From eb4b9d8c992896586e5c390fffa1fddf82249316 Mon Sep 17 00:00:00 2001 From: Jens Steube Date: Thu, 18 Nov 2021 11:41:55 +0100 Subject: [PATCH] Electrum Wallet: Added new entropy-based check to test whether the decryption was successful or not --- OpenCL/m21800-pure.cl | 50 +++++++++++++++++++++++++++++++++++++------ docs/changes.txt | 1 + 2 files changed, 45 insertions(+), 6 deletions(-) diff --git a/OpenCL/m21800-pure.cl b/OpenCL/m21800-pure.cl index 6de91529b..0fa671837 100644 --- a/OpenCL/m21800-pure.cl +++ b/OpenCL/m21800-pure.cl @@ -35,6 +35,9 @@ typedef struct electrum_tmp } electrum_tmp_t; +#define MIN_ENTROPY 3.0 +#define MAX_ENTROPY 6.0 + DECLSPEC void hmac_sha512_run_V (u32x *w0, u32x *w1, u32x *w2, u32x *w3, u32x *w4, u32x *w5, u32x *w6, u32x *w7, u64x *ipad, u64x *opad, u64x *digest) { digest[0] = ipad[0]; @@ -489,8 +492,8 @@ KERNEL_FQ void m21800_comp (KERN_ATTR_TMPS_ESALT (electrum_tmp_t, electrum_t)) // #define AES_LEN 1024 // in my tests it also worked with only 128 input bytes ! - #define AES_LEN 128 - #define AES_LEN_DIV_4 32 + #define AES_LEN 1024 + #define AES_LEN_DIV_4 256 u32 buf_full[AES_LEN_DIV_4]; @@ -513,7 +516,11 @@ KERNEL_FQ void m21800_comp (KERN_ATTR_TMPS_ESALT (electrum_tmp_t, electrum_t)) // early reject - if ((buf[0] & 0x0006ffff) != 0x00049c78) return; // allow 0b100 or 0b101 at the end of 3rd byte + // changed: 17.11.2021 + // I had not cracked some sample Salt Type 5 wallets with known passwords provided by the owner. + // It was necessary to remove this early rejection and add a new signature + // The decrypted data was this: {"seed_version": ... + //if ((buf[0] & 0x0006ffff) != 0x00049c78) return; // allow 0b100 or 0b101 at the end of 3rd byte buf[1] ^= iv[1]; buf[2] ^= iv[2]; @@ -556,7 +563,6 @@ KERNEL_FQ void m21800_comp (KERN_ATTR_TMPS_ESALT (electrum_tmp_t, electrum_t)) buf_full[j + 3] = buf[3]; } - /* * zlib inflate/decompress: */ 
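Review bot: The two thresholds added at the top of the file are written as double literals and carry no comment. The value they are compared against in m21800_comp is a `float`, so `3.0` and `6.0` can promote the comparison to double precision on devices that support it. Writing `#define MIN_ENTROPY 3.0f` and `#define MAX_ENTROPY 6.0f` keeps it single precision. A one-line comment such as `// empirical bounds for hc_get_entropy () over the inflated buffer` would record that the window is a heuristic; the unit depends on hc_get_entropy, which is not visible in this patch.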
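Review bot: The comment kept above the define, `in my tests it also worked with only 128 input bytes !`, now contradicts the value this hunk sets, and `AES_LEN_DIV_4` is still maintained by hand. Deriving it as `#define AES_LEN_DIV_4 (AES_LEN / 4)` stops the two drifting apart, which matters because `buf_full` is sized from it. The code that fills `buf_full` is outside the hunk, so confirm that the esalt buffer always holds at least 1024 bytes of parsed ciphertext. Otherwise the kernel would decrypt bytes beyond what the module parsed.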
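Review bot: The early reject is disabled by commenting the line out and is explained with a dated, first-person note inside the kernel. Delete the dead line and keep only the reason, for example `// no header-based early reject: it dropped valid Salt Type 5 wallets`; the date and the narrative belong in the commit message. The comment should also say that every candidate now runs the full AES_LEN decrypt and inflate, since that cost is the trade-off of this change. m21800_comp starts and ends outside this hunk.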
@@ -572,9 +578,9 @@ KERNEL_FQ void m21800_comp (KERN_ATTR_TMPS_ESALT (electrum_tmp_t, electrum_t)) // output: - #define OUT_SIZE 16 + #define OUT_SIZE 1024 - u8 tmp[OUT_SIZE]; + u8 tmp[OUT_SIZE] = { 0 }; infstream.avail_out = OUT_SIZE; infstream.next_out = tmp; @@ -593,6 +599,38 @@ KERNEL_FQ void m21800_comp (KERN_ATTR_TMPS_ESALT (electrum_tmp_t, electrum_t)) return; } + /* + * Check with some strange signature. + * The main problem is that the (invalid) decrypted data processed by zlib often results in random patterns but with low entropy, + * so that a simple entropy check is not sufficient + */ + + if (tmp[0] == '{') + { + int qcnt = 0; + int ccnt = 0; + + for (int i = 1; i < 1024; i++) + { + if (tmp[i] == '"') qcnt++; + if (tmp[i] == ':') ccnt++; + } + + if ((qcnt >= 3) && (ccnt >= 3)) + { + const float entropy = hc_get_entropy ((const u32 *) tmp, 256); + + if ((entropy >= MIN_ENTROPY) && (entropy <= MAX_ENTROPY)) + { + if (hc_atomic_inc (&hashes_shown[DIGESTS_OFFSET]) == 0) + { + mark_hash (plains_buf, d_return_buf, SALT_POS, digests_cnt, 0, DIGESTS_OFFSET + 0, gid, 0, 0, 0); + } + + return; + } + } + } /* * Verify if decompressed data is either: diff --git a/docs/changes.txt b/docs/changes.txt index 93a8f237e..54866cf60 100644 --- a/docs/changes.txt +++ b/docs/changes.txt 
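Review bot: `tmp` is declared as a `u8` array, but the check added in the next hunk hands it to hc_get_entropy as `(const u32 *) tmp`, and a byte array carries no guarantee of 4-byte alignment. Declaring the storage as words, `u32 tmp32[OUT_SIZE / 4] = { 0 };` followed by `u8 *tmp = (u8 *) tmp32;`, keeps that cast well-defined while `infstream.next_out` still receives a byte pointer. With OUT_SIZE at 1024 next to the 1024-byte `buf_full`, each work-item now holds about 2 KiB of private arrays, which may spill on some devices. That deserves a short comment next to the define.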
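Review bot: The scan loop and the entropy call hard-code `1024` and `256`, although the buffer they walk is sized by OUT_SIZE in the previous hunk. If OUT_SIZE is ever lowered again, `tmp[i]` is read out of bounds. Using `for (int i = 1; i < OUT_SIZE; i++)` and `hc_get_entropy ((const u32 *) tmp, OUT_SIZE / 4)` ties both to the declaration. Both also cover the whole zero-initialised buffer rather than only the bytes inflate produced, so a short plaintext is measured together with its padding. m21800_comp starts and ends outside this hunk.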
@@ -36,6 +36,7 @@
 - Backend devices: In non -S mode, limit the number of workitems so that no more than 4GB of host memory is required per backend device
 - Backend types: The default filter for the device types is now set so that only the GPU is used, except for APPLE, where we set CPU
 - Benchmark: Update benchmark_deep.pl with new hash modes added (also new hash modes which were added with v6.2.3)
+- Electrum Wallet: Added new entropy-based check to test whether the decryption was successful or not
 - Module Optimizers: Added OPTS_TYPE_MAXIMUM_THREADS to deactivate the else branch route in the section to find -T before compilation
 - Makefile: Added wildcard include src/modules/module_*.mk directive so that plugin developers can add 3rd party libraries for their plugins
 - Rejects: Disabled checking of the minimum and maximum length of the password candidate in attack-mode 9 because they are incompatible