97 lines
2.7 KiB
Markdown
97 lines
2.7 KiB
Markdown
Read more about the akira decryption process at https://tinyhack.com
|
|
|
|
|
|
Initial chacha8 code is from : https://github.com/madMAx43v3r/chia-plotter, the license is Apache 2: https://github.com/madMAx43v3r/chia-plotter/blob/master/LICENSE
|
|
|
|
Initial kcipher2 code is from https://github.com/l00sy4/LCipher2, the license is GPL v3: https://github.com/l00sy4/LCipher2/blob/main/LICENSE
|
|
|
|
The License for this software is GPL v3
|
|
|
|
## Requirements
|
|
|
|
I tested this on Debian Bookworm, but Ubuntu might be easier to setup
|
|
|
|
```
|
|
apt-get install -y nettle-dev libssl-dev nvidia-cuda-toolkit nvidia-cuda-toolkit-gcc build-essential git nasm
|
|
```
|
|
|
|
## Building
|
|
|
|
```
|
|
git clone https://github.com/yohanes/akira-bruteforce
|
|
cd akira-bruteforce
|
|
make
|
|
```
|
|
|
|
## Testing
|
|
|
|
I have provided akira encrypted files (the akira ransomware is patched with my own code to record the timing), you can test it by running
|
|
|
|
```
|
|
cd tests
|
|
# Note: this will take several minutes and will make your GPU fans spin fast
|
|
./akira-bruteforce run2 config-test.json
|
|
```
|
|
|
|
Meaning of the fields:
|
|
|
|
* `count`: number nano seconds tested starting from `start_timestamp`
|
|
* `start_timestamp`: the timestamp when the test started
|
|
* `brute_force_time_range`: the time range in nano seconds that we are testing (the "offset range")
|
|
* `offset`: the start offset of the brute force
|
|
* `matches`: the list of matches to check, the `filename` is used to make the output to be more readable
|
|
|
|
```json
|
|
{
|
|
"count": 20000000,
|
|
"start_timestamp": 1741841294358440000,
|
|
"brute_force_time_range": 30000,
|
|
"offset": 1111000,
|
|
"matches": [
|
|
{
|
|
"filename": "zeroes.vmdk",
|
|
"plaintext": "0x0000000000000000",
|
|
"encrypted": "0xd5b71efb8d6969e5",
|
|
"bitmask": " 0xffffffffffffffff"
|
|
},
|
|
{
|
|
"filename" :"ones.vmdk",
|
|
"plaintext": "0x0101010101010101",
|
|
"encrypted": "0x9d1c37f111077987",
|
|
"bitmask": " 0xffffffffffffffff"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
Obtaining plaintext: as explained in the blog post, this depends on the file type
|
|
|
|
Obtaining ciphertext: use a hex editor, or use the "readhex" in the util directory
|
|
|
|
```
|
|
./util/readhex tests/ones.vmdk.akira
|
|
./util/readhex tests/ones.vmdk.akira 65535 # for chacha8
|
|
```
|
|
|
|
## chacha8 bruteforce
|
|
|
|
An example chacha config is like this
|
|
|
|
```json
|
|
{
|
|
"t3_ts": 1741841294374553498,
|
|
"t3_t1_offset": 3000000,
|
|
"t1_t2_start_offset": 1300000,
|
|
"t1_t2_end_offset": 2000000,
|
|
"encrypted": "0x03d3319ddbf9caee",
|
|
"plaintext": "0x0"
|
|
}
|
|
```
|
|
|
|
* `t3_ts` is the timestamp found by akira-bruteforce
|
|
* `t3_t1_offset` is how far back (maximum) the time from `t1` to `t3`
|
|
* `t1_t2_start_offset` is the start offset of the brute force
|
|
* `t1_t2_end_offset` is the end offset of the brute force
|
|
* `encrypted` is the encrypted value
|
|
* `plaintext` is the plaintext value
|