Date: Sat, 23 Dec 2006 23:18:58 +0300
From: Solar Designer <>
Subject: Re: Need Help with JTR's rules

On Sat, Dec 23, 2006 at 07:20:27PM +0100, websiteaccess wrote:
> wolf -> wwoollff
>  x01d = extract letter '"w"olf' then w duplicated (duplicated with "d") 
> = ww

Correct.  However, at this point you only have "ww"; everything else is
lost, and you can't operate on it.

>  x11d = extract letter 'w"o"lf' then o duplicated (duplicated with "d") 
> = oo

This would work if it were the first thing you did, but it does not work
after the above commands.

>  finally ww+oo+ll+ff = "wwoollff", but it wasn't the right thing to do.

Even if all of the above commands would have worked the way you wanted
them to, this would require that JtR memorizes 3 or 4 separate parts of
the resulting candidate password.  Apparently, this is what you wanted
to use the "M" (memorize) command for, but it does not do that.  There's
only one "memory location" (besides the current word being operated on)
and its only use is for comparison with the "Q" (query) command:

> Could you show us how your example works, with a clear explanation like
> I do?

You can obtain similar "explanations" by specifying multiple simpler
rules instead of a complex one, adding one or a few commands at a time:


Then run it on a file with only "wolf" in it:

	john -w=wolf --rules --stdout

The output is:


As you can see, ">3<5" does not change the word at all; its purpose is
to reject words that are not four characters long because the rest of
the commands in our complicated rule will assume that we operate on a
4 character long word.

Then "f" reflects the word, as specified in doc/RULES.  For "wolf", we
get "wolfflow".  Note that at this point we already have the sequence
"ff" which we will need, and also we can easily obtain "ww":

When we add "}" - rotate right - we get the last "w" of "wolfflow" in
the first character position.  So we have "ww" and "ff" somewhere in our
current "word".  But we do not yet have "oo" or "ll"; also, while we do
have two o's and two l's in our entire "word", we only have one of each
of these letters before the "ff".  So we can't yet obtain "oo" or "ll"
before the "ff" by merely deleting some characters.  If that's the
approach we want to use (although there might be others), then we need
to duplicate more characters, so we:

Do another "f" (reflect), resulting in "wwolffloolffloww".  Now we have
"oo", but no "ll" yet.  Also, if we would start deleting characters
until we obtain "wwooll" then we would not have any f's left after the
"ll".  We resolve that in the same way:

Do yet another "f" (reflect), resulting in "wwolffloolfflowwwwolffloolffloww"
which finally has a sufficient number of f's after the o's and l's.  Now
we can proceed to delete everything that we don't need:

With "D3D3D3D3D3", we delete 5 characters after "wwo".  Specifically, we
delete the substring "lfflo".  So we get "wwoolfflowwwwolffloolffloww".

With "D5D5", we delete the "ff" after "wwool".  So we get

With "D6D6D6D6D6D6D6", we delete the "owwwwol" after "wwooll".  So we
get "wwoollffloolffloww".

Finally, we truncate this "word" at 8 characters, achieving the desired
result - "wwoollff".

Didn't I say it was a hack? :-)  Actually, here's a simpler one:


Alexander Peslyak <solar at>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15 - bringing security into open computing environments
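The step-by-step "explanations" above can be reproduced offline with a small simulator. The following is an added example, not code from John the Ripper or from this thread: it implements only the rule commands the message uses (">N", "<N", "f", "}", "D N", "'N", "x N M", "d", "M", "Q") following the semantics described in doc/RULES, and the rule string HACK is assembled from the commands the message walks through, since the rule line itself is missing from the archived post. The trace() function prints the same growing-prefix view you would get from running john --stdout with one extra command added to the rule each time.

```python
"""Tiny simulator for a subset of John the Ripper wordlist rule commands.

Added example (not JtR's own code). Positional arguments follow doc/RULES:
'0'-'9' mean 0-9 and 'A'-'Z' mean 10-35; other position characters that
real JtR accepts are not handled here.
"""

# Commands that take exactly one positional argument; "x" takes two.
_ONE_ARG = {">", "<", "D", "'"}


def _pos(c):
    """Decode one positional character into an integer position/length."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"unsupported position character {c!r}")


def tokenize(rule):
    """Split a rule string into (command, argument-characters) tuples."""
    tokens, i = [], 0
    while i < len(rule):
        c = rule[i]
        n = 2 if c == "x" else 1 if c in _ONE_ARG else 0
        args = rule[i + 1 : i + 1 + n]
        if len(args) != n:
            raise ValueError(f"command {c!r} at offset {i} is missing its argument")
        tokens.append((c, args))
        i += 1 + n
    return tokens


def step(cmd, args, word, memory):
    """Apply one command. Returns (word, memory); word is None if rejected."""
    if cmd == ":":                       # no-op
        return word, memory
    if cmd == "f":                       # reflect: append the reversed word
        return word + word[::-1], memory
    if cmd == "d":                       # duplicate the word
        return word + word, memory
    if cmd == "}":                       # rotate right by one character
        return word[-1:] + word[:-1], memory
    if cmd == "{":                       # rotate left by one character
        return word[1:] + word[:1], memory
    if cmd == "M":                       # memorize the current word
        return word, word
    if cmd == "Q":                       # reject unless changed since M (or start)
        return (None if word == memory else word), memory
    if cmd == ">":                       # reject unless longer than N
        return (word if len(word) > _pos(args[0]) else None), memory
    if cmd == "<":                       # reject unless shorter than N
        return (word if len(word) < _pos(args[0]) else None), memory
    if cmd == "D":                       # delete the character at position N
        n = _pos(args[0])
        return word[:n] + word[n + 1 :], memory   # no-op past the end
    if cmd == "'":                       # truncate the word at length N
        return word[: _pos(args[0])], memory
    if cmd == "x":                       # extract up to M characters from N
        n, m = _pos(args[0]), _pos(args[1])
        return word[n : n + m], memory
    raise ValueError(f"unsupported command {cmd!r}")


def apply_rule(rule, word):
    """Return the candidate produced by rule, or None if word was rejected."""
    memory = word                         # "Q" with no "M" compares to the input
    for cmd, args in tokenize(rule):
        word, memory = step(cmd, args, word, memory)
        if word is None:
            return None
    return word


def trace(rule, word):
    """Return [(rule_prefix, word_after_it), ...], one entry per command."""
    out, memory, prefix = [], word, ""
    for cmd, args in tokenize(rule):
        prefix += cmd + args
        word, memory = step(cmd, args, word, memory)
        out.append((prefix, word))
        if word is None:                  # rejected: later commands never run
            break
    return out


# The "hack" rule, reassembled from the commands the message walks through.
HACK = ">3<5f}ffD3D3D3D3D3D5D5D6D6D6D6D6D6D6'8"

if __name__ == "__main__":
    for prefix, w in trace(HACK, "wolf"):
        print(f"{prefix:40} {w}")
```

The trace for "wolf" passes through "wolfflow", "wwolfflo", "wwolffloolffloww", the 32-character palindrome, and the three deletion stages before "'8" leaves "wwoollff"; running it on "wolves" stops at ">3<5" with a rejection, which is the length guard the message describes.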
