New KDF
Banaanhangwagen opened this issue · comments
Since Phantom v24.9
Phantom changed the way the KDF is derived. The extracted vault mentions now scrypt
instead of pbkdf
.
Example of an extraction with password password
:
{"encryptedKey":{"digest":"sha256","encrypted":"4q67Hurr6i5g3iC9i93qgevw1AHByfu4cB2hX7GGuGKGMwPazQ7eJu7PAfnYZaaCyD","iterations":10000,"kdf":"scrypt","nonce":"EokY5qjXKHXiGg6LuZYDtgLFP1dtYpLVM","salt":"HopKt4jDL62TD8i8d2gTTh"},"version":1}
I tried to change the code by simply using key = scrypt(password, salt, 32,16384,8,1)
, but that would be too easy, right ?
maybe someone has another idea ?
This is confirmed on Phantom v24.9.1
. In order to decrypt these, phantom_decryptor
logic will have to be rewritten to support scrypt. I'll look into this as time allows.
Added support to phantom_extractor
so it can extract hashes from Phantom v24.9.x vaults. ef1c864
Hello, have you had any time to look into it? Anything you have already checked and a status would be nice! Ill try to work on this tomorrow. By the way, in your writeup on the decryptor for new vaults you say that you get a payload which you can use on the other json strings - but i dont get that payload? I only get a password.
Hello, have you had any time to look into it? Anything you have already checked and a status would be nice! Ill try to work on this tomorrow.
I've only briefly looked into this, but the v24.9.x
vault appears similar to v24.6.x
, but uses scrypt
rather than pbkdf2
for the KDF.
By the way, in your writeup on the decryptor for new vaults you say that you get a payload which you can use on the other json strings - but i dont get that payload? I only get a password.
The phantom_decryptor
tool only cracks the vault password on <= v24.6
which is the previous version. Decrypting the full payload on v24.6
vaults is a process described here: https://github.com/cyclone-github/writeups/blob/main/Pwning%20Phantom%20Wallets.pdf
For anyone else following along, here's the scrypt parameters found in Phantom v24.11
source code:
src/background/background.js
N=4096
r=8
p=1
dkLen=32
case "scrypt":
return c.from(yield(0, i.scryptAsync)(e, t(s).decode(r.salt), {
N: 4096,
r: 8,
p: 1,
dkLen: u.secretbox.keyLength
}));
Phantom source code (Chrome Extension):
https://gofile.io/d/YXhKek