11-07-2017, 02:22 AM
(11-03-2017, 09:27 PM)philsmd Wrote: I think that you are looking at the whole disk instead of just the VeraCrypt boot volume.
Anyways, in your specific case, from offset 0xd000 (where the bytes ea 1e 7c 00 00 20 56 65 72 61 43 72 79 70 74 20 are, including the string "VeraCrypt") you need to skip 31744 bytes and extract 512 bytes after it.
I.e. (again in your specific case, if you include the additional/preceding 0xd000 bytes) only 0x14C00 (84992) to 0x14DFF (85503) are interesting for us.
The 512 bytes that you extract should look really random, should not contain a fixed string, and should also not contain several zeros one after another (it should look like really good random data).
Thanks for answering.
One question: 0x14C00 - 0x14DFF is 1KB and not 512 bytes. What do I have to do?
BTW, which option should I use in hashcat? Is 13722 fine, or another?
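The offset arithmetic and the "should look random" check from the quoted reply, written out as an added example (not part of the thread and not hashcat code). The zero-run and entropy thresholds and the sample image are assumptions made up for illustration; the signature bytes, the 31744-byte skip and the 512-byte length come from the quote.

```python
import hashlib
import math
from collections import Counter

# First 16 bytes of the boot loader as quoted in the post (contains "VeraCrypt").
SIGNATURE = bytes.fromhex("ea1e7c00002056657261437279707420")
SKIP = 31744        # bytes to skip, counted from the signature offset
HEADER_LEN = 512    # bytes to extract
MAX_ZERO_RUN = 3    # assumption: a longer run of 0x00 is treated as suspicious
MIN_ENTROPY = 7.0   # assumption: bits per byte expected of 512 random bytes

def header_range(image):
    """Return (first, last) offsets of the block; last is inclusive."""
    sig = image.find(SIGNATURE)
    if sig < 0:
        raise ValueError("boot loader signature not found")
    first = sig + SKIP
    last = first + HEADER_LEN - 1
    if last >= len(image):
        raise ValueError("image ends before the 512-byte block")
    return first, last

def extract_header(image):
    first, last = header_range(image)
    return image[first:last + 1]   # inclusive range, so exactly 512 bytes

def longest_zero_run(data):
    best = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best

def entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_random(data):
    return (len(data) == HEADER_LEN and SIGNATURE[6:15] not in data
            and longest_zero_run(data) <= MAX_ZERO_RUN
            and entropy(data) >= MIN_ENTROPY)

def build_sample_image():
    """Constructed test image: signature at 0xd000, pseudo-random block after it."""
    block = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    return b"\x00" * 0xD000 + SIGNATURE + b"\x00" * (SKIP - 16) + block

if __name__ == "__main__":
    first, last = header_range(build_sample_image())
    print(hex(first), hex(last), last - first + 1)
```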