flat assembler
Message board for the users of flat assembler.
Projects and Ideas > MD5 Password Recovery Tool
Turok 20 Jun 2006, 02:17
Feryno, thanks for the advice and sample of using MMX. Now the tool uses normal, MMX and SSE registers so it calculates 7 hashes in one pass. However the benefit is "only" 50% (I was expecting more). It's probably due to more memory reads and slower execution of MMX and SSE instructions. Or it might be some error I made in the code. Anyhow it's still quite a substantial gain and I hope we will be able to improve it further.
Feryno 20 Jun 2006, 05:47
to Turok:
Wow, that's the real creative science thinking! I have ever thought that using xmm and 4 hashes in 1 cycle is limit, but now I see, one more clever brain thought 7 hashes in 1 cycle!!! (Older people are losing their child's sense of combinations and doing things simple...)

The problem is that there aren't instructions of rotation with mm/xmm registers (ROL and ROR with 32-bit general purpose registers). You must use:
mov for save xmm to second xmm
pslld first xmm (like shl with 32-bit GPR)
psrld second xmm (like shr with 32-bit GPR)
or first xmm, second xmm

If you compare MD5 speeds between 32 bit general purpose registers and 64 bit mm registers, the speedup is only about 10% (2 hashes instead of 1, but some extra instructions). But speedup between 64 bit mm and 128 bit xmm should be about 50% because 4 hashes instead of 2 and no extra instructions.

Don't forget to align 16 data for xmm to be able to use movdqa instead of slower movdqu.

I'm sure you can rearrange instructions order according to optimization rules, see AMD or Intel CPU optimization manuals (I didn't follow the rules very exactly and I stopped development after decrypting some doc files which I stole - lamer admin in my previous job - even I had an idea how to make 4 hashes of RC4 in 1 cycle using AMD64 in long mode).
UCM 30 Jun 2006, 20:32
Another version, based on Turok's latest code:
Changes:
Added logging capabilities
Created icons for the program*
Added an XP manifest*
I have split the resource into a separate file, which now has 4 versions for combinations of icons and manifest on/off.

Files in enhanced.zip:
MD5password.svg - icon in SVG format
md5prt+.asm - source code
md5prt+.exe - executable (compiled with icons and manifest)
md5prt-icon.res - resource file, with icons
md5prt-icon-man.res - resource file, with icons and manifest
md5prt-man.res - resource file, with manifest
md5prt-mini.res - resource file, with no icons or manifest

An example log:
Code:
- 16:05:57.0596 - MD5 password recovery begins with hash: 12227AC1EA36D1AB2C0656099BE9F8CB
- 16:05:57.0596 - Testing length: 1
- 16:05:57.0596 - Testing length: 2
- 16:05:57.0596 - Testing length: 3
- 16:05:57.0612 - Testing length: 4
- 16:05:57.0690 - MD5 password recovery complete, password: fasm

Time format goes like this: Hours:Minutes:Seconds.Milliseconds
Please share your comments.
* Icons and manifest can be turned on/off in source code
_________________
This calls for... Ultra CRUNCHY Man! Ta da!! *crunch*
Turok 01 Jul 2006, 12:11
Really nice job UCM. You added a lot of useful things. Also if you have the time please correct all inc reg instructions for add reg,1 and dec reg for sub reg,1 (supposed to be faster). I don't want to double post that minor change.
sylwek32 01 Jul 2006, 17:32
but it's really slow now
sylwek32 01 Jul 2006, 17:37
It's not working!
- 19:28:49.0981 - MD5 password recovery begins with hash: 7a071b35544b4bc4a21a0791dc43f213
- 19:28:49.0981 - Testing length: 1
- 19:28:49.0997 - Testing length: 2
- 19:28:49.0997 - Testing length: 3
- 19:28:49.0997 - Testing length: 4
- 19:28:50.0262 - Testing length: 5
- 19:29:00.0997 - Testing length: 6
- 19:35:28.0669 - Testing length: 7

HASH WAS: 7a071b35544b4bc4a21a0791dc43f213
HASH PHRASE: fuckya
UCM 01 Jul 2006, 18:12
What are you doing?
The hash should be be5ebe9f3c2ddca54d3a76cda105e008
Code:
- 14:12:02.879 - MD5 password recovery begins with hash: be5ebe9f3c2ddca54d3a76cda105e008
- 14:12:02.879 - Testing length: 1
- 14:12:02.879 - Testing length: 2
- 14:12:02.879 - Testing length: 3
- 14:12:02.879 - Testing length: 4
- 14:12:03.005 - Testing length: 5
- 14:12:08.190 - Testing length: 6
- 14:13:05.316 - MD5 password recovery complete, password: fuckya
sylwek32 01 Jul 2006, 20:27
Still it doesn't work
Code:
- 22:27:19.0856 - MD5 password recovery begins with hash: be5ebe9f3c2ddca54d3a76cda105e008
- 22:27:19.0856 - Testing length: 1
- 22:27:19.0872 - Testing length: 2
- 22:27:19.0872 - Testing length: 3
- 22:27:19.0887 - Testing length: 4
- 22:27:20.0153 - Testing length: 5
- 22:27:30.0903 - Testing length: 6
- 22:33:58.0309 - Testing length: 7

Last edited by sylwek32 on 05 Oct 2006, 12:12; edited 2 times in total
sylwek32 05 Oct 2006, 12:10
For example, here: the md5 sum of "hans" is f2a0ffe83ec8d44f2be4b624b0f47dde and I enter f2a0ffe83ec8d44f2be4b624b0f47dde into the md5 bruteforcer and nothing happens. It just comes up to 10chrs
- 14:11:52.0828 - MD5 password recovery begins with hash: f2a0ffe83ec8d44f2be4b624b0f47dde
- 14:11:52.0828 - Testing length: 1
- 14:11:52.0828 - Testing length: 2
- 14:11:52.0828 - Testing length: 3
- 14:11:52.0828 - Testing length: 4
- 14:11:53.0093 - Testing length: 5
f0dder 05 Oct 2006, 12:26
Now you need to make it multithreaded
Madis731 05 Oct 2006, 12:47
Maybe it breaks on some OSs. It works on 2K.
f0dder 05 Oct 2006, 14:57
Hm, there's probably something wrong with the tool - it didn't find the source value for a 7-digit string with lower-case ascii and numeric values.
_________________
- carpe noctem
UCM 05 Oct 2006, 21:45
Maybe this will work:
_________________
This calls for... Ultra CRUNCHY Man! Ta da!! *crunch*
f0dder 05 Oct 2006, 22:07
That one works, at least for "f0dd", "f0dde", "f0dder". Didn't work for uppercase stuff though, so I assume you only do lowercase and numerals.
Turok 06 Oct 2006, 13:38
Yeah, it only does lowercase and numerals because 90% of people use this. Some interesting password analysis:
http://cyber-knowledge.net/blog/2006/09/16/analyzing-20000-myspace-passwords/

I'll probably implement uppercase with settings so you could choose what char set you will be using (I don't mind if somebody else does it for me). Anyhow I need to write comments too I guess (I'm kind of lazy). I was also thinking of making it run in 1, 2 or 4 threads so that it uses all the cores in multicore CPUs. Even further, I was thinking of making it for 64-bit CPUs but I don't own one atm so I guess I'll have to wait :/ On a 64-bit CPU an algorithm could be implemented that could calculate 16 hashes in one pass!

Also salting should be implemented to calculate password from salted hashes if salt is known (one of the things this project is really useful for):
http://en.wikipedia.org/wiki/Salt_%28cryptography%29

Later also algorithms for other hashes could be added (some use double or triple hashing for "more" protection). So you could calculate these hashes as well.

Anyhow I would be really glad if more people would be working on this project, as when I was starting it I thought of it as a fasm community project and I still do. I hope it will gather more people and fasten its development.
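
An added example, not part of the thread or of the tool's source: it reads the timestamps of two logs posted above to get the search rate each run implies, then shows how worst-case search time grows with character set and length. It assumes every completed "Testing length: n" phase tried all 36^n lowercase-and-digit candidates; the function names and the 62- and 95-character sets are chosen here.

```python
import re

# Trimmed excerpts of two logs posted in this thread (UCM's and sylwek32's).
UCM_LOG = """\
- 14:12:02.879 - Testing length: 4
- 14:12:03.005 - Testing length: 5
- 14:12:08.190 - Testing length: 6
- 14:13:05.316 - MD5 password recovery complete
"""
SYLWEK32_LOG = """\
- 19:28:49.0997 - Testing length: 4
- 19:28:50.0262 - Testing length: 5
- 19:29:00.0997 - Testing length: 6
- 19:35:28.0669 - Testing length: 7
"""
STAMP = re.compile(r"(\d+):(\d+):(\d+)\.(\d+) - (.*)")
CHARSET = 36   # assumption: lowercase + digits only, as stated in the thread
MIN_MS = 1000  # shorter phases are lost in the ~16 ms timer steps of the logs

def parse(log):
    """Return [(milliseconds_since_midnight, message)] per log entry."""
    out = []
    for h, m, s, frac, msg in STAMP.findall(log):
        # Last field is whole milliseconds ("0262" = 262 ms), padded to 3 or 4 digits.
        ms = ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(frac)
        out.append((ms, msg.strip()))
    return out

def phase_rates(log):
    """Map length -> (elapsed_ms, candidates_per_second) for exhausted lengths."""
    entries, rates = parse(log), {}
    for (t0, msg), (t1, nxt) in zip(entries, entries[1:]):
        m = re.fullmatch(r"Testing length: (\d+)", msg)
        # A phase ran to exhaustion only if the next entry starts another
        # length; one ended by "recovery complete" stopped part-way.
        if m and nxt.startswith("Testing length") and t1 - t0 >= MIN_MS:
            n = int(m.group(1))
            rates[n] = (t1 - t0, CHARSET ** n * 1000 / (t1 - t0))
    return rates

def seconds_to_exhaust(charset_size, max_len, rate):
    """Worst-case seconds to try every candidate of length 1..max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1)) / rate

if __name__ == "__main__":
    rate = phase_rates(SYLWEK32_LOG)[6][1]
    for size in (36, 62, 95):  # lowercase+digits, mixed case+digits, printable ASCII
        days = seconds_to_exhaust(size, 8, rate) / 86400
        print(f"charset {size:2}, length <= 8: {days:,.1f} days at {rate:,.0f}/s")
```

The rates are those of the 2006 machines in the logs; the ratio between character sets is what carries over to password policy.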
weiss 17 Nov 2006, 15:14
When I was writing an ntlm1 cracker, I found that the best way was to use 32-bit code with 2 hashes at once.
I never tried using SSE2, so maybe it is better... but as someone said, the main problem with SSE2 is that it doesn't support bit-rotations efficiently.

Source code to mdcrack is a very good example of how to crack md5 hashes efficiently. If you can read C source code, I would highly recommend you peek into the core* source files.

Also, take a look at the assembly sources of Eric Leays ssl project (old source code you can find on packetstormsecurity.org). It is macro based output from GCC with optimised instructions. I based my md4 code on it... have a look at the link below.
http://board.flatassembler.net/topic.php?t=4574
weiss 17 Nov 2006, 15:56
I just thought I would show this output from 2 programs to show why using MMX or SSE* is not always a winner.

The NTLM1 hash to be cracked is: 297d8acb5039800a26e496543aa1fc85
which is composed of 5 Z's (ZZZZZ)

First using MDCrack-SSE Version 1.7 on single-core P4.
Code:
X:\>mdcrack-sse -M NTLM1 297d8acb5039800a26e496543aa1fc85
( System ) MDCrack v1.7 ( Win32 | Pentium built )
( System ) Running as mdcrack-sse -M NTLM1 297d8acb5039800a26e496543aa1fc85
( System ) Detected processor(s): 1 x INTEL Pentium IV | MMX | SSE | SSE2
( System ) Charset is: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTU
VWXYZ
( System ) Target hash: 297d8acb5039800a26e496543aa1fc85
( System ) >> Entering NTLM1 Core 1: candidate/salt max size: 9.
( System ) Press a key at any time to see Core statistics (Ctrl-C to quit)
** console text omitted**
----------------------------------------------------------/ Thread #0 (Success) \----
( Core ) Collision found: ZZZZZ
( Core ) Candidate/Hash pairs tested: 931151402 ( 9.31e+008 ) in 1min 44s 533ms.
( Core ) Total key space: 4.85e+028 candidates, 0.00% done.
( Core ) Average speed: 8907724 ( 8.91e+006 ) h/s.

We see an average of 8 million 907 thousand 724 hashes per second.

Now this is just the output of the next program
Code:
Found password: ZZZZZ
Average speed 9162000 p/s.

Roughly 200 thousand more hashes per second & using only 386 32-bit code
asmdemon 24 Jan 2007, 05:07
I have noticed a prob, unless there is a simple edit I can do to fix.
- 00:02:53.859 - MD5 password recovery begins with hash: 02c425157ecd32f259548b33402ff6d3
- 00:02:53.859 - Testing length: 1
- 00:02:53.859 - Testing length: 2
- 00:02:53.859 - Testing length: 3
- 00:02:53.875 - Testing length: 4
- 00:02:54.125 - MD5 password recovery complete, password: zzzz

This is good, but "ZZZZ" hash is 4ddf7fd96ffcf749d2f1ee6efb64cc88 and it doesn't find it. Is it not doing upper case letters? And does it do special chars like ":;,." etc.?
weiss 09 Jun 2007, 02:33
Hi, I wrote this md5 cracker using sse2, it's just experimental, but has good potential if studied and worked on more.
I've only done this in another assembler, won't say... just look, you saw it here first!

Copyright © 1999-2025, Tomasz Grysztar.