Fix updated vault decryption (#63)

MetaMask · Dec 15, 2023 · fc05554 · fc05554
1 parent 685462b
commit fc05554
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 6 deletions.
diff --git a/app/lib.js b/app/lib.js
@@ -64,11 +64,25 @@ function extractVaultFromFile (data) {
     // attempt 4: chromium 000006.log on MacOS
     // this variant also contains a 'keyMetadata' key in the vault, which should be
     // a nested object.
-    const matches = data.match(/KeyringController":(\{"vault":".*=\\"\}"\})/);
+    const matches = data.match(/KeyringController":(\{"vault":".*?=\\"\}"\})/);
     if (matches && matches.length) {
-      keyringControllerState = matches[1];
       try {
-        return JSON.parse(JSON.parse(keyringControllerState).vault);
+        const keyringControllerStateFragment = matches[1];
+        const dataRegex = /\\"data\\":\\"([A-Za-z0-9+\/]*=*)/u
+        const ivRegex = /,\\"iv\\":\\"([A-Za-z0-9+\/]{10,40}=*)/u
+        const saltRegex = /,\\"salt\\":\\"([A-Za-z0-9+\/]{10,100}=*)\\"/
+        const keyMetaRegex = /,\\"keyMetadata\\":(.*}})/
+
+        const vaultParts = [dataRegex, ivRegex, saltRegex, keyMetaRegex]
+          .map(reg => keyringControllerStateFragment.match(reg))
+          .map(match => match[1]);
+
+        return {
+          data: vaultParts[0],
+          iv: vaultParts[1],
+          salt: vaultParts[2],
+          keyMetadata: JSON.parse(vaultParts[3].replaceAll('\\', '')),
+        };
       } catch (err) {
         // Not valid JSON: continue
       }

diff --git a/app/lib.test.js b/app/lib.test.js
@@ -32,6 +32,11 @@ const FIXTURES = [
     path: 'chrome-119.0.6045.199-macos-arm64/000006.log',
     mnemonic: 'position ship hill notice replace truth science angle merit reunion direct steak',
     passphrase: 'r!chSloth14',
+  },
+  {
+    path: 'chromium-120.0.6099.71-macos-arm64/000003.log',
+    mnemonic: 'because carpet thought flame ride regular wink weather lazy spice unveil device',
+    passphrase: 'correct horse battery staple',
   }
 ]
 

diff --git a/bundle.js b/bundle.js
@@ -67,7 +67,35 @@ function extractVaultFromFile(data) {
       return JSON.parse(JSON.parse(vaultBody));
     }
   }
-  // attempt 4: chromium 000005.ldb on windows
+  {
+    // attempt 4: chromium 000006.log on MacOS
+    // this variant also contains a 'keyMetadata' key in the vault, which should be
+    // a nested object.
+    var _matches2 = data.match(/KeyringController":(\{"vault":".*?=\\"\}"\})/);
+    if (_matches2 && _matches2.length) {
+      try {
+        var keyringControllerStateFragment = _matches2[1];
+        var _dataRegex = /\\"data\\":\\"([\+\/-9A-Za-z]*=*)/;
+        var _ivRegex = /,\\"iv\\":\\"([\+\/-9A-Za-z]{10,40}=*)/;
+        var _saltRegex = /,\\"salt\\":\\"([A-Za-z0-9+\/]{10,100}=*)\\"/;
+        var keyMetaRegex = /,\\"keyMetadata\\":(.*}})/;
+        var vaultParts = [_dataRegex, _ivRegex, _saltRegex, keyMetaRegex].map(function (reg) {
+          return keyringControllerStateFragment.match(reg);
+        }).map(function (match) {
+          return match[1];
+        });
+        return {
+          data: vaultParts[0],
+          iv: vaultParts[1],
+          salt: vaultParts[2],
+          keyMetadata: JSON.parse(vaultParts[3].replaceAll('\\', ''))
+        };
+      } catch (err) {
+        // Not valid JSON: continue
+      }
+    }
+  }
+  // attempt 5: chromium 000005.ldb on windows
   var matchRegex = /Keyring[0-9](?:[\0-\|~-\uD7FF\uE000-\uFFFF]|[\uD800-\uDBFF][\uDC00-\uDFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF])*(\{(?:[\0-z\|~-\uD7FF\uE000-\uFFFF]|[\uD800-\uDBFF][\uDC00-\uDFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF])*\\"\})/g;
   var captureRegex = /Keyring[0-9](?:[\0-\|~-\uD7FF\uE000-\uFFFF]|[\uD800-\uDBFF][\uDC00-\uDFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF])*(\{(?:[\0-z\|~-\uD7FF\uE000-\uFFFF]|[\uD800-\uDBFF][\uDC00-\uDFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF])*\\"\})/;
   var ivRegex = /\\"iv(?:[\0-\t\x0B\f\x0E-\u2027\u202A-\uD7FF\uE000-\uFFFF]|[\uD800-\uDBFF][\uDC00-\uDFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF]){1,4}(?:[\0-\*,-\.:-@\[-`\{-\uD7FF\uE000-\uFFFF]|[\uD800-\uDBFF][\uDC00-\uDFFF]|[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?:[^\uD800-\uDBFF]|^)[\uDC00-\uDFFF]){1,10}([\+\/-9A-Za-z]{10,40}=*)/;

diff --git a/jest.config.js b/jest.config.js
@@ -43,8 +43,8 @@ module.exports = {
     global: {
       branches: 94.73,
       functions: 100,
-      lines: 98.03,
-      statements: 98.18,
+      lines: 98.27,
+      statements: 98.38,
     },
   },
 

diff --git a/test/fixtures/chromium-120.0.6099.71-macos-arm64/000003.log b/test/fixtures/chromium-120.0.6099.71-macos-arm64/000003.log