Electrum Wallet: Added new entropy-based check to test whether the decryption was successful or not

3 years ago · eb4b9d8c99
parent 49a7bb227b
commit eb4b9d8c99
2 changed files with 45 additions and 6 deletions
--- a/OpenCL/m21800-pure.cl
+++ b/OpenCL/m21800-pure.cl
@ -35,6 +35,9 @@ typedef struct electrum_tmp

 } electrum_tmp_t;

+#define MIN_ENTROPY 3.0
+#define MAX_ENTROPY 6.0
+
 DECLSPEC void hmac_sha512_run_V (u32x *w0, u32x *w1, u32x *w2, u32x *w3, u32x *w4, u32x *w5, u32x *w6, u32x *w7, u64x *ipad, u64x *opad, u64x *digest)
 {
  digest[0] = ipad[0];
@ -489,8 +492,8 @@ KERNEL_FQ void m21800_comp (KERN_ATTR_TMPS_ESALT (electrum_tmp_t, electrum_t))

  // #define AES_LEN 1024
  // in my tests it also worked with only 128 input bytes !
-  #define AES_LEN       128
-  #define AES_LEN_DIV_4  32
+  #define AES_LEN       1024
+  #define AES_LEN_DIV_4  256

  u32 buf_full[AES_LEN_DIV_4];

@ -513,7 +516,11 @@ KERNEL_FQ void m21800_comp (KERN_ATTR_TMPS_ESALT (electrum_tmp_t, electrum_t))

  // early reject

-  if ((buf[0] & 0x0006ffff) != 0x00049c78) return; // allow 0b100 or 0b101 at the end of 3rd byte
+  // changed: 17.11.2021
+  // I had not cracked some sample Salt Type 5 wallets with known passwords provided by the owner.
+  // It was necessary to remove this early rejection and add a new signature
+  // The decrypted data was this: {"seed_version": ...
+  //if ((buf[0] & 0x0006ffff) != 0x00049c78) return; // allow 0b100 or 0b101 at the end of 3rd byte

  buf[1] ^= iv[1];
  buf[2] ^= iv[2];
@ -556,7 +563,6 @@ KERNEL_FQ void m21800_comp (KERN_ATTR_TMPS_ESALT (electrum_tmp_t, electrum_t))
    buf_full[j + 3] = buf[3];
  }

-
  /*
   * zlib inflate/decompress:
   */
@ -572,9 +578,9 @@ KERNEL_FQ void m21800_comp (KERN_ATTR_TMPS_ESALT (electrum_tmp_t, electrum_t))

  // output:

-  #define OUT_SIZE 16
+  #define OUT_SIZE 1024

-  u8 tmp[OUT_SIZE];
+  u8 tmp[OUT_SIZE] = { 0 };

  infstream.avail_out = OUT_SIZE;
  infstream.next_out  = tmp;
@ -593,6 +599,38 @@ KERNEL_FQ void m21800_comp (KERN_ATTR_TMPS_ESALT (electrum_tmp_t, electrum_t))
    return;
  }

+  /*
+   * Check with some strange signature.
+   * The main problem is that the (invalid) decrypted data processed by zlib often results in random patterns but with low entropy,
+   * so that a simple entropy check is not sufficient
+   */
+
+  if (tmp[0] == '{')
+  {
+    int qcnt = 0;
+    int ccnt = 0;
+
+    for (int i = 1; i < 1024; i++)
+    {
+      if (tmp[i] == '"') qcnt++;
+      if (tmp[i] == ':') ccnt++;
+    }
+
+    if ((qcnt >= 3) && (ccnt >= 3))
+    {
+      const float entropy = hc_get_entropy ((const u32 *) tmp, 256);
+
+      if ((entropy >= MIN_ENTROPY) && (entropy <= MAX_ENTROPY))
+      {
+        if (hc_atomic_inc (&hashes_shown[DIGESTS_OFFSET]) == 0)
+        {
+          mark_hash (plains_buf, d_return_buf, SALT_POS, digests_cnt, 0, DIGESTS_OFFSET + 0, gid, 0, 0, 0);
+        }
+
+        return;
+      }
+    }
+  }

  /*
   * Verify if decompressed data is either:
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -36,6 +36,7 @@
 - Backend devices: In non -S mode, limit the number of workitems so that no more than 4GB of host memory is required per backend device
 - Backend types: The default filter for the device types is now set so that only the GPU is used, except for APPLE, where we set CPU
 - Benchmark: Update benchmark_deep.pl with new hash modes added (also new hash modes which were added with v6.2.3)
+- Electrum Wallet: Added new entropy-based check to test whether the decryption was successful or not
 - Module Optimizers: Added OPTS_TYPE_MAXIMUM_THREADS to deactivate the else branch route in the section to find -T before compilation
 - Makefile: Added wildcard include src/modules/module_*.mk directive so that plugin developers can add 3rd party libraries for their plugins
 - Rejects: Disabled checking of the minimum and maximum length of the password candidate in attack-mode 9 because they are incompatible