hashcat Forum

Full Version: ETH-presale-wallet Question
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hi all,

I've got one of these famous ETH Presale-Wallets and will give it a try...

However, there are some questions that occured.

First, I wanted to test Hashcat to get comfortable with using it. For this purpose, I created on a Linux Debian system an MF5-hash of the word "test". The hash I got was d8e8fca2dc0f896fd7cb4cb0031ba249.

Tested it with a wordlist which had the word "test" in it with no success. Eventually, I went on the site https://www.md5.cz/ and the MD5sum for "test" was 098f6bcd4621d373cade4e832627b4f6.

So now Hashcat worked like a charm. So I frankly don't know why the md5sum-program gave a different hash than the one on the site. Has anybody an explanation for this?

In the next step, I created a wordlist with all the possible passwords and ran Hashcat with the following command:

hashcat -m 16300 -o cracktest.txt wallethash.txt passwords.txt

Using the example from this site:

https://github.com/hashcat/hashcat/issues/1279

I indeed get the correct password for the test hash.

Now, as expected, I didn't get any result when trying my custom wordlist with my real pre-sale-wallet.

Then I see the following text on the site quoted above:

Quote:It sounds like return characters were incorrectly considered during the KDF portion instead of being stripped, which caused wallets that implement the KDF correctly to fail to decrypt due to the lack of the return characters? If so, it should be trivial to apply those characters using a rule or a hex wordlist with those characters applied to the ends of the plaintexts.


Now frankly: This sounds reasonable - but I don't understand what it means. If I want to write a rule or apply a hex wordlist with those characters applied to the plaintext  - what would I be looking for? KDF (I have no idea what this means, and aunt Google wasn't of much help).

If anybody could direct me to the right direction, I would be very glad. Thank you!

Edit:

I just put 0x0a at the end of every potential password. Would this be the correct way to do it? (With no success so far, however)
Your hash is not correct, this is what the hash looks like for this mod:

$ethereum$w*e94a8e49deac2d62206bf9bfb7d2aaea7eb06c1a378cfc1ac056cc599a569793c0ecc40e6a0c242dee2812f06b644d70f43331b1fa2ce4bd6cbb9f62dd25b443235bdb4c1ffb222084c9ded8c719624b338f17e0fd827b34d79801298ac75f74ed97ae16f72fccecf862d09a03498b1b8bd1d984fc43dd507ede5d4b6223a582352386407266b66c671077eefc1e07b5f42508bf926ab5616658c984968d8eec25c9d5197a4a30eed54c161595c3b4d558b17ab8a75ccca72b3d949919d197158ea5cfbc43ac7dd73cf77807dc2c8fe4ef1e942ccd11ec24fe8a410d48ef4b8a35c93ecf1a21c51a51a08f3225fbdcc338b1e7fdafd7d94b82a81d88c2e9a429acc3f8a5974eafb7af8c912597eb6fdcd80578bd12efddd99de47b44e7c8f6c38f2af3116b08796172eda89422e9ea9b99c7f98a7e331aeb4bb1b06f611e95082b629332c31dbcfd878aed77d300c9ed5c74af9cd6f5a8c4a261dd124317fb790a04481d93aec160af4ad8ec84c04d943a869f65f07f5ccf8295dc1c876f30408eac77f62192cbb25842470b4a5bdb4c8096f56da7e9ed05c21f61b94c54ef1c2e9e417cce627521a40a99e357dd9b7a7149041d589cbacbe0302db57ddc983b9a6d79ce3f2e9ae8ad45fa40b934ed6b36379b780549ae7553dbb1cab238138c05743d0103335325bd90e27d8ae1ea219eb8905503c5ad54fa12d22e9a7d296eee07c8a7b5041b8d56b8af290274d01eb0e4ad174eb26b23b5e9fb46ff7f88398e6266052292acb36554ccb9c2c03139fe72d3f5d30bd5d10bd79d7cb48d2ab24187d8efc3750d5a24980fb12122591455d14e75421a2074599f1cc9fdfc8f498c92ad8b904d3c4307f80c46921d8128*f3abede76ac15228f1b161dd9660bb9094e81b1b*d201ccd492c284484c7824c4d37b1593

pass: hashcat
Thanks, yes, that's what the hash for the presale wallet looks like. The other hash I mentioned was just for testing hashcat with an MD5-hash. Strange, though, that md5sum gave another hash than the homepage I visited.
(07-12-2023, 05:46 PM)Malatesta Wrote: [ -> ]Thanks, yes, that's what the hash for the presale wallet looks like. The other hash I mentioned was just for testing hashcat with an MD5-hash. Strange, though, that md5sum gave another hash than the homepage I visited.

your command for generating the md5 hash is wrong, you hashed it with linebrake 

WRONG
echo test | md5sum -> d8e8fca2dc0f896fd7cb4cb0031ba249
RIGHT
echo -n test | md5sum -> 098f6bcd4621d373cade4e832627b4f6
(07-12-2023, 05:57 PM)Snoopy Wrote: [ -> ]WRONG
echo test | md5sum -> d8e8fca2dc0f896fd7cb4cb0031ba249
RIGHT
echo -n test | md5sum -> 098f6bcd4621d373cade4e832627b4f6

Thanks a lot. This was helpful. So I try to understand the implication of this for my wordlist.

When I look at it with ghex, I see 0a after every word. So I assume that shouldn't be, right?

So what to do then? As mentioned before, some wallets seem to  "fail to decrypt due to the lack of the return characters".

I now have produced a hex-list of my potential passwords via this command:

xxd -plain list.txt > list.hex

Could I now just exchange every occurance of 0a in the hex list with 0x0d?

And what about the rules? Do they apply for the hex-wordlist or do I have to make "hex"-rules?