/** * Author......: See docs/credits.txt * License.....: MIT */ /* * Implements cracking of a password-protected mega.nz link * The algorithm is described at https://github.com/meganz/webclient/blob/4790e52b1eb1856a47e60b52615ffc58242c2d1c/js/ui/export.js#L1 * The module expects the link tag as an input (everything starting with P!) */ #include "common.h" #include "types.h" #include "modules.h" #include "bitops.h" #include "convert.h" #include "shared.h" static const u32 ATTACK_EXEC = ATTACK_EXEC_OUTSIDE_KERNEL; static const u32 DGST_POS0 = 0; static const u32 DGST_POS1 = 1; static const u32 DGST_POS2 = 2; static const u32 DGST_POS3 = 3; static const u32 DGST_SIZE = DGST_SIZE_4_8; // TODO: not sure about this choice static const u32 HASH_CATEGORY = HASH_CATEGORY_APPLICATION_DATABASE; static const char *HASH_NAME = "mega.nz password-protected link (PBKDF2-HMAC-SHA512)"; static const u64 KERN_TYPE = 33400; static const u32 OPTI_TYPE = OPTI_TYPE_ZERO_BYTE | OPTI_TYPE_USES_BITS_64 | OPTI_TYPE_SLOW_HASH_SIMD_LOOP; static const u64 OPTS_TYPE = OPTS_TYPE_STOCK_MODULE | OPTS_TYPE_PT_GENERATE_LE | OPTS_TYPE_MP_MULTI_DISABLE; static const u32 SALT_TYPE = SALT_TYPE_EMBEDDED; // A fake link generated by the same algorithm. It has a dummy public id (ffffffffffff) and a dummy encrypted key (ffffffffffffffffffffffffffffffff), but the seed is properly random and HMAC is valid. static const char *ST_PASS = "hashcat"; static const char *ST_HASH = "P!AgD________U2XVjJi1vxkJgMPf5rkQYUn1H_6WI_sKtiic69mqBKP_____________________O_PDG0Om7BSapL1QoRAgUrz9vzaZmrYnU8t-Au6hteg"; u32 module_attack_exec (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ATTACK_EXEC; } u32 module_dgst_pos0 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS0; } u32 module_dgst_pos1 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS1; } u32 module_dgst_pos2 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS2; } u32 module_dgst_pos3 (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS3; } u32 module_dgst_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_SIZE; } u32 module_hash_category (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_CATEGORY; } const char *module_hash_name (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_NAME; } u64 module_kern_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return KERN_TYPE; } u32 module_opti_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTI_TYPE; } u64 module_opts_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTS_TYPE; } u32 module_salt_type (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return SALT_TYPE; } const char *module_st_hash (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_HASH; } const char *module_st_pass (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_PASS; } typedef struct mega_tmp { u64 ipad[8]; u64 opad[8]; u64 dgst[24]; u64 out [24]; } mega_tmp_t; typedef struct mega { // data that is HMACed, padded with zeroes to the next 16-byte boundary // (because the GPU implementation of HMAC-SHA256 requires that) u32 hmacced_len; u32 data[80]; } mega_t; u64 module_esalt_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { const u64 esalt_size = (const u64) sizeof (mega_t); return esalt_size; } u64 module_tmp_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { const u64 tmp_size = (const u64) sizeof (mega_tmp_t); return tmp_size; } u32 module_pw_max (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { // this overrides the reductions of PW_MAX in case optimized kernel is selected // IOW, even in optimized kernel mode it supports length 256 const u32 pw_max = PW_MAX; return pw_max; } int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED void *digest_buf, MAYBE_UNUSED salt_t *salt, MAYBE_UNUSED void *esalt_buf, MAYBE_UNUSED void *hook_salt_buf, MAYBE_UNUSED hashinfo_t *hash_info, const char *line_buf, MAYBE_UNUSED const int line_len) { u32 *digest = (u32 *) digest_buf; mega_t *mega = (mega_t *) esalt_buf; if (line_buf[0] != 'P' || line_buf[1] != '!') return (PARSER_SIGNATURE_UNMATCHED); // the base64-decoded data after the P! is either 88 or 104 bytes, depending on whether it is a folder or a file link u8 decoded_buf[0x100]; if (line_len > 140) return (PARSER_GLOBAL_LENGTH); const size_t base64_decode_len = base64_decode (base64url_to_int, (u8 *)line_buf + 2, line_len - 2, decoded_buf); /* * An extract from the mega.nz source code: * * In constructing the protected link, the format is as follows: * algorithm || file/folder || public handle || salt || encrypted key || MAC tag * * algorithm = 1 byte - A byte to identify which algorithm was used (for future upgradability), initially is set to 0 * file/folder = 1 byte - A byte to identify if the link is a file or folder link (0 = folder, 1 = file) * public handle = 6 bytes - The public folder/file handle * salt = 32 bytes - A 256 bit randomly generated salt * encrypted key = 16 or 32 bytes - The encrypted actual folder or file key (folder key is 16 bytes, file key is 32 bytes) * MAC tag = 32 bytes - The MAC of all the previous data to ensure integrity of the link i.e. calculated as: * HMAC-SHA256(MAC key, (algorithm || file/folder || public handle || salt || encrypted key)) */ if (base64_decode_len < 88) return (PARSER_GLOBAL_LENGTH); // this is the "algorithm" field // we only support version 2 for now if (decoded_buf[0] != 2) return (PARSER_SALT_VALUE); // this is the "file/folder" field if (decoded_buf[1] != 0 && decoded_buf[1] != 1) return (PARSER_SALT_VALUE); const size_t expected_len = 1 + 1 + 6 + 32 + (decoded_buf[1] == 0 ? 16 : 32) + 32; if (base64_decode_len != expected_len) return (PARSER_GLOBAL_LENGTH); salt->salt_iter = 100000 - 1; // salt const u8 *salt_pos = decoded_buf + 8; memcpy(salt->salt_buf, salt_pos, 32); salt->salt_buf[0] = byte_swap_32 (salt->salt_buf[0]); salt->salt_buf[1] = byte_swap_32 (salt->salt_buf[1]); salt->salt_buf[2] = byte_swap_32 (salt->salt_buf[2]); salt->salt_buf[3] = byte_swap_32 (salt->salt_buf[3]); salt->salt_buf[4] = byte_swap_32 (salt->salt_buf[4]); salt->salt_buf[5] = byte_swap_32 (salt->salt_buf[5]); salt->salt_buf[6] = byte_swap_32 (salt->salt_buf[6]); salt->salt_buf[7] = byte_swap_32 (salt->salt_buf[7]); salt->salt_len = 32; // digest (mac tag) const u8 *mac_pos = decoded_buf + 8 + 32 + (decoded_buf[1] == 0 ? 16 : 32); memcpy(digest, mac_pos, 32); digest[0] = byte_swap_32 (digest[0]); digest[1] = byte_swap_32 (digest[1]); digest[2] = byte_swap_32 (digest[2]); digest[3] = byte_swap_32 (digest[3]); digest[4] = byte_swap_32 (digest[4]); digest[5] = byte_swap_32 (digest[5]); digest[6] = byte_swap_32 (digest[6]); digest[7] = byte_swap_32 (digest[7]); // data // all the data except hmac is hmacced // this is how we determine that the password is correct const u32 hmacced_len = 1 + 1 + 6 + 32 + (decoded_buf[1] == 0 ? 16 : 32); // hmacced data, padded with zeroes to the next 16-byte boundary memset(mega->data, 0, sizeof(mega->data)); memcpy(mega->data, decoded_buf, hmacced_len); mega->hmacced_len = hmacced_len; for (size_t i = 0; i < hmacced_len / 4; i++) { mega->data[i] = byte_swap_32 (mega->data[i]); } return (PARSER_OK); } int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const void *digest_buf, MAYBE_UNUSED const salt_t *salt, MAYBE_UNUSED const void *esalt_buf, MAYBE_UNUSED const void *hook_salt_buf, MAYBE_UNUSED const hashinfo_t *hash_info, char *line_buf, MAYBE_UNUSED const int line_size) { const mega_t *mega = (const mega_t *) esalt_buf; const size_t hmacced_len = mega->hmacced_len; const size_t data_len = hmacced_len + 32; u32 unswap_buffer [104]; for (size_t i = 0; i < hmacced_len / 4; i++) { unswap_buffer[i] = mega->data[i]; } // the "data" does not include the HMAC tag, it is stored in the digest // copy it over memcpy(unswap_buffer + hmacced_len / 4, digest_buf, 32); // swap the bytes back for (size_t i = 0; i < data_len / 4; i++) { unswap_buffer[i] = byte_swap_32 (unswap_buffer[i]); } char base64_buf [0x100]; size_t base64_len = base64_encode(int_to_base64url, (const u8 *) unswap_buffer, data_len, (u8 *)base64_buf); // trim the base64 padding while (base64_len > 0 && base64_buf[base64_len - 1] == '=') { base64_buf[base64_len - 1] = '\0'; base64_len--; } const int line_len = snprintf (line_buf, line_size, "P!%s", base64_buf); return line_len; } void module_init (module_ctx_t *module_ctx) { module_ctx->module_context_size = MODULE_CONTEXT_SIZE_CURRENT; module_ctx->module_interface_version = MODULE_INTERFACE_VERSION_CURRENT; module_ctx->module_attack_exec = module_attack_exec; module_ctx->module_benchmark_esalt = MODULE_DEFAULT; module_ctx->module_benchmark_hook_salt = MODULE_DEFAULT; module_ctx->module_benchmark_mask = MODULE_DEFAULT; module_ctx->module_benchmark_charset = MODULE_DEFAULT; module_ctx->module_benchmark_salt = MODULE_DEFAULT; module_ctx->module_build_plain_postprocess = MODULE_DEFAULT; module_ctx->module_deep_comp_kernel = MODULE_DEFAULT; module_ctx->module_deprecated_notice = MODULE_DEFAULT; module_ctx->module_dgst_pos0 = module_dgst_pos0; module_ctx->module_dgst_pos1 = module_dgst_pos1; module_ctx->module_dgst_pos2 = module_dgst_pos2; module_ctx->module_dgst_pos3 = module_dgst_pos3; module_ctx->module_dgst_size = module_dgst_size; module_ctx->module_dictstat_disable = MODULE_DEFAULT; module_ctx->module_esalt_size = module_esalt_size; module_ctx->module_extra_buffer_size = MODULE_DEFAULT; module_ctx->module_extra_tmp_size = MODULE_DEFAULT; module_ctx->module_extra_tuningdb_block = MODULE_DEFAULT; module_ctx->module_forced_outfile_format = MODULE_DEFAULT; module_ctx->module_hash_binary_count = MODULE_DEFAULT; module_ctx->module_hash_binary_parse = MODULE_DEFAULT; module_ctx->module_hash_binary_save = MODULE_DEFAULT; module_ctx->module_hash_decode_postprocess = MODULE_DEFAULT; module_ctx->module_hash_decode_potfile = MODULE_DEFAULT; module_ctx->module_hash_decode_zero_hash = MODULE_DEFAULT; module_ctx->module_hash_decode = module_hash_decode; module_ctx->module_hash_encode_status = MODULE_DEFAULT; module_ctx->module_hash_encode_potfile = MODULE_DEFAULT; module_ctx->module_hash_encode = module_hash_encode; module_ctx->module_hash_init_selftest = MODULE_DEFAULT; module_ctx->module_hash_mode = MODULE_DEFAULT; module_ctx->module_hash_category = module_hash_category; module_ctx->module_hash_name = module_hash_name; module_ctx->module_hashes_count_min = MODULE_DEFAULT; module_ctx->module_hashes_count_max = MODULE_DEFAULT; module_ctx->module_hlfmt_disable = MODULE_DEFAULT; module_ctx->module_hook_extra_param_size = MODULE_DEFAULT; module_ctx->module_hook_extra_param_init = MODULE_DEFAULT; module_ctx->module_hook_extra_param_term = MODULE_DEFAULT; module_ctx->module_hook12 = MODULE_DEFAULT; module_ctx->module_hook23 = MODULE_DEFAULT; module_ctx->module_hook_salt_size = MODULE_DEFAULT; module_ctx->module_hook_size = MODULE_DEFAULT; module_ctx->module_jit_build_options = MODULE_DEFAULT; module_ctx->module_jit_cache_disable = MODULE_DEFAULT; module_ctx->module_kernel_accel_max = MODULE_DEFAULT; module_ctx->module_kernel_accel_min = MODULE_DEFAULT; module_ctx->module_kernel_loops_max = MODULE_DEFAULT; module_ctx->module_kernel_loops_min = MODULE_DEFAULT; module_ctx->module_kernel_threads_max = MODULE_DEFAULT; module_ctx->module_kernel_threads_min = MODULE_DEFAULT; module_ctx->module_kern_type = module_kern_type; module_ctx->module_kern_type_dynamic = MODULE_DEFAULT; module_ctx->module_opti_type = module_opti_type; module_ctx->module_opts_type = module_opts_type; module_ctx->module_outfile_check_disable = MODULE_DEFAULT; module_ctx->module_outfile_check_nocomp = MODULE_DEFAULT; module_ctx->module_potfile_custom_check = MODULE_DEFAULT; module_ctx->module_potfile_disable = MODULE_DEFAULT; module_ctx->module_potfile_keep_all_hashes = MODULE_DEFAULT; module_ctx->module_pwdump_column = MODULE_DEFAULT; module_ctx->module_pw_max = module_pw_max; module_ctx->module_pw_min = MODULE_DEFAULT; module_ctx->module_salt_max = MODULE_DEFAULT; module_ctx->module_salt_min = MODULE_DEFAULT; module_ctx->module_salt_type = module_salt_type; module_ctx->module_separator = MODULE_DEFAULT; module_ctx->module_st_hash = module_st_hash; module_ctx->module_st_pass = module_st_pass; module_ctx->module_tmp_size = module_tmp_size; module_ctx->module_unstable_warning = MODULE_DEFAULT; module_ctx->module_warmup_disable = MODULE_DEFAULT; }