Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AD encryption (decryption) #192

Open
Agile86 opened this issue Oct 10, 2023 · 3 comments
Open

AD encryption (decryption) #192

Agile86 opened this issue Oct 10, 2023 · 3 comments

Comments

@Agile86
Copy link

Agile86 commented Oct 10, 2023

Seems that AD encryption section (it's decryption part) is wrong.
Trying to decrypt a simple E01 encrypted file (created with the help of AccessData FTK Imager 4.7.1.2) using password "test" (file attached):

#include <iostream>
#include <fstream>
#include <vector>
#include <cassert>

#include <openssl/evp.h>
#include <openssl/hmac.h>

std::vector<unsigned char> read_at_offset(const char* fn, unsigned offset, size_t size) {
    std::vector<unsigned char> buffer;
    std::ifstream file(fn, std::ios::binary);
    if (!file.is_open()) {
        std::cerr << "Failed to open file " << fn << std::endl;
        return buffer;
    }

    file.seekg(offset, std::ios::beg);

    // read the data
    buffer.resize(size);

    file.read((char*)buffer.data(), buffer.size());
    assert(file.gcount() == buffer.size());
    return buffer;
}

int main()
{
    const char fp[] = "C:/temp/E01/small-enc-pass.E01";
    char pass[] = "test";
    
    auto iter_count = *(unsigned int*)read_at_offset(fp, 32, 4).data();
    auto salt_len = *(unsigned int*)read_at_offset(fp, 36, 4).data();
    auto key_len = *(unsigned int*)read_at_offset(fp, 40, 4).data();
    auto hmac_len = *(unsigned int*)read_at_offset(fp, 44, 4).data();

    auto salt = read_at_offset(fp, 48, salt_len);
    auto fkey = read_at_offset(fp, 48 + salt_len, key_len);
    auto hmac = read_at_offset(fp, 48 + salt_len + key_len, hmac_len);

    auto pkey = std::vector<unsigned char>(key_len);
    auto success = PKCS5_PBKDF2_HMAC(pass, sizeof(pass)-1, salt.data(), salt.size(), iter_count, EVP_sha512(), pkey.size(), pkey.data());
    assert(success == 1);

    assert(hmac_len == EVP_MAX_MD_SIZE);
    unsigned char hmac_result[EVP_MAX_MD_SIZE];
    HMAC(EVP_sha512(), pkey.data(), pkey.size(), fkey.data(), fkey.size(), hmac_result, &hmac_len);

    assert(EVP_MAX_MD_SIZE == hmac.size());

    for (auto i = 0; i < EVP_MAX_MD_SIZE; i++) {
        printf("%02u\n", hmac[i]);
        printf("%02u\n", hmac_result[i]);
        assert(hmac[i] == hmac_result[i]);
    }

    printf("OK\n");
}
@Agile86
Copy link
Author

Agile86 commented Oct 10, 2023

test file
small-enc-pass.zip

@Agile86
Copy link
Author

Agile86 commented Oct 13, 2023

An official document, describing AD Image Encryption.
AD Image Encryption v1.2.pdf

@joachimmetz
Copy link
Member

ah nice find, I'll have a look when time permits.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Agile86 @joachimmetz