def crack(manifest, passwords, notify=None):
    """Try each candidate in ``passwords`` against the backup keybag described by ``manifest``.

    ``manifest`` is a path handed to ``readPlist``; the local name is then
    rebound to the parsed plist.  ``passwords`` is any iterable of candidate
    strings; each is ``strip()``-ed and blank entries are skipped.  ``notify``
    is accepted for interface compatibility but is never read in this body.

    Returns the first candidate for which ``try_password`` reports a truthy
    result, and ``None`` when the backup is not encrypted, when it carries no
    backup keybag, or when every candidate is exhausted without a match.

    ``readPlist``, ``Keybag``, ``try_password``, ``time`` and the
    ``BACKUP_KEYBAG`` / ``OTA_KEYBAG`` constants are defined elsewhere in the
    module; their internals are not visible here.
    """
    manifest = readPlist(manifest)
    # Nothing to check against for a plaintext backup.
    if not manifest["IsEncrypted"]:
        print "Backup is not encrypted"
        return
    # Presence of ManifestKey selects the newer backup format, which adds the
    # DPSL / DPIC parameters below (see the banner printed in main()).
    iosFlag = 'ManifestKey' in manifest
    kb = Keybag(manifest["BackupKeyBag"].data)
    # Nothing in this block ever assigns a device key; it stays None so that
    # only passcode-wrapped class keys can be examined.
    kb.deviceKey = None
    if kb.type != BACKUP_KEYBAG and kb.type != OTA_KEYBAG:
        print "Backup does not contain a backup keybag"
        return
    salt = kb.attrs["SALT"]
    # NOTE: shadows the builtin ``iter``; the value is only forwarded to
    # try_password, so no builtin use is affected inside this function.
    iter = kb.attrs["ITER"]
    print 'iter', iter
    dpsl = None
    dpic = None
    if iosFlag:
        # Extra salt and iteration count that exist only in the newer format.
        dpsl = kb.attrs["DPSL"]
        dpic = kb.attrs["DPIC"]
        print 'dpic', dpic
    res = None
    for password in passwords:
        password = password.strip()
        if not password:
            continue
        print "[%s]: Trying Crack" % (password)
        # Wall-clock time of a single attempt is reported per candidate; the
        # cost per guess is governed by the iteration counts read above, which
        # is what makes the stored ITER/DPIC values the defender's main lever.
        stime = time()
        res = try_password(password, iosFlag, dpsl, dpic, salt, iter, kb)
        etime = time()
        print "[%s]: Take time %s" % (password, etime - stime)
        if res:
            print 'Find Password: ', password
            return password
def main():
  """Command-line entry point: read a backup directory and a word list, then test each word.

  Usage (from the message below): ``backup_passwd_guess.py iOS_Backup_Dir Password_Dictionary``.
  Exits with status 1 on any argument, file or backup-format problem.  Prints
  ``Password found - <word>`` and stops at the first word that unwraps every
  passcode-protected class key; if the list is exhausted nothing further is
  printed.

  Names used but defined elsewhere in the module: ``readPlist``, ``Keybag``,
  ``PBKDF2``, ``SHA256``, ``AESUnwrap``, ``AESdecryptCBC`` and the
  ``BACKUP_KEYBAG`` / ``OTA_KEYBAG`` / ``WRAP_PASSCODE`` / ``WRAP_DEVICE``
  constants.
  """
  # Get the arguments
  if len(sys.argv) != 3:
    print "Usage: backup_passwd_guess.py iOS_Backup_Dir Password_Dictionary"
    sys.exit(1)
  backup = sys.argv[1]
  pwddict = sys.argv[2]

  # Open the manifest plist (the path is built by plain string concatenation,
  # so a trailing slash on the directory argument yields a double slash).
  manifest_loc = backup + "/Manifest.plist"
  if not os.path.exists(manifest_loc):
    print "Can't find Manifest.plist - bad backup?"
    sys.exit(1)
  manifest = readPlist(manifest_loc)

  # Open the dictionary.  The handle is never closed explicitly; it is left to
  # interpreter exit.
  if not os.path.exists(pwddict):
    print "Can't find dictionary"
    sys.exit(1)
  dictfile = open(pwddict)

  # Get the backup information (Info.plist is read unconditionally; a missing
  # file here is not guarded like Manifest.plist above)
  info = readPlist(backup + "/Info.plist")
  print "Backup Details:"
  print "  Device:   %s" % (info['Product Name'])
  print "  Serial:   %s" % (info['Serial Number'])
  print "  Firmware: %s" % (info['Product Version'])
  print ""

  # Make sure the backup is encrypted
  if not manifest["IsEncrypted"]:
    print "Backup is not encrypted"
    sys.exit(1)

  # Determine if we have the new format of the backup encryption
  iosFlag = False
  if 'ManifestKey' in manifest:
    print "***** Backup is encrypted using newer algorithm. Time per try is now minutes instead of seconds *****"
    print ""
    iosFlag = True

  # Get the keybag
  kb = Keybag(manifest["BackupKeyBag"].data)
  # deviceKey is cleared and never reassigned in this function, so the
  # WRAP_DEVICE branch in the loop below always hits its ``continue``.
  kb.deviceKey = None
  if kb.type != BACKUP_KEYBAG and kb.type != OTA_KEYBAG:
    print "Backup does not contain a backup keybag"
    sys.exit(1)
  salt = kb.attrs["SALT"]
  iter = kb.attrs["ITER"]  # shadows the builtin ``iter``; only used as a kwarg value below
  # dpsl / dpic are bound only for the newer format and are only read under
  # the same iosFlag condition, so the conditional binding is safe here.
  if iosFlag:
    dpsl = kb.attrs["DPSL"]
    dpic = kb.attrs["DPIC"]

  # Loop through the passwords in the file
  while True:
    password = dictfile.readline()
    # readline() returns "" only at EOF; a blank line is "\n" and is not EOF.
    if password == "":
      break
    # Drops the last character unconditionally, i.e. assumes every line
    # (including the final one) ends with a newline.
    password = password[:-1]
    opassword = password
    print "Trying %s" % (opassword)

    # Check the password: for the newer format the word is first stretched
    # with PBKDF2-SHA256 over DPSL/DPIC, and the result is the input to the
    # second derivation over SALT/ITER.  Both iteration counts come straight
    # from the keybag, so they set the per-guess cost.
    if iosFlag:
      password = PBKDF2(password, dpsl, iterations = dpic, digestmodule=SHA256).read(32)
    code = PBKDF2(password, salt, iterations=iter).read(32)
    # ``success`` is a rejection flag despite its name: it is set to 1 as soon
    # as one passcode-wrapped class key fails to unwrap, and a value of 0
    # after the loop means every such key unwrapped with this candidate.
    success = 0
    for classkey in kb.classKeys.values():
      k = classkey["WPKY"]
      if classkey["WRAP"] & WRAP_PASSCODE:
        k = AESUnwrap(code, classkey["WPKY"])
        if not k:
          success = 1
          break
      if classkey["WRAP"] & WRAP_DEVICE:
        # Unreachable in practice: deviceKey was set to None above.
        if not kb.deviceKey:
          continue
        k = AESdecryptCBC(k, kb.deviceKey)
    if success == 0:
      print "Password found - ",opassword
      break