Bitcoin encryption algorithm
#1
Hello everyone!

I want to implement a bitcoin wallet password crack algorithm on my own, or at least to understand how it works. I hope you help me to reinvent this wheel) I didn't manage to get enough info on that, but need to.

As far as I learned, the result of bitcoin2john.py gives the hash, which contains the master key, salt, number of iterations and some public keys that refer to operations with the wallet. Also, I got that the whole algorithm consists of two steps:

1. password+salt are hashed with SHA512 a number of times, defined in the wallet

2. master_key in the wallet is encrypted with the resulting hash using AES256.

So, I get some password that I think must work, concatenate it with the salt from the wallet, then SHA512 a number of times from the wallet, then AES256 with the master_key from the wallet, and... how do I check that the result is correct? Or is my understanding entirely wrong?

Help me, please. =_=
#2
One good thing about hashcat source code, is that we also have several high-level tests (like the test framework in perl)... this is very easy code to understand, even if you are only fluent with python/php etc... it's very straight-forward how the hashes are generated and tested:
https://github.com/hashcat/hashcat/blob/...pm#L24-L54

or look at the hashcat kernel code:
https://github.com/hashcat/hashcat/blob/...#L299-L348 (there is only one optional exception for the "Nexus" wallet, you might not need this special case in your code)
#3
(03-17-2020, 09:47 AM)philsmd Wrote: One good thing about hashcat source code, is that we also have several high-level tests (like the test framework in perl)... this is very easy code to understand, even if you are only fluent with python/php etc... it's very straight-forward how the hashes are generated and tested:

https://github.com/hashcat/hashcat/blob/...pm#L24-L54

or look at the hashcat kernel code:
https://github.com/hashcat/hashcat/blob/...#L299-L348 (there is only one optional exception for the "Nexus" wallet, you might not need this special case in your code)

Thanks a lot!
Now the contents of the hash file are clear, but I still can't get how to check the password. But the hashcat kernel code is quite complex to understand.

Here we have the tmps array of 64-bit words, which (I suppose) is a hash from SHA512. It is split into 32-bit words and stored in the key array. Actually, not the whole of tmps was transformed, but the first 4 elements of it (256 bits). After that, key is additionally transformed by the AES256_set_decrypt_key function, which expands the key for use with AES256.
After that we get the iv and data variables. We get them from the same element of esalts_buf (is it an encrypted master_key?).
iv gets the first four 32-bit words of the value, data gets the last 4 of them, and bits (or bytes?) in both arrays are swapped.
After that, only data is decrypted with ks as key. The output is stored in out and xor'ed with iv. If all the words in the result are the same as pad (0x10101010), then we used the correct hash (and thus the correct password (?)).

So, to check the password we decrypt only half of the master_key and xor it with another, encrypted, part of the master_key, and expect the result to match the pad? Is it correct?
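The check worked out in this last post, written out as an added example (not part of the thread and not hashcat's code): iterated SHA512 of password+salt gives the AES-256 key, the final ciphertext block is decrypted and XORed with the block before it, and the result must be sixteen 0x10 padding bytes. The function names and the `mkey_tail` layout (the last two 16-byte blocks of the encrypted master key, as the post describes for iv and data) are assumptions; AES is implemented inline so the block needs only the standard library.

```python
import hashlib

def _mul(a, b):  # multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    for _ in range(8):
        r ^= a * (b & 1)
        a, b = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF, b >> 1
    return r

def _sbox_entry(a):  # field inverse of a, then the AES affine transform
    inv = next((b for b in range(256) if _mul(a, b) == 1), 0)
    t = inv * 0x101  # doubled byte: the four left-rotations become plain shifts
    return (t ^ t >> 4 ^ t >> 5 ^ t >> 6 ^ t >> 7) & 0xFF ^ 0x63

SBOX = [_sbox_entry(a) for a in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
IMIX = (14, 11, 13, 9)  # InvMixColumns coefficients

def _round_keys(key):  # AES-256 key schedule: 60 words -> 15 round keys
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    for i in range(8, 60):
        t = w[i - 1]
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= 1 << (i // 8 - 1)  # round constant
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - 8], t)])
    return [sum(w[i:i + 4], []) for i in range(0, 60, 4)]

def aes256_decrypt_block(key, block):  # raw single-block AES-256 decryption
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[14])]
    for rnd in range(13, -1, -1):
        # InvShiftRows, InvSubBytes and AddRoundKey in one pass
        s = [INV_SBOX[s[(i - 4 * (i % 4)) % 16]] ^ rk[rnd][i] for i in range(16)]
        if rnd:  # InvMixColumns in every round except the last
            s = [_mul(s[c], IMIX[-r % 4]) ^ _mul(s[c + 1], IMIX[(1 - r) % 4])
                 ^ _mul(s[c + 2], IMIX[(2 - r) % 4]) ^ _mul(s[c + 3], IMIX[(3 - r) % 4])
                 for c in (0, 4, 8, 12) for r in range(4)]
    return bytes(s)

def passphrase_matches(password, salt, iterations, mkey_tail):
    # mkey_tail (assumed layout): previous ciphertext block || final ciphertext block
    h = hashlib.sha512(password + salt).digest()
    for _ in range(iterations - 1):
        h = hashlib.sha512(h).digest()
    plain = aes256_decrypt_block(h[:32], mkey_tail[16:32])  # key = first 256 bits
    return bytes(p ^ c for p, c in zip(plain, mkey_tail[:16])) == b"\x10" * 16
```

The XOR with the preceding block is ordinary CBC chaining, so the sixteen 0x10 bytes are the padding block that follows a 32-byte master key.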