restore file format in 1.36

[Aleksey]

Can somebody describe restore file format for version 1.36?
I found some info here - https://hashcat.net/wiki/doku.php?id=ocl...store-file ... but its not fully correct ...

also i found this - https://github.com/philsmd/analyze_hc_restore and found that after pw_cur we must skip 9 bytes ... but in my output I must skip 12 bytes

Thanks in advance, Aleksey

[atom]

maybe 32 / 64 bit problematic ?

[Aleksey]

Whell may be...but you use structue with uint32 and uint64
typedef struct
{
uint32_t version_bin;
char cwd[256];
uint32_t pid;
uint32_t dictpos;
uint32_t maskpos;
uint64_t pw_cur;
uint32_t argc;
char **argv;
} restore_data_t;

i take it here - https://hashcat.net/wiki/doku.php?id=ocl...store-file


I dont know how to add my restore file...but i also try to use cudahashcat 1.33 on linux_x64... with the same result...

Its look like after argc in this struct presents 2 extra field
uint32_t ? - always zero for me
uint64_t ? - big number.... i dont know exactly (may be total keyspace? or number of password checked)

[atom]

but char * on a 64 bit system, wouldn' it produce an 8-byte address while on a 32 bit system it produces a 4-byte address. you can ignore them (big number).

The total keyspace depends on the attack-mode, but do not confuse it with the progress number. You can retrieve the keyspace with --keyspace

[Aleksey]

ok thanks... So in file we have

typedef struct
{
uint32_t version_bin;
char cwd[256];
uint32_t pid;
uint32_t dictpos;
uint32_t maskpos;
uint64_t pw_cur;
uint32_t argc;
char **argv;
} restore_data_t;
and after this struct we have string (argv)....

on x64 between argc & argv we have 4 bytes for alignement...