Latest Threema 4.43 Backup Zip Android

[thunderbolt78]

Hi, i have a small zip file, encrypted with the latest threema build in zip function. zip2john produce a 0KB Hash file. Any idea whats wrong ?

attached an example zip file

12.zip

maybe someone can look at this .

[magnumripper]

You probably used some old version. Current version extracts 22 zip "hashes" and cracks all of them almost instantly.

[thunderbolt78]

hi, using zip2john from john-1.9.0-jumbo-1-win64

[solardiz]

@thunderbolt78 This is what we call "old" for the purposes of GitHub issues - here, we're working on the latest source code in this repo. You can, too, use the latest from here. Since you're on Windows, you can click the "Download Windows build" badge in this repo's README.md.

Curiously, zip2john from 2019 (such as one included in the 1.9.0-jumbo-1 release) actually segfaults on this archive. The segfault is inside the sprintf call here:

                                for (i = 0; i < real_cmpr_len; i++) {
                                        d = fgetc(fp);
                                        if (store)
                                                cp += sprintf(cp, "%c%c",
                                                              itoa16[ARCH_INDEX(d >> 4)],
                                                              itoa16[ARCH_INDEX(d & 0x0f)]);
                                }

Indeed, this problematic code is removed in b717067a545b7933caa9e6a57a606d83d26b9606 (January 2020).

You could want to add the example archive with a pull request to https://github.com/openwall/john-samples, but then I'm not sure if it's appropriate as there's e.g. contacts.csv inside. I don't know if all of those files inside are dummy (if so, appropriate for inclusion in the john-samples repo) or have real content (then they are not appropriate).

Other than that, there's nothing for us to do on this issue. Closing.

[thunderbolt78]

this was quite fast

used the zip2john from this repo https://github.com/openwall/john-packages/releases/tag/jumbo-dev

same here, the hash is 0KB

zip2john is from 27.03.2021, the file is 0KB, no errors or something

threema4.43.zip

i try to add the file into the zip repositiry

i created a normal zip file with winzip and used the aes stuff, zip2john is extracting the hash. maybe the threema guys did something special....

[solardiz]

This threema4.43.zip file is exactly the same as 12.zip you had attached earlier. So zip2john just works on it for us. However, my testing is on Linux, and magnum's is probably also not on Windows. While it is possible we have a Windows specific issue there, I suspect it's actually user error. So @thunderbolt78 can you show us how you're invoking zip2john and checking the resulting hash file size? Maybe you're actually still invoking the older version.

[thunderbolt78]

damn, you are right .... i renamed the 12.zip to threema4.43.zip and didnt changed the command ... sorry fo this ... please close or remove the last comments ....

[solardiz]

please close or remove the last comments ....

The issue is already closed, and I think it's OK to leave the comments as they are.