├── LICENSE
├── README.md
├── module_code
    └── module_19850.c
└── opencl_code
    ├── m19850_a0-pure.cl
    ├── m19850_a1-pure.cl
    └── m19850_a3-pure.cl


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2022 Christopher Panayi, MWR CyberSec
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # AES-128 ConfigMgr CryptDeriveKey Hashcat Module
 2 | 
 3 | This repo contains the module and OpenCL code that implements an AES-128 key derivation for ConfigMgr media variable files. This key derivation is based completely on the documented steps at [https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptderivekey#remarks](https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptderivekey#remarks).The code has recently been updated to work with Hashcat 6.2.5. In order to use it, you will need to compile Hashcat to obtain a .so/.dll/.dylib library of `module_19850.c`. The OpenCL code is dynamically compiled by Hashcat during module initialisation. 
 4 | 
 5 | ## Instructions
 6 | 
 7 | 1. Clone the Hashcat source repository. Remember, this code base was developed with 6.2.5 in mind, but it will likely work with the latest version unless there has been a recent breaking change to the code base
 8 | 2. Copy `module_19850.c` into src/modules/ folder of the main Hashcat code base
 9 | 3. Copy `m19850_a0-pure.cl`, `m19850_a1-pure.cl` and `m19850_a3-pure.cl` into the OpenCL/ folder of the main Hashcat code base
10 | 4. Follow the compilation instructions in Hashcat's BUILD.md. I would very highly recommend using the WSL option if you are compiling on Windows, as I had the best results with that. 
11 | 5. After it is compiled, use it as you would any other Hashcat module. Keep in mind that it is tuned for the hashes produced with PXEThief by `pxethief 5 <media variables file name>`, although it should be straightforward to adapt this to any AES-128 CryptDeriveKey based key fairly easily
12 | 
13 | ## Author Credit 
14 | 
15 | Copyright (C) 2022 Christopher Panayi, MWR CyberSec
16 | 


--------------------------------------------------------------------------------
/module_code/module_19850.c:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * Author......: Christopher Panayi, MWR CyberSec
  3 |  * License.....: MIT
  4 |  */
  5 | 
  6 | #include "common.h"
  7 | #include "types.h"
  8 | #include "modules.h"
  9 | #include "bitops.h"
 10 | #include "convert.h"
 11 | #include "shared.h"
 12 | 
 13 | static const u32   ATTACK_EXEC    = ATTACK_EXEC_INSIDE_KERNEL; //Fast Kernel
 14 | static const u32   DGST_POS0      = 0;
 15 | static const u32   DGST_POS1      = 1;
 16 | static const u32   DGST_POS2      = 2;
 17 | static const u32   DGST_POS3      = 3;
 18 | static const u32   DGST_SIZE      = DGST_SIZE_4_4;
 19 | static const u32   HASH_CATEGORY  = HASH_CATEGORY_GENERIC_KDF;
 20 | static const char *HASH_NAME      = "ConfigMgr CryptDeriveKey encrypted media variable file, AES-128";
 21 | static const u64   KERN_TYPE      = 19850;
 22 | static const u32   OPTI_TYPE      = OPTI_TYPE_ZERO_BYTE
 23 |                                   | OPTI_TYPE_NOT_ITERATED
 24 |                                   | OPTI_TYPE_NOT_SALTED;
 25 | static const u64   OPTS_TYPE      = OPTS_TYPE_PT_GENERATE_LE 
 26 |                                   | OPTS_TYPE_HASH_COPY;     //This copies the string of the hash to host memory, so that you can just print it out in hash_encode
 27 | static const u32   SALT_TYPE      = SALT_TYPE_NONE;          //No Salt
 28 | static const char *ST_PASS        = "Password1";
 29 | static const char *ST_HASH        = "$sccm$aes128$0000edec14000000b2320000c03200000e6600000000000011cb54aa3b699f61f86ab312e6fb97ec"; //Custom "hash" format, first 40 bytes of file
 30 | 
 31 | u32         module_attack_exec    (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ATTACK_EXEC;     }
 32 | u32         module_dgst_pos0      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS0;       }
 33 | u32         module_dgst_pos1      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS1;       }
 34 | u32         module_dgst_pos2      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS2;       }
 35 | u32         module_dgst_pos3      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS3;       }
 36 | u32         module_dgst_size      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_SIZE;       }
 37 | u32         module_hash_category  (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_CATEGORY;   }
 38 | const char *module_hash_name      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return HASH_NAME;       }
 39 | u64         module_kern_type      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return KERN_TYPE;       }
 40 | u32         module_opti_type      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTI_TYPE;       }
 41 | u64         module_opts_type      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return OPTS_TYPE;       }
 42 | u32         module_salt_type      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return SALT_TYPE;       }
 43 | const char *module_st_hash        (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_HASH;         }
 44 | const char *module_st_pass        (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ST_PASS;         }
 45 | 
 46 | static const char *SIGNATURE_SCCMAES128 = "$sccm$aes128$"; 
 47 | 
 48 | int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED void *digest_buf, MAYBE_UNUSED salt_t *salt, MAYBE_UNUSED void *esalt_buf, MAYBE_UNUSED void *hook_salt_buf, MAYBE_UNUSED hashinfo_t *hash_info, const char *line_buf, MAYBE_UNUSED const int line_len)
 49 | {
 50 |   const u32 aes_bytes = 26126U; //CALG_AES_128	0x0000660e as unsigned int
 51 | 
 52 |   u32 *digest = (u32 *) digest_buf;
 53 |   u32 payload[4];
 54 |   token_t token;
 55 | 
 56 |   token.token_cnt  = 5;
 57 | /* 40 byte header
 58 |  * 16 byte - Header bytes (Maybe Magic bytes?)
 59 |  * 4 byte  - ALG_ID bytes (https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
 60 |  * 4 byte  - Header bytes (Maybe Magic bytes?)
 61 |  * 16 byte - Payload bytes (Encrypted data)
 62 |  */
 63 | 
 64 |   token.signatures_cnt    = 1;
 65 |   token.signatures_buf[0] = SIGNATURE_SCCMAES128;
 66 | 
 67 |   token.len[0]  = 13;
 68 |   token.attr[0] = TOKEN_ATTR_FIXED_LENGTH
 69 |                 | TOKEN_ATTR_VERIFY_SIGNATURE;
 70 | 
 71 |   token.len[1]     = 32; //Header
 72 |   token.attr[1]    = TOKEN_ATTR_FIXED_LENGTH
 73 |                    | TOKEN_ATTR_VERIFY_HEX;
 74 |   token.len[2]     = 8; //ALG_ID
 75 |   token.attr[2]    = TOKEN_ATTR_FIXED_LENGTH
 76 |                    | TOKEN_ATTR_VERIFY_HEX;
 77 |   token.len[3]     = 8; //Header
 78 |   token.attr[3]    = TOKEN_ATTR_FIXED_LENGTH
 79 |                    | TOKEN_ATTR_VERIFY_HEX;
 80 |   token.len[4]     = 32; //Encrypted data
 81 |   token.attr[4]    = TOKEN_ATTR_FIXED_LENGTH
 82 |                    | TOKEN_ATTR_VERIFY_HEX;
 83 | 
 84 |   setbuf(stdout, NULL);
 85 |   const int rc_tokenizer = input_tokenizer ((const u8 *) line_buf, line_len, &token); 
 86 |   if (rc_tokenizer != PARSER_OK) return (rc_tokenizer);
 87 | 
 88 |   u32 enc_alg_sig[1];
 89 |   u8 bytes_sig[token.len[2]];
 90 |   u8 bytes_digest[token.len[4]]; 
 91 | 
 92 |   //Decode hex string to u8
 93 |   hex_decode(token.buf[2],token.len[2],bytes_sig); 
 94 |   hex_decode(token.buf[4],token.len[4],bytes_digest);
 95 |   
 96 |   //Convert u8 to u32 data types
 97 |   memcpy(enc_alg_sig, bytes_sig, 4);
 98 |   memcpy(payload, bytes_digest, 16);
 99 | 
100 |   //Check that ALG_ID == CALG_AES_128	(0x0000660e), else the file is not AES encrypted
101 |   if(*enc_alg_sig != aes_bytes)
102 |   {
103 |     return (PARSER_SIGNATURE_UNMATCHED);
104 |   }
105 | 
106 |   //Correct endianess of payload bytes
107 |   int i;
108 |   for (i = 0; i < 4; i++) 
109 |   {
110 |     payload[i] = byte_swap_32 (payload[i]);
111 |   }
112 | 
113 |   //Store encrypted data as digest for comparison in kernel code
114 |   digest[0] = payload[0];
115 |   digest[1] = payload[1];
116 |   digest[2] = payload[2];
117 |   digest[3] = payload[3];
118 |   return (PARSER_OK);
119 | }
120 | 
121 | //Idea here is that this module will never really be called with many of these "hashes", so maybe it is worth storing the original hash on the host in this case
122 | int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const void *digest_buf, MAYBE_UNUSED const salt_t *salt, MAYBE_UNUSED const void *esalt_buf, MAYBE_UNUSED const void *hook_salt_buf, MAYBE_UNUSED const hashinfo_t *hash_info, char *line_buf, MAYBE_UNUSED const int line_size)
123 | {
124 |   const int line_len = snprintf (line_buf, line_size, "%s",
125 |     hash_info->orighash);
126 | 
127 |   return line_len;
128 | }
129 | 
130 | void module_init (module_ctx_t *module_ctx)
131 | {
132 |   module_ctx->module_context_size             = MODULE_CONTEXT_SIZE_CURRENT;
133 |   module_ctx->module_interface_version        = MODULE_INTERFACE_VERSION_CURRENT;
134 | 
135 |   module_ctx->module_attack_exec              = module_attack_exec;
136 |   module_ctx->module_benchmark_esalt          = MODULE_DEFAULT;
137 |   module_ctx->module_benchmark_hook_salt      = MODULE_DEFAULT;
138 |   module_ctx->module_benchmark_mask           = MODULE_DEFAULT;
139 |   module_ctx->module_benchmark_salt           = MODULE_DEFAULT;
140 |   module_ctx->module_build_plain_postprocess  = MODULE_DEFAULT;
141 |   module_ctx->module_deep_comp_kernel         = MODULE_DEFAULT;
142 |   module_ctx->module_deprecated_notice        = MODULE_DEFAULT;
143 |   module_ctx->module_dgst_pos0                = module_dgst_pos0;
144 |   module_ctx->module_dgst_pos1                = module_dgst_pos1;
145 |   module_ctx->module_dgst_pos2                = module_dgst_pos2;
146 |   module_ctx->module_dgst_pos3                = module_dgst_pos3;
147 |   module_ctx->module_dgst_size                = module_dgst_size;
148 |   module_ctx->module_dictstat_disable         = MODULE_DEFAULT;
149 |   module_ctx->module_esalt_size               = MODULE_DEFAULT;
150 |   module_ctx->module_extra_buffer_size        = MODULE_DEFAULT;
151 |   module_ctx->module_extra_tmp_size           = MODULE_DEFAULT;
152 |   module_ctx->module_extra_tuningdb_block     = MODULE_DEFAULT;
153 |   module_ctx->module_forced_outfile_format    = MODULE_DEFAULT;
154 |   module_ctx->module_hash_binary_count        = MODULE_DEFAULT;
155 |   module_ctx->module_hash_binary_parse        = MODULE_DEFAULT;
156 |   module_ctx->module_hash_binary_save         = MODULE_DEFAULT;
157 |   module_ctx->module_hash_decode_potfile      = MODULE_DEFAULT;
158 |   module_ctx->module_hash_decode_zero_hash    = MODULE_DEFAULT;
159 |   module_ctx->module_hash_decode              = module_hash_decode;
160 |   module_ctx->module_hash_encode_status       = MODULE_DEFAULT;
161 |   module_ctx->module_hash_encode_potfile      = MODULE_DEFAULT;
162 |   module_ctx->module_hash_encode              = module_hash_encode;
163 |   module_ctx->module_hash_init_selftest       = MODULE_DEFAULT;
164 |   module_ctx->module_hash_mode                = MODULE_DEFAULT;
165 |   module_ctx->module_hash_category            = module_hash_category;
166 |   module_ctx->module_hash_name                = module_hash_name;
167 |   module_ctx->module_hashes_count_min         = MODULE_DEFAULT;
168 |   module_ctx->module_hashes_count_max         = MODULE_DEFAULT;
169 |   module_ctx->module_hlfmt_disable            = MODULE_DEFAULT;
170 |   module_ctx->module_hook_extra_param_size    = MODULE_DEFAULT;
171 |   module_ctx->module_hook_extra_param_init    = MODULE_DEFAULT;
172 |   module_ctx->module_hook_extra_param_term    = MODULE_DEFAULT;
173 |   module_ctx->module_hook12                   = MODULE_DEFAULT;
174 |   module_ctx->module_hook23                   = MODULE_DEFAULT;
175 |   module_ctx->module_hook_salt_size           = MODULE_DEFAULT;
176 |   module_ctx->module_hook_size                = MODULE_DEFAULT;
177 |   module_ctx->module_jit_build_options        = MODULE_DEFAULT;
178 |   module_ctx->module_jit_cache_disable        = MODULE_DEFAULT;
179 |   module_ctx->module_kernel_accel_max         = MODULE_DEFAULT;
180 |   module_ctx->module_kernel_accel_min         = MODULE_DEFAULT;
181 |   module_ctx->module_kernel_loops_max         = MODULE_DEFAULT;
182 |   module_ctx->module_kernel_loops_min         = MODULE_DEFAULT;
183 |   module_ctx->module_kernel_threads_max       = MODULE_DEFAULT;
184 |   module_ctx->module_kernel_threads_min       = MODULE_DEFAULT;
185 |   module_ctx->module_kern_type                = module_kern_type;
186 |   module_ctx->module_kern_type_dynamic        = MODULE_DEFAULT;
187 |   module_ctx->module_opti_type                = module_opti_type;
188 |   module_ctx->module_opts_type                = module_opts_type;
189 |   module_ctx->module_outfile_check_disable    = MODULE_DEFAULT;
190 |   module_ctx->module_outfile_check_nocomp     = MODULE_DEFAULT;
191 |   module_ctx->module_potfile_custom_check     = MODULE_DEFAULT;
192 |   module_ctx->module_potfile_disable          = MODULE_DEFAULT;
193 |   module_ctx->module_potfile_keep_all_hashes  = MODULE_DEFAULT;
194 |   module_ctx->module_pwdump_column            = MODULE_DEFAULT;
195 |   module_ctx->module_pw_max                   = MODULE_DEFAULT;
196 |   module_ctx->module_pw_min                   = MODULE_DEFAULT;
197 |   module_ctx->module_salt_max                 = MODULE_DEFAULT;
198 |   module_ctx->module_salt_min                 = MODULE_DEFAULT;
199 |   module_ctx->module_salt_type                = module_salt_type;
200 |   module_ctx->module_separator                = MODULE_DEFAULT;
201 |   module_ctx->module_st_hash                  = module_st_hash;
202 |   module_ctx->module_st_pass                  = module_st_pass;
203 |   module_ctx->module_tmp_size                 = MODULE_DEFAULT;
204 |   module_ctx->module_unstable_warning         = MODULE_DEFAULT;
205 |   module_ctx->module_warmup_disable           = MODULE_DEFAULT;
206 | }


--------------------------------------------------------------------------------
/opencl_code/m19850_a0-pure.cl:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * Author......: Christopher Panayi, MWR CyberSec
  3 |  * License.....: MIT
  4 |  */
  5 | 
  6 | #ifdef KERNEL_STATIC
  7 | #include "inc_vendor.h"
  8 | #include "inc_types.h"
  9 | #include "inc_platform.cl"
 10 | #include "inc_common.cl"
 11 | #include "inc_rp.h"
 12 | #include "inc_rp.cl"
 13 | #include "inc_hash_sha1.cl"
 14 | #include "inc_cipher_aes.cl"
 15 | #include "inc_scalar.cl"
 16 | #endif
 17 | 
 18 | DECLSPEC void crypt_derive_key_password_derivation (sha1_hmac_ctx_t *ctx, const u32 *w, const int len)
 19 | {
 20 |   u32 w0[4];
 21 |   u32 w1[4];
 22 |   u32 w2[4];
 23 |   u32 w3[4];
 24 | 
 25 |   sha1_ctx_t tmp;
 26 | 
 27 |   sha1_init (&tmp);
 28 | 
 29 |   sha1_update_utf16le_swap (&tmp, w, len);
 30 | 
 31 |   sha1_final (&tmp);
 32 | 
 33 |   w0[0] = tmp.h[0];
 34 |   w0[1] = tmp.h[1];
 35 |   w0[2] = tmp.h[2];
 36 |   w0[3] = tmp.h[3];
 37 |   w1[0] = tmp.h[4];
 38 |   w1[1] = 0;
 39 |   w1[2] = 0;
 40 |   w1[3] = 0;
 41 |   w2[0] = 0;
 42 |   w2[1] = 0;
 43 |   w2[2] = 0;
 44 |   w2[3] = 0;
 45 |   w3[0] = 0;
 46 |   w3[1] = 0;
 47 |   w3[2] = 0;
 48 |   w3[3] = 0;
 49 | 
 50 |   u32 t0[4];
 51 |   u32 t1[4];
 52 |   u32 t2[4];
 53 |   u32 t3[4];
 54 | 
 55 |   // ipad
 56 | 
 57 |   t0[0] = w0[0] ^ 0x36363636;
 58 |   t0[1] = w0[1] ^ 0x36363636;
 59 |   t0[2] = w0[2] ^ 0x36363636;
 60 |   t0[3] = w0[3] ^ 0x36363636;
 61 |   t1[0] = w1[0] ^ 0x36363636;
 62 |   t1[1] = w1[1] ^ 0x36363636;
 63 |   t1[2] = w1[2] ^ 0x36363636;
 64 |   t1[3] = w1[3] ^ 0x36363636;
 65 |   t2[0] = w2[0] ^ 0x36363636;
 66 |   t2[1] = w2[1] ^ 0x36363636;
 67 |   t2[2] = w2[2] ^ 0x36363636;
 68 |   t2[3] = w2[3] ^ 0x36363636;
 69 |   t3[0] = w3[0] ^ 0x36363636;
 70 |   t3[1] = w3[1] ^ 0x36363636;
 71 |   t3[2] = w3[2] ^ 0x36363636;
 72 |   t3[3] = w3[3] ^ 0x36363636;
 73 | 
 74 |   sha1_init (&ctx->ipad);
 75 | 
 76 |   sha1_update_64 (&ctx->ipad, t0, t1, t2, t3, 64);
 77 | 
 78 |   sha1_final(&ctx->ipad);
 79 | }
 80 | 
 81 | KERNEL_FQ void m19850_mxx (KERN_ATTR_RULES())
 82 | {
 83 |   /**
 84 |    * base
 85 |    */
 86 | 
 87 |   const u64 gid = get_global_id (0);
 88 |   const u64 lid = get_local_id (0);
 89 |   const u64 lsz = get_local_size (0);
 90 | 
 91 |   /**
 92 |    * aes shared
 93 |    */
 94 | 
 95 |   #ifdef REAL_SHM
 96 | 
 97 |   LOCAL_VK u32 s_td0[256];
 98 |   LOCAL_VK u32 s_td1[256];
 99 |   LOCAL_VK u32 s_td2[256];
100 |   LOCAL_VK u32 s_td3[256];
101 |   LOCAL_VK u32 s_td4[256];
102 | 
103 |   LOCAL_VK u32 s_te0[256];
104 |   LOCAL_VK u32 s_te1[256];
105 |   LOCAL_VK u32 s_te2[256];
106 |   LOCAL_VK u32 s_te3[256];
107 |   LOCAL_VK u32 s_te4[256];
108 | 
109 |   for (u32 i = lid; i < 256; i += lsz)
110 |   {
111 |     s_td0[i] = td0[i];
112 |     s_td1[i] = td1[i];
113 |     s_td2[i] = td2[i];
114 |     s_td3[i] = td3[i];
115 |     s_td4[i] = td4[i];
116 | 
117 |     s_te0[i] = te0[i];
118 |     s_te1[i] = te1[i];
119 |     s_te2[i] = te2[i];
120 |     s_te3[i] = te3[i];
121 |     s_te4[i] = te4[i];
122 |   }
123 | 
124 |   SYNC_THREADS ();
125 | 
126 |   #else
127 | 
128 |   CONSTANT_AS u32a *s_td0 = td0;
129 |   CONSTANT_AS u32a *s_td1 = td1;
130 |   CONSTANT_AS u32a *s_td2 = td2;
131 |   CONSTANT_AS u32a *s_td3 = td3;
132 |   CONSTANT_AS u32a *s_td4 = td4;
133 | 
134 |   CONSTANT_AS u32a *s_te0 = te0;
135 |   CONSTANT_AS u32a *s_te1 = te1;
136 |   CONSTANT_AS u32a *s_te2 = te2;
137 |   CONSTANT_AS u32a *s_te3 = te3;
138 |   CONSTANT_AS u32a *s_te4 = te4;
139 | 
140 |   #endif
141 | 
142 |   if (gid >= gid_max) return;
143 | 
144 |   COPY_PW (pws[gid]);
145 |   
146 |   /**
147 |    * loop
148 |    */
149 | 
150 |   for (u32 il_pos = 0; il_pos < il_cnt; il_pos++)
151 |   {
152 |     pw_t tmp = PASTE_PW; 
153 |     
154 |     tmp.pw_len = apply_rules (rules_buf[il_pos].cmds, tmp.i, tmp.pw_len);
155 | 
156 |     sha1_hmac_ctx_t sha1_hmac_ctx;
157 | 
158 |     crypt_derive_key_password_derivation(&sha1_hmac_ctx, tmp.i,tmp.pw_len);
159 |     
160 |     u32 aes_key[4];
161 | 
162 |     aes_key[0] = sha1_hmac_ctx.ipad.h[0];
163 |     aes_key[1] = sha1_hmac_ctx.ipad.h[1];
164 |     aes_key[2] = sha1_hmac_ctx.ipad.h[2];
165 |     aes_key[3] = sha1_hmac_ctx.ipad.h[3];
166 | 
167 |     u32 aes_cbc_encrypt_xml_ks[44];
168 |     u32 encrypted_block[4];
169 | 
170 |     AES128_set_encrypt_key (aes_cbc_encrypt_xml_ks, aes_key, s_te0, s_te1, s_te2, s_te3);
171 | 
172 |     const u32 enc_blocks [4] = {1006649088U,2013293824U,1811947520U,1979737344U}; // UTF-16LE "<?xm" represented in unsigned int
173 |     //enc_blocks[0] = 1006649088U; // UTF-16LE: <
174 |     //enc_blocks[1] = 2013293824U; // UTF-16LE: ?
175 |     //enc_blocks[2] = 1811947520U; // UTF-16LE: x
176 |     //enc_blocks[3] = 1979737344U; // UTF-16LE: m
177 | 
178 |     AES128_encrypt (aes_cbc_encrypt_xml_ks, enc_blocks, encrypted_block, s_te0, s_te1, s_te2, s_te3,s_te4);
179 | 
180 |     const u32 r0 = encrypted_block[DGST_R0];
181 |     const u32 r1 = encrypted_block[DGST_R1];
182 |     const u32 r2 = encrypted_block[DGST_R2];
183 |     const u32 r3 = encrypted_block[DGST_R3];
184 | 
185 |     COMPARE_M_SCALAR (r0, r1, r2, r3);
186 |   }
187 | }
188 | 
189 | KERNEL_FQ void m19850_sxx (KERN_ATTR_RULES())
190 | {
191 |   /**
192 |    * base
193 |    */
194 | 
195 |   const u64 gid = get_global_id (0);
196 |   const u64 lid = get_local_id (0);
197 |   const u64 lsz = get_local_size (0);
198 | 
199 |   if (gid >= gid_max) return;
200 | 
201 |   /**
202 |    * aes shared
203 |    */
204 | 
205 |   #ifdef REAL_SHM
206 | 
207 |   LOCAL_VK u32 s_td0[256];
208 |   LOCAL_VK u32 s_td1[256];
209 |   LOCAL_VK u32 s_td2[256];
210 |   LOCAL_VK u32 s_td3[256];
211 |   LOCAL_VK u32 s_td4[256];
212 | 
213 |   LOCAL_VK u32 s_te0[256];
214 |   LOCAL_VK u32 s_te1[256];
215 |   LOCAL_VK u32 s_te2[256];
216 |   LOCAL_VK u32 s_te3[256];
217 |   LOCAL_VK u32 s_te4[256];
218 | 
219 |   for (u32 i = lid; i < 256; i += lsz)
220 |   {
221 |     s_td0[i] = td0[i];
222 |     s_td1[i] = td1[i];
223 |     s_td2[i] = td2[i];
224 |     s_td3[i] = td3[i];
225 |     s_td4[i] = td4[i];
226 | 
227 |     s_te0[i] = te0[i];
228 |     s_te1[i] = te1[i];
229 |     s_te2[i] = te2[i];
230 |     s_te3[i] = te3[i];
231 |     s_te4[i] = te4[i];
232 |   }
233 | 
234 |   SYNC_THREADS ();
235 | 
236 |   #else
237 | 
238 |   CONSTANT_AS u32a *s_td0 = td0;
239 |   CONSTANT_AS u32a *s_td1 = td1;
240 |   CONSTANT_AS u32a *s_td2 = td2;
241 |   CONSTANT_AS u32a *s_td3 = td3;
242 |   CONSTANT_AS u32a *s_td4 = td4;
243 | 
244 |   CONSTANT_AS u32a *s_te0 = te0;
245 |   CONSTANT_AS u32a *s_te1 = te1;
246 |   CONSTANT_AS u32a *s_te2 = te2;
247 |   CONSTANT_AS u32a *s_te3 = te3;
248 |   CONSTANT_AS u32a *s_te4 = te4;
249 | 
250 |   #endif
251 | 
252 |   const u32 search[4] =
253 |   {
254 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R0],
255 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R1],
256 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R2],
257 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R3]
258 |   };
259 | 
260 |   COPY_PW (pws[gid]);
261 | 
262 |   /**
263 |    * loop
264 |    */
265 | 
266 |   for (u32 il_pos = 0; il_pos < il_cnt; il_pos++)
267 |   {
268 |     pw_t tmp = PASTE_PW;
269 | 
270 |     tmp.pw_len = apply_rules (rules_buf[il_pos].cmds, tmp.i, tmp.pw_len);
271 | 
272 |     sha1_hmac_ctx_t sha1_hmac_ctx;
273 | 
274 |     crypt_derive_key_password_derivation(&sha1_hmac_ctx, tmp.i,tmp.pw_len);
275 |     
276 |     u32 aes_key[4];
277 | 
278 |     aes_key[0] = sha1_hmac_ctx.ipad.h[0];
279 |     aes_key[1] = sha1_hmac_ctx.ipad.h[1];
280 |     aes_key[2] = sha1_hmac_ctx.ipad.h[2];
281 |     aes_key[3] = sha1_hmac_ctx.ipad.h[3];
282 | 
283 |     u32 aes_cbc_encrypt_xml_ks[44];
284 |     u32 encrypted_block[4];
285 | 
286 |     AES128_set_encrypt_key (aes_cbc_encrypt_xml_ks, aes_key, s_te0, s_te1, s_te2, s_te3);
287 | 
288 |     const u32 enc_blocks [4] = {1006649088U,2013293824U,1811947520U,1979737344U}; // UTF-16LE "<?xm" represented in unsigned int
289 |     //enc_blocks[0] = 1006649088U; // UTF-16LE: <
290 |     //enc_blocks[1] = 2013293824U; // UTF-16LE: ?
291 |     //enc_blocks[2] = 1811947520U; // UTF-16LE: x
292 |     //enc_blocks[3] = 1979737344U; // UTF-16LE: m
293 | 
294 |     AES128_encrypt (aes_cbc_encrypt_xml_ks, enc_blocks, encrypted_block, s_te0, s_te1, s_te2, s_te3,s_te4);
295 | 
296 |     const u32 r0 = encrypted_block[DGST_R0];
297 |     const u32 r1 = encrypted_block[DGST_R1];
298 |     const u32 r2 = encrypted_block[DGST_R2];
299 |     const u32 r3 = encrypted_block[DGST_R3];
300 | 
301 |     COMPARE_S_SCALAR (r0, r1, r2, r3);
302 |   }
303 | }
304 | 


--------------------------------------------------------------------------------
/opencl_code/m19850_a1-pure.cl:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * Author......: Christopher Panayi, MWR CyberSec
  3 |  * License.....: MIT
  4 |  */
  5 | 
  6 | #ifdef KERNEL_STATIC
  7 | #include "inc_vendor.h"
  8 | #include "inc_types.h"
  9 | #include "inc_platform.cl"
 10 | #include "inc_common.cl"
 11 | #include "inc_rp.h"
 12 | #include "inc_rp.cl"
 13 | #include "inc_hash_sha1.cl"
 14 | #include "inc_cipher_aes.cl"
 15 | #include "inc_scalar.cl"
 16 | #endif
 17 | 
 18 | //CryptDeriveKey is basically sha1hmac if the input is forced to be greater than 64. Based on the code from sha1_hmac_init_vector and ipad from sha1_hmac_init_vector_64. 
 19 | //I only implement ipad calculation though, because this allows for the generation of up to a max of 512bit symmetric keys, which is already a lot
 20 | //This implementation is initialised with a sha1_ctx_t object for the left-hand side password (pws) as part of the combinator attack, and updated with the right-hand side password (combs_buf)
 21 | DECLSPEC void crypt_derive_key_password_derivation (sha1_hmac_ctx_t *ctx, sha1_ctx_t *pwsorig, GLOBAL_AS const u32 *w, const int len)
 22 | {
 23 |   u32 w0[4];
 24 |   u32 w1[4];
 25 |   u32 w2[4];
 26 |   u32 w3[4];
 27 | 
 28 |   //Add right side password to left side password with a second call to sha1_update_global_utf16le_swap
 29 |   sha1_ctx_t *tmp = pwsorig;
 30 | 
 31 |   sha1_update_global_utf16le_swap (tmp, w, len);
 32 | 
 33 |   sha1_final (tmp);
 34 | 
 35 |   w0[0] = tmp->h[0];
 36 |   w0[1] = tmp->h[1];
 37 |   w0[2] = tmp->h[2];
 38 |   w0[3] = tmp->h[3];
 39 |   w1[0] = tmp->h[4];
 40 |   w1[1] = 0;
 41 |   w1[2] = 0;
 42 |   w1[3] = 0;
 43 |   w2[0] = 0;
 44 |   w2[1] = 0;
 45 |   w2[2] = 0;
 46 |   w2[3] = 0;
 47 |   w3[0] = 0;
 48 |   w3[1] = 0;
 49 |   w3[2] = 0;
 50 |   w3[3] = 0;
 51 | 
 52 |   u32 t0[4];
 53 |   u32 t1[4];
 54 |   u32 t2[4];
 55 |   u32 t3[4];
 56 | 
 57 |   // ipad
 58 | 
 59 |   t0[0] = w0[0] ^ 0x36363636;
 60 |   t0[1] = w0[1] ^ 0x36363636;
 61 |   t0[2] = w0[2] ^ 0x36363636;
 62 |   t0[3] = w0[3] ^ 0x36363636;
 63 |   t1[0] = w1[0] ^ 0x36363636;
 64 |   t1[1] = w1[1] ^ 0x36363636;
 65 |   t1[2] = w1[2] ^ 0x36363636;
 66 |   t1[3] = w1[3] ^ 0x36363636;
 67 |   t2[0] = w2[0] ^ 0x36363636;
 68 |   t2[1] = w2[1] ^ 0x36363636;
 69 |   t2[2] = w2[2] ^ 0x36363636;
 70 |   t2[3] = w2[3] ^ 0x36363636;
 71 |   t3[0] = w3[0] ^ 0x36363636;
 72 |   t3[1] = w3[1] ^ 0x36363636;
 73 |   t3[2] = w3[2] ^ 0x36363636;
 74 |   t3[3] = w3[3] ^ 0x36363636;
 75 | 
 76 |   sha1_init (&ctx->ipad);
 77 | 
 78 |   sha1_update_64 (&ctx->ipad, t0, t1, t2, t3, 64);
 79 | 
 80 |   sha1_final(&ctx->ipad);
 81 | }
 82 | 
 83 | KERNEL_FQ void m19850_mxx (KERN_ATTR_BASIC())
 84 | {
 85 |   /**
 86 |    * base
 87 |    */
 88 | 
 89 |   const u64 gid = get_global_id (0);
 90 |   const u64 lid = get_local_id (0);
 91 |   const u64 lsz = get_local_size (0);
 92 | 
 93 |   /**
 94 |    * aes shared
 95 |    */
 96 | 
 97 |   #ifdef REAL_SHM
 98 | 
 99 |   LOCAL_VK u32 s_td0[256];
100 |   LOCAL_VK u32 s_td1[256];
101 |   LOCAL_VK u32 s_td2[256];
102 |   LOCAL_VK u32 s_td3[256];
103 |   LOCAL_VK u32 s_td4[256];
104 | 
105 |   LOCAL_VK u32 s_te0[256];
106 |   LOCAL_VK u32 s_te1[256];
107 |   LOCAL_VK u32 s_te2[256];
108 |   LOCAL_VK u32 s_te3[256];
109 |   LOCAL_VK u32 s_te4[256];
110 | 
111 |   for (u32 i = lid; i < 256; i += lsz)
112 |   {
113 |     s_td0[i] = td0[i];
114 |     s_td1[i] = td1[i];
115 |     s_td2[i] = td2[i];
116 |     s_td3[i] = td3[i];
117 |     s_td4[i] = td4[i];
118 | 
119 |     s_te0[i] = te0[i];
120 |     s_te1[i] = te1[i];
121 |     s_te2[i] = te2[i];
122 |     s_te3[i] = te3[i];
123 |     s_te4[i] = te4[i];
124 |   }
125 | 
126 |   SYNC_THREADS ();
127 | 
128 |   #else
129 | 
130 |   CONSTANT_AS u32a *s_td0 = td0;
131 |   CONSTANT_AS u32a *s_td1 = td1;
132 |   CONSTANT_AS u32a *s_td2 = td2;
133 |   CONSTANT_AS u32a *s_td3 = td3;
134 |   CONSTANT_AS u32a *s_td4 = td4;
135 | 
136 |   CONSTANT_AS u32a *s_te0 = te0;
137 |   CONSTANT_AS u32a *s_te1 = te1;
138 |   CONSTANT_AS u32a *s_te2 = te2;
139 |   CONSTANT_AS u32a *s_te3 = te3;
140 |   CONSTANT_AS u32a *s_te4 = te4;
141 | 
142 |   #endif
143 | 
144 |   if (gid >= gid_max) return;
145 | 
146 |   //First call to sha1_update_global_utf16le_swap for the left hand side password (pws)
147 |   sha1_ctx_t tmp;
148 | 
149 |   sha1_init (&tmp);
150 | 
151 |   sha1_update_global_utf16le_swap (&tmp, pws[gid].i, pws[gid].pw_len);
152 | 
153 |   /**
154 |    * loop
155 |    */
156 | 
157 |   for (u32 il_pos = 0; il_pos < il_cnt; il_pos++)
158 |   {
159 |     sha1_hmac_ctx_t sha1_hmac_ctx;
160 |     sha1_ctx_t pwsorig = tmp; //Make a copy of the existing sha1_ctx_t object already calculated for pws, per loop iteration
161 | 
162 |     //Call to crypt_derive_key_password_derivation, with the right hand side password (combs_buf) passed as a parameter
163 |     crypt_derive_key_password_derivation(&sha1_hmac_ctx, &pwsorig, combs_buf[il_pos].i, combs_buf[il_pos].pw_len);
164 |     
165 |     u32 aes_key[4];
166 | 
167 |     aes_key[0] = sha1_hmac_ctx.ipad.h[0];
168 |     aes_key[1] = sha1_hmac_ctx.ipad.h[1];
169 |     aes_key[2] = sha1_hmac_ctx.ipad.h[2];
170 |     aes_key[3] = sha1_hmac_ctx.ipad.h[3];
171 | 
172 |     u32 aes_cbc_encrypt_xml_ks[44];
173 |     u32 encrypted_block[4];
174 | 
175 |     AES128_set_encrypt_key (aes_cbc_encrypt_xml_ks, aes_key, s_te0, s_te1, s_te2, s_te3);
176 | 
177 |     const u32 enc_blocks [4] = {1006649088U,2013293824U,1811947520U,1979737344U}; // UTF-16LE "<?xm" represented in unsigned int
178 |     //enc_blocks[0] = 1006649088U; // UTF-16LE: <
179 |     //enc_blocks[1] = 2013293824U; // UTF-16LE: ?
180 |     //enc_blocks[2] = 1811947520U; // UTF-16LE: x
181 |     //enc_blocks[3] = 1979737344U; // UTF-16LE: m
182 | 
183 |     AES128_encrypt (aes_cbc_encrypt_xml_ks, enc_blocks, encrypted_block, s_te0, s_te1, s_te2, s_te3,s_te4);
184 | 
185 |     const u32 r0 = encrypted_block[DGST_R0];
186 |     const u32 r1 = encrypted_block[DGST_R1];
187 |     const u32 r2 = encrypted_block[DGST_R2];
188 |     const u32 r3 = encrypted_block[DGST_R3];
189 | 
190 |     COMPARE_M_SCALAR (r0, r1, r2, r3);
191 |   }
192 | }
193 | 
194 | KERNEL_FQ void m19850_sxx (KERN_ATTR_BASIC())
195 | {
196 |   /**
197 |    * base
198 |    */
199 | 
200 |   const u64 gid = get_global_id (0);
201 |   const u64 lid = get_local_id (0);
202 |   const u64 lsz = get_local_size (0);
203 | 
204 |   /**
205 |    * aes shared
206 |    */
207 | 
208 |   #ifdef REAL_SHM
209 | 
210 |   LOCAL_VK u32 s_td0[256];
211 |   LOCAL_VK u32 s_td1[256];
212 |   LOCAL_VK u32 s_td2[256];
213 |   LOCAL_VK u32 s_td3[256];
214 |   LOCAL_VK u32 s_td4[256];
215 | 
216 |   LOCAL_VK u32 s_te0[256];
217 |   LOCAL_VK u32 s_te1[256];
218 |   LOCAL_VK u32 s_te2[256];
219 |   LOCAL_VK u32 s_te3[256];
220 |   LOCAL_VK u32 s_te4[256];
221 | 
222 |   for (u32 i = lid; i < 256; i += lsz)
223 |   {
224 |     s_td0[i] = td0[i];
225 |     s_td1[i] = td1[i];
226 |     s_td2[i] = td2[i];
227 |     s_td3[i] = td3[i];
228 |     s_td4[i] = td4[i];
229 | 
230 |     s_te0[i] = te0[i];
231 |     s_te1[i] = te1[i];
232 |     s_te2[i] = te2[i];
233 |     s_te3[i] = te3[i];
234 |     s_te4[i] = te4[i];
235 |   }
236 | 
237 |   SYNC_THREADS ();
238 | 
239 |   #else
240 | 
241 |   CONSTANT_AS u32a *s_td0 = td0;
242 |   CONSTANT_AS u32a *s_td1 = td1;
243 |   CONSTANT_AS u32a *s_td2 = td2;
244 |   CONSTANT_AS u32a *s_td3 = td3;
245 |   CONSTANT_AS u32a *s_td4 = td4;
246 | 
247 |   CONSTANT_AS u32a *s_te0 = te0;
248 |   CONSTANT_AS u32a *s_te1 = te1;
249 |   CONSTANT_AS u32a *s_te2 = te2;
250 |   CONSTANT_AS u32a *s_te3 = te3;
251 |   CONSTANT_AS u32a *s_te4 = te4;
252 | 
253 |   #endif
254 | 
255 |   if (gid >= gid_max) return;
256 | 
257 |   const u32 search[4] =
258 |   {
259 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R0],
260 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R1],
261 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R2],
262 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R3]
263 |   };
264 | 
265 |   sha1_ctx_t tmp;
266 | 
267 |   sha1_init (&tmp);
268 | 
269 |   sha1_update_global_utf16le_swap (&tmp, pws[gid].i, pws[gid].pw_len);
270 | 
271 |   /**
272 |    * loop
273 |    */
274 | 
275 |   for (u32 il_pos = 0; il_pos < il_cnt; il_pos++)
276 |   {
277 |     sha1_hmac_ctx_t sha1_hmac_ctx;    
278 |     sha1_ctx_t pwsorig = tmp;
279 | 
280 |     crypt_derive_key_password_derivation(&sha1_hmac_ctx, &pwsorig, combs_buf[il_pos].i, combs_buf[il_pos].pw_len);
281 |     
282 |     u32 aes_key[4];
283 | 
284 |     aes_key[0] = sha1_hmac_ctx.ipad.h[0];
285 |     aes_key[1] = sha1_hmac_ctx.ipad.h[1];
286 |     aes_key[2] = sha1_hmac_ctx.ipad.h[2];
287 |     aes_key[3] = sha1_hmac_ctx.ipad.h[3];
288 | 
289 |     u32 aes_cbc_encrypt_xml_ks[44];
290 |     u32 encrypted_block[4];
291 | 
292 |     AES128_set_encrypt_key (aes_cbc_encrypt_xml_ks, aes_key, s_te0, s_te1, s_te2, s_te3);
293 | 
294 |     const u32 enc_blocks [4] = {1006649088U,2013293824U,1811947520U,1979737344U}; // UTF-16LE "<?xm" represented in unsigned int
295 |     //enc_blocks[0] = 1006649088U; // UTF-16LE: <
296 |     //enc_blocks[1] = 2013293824U; // UTF-16LE: ?
297 |     //enc_blocks[2] = 1811947520U; // UTF-16LE: x
298 |     //enc_blocks[3] = 1979737344U; // UTF-16LE: m
299 | 
300 |     AES128_encrypt (aes_cbc_encrypt_xml_ks, enc_blocks, encrypted_block, s_te0, s_te1, s_te2, s_te3,s_te4);
301 | 
302 |     const u32 r0 = encrypted_block[DGST_R0];
303 |     const u32 r1 = encrypted_block[DGST_R1];
304 |     const u32 r2 = encrypted_block[DGST_R2];
305 |     const u32 r3 = encrypted_block[DGST_R3];
306 | 
307 |     COMPARE_S_SCALAR (r0, r1, r2, r3);
308 |   }
309 | }
310 | 


--------------------------------------------------------------------------------
/opencl_code/m19850_a3-pure.cl:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * Author......: Christopher Panayi, MWR CyberSec
  3 |  * License.....: MIT
  4 |  */
  5 | 
  6 | #define NEW_SIMD_CODE
  7 | 
  8 | #ifdef KERNEL_STATIC
  9 | #include "inc_vendor.h"
 10 | #include "inc_types.h"
 11 | #include "inc_platform.cl"
 12 | #include "inc_common.cl"
 13 | #include "inc_simd.cl"
 14 | #include "inc_hash_sha1.cl"
 15 | #include "inc_cipher_aes.cl"
 16 | #include "inc_scalar.cl"
 17 | #endif
 18 | 
 19 | //CryptDeriveKey is basically sha1hmac if the input is forced to be greater than 64. Based on the code from sha1_hmac_init_vector and ipad from sha1_hmac_init_vector_64. 
 20 | //I only implement ipad calculation, because this allows for the generation of up to a max of 512bit symmetric keys, which is already a lot
 21 | DECLSPEC void crypt_derive_key_password_derivation_vector (sha1_hmac_ctx_vector_t *ctx, const u32x *w, const int len)
 22 | {
 23 |   u32x w0[4];
 24 |   u32x w1[4];
 25 |   u32x w2[4];
 26 |   u32x w3[4];
 27 | 
 28 |   sha1_ctx_vector_t tmp;
 29 | 
 30 |   sha1_init_vector (&tmp);
 31 | 
 32 |   sha1_update_vector_utf16le_swap (&tmp, w, len);
 33 | 
 34 |   sha1_final_vector (&tmp);
 35 | 
 36 |   w0[0] = tmp.h[0];
 37 |   w0[1] = tmp.h[1];
 38 |   w0[2] = tmp.h[2];
 39 |   w0[3] = tmp.h[3];
 40 |   w1[0] = tmp.h[4];
 41 |   w1[1] = 0;
 42 |   w1[2] = 0;
 43 |   w1[3] = 0;
 44 |   w2[0] = 0;
 45 |   w2[1] = 0;
 46 |   w2[2] = 0;
 47 |   w2[3] = 0;
 48 |   w3[0] = 0;
 49 |   w3[1] = 0;
 50 |   w3[2] = 0;
 51 |   w3[3] = 0;
 52 | 
 53 |   u32x t0[4];
 54 |   u32x t1[4];
 55 |   u32x t2[4];
 56 |   u32x t3[4];
 57 | 
 58 |   // ipad
 59 | 
 60 |   t0[0] = w0[0] ^ 0x36363636;
 61 |   t0[1] = w0[1] ^ 0x36363636;
 62 |   t0[2] = w0[2] ^ 0x36363636;
 63 |   t0[3] = w0[3] ^ 0x36363636;
 64 |   t1[0] = w1[0] ^ 0x36363636;
 65 |   t1[1] = w1[1] ^ 0x36363636;
 66 |   t1[2] = w1[2] ^ 0x36363636;
 67 |   t1[3] = w1[3] ^ 0x36363636;
 68 |   t2[0] = w2[0] ^ 0x36363636;
 69 |   t2[1] = w2[1] ^ 0x36363636;
 70 |   t2[2] = w2[2] ^ 0x36363636;
 71 |   t2[3] = w2[3] ^ 0x36363636;
 72 |   t3[0] = w3[0] ^ 0x36363636;
 73 |   t3[1] = w3[1] ^ 0x36363636;
 74 |   t3[2] = w3[2] ^ 0x36363636;
 75 |   t3[3] = w3[3] ^ 0x36363636;
 76 | 
 77 |   sha1_init_vector (&ctx->ipad);
 78 | 
 79 |   sha1_update_vector_64 (&ctx->ipad, t0, t1, t2, t3, 64);
 80 | 
 81 |   sha1_final_vector (&ctx->ipad);
 82 | }
 83 | 
 84 | KERNEL_FQ void m19850_mxx (KERN_ATTR_VECTOR ())
 85 | {
 86 |   /**
 87 |    * base
 88 |    */
 89 | 
 90 |   const u64 lid = get_local_id (0);
 91 |   const u64 gid = get_global_id (0);
 92 |   const u64 lsz = get_local_size (0);
 93 | 
 94 |   if (gid >= gid_max) return;
 95 |   /**
 96 |    * aes shared
 97 |    */
 98 | 
 99 |   #ifdef REAL_SHM
100 | 
101 |   LOCAL_VK u32 s_td0[256];
102 |   LOCAL_VK u32 s_td1[256];
103 |   LOCAL_VK u32 s_td2[256];
104 |   LOCAL_VK u32 s_td3[256];
105 |   LOCAL_VK u32 s_td4[256];
106 | 
107 |   LOCAL_VK u32 s_te0[256];
108 |   LOCAL_VK u32 s_te1[256];
109 |   LOCAL_VK u32 s_te2[256];
110 |   LOCAL_VK u32 s_te3[256];
111 |   LOCAL_VK u32 s_te4[256];
112 | 
113 |   for (u32 i = lid; i < 256; i += lsz)
114 |   {
115 |     s_td0[i] = td0[i];
116 |     s_td1[i] = td1[i];
117 |     s_td2[i] = td2[i];
118 |     s_td3[i] = td3[i];
119 |     s_td4[i] = td4[i];
120 | 
121 |     s_te0[i] = te0[i];
122 |     s_te1[i] = te1[i];
123 |     s_te2[i] = te2[i];
124 |     s_te3[i] = te3[i];
125 |     s_te4[i] = te4[i];
126 |   }
127 | 
128 |   SYNC_THREADS ();
129 | 
130 |   #else
131 | 
132 |   CONSTANT_AS u32a *s_td0 = td0;
133 |   CONSTANT_AS u32a *s_td1 = td1;
134 |   CONSTANT_AS u32a *s_td2 = td2;
135 |   CONSTANT_AS u32a *s_td3 = td3;
136 |   CONSTANT_AS u32a *s_td4 = td4;
137 | 
138 |   CONSTANT_AS u32a *s_te0 = te0;
139 |   CONSTANT_AS u32a *s_te1 = te1;
140 |   CONSTANT_AS u32a *s_te2 = te2;
141 |   CONSTANT_AS u32a *s_te3 = te3;
142 |   CONSTANT_AS u32a *s_te4 = te4;
143 | 
144 |   #endif
145 | 
146 |   //Begin common hashcat vector code 
147 |   const u32 pw_len = pws[gid].pw_len;
148 | 
149 |   u32x w[64] = { 0 };
150 | 
151 |   for (u32 i = 0, idx = 0; i < pw_len; i += 4, idx += 1)
152 |   {
153 |     w[idx] = pws[gid].i[idx];
154 |   }
155 | 
156 |   /**
157 |    * loop
158 |    */
159 | 
160 |   u32x w0l = w[0];
161 | 
162 |   for (u32 il_pos = 0; il_pos < il_cnt; il_pos += VECT_SIZE)
163 |   {
164 |     const u32x w0r = words_buf_r[il_pos / VECT_SIZE];
165 | 
166 |     const u32x w0 = w0l | w0r;
167 | 
168 |     w[0] = w0;
169 | 
170 |     //End common hashcat vector code 
171 | 
172 |     sha1_hmac_ctx_vector_t sha1_hmac_ctx_vec;
173 | 
174 |     crypt_derive_key_password_derivation_vector(&sha1_hmac_ctx_vec, w, pw_len);
175 |     
176 |     u32 aes_key[4];
177 | 
178 |     //You can assign scalar values from a vector hash calculation without issue
179 |     aes_key[0] = sha1_hmac_ctx_vec.ipad.h[0];
180 |     aes_key[1] = sha1_hmac_ctx_vec.ipad.h[1];
181 |     aes_key[2] = sha1_hmac_ctx_vec.ipad.h[2];
182 |     aes_key[3] = sha1_hmac_ctx_vec.ipad.h[3];
183 | 
184 |     u32 aes_cbc_encrypt_xml_ks[44];
185 |     u32 encrypted_block[4];
186 | 
187 |     AES128_set_encrypt_key (aes_cbc_encrypt_xml_ks, aes_key, s_te0, s_te1, s_te2, s_te3);
188 | 
189 |     const u32 enc_blocks [4] = {1006649088U,2013293824U,1811947520U,1979737344U}; // UTF-16LE "<?xm" represented in unsigned int
190 |     //enc_blocks[0] = 1006649088U; // UTF-16LE: <
191 |     //enc_blocks[1] = 2013293824U; // UTF-16LE: ?
192 |     //enc_blocks[2] = 1811947520U; // UTF-16LE: x
193 |     //enc_blocks[3] = 1979737344U; // UTF-16LE: m
194 | 
195 |     AES128_encrypt (aes_cbc_encrypt_xml_ks, enc_blocks, encrypted_block, s_te0, s_te1, s_te2, s_te3,s_te4);
196 | 
197 |     const u32 r0 = encrypted_block[DGST_R0];
198 |     const u32 r1 = encrypted_block[DGST_R1];
199 |     const u32 r2 = encrypted_block[DGST_R2];
200 |     const u32 r3 = encrypted_block[DGST_R3];
201 | 
202 |     COMPARE_M_SCALAR (r0, r1, r2, r3);
203 |   }
204 | }
205 | 
206 | KERNEL_FQ void m19850_sxx (KERN_ATTR_VECTOR ())
207 | {
208 |   /**
209 |    * base
210 |    */
211 | 
212 |   const u64 lid = get_local_id (0);
213 |   const u64 gid = get_global_id (0);
214 |   const u64 lsz = get_local_size (0);
215 | 
216 |   if (gid >= gid_max) return;
217 | 
218 |   /**
219 |    * aes shared
220 |    */
221 | 
222 |   #ifdef REAL_SHM
223 | 
224 |   LOCAL_VK u32 s_td0[256];
225 |   LOCAL_VK u32 s_td1[256];
226 |   LOCAL_VK u32 s_td2[256];
227 |   LOCAL_VK u32 s_td3[256];
228 |   LOCAL_VK u32 s_td4[256];
229 | 
230 |   LOCAL_VK u32 s_te0[256];
231 |   LOCAL_VK u32 s_te1[256];
232 |   LOCAL_VK u32 s_te2[256];
233 |   LOCAL_VK u32 s_te3[256];
234 |   LOCAL_VK u32 s_te4[256];
235 | 
236 |   for (u32 i = lid; i < 256; i += lsz)
237 |   {
238 |     s_td0[i] = td0[i];
239 |     s_td1[i] = td1[i];
240 |     s_td2[i] = td2[i];
241 |     s_td3[i] = td3[i];
242 |     s_td4[i] = td4[i];
243 | 
244 |     s_te0[i] = te0[i];
245 |     s_te1[i] = te1[i];
246 |     s_te2[i] = te2[i];
247 |     s_te3[i] = te3[i];
248 |     s_te4[i] = te4[i];
249 |   }
250 | 
251 |   SYNC_THREADS ();
252 | 
253 |   #else
254 | 
255 |   CONSTANT_AS u32a *s_td0 = td0;
256 |   CONSTANT_AS u32a *s_td1 = td1;
257 |   CONSTANT_AS u32a *s_td2 = td2;
258 |   CONSTANT_AS u32a *s_td3 = td3;
259 |   CONSTANT_AS u32a *s_td4 = td4;
260 | 
261 |   CONSTANT_AS u32a *s_te0 = te0;
262 |   CONSTANT_AS u32a *s_te1 = te1;
263 |   CONSTANT_AS u32a *s_te2 = te2;
264 |   CONSTANT_AS u32a *s_te3 = te3;
265 |   CONSTANT_AS u32a *s_te4 = te4;
266 | 
267 |   #endif
268 | 
269 |   //The compare_s code macro uses the search array to compare against
270 |   const u32 search[4] =
271 |   {
272 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R0],
273 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R1],
274 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R2],
275 |     digests_buf[DIGESTS_OFFSET].digest_buf[DGST_R3]
276 |   };
277 | 
278 | 
279 |   //Begin common hashcat vector code. This is shared by all _a3-pure fast kernels
280 |   const u32 pw_len = pws[gid].pw_len;
281 | 
282 |   u32x w[64] = { 0 };
283 | 
284 |   for (u32 i = 0, idx = 0; i < pw_len; i += 4, idx += 1)
285 |   {
286 |     w[idx] = pws[gid].i[idx];
287 |   }
288 | 
289 |   /**
290 |    * loop
291 |    */
292 | 
293 |   u32x w0l = w[0];
294 | 
295 |   for (u32 il_pos = 0; il_pos < il_cnt; il_pos += VECT_SIZE)
296 |   {
297 |     const u32x w0r = words_buf_r[il_pos / VECT_SIZE];
298 | 
299 |     const u32x w0 = w0l | w0r;
300 | 
301 |     w[0] = w0;
302 | 
303 |     //End common hashcat vector code 
304 | 
305 |     sha1_hmac_ctx_vector_t sha1_hmac_ctx_vec;
306 | 
307 |     crypt_derive_key_password_derivation_vector(&sha1_hmac_ctx_vec, w, pw_len);
308 |     
309 |     u32 aes_key[4];
310 | 
311 |     aes_key[0] = sha1_hmac_ctx_vec.ipad.h[0];
312 |     aes_key[1] = sha1_hmac_ctx_vec.ipad.h[1];
313 |     aes_key[2] = sha1_hmac_ctx_vec.ipad.h[2];
314 |     aes_key[3] = sha1_hmac_ctx_vec.ipad.h[3];
315 | 
316 |     u32 aes_cbc_encrypt_xml_ks[44];
317 |     u32 encrypted_block[4];
318 | 
319 |     AES128_set_encrypt_key (aes_cbc_encrypt_xml_ks, aes_key, s_te0, s_te1, s_te2, s_te3);
320 |     
321 |     const u32 enc_blocks [4] = {1006649088U,2013293824U,1811947520U,1979737344U}; // UTF-16LE "<?xm" represented in unsigned int
322 |     //enc_blocks[0] = 1006649088U; // UTF-16LE: <
323 |     //enc_blocks[1] = 2013293824U; // UTF-16LE: ?
324 |     //enc_blocks[2] = 1811947520U; // UTF-16LE: x
325 |     //enc_blocks[3] = 1979737344U; // UTF-16LE: m
326 | 
327 |     AES128_encrypt (aes_cbc_encrypt_xml_ks, enc_blocks, encrypted_block, s_te0, s_te1, s_te2, s_te3,s_te4);
328 | 
329 |     const u32 r0 = encrypted_block[DGST_R0];
330 |     const u32 r1 = encrypted_block[DGST_R1];
331 |     const u32 r2 = encrypted_block[DGST_R2];
332 |     const u32 r3 = encrypted_block[DGST_R3];
333 | 
334 |     //This compares the calculated answer against GPU registers
335 |     COMPARE_S_SCALAR (r0, r1, r2, r3);
336 |   }
337 | }
338 | 


--------------------------------------------------------------------------------