Posts: 12
Threads: 2
Joined: Jan 2021
I have not used hashcat in a VERY long time, but I need it again.
A game came out recently and it has a password system to input cheat codes. The community hasn't yet found all codes, but we have found them encrypted.
What we got:
- The game's code is open source, including the cheat system and encrypted passwords
- The salt for the encryption is also visible (0L4rlK}{9ay6'VJS)
- All encrypted passwords are 88 characters long and end in "==" (eg.:
Code: i5u5sIsMs5eITy+LzAXvKm6D9OzOVKhUqSy1mTTV/oUxJX6RPsk8OcyLbNaey9Vc6wXOhz+2+mTXILkIRzvXqA==
)
- Some passwords use normal words; a dictionary attack is possible
- The game lowercases any text input for the cheats, therefore all passwords are lowercase (however, numbers and special characters are still used)
- According to the game's code, the encryption does 2 passes.
What I need:
- Figure out what encryption this is (I think it's SHA, not sure)
- Figure out how to use hashcat to crack the passwords, using the salt
Is this possible? If so, how?
inb4 "using password cracking software to cheat at a game"
in my defense, most of these passwords are stuff like unlocking characters and levels, or using big head mode (not kidding)
just for an example, the above hash is "squish it skew it"
final note, the "big head mode" hash is
Code: V+YkwthNUePKS7zs5uB90VwN6Jeqgl+1r663U5zSGOEIxAO6BoWipzZoxa5H//LM+5Ag9GIGRnEcLbU21hjGfQ==
Posts: 12
Threads: 2
Joined: Jan 2021
also also not naming the game itself, lest the devs take note. if need be however, I will post code
Posts: 197
Threads: 0
Joined: Nov 2017
The algorithm is Argon2 with the params, "iterations 2, memory 8192, parallelism 1, hash length 64 bytes, type Argon2id".
See for example your text "squish it skew it" encoded here: https://gchq.github.io/CyberChef/#recipe...XQ&oeol=VT
Hashcat does not support Argon2 as far as I know, however online I see some "argon 2 crackers" such as https://github.com/CyberKnight00/Argon2_Cracker
The format you need to provide is "$argon2id$v=19$m=8192,t=2,p=1$MEw0cmxLfXs5YXk2J1ZKUw$i5u5sIsMs5eITy+LzAXvKm6D9OzOVKhUqSy1mTTV/oUxJX6RPsk8OcyLbNaey9Vc6wXOhz+2+mTXILkIRzvXqA"
Green = relevant options
Blue = base64 encoded salt (so "0L4rlK}{9ay6'VJS" turns into "MEw0cmxLfXs5YXk2J1ZKUw")
Red = hash you want to crack, ('i5u5sIsMs5eITy+LzAXvKm6D9OzOVKhUqSy1mTTV/oUxJX6RPsk8OcyLbNaey9Vc6wXOhz+2+mTXILkIRzvXqA==' for 'squish it skew it')
Posts: 197
Threads: 0
Joined: Nov 2017
remember to remove the last '==' when using the Argon2_Cracker, if you leave them at the end it will not find the word
Posts: 12
Threads: 2
Joined: Jan 2021
(04-30-2024, 09:09 AM)DanielG Wrote: The algorithm is Argon2 with the params, "iterations 2, memory 8192, parallelism 1, hash length 64 bytes, type Argon2id".
[...]
thanks for the tip, will test when possible
Posts: 12
Threads: 2
Joined: Jan 2021
04-30-2024, 11:05 AM
(This post was last modified: 04-30-2024, 11:05 AM by genen.)
Code: python crack_argon2.py -c '$argon2id$v=19$m=8192,t=2,p=1$MEw0cmxLfXs5YXk2J1ZKUw$i5u5sIsMs5eITy+LzAXvKm6D9OzOVKhUqSy1mTTV/oUxJX6RPsk8OcyLbNaey9Vc6wXOhz+2+mTXILkIRzvXq' -w './fasttrack.txt'
Plain text not found !!!
I had to find a separate dictionary file for fasttrack.txt. It has all the words for the password but it won't output "squish it skew it"
Posts: 197
Threads: 0
Joined: Nov 2017
You are missing the last letter in your hash, so yours ends in zvXq instead of zvXqA. Also is "squish it skew it" in the file fasttrack.txt? It can only successfully find passwords that are in your list.
Code: > cat wordz.txt
squish it skew it
> python3 crack_argon2.py -c '$argon2id$v=19$m=8192,t=2,p=1$MEw0cmxLfXs5YXk2J1ZKUw$i5u5sIsMs5eITy+LzAXvKm6D9OzOVKhUqSy1mTTV/oUxJX6RPsk8OcyLbNaey9Vc6wXOhz+2+mTXILkIRzvXqA' -w wordz.txt
$argon2id$v=19$m=8192,t=2,p=1$MEw0cmxLfXs5YXk2J1ZKUw$i5u5sIsMs5eITy+LzAXvKm6D9OzOVKhUqSy1mTTV/oUxJX6RPsk8OcyLbNaey9Vc6wXOhz+2+mTXILkIRzvXqA -> squish it skew it
Total time taken : 0.009251832962036133
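Added example, not part of any post in this thread and not code from either cracker project: a standard-library Python check that builds the encoded Argon2 string from the raw salt and the stored 88-character hash, and flags the two formatting mistakes discussed above (leftover "==" padding and a missing final character). The function names are hypothetical; the parameters, salt and hash are the ones quoted in the thread.

```python
import base64

# Parameters as stated in the thread: Argon2id, v=19, m=8192, t=2, p=1, 64-byte hash.
PREFIX = "$argon2id$v=19$m=8192,t=2,p=1$"
TAG_LEN = 64

def b64_nopad(data: bytes) -> str:
    """Base64 without '=' padding, as used inside encoded Argon2 strings."""
    return base64.b64encode(data).decode("ascii").rstrip("=")

def to_encoded(raw_salt: str, stored_hash: str) -> str:
    """Build the encoded string from the raw salt text and the padded stored hash."""
    tag = base64.b64decode(stored_hash, validate=True)
    if len(tag) != TAG_LEN:
        raise ValueError(f"hash decodes to {len(tag)} bytes, expected {TAG_LEN}")
    return PREFIX + b64_nopad(raw_salt.encode("ascii")) + "$" + b64_nopad(tag)

def check_encoded(encoded: str) -> list:
    """Return a list of formatting problems; an empty list means well-formed."""
    if any(c.isspace() for c in encoded):
        return ["contains whitespace"]
    if not encoded.startswith(PREFIX) or encoded.count("$") != 5:
        return ["expected " + PREFIX + "<salt>$<hash>"]
    salt, tag = encoded[len(PREFIX):].split("$")
    problems = []
    for name, field, want in (("salt", salt, None), ("hash", tag, TAG_LEN)):
        if "=" in field:
            problems.append(f"{name}: remove '=' padding")
        elif len(field) % 4 == 1:
            # No byte string encodes to 4n+1 base64 characters: one was cut off.
            problems.append(f"{name}: {len(field)} characters is not valid base64")
        else:
            try:
                raw = base64.b64decode(field + "=" * (-len(field) % 4), validate=True)
            except ValueError:
                problems.append(f"{name}: not base64")
                continue
            if want is not None and len(raw) != want:
                problems.append(f"{name}: decodes to {len(raw)} bytes, expected {want}")
    return problems

# Salt and hash exactly as quoted in the first post.
SALT = "0L4rlK}{9ay6'VJS"
STORED = ("i5u5sIsMs5eITy+LzAXvKm6D9OzOVKhUqSy1mTTV/oUxJX6RPsk8"
          "OcyLbNaey9Vc6wXOhz+2+mTXILkIRzvXqA==")

if __name__ == "__main__":
    good = to_encoded(SALT, STORED)
    for candidate in (good, good + "==", good[:-1]):
        print(candidate[-8:], check_encoded(candidate) or "ok")
```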
Posts: 197
Threads: 0
Joined: Nov 2017
other words found for your open source game are:
Code: WAJJ66pw2rSopXOuw4c4iKzIz3goKtivrv7b/THqYP8ev+E/sRn2LMXHqv8s+uzwMcVNoDxNn+AgG26xi+wgzg -> banana
dSZpCST31Tu3rPJ4z18iR9Tcv+9Xi8/f7nQGplj2mvruy2A4CJJqZm1gzi6CQKl68pRXiNGUX0n4BI2LjaBcoA -> chaos zero 64
aSk8dw6FzJtTEmovh8fVEtUBpu6lj3QlRT/B5lwiEhAw8dAhRBQLdvtYlPaQcZISWI4wneAfAo6w5d6uf5r++g -> sonic in paynt
zYCIZw2qcnUbtF0P2ybLNHajdl8zrje0hzGex7yuMFe7fj4mvx4AegoMmvir28YvAbfAqkz/ekQRzr+RhrycHw -> creature capture
u/Svaf+DCnCpJ8xmP3AVP4CK6X6X4O3fY73cmIq88ZJEygwz+n+L66q4Vhlv13vWgld1PEyRszFErzflQt9WZw -> cartridge tilt
MohmPqpaGSd3MEHLfQKUFl/Yg8pHE+12X1LHEP59Gs/5w1u8mPtGUXNv1GYTF+c8gQqT5hXpZ3FeZ/EfCxo34g -> rouge's gallery
dZgxKNagOtB9F7wXqUUPzsuq4tfQlfK8ZqEeFXdI3Hd+k5tYfRm3ToLgbqawaNmwuLVrJ8PB+QnH4gT3ojnTMw -> play it loud
mFu5OB9d6jnc2kth7HE66wJ42F/GHDzSvuciK1Qw++6iGnpBccxcKjpoxgOvD3eIoqR606ruBINuXi23proXHQ -> juicebox
MKjOtEFLkgXf21uiECdBTU6XtbkuFWaGh7i8znKo7JrXXEDrCBJmGwINvPg0T3TLn0zlscLvmC5nve7I+NTrnA -> speed demon
Other forums on the internet have found these apparently.
Posts: 12
Threads: 2
Joined: Jan 2021
(04-30-2024, 11:38 AM)DanielG Wrote: You are missing the last letter in your hash, so yours ends in zvXq instead of zvXqA. Also is "squish it skew it" in the file fasttrack.txt? It can only successfully find passwords that are in your list.
The program didn't come with fasttrack.txt and since I'm using Windows, I thought I had to find some other dictionary list. I found one that did have all those words separately. I also found another Argon2 cracker: https://github.com/p0dalirius/Argon2Cracker
As for some codes already being known, the devs leaked some on purpose, to help people who didn't want the grind.
Posts: 12
Threads: 2
Joined: Jan 2021
(04-30-2024, 11:41 AM)DanielG Wrote: Code: WAJJ66pw2rSopXOuw4c4iKzIz3goKtivrv7b/THqYP8ev+E/sRn2LMXHqv8s+uzwMcVNoDxNn+AgG26xi+wgzg -> banana
Screw anonymity. Where'd you find "banana"?