Open jaytaph opened 4 years ago
jaytaph
commented
4 years ago ok.. i'm so far that I can extract the "notes" from the file. Checksum checks out, i've got an iv, but it needs a derived key from the master password called logSessionKey. I'm not sure how this works, is there a key per session? Meaning, a new session will mean a new key? How does it decrypt data from the previous session?
jaytaph
commented
4 years ago It seems that the logSessionKey is created from WallSessionKey, which is a key generated from the master password and a constant log session salt.. (sorry for the rubber ducking :duck:)
I'm stuck at the "masterSalt"... It should be stored somewhere, but I'm not sure where.
Edit: I found the masterSalt in the notes & settings file, which includes a plist at the start. Among other things, I've found hastIterationCount as well, which is a different number than the default one (8000)
Edit: I'm trying to check if my computed master key matches the verification key... it doesn't and I'm not sure why not.
jaytaph
commented
4 years ago I've got the computer masterkey matching the verification (yay!). The next step is to compute the key and iv for the aes-256-cbc decryption, which I think i did right (i got the nvalt to compile through AppCode and i can output the actual key and iv, which is the same ones that I generate).
Unfortunately, i get an error during decryption (EVP_DecryptFinal fails), which could indicate a wrong key (which would result from a wrong passphrase).. I'm a bit stuck again.. but hopeful I can figure this out...
Edit: I can decrypt my main notes&settings database with the help of the dataSessionSalt. It seems that everything is correct. The only thing that might be an issue, is the logSessionKey. This is taken from the sessionSalt, which is a constant salt "Salt for encrypting a write-ahead-log session\0"
Edit: I finally decrypted the notes (it uses a constant logsessionkey), and could decompress my note. Strange thing is that i still find 244 notes (which is the same amount i have right now).. however, the interim note-changes file is 460kb, while my notes&settings file is only 300kb.. yet, they seem to hold the same number of notes?
After repartitioning a disk, it seems I've lost some notes. Not all of them, just from the last two months. Since the directory was gone, I had to change the Notes & Settings directory so it points again to the correct "Notational Data" directory. This restored everything but the last few months.
I think this is related to https://github.com/ttscoff/nv/issues/339, which looks like the last data is written to
~/Library/Caches/net.elasticthreads.nv/Interim Note-Changesfile.This file is about 440Kb, while my regular "Notes & Settings" is only 320kb.
I've tried things like renaming the interim file, but nothing seems to work. I have the master password and looked around in WALController.m to see how things work, but my C# is pretty lousy to be honest. Is it possible to extract the data from this file?