Re: Decryt AES / try to guess salt

On Wed, 29 Apr 2009 21:18:08 +0200, Tim Ritberg <tim_rit@xxxxxx>

rossum schrieb:
On Tue, 28 Apr 2009 16:20:09 +0200, Tim Ritberg <tim_rit@xxxxxx>

rossum schrieb:
That is a lot clearer. The salt is included in the header, and should
look random - just use it as it is. The key is the first 128 bits of
the SHA1 hash after 262,144 repetitions. The IV is 16 bytes extracted
from the hash, one every 16,384 cycles.

I try to "guess" the salt offset on basis of my uncrypted rar with same
file in it. The offset is 46 and hopefully is same in crypted version of

Let me make an overview:

It take password, make in front of each char 0x00.
Then I do loop over
<wchar password> + <salt> + <index>
OK so far.

after 16384 rounds I take first 16 byte as IV
No. The relevant part of the code reads:

if (i % (hashRounds / 16) == 0)
NSha1::CContext shaTemp = sha;
Byte digest[NSha1::kDigestSize];
aesInit[i / (hashRounds / 16)] = (Byte)digest[4 * 4 + 3];

Sorry, I can't read C very well; I try to write it in Pascal.
Thats my frame to day:

for i:=1 to 262144 do
// stuff with "pass+salt+index" =UpdateHash

if (i mod (hashround div 16)) = 0 then
// do SHA1 on "pass+salt+key" with 1 byte from // UpdateHash as IV
shaTemp <- copy of current state of hash.
declare byte array digest.
digest <- finalise shaTemp.
aesInit[i DIV (hashRounds DIV 16)] <- digest[19].