Add support for cracking Monero wallets

[kholia]

NOTE: I still have to clean up this code!

This fixes #3144.

[kholia]

Things to do,

• Reuse the existing Keccak code we have.

• Formatting, and whitespace cleanups.

Update:

Mapping the new Keccak "API" to our existing Keccak implementation doesn't look trivial.

[kholia]

This is a very slow hash,

$ ../run/john --test --format=monero  # i7-6600U CPU
Will run 4 OpenMP threads
Benchmarking: monero, monero Wallet [AES+ChaCha+Various 64/64]... (4xOMP) DONE
Raw:	9.1 c/s real, 2.4 c/s virtual

[magnumripper]

It's 2018!

[magnumripper]

We don't use to have + in algo names. I'd prefer spaces or perhaps /

[magnumripper]

...and perhaps it should say "pseudo AES" or something, since it's not a normal one.

[magnumripper]

Perhaps create (and source) a slow_hash.h?

[kholia]

I have addressed your code comments, thanks!

I am now testing cracking of Unicode passwords.

[kholia]

Update,

• I have added a Unicode test vector now.

• Our BLAKE2 implementation was somehow not working. Added BLAKE2 implementation from Monero project.

I don't like the duplicated implementations. Hopefully, we will be able to unify them somehow.

[kholia]

Monero wallet code base also supports legacy wallets. Support for them needs to be added and tested.

Note:

Search for "old format before JSON wallet key file format" string in wallet2.cpp file.

[kholia]

Maybe we don't need to support the old wallet format. Even the oldest downloadable release of Monero (i.e. 0.9.1 Hydrogen Helix) uses the new JSON wallet format.

$ head monero2john.py
...
# + Tested with monero-gui-v0.11.1.0 on Fedora 27.
# + Tested with monero.linux.x64.v0-9-0-0.tar.bz2 (from Jan, 2016) on Fedora 27.

[magnumripper]

Mapping the new Keccak "API" to our existing Keccak implementation doesn't look trivial.

In what way was it not trivial? I just had a (very) quick look and I didn't see anything weird. Can't you just write wrapper macros?

Our BLAKE2 implementation was somehow not working. Added BLAKE2 implementation from Monero project.

Do they produce different hashes? This should be investigated. I see there are flavours of Blake2... Here's test vectors for all of them: https://github.com/BLAKE2/BLAKE2/tree/master/testvectors

You have my "permission" to merge this as-is, although I'd rather see these issues fixed first (or it probably won't happen at all).

[kholia]

I have opened an issue about this code duplication stuff, and assigned it to myself. Hopefully, I will get the motivation and free time to work on it soon.