arno/hashcat
1
0
Fork 0
mirror of https://github.com/hashcat/hashcat.git synced 2024-11-22 16:18:09 +00:00
Code Issues Releases Wiki Activity

Fixed an invalid optimization code in kernel 7700 depending on the input hash, causing the kernel to loop forever

Browse Source
This commit is contained in:
jsteube 2017-09-03 13:36:14 +02:00
parent 151dbc5349
commit 8b0e7087c7
4 changed files with 48 additions and 251 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
OpenCL/m07700_a0-optimized.cl
View File

@ -88,10 +88,10 @@ u32 walld0rf_magic (const u32 w0[4], const u32 pw_len, const u32 salt_buf0[4], c
t[15] = 0;
u32 sum20 = ((a >> 24) & 3)
+ ((a >> 16) & 3)
+ ((a >> 8) & 3)
+ ((a >> 0) & 3)
+ ((b >> 8) & 3);
+ ((a >> 16) & 3)
+ ((a >> 8) & 3)
+ ((a >> 0) & 3)
+ ((b >> 8) & 3);
sum20 |= 0x20;
@ -105,88 +105,36 @@ u32 walld0rf_magic (const u32 w0[4], const u32 pw_len, const u32 salt_buf0[4], c
u32 i2 = 0;
u32 i3 = 0;
// we can assume this because the password must be at least 3
// and the username must be at least 1 so we can save the if ()
u32 t0 = 0;
if ((d >> 24) & 1)
while (i2 < sum20)
{
t0 |= bcodeArray[47] << 0;
t0 |= (w[0] & 0xff) << 8;
t0 |= (s[0] & 0xff) << 16;
t0 |= bcodeArray[ 1] << 24;
i1 = 1;
i2 = 5;
i3 = 1;
}
else
{
t0 |= (w[0] & 0xff) << 0;
t0 |= (s[0] & 0xff) << 8;
t0 |= bcodeArray[ 0] << 16;
i1 = 1;
i2 = 4;
i3 = 1;
}
t[0] = t0;
// because the following code can increase i2 by a maximum of 5,
// there is an overflow potential of 4 before it comes to the next test for i2 >= sum20
// we need to truncate in that case
while ((i1 < pw_len) && (i3 < salt_len))
{
u32 x0 = 0;
u32 i2_sav = i2;
if (GETCHAR (saved_key, 15 - i1) & 1)
{
x0 |= bcodeArray[48 - 1 - i1] << 0; i2++;
x0 |= GETCHAR (w, i1) << 8; i2++; i1++;
x0 |= GETCHAR (s, i3) << 16; i2++; i3++;
x0 |= bcodeArray[i2 - i1 - i3] << 24; i2++; i2++;
}
else
{
x0 |= GETCHAR (w, i1) << 0; i2++; i1++;
x0 |= GETCHAR (s, i3) << 8; i2++; i3++;
x0 |= bcodeArray[i2 - i1 - i3] << 16; i2++; i2++;
}
SETSHIFTEDINT (t, i2_sav, x0);
if (i2 >= sum20)
{
return sum20;
}
}
while ((i1 < pw_len) || (i3 < salt_len))
{
if (i1 < pw_len) // max 8
if (i1 < pw_len)
{
if (GETCHAR (saved_key, 15 - i1) & 1)
{
PUTCHAR (t, i2, bcodeArray[48 - 1 - i1]);
i2++;
if (i2 == sum20) break;
}
PUTCHAR (t, i2, GETCHAR (w, i1));
i1++;
i2++;
if (i2 == sum20) break;
i1++;
}
else
if (i3 < salt_len)
{
PUTCHAR (t, i2, GETCHAR (s, i3));
i2++;
if (i2 == sum20) break;
i3++;
}
@ -194,19 +142,6 @@ u32 walld0rf_magic (const u32 w0[4], const u32 pw_len, const u32 salt_buf0[4], c
i2++;
i2++;
if (i2 >= sum20)
{
return sum20;
}
}
while (i2 < sum20)
{
PUTCHAR (t, i2, bcodeArray[i2 - i1 - i3]);
i2++;
i2++;
}
return sum20;

99
OpenCL/m07700_a1-optimized.cl
View File

@ -86,10 +86,10 @@ u32 walld0rf_magic (const u32 w0[4], const u32 pw_len, const u32 salt_buf0[4], c
t[15] = 0;
u32 sum20 = ((a >> 24) & 3)
+ ((a >> 16) & 3)
+ ((a >> 8) & 3)
+ ((a >> 0) & 3)
+ ((b >> 8) & 3);
+ ((a >> 16) & 3)
+ ((a >> 8) & 3)
+ ((a >> 0) & 3)
+ ((b >> 8) & 3);
sum20 |= 0x20;
@ -103,88 +103,36 @@ u32 walld0rf_magic (const u32 w0[4], const u32 pw_len, const u32 salt_buf0[4], c
u32 i2 = 0;
u32 i3 = 0;
// we can assume this because the password must be at least 3
// and the username must be at least 1 so we can save the if ()
u32 t0 = 0;
if ((d >> 24) & 1)
while (i2 < sum20)
{
t0 |= bcodeArray[47] << 0;
t0 |= (w[0] & 0xff) << 8;
t0 |= (s[0] & 0xff) << 16;
t0 |= bcodeArray[ 1] << 24;
i1 = 1;
i2 = 5;
i3 = 1;
}
else
{
t0 |= (w[0] & 0xff) << 0;
t0 |= (s[0] & 0xff) << 8;
t0 |= bcodeArray[ 0] << 16;
i1 = 1;
i2 = 4;
i3 = 1;
}
t[0] = t0;
// because the following code can increase i2 by a maximum of 5,
// there is an overflow potential of 4 before it comes to the next test for i2 >= sum20
// we need to truncate in that case
while ((i1 < pw_len) && (i3 < salt_len))
{
u32 x0 = 0;
u32 i2_sav = i2;
if (GETCHAR (saved_key, 15 - i1) & 1)
{
x0 |= bcodeArray[48 - 1 - i1] << 0; i2++;
x0 |= GETCHAR (w, i1) << 8; i2++; i1++;
x0 |= GETCHAR (s, i3) << 16; i2++; i3++;
x0 |= bcodeArray[i2 - i1 - i3] << 24; i2++; i2++;
}
else
{
x0 |= GETCHAR (w, i1) << 0; i2++; i1++;
x0 |= GETCHAR (s, i3) << 8; i2++; i3++;
x0 |= bcodeArray[i2 - i1 - i3] << 16; i2++; i2++;
}
SETSHIFTEDINT (t, i2_sav, x0);
if (i2 >= sum20)
{
return sum20;
}
}
while ((i1 < pw_len) || (i3 < salt_len))
{
if (i1 < pw_len) // max 8
if (i1 < pw_len)
{
if (GETCHAR (saved_key, 15 - i1) & 1)
{
PUTCHAR (t, i2, bcodeArray[48 - 1 - i1]);
i2++;
if (i2 == sum20) break;
}
PUTCHAR (t, i2, GETCHAR (w, i1));
i1++;
i2++;
if (i2 == sum20) break;
i1++;
}
else
if (i3 < salt_len)
{
PUTCHAR (t, i2, GETCHAR (s, i3));
i2++;
if (i2 == sum20) break;
i3++;
}
@ -192,19 +140,6 @@ u32 walld0rf_magic (const u32 w0[4], const u32 pw_len, const u32 salt_buf0[4], c
i2++;
i2++;
if (i2 >= sum20)
{
return sum20;
}
}
while (i2 < sum20)
{
PUTCHAR (t, i2, bcodeArray[i2 - i1 - i3]);
i2++;
i2++;
}
return sum20;

100
OpenCL/m07700_a3-optimized.cl
View File

@ -17,15 +17,6 @@
#define GETCHAR(a,p) (((a)[(p) / 4] >> (((p) & 3) * 8)) & 0xff)
#define PUTCHAR(a,p,c) ((a)[(p) / 4] = (((a)[(p) / 4] & ~(0xff << (((p) & 3) * 8))) | ((c) << (((p) & 3) * 8))))
#define SETSHIFTEDINT(a,n,v) \
{ \
const u32 s = ((n) & 3) * 8; \
const u64 x = (u64) (v) << s; \
(a)[((n)/4)+0] &= ~(0xff << ((n & 3) * 8)); \
(a)[((n)/4)+0] |= x; \
(a)[((n)/4)+1] = x >> 32; \
}
__constant u32a sapb_trans_tbl[256] =
{
// first value hack for 0 byte as part of an optimization
@ -103,88 +94,36 @@ u32 walld0rf_magic (const u32 w0[4], const u32 pw_len, const u32 salt_buf0[4], c
u32 i2 = 0;
u32 i3 = 0;
// we can assume this because the password must be at least 3
// and the username must be at least 1 so we can save the if ()
u32 t0 = 0;
if ((d >> 24) & 1)
while (i2 < sum20)
{
t0 |= bcodeArray[47] << 0;
t0 |= (w[0] & 0xff) << 8;
t0 |= (s[0] & 0xff) << 16;
t0 |= bcodeArray[ 1] << 24;
i1 = 1;
i2 = 5;
i3 = 1;
}
else
{
t0 |= (w[0] & 0xff) << 0;
t0 |= (s[0] & 0xff) << 8;
t0 |= bcodeArray[ 0] << 16;
i1 = 1;
i2 = 4;
i3 = 1;
}
t[0] = t0;
// because the following code can increase i2 by a maximum of 5,
// there is an overflow potential of 4 before it comes to the next test for i2 >= sum20
// we need to truncate in that case
while ((i1 < pw_len) && (i3 < salt_len))
{
u32 x0 = 0;
u32 i2_sav = i2;
if (GETCHAR (saved_key, 15 - i1) & 1)
{
x0 |= bcodeArray[48 - 1 - i1] << 0; i2++;
x0 |= GETCHAR (w, i1) << 8; i2++; i1++;
x0 |= GETCHAR (s, i3) << 16; i2++; i3++;
x0 |= bcodeArray[i2 - i1 - i3] << 24; i2++; i2++;
}
else
{
x0 |= GETCHAR (w, i1) << 0; i2++; i1++;
x0 |= GETCHAR (s, i3) << 8; i2++; i3++;
x0 |= bcodeArray[i2 - i1 - i3] << 16; i2++; i2++;
}
SETSHIFTEDINT (t, i2_sav, x0);
if (i2 >= sum20)
{
return sum20;
}
}
while ((i1 < pw_len) || (i3 < salt_len))
{
if (i1 < pw_len) // max 8
if (i1 < pw_len)
{
if (GETCHAR (saved_key, 15 - i1) & 1)
{
PUTCHAR (t, i2, bcodeArray[48 - 1 - i1]);
i2++;
if (i2 == sum20) break;
}
PUTCHAR (t, i2, GETCHAR (w, i1));
i1++;
i2++;
if (i2 == sum20) break;
i1++;
}
else
if (i3 < salt_len)
{
PUTCHAR (t, i2, GETCHAR (s, i3));
i2++;
if (i2 == sum20) break;
i3++;
}
@ -192,19 +131,6 @@ u32 walld0rf_magic (const u32 w0[4], const u32 pw_len, const u32 salt_buf0[4], c
i2++;
i2++;
if (i2 >= sum20)
{
return sum20;
}
}
while (i2 < sum20)
{
PUTCHAR (t, i2, bcodeArray[i2 - i1 - i3]);
i2++;
i2++;
}
return sum20;

1
docs/changes.txt
View File

@ -25,6 +25,7 @@
- Fixed a missing barrier() call in the RACF OpenCL kernel
- Fixed a missing salt length value in benchmark mode for SIP
- Fixed an invalid progress value in status view if words from the base wordlist get rejected because of length
- Fixed an invalid optimization code in kernel 7700 depending on the input hash, causing the kernel to loop forever
- Fixed an integer overflow in innerloop_step and innerloop_cnt variables
- Fixed an integer overflow in masks not skipped when loaded from file
- Fixed an integer overflow in hash buffer size calculation