|
|
|
@ -45,7 +45,7 @@ my $hashcat = "./hashcat";
|
|
|
|
|
|
|
|
|
|
my $MAX_LEN = 55;
|
|
|
|
|
|
|
|
|
|
my @modes = (0, 10, 11, 12, 20, 21, 22, 23, 30, 40, 50, 60, 100, 101, 110, 111, 112, 120, 121, 122, 125, 130, 131, 132, 133, 140, 141, 150, 160, 200, 300, 400, 500, 900, 1000, 1100, 1300, 1400, 1410, 1420, 1430, 1440, 1441, 1450, 1460, 1500, 1600, 1700, 1710, 1711, 1720, 1730, 1740, 1722, 1731, 1750, 1760, 1800, 2100, 2400, 2410, 2500, 2600, 2611, 2612, 2711, 2811, 3000, 3100, 3200, 3710, 3711, 3300, 3500, 3610, 3720, 3800, 3910, 4010, 4110, 4210, 4300, 4400, 4500, 4600, 4700, 4800, 4900, 5000, 5100, 5300, 5400, 5500, 5600, 5700, 5800, 6000, 6100, 6300, 6400, 6500, 6600, 6700, 6800, 6900, 7100, 7200, 7300, 7400, 7500, 7600, 7700, 7800, 7900, 8000, 8100, 8200, 8300, 8400, 8500, 8600, 8700, 8900, 9100, 9200, 9300, 9400, 9500, 9600, 9700, 9800, 9900, 10000, 10100, 10200, 10300, 10400, 10500, 10600, 10700, 10800, 10900, 11000, 11100, 11200, 11300, 11400, 11500, 11600, 11900, 12000, 12100, 12200, 12300, 12400, 12600, 12700, 12800, 12900, 13000, 13100, 13200, 13300, 13400, 13500, 13600, 13800, 13900, 14000, 14100, 14400, 99999);
|
|
|
|
|
my @modes = (0, 10, 11, 12, 20, 21, 22, 23, 30, 40, 50, 60, 100, 101, 110, 111, 112, 120, 121, 122, 125, 130, 131, 132, 133, 140, 141, 150, 160, 200, 300, 400, 500, 900, 1000, 1100, 1300, 1400, 1410, 1420, 1430, 1440, 1441, 1450, 1460, 1500, 1600, 1700, 1710, 1711, 1720, 1730, 1740, 1722, 1731, 1750, 1760, 1800, 2100, 2400, 2410, 2500, 2600, 2611, 2612, 2711, 2811, 3000, 3100, 3200, 3710, 3711, 3300, 3500, 3610, 3720, 3800, 3910, 4010, 4110, 4210, 4300, 4400, 4500, 4600, 4700, 4800, 4900, 5000, 5100, 5300, 5400, 5500, 5600, 5700, 5800, 6000, 6100, 6300, 6400, 6500, 6600, 6700, 6800, 6900, 7100, 7200, 7300, 7400, 7500, 7600, 7700, 7800, 7900, 8000, 8100, 8200, 8300, 8400, 8500, 8600, 8700, 8900, 9100, 9200, 9300, 9400, 9500, 9600, 9700, 9800, 9900, 10000, 10100, 10200, 10300, 10400, 10500, 10600, 10700, 10800, 10900, 11000, 11100, 11200, 11300, 11400, 11500, 11600, 11900, 12000, 12100, 12200, 12300, 12400, 12600, 12700, 12800, 12900, 13000, 13100, 13200, 13300, 13400, 13500, 13600, 13800, 13900, 14000, 14100, 14400, 14700, 99999);
|
|
|
|
|
|
|
|
|
|
my %is_unicode = map { $_ => 1 } qw(30 40 130 131 132 133 140 141 1000 1100 1430 1440 1441 1730 1740 1731 5500 5600 8000 9400 9500 9600 9700 9800 11600 13500 13800);
|
|
|
|
|
my %less_fifteen = map { $_ => 1 } qw(500 1600 1800 2400 2410 3200 6300 7400 10500 10700);
|
|
|
|
@ -2406,6 +2406,79 @@ sub verify
|
|
|
|
|
|
|
|
|
|
next unless (exists ($db->{$hash_in}) and (! defined ($db->{$hash_in})));
|
|
|
|
|
}
|
|
|
|
|
# itunes backup 9/10
|
|
|
|
|
elsif (($mode == 14700) || ($mode == 14800))
|
|
|
|
|
{
|
|
|
|
|
($hash_in, $word) = split ":", $line;
|
|
|
|
|
|
|
|
|
|
my $index1 = index ($hash_in, '*');
|
|
|
|
|
|
|
|
|
|
next unless ($index1 == 15);
|
|
|
|
|
|
|
|
|
|
# signature
|
|
|
|
|
|
|
|
|
|
my $signature = substr ($hash_in, 0, $index1);
|
|
|
|
|
|
|
|
|
|
next unless ($signature eq '$itunes_backup$');
|
|
|
|
|
|
|
|
|
|
my $index2 = index ($hash_in, '*', $index1 + 1);
|
|
|
|
|
|
|
|
|
|
next unless ($index2 >= 0);
|
|
|
|
|
|
|
|
|
|
# version
|
|
|
|
|
|
|
|
|
|
my $version = substr ($hash_in, $index1 + 1, $index2 - $index1 - 1);
|
|
|
|
|
|
|
|
|
|
if ($mode == 14700)
|
|
|
|
|
{
|
|
|
|
|
next unless ($version eq "9");
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
next unless ($version eq "10");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$index1 = index ($hash_in, '*', $index2 + 1);
|
|
|
|
|
|
|
|
|
|
next unless ($index1 >= 0);
|
|
|
|
|
|
|
|
|
|
# wpky
|
|
|
|
|
|
|
|
|
|
my $wpky = substr ($hash_in, $index2 + 1, $index1 - $index2 - 1);
|
|
|
|
|
|
|
|
|
|
next unless (length ($wpky) == 80);
|
|
|
|
|
|
|
|
|
|
$wpky = pack ("H*", $wpky);
|
|
|
|
|
|
|
|
|
|
$index2 = index ($hash_in, '*', $index1 + 1);
|
|
|
|
|
|
|
|
|
|
next unless ($index2 >= 0);
|
|
|
|
|
|
|
|
|
|
# iterations
|
|
|
|
|
|
|
|
|
|
$iter = substr ($hash_in, $index1 + 1, $index2 - $index1 - 1);
|
|
|
|
|
$iter = int ($iter);
|
|
|
|
|
|
|
|
|
|
next unless ($iter > 0);
|
|
|
|
|
|
|
|
|
|
$index1 = index ($hash_in, '*', $index2 + 1);
|
|
|
|
|
|
|
|
|
|
next unless ($index1 >= 0);
|
|
|
|
|
|
|
|
|
|
# salt
|
|
|
|
|
|
|
|
|
|
$salt = substr ($hash_in, $index2 + 1, $index1 - $index2 - 1);
|
|
|
|
|
|
|
|
|
|
next unless (length ($salt) == 40);
|
|
|
|
|
|
|
|
|
|
# dpic and dpsl (for v10.x we need to do more than just skip them)
|
|
|
|
|
|
|
|
|
|
$index2 = index ($hash_in, '**', $index1 + 1);
|
|
|
|
|
|
|
|
|
|
next unless ($index2 != $index1 + 1);
|
|
|
|
|
|
|
|
|
|
$param = $wpky;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
print "ERROR: hash mode is not supported\n";
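Review bot: The dpic/dpsl step, `next unless ($index2 != $index1 + 1);`, does not reject a line that lacks the trailing fields: `index` returns -1 when `**` is not found after the salt, and -1 also satisfies the inequality, so the only input skipped is one where `**` begins exactly at `$index1 + 1`. If the intent is to require the empty dpic/dpsl pair that the version 9 format ends with, an explicit test such as `next unless (substr ($hash_in, $index1) eq '**');` states that directly. The branch also admits mode 14800 with version "10" although its own comment says version 10 needs more than skipping these fields, so either restrict the condition to 14700 for now or mark the gap with a TODO. The `$wpky` and `$salt` checks test length only; a hex pattern check before `pack ("H*", ...)` would keep malformed lines out. The enclosing `verify` sub starts and ends outside this hunk.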
|
|
|
|
@ -2707,6 +2780,14 @@ sub verify
|
|
|
|
|
|
|
|
|
|
return unless (substr ($line, 0, $len) eq $hash_out);
|
|
|
|
|
}
|
|
|
|
|
elsif (($mode == 14700) || ($mode == 14800))
|
|
|
|
|
{
|
|
|
|
|
$hash_out = gen_hash ($mode, $word, $salt, $iter, $param);
|
|
|
|
|
|
|
|
|
|
$len = length $hash_out;
|
|
|
|
|
|
|
|
|
|
return unless (substr ($line, 0, $len) eq $hash_out);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
$hash_out = gen_hash ($mode, $word, $salt, $iter);
|
|
|
|
@ -3183,6 +3264,10 @@ sub passthrough
|
|
|
|
|
{
|
|
|
|
|
$tmp_hash = gen_hash ($mode, $word_buf, substr ($salt_buf, 0, 20));
|
|
|
|
|
}
|
|
|
|
|
elsif ($mode == 14700)
|
|
|
|
|
{
|
|
|
|
|
$tmp_hash = gen_hash ($mode, $word_buf, substr ($salt_buf, 0, 40));
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
print "ERROR: Unsupported hash type\n";
|
|
|
|
@ -3616,7 +3701,7 @@ sub single
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
elsif ($mode == 8400 || $mode == 11200)
|
|
|
|
|
elsif ($mode == 8400 || $mode == 11200 || $mode == 14700)
|
|
|
|
|
{
|
|
|
|
|
for (my $i = 1; $i < 32; $i++)
|
|
|
|
|
{
|
|
|
|
@ -7507,6 +7592,55 @@ END_CODE
|
|
|
|
|
|
|
|
|
|
$tmp_hash = sprintf ("%s:%s", $hash_buf, $salt_buf);
|
|
|
|
|
}
|
|
|
|
|
elsif ($mode == 14700)
|
|
|
|
|
{
|
|
|
|
|
my $iterations = 10000;
|
|
|
|
|
|
|
|
|
|
if (length ($iter))
|
|
|
|
|
{
|
|
|
|
|
$iterations = int ($iter);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my $pbkdf2 = Crypt::PBKDF2->new
|
|
|
|
|
(
|
|
|
|
|
hasher => Crypt::PBKDF2->hasher_from_algorithm ('HMACSHA1'),
|
|
|
|
|
iterations => $iterations,
|
|
|
|
|
output_len => 32
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
$salt_buf = pack ("H*", $salt_buf);
|
|
|
|
|
|
|
|
|
|
my $key = $pbkdf2->PBKDF2 ($salt_buf, $word_buf);
|
|
|
|
|
|
|
|
|
|
my $ITUNES_BACKUP_KEY = 12008468691120727718;
|
|
|
|
|
|
|
|
|
|
my $WPKY = "\x00" x 40;
|
|
|
|
|
|
|
|
|
|
if (defined $additional_param)
|
|
|
|
|
{
|
|
|
|
|
my ($A, $R) = itunes_aes_unwrap ($key, $additional_param);
|
|
|
|
|
|
|
|
|
|
if ($A == $ITUNES_BACKUP_KEY)
|
|
|
|
|
{
|
|
|
|
|
$WPKY = itunes_aes_wrap ($key, $A, $R);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
my $max_number = 18446744073709551615; # 0xffffffffffffffff
|
|
|
|
|
|
|
|
|
|
my @R;
|
|
|
|
|
|
|
|
|
|
for (my $i = 0; $i < 4; $i++)
|
|
|
|
|
{
|
|
|
|
|
$R[$i] = get_random_num (0, $max_number);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$WPKY = itunes_aes_wrap ($key, $ITUNES_BACKUP_KEY, \@R);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$tmp_hash = sprintf ("\$itunes_backup\$*9*%s*%i*%s**", unpack ("H*", $WPKY), $iterations, unpack ("H*", $salt_buf));
|
|
|
|
|
}
|
|
|
|
|
elsif ($mode == 99999)
|
|
|
|
|
{
|
|
|
|
|
$tmp_hash = sprintf ("%s", $word_buf);
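Review bot: `my $ITUNES_BACKUP_KEY = 12008468691120727718;` is an undocumented magic number with a misleading name: the value is 0xa6a6a6a6a6a6a6a6, the default initial value of RFC 3394 AES key wrap, and it is used here as the integrity check on the unwrapped data rather than as a key. A trailing comment in the style already used for `$max_number`, e.g. `# 0xa6a6a6a6a6a6a6a6, RFC 3394 default IV (unwrap integrity check)`, would make that clear. Both this literal and `18446744073709551615` exceed the signed 64-bit range, so on a perl built without 64-bit integer support they would presumably be stored as floating point and the `$A == $ITUNES_BACKUP_KEY` comparison would no longer be exact; a short comment that this mode needs a 64-bit perl would help. The enclosing sub begins and ends outside this hunk.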
|
|
|
|
@ -9774,6 +9908,109 @@ sub wpa_prf_512
|
|
|
|
|
return $prf_buf;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sub itunes_aes_wrap
|
|
|
|
|
{
|
|
|
|
|
my $key = shift;
|
|
|
|
|
my $A = shift;
|
|
|
|
|
my $R_l = shift;
|
|
|
|
|
|
|
|
|
|
my $k = scalar (@$R_l);
|
|
|
|
|
my $n = $k + 1;
|
|
|
|
|
|
|
|
|
|
my @R;
|
|
|
|
|
|
|
|
|
|
for (my $i = 0; $i < $n; $i++)
|
|
|
|
|
{
|
|
|
|
|
$R[$i] = @$R_l[$i];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# AES mode ECB
|
|
|
|
|
|
|
|
|
|
my $m = Crypt::Mode::ECB->new ('AES', 0);
|
|
|
|
|
|
|
|
|
|
# main wrap loop
|
|
|
|
|
|
|
|
|
|
my ($i, $j, $a);
|
|
|
|
|
|
|
|
|
|
for ($j = 0; $j <= 5; $j++)
|
|
|
|
|
{
|
|
|
|
|
for ($i = 1, $a = 0; $i <= $k; $i++, $a++)
|
|
|
|
|
{
|
|
|
|
|
my $input;
|
|
|
|
|
|
|
|
|
|
$input = pack ("Q>", $A);
|
|
|
|
|
$input .= pack ("Q>", $R[$a]);
|
|
|
|
|
|
|
|
|
|
my $t = $m->encrypt ($input, $key);
|
|
|
|
|
|
|
|
|
|
$A = unpack ("Q>", substr ($t, 0, 8));
|
|
|
|
|
$A ^= $k * $j + $i;
|
|
|
|
|
|
|
|
|
|
$R[$a] = unpack ("Q>", substr ($t, 8, 8));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my $WPKY = pack ("Q>", $A);
|
|
|
|
|
|
|
|
|
|
for (my $i = 0; $i < $k; $i++)
|
|
|
|
|
{
|
|
|
|
|
$WPKY .= pack ("Q>", $R[$i]);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $WPKY;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sub itunes_aes_unwrap
|
|
|
|
|
{
|
|
|
|
|
my $key = shift;
|
|
|
|
|
my $WPKY = shift;
|
|
|
|
|
|
|
|
|
|
my @B;
|
|
|
|
|
|
|
|
|
|
for (my $i = 0; $i < length ($WPKY) / 8; $i++)
|
|
|
|
|
{
|
|
|
|
|
$B[$i] = unpack ("Q>", substr ($WPKY, $i * 8, 8));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my $n = scalar (@B);
|
|
|
|
|
my $k = $n - 1;
|
|
|
|
|
|
|
|
|
|
my @R;
|
|
|
|
|
|
|
|
|
|
for (my $i = 0; $i < $k; $i++)
|
|
|
|
|
{
|
|
|
|
|
$R[$i] = $B[$i + 1];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# AES mode ECB
|
|
|
|
|
|
|
|
|
|
my $m = Crypt::Mode::ECB->new ('AES', 0);
|
|
|
|
|
|
|
|
|
|
# main unwrap loop
|
|
|
|
|
|
|
|
|
|
my $A = $B[0];
|
|
|
|
|
|
|
|
|
|
my ($i, $j, $a);
|
|
|
|
|
|
|
|
|
|
for ($j = 5; $j >= 0; $j--)
|
|
|
|
|
{
|
|
|
|
|
for ($i = $k, $a = $k - 1; $i > 0; $i--, $a--)
|
|
|
|
|
{
|
|
|
|
|
my $input;
|
|
|
|
|
|
|
|
|
|
$input = pack ("Q>", $A ^ ($k * $j + $i));
|
|
|
|
|
$input .= pack ("Q>", $R[$a]);
|
|
|
|
|
|
|
|
|
|
my $t = $m->decrypt ($input, $key);
|
|
|
|
|
|
|
|
|
|
$A = unpack ("Q>", substr ($t, 0, 8));
|
|
|
|
|
$R[$a] = unpack ("Q>", substr ($t, 8, 8));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ($A, \@R);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sub memcmp
|
|
|
|
|
{
|
|
|
|
|
my $str1 = shift;
|
|
|
|
|