]> cvs.zerfleddert.de Git - proxmark3-svn/blob - client/scripting.c
improve hf mf sim x reader attack
[proxmark3-svn] / client / scripting.c
1 //-----------------------------------------------------------------------------
2 // Copyright (C) 2013 m h swende <martin at swende.se>
3 //
4 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
5 // at your option, any later version. See the LICENSE.txt file for the text of
6 // the license.
7 //-----------------------------------------------------------------------------
8 // Some lua scripting glue to proxmark core.
9 //-----------------------------------------------------------------------------
10
11 #include <lua.h>
12 #include <lualib.h>
13 #include <lauxlib.h>
14 #include "proxmark3.h"
15 #include "usb_cmd.h"
16 #include "cmdmain.h"
17 #include "scripting.h"
18 #include "util.h"
19 #include "nonce2key/nonce2key.h"
20 #include "../common/iso15693tools.h"
21 #include "iso14443crc.h"
22 #include "../common/crc16.h"
23 #include "../common/crc64.h"
24 #include "../common/sha1.h"
25 #include "aes.h"
26 /**
27 * The following params expected:
28 * UsbCommand c
29 *@brief l_SendCommand
30 * @param L
31 * @return
32 */
33 static int l_SendCommand(lua_State *L){
34
35 /*
36 *
37 The SendCommand (native) expects the following structure:
38
39 typedef struct {
40 uint64_t cmd; //8 bytes
41 uint64_t arg[3]; // 8*3 bytes = 24 bytes
42 union {
43 uint8_t asBytes[USB_CMD_DATA_SIZE]; // 1 byte * 512 = 512 bytes (OR)
44 uint32_t asDwords[USB_CMD_DATA_SIZE/4]; // 4 byte * 128 = 512 bytes
45 } d;
46 } PACKED UsbCommand;
47
48 ==> A 544 byte buffer will do.
49 **/
50 //Pop cmd
51 size_t size;
52 const char *data = luaL_checklstring(L, 1, &size);
53 if(size != sizeof(UsbCommand))
54 {
55 printf("Got data size %d, expected %d" , (int) size,(int) sizeof(UsbCommand));
56 lua_pushstring(L,"Wrong data size");
57 return 1;
58 }
59
60 // UsbCommand c = (*data);
61 SendCommand((UsbCommand* )data);
62 return 0; // no return values
63 }
64 /**
65 * @brief The following params expected:
66 * uint32_t cmd
67 * size_t ms_timeout
68 * @param L
69 * @return
70 */
71 static int l_WaitForResponseTimeout(lua_State *L){
72
73 uint32_t cmd = 0;
74 size_t ms_timeout = -1;
75
76 //Check number of arguments
77 int n = lua_gettop(L);
78 if(n == 0)
79 {
80 //signal error by returning Nil, errorstring
81 lua_pushnil(L);
82 lua_pushstring(L,"You need to supply at least command to wait for");
83 return 2; // two return values
84 }
85 if(n >= 1)
86 {
87 //pop cmd
88 cmd = luaL_checkunsigned(L,1);
89 }
90 if(n >= 2)
91 {
92 //Did the user send a timeout ?
93 //Check if the current top of stack is an integer
94 ms_timeout = luaL_checkunsigned(L,2);
95 //printf("Timeout set to %dms\n" , (int) ms_timeout);
96 }
97
98 UsbCommand response;
99
100 if(WaitForResponseTimeout(cmd, &response, ms_timeout))
101 {
102 //Push it as a string
103 lua_pushlstring(L,(const char *)&response,sizeof(UsbCommand));
104
105 return 1;// return 1 to signal one return value
106 }else{
107 //Push a Nil instead
108 lua_pushnil(L);
109 return 1;// one return value
110 }
111 }
112
113 static int returnToLuaWithError(lua_State *L, const char* fmt, ...)
114 {
115 char buffer[200];
116 va_list args;
117 va_start(args,fmt);
118 vsnprintf(buffer, sizeof(buffer), fmt,args);
119 va_end(args);
120
121 lua_pushnil(L);
122 lua_pushstring(L,buffer);
123 return 2;
124 }
125
126 static int l_nonce2key(lua_State *L){
127
128 size_t size;
129 const char *p_uid = luaL_checklstring(L, 1, &size);
130 if(size != 4) return returnToLuaWithError(L,"Wrong size of uid, got %d bytes, expected 4", (int) size);
131
132 const char *p_nt = luaL_checklstring(L, 2, &size);
133 if(size != 4) return returnToLuaWithError(L,"Wrong size of nt, got %d bytes, expected 4", (int) size);
134
135 const char *p_nr = luaL_checklstring(L, 3, &size);
136 if(size != 4) return returnToLuaWithError(L,"Wrong size of nr, got %d bytes, expected 4", (int) size);
137
138 const char *p_par_info = luaL_checklstring(L, 4, &size);
139 if(size != 8) return returnToLuaWithError(L,"Wrong size of par_info, got %d bytes, expected 8", (int) size);
140
141 const char *p_pks_info = luaL_checklstring(L, 5, &size);
142 if(size != 8) return returnToLuaWithError(L,"Wrong size of ks_info, got %d bytes, expected 8", (int) size);
143
144
145 uint32_t uid = bytes_to_num(( uint8_t *)p_uid,4);
146 uint32_t nt = bytes_to_num(( uint8_t *)p_nt,4);
147
148 uint32_t nr = bytes_to_num(( uint8_t*)p_nr,4);
149 uint64_t par_info = bytes_to_num(( uint8_t *)p_par_info,8);
150 uint64_t ks_info = bytes_to_num(( uint8_t *)p_pks_info,8);
151
152 uint64_t key = 0;
153
154 int retval = nonce2key(uid,nt, nr, par_info,ks_info, &key);
155
156 //Push the retval on the stack
157 lua_pushinteger(L,retval);
158
159 //Push the key onto the stack
160 uint8_t dest_key[8];
161 num_to_bytes(key,sizeof(dest_key),dest_key);
162
163 //printf("Pushing to lua stack: %012"llx"\n",key);
164 lua_pushlstring(L,(const char *) dest_key,sizeof(dest_key));
165
166 return 2; //Two return values
167 }
168 //static int l_PrintAndLog(lua_State *L){ return CmdHF14AMfDump(luaL_checkstring(L, 1));}
169 static int l_clearCommandBuffer(lua_State *L){
170 clearCommandBuffer();
171 return 0;
172 }
173 /**
174 * @brief l_foobar is a dummy function to test lua-integration with
175 * @param L
176 * @return
177 */
178 static int l_foobar(lua_State *L)
179 {
180 //Check number of arguments
181 int n = lua_gettop(L);
182 printf("foobar called with %d arguments" , n);
183 lua_settop(L, 0);
184 printf("Arguments discarded, stack now contains %d elements", lua_gettop(L));
185
186 // todo: this is not used, where was it intended for?
187 // UsbCommand response = {CMD_MIFARE_READBL, {1337, 1338, 1339}};
188
189 printf("Now returning a uint64_t as a string");
190 uint64_t x = 0xDEADBEEF;
191 uint8_t destination[8];
192 num_to_bytes(x,sizeof(x),destination);
193 lua_pushlstring(L,(const char *)&x,sizeof(x));
194 lua_pushlstring(L,(const char *)destination,sizeof(destination));
195
196 return 2;
197 }
198
199
200 /**
201 * @brief Utility to check if a key has been pressed by the user. This method does not block.
202 * @param L
203 * @return boolean, true if kbhit, false otherwise.
204 */
205 static int l_ukbhit(lua_State *L)
206 {
207 lua_pushboolean(L,ukbhit() ? true : false);
208 return 1;
209 }
210 /**
211 * @brief Calls the command line parser to deal with the command. This enables
212 * lua-scripts to do stuff like "core.console('hf mf mifare')"
213 * @param L
214 * @return
215 */
216 static int l_CmdConsole(lua_State *L)
217 {
218 CommandReceived((char *)luaL_checkstring(L, 1));
219 return 0;
220 }
221
222 static int l_iso15693_crc(lua_State *L)
223 {
224 // uint16_t Iso15693Crc(uint8_t *v, int n);
225 size_t size;
226 const char *v = luaL_checklstring(L, 1, &size);
227 uint16_t retval = Iso15693Crc((uint8_t *) v, size);
228 lua_pushinteger(L, (int) retval);
229 return 1;
230 }
231
232 static int l_iso14443b_crc(lua_State *L)
233 {
234 /* void ComputeCrc14443(int CrcType,
235 const unsigned char *Data, int Length,
236 unsigned char *TransmitFirst,
237 unsigned char *TransmitSecond)
238 */
239 unsigned char buf[USB_CMD_DATA_SIZE];
240 size_t len = 0;
241 const char *data = luaL_checklstring(L, 1, &len);
242 if (USB_CMD_DATA_SIZE < len)
243 len = USB_CMD_DATA_SIZE-2;
244
245 for (int i = 0; i < len; i += 2) {
246 sscanf(&data[i], "%02x", (unsigned int *)&buf[i / 2]);
247 }
248 ComputeCrc14443(CRC_14443_B, buf, len, &buf[len], &buf[len+1]);
249
250 lua_pushlstring(L, (const char *)&buf, len+2);
251 return 1;
252 }
253 /*
254 Simple AES 128 cbc hook up to OpenSSL.
255 params: key, input
256 */
257 static int l_aes128decrypt_cbc(lua_State *L)
258 {
259 //Check number of arguments
260 int i;
261 size_t size;
262 const char *p_key = luaL_checklstring(L, 1, &size);
263 if(size != 32) return returnToLuaWithError(L,"Wrong size of key, got %d bytes, expected 32", (int) size);
264
265 const char *p_encTxt = luaL_checklstring(L, 2, &size);
266
267 unsigned char indata[16] = {0x00};
268 unsigned char outdata[16] = {0x00};
269 unsigned char aes_key[16] = {0x00};
270 unsigned char iv[16] = {0x00};
271
272 // convert key to bytearray and convert input to bytearray
273 for (i = 0; i < 32; i += 2) {
274 sscanf(&p_encTxt[i], "%02x", (unsigned int *)&indata[i / 2]);
275 sscanf(&p_key[i], "%02x", (unsigned int *)&aes_key[i / 2]);
276 }
277
278 aes_context ctx;
279 aes_init(&ctx);
280 aes_setkey_dec(&ctx, aes_key, 128);
281 aes_crypt_cbc(&ctx,AES_DECRYPT,sizeof(indata), iv, indata,outdata );
282 //Push decrypted array as a string
283 lua_pushlstring(L,(const char *)&outdata, sizeof(outdata));
284 return 1;// return 1 to signal one return value
285 }
286 static int l_aes128decrypt_ecb(lua_State *L)
287 {
288 //Check number of arguments
289 int i;
290 size_t size;
291 const char *p_key = luaL_checklstring(L, 1, &size);
292 if(size != 32) return returnToLuaWithError(L,"Wrong size of key, got %d bytes, expected 32", (int) size);
293
294 const char *p_encTxt = luaL_checklstring(L, 2, &size);
295
296 unsigned char indata[16] = {0x00};
297 unsigned char outdata[16] = {0x00};
298 unsigned char aes_key[16] = {0x00};
299
300 // convert key to bytearray and convert input to bytearray
301 for (i = 0; i < 32; i += 2) {
302 sscanf(&p_encTxt[i], "%02x", (unsigned int *)&indata[i / 2]);
303 sscanf(&p_key[i], "%02x", (unsigned int *)&aes_key[i / 2]);
304 }
305 aes_context ctx;
306 aes_init(&ctx);
307 aes_setkey_dec(&ctx, aes_key, 128);
308 aes_crypt_ecb(&ctx, AES_DECRYPT, indata, outdata );
309
310 //Push decrypted array as a string
311 lua_pushlstring(L,(const char *)&outdata, sizeof(outdata));
312 return 1;// return 1 to signal one return value
313 }
314
315 static int l_aes128encrypt_cbc(lua_State *L)
316 {
317 //Check number of arguments
318 int i;
319 size_t size;
320 const char *p_key = luaL_checklstring(L, 1, &size);
321 if(size != 32) return returnToLuaWithError(L,"Wrong size of key, got %d bytes, expected 32", (int) size);
322
323 const char *p_txt = luaL_checklstring(L, 2, &size);
324
325 unsigned char indata[16] = {0x00};
326 unsigned char outdata[16] = {0x00};
327 unsigned char aes_key[16] = {0x00};
328 unsigned char iv[16] = {0x00};
329
330 for (i = 0; i < 32; i += 2) {
331 sscanf(&p_txt[i], "%02x", (unsigned int *)&indata[i / 2]);
332 sscanf(&p_key[i], "%02x", (unsigned int *)&aes_key[i / 2]);
333 }
334
335 aes_context ctx;
336 aes_init(&ctx);
337 aes_setkey_enc(&ctx, aes_key, 128);
338 aes_crypt_cbc(&ctx, AES_ENCRYPT, sizeof(indata), iv, indata, outdata );
339 //Push encrypted array as a string
340 lua_pushlstring(L,(const char *)&outdata, sizeof(outdata));
341 return 1;// return 1 to signal one return value
342 }
343
344 static int l_aes128encrypt_ecb(lua_State *L)
345 {
346 //Check number of arguments
347 int i;
348 size_t size;
349 const char *p_key = luaL_checklstring(L, 1, &size);
350 if(size != 32) return returnToLuaWithError(L,"Wrong size of key, got %d bytes, expected 32", (int) size);
351
352 const char *p_txt = luaL_checklstring(L, 2, &size);
353
354 unsigned char indata[16] = {0x00};
355 unsigned char outdata[16] = {0x00};
356 unsigned char aes_key[16] = {0x00};
357
358 for (i = 0; i < 32; i += 2) {
359 sscanf(&p_txt[i], "%02x", (unsigned int *)&indata[i / 2]);
360 sscanf(&p_key[i], "%02x", (unsigned int *)&aes_key[i / 2]);
361 }
362 aes_context ctx;
363 aes_init(&ctx);
364 aes_setkey_enc(&ctx, aes_key, 128);
365 aes_crypt_ecb(&ctx, AES_ENCRYPT, indata, outdata );
366 //Push encrypted array as a string
367 lua_pushlstring(L,(const char *)&outdata, sizeof(outdata));
368 return 1;// return 1 to signal one return value
369 }
370
371 static int l_crc16(lua_State *L)
372 {
373 size_t size;
374 const char *p_str = luaL_checklstring(L, 1, &size);
375
376 uint16_t retval = crc16_ccitt( (uint8_t*) p_str, size);
377 lua_pushinteger(L, (int) retval);
378 return 1;
379 }
380
381 static int l_crc64(lua_State *L)
382 {
383 size_t size;
384 uint64_t crc = 0;
385 unsigned char outdata[8] = {0x00};
386
387 const char *p_str = luaL_checklstring(L, 1, &size);
388
389 crc64( (uint8_t*) p_str, size, &crc);
390
391 outdata[0] = (uint8_t)(crc >> 56) & 0xff;
392 outdata[1] = (uint8_t)(crc >> 48) & 0xff;
393 outdata[2] = (uint8_t)(crc >> 40) & 0xff;
394 outdata[3] = (uint8_t)(crc >> 32) & 0xff;
395 outdata[4] = (uint8_t)(crc >> 24) & 0xff;
396 outdata[5] = (uint8_t)(crc >> 16) & 0xff;
397 outdata[6] = (uint8_t)(crc >> 8) & 0xff;
398 outdata[7] = crc & 0xff;
399 lua_pushlstring(L,(const char *)&outdata, sizeof(outdata));
400 return 1;
401 }
402
403 static int l_sha1(lua_State *L)
404 {
405 size_t size;
406 const char *p_str = luaL_checklstring(L, 1, &size);
407 unsigned char outdata[20] = {0x00};
408 sha1( (uint8_t*) p_str, size, outdata);
409 lua_pushlstring(L,(const char *)&outdata, sizeof(outdata));
410 return 1;
411 }
412
413 /**
414 * @brief Sets the lua path to include "./lualibs/?.lua", in order for a script to be
415 * able to do "require('foobar')" if foobar.lua is within lualibs folder.
416 * Taken from http://stackoverflow.com/questions/4125971/setting-the-global-lua-path-variable-from-c-c
417 * @param L
418 * @param path
419 * @return
420 */
421 int setLuaPath( lua_State* L, const char* path )
422 {
423 lua_getglobal( L, "package" );
424 lua_getfield( L, -1, "path" ); // get field "path" from table at top of stack (-1)
425 const char* cur_path = lua_tostring( L, -1 ); // grab path string from top of stack
426 int requiredLength = strlen(cur_path)+ strlen(path)+10; //A few bytes too many, whatever we can afford it
427 char * buf = malloc(requiredLength);
428 snprintf(buf, requiredLength, "%s;%s", cur_path, path);
429 lua_pop( L, 1 ); // get rid of the string on the stack we just pushed on line 5
430 lua_pushstring( L, buf ); // push the new one
431 lua_setfield( L, -2, "path" ); // set the field "path" in table at -2 with value at top of stack
432 lua_pop( L, 1 ); // get rid of package table from top of stack
433 free(buf);
434 return 0; // all done!
435 }
436
437
438 int set_pm3_libraries(lua_State *L)
439 {
440
441 static const luaL_Reg libs[] = {
442 {"SendCommand", l_SendCommand},
443 {"WaitForResponseTimeout", l_WaitForResponseTimeout},
444 {"nonce2key", l_nonce2key},
445 //{"PrintAndLog", l_PrintAndLog},
446 {"foobar", l_foobar},
447 {"ukbhit", l_ukbhit},
448 {"clearCommandBuffer", l_clearCommandBuffer},
449 {"console", l_CmdConsole},
450 {"iso15693_crc", l_iso15693_crc},
451 {"iso14443b_crc", l_iso14443b_crc},
452 {"aes128_decrypt", l_aes128decrypt_cbc},
453 {"aes128_decrypt_ecb", l_aes128decrypt_ecb},
454 {"aes128_encrypt", l_aes128encrypt_cbc},
455 {"aes128_encrypt_ecb", l_aes128encrypt_ecb},
456 {"crc16", l_crc16},
457 {"crc64", l_crc64},
458 {"sha1", l_sha1},
459 {NULL, NULL}
460 };
461
462 lua_pushglobaltable(L);
463 // Core library is in this table. Contains '
464 //this is 'pm3' table
465 lua_newtable(L);
466
467 //Put the function into the hash table.
468 for (int i = 0; libs[i].name; i++) {
469 lua_pushcfunction(L, libs[i].func);
470 lua_setfield(L, -2, libs[i].name);//set the name, pop stack
471 }
472 //Name of 'core'
473 lua_setfield(L, -2, "core");
474
475 //-- remove the global environment table from the stack
476 lua_pop(L, 1);
477
478 //-- Last but not least, add to the LUA_PATH (package.path in lua)
479 // so we can load libraries from the ./lualib/ - directory
480 setLuaPath(L,"./lualibs/?.lua");
481
482 return 1;
483 }
Impressum, Datenschutz