Merge pull request #4123 from PenguinKeeper7/metamask-false-positive

Raise Metamask false positive rate
2025-07-19 13:08:19 +00:00 · 2025-07-09 16:15:55 +02:00 · 2025-07-09 16:15:55 +02:00 · 5ffbc5edc4
commit 5ffbc5edc4
parent d1b36ea184 dcfa17100e
1 changed files with 32 additions and 1 deletions
--- a/OpenCL/m26610-pure.cl
+++ b/OpenCL/m26610-pure.cl
@ -368,7 +368,7 @@ KERNEL_FQ KERNEL_FA void m26610_comp (KERN_ATTR_TMPS_ESALT (pbkdf2_sha256_tmp_t,

  AES_GCM_decrypt (key, J0, ct, 32, pt, s_te0, s_te1, s_te2, s_te3, s_te4);

-  const int correct = is_valid_printable_32 (pt[0])
+  int correct = is_valid_printable_32 (pt[0])
                    + is_valid_printable_32 (pt[1])
                    + is_valid_printable_32 (pt[2])
                    + is_valid_printable_32 (pt[3])
@ -379,6 +379,37 @@ KERNEL_FQ KERNEL_FA void m26610_comp (KERN_ATTR_TMPS_ESALT (pbkdf2_sha256_tmp_t,

  if (correct != 8) return;

+  u32 ct2[8];
+
+  ct2[0] = pbkdf2_sha256_aes_gcm->ct_buf[8]; // third block of ciphertext
+  ct2[1] = pbkdf2_sha256_aes_gcm->ct_buf[9];
+  ct2[2] = pbkdf2_sha256_aes_gcm->ct_buf[10];
+  ct2[3] = pbkdf2_sha256_aes_gcm->ct_buf[11];
+  ct2[4] = pbkdf2_sha256_aes_gcm->ct_buf[12]; // fourth block of ciphertext
+  ct2[5] = pbkdf2_sha256_aes_gcm->ct_buf[13];
+  ct2[6] = pbkdf2_sha256_aes_gcm->ct_buf[14];
+  ct2[7] = pbkdf2_sha256_aes_gcm->ct_buf[15];
+
+  // Only a single increment as the previous AES_GCM_DECRYPT already does one for us
+  J0[3]++;
+
+  u32 pt2[8] = { 0 };
+
+  AES_GCM_decrypt (key, J0, ct2, 32, pt2, s_te0, s_te1, s_te2, s_te3, s_te4);
+
+  correct = is_valid_printable_32 (pt2[0])
+                    + is_valid_printable_32 (pt2[1])
+                    + is_valid_printable_32 (pt2[2])
+                    + is_valid_printable_32 (pt2[3])
+                    + is_valid_printable_32 (pt2[4])
+                    + is_valid_printable_32 (pt2[5])
+                    + is_valid_printable_32 (pt2[6])
+                    + is_valid_printable_32 (pt2[7]);
+
+  // We need to check a third and fourth block to avoid extremely rare false-positives. See:
+  // https://github.com/hashcat/hashcat/issues/4121
+  if (correct != 8) return;
+
  /*
  const int pt_len = 28; // not using 32 byte but 28 because our UTF8 allows up to 4 byte per character and since we decrypt 32 byte
                         // only we can't guarantee it is not in the middle of a UTF8 byte stream at that point