758c43b0af5b60b8a1c63338359ffbff432774f2c92de3f8c49bd4611e134db98e6a3f2cfb148d2b20f75abab6*$/pkzip$", "passwort"},
131 {"$pkzip$1*1*2*0*163*2b6*46abc149*0*28*8*163*46ab*0f539b23b761a347a329f362f7f1f0249515f000404c77ec0b0ffe06f29140e8fa3e8e5a6354e57f3252fae3d744212d4d425dc44389dd4450aa9a4f2f3c072bee39d6ac6662620812978f7ab166c66e1acb703602707ab2da96bb28033485ec192389f213e48eda8fc7d9dad1965b097fafebfda6703117db90e0295db9a653058cb28215c3245e6e0f6ad321065bf7b8cc5f66f6f2636e0d02ea35a6ba64bbf0191c308098fd836e278abbce7f10c3360a0a682663f59f92d9c2dcfc87cde2aae27ea18a14d2e4a0752b6b51e7a5c4c8c2bab88f4fb0aba27fb20e448655021bb3ac63752fdb01e6b7c99f9223f9e15d71eb1bd8e323f522fc3da467ff0aae1aa17824085d5d6f1cdfc9c7c689cd7cb057005d94ba691f388484cfb842c8775baac220a5490ed945c8b0414dbfc4589254b856aade49f1aa386db86e9fc87e6475b452bd72c5e2122df239f8c2fd462ca54c1a5bddac36918c5f5cf0cc94aa6ee820*$/pkzip$", "Credit11"},
132 {"$pkzip$1*1*2*0*163*2b6*46abc149*0*26*8*163*46ab*7ea9a6b07ddc9419439311702b4800e7e1f620b0ab8535c5aa3b14287063557b176cf87a800b8ee496643c0b54a77684929cc160869db4443edc44338294458f1b6c8f056abb0fa27a5e5099e19a07735ff73dc91c6b20b05c023b3ef019529f6f67584343ac6d86fa3d12113f3d374b047efe90e2a325c0901598f31f7fb2a31a615c51ea8435a97d07e0bd4d4afbd228231dbc5e60bf1116ce49d6ce2547b63a1b057f286401acb7c21afbb673f3e26bc1b2114ab0b581f039c2739c7dd0af92c986fc4831b6c294783f1abb0765cf754eada132df751cf94cad7f29bb2fec0c7c47a7177dea82644fc17b455ba2b4ded6d9a24e268fcc4545cae73b14ceca1b429d74d1ebb6947274d9b0dcfb2e1ac6f6b7cd2be8f6141c3295c0dbe25b65ff89feb62cb24bd5be33853b88b8ac839fdd295f71e17a7ae1f054e27ba5e60ca03c6601b85c3055601ce41a33127938440600aaa16cfdd31afaa909fd80afc8690aaf*$/pkzip$", "7J0rdan!!"},
133 /* CMIYC 2013 "pro" hard hash */
134 {"$pkzip$1*2*2*0*6b*73*8e687a5b*0*46*8*6b*0d9d*636fedc7a78a7f80cda8542441e71092d87d13da94c93848c230ea43fab5978759e506110b77bd4bc10c95bc909598a10adfd4febc0d42f3cd31e4fec848d6f49ab24bb915cf939fb1ce09326378bb8ecafde7d3fe06b6013628a779e017be0f0ad278a5b04e41807ae9fc*$/pkzip$", "c00rslit3!"},
135 /* http://corkami.googlecode.com/files/ChristmasGIFts.zip (fixed with 2 byte checksums from timestamp, using new $pkzip2$ type) */
136 {"$pkzip2$3*2*1*2*8*c0*7224*72f6*6195f9f3401076b22f006105c4323f7ac8bb8ebf8d570dc9c7f13ddacd8f071783f6bef08e09ce4f749af00178e56bc948ada1953a0263c706fd39e96bb46731f827a764c9d55945a89b952f0503747703d40ed4748a8e5c31cb7024366d0ef2b0eb4232e250d343416c12c7cbc15d41e01e986857d320fb6a2d23f4c44201c808be107912dbfe4586e3bf2c966d926073078b92a2a91568081daae85cbcddec75692485d0e89994634c71090271ac7b4a874ede424dafe1de795075d2916eae*1*6*8*c0*26ee*461b*944bebb405b5eab4322a9ce6f7030ace3d8ec776b0a989752cf29569acbdd1fb3f5bd5fe7e4775d71f9ba728bf6c17aad1516f3aebf096c26f0c40e19a042809074caa5ae22f06c7dcd1d8e3334243bca723d20875bd80c54944712562c4ff5fdb25be5f4eed04f75f79584bfd28f8b786dd82fd0ffc760893dac4025f301c2802b79b3cb6bbdf565ceb3190849afdf1f17688b8a65df7bc53bc83b01a15c375e34970ae080307638b763fb10783b18b5dec78d8dfac58f49e3c3be62d6d54f9*2*0*2a*1e*4a204eab*ce8*2c*0*2a*4a20*7235*6b6e1a8de47449a77e6f0d126b217d6b2b72227c0885f7dc10a2fb3e7cb0e611c5c219a78f98a9069f30*$/pkzip2$", "123456"},
137 {NULL}
138 };
139
140 /* these static fields are used in the crypt_all loop, and the cmp_all/cmp_one we */
141 /* perform the pkzip 'checksum' checking. If we do get a 'hit', then that pass & */
142 /* salt pair is checked fully within the cmp_exact, where it gets inflated and */
143 /* checked (possibly also a 'sample TEXT record is done first, as a quick check */
144 static char (*saved_key)[PLAINTEXT_LENGTH + 1];
145 static u32 *K12;
146 static PKZ_SALT *salt;
147 static u8 *chk;
148 static int dirty=1;
149 #if USE_PKZIP_MAGIC
150 static ZIP_SIGS SIGS[256];
151 #endif
152 #ifdef PKZIP_USE_MULT_TABLE
153 static u8 mult_tab[16384];
154 #define PKZ_MULT(b,w) b^mult_tab[(u16)(w.u)>>2]
155 #else
PKZ_MULT(u8 b,MY_WORD w)156 inline u8 PKZ_MULT(u8 b, MY_WORD w) {u16 t = w.u|2; return b ^ (u8)(((u16)(t*(t^1))>>8)); }
157 #endif
158
159 extern struct fmt_main fmt_pkzip;
160 static const char *ValidateZipContents(FILE *in, long offset, u32 offex, int len, u32 crc);
161
162 /* Since the pkzip format textual representation is pretty complex, with multiple */
163 /* 'optional' sections, we have a VERY complete valid. Valid will make SURE that */
164 /* the format is completely valid. Thus, there is little or no error checking later */
165 /* in the rest of the code. It 'should' not be needed, and is done here. There is */
166 /* a little error checking later in the file, for some of the file opening stuff, */
167 /* since the file can change from the time of this 'valid' call, until when the data */
168 /* is actually read from the file. */
169 /* */
170 /* NOTE, we may want to later make a 'prepare()' function, and do all file loading */
171 /* there, so that we have a 'complete' format line, with the zip data contained. */
valid(char * ciphertext,struct fmt_main * self)172 static int valid(char *ciphertext, struct fmt_main *self)
173 {
174 c8 *p, *cp, *cpkeep;
175 int cnt, ret=0;
176 u64 data_len;
177 u32 crc;
178 FILE *in;
179 const char *sFailStr;
180 long offset;
181 u32 offex;
182 int type;
183 u64 complen = 0;
184 int type2 = 0;
185
186 if (strncmp(ciphertext, FORMAT_TAG, FORMAT_TAG_LEN)) {
187 if (!strncmp(ciphertext, FORMAT_TAG2, FORMAT_TAG2_LEN))
188 type2 = 1;
189 else
190 return ret;
191 }
192
193 cpkeep = strdup(ciphertext);
194 cp = cpkeep;
195
196 p = &cp[FORMAT_TAG_LEN];
197 if (type2)
198 ++p;
199 if ((cp = strtokm(p, "*")) == NULL || !cp[0] || !ishexlc_oddOK(cp)) {
200 sFailStr = "Out of data, reading count of hashes field";
201 goto Bail;
202 }
203 sscanf(cp, "%x", &cnt);
204 if (cnt < 1 || cnt > MAX_PKZ_FILES) {
205 sFailStr = "Count of hashes field out of range";
206 goto Bail;
207 }
208 if ((cp = strtokm(NULL, "*")) == NULL || cp[0] < '0' || cp[0] > '2' || cp[1]) {
209 sFailStr = "Number of valid hash bytes empty or out of range";
210 goto Bail;
211 }
212
213 while (cnt--) {
214 if ((cp = strtokm(NULL, "*")) == NULL || cp[0]<'1' || cp[0]>'3' || cp[1]) {
215 sFailStr = "Invalid data enumeration type";
216 goto Bail;
217 }
218 type = cp[0] - '0';
219 if ((cp = strtokm(NULL, "*")) == NULL || !cp[0] || !ishexlc_oddOK(cp)) {
220 sFailStr = "Invalid type enumeration";
221 goto Bail;
222 }
223 if (type > 1) {
224 if ((cp = strtokm(NULL, "*")) == NULL || !cp[0] || !ishexlc_oddOK(cp)) {
225 sFailStr = "Invalid compressed length";
226 goto Bail;
227 }
228 sscanf(cp, "%"PRIx64, &complen);
229 if ((cp = strtokm(NULL, "*")) == NULL || !cp[0] || !ishexlc_oddOK(cp)) {
230 sFailStr = "Invalid data length value";
231 goto Bail;
232 }
233 if ((cp = strtokm(NULL, "*")) == NULL || !cp[0] || !ishexlc_oddOK(cp)) {
234 sFailStr = "Invalid CRC value";
235 goto Bail;
236 }
237 sscanf(cp, "%x", &crc);
238 if ((cp = strtokm(NULL, "*")) == NULL || !cp[0] || !ishexlc_oddOK(cp)) {
239 sFailStr = "Invalid offset length";
240 goto Bail;
241 }
242 sscanf(cp, "%lx", &offset);
243 if ((cp = strtokm(NULL, "*")) == NULL || !cp[0] || !ishexlc_oddOK(cp)) {
244 sFailStr = "Invalid offset length";
245 goto Bail;
246 }
247 sscanf(cp, "%x", &offex);
248 }
249 if ((cp = strtokm(NULL, "*")) == NULL || (cp[0] != '0' && cp[0] != '8') || cp[1]) {
250 sFailStr = "Compression type enumeration";
251 goto Bail;
252 }
253 if ((cp = strtokm(NULL, "*")) == NULL || !cp[0] || !ishexlc_oddOK(cp)) {
254 sFailStr = "Invalid data length value";
255 goto Bail;
256 }
257 sscanf(cp, "%"PRIx64, &data_len);
258 if ((cp = strtokm(NULL, "*")) == NULL || !ishexlc(cp) || strlen(cp) != 4) {
259 sFailStr = "invalid checksum value";
260 goto Bail;
261 }
262 if (type2) {
263 if ((cp = strtokm(NULL, "*")) == NULL || !ishexlc(cp) || strlen(cp) != 4) {
264 sFailStr = "invalid checksum2 value";
265 goto Bail;}
266 }
267 if ((cp = strtokm(NULL, "*")) == NULL) goto Bail;
268 if (type > 1) {
269 if (type == 3) {
270 if ( strlen(cp) != data_len) {
271 sFailStr = "invalid checksum value";
272 goto Bail;
273 }
274 in = fopen(cp, "rb"); /* have to open in bin mode for OS's where this matters, DOS/Win32 */
275 if (!in) {
276 /* this error is listed, even if not in pkzip debugging mode. */
277 /* But not if we're just reading old pot lines */
278 if (!ldr_in_pot)
279 fprintf(stderr, "Error loading a pkzip hash line. The ZIP file '%s' could NOT be found\n", cp);
280 return 0;
281 }
282 sFailStr = ValidateZipContents(in, offset, offex, complen, crc);
283 if (*sFailStr) {
284 /* this error is listed, even if not in pkzip debugging mode. */
285 fprintf(stderr, "pkzip validation failed [%s] Hash is %s\n", sFailStr, ciphertext);
286 fclose(in);
287 return 0;
288 }
289 fseek(in, offset+offex, SEEK_SET);
290 if (complen < 16*1024) {
291 /* simply load the whole blob */
292 void *tbuf = mem_alloc(complen);
293 if (fread(tbuf, 1, complen, in) != complen) {
294 MEM_FREE(tbuf);
295 fclose(in);
296 return 0;
297 }
298 data_len = complen;
299 MEM_FREE(tbuf);
300 }
301 fclose(in);
302 } else {
303 /* 'inline' data. */
304 if (complen != data_len) {
305 sFailStr = "length of full data does not match the salt len";
306 goto Bail;
307 }
308 if (!ishexlc(cp) || strlen(cp) != data_len<<1) {
309 sFailStr = "invalid inline data";
310 goto Bail;
311 }
312 }
313 } else {
314 if (!ishexlc(cp) || strlen(cp) != data_len<<1) {
315 sFailStr = "invalid partial data";
316 goto Bail;
317 }
318 }
319 }
320 if ((cp = strtokm(NULL, "*")) == NULL) goto Bail;
321 if (strtokm(NULL, "") != NULL) goto Bail;
322 if (type2) ret = !strcmp(cp, "$/pkzip2$");
323 else ret = !strcmp(cp, "$/pkzip$");
324
325 Bail:;
326 #ifdef ZIP_DEBUG
327 if (!ret) fprintf(stderr, "pkzip validation failed [%s] Hash is %.64s\n", sFailStr, ciphertext);
328 #endif
329 MEM_FREE(cpkeep);
330 return ret;
331 }
332
ValidateZipContents(FILE * fp,long offset,u32 offex,int _len,u32 _crc)333 static const char *ValidateZipContents(FILE *fp, long offset, u32 offex, int _len, u32 _crc)
334 {
335 u32 id;
336 u16 version, flags, method, modtm, moddt, namelen, exlen;
337 u32 crc, complen, uncomplen;
338
339 if (fseek(fp, offset, SEEK_SET) != 0)
340 return "Not able to seek to specified offset in the .zip file, to read the zip blob data.";
341
342 id = fget32LE(fp);
343 if (id != 0x04034b50U)
344 return "Compressed zip file offset does not point to start of zip blob";
345
346 /* Ok, see if this IS the correct file blob. */
347 version = fget16LE(fp);
348 flags = fget16LE(fp);
349 method = fget16LE(fp);
350 modtm = fget16LE(fp);
351 moddt = fget16LE(fp);
352 crc = fget32LE(fp);
353 complen = fget32LE(fp);
354 uncomplen = fget32LE(fp);
355 namelen = fget16LE(fp);
356 exlen = fget16LE(fp);
357
358 /* unused vars. */
359 (void)uncomplen;
360 (void)modtm;
361 (void)moddt;
362
363 /* Even if we 'miss', we keep walking back. We 'can' miss if the CRC of file, or some other */
364 /* binary data happens to have the 0x04034b50 signature, thus giving us a false local header hit. */
365 if (_crc == crc && _len == complen && (0x14 == version || 0xA == version) && (flags & 1) && (method == 8 || method == 0) && offex==30+namelen+exlen)
366 return "";
367 return "We could NOT find the internal zip data in this ZIP file";
368 }
369
buf_copy(char * p,int len)370 static u8 *buf_copy (char *p, int len)
371 {
372 u8 *op = mem_alloc_tiny(len, MEM_ALIGN_NONE);
373 memcpy(op, p, len);
374 return op;
375 }
376
init(struct fmt_main * self)377 static void init(struct fmt_main *self)
378 {
379 #ifdef PKZIP_USE_MULT_TABLE
380 unsigned short n=0;
381 #endif
382
383 omp_autotune(self, OMP_SCALE);
384
385 saved_key = mem_calloc(sizeof(*saved_key), self->params.max_keys_per_crypt);
386 K12 = mem_calloc(sizeof(*K12) * 3, self->params.max_keys_per_crypt);
387 chk = mem_calloc(sizeof(*chk), self->params.max_keys_per_crypt);
388
389 /*
390 * Precompute the multiply mangling, within several parts of the hash. There is a pattern,
391 * 64k entries long. However the exact same value is produced 4 times in a row, every
392 * time. Thus, we can build a 16k wide array, and then access the array using this
393 * ((val&0xFFFF) >> 2) This is faster on all current HW, since the 16kb array access
394 * (and the and/shift) is faster than performing the whole mult, 2 shifts, 2 adds and
395 * an and (if the compiler can optimize it to that)
396 *
397 * There is a # define at the top of this file that turns this OFF. if that define is
398 * not set, then these mult's will be done in the crypt_all and decrypt functions
399 */
400 #ifdef PKZIP_USE_MULT_TABLE
401 for (n = 0; n < 16384; n++)
402 mult_tab[n] = (((unsigned)(n*4+3) * (n*4+2)) >> 8) & 0xff;
403 #endif
404
405 #if USE_PKZIP_MAGIC
406
407 //static char *MagicTypes[]= { "", "DOC", "XLS", "DOT", "XLT", "EXE", "DLL", "ZIP", "BMP", "DIB", "GIF", "PDF", "GZ", "TGZ", "BZ2", "TZ2", "FLV", "SWF", "MP3", NULL };
408 //static int MagicToEnum[] = {0, 1, 1, 1, 1, 2, 2, 3, 4, 4, 5, 6, 7, 7, 8, 8, 9, 10, 11, 0};
409 // decent sources of these:
410 // http://www.garykessler.net/library/file_sigs.html
411 // http://en.wikipedia.org/wiki/List_of_file_signatures
412 // http://toorcon.techpathways.com/uploads/headersig.txt
413 // not available, 2012-12-28)
414 // archive.org still has a version:
415 // http://web.archive.org/web/20110725085828/http://toorcon.techpathways.com/uploads/headersig.txt
416 // there are many more.
417
418 //case 1: // DOC/XLS
419 SIGS[1].magic_signature[0] = (u8*)str_alloc_copy("\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1");
420 SIGS[1].magic_sig_len[0] = 8;
421 SIGS[1].magic_signature[1] = buf_copy("\x50\x4B\x03\x04\x14\x00\x06\x00\x08", 10); // a .zip file 'sort of'
422 SIGS[1].magic_sig_len[1] = 9;
423 SIGS[1].magic_signature[2] = buf_copy("\x09\x04\x06\x00\x00\x00\x10\x00\xF6\x05\x5C\x00", 13); // older XLS format (office 95)
424 SIGS[1].magic_sig_len[2] = 12;
425 SIGS[1].magic_signature[3] = buf_copy("\x09\x02\x06\x00\x00\x00\x10\x00\xB9\x04\x5C\x00", 13); // older XLS v2
426 SIGS[1].magic_sig_len[3] = 12;
427 SIGS[1].magic_signature[4] = buf_copy("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00", 11); //DOC Star Writer 6.0
428 SIGS[1].magic_sig_len[4] = 10;
429 SIGS[1].magic_signature[5] = buf_copy("\x31\xBE\x00\x00\x00\xAB\x00\x00", 9); //DOC MS Word for DOS v6 File
430 SIGS[1].magic_sig_len[5] = 8;
431 SIGS[1].magic_signature[6] = (u8*)str_alloc_copy("\x12\x34\x56\x78\x90\xFF"); //DOC MS Word 6.0 File
432 SIGS[1].magic_sig_len[6] = 6;
433 SIGS[1].magic_signature[7] = (u8*)str_alloc_copy("\x7F\xFE\x34\x0A"); //MS Word File
434 SIGS[1].magic_sig_len[7] = 4;
435 SIGS[1].magic_count = 8;
436 SIGS[1].max_len = 12;
437 //case 2: // Win32/DOS exe file MZ
438 SIGS[2].magic_signature[0] = (u8*)str_alloc_copy("MZ");
439 SIGS[2].magic_sig_len[0] = 2;
440 SIGS[2].magic_count = 1;
441 SIGS[2].max_len = 2;
442 //case 3: // PKZIP
443 SIGS[3].magic_signature[0] = (u8*)str_alloc_copy("\x50\x4B\x03\x04");
444 SIGS[3].magic_sig_len[0] = 4;
445 SIGS[3].magic_count = 1;
446 SIGS[3].max_len = 4;
447 //case 4: // BMP
448 SIGS[4].magic_signature[0] = (u8*)str_alloc_copy("BM");
449 SIGS[4].magic_sig_len[0] = 2;
450 SIGS[4].magic_count = 1;
451 SIGS[4].max_len = 2;
452 //case 5: // GIF
453 SIGS[5].magic_signature[0] = (u8*)str_alloc_copy("GIF87a");
454 SIGS[5].magic_sig_len[0] = 6;
455 SIGS[5].magic_signature[1] = (u8*)str_alloc_copy("GIF89a");
456 SIGS[5].magic_sig_len[1] = 6;
457 SIGS[5].magic_count = 2;
458 SIGS[5].max_len = 6;
459 //case 6: // PDF
460 SIGS[6].magic_signature[0] = (u8*)str_alloc_copy("%PDF");
461 SIGS[6].magic_sig_len[0] = 4;
462 SIGS[6].magic_count = 1;
463 SIGS[6].max_len = 4;
464 //case 7: // GZ
465 SIGS[7].magic_signature[0] = (u8*)str_alloc_copy("\x1F\x8B\x08");
466 SIGS[7].magic_sig_len[0] = 3;
467 SIGS[7].magic_count = 1;
468 SIGS[7].max_len = 3;
469 //case 8: // BZ2 (there is a 'magic' pi, but byte 4 is 1 to 9, so skip the 'pi')
470 SIGS[8].magic_signature[0] = (u8*)str_alloc_copy("BZh");
471 SIGS[8].magic_sig_len[0] = 3;
472 SIGS[8].magic_signature[1] = (u8*)str_alloc_copy("BZ0");
473 SIGS[8].magic_sig_len[1] = 3;
474 SIGS[8].magic_count = 2;
475 SIGS[8].max_len = 3;
476 //case 9: // FLV
477 SIGS[9].magic_signature[0] = (u8*)str_alloc_copy("FLV\x01");
478 SIGS[9].magic_sig_len[0] = 4;
479 SIGS[9].magic_count = 1;
480 SIGS[9].max_len = 4;
481 //case 10: // SWF
482 SIGS[10].magic_signature[0] = (u8*)str_alloc_copy("FWS");
483 SIGS[10].magic_sig_len[0] = 3;
484 SIGS[10].magic_signature[1] = (u8*)str_alloc_copy("CWS");
485 SIGS[10].magic_sig_len[1] = 3;
486 SIGS[10].magic_signature[2] = (u8*)str_alloc_copy("ZWS");
487 SIGS[10].magic_sig_len[2] = 3;
488 SIGS[10].magic_count = 3;
489 SIGS[10].max_len = 3;
490 //case 11: // MP3
491 SIGS[11].magic_signature[0] = (u8*)str_alloc_copy("ID3");
492 SIGS[11].magic_sig_len[0] = 3;
493 SIGS[11].magic_count = 1;
494 SIGS[11].max_len = 3;
495
496 SIGS[255].max_len = 64;
497 #endif
498 }
499
done(void)500 static void done(void)
501 {
502 MEM_FREE(chk);
503 MEM_FREE(K12);
504 MEM_FREE(saved_key);
505 }
506
set_salt(void * _salt)507 static void set_salt(void *_salt)
508 {
509 salt = *((PKZ_SALT**)_salt);
510 if (salt->H[0].h && salt->H[1].h && salt->H[2].h)
511 return;
512 // we 'late' fixup the salt.
513 salt->H[0].h = &salt->zip_data[0];
514 salt->H[1].h = &salt->zip_data[1+salt->H[0].datlen];
515 salt->H[2].h = &salt->zip_data[2+salt->H[0].datlen+salt->H[1].datlen];
516 }
517
get_salt(char * ciphertext)518 static void *get_salt(char *ciphertext)
519 {
520 /* NOTE, almost NO error checking at all in this function. Proper error checking done in valid() */
521 static union alignment {
522 unsigned char c[8];
523 uint64_t a[1]; // salt alignment of 8 bytes required. uint64_t values in the salt.
524 } a;
525 unsigned char *salt_p = a.c;
526 PKZ_SALT *salt, *psalt;
527 long offset=0;
528 char *H[3] = {0,0,0};
529 long ex_len[3] = {0,0,0};
530 u32 offex;
531 size_t i, j;
532 c8 *p, *cp, *cpalloc = (char*)mem_alloc(strlen(ciphertext)+1);
533 int type2 = 0;
534
535 /* Needs word align on REQ_ALIGN systems. May crash otherwise (in the sscanf) */
536 salt = mem_calloc(1, sizeof(PKZ_SALT));
537
538 cp = cpalloc;
539 strcpy(cp, ciphertext);
540 if (!strncmp(cp, FORMAT_TAG, FORMAT_TAG_LEN))
541 p = &cp[FORMAT_TAG_LEN];
542 else {
543 p = &cp[FORMAT_TAG2_LEN];
544 type2 = 1;
545 }
546 cp = strtokm(p, "*");
547 sscanf(cp, "%x", &(salt->cnt));
548 cp = strtokm(NULL, "*");
549 sscanf(cp, "%x", &(salt->chk_bytes));
550 for (i = 0; i < salt->cnt; ++i) {
551 int data_enum;
552 cp = strtokm(NULL, "*");
553 data_enum = *cp - '0';
554 cp = strtokm(NULL, "*");
555 #if USE_PKZIP_MAGIC
556 {
557 // mingw can't handle %hhx. Use 'normal' %x and assign back to uint_8 var
558 unsigned jnk;
559 sscanf(cp, "%x", &jnk);
560 salt->H[i].magic = (unsigned char)jnk;
561 }
562 salt->H[i].pSig = &SIGS[salt->H[i].magic];
563 #endif
564
565 if (data_enum > 1) {
566 cp = strtokm(NULL, "*");
567 sscanf(cp, "%"PRIx64, &(salt->compLen));
568 cp = strtokm(NULL, "*");
569 sscanf(cp, "%"PRIx64, &(salt->deCompLen));
570 cp = strtokm(NULL, "*");
571 sscanf(cp, "%x", &(salt->crc32));
572 cp = strtokm(NULL, "*");
573 sscanf(cp, "%lx", &offset);
574 cp = strtokm(NULL, "*");
575 sscanf(cp, "%x", &offex);
576 }
577 cp = strtokm(NULL, "*");
578 sscanf(cp, "%x", &(salt->H[i].compType));
579 cp = strtokm(NULL, "*");
580 sscanf(cp, "%"PRIx64, &(salt->H[i].datlen));
581 cp = strtokm(NULL, "*");
582
583 for (j = 0; j < 4; ++j) {
584 salt->H[i].c <<= 4;
585 salt->H[i].c |= atoi16[ARCH_INDEX(cp[j])];
586 }
587 if (type2) {
588 cp = strtokm(NULL, "*");
589 for (j = 0; j < 4; ++j) {
590 salt->H[i].c2 <<= 4;
591 salt->H[i].c2 |= atoi16[ARCH_INDEX(cp[j])];
592 }
593 } else
594 salt->H[i].c2 = salt->H[i].c; // fake out 2nd hash, by copying first hash
595 cp = strtokm(NULL, "*");
596 if (data_enum > 1) {
597 /* if 2 or 3, we have the FULL zip blob for decrypting. */
598 if (data_enum == 3) {
599 /* read from file. */
600 FILE *fp;
601 fp = fopen(cp, "rb");
602 if (!fp) {
603 fprintf(stderr, "Error opening file for pkzip data: %s\n", cp);
604 MEM_FREE(cpalloc);
605 return 0;
606 }
607 fseek(fp, offset+offex, SEEK_SET);
608 if (salt->compLen < 16*1024) {
609 /* simply load the whole blob */
610 ex_len[i] = salt->compLen;
611 H[i] = mem_alloc(salt->compLen);
612 if (fread(H[i], 1, salt->compLen, fp) != salt->compLen) {
613 fprintf(stderr, "Error reading zip file for pkzip data: %s\n", cp);
614 fclose(fp);
615 MEM_FREE(cpalloc);
616 return 0;
617 }
618 fclose(fp);
619 salt->H[i].datlen = salt->compLen;
620 }
621 else {
622 /* Only load a small part (to be used in crypt_all), and set the filename in */
623 /* the salt->fname string, so that cmp_all can open the file, and buffered */
624 /* read the zip data only when it 'needs' it. */
625 strnzcpy(salt->fname, (const char *)cp, sizeof(salt->fname));
626 salt->offset = offset+offex;
627 ex_len[i] = 384;
628 H[i] = mem_alloc(384);
629 if (fread(H[i], 1, 384, fp) != 384) {
630 fprintf(stderr, "Error reading zip file for pkzip data: %s\n", cp);
631 fclose(fp);
632 MEM_FREE(cpalloc);
633 return 0;
634 }
635 fclose(fp);
636 salt->H[i].datlen = 384;
637 }
638 } else {
639 ex_len[i] = salt->compLen;
640 H[i] = mem_alloc(salt->compLen);
641 for (j = 0; j < salt->H[i].datlen; ++j)
642 H[i][j] = (atoi16[ARCH_INDEX(cp[j*2])]<<4) + atoi16[ARCH_INDEX(cp[j*2+1])];
643 }
644
645 /* we also load this into the 'building' salt */
646 salt->compType = salt->H[i].compType;
647
648 /* Now, set the 'is full zip' flag, so we later process as a zip file. */
649 salt->H[i].full_zip = 1;
650 salt->full_zip_idx = i;
651 } else {
652 ex_len[i] = salt->H[i].datlen;
653 H[i] = mem_alloc(salt->H[i].datlen);
654 for (j = 0; j < salt->H[i].datlen; ++j)
655 H[i][j] = (atoi16[ARCH_INDEX(cp[j*2])]<<4) + atoi16[ARCH_INDEX(cp[j*2+1])];
656 }
657 }
658
659 MEM_FREE(cpalloc);
660
661 // Ok, we want to add some 'logic' to remove the magic testing, except for specific cases.
662 // If the only file blobs we have are stored, and long blobs, then we want magic (3 file, 2 byte checksum does not need magic).
663 // A single 1 byte file, even if deflated, we want to keep magic. (possibly).
664 j = 0;
665 for (i = 0; i < salt->cnt; ++i) {
666 if (salt->H[i].compType == 8) {
667 if (salt->cnt == 1 && salt->chk_bytes == 1)
668 j += 10;
669 else
670 break;
671 }
672 j += 1;
673 }
674 // ok, if j == 1, then we 'might' want to use magic. Otherwise, we want to 'clear' all magic values.
675 if (j >= 20)
676 j = 0;
677 if (j && salt->chk_bytes == 2 && salt->cnt > 1)
678 j = 0; // we do not need to use magic, on 2 or 3 stored 2 byte checksum files. We already have 2^32 or 2^48 in the checksum checking
679 if (j && salt->chk_bytes == 1 && salt->cnt == 3)
680 j = 0; // we do not need to use magic, on 3 stored 2 byte checksum files. We already have 2^32 or 2^48 in the checksum checking
681 if (!j) {
682 for (i = 0; i < salt->cnt; ++i)
683 salt->H[i].magic = 0; // remove any 'magic' logic from this hash.
684 }
685
686 psalt = mem_calloc(1, sizeof(PKZ_SALT) + ex_len[0]+ex_len[1]+ex_len[2]+2);
687 memcpy(psalt, salt, sizeof(*salt));
688 memcpy(psalt->zip_data, H[0], ex_len[0]);
689 MEM_FREE(H[0]);
690 if (salt->cnt > 1)
691 memcpy(psalt->zip_data+ex_len[0]+1, H[1], ex_len[1]);
692 MEM_FREE(H[1]);
693 if (salt->cnt > 2)
694 memcpy(psalt->zip_data+ex_len[0]+ex_len[1]+2, H[2], ex_len[2]);
695 MEM_FREE(H[2]);
696 MEM_FREE(salt);
697
698 psalt->dsalt.salt_alloc_needs_free = 1; // we used mem_calloc, so JtR CAN free our pointer when done with them.
699
700 // set the JtR core linkage stuff for this dyna_salt
701 memcpy(salt_p, &psalt, sizeof(psalt));
702 psalt->dsalt.salt_cmp_offset = SALT_CMP_OFF(PKZ_SALT, cnt);
703 psalt->dsalt.salt_cmp_size =
704 SALT_CMP_SIZE(PKZ_SALT, cnt, zip_data, ex_len[0]+ex_len[1]+ex_len[2]+2);
705 return salt_p;
706 }
707
set_key(char * key,int index)708 static void set_key(char *key, int index)
709 {
710 /* Keep the PW, so we can return it in get_key if asked to do so */
711 strnzcpyn(saved_key[index], key, sizeof(*saved_key));
712 dirty = 1;
713 }
714
get_key(int index)715 static char *get_key(int index)
716 {
717 return saved_key[index];
718 }
719
cmp_one(void * binary,int idx)720 static int cmp_one(void *binary, int idx)
721 {
722 return chk[idx] == 1;
723 }
724
cmp_all(void * binary,int count)725 static int cmp_all(void *binary, int count)
726 {
727 int i,j;
728 for (i=j=0; i<count; ++i)
729 j+=chk[i]; /* hopefully addition like this is faster than 'count' conditional if statments */
730 return j;
731 }
732
733 /* this function is used by cmp_exact_loadfile. It will load the next
734 * part of the file then decrypt the data, and return just how many
735 * bytes were loaded.
736 *
737 * This function is 'similar' to an fread(). However, it also decrypts data
738 */
get_next_decrypted_block(u8 * in,int sizeof_n,FILE * fp,u32 * inp_used,MY_WORD * pkey0,MY_WORD * pkey1,MY_WORD * pkey2)739 static int get_next_decrypted_block(u8 *in, int sizeof_n, FILE *fp, u32 *inp_used, MY_WORD *pkey0, MY_WORD *pkey1, MY_WORD *pkey2)
740 {
741 u32 new_bytes = sizeof_n, k;
742 u8 C;
743
744 /* we have read all the bytes, we're done */
745 if (*inp_used >= salt->compLen)
746 return 0;
747 if (*inp_used + new_bytes > salt->compLen)
748 /* this is the last block. Only load the bytes that are left */
749 new_bytes = salt->compLen - *inp_used;
750 /* return the correct 'offset', so we can track when the file buffer has been fully read */
751 *inp_used += new_bytes;
752 /* read the data */
753 if (fread(in, 1, new_bytes, fp) != new_bytes)
754 return 0;
755
756 /* decrypt the data bytes (in place, in same buffer). Easy to do, only requires 1 temp character variable. */
757 for (k = 0; k < new_bytes; ++k) {
758 C = PKZ_MULT(in[k],(*pkey2));
759 pkey0->u = jtr_crc32 (pkey0->u, C);
760 pkey1->u = (pkey1->u + pkey0->c[KB1]) * 134775813 + 1;
761 pkey2->u = jtr_crc32 (pkey2->u, pkey1->c[KB2]);
762 in[k] = C;
763 }
764 /* return the number of bytes we read from the file on this read */
765 return new_bytes;
766 }
767
768 /* Ok, this is the more complex example. Here we have to load the file (which may be HUGE)
769 * decrypt the bytes from this file, and then inflate that data, and crc the bytes which we
770 * have inflated from that stream. Then in the end, when we use all input bytes, if we have
771 * inflated the right amount of data, ended up with a Z_STREAM_END, and the proper sized
772 * decompression buffer, and the CRC matches, then we know we have the correct password
773 *
774 * This function is called from cmp_exact(), when cmp_exact finds out we have to decrypt from
775 * the stored .zip file.
776 *
777 * this code is modifications made to the zpipe.c 'example' code from the zlib web site.
778 */
779 #define CHUNK (64*1024)
cmp_exact_loadfile(int index)780 static int cmp_exact_loadfile(int index)
781 {
782 int ret;
783 u32 have, k;
784 z_stream strm;
785 unsigned char in[CHUNK];
786 unsigned char out[CHUNK];
787 FILE *fp;
788 MY_WORD key0, key1, key2;
789 u8 *b, C;
790 u32 inp_used, decomp_len=0;
791 u32 crc = 0xFFFFFFFF;
792
793 /* Open the zip file, and 'seek' to the proper offset of the binary zip blob */
794 fp = fopen(salt->fname, "rb");
795 if (!fp) {
796 fprintf(stderr, "\nERROR, the zip file: %s has been removed.\nWe are a possible password has been found, but FULL validation can not be done!\n", salt->fname);
797 return 1;
798 }
799 if (fseek(fp, salt->offset, SEEK_SET)) {
800 fprintf(stderr, "\nERROR, the zip file: %s fseek() failed.\nWe are a possible password has been found, but FULL validation can not be done!\n", salt->fname);
801 fclose(fp);
802 return 1;
803 }
804
805 /* 'seed' the decryption with the IV. We do NOT use these bytes, they simply seed us. */
806 key0.u = K12[index*3], key1.u = K12[index*3+1], key2.u = K12[index*3+2];
807 k=12;
808 if (fread(in, 1, 12, fp) != 12) {
809 fprintf(stderr, "\nERROR, the zip file: %s fread() failed.\nWe are a possible password has been found, but FULL validation can not be done!\n", salt->fname);
810 fclose(fp);
811 return 1;
812 }
813
814 b = salt->H[salt->full_zip_idx].h;
815 do {
816 C = PKZ_MULT(*b++,key2);
817 key0.u = jtr_crc32 (key0.u, C);
818 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
819 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
820 }
821 while(--k);
822
823 /* this is 'sort of' our file pointer. It is the 'index' into the file's encrypted, compressed data buffer. */
824 /* we have read the 12 bytes of IV data, and updated our keys. Now we start processing the rest of the bytes */
825 /* to get the data to inflate, and crc check */
826 inp_used = 12;
827
828 if (salt->H[salt->full_zip_idx].compType == 0) {
829 // handle a stored blob (we do not have to decrypt it.
830 int avail_in;
831 crc = 0xFFFFFFFF;
832 avail_in = get_next_decrypted_block(in, CHUNK, fp, &inp_used, &key0, &key1, &key2);
833 while (avail_in) {
834 for (k = 0; k < avail_in; ++k)
835 crc = jtr_crc32(crc,in[k]);
836 avail_in = get_next_decrypted_block(in, CHUNK, fp, &inp_used, &key0, &key1, &key2);
837 }
838 fclose(fp);
839 return ~crc == salt->crc32;
840 }
841
842 /* allocate inflate state */
843 strm.zalloc = Z_NULL;
844 strm.zfree = Z_NULL;
845 strm.opaque = Z_NULL;
846 strm.avail_in = 0;
847 strm.next_in = Z_NULL;
848 ret = inflateInit2(&strm, -15);
849 if (ret != Z_OK) /* if zlib is hosed, then likely there is no reason at all to continue. Better to exit, and let the user 'fix' the system */
850 perror("Error, initializing the libz inflateInit2() system\n");
851
852 /* decompress until deflate stream ends or end of file */
853 do {
854 strm.avail_in = get_next_decrypted_block(in, CHUNK, fp, &inp_used, &key0, &key1, &key2);
855 if (ferror(fp)) {
856 inflateEnd(&strm);
857 fclose(fp);
858 fprintf(stderr, "\nERROR, the zip file: %s fread() failed.\nWe are a possible password has been found, but FULL validation can not be done!\n", salt->fname);
859 return 1;
860 }
861 if (strm.avail_in == 0)
862 break;
863 strm.next_in = in;
864
865 /* run inflate() on input until output buffer not full */
866 do {
867 strm.avail_out = CHUNK;
868 strm.next_out = out;
869 ret = inflate(&strm, Z_NO_FLUSH);
870 switch (ret) {
871 case Z_NEED_DICT:
872 case Z_DATA_ERROR:
873 case Z_MEM_ERROR:
874 inflateEnd(&strm);
875 fclose(fp);
876 return 0;
877 }
878 have = CHUNK - strm.avail_out;
879 /* now update our crc value */
880 for (k = 0; k < have; ++k)
881 crc = jtr_crc32(crc,out[k]);
882 decomp_len += have;
883 } while (strm.avail_out == 0);
884
885 /* done when inflate() says it's done */
886 } while (ret != Z_STREAM_END);
887
888 /* clean up and return */
889 inflateEnd(&strm);
890 fclose(fp);
891 return ret == Z_STREAM_END && inp_used == salt->compLen && decomp_len == salt->deCompLen && salt->crc32 == ~crc;
892 }
893
cmp_exact(char * source,int index)894 static int cmp_exact(char *source, int index)
895 {
896 const u8 *b;
897 u8 C, *decompBuf, *decrBuf, *B;
898 u32 k, crc;
899 MY_WORD key0, key1, key2;
900 z_stream strm;
901 int ret;
902
903 if (salt->H[salt->full_zip_idx].full_zip == 0)
904 /* we do not have a zip file, this is 'checksum' only
905 * POSSIBLY, we should log and output to screen that
906 * we are not 100% 'sure' we have the right password!! */
907 return 1;
908
909 #ifdef ZIP_DEBUG
910 fprintf(stderr, "FULL zip test being done. (pass=%s)\n", saved_key[index]);
911 #endif
912
913 if (salt->fname[0] == 0) {
914 /* we have the whole zip blob in memory, simply allocate a decrypt buffer, decrypt
915 * in one step, crc and be done with it. This is the 'trivial' type. */
916
917 decrBuf = mem_alloc(salt->compLen-12);
918
919 key0.u = K12[index*3], key1.u = K12[index*3+1], key2.u = K12[index*3+2];
920
921 b = salt->H[salt->full_zip_idx].h;
922 k=12;
923 do {
924 C = PKZ_MULT(*b++,key2);
925 key0.u = jtr_crc32 (key0.u, C);
926 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
927 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
928 }
929 while(--k);
930 B = decrBuf;
931 k = salt->compLen-12;
932 do {
933 C = PKZ_MULT(*b++,key2);
934 key0.u = jtr_crc32 (key0.u, C);
935 *B++ = C;
936 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
937 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
938 } while (--k);
939
940 if (salt->H[salt->full_zip_idx].compType == 0) {
941 // handle a stored blob (we do not have to decrypt it.
942 crc = 0xFFFFFFFF;
943 for (k = 0; k < salt->compLen-12; ++k)
944 crc = jtr_crc32(crc,decrBuf[k]);
945 MEM_FREE(decrBuf);
946 return ~crc == salt->crc32;
947 }
948
949 strm.zalloc = Z_NULL;
950 strm.zfree = Z_NULL;
951 strm.opaque = Z_NULL;
952 strm.next_in = Z_NULL;
953 strm.avail_in = 0;
954
955 ret = inflateInit2(&strm, -15); /* 'raw', since we do not have gzip header, or gzip crc. .ZIP files are 'raw' implode data. */
956 if (ret != Z_OK)
957 perror("Error, initializing the libz inflateInit2() system\n");
958
959 decompBuf = mem_alloc(salt->deCompLen);
960
961 strm.next_in = decrBuf;
962 strm.avail_in = salt->compLen-12;
963 strm.avail_out = salt->deCompLen;
964 strm.next_out = decompBuf;
965
966 ret = inflate(&strm, Z_SYNC_FLUSH);
967 inflateEnd(&strm);
968 if (ret != Z_STREAM_END || strm.total_out != salt->deCompLen) {
969 MEM_FREE(decompBuf);
970 MEM_FREE(decrBuf);
971 return 0;
972 }
973
974 crc = 0xFFFFFFFF;
975 for (k = 0; k < strm.total_out; ++k)
976 crc = jtr_crc32(crc,decompBuf[k]);
977 MEM_FREE(decompBuf);
978 MEM_FREE(decrBuf);
979 return ~crc == salt->crc32;
980 }
981 /* we have a stand alone function to handle this more complex method of
982 * loading from file, decrypting, decompressing, and crc'ing the data
983 * It is complex enough of a task, to have its own function. */
984 return cmp_exact_loadfile(index);
985 }
986
987 #if USE_PKZIP_MAGIC
988 const char exBytesUTF8[64] = {
989 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
990 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, 3,3,3,3,3,3,3,3,4,4,4,4,5,5,5,5
991 };
992
isLegalUTF8_char(const u8 * source,int length)993 static int isLegalUTF8_char(const u8 *source, int length)
994 {
995 u8 a;
996 int len;
997 const u8 *srcptr;
998
999 if (*source < 0xC0)
1000 return 1;
1001 len = exBytesUTF8[*source&0x3f];
1002 srcptr = source+len;
1003 if (len+1 > length)
1004 return -1;
1005
1006 switch (len) {
1007 default: return -1;
1008 /* Everything else falls through when "true"... */
1009 case 4: if ((a = (*--srcptr)) < 0x80 || a > 0xBF) return -1;
1010 case 3: if ((a = (*--srcptr)) < 0x80 || a > 0xBF) return -1;
1011 case 2: if ((a = (*--srcptr)) < 0x80 || a > 0xBF) return -1;
1012
1013 switch (*source) {
1014 /* no fall-through in this inner switch */
1015 case 0xE0: if (a < 0xA0) return -1;
1016 break;
1017 case 0xED: if (a > 0x9F) return -1;
1018 break;
1019 case 0xF0: if (a < 0x90) return -1;
1020 break;
1021 case 0xF4: if (a > 0x8F) return -1;
1022 }
1023
1024 case 1: if (*source >= 0x80 && *source < 0xC2) return -1;
1025 }
1026 if (*source > 0xF4) return -1;
1027 return len+1;
1028 }
1029
validate_ascii(const u8 * out,int inplen)1030 static int validate_ascii(const u8 *out, int inplen)
1031 {
1032 int i;
1033 int unicode=0;
1034
1035 for (i = 0; i < inplen-1; ++i) {
1036 if (out[i] > 0x7E) {
1037 // first check to 'see' if this is a valid utf8 character. If so, let it 'pass'.
1038 if (unicode)
1039 return 0; // in unicode mode, we ONLY handle 'ascii' bytes in the low byte.
1040
1041 if (out[i] > 0xC0) {
1042 int len;
1043 if (i > inplen-4)
1044 return 1;
1045 len = isLegalUTF8_char(&out[i], 5);
1046 if (len < 0) return 0;
1047 i += (len-1);
1048 }
1049 else {
1050 if (i) {
1051 // check for utf8 BOM \xEF \xBB \xBF
1052 if (out[0] == 0xEF && out[1] == 0xBB && out[2] == 0xBF) {
1053 i = 2;
1054 continue;
1055 }
1056 /* check for Unicode BOM (FF FE for utf16le, FE FF for utf16be, FF FE 00 00 for utf32le, not sure if 00 00 FE FF is utf32be, but likely is) */
1057 if (out[0] == 0xFF && out[1] == 0xFE) {
1058 unicode = 1;
1059 i++;
1060 continue;
1061 }
1062 /* unicode BE bom */
1063 if (out[0] == 0xFE && out[1] == 0xFF) {
1064 unicode = 1;
1065 i += 2;
1066 continue;
1067 }
1068 /* utf32 LE */
1069 if (out[0] == 0xFF && out[1] == 0xFE && out[2] == 0 && out[3] == 0) {
1070 unicode = 3;
1071 i += 3;
1072 continue;
1073 }
1074 /* utf32 BE bom */
1075 if (out[0] == 0 && out[1] == 0 && out[2] == 0xFE && out[3] == 0xFF) {
1076 unicode = 3;
1077 i += 6;
1078 continue;
1079 }
1080
1081 // allow a 'single' byte > 0x7E as long as bytes following are ascii.
1082 if (out[1] <= 0x7E && out[1] >= 0x20) {
1083 ++i;
1084 continue;
1085 }
1086 return 0;
1087 }
1088 }
1089 } else if (out[i] < 0x20) {
1090 /* we do not need to deal with DOS EOF char 0x1a, since we will never have the 'end' of the file */
1091 /* we do allow the ESC character for ANSI files, however, they are frequently also binary, so will fail in other places */
1092 if (out[i]!='\n' && out[i]!='\r' && out[i]!='\t' && out[i]!=0x1B)
1093 return 0;
1094 }
1095 i += unicode; // skip the null bytes
1096 }
1097 return 1;
1098 }
1099
CheckSigs(const u8 * p,int len,ZIP_SIGS * pSig)1100 static int CheckSigs(const u8 *p, int len, ZIP_SIGS *pSig)
1101 {
1102 int i, j;
1103
1104 for (i = 0; i < pSig->magic_count; ++i) {
1105 int fnd = 1;
1106 u8 *pS = pSig->magic_signature[i];
1107 for (j = 0; j < pSig->magic_sig_len[i]; ++j) {
1108 if (p[j] != pS[j]) {
1109 fnd = 0;
1110 break;
1111 }
1112 }
1113 if (fnd)
1114 return 1;
1115 }
1116 return 0;
1117 }
1118 #endif
1119
1120 /* note, Buf is the 'full' decrypted zip buffer (len bytes long). It DOES contain the first 3 bits, which have already
1121 * been decoded, and have told us we had a code 2 (var table block)
1122 * all done without BITS(), PULLBYTE(), BITSNEEDED() macros. We 'know' the data we need, and we know that we have
1123 * 'enough', so we do not worry about all of the overhead, and validation logic.
1124 *
1125 * In testing, this function catches ALL bad decryptions, except about 1/300 to 1/350. So, it is not too bad.
1126 */
check_inflate_CODE2(u8 * next)1127 MAYBE_INLINE static int check_inflate_CODE2(u8 *next)
1128 {
1129 u32 bits, hold, thisget, have, i;
1130 int left;
1131 u32 ncode;
1132 u32 ncount[2]; // ends up being an array of 8 u8 count values. But we can clear it, and later 'check' it with 2 u32 instructions.
1133 u8 *count; // this will point to ncount array. NOTE, this is alignment required 'safe' for Sparc systems or others requiring alignment.
1134 #if (ARCH_LITTLE_ENDIAN==1) && (ARCH_ALLOWS_UNALIGNED==1)
1135 // 'speedup' for x86 type systems. pkzip/inflate was designed here, so why not use it.
1136 hold = *((u32*)next);
1137 #else
1138 hold = *next + (((u32)next[1])<<8) + (((u32)next[2])<<16) + (((u32)next[3])<<24);
1139 #endif
1140 next += 3; // we pre-increment when pulling it in the loop, thus we need to be 1 byte back.
1141 hold >>= 3; // we already processed 3 bits
1142 count = (u8*)ncount;
1143
1144 if (257+(hold&0x1F) > 286)
1145 return 0; // nlen, but we do not use it.
1146 hold >>= 5;
1147 if (1+(hold&0x1F) > 30)
1148 return 0; // ndist, but we do not use it.
1149 hold >>= 5;
1150 ncode = 4+(hold&0xF);
1151 hold >>= 4;
1152
1153 // we have 15 bits left.
1154 hold += ((u32)(*++next)) << 15;
1155 hold += ((u32)(*++next)) << 23;
1156 // we now have 31 bits. We need to know this for the loop below.
1157 bits = 31;
1158
1159 // We have 31 bits now, in accum. If we are processing 19 codes, we do 7, then have 10 bits.
1160 // Add 16 more and have 26, then use 21, have 5. Then load 16 more, then eat 15 of them.
1161 have = 0;
1162
1163 ncount[0] = ncount[1] = 0;
1164 for (;;) {
1165 if (have+7>ncode)
1166 thisget = ncode-have;
1167 else
1168 thisget = 7;
1169 have += thisget;
1170 bits -= thisget*3;
1171 while (thisget--) {
1172 ++count[hold&7];
1173 hold>>=3;
1174 }
1175 if (have == ncode)
1176 break;
1177 hold += ((u32)(*++next)) << bits;
1178 bits += 8;
1179 hold += ((u32)(*++next)) << bits;
1180 bits += 8;
1181 }
1182 count[0] = 0;
1183 if (!ncount[0] && !ncount[1])
1184 return 0; /* if no codes at all, then simply bail, that is invalid */
1185
1186 /* check for an over-subscribed or incomplete set of lengths */
1187 /* this will catch about 319 out of 320 'bad' passwords that */
1188 /* have made it into this function. Note, only 1/4 of the */
1189 /* passwords which pass the checksum, can make it here. Of */
1190 /* those, we drop 319/320 or about that many (a good check!) */
1191 left = 1;
1192 for (i = 1; i <= 7; ++i) {
1193 left <<= 1;
1194 left -= count[i];
1195 if (left < 0)
1196 return 0; /* over-subscribed */
1197 }
1198 if (left > 0)
1199 return 0; /* incomplete set */
1200
1201 return 1; /* Passed this check! */
1202 }
1203
1204 //static code const * const lcode = lenfix;
1205 //static code const * const dcode = distfix;
1206
1207 /* This function handles inflate CODE type 1. This is a 'fixed' table code. We set the fixed table, */
1208 /* and then inflate some data (without writing anything. If we find any BAD lookback data, we can */
1209 /* return a failure. We have 24 bytes of inflate data, and this almost always is more than enough */
1210 /* to turn up an error. If we find we need more, we will do more than 24 */
check_inflate_CODE1(u8 * next,int left)1211 MAYBE_INLINE static int check_inflate_CODE1(u8 *next, int left)
1212 {
1213 u32 whave = 0, op, bits, hold,len;
1214 code here;
1215
1216 #if (ARCH_LITTLE_ENDIAN==1) && (ARCH_ALLOWS_UNALIGNED==1)
1217 // 'speedup' for x86 type systems. pkzip/inflate was designed here, so why not use it.
1218 hold = *((u32*)next);
1219 #else
1220 hold = *next + (((u32)next[1])<<8) + (((u32)next[2])<<16) + (((u32)next[3])<<24);
1221 #endif
1222 next += 3; // we pre-increment when pulling it in the loop, thus we need to be 1 byte back.
1223 left -= 4;
1224 hold >>= 3; // we already processed 3 bits
1225 bits = 32-3;
1226 for (;;) {
1227 if (bits < 15) {
1228 if (left < 2)
1229 return 1; // we are out of bytes. Return we had no error.
1230 left -= 2;
1231 hold += (u32)(*++next) << bits;
1232 bits += 8;
1233 hold += (u32)(*++next) << bits;
1234 bits += 8;
1235 }
1236 here=lenfix[hold & 0x1FF];
1237 op = (unsigned)(here.bits);
1238 hold >>= op;
1239 bits -= op;
1240 op = (unsigned)(here.op);
1241 if (op == 0) /* literal */
1242 ++whave;
1243 else if (op & 16) { /* length base */
1244 len = (unsigned)(here.val);
1245 op &= 15; /* number of extra bits */
1246 if (op) {
1247 if (bits < op) {
1248 if (!left)
1249 return 1; /*we are out of bytes. Return we had no error.*/
1250 --left;
1251 hold += (u32)(*++next) << bits;
1252 bits += 8;
1253 }
1254 len += (unsigned)hold & ((1U << op) - 1);
1255 hold >>= op;
1256 bits -= op;
1257 }
1258 if (bits < 15) {
1259 if (left < 2)
1260 return 1; /*we are out of bytes. Return we had no error.*/
1261 left -= 2;
1262 hold += (u32)(*++next) << bits;
1263 bits += 8;
1264 hold += (u32)(*++next) << bits;
1265 bits += 8;
1266 }
1267 here = distfix[hold & 0x1F];
1268 // dodist:
1269 op = (unsigned)(here.bits);
1270 hold >>= op;
1271 bits -= op;
1272 op = (unsigned)(here.op);
1273 if (op & 16) { /* distance base */
1274 u32 dist = (unsigned)(here.val);
1275 op &= 15; /* number of extra bits */
1276 if (bits < op) {
1277 if (!left)
1278 return 1; /*we are out of bytes. Return we had no error.*/
1279 --left;
1280 hold += (u32)(*++next) << bits;
1281 bits += 8;
1282 if (bits < op) {
1283 if (!left)
1284 return 1; /*we are out of bytes. Return we had no error.*/
1285 --left;
1286 hold += (u32)(*++next) << bits;
1287 bits += 8;
1288 }
1289 }
1290 dist += (unsigned)hold & ((1U << op) - 1);
1291 if (dist > whave)
1292 return 0; /*invalid distance too far back*/
1293 hold >>= op;
1294 bits -= op;
1295
1296 //***** start of patched code from Pavel Semjanov (see original code below)
1297 whave += len;
1298 }
1299 else
1300 return 0; /*invalid distance code*/
1301 }
1302 else if (op & 32) {
1303 // end of block [may present in short sequences, but only at the end.] NOTE, we need to find out if we EVER hit the end of a block, at only 24 bytes???
1304 if (left == 0)
1305 return 1;
1306 return 0;
1307 }
1308 else {
1309 return 0; // invalid literal/length code.
1310 }
1311 //***** End of patched code from Pavel
1312 }
1313 }
1314
1315 // original code block (for above), prior to patch from Pavel Semjanov [pavel@semjanov.com]
1316 // this code would be a direct drop in between the comments starting and stopping with //***** above
1317 // also the dodist label was commented out (no longer used).
1318 #if 0
1319 whave += dist;
1320 }
1321 else if ((op & 64) == 0) { /* 2nd level distance code */
1322 here = distfix[here.val + (hold & ((1U << op) - 1))];
1323 goto dodist;
1324 }
1325 else
1326 return 0; /*invalid distance code*/
1327 }
1328 else if (op & 64) {
1329 // 2nd level length code.
1330 //here = lcode[here.val + (hold & ((1U << op) - 1))];
1331 //goto dolen;
1332
1333 // this causes an infinite loop. Also, I VERY seriously doubt, this will EVER happen in the first
1334 // 24 bytes of code. NOTE, there may be problems, in the fact this causes a inf loop!, but for now,
1335 // simply return 0, then debug later.
1336 return 0;
1337 }
1338 else if (op & 32) {
1339 // end of block NOTE, we need to find out if we EVER hit the end of a block, at only 24 bytes???
1340 // It is VERY likely we do SHOULD NOT EVER hit this. If that is the case, return that this block is bogus.
1341 // check next OP (if we have enough bits left), if CODE=3, fail. If code==0, check
1342 return 0;
1343 }
1344 else {
1345 return 0; // invalid literal/length code.
1346 }
1347 #endif
1348
1349 /*
1350 * Crypt_all simply performs the checksum .zip validatation of the data. It performs
1351 * this for ALL hashes provided. If any of them fail to match, then crypt all puts the
1352 * complement of the 'proper' checksum of the first hash into the output. These 2 bytes
1353 * are checked against the binary for this salt/password combination. Thus, if any
1354 * checksum fails, it will never match binary. However, if ALL of the checksums match
1355 * we then put the checksum bytes from the first hash, into our output data. Then, when
1356 * the binary check (cmp_all, cmp_one) is performed, it WILL match. NOTE, this does
1357 * not mean we have found the password. Just that all hashes quick check checksums
1358 * for this password 'work'.
1359 */
crypt_all(int * pcount,struct db_salt * _salt)1360 static int crypt_all(int *pcount, struct db_salt *_salt)
1361 {
1362 const int _count = *pcount;
1363 int idx;
1364 #if (ZIP_DEBUG==2)
1365 static int CNT, FAILED, FAILED2;
1366 ++CNT;
1367 #endif
1368
1369 // pkzip kinda sucks a little for multi-threading, since there is different amount of work to be
1370 // done, depenging upon the password. Thus, we pack in OMP_MOD passwords into each thread, and
1371 // hopefully some of the differnces will even themselves out in the end. If we have 2 threads
1372 // then thread 1 gets 0 to 127 password, and thread 2 gets 128-256. Once they 'get' their data,
1373 // there should be no mutexing of the runtime data, thus the threads should run fast.
1374 // Also, since we have 'multiple' files in a .zip file (and multiple checksums), we bail as at the
1375 // first time we fail to match checksum. So, there may be some threads which check more checksums.
1376 // Again, hopefully globbing many tests into a threads working set will flatten out these differences.
1377 #ifdef _OPENMP
1378 #pragma omp parallel for private(idx)
1379 #endif
1380 for (idx = 0; idx < _count; ++idx) {
1381 int cur_hash_count = salt->cnt;
1382 int cur_hash_idx = -1;
1383 MY_WORD key0, key1, key2;
1384 u8 C;
1385 const u8 *b;
1386 u8 curDecryBuf[256];
1387 #if USE_PKZIP_MAGIC
1388 u8 curInfBuf[128];
1389 #endif
1390 int k, SigChecked;
1391 u16 e, e2, v1, v2;
1392 z_stream strm;
1393 int ret;
1394
1395 /* use the pwkey for each hash. We mangle on the 12 bytes of IV to what was computed in the pwkey load. */
1396
1397 if (dirty) {
1398 u8 *p = (u8*)saved_key[idx];
1399
1400 /* load the 'pwkey' one time, put it into the K12 array */
1401 key0.u = 0x12345678UL; key1.u = 0x23456789UL; key2.u = 0x34567890UL;
1402 do {
1403 key0.u = jtr_crc32 (key0.u, *p++);
1404 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
1405 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
1406 } while (*p);
1407 K12[idx*3] = key0.u, K12[idx*3+1] = key1.u, K12[idx*3+2] = key2.u;
1408 goto SkipKeyLoadInit;
1409 }
1410
1411 do
1412 {
1413 // 2nd, and later times through the loop, AND if keys are not dirty (i.e. multiple salts
1414 // for the same key load), we do NOT perform the key compute, but instead load the pre-computed
1415 // key data from the array.
1416 key0.u = K12[idx*3], key1.u = K12[idx*3+1], key2.u = K12[idx*3+2];
1417
1418 SkipKeyLoadInit:;
1419 b = salt->H[++cur_hash_idx].h;
1420 k=11;
1421 e = salt->H[cur_hash_idx].c;
1422 e2 = salt->H[cur_hash_idx].c2;
1423
1424 do
1425 {
1426 C = PKZ_MULT(*b++,key2);
1427 key0.u = jtr_crc32 (key0.u, C);
1428 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
1429 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
1430 }
1431 while(--k);
1432
1433 /* if the hash is a 2 byte checksum type, then check that value first */
1434 /* There is no reason to continue if this byte does not check out. */
1435 if (salt->chk_bytes == 2 && C != (e&0xFF) && C != (e2&0xFF))
1436 goto Failed_Bailout;
1437
1438 C = PKZ_MULT(*b++,key2);
1439 #if 1
1440 // https://github.com/magnumripper/JohnTheRipper/issues/467
1441 // Fixed, JimF. Added checksum test for crc32 and timestamp.
1442 if (C != (e>>8) && C != (e2>>8))
1443 goto Failed_Bailout;
1444 #endif
1445
1446 // Now, update the key data (with that last byte.
1447 key0.u = jtr_crc32 (key0.u, C);
1448 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
1449 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
1450
1451 // Ok, we now have validated this checksum. We need to 'do some' extra pkzip validation work.
1452 // What we do here, is to decrypt a little data (possibly only 1 byte), and perform a single
1453 // 'inflate' check (if type is 8). If type is 0 (stored), and we have a signature check, then
1454 // we do that here. Also, if the inflate code is a 0 (stored block), and we do sig check, then
1455 // we can do that WITHOUT having to call inflate. however, if there IS a sig check, we will have
1456 // to call inflate on 'some' data, to get a few bytes (or error code). Also, if this is a type
1457 // 2 or 3, then we do the FULL inflate, CRC check here.
1458 e = 0;
1459
1460 // First, we want to get the inflate CODE byte (the first one).
1461
1462 C = PKZ_MULT(*b++,key2);
1463 SigChecked = 0;
1464 if ( salt->H[cur_hash_idx].compType == 0) {
1465 // handle a stored file.
1466 // We can ONLY deal with these IF we are handling 'magic' testing.
1467
1468 #if USE_PKZIP_MAGIC
1469 // Ok, if we have a signature, check it here, WITHOUT having to call zLib's inflate.
1470 if (salt->H[cur_hash_idx].pSig->max_len) {
1471 int len = salt->H[cur_hash_idx].pSig->max_len;
1472 if (len > salt->H[cur_hash_idx].datlen-12)
1473 len = salt->H[cur_hash_idx].datlen-12;
1474 SigChecked = 1;
1475 curDecryBuf[0] = C;
1476 for (; e < len;) {
1477 key0.u = jtr_crc32 (key0.u, curDecryBuf[e]);
1478 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
1479 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
1480 curDecryBuf[++e] = PKZ_MULT(*b++,key2);
1481 }
1482
1483 if (salt->H[cur_hash_idx].magic == 255) {
1484 if (!validate_ascii(&curDecryBuf[5], len-5))
1485 goto Failed_Bailout;
1486 } else {
1487 if (!CheckSigs(curDecryBuf, len, salt->H[cur_hash_idx].pSig))
1488 goto Failed_Bailout;
1489 }
1490 }
1491 #endif
1492 continue;
1493 }
1494 #if 1
1495 // https://github.com/magnumripper/JohnTheRipper/issues/467
1496 // Ok, if this is a code 3, we are done.
1497 // Code moved to after the check for stored type. (FIXED) This check was INVALID for a stored type file.
1498 if ( (C & 6) == 6)
1499 goto Failed_Bailout;
1500 #endif
1501 if ( (C & 6) == 0) {
1502 // Check that checksum2 is 0 or 1. If not, I 'think' we can be done
1503 if (C > 1)
1504 goto Failed_Bailout;
1505 // now get 4 bytes. This is the length. It is made up of 2 16 bit values.
1506 // these 2 values are checksumed, so it is easy to tell if the data is WRONG.
1507 // correct data is u16_1 == (u16_2^0xFFFF)
1508 curDecryBuf[0] = C;
1509 for (e = 0; e <= 4; ) {
1510 key0.u = jtr_crc32 (key0.u, curDecryBuf[e]);
1511 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
1512 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
1513 curDecryBuf[++e] = PKZ_MULT(*b++,key2);
1514 }
1515 v1 = curDecryBuf[1] | (((u16)curDecryBuf[2])<<8);
1516 v2 = curDecryBuf[3] | (((u16)curDecryBuf[4])<<8);
1517 if (v1 != (v2^0xFFFF))
1518 goto Failed_Bailout;
1519 #if USE_PKZIP_MAGIC
1520 // Ok, if we have a signature, check it here, WITHOUT having to call zLib's inflate.
1521 if (salt->H[cur_hash_idx].pSig->max_len) {
1522 int len = salt->H[cur_hash_idx].pSig->max_len + 5;
1523 if (len > salt->H[cur_hash_idx].datlen-12)
1524 len = salt->H[cur_hash_idx].datlen-12;
1525 SigChecked = 1;
1526 for (; e < len;) {
1527 key0.u = jtr_crc32 (key0.u, curDecryBuf[e]);
1528 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
1529 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
1530 curDecryBuf[++e] = PKZ_MULT(*b++,key2);
1531 }
1532
1533 if (salt->H[cur_hash_idx].magic == 255) {
1534 if (!validate_ascii(&curDecryBuf[5], len-5))
1535 goto Failed_Bailout;
1536 } else {
1537 if (!CheckSigs(&curDecryBuf[5], len-5, salt->H[cur_hash_idx].pSig))
1538 goto Failed_Bailout;
1539 }
1540 }
1541 #endif
1542 }
1543 else {
1544 // Ok, now we have handled inflate code type 3 and inflate code 0 (50% of 'random' data)
1545 // We now have the 2 'hard' ones left (fixed table, and variable table)
1546
1547 curDecryBuf[0] = C;
1548
1549 if ((C&6) == 4) { // inflate 'code' 2 (variable table)
1550 #if (ZIP_DEBUG==2)
1551 static unsigned count, found;
1552 ++count;
1553 #endif
1554 // we need 4 bytes, + 2, + 4 at most.
1555 for (; e < 10;) {
1556 key0.u = jtr_crc32 (key0.u, curDecryBuf[e]);
1557 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
1558 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
1559 curDecryBuf[++e] = PKZ_MULT(*b++,key2);
1560 }
1561 if (!check_inflate_CODE2(curDecryBuf))
1562 goto Failed_Bailout;
1563 #if (ZIP_DEBUG==2)
1564 fprintf(stderr, "CODE2 Pass=%s count = %u, found = %u\n", saved_key[idx], count, ++found);
1565 #endif
1566 }
1567 else {
1568 int til;
1569 #if (ZIP_DEBUG==2)
1570 static unsigned count, found;
1571 ++count;
1572 #endif
1573 til = 36;
1574 if (salt->H[cur_hash_idx].datlen-12 < til)
1575 til = salt->H[cur_hash_idx].datlen-12;
1576 for (; e < til;) {
1577 key0.u = jtr_crc32 (key0.u, curDecryBuf[e]);
1578 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
1579 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
1580 curDecryBuf[++e] = PKZ_MULT(*b++,key2);
1581 }
1582 if (!check_inflate_CODE1(curDecryBuf, til))
1583 goto Failed_Bailout;
1584 #if (ZIP_DEBUG==2)
1585 fprintf(stderr, "CODE1 Pass=%s count = %u, found = %u\n", saved_key[idx], count, ++found);
1586 #endif
1587 }
1588 }
1589 #if USE_PKZIP_MAGIC
1590 // Ok, now see if we need to check sigs, or do a FULL inflate/crc check.
1591 if (!SigChecked && salt->H[cur_hash_idx].pSig->max_len) {
1592 int til = 180;
1593 if (salt->H[cur_hash_idx].datlen-12 < til)
1594 til = salt->H[cur_hash_idx].datlen-12;
1595 for (; e < til;) {
1596 key0.u = jtr_crc32 (key0.u, curDecryBuf[e]);
1597 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
1598 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
1599 curDecryBuf[++e] = PKZ_MULT(*b++,key2);
1600 }
1601 strm.zalloc = Z_NULL;
1602 strm.zfree = Z_NULL;
1603 strm.opaque = Z_NULL;
1604 strm.next_in = Z_NULL;
1605 strm.avail_in = til;
1606
1607 ret = inflateInit2(&strm, -15); /* 'raw', since we do not have gzip header, or gzip crc. .ZIP files are 'raw' implode data. */
1608 if (ret != Z_OK)
1609 perror("Error, initializing the libz inflateInit2() system\n");
1610
1611 strm.next_in = curDecryBuf;
1612 strm.avail_out = sizeof(curInfBuf);
1613 strm.next_out = curInfBuf;
1614
1615 ret = inflate(&strm, Z_SYNC_FLUSH);
1616
1617 inflateEnd(&strm);
1618 if (ret != Z_OK) {
1619 // we need to handle zips smaller than sizeof curInfBuf. If we find a zip of this
1620 // size, the return is Z_STREAM_END, BUT things are fine.
1621 if (ret == Z_STREAM_END && salt->deCompLen == strm.total_out)
1622 ; // things are ok.
1623 else
1624 goto Failed_Bailout;
1625 }
1626 if (!strm.total_out)
1627 goto Failed_Bailout;
1628
1629 ret = salt->H[cur_hash_idx].pSig->max_len;
1630 if (salt->H[cur_hash_idx].magic == 255) {
1631 if (!validate_ascii(curInfBuf, strm.total_out))
1632 goto Failed_Bailout;
1633 } else {
1634 if (strm.total_out < ret)
1635 goto Failed_Bailout;
1636 if (!CheckSigs(curInfBuf, strm.total_out, salt->H[cur_hash_idx].pSig))
1637 goto Failed_Bailout;
1638 }
1639 }
1640 #endif
1641
1642 if (salt->H[cur_hash_idx].full_zip) {
1643 u8 inflateBufTmp[1024];
1644 if (salt->compLen > 240 && salt->H[cur_hash_idx].datlen >= 200) {
1645 for (;e < 200;) {
1646 key0.u = jtr_crc32 (key0.u, curDecryBuf[e]);
1647 key1.u = (key1.u + key0.c[KB1]) * 134775813 + 1;
1648 key2.u = jtr_crc32 (key2.u, key1.c[KB2]);
1649 curDecryBuf[++e] = PKZ_MULT(*b++,key2);
1650 }
1651 strm.zalloc = Z_NULL;
1652 strm.zfree = Z_NULL;
1653 strm.opaque = Z_NULL;
1654 strm.next_in = Z_NULL;
1655 strm.avail_in = e;
1656
1657 ret = inflateInit2(&strm, -15); /* 'raw', since we do not have gzip header, or gzip crc. .ZIP files are 'raw' implode data. */
1658 if (ret != Z_OK)
1659 perror("Error, initializing the libz inflateInit2() system\n");
1660
1661 strm.next_in = curDecryBuf;
1662 strm.avail_out = sizeof(inflateBufTmp);
1663 strm.next_out = inflateBufTmp;
1664
1665 ret = inflate(&strm, Z_SYNC_FLUSH);
1666 inflateEnd(&strm);
1667
1668 if (ret != Z_OK) {
1669 #if (ZIP_DEBUG==2)
1670 fprintf(stderr, "fail=%d fail2=%d tot="LLd"\n", ++FAILED, FAILED2, ((long long)CNT)*_count);
1671 #endif
1672 goto Failed_Bailout;
1673 }
1674 }
1675 goto KnownSuccess;
1676 }
1677 }
1678 while(--cur_hash_count);
1679
1680 /* We got a checksum HIT!!!! All hash checksums matched. */
1681 /* We load the proper checksum value for the gethash */
1682 KnownSuccess: ;
1683 chk[idx] = 1;
1684
1685 continue;
1686
1687 Failed_Bailout: ;
1688 /* We load the wrong checksum value for the gethash */
1689 chk[idx] = 0;
1690 }
1691
1692 /* clear the 'dirty' flag. Then on multiple different salt calls, we will not have to */
1693 /* encrypt the passwords again. They will have already been loaded in the K12[] array. */
1694 dirty = 0;
1695
1696 return _count;
1697 }
1698
1699 struct fmt_main fmt_pkzip = {
1700 {
1701 FORMAT_LABEL,
1702 FORMAT_NAME,
1703 ALGORITHM_NAME,
1704 BENCHMARK_COMMENT,
1705 BENCHMARK_LENGTH,
1706 0,
1707 PLAINTEXT_LENGTH,
1708 BINARY_SIZE,
1709 BINARY_ALIGN,
1710 SALT_SIZE,
1711 SALT_ALIGN,
1712 MIN_KEYS_PER_CRYPT,
1713 MAX_KEYS_PER_CRYPT,
1714 FMT_CASE | FMT_8_BIT | FMT_OMP | FMT_DYNA_SALT | FMT_HUGE_INPUT,
1715 { NULL },
1716 { FORMAT_TAG, FORMAT_TAG2 },
1717 tests
1718 }, {
1719 init,
1720 done,
1721 fmt_default_reset,
1722 fmt_default_prepare,
1723 valid,
1724 fmt_default_split,
1725 fmt_default_binary,
1726 get_salt,
1727 { NULL },
1728 fmt_default_source,
1729 {
1730 fmt_default_binary_hash
1731 },
1732 fmt_default_dyna_salt_hash,
1733 NULL,
1734 set_salt,
1735 set_key,
1736 get_key,
1737 fmt_default_clear_keys,
1738 crypt_all,
1739 {
1740 fmt_default_get_hash
1741 },
1742 cmp_all,
1743 cmp_one,
1744 cmp_exact
1745 }
1746 };
1747
1748 #endif /* plugin stanza */
1749
1750 #else
1751
1752 #if !defined(FMT_EXTERNS_H) && !defined(FMT_REGISTERS_H)
1753 #ifdef __GNUC__
1754 #warning pkzip format requires zlib to function. The format has been disabled
1755 #elif _MSC_VER
1756 #pragma message(": warning pkzip format requires zlib to function. The format has been disabled :")
1757 #endif
1758 #endif
1759
1760 #endif /* HAVE_LIBZ */
1761