Colliding password protected MS office 97-2003 documents
#11
Good news: if I am right, the $3 version of the SHA1/RC4 also uses a truncated version of the key. In theory, all the same good things we can do with $0 and $1 will work on there, too. I will report here when I have written some code to verify...
#12
I've optimized the RC4 mode for more speed.

7970: 75MH/s -> 85MH/s
290x: 130MH/s -> 144MH/s
#13
Can't wait to test it!
#14
SHA1 works fine, too :-)

Quote:
root@et:~/oclHashcat-1.31# ./oclHashcat64.bin -m 9810 -w 3 -o hash.rc4 hash -a 3 ?b?b?b?b?b --markov-disable
oclHashcat v1.31 starting...

Device #1: Tahiti, 2967MB, 1000Mhz, 32MCU
Device #2: Tahiti, 2967MB, 1000Mhz, 32MCU
Device #3: Tahiti, 2967MB, 1000Mhz, 32MCU

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4098/m9810_a3.Tahiti_1526.3_1526.3 (VM).kernel (325112 bytes)
Device #1: Kernel ./kernels/4098/markov_le_v1.Tahiti_1526.3_1526.3 (VM).kernel (93212 bytes)
Device #1: Kernel ./kernels/4098/bzero.Tahiti_1526.3_1526.3 (VM).kernel (30484 bytes)
Device #2: Kernel ./kernels/4098/m9810_a3.Tahiti_1526.3_1526.3 (VM).kernel (325112 bytes)
Device #2: Kernel ./kernels/4098/markov_le_v1.Tahiti_1526.3_1526.3 (VM).kernel (93212 bytes)
Device #2: Kernel ./kernels/4098/bzero.Tahiti_1526.3_1526.3 (VM).kernel (30484 bytes)
Device #3: Kernel ./kernels/4098/m9810_a3.Tahiti_1526.3_1526.3 (VM).kernel (325112 bytes)
Device #3: Kernel ./kernels/4098/markov_le_v1.Tahiti_1526.3_1526.3 (VM).kernel (93212 bytes)
Device #3: Kernel ./kernels/4098/bzero.Tahiti_1526.3_1526.3 (VM).kernel (30484 bytes)

Session.Name...: oclHashcat
Status.........: Cracked
Input.Mode.....: Mask (?b?b?b?b?b) [5]
Hash.Target....: $oldoffice$3*02506610865808803242045567403104*4b6442131e0171fd4ebd33c536f23b84*4c5c6a75ee6b771c31d3d26beb93265282d66e58
Hash.Type......: MS Office <= 2003 SHA1 + RC4, collision-mode #1
Time.Started...: Sat Sep 13 19:51:19 2014 (47 mins, 18 secs)
Speed.GPU.#1...: 82917.2 kH/s
Speed.GPU.#2...: 82917.1 kH/s
Speed.GPU.#3...: 82927.8 kH/s
Speed.GPU.#*...: 248.8 MH/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 706119467008/1099511627776 (64.22%)
Skipped........: 0/706119467008 (0.00%)
Rejected.......: 0/706119467008 (0.00%)
HWMon.GPU.#1...: 88% Util, 38c Temp, 27% Fan
HWMon.GPU.#2...: 88% Util, 39c Temp, 29% Fan
HWMon.GPU.#3...: 88% Util, 39c Temp, 29% Fan

Started: Sat Sep 13 19:51:19 2014
Stopped: Sat Sep 13 20:38:38 2014

Quote:
root@et:~/oclHashcat-1.31# ./oclHashcat64.bin -m 9820 -w 3 hash.rc4 -a 3 ?l?l?l?l?l?l?l?l?l?l
oclHashcat v1.31 starting...

Device #1: Tahiti, 2967MB, 1000Mhz, 32MCU
Device #2: Tahiti, 2967MB, 1000Mhz, 32MCU
Device #3: Tahiti, 2967MB, 1000Mhz, 32MCU

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: Kernel ./kernels/4098/m9820_a3.Tahiti_1526.3_1526.3 (VM).kernel (187012 bytes)
Device #1: Kernel ./kernels/4098/markov_be_v1.Tahiti_1526.3_1526.3 (VM).kernel (93292 bytes)
Device #1: Kernel ./kernels/4098/bzero.Tahiti_1526.3_1526.3 (VM).kernel (30484 bytes)
Device #2: Kernel ./kernels/4098/m9820_a3.Tahiti_1526.3_1526.3 (VM).kernel (187012 bytes)
Device #2: Kernel ./kernels/4098/markov_be_v1.Tahiti_1526.3_1526.3 (VM).kernel (93292 bytes)
Device #2: Kernel ./kernels/4098/bzero.Tahiti_1526.3_1526.3 (VM).kernel (30484 bytes)
Device #3: Kernel ./kernels/4098/m9820_a3.Tahiti_1526.3_1526.3 (VM).kernel (187012 bytes)
Device #3: Kernel ./kernels/4098/markov_be_v1.Tahiti_1526.3_1526.3 (VM).kernel (93292 bytes)
Device #3: Kernel ./kernels/4098/bzero.Tahiti_1526.3_1526.3 (VM).kernel (30484 bytes)

$oldoffice$3*02506610865808803242045567403104*4b6442131e0171fd4ebd33c536f23b84*4c5c6a75ee6b771c31d3d26beb93265282d66e58:188b5067a4:mpvwnxeqfa

[s]tatus [p]ause [r]esume [b]ypass [q]uit => q

...

On a side note, while computing with roughly the same speed, finding MD5 collisions was much easier than with SHA1, as expected.
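
An added example, not part of the thread or of oclHashcat: a Python helper for triaging `$oldoffice$` lines, for instance when inventorying legacy documents that should be re-encrypted in a modern format. It flags the types the posts above report as using a truncated key and computes the size of an all-`?b` mask, which for five positions is the 1099511627776 total in the Progress line. The function names and the field-length checks are assumptions drawn from the hash lines quoted here.

```python
import re

# Field layout as it appears in the hash lines quoted in this thread:
#   $oldoffice$<type>*<salt>*<encrypted verifier>*<encrypted verifier hash>
# optionally followed by ":<5-byte value as hex>" and ":<password>" in tool output.
LINE_RE = re.compile(
    r"^\$oldoffice\$(\d)\*([0-9a-f]{32})\*([0-9a-f]{32})\*([0-9a-f]+)"
    r"(?::([0-9a-f]{10}))?(?::.*)?$"
)

# Types the thread reports as using a truncated RC4 key, with the digest
# length (hex chars) seen in the thread's samples. Other types: not covered.
TRUNCATED = {0: ("MD5 + RC4", 32), 1: ("MD5 + RC4", 32), 3: ("SHA1 + RC4", 40)}


def mask_keyspace(mask):
    """Number of candidates in a mask built only from ?b (256 values each)."""
    positions, rest = divmod(len(mask), 2)
    if rest or not positions or mask != "?b" * positions:
        raise ValueError("only ?b positions are handled here")
    return 256 ** positions


def triage(line):
    """Classify one hash line; return None if it is not well-formed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, digest, value = int(m.group(1)), m.group(4), m.group(5)
    scheme, digest_len = TRUNCATED.get(kind, (None, None))
    if scheme and len(digest) != digest_len:
        return None  # digest length does not match the declared type
    return {
        "type": kind,
        "scheme": scheme,
        "truncated_key": scheme is not None,
        # Bits in the intermediate value, when the line carries one.
        "value_bits": len(value) * 4 if value else None,
    }
```
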
#15
Good stuff. I just have to ask... Would you care to share any (high or low level or just conceptual) details on how you managed to speed up RC4 on GPU?

I tried these obvious things when I played with 40-bit RC4 BF (even older office) on GPU a while ago:
  • Using char or uint for the state array
  • Putting state array in local memory or not
  • memcpy IV from a constant array [instead of using swap_state() in a for loop]
  • Unrolled set_key() for fixed length
  • Fixed-length decryption, unrolled to 32-bit stores
For a given GPU, a good combination of the above is significantly faster than a bad combination of it... but I just can't come up with any more ideas and iirc I was way below your speeds.
#16
Hi, thank you for your work on office modules. I have a problem with this hash:

Quote:
$oldoffice$1*ab89af231e69e38ec4ab428f5aaac154*2c9f05787534bbfd34c833841851a172*c69788ef69df9700960fc02c55524438

I can't crack RC4 as described above. I run this (on 2x7970, latest oclHashcat from the web):
Quote:
./oclHashcat64.bin -m 9710 hash -a 3 -w 3 ?b?b?b?b?b -o hash.rc4
and result:

Quote:
Session.Name...: oclHashcat
Status.........: Exhausted
Input.Mode.....: Mask (?b?b?b?b?b) [5]
Hash.Target....: $oldoffice$1*ab89af231e69e38ec4ab428f5aaac154*2c9f05787534bbfd34c833841851a172*c69788ef69df9700960fc02c55524438
Hash.Type......: MS Office <= 2003 MD5 + RC4, collision-mode #1
Time.Started...: Wed Oct 29 13:07:21 2014 (1 hour, 57 mins)
Time.Estimated.: 0 secs
Speed.GPU.#1...: 77880.4 kH/s
Speed.GPU.#2...: 78220.1 kH/s
Speed.GPU.#*...: 156.1 MH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 1099511627776/1099511627776 (100.00%)
Skipped........: 0/1099511627776 (0.00%)
Rejected.......: 0/1099511627776 (0.00%)
HWMon.GPU.#1...: 87% Util, 65c Temp, 80% Fan
HWMon.GPU.#2...: 89% Util, 61c Temp, 73% Fan

Started: Wed Oct 29 13:07:21 2014
Stopped: Wed Oct 29 15:04:27 2014

Any suggestions?
I get the hash from a regular old Office Word document, using the office2john.py utility.
#17
There's a known bug in AMD's Catalyst 14.9 driver which causes this problem. We have a workaround for this problem with oclHashcat v1.32 beta. If you want to use the beta, send me an email to get access. Otherwise you can just use an older driver, I think you'd need 14.4 or even less.
#18
(10-29-2014, 05:00 PM)atom Wrote: There's a known bug in AMD's Catalyst 14.9 driver which causes this problem. We have a workaround for this problem with oclHashcat v1.32 beta. If you want to use the beta, send me an email to get access. Otherwise you can just use an older driver, I think you'd need 14.4 or even less.

OK, I sent you a PM with my email address. I would like to try the beta of 1.32.
#19
(10-29-2014, 05:31 PM)childintime Wrote:
(10-29-2014, 05:00 PM)atom Wrote: There's a known bug in AMD's Catalyst 14.9 driver which causes this problem. We have a workaround for this problem with oclHashcat v1.32 beta. If you want to use the beta, send me an email to get access. Otherwise you can just use an older driver, I think you'd need 14.4 or even less.

OK, I sent you a PM with my email address. I would like to try the beta of 1.32.

My hash collides successfully with the beta version, thanks.
#20
A question: why do we need to provide the mask (?b?b?b?b?b here)? A collision does not need that, for example the collider of mysql323 of tobtu.
Thanks