Aleksey Cherepanov

Results 77 comments of Aleksey Cherepanov

Indeed I get these warnings with `--enable-asan` only. I don't get them in a regular build.

We really need some user-friendly reporting of length limits affecting actual cracking. Because it is hard to realize that john cannot crack something due to its limits. It is harder...

A user with some assumptions might try to use the `--max-length=` option to increase the limit (based on a real story). There is a check for that in john. But for nt, 81...

I extracted the problem with truncation in NT as #5144.

> I guess it might be helpful to show number/percent of candidates rejected by length in status line.

NT truncates...

Also fuzzing `phps` yielded 2 samples that crash `dynamic_6` when in ASan build: ``` $dynamic_6$ad14afbbf0e16d4ad8c8985263a3d051$HEX$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$247824 $dynamic_6$ad14afbbf0e16d4ad8c8985263a3d051$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$HEX$247824 ``` They produce similar outputs from ASan: ``` $ ./run/john --format=dynamic_6 t.pw [...] ==26330==ERROR:...

Crackable `md5(md5($pass).$salt)` with password `test` and salt `$$$$$$`:

```
$dynamic_6$f8055d63608f56ab8a90d49f751d1dc7$HEX$$$$$$$
```

It can be cracked as `dynamic_6`. But `phps` cannot crack it. `$HEX$` gets replaced with `$`. Actually `$HEX$` may...

Crash in dynamic can happen without `$HEX$`. Dynamic is intended to check lengths of salts pretty well. But `$$` in salt disables checks. Crasher without `$HEX$`:

```
python -c 'print...
```

> Dynamic has dynamic_FIXED_SALT_SIZE -23.

I mean `dynamic_6`, of course.

```
$ run/john --format=dynamic --list=format-tests | grep '2424'
dynamic_15 6 $dynamic_15$6093d5cb3e2f99d9110eb9c4bbca5f8c$HEX$6161615358422424556a6f65626c6f77 test1
[...]
```

That's a hash embedded into `src/dynamic_preloads.c`. And according to `--show=formats` that's the canonical form. `dynamic_15: md5($u.md5($p).$s)`....

I dislike encoding fields together into hex. There is an opportunity to implement correct support for arbitrary data: field delimiters are not encoded, hex is used to protect them when delimiters...