xmrwallet
Fun with CrAzYpass! - 2k$ bounty!
You guys made me proud, and very surprised... and in some way a bit stressed.
I can truly call it "Crazy Secure Protection for Android Monero Wallets"...
So, the situation is that I've been running a OnePlus, and for some reason the GUI just DIED. However, I was able to load TWRP recovery, access adb shell, and copy the data from /data/media/0/monerujo over to my new phone, which I just purchased, and you have no idea how surprised I was when none of my passwords actually worked for the wallets. OMG, I was surprised. Later, after a little bit of research, I found out about CrAzYpass (simply amazing idea, though)...
However, shame on me, I had neither a seed nor the actual crazy pass, just...
-rw-r--r-- 1 ninja ninja 2,0M гру 29 14:16 main
-rw-r--r-- 1 ninja ninja 95 гру 26 15:16 main.address.txt
-rw-r--r-- 1 ninja ninja 1,5K гру 26 15:16 main.keys
After a bit more research I figured out that the Android keystore is located at /data/misc/keystore/user_0, and it did contain 10112_USRCERT_MonerujoRSA along with 10112_USRPKEY_MonerujoRSA. So much happiness... but not for long.
I figured I'd create a "test" wallet on the new phone so that it creates its own RSA keys in the keystore, which it did; they were called 10108_. I figured I might just replace the 10108_ keys with the 10112_* keys, add my 3 wallet files from the old device, and bravo.
Unfortunately not. I did all that. It did not work; however, it didn't really say that the password was wrong like before (without the proper keys). The app simply crashed when opening the wallet or when getting to show the secrets of the wallet.
I'm no expert, but looking at m2049r/xmrwallet/util/KeyStoreHelper.java, I came to the conclusion that the apk/app might need to be signed too? (total guess)
At this point I'm a bit lost and really have no idea what steps I should be taking next. Any assistance?
Especially from my favorite crypto guy u/m2049r, who actually came up with this brilliant idea.
Been working on this for a while, since there is quite a lot of money held up there. I would also like to offer a bounty for assistance. Basically my phone's GUI would not load up, and I was not able to load xmrwallet in any way. The only way I was able to access the data was via TWRP recovery, so the first thing I did was a backup of the whole system ( https://i.imgur.com/5wvOPcQ.png )
I've been trying to copy the files to another phone and access the wallet (unsuccessfully). Then eventually, since I had a backup of everything, I figured I might just try restoring the old phone on which the GUI died and re-import the wallet, and I was hopeful that would help... It doesn't actually say that the password is bad; the app just crashes.
Main wallet file -
-rw-r--r-- 1 ninja ninja 2,0M січ 2 22:59 main
-rw-r--r-- 1 ninja ninja 95 січ 2 22:59 main.address.txt
-rw-r--r-- 1 ninja ninja 1,5K січ 2 22:59 main.keys
Then as per whitepaper files that work with keystore located at (/data/misc/keystore/user_0)
-rw-r--r-- 1 ninja ninja 88 січ 2 22:58 .masterkey
-rw-r--r-- 1 ninja ninja 141 січ 2 22:58 .10112_chr_USRPKEY_MonerujoRSA
-rw-r--r-- 1 ninja ninja 707 січ 2 22:58 10112_USRCERT_MonerujoRSA
-rw-r--r-- 1 ninja ninja 1,7K січ 2 22:58 10112_USRPKEY_MonerujoRSA
As per my thoughts, those files and the password, which I know, should be enough...
Since this isn't much of a bug (however, I'm not sure where else to post it), I posted it on Reddit. If you have ideas for a better place, let me know.
And the bounty is 2,0000$ for assistance in getting that wallet to work for me.
The BOUNTY is 2,000$; I just wanted to clarify that it is for getting funds out of that wallet.
Use ADB to copy the
-rw-r--r-- 1 ninja ninja 2,0M січ 2 22:59 main
and
-rw-r--r-- 1 ninja ninja 1,5K січ 2 22:59 main.keys
files to your local PC, then use the official Monero GUI app and open main.keys with your password, and it should open the wallet file with no issue.
It's all about xmrwallet's CrAzYpass function. It encrypts your normal password, which you would use for main/main.keys, and makes it harder. https://monerujo.io/recources/crazy_secure_passphrase.pdf https://medium.com/@anhdres/how-monerujos-crazypass-crazy-secure-password-scheme-works-dc4f99a99ff0
More about this CrAzYpass.
Saving the wallet seed is the number one rule. How many warnings do you need to not ignore this? Using the seed is probably your only option to get your coins back. Unless you manage to find a bug in the 'CrazyPass' implementation.
The number two rule is to not store large sums of coins in your mobile phone's wallet.
For your new wallet, make sure to create an empty file called .nocrazypass in the monerujo folder before creating a new wallet to disable 'CrazyPass'.
It should be the user's responsibility to create a strong wallet password, it should not be done for you with a feature like 'CrazyPass'.
If you have the masterkey file, you may be able to use https://github.com/nelenkov/keystore-decryptor to extract the actual keys, because the files you have are encrypted with that file and the PIN of the phone as well.
link unbroken: March 19, 2018 http://web.archive.org/web/20180507224523/https://www.monerujo.io/recources/crazy_secure_passphrase.pdf
The BOUNTY is 2,000$; I just wanted to clarify that it is for getting funds out of that wallet.
ask: https://parallelrecovery.com/wallet-password.html to get in the competition.
Is it 2k euros? Or USD? Or 2000 XMR?
@juanpc2018 It clearly notes $ -> USD. Although officially the Dollar Symbol comes before the amount, so: $2000 is correct.