X-Git-Url: http://cvs.zerfleddert.de/cgi-bin/gitweb.cgi/proxmark3-svn/blobdiff_plain/f89c705002842291e39d000f27dbaea1ddd78917..9984b1735acccec9503494c02fccdeefb2dafd86:/client/nonce2key/crapto1.c?ds=inline

diff --git a/client/nonce2key/crapto1.c b/client/nonce2key/crapto1.c
index c0a158b5..13c4c063 100644
--- a/client/nonce2key/crapto1.c
+++ b/client/nonce2key/crapto1.c
@@ -31,29 +31,70 @@ static void __attribute__((constructor)) fill_lut()
 #define filter(x) (filterlut[(x) & 0xfffff])
 #endif
 
-static void quicksort(uint32_t* const start, uint32_t* const stop)
-{
-	uint32_t *it = start + 1, *rit = stop;
 
-	if(it > rit)
-		return;
 
-	while(it < rit)
-		if(*it <= *start)
-			++it;
-		else if(*rit > *start)
-			--rit;
-		else
-			*it ^= (*it ^= *rit, *rit ^= *it);
+typedef struct bucket {
+	uint32_t *head;
+	uint32_t *bp;
+} bucket_t;
+
+typedef bucket_t bucket_array_t[2][0x100];
+
+typedef struct bucket_info {
+	struct {
+		uint32_t *head, *tail;
+		} bucket_info[2][0x100];
+		uint32_t numbuckets;
+	} bucket_info_t;
 
-	if(*rit >= *start)
-		--rit;
-	if(rit != start)
-		*rit ^= (*rit ^= *start, *start ^= *rit);
 
-	quicksort(start, rit - 1);
-	quicksort(rit + 1, stop);
+static void bucket_sort_intersect(uint32_t* const estart, uint32_t* const estop,
+								  uint32_t* const ostart, uint32_t* const ostop,
+								  bucket_info_t *bucket_info, bucket_array_t bucket)
+{
+	uint32_t *p1, *p2;
+	uint32_t *start[2];
+	uint32_t *stop[2];
+
+	start[0] = estart;
+	stop[0] = estop;
+	start[1] = ostart;
+	stop[1] = ostop;
+
+	// init buckets to be empty
+	for (uint32_t i = 0; i < 2; i++) {
+		for (uint32_t j = 0x00; j <= 0xff; j++) {
+			bucket[i][j].bp = bucket[i][j].head;
+		}
+	}
+
+	// sort the lists into the buckets based on the MSB (contribution bits)
+	for (uint32_t i = 0; i < 2; i++) {
+		for (p1 = start[i]; p1 <= stop[i]; p1++) {
+			uint32_t bucket_index = (*p1 & 0xff000000) >> 24;
+			*(bucket[i][bucket_index].bp++) = *p1;
+		}
+	}
+
+
+	// write back intersecting buckets as sorted list.
+	// fill in bucket_info with head and tail of the bucket contents in the list and number of non-empty buckets.
+	uint32_t nonempty_bucket;
+	for (uint32_t i = 0; i < 2; i++) {
+		p1 = start[i];
+		nonempty_bucket = 0;
+		for (uint32_t j = 0x00; j <= 0xff; j++) {
+			if (bucket[0][j].bp != bucket[0][j].head && bucket[1][j].bp != bucket[1][j].head) { // non-empty intersecting buckets only
+				bucket_info->bucket_info[i][nonempty_bucket].head = p1;
+				for (p2 = bucket[i][j].head; p2 < bucket[i][j].bp; *p1++ = *p2++);
+				bucket_info->bucket_info[i][nonempty_bucket].tail = p1 - 1;
+				nonempty_bucket++;
+			}
+		}
+		bucket_info->numbuckets = nonempty_bucket;
+		}
 }
+
 /** binsearch
  * Binary search for the first occurence of *stop's MSB in sorted [start,stop]
  */
@@ -90,21 +131,28 @@ static inline void
 extend_table(uint32_t *tbl, uint32_t **end, int bit, int m1, int m2, uint32_t in)
 {
 	in <<= 24;
-	for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
-		if(filter(*tbl) ^ filter(*tbl | 1)) {
-			*tbl |= filter(*tbl) ^ bit;
-			update_contribution(tbl, m1, m2);
-			*tbl ^= in;
-		} else if(filter(*tbl) == bit) {
-			*++*end = tbl[1];
-			tbl[1] = tbl[0] | 1;
-			update_contribution(tbl, m1, m2);
-			*tbl++ ^= in;
-			update_contribution(tbl, m1, m2);
-			*tbl ^= in;
-		} else
-			*tbl-- = *(*end)--;
+
+	for(uint32_t *p = tbl; p <= *end; p++) {
+		*p <<= 1;
+		if(filter(*p) != filter(*p | 1)) {			 	// replace
+			*p |= filter(*p) ^ bit;
+			update_contribution(p, m1, m2);
+			*p ^= in;
+		} else if(filter(*p) == bit) {					// insert
+			*++*end = p[1];
+			p[1] = p[0] | 1;
+			update_contribution(p, m1, m2);
+			*p++ ^= in;
+			update_contribution(p, m1, m2);
+			*p ^= in;
+		} else {										// drop
+			*p-- = *(*end)--;
+	}
+	}
+
 }
+
+
 /** extend_table_simple
  * using a bit of the keystream extend the table of possible lfsr states
  */
@@ -112,23 +160,26 @@ static inline void
 extend_table_simple(uint32_t *tbl, uint32_t **end, int bit)
 {
 	for(*tbl <<= 1; tbl <= *end; *++tbl <<= 1)
-		if(filter(*tbl) ^ filter(*tbl | 1)) {
+		if(filter(*tbl) ^ filter(*tbl | 1)) {	// replace
 			*tbl |= filter(*tbl) ^ bit;
-		} else if(filter(*tbl) == bit) {
+		} else if(filter(*tbl) == bit) {		// insert
 			*++*end = *++tbl;
 			*tbl = tbl[-1] | 1;
-		} else
+		} else									// drop
 			*tbl-- = *(*end)--;
 }
+
+
 /** recover
  * recursively narrow down the search space, 4 bits of keystream at a time
  */
 static struct Crypto1State*
 recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,
 	uint32_t *e_head, uint32_t *e_tail, uint32_t eks, int rem,
-	struct Crypto1State *sl, uint32_t in)
+	struct Crypto1State *sl, uint32_t in, bucket_array_t bucket)
 {
-	uint32_t *o, *e, i;
+	uint32_t *o, *e;
+	bucket_info_t bucket_info;
 
 	if(rem == -1) {
 		for(e = e_head; e <= e_tail; ++e) {
@@ -136,13 +187,13 @@ recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,
 			for(o = o_head; o <= o_tail; ++o, ++sl) {
 				sl->even = *o;
 				sl->odd = *e ^ parity(*o & LF_POLY_ODD);
-				sl[1].odd = sl[1].even = 0;
 			}
 		}
+		sl->odd = sl->even = 0;
 		return sl;
 	}
 
-	for(i = 0; i < 4 && rem--; i++) {
+	for(uint32_t i = 0; i < 4 && rem--; i++) {
 		extend_table(o_head, &o_tail, (oks >>= 1) & 1,
 			LF_POLY_EVEN << 1 | 1, LF_POLY_ODD << 1, 0);
 		if(o_head > o_tail)
@@ -154,20 +205,13 @@ recover(uint32_t *o_head, uint32_t *o_tail, uint32_t oks,
 			return sl;
 	}
 
-	quicksort(o_head, o_tail);
-	quicksort(e_head, e_tail);
+	bucket_sort_intersect(e_head, e_tail, o_head, o_tail, &bucket_info, bucket);
 
-	while(o_tail >= o_head && e_tail >= e_head)
-		if(((*o_tail ^ *e_tail) >> 24) == 0) {
-			o_tail = binsearch(o_head, o = o_tail);
-			e_tail = binsearch(e_head, e = e_tail);
-			sl = recover(o_tail--, o, oks,
-				     e_tail--, e, eks, rem, sl, in);
-		}
-		else if(*o_tail > *e_tail)
-			o_tail = binsearch(o_head, o_tail) - 1;
-		else
-			e_tail = binsearch(e_head, e_tail) - 1;
+	for (int i = bucket_info.numbuckets - 1; i >= 0; i--) {
+		sl = recover(bucket_info.bucket_info[1][i].head, bucket_info.bucket_info[1][i].tail, oks,
+				     bucket_info.bucket_info[0][i].head, bucket_info.bucket_info[0][i].tail, eks,
+					 rem, sl, in, bucket);
+	}
 
 	return sl;
 }
@@ -183,6 +227,7 @@ struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in)
 	uint32_t *even_head = 0, *even_tail = 0, eks = 0;
 	int i;
 
+	// split the keystream into an odd and even part
 	for(i = 31; i >= 0; i -= 2)
 		oks = oks << 1 | BEBIT(ks2, i);
 	for(i = 30; i >= 0; i -= 2)
@@ -191,11 +236,22 @@ struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in)
 	odd_head = odd_tail = malloc(sizeof(uint32_t) << 21);
 	even_head = even_tail = malloc(sizeof(uint32_t) << 21);
 	statelist =  malloc(sizeof(struct Crypto1State) << 18);
-	if(!odd_tail-- || !even_tail-- || !statelist)
+	if(!odd_tail-- || !even_tail-- || !statelist) {
 		goto out;
-
+	}
 	statelist->odd = statelist->even = 0;
 
+	// allocate memory for out of place bucket_sort
+	bucket_array_t bucket;
+	for (uint32_t i = 0; i < 2; i++)
+		for (uint32_t j = 0; j <= 0xff; j++) {
+			bucket[i][j].head = malloc(sizeof(uint32_t)<<14);
+			if (!bucket[i][j].head) {
+				goto out;
+			}
+		}
+
+	// initialize statelists: add all possible states which would result into the rightmost 2 bits of the keystream
 	for(i = 1 << 20; i >= 0; --i) {
 		if(filter(i) == (oks & 1))
 			*++odd_tail = i;
@@ -203,18 +259,27 @@ struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in)
 			*++even_tail = i;
 	}
 
+	// extend the statelists. Look at the next 8 Bits of the keystream (4 Bit each odd and even):
 	for(i = 0; i < 4; i++) {
 		extend_table_simple(odd_head,  &odd_tail, (oks >>= 1) & 1);
 		extend_table_simple(even_head, &even_tail, (eks >>= 1) & 1);
 	}
 
-	in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00);
-	recover(odd_head, odd_tail, oks,
-		even_head, even_tail, eks, 11, statelist, in << 1);
+	// the statelists now contain all states which could have generated the last 10 Bits of the keystream.
+	// 22 bits to go to recover 32 bits in total. From now on, we need to take the "in"
+	// parameter into account.
+
+	in = (in >> 16 & 0xff) | (in << 16) | (in & 0xff00);		// Byte swapping
+
+	recover(odd_head, odd_tail, oks, even_head, even_tail, eks, 11, statelist, in << 1, bucket);
 
 out:
 	free(odd_head);
 	free(even_head);
+	for (uint32_t i = 0; i < 2; i++)
+		for (uint32_t j = 0; j <= 0xff; j++)
+			free(bucket[i][j].head);
+
 	return statelist;
 }
 
@@ -314,9 +379,12 @@ struct Crypto1State* lfsr_recovery64(uint32_t ks2, uint32_t ks3)
 void lfsr_rollback_bit(struct Crypto1State *s, uint32_t in, int fb)
 {
 	int out;
+	uint32_t tmp;
 
 	s->odd &= 0xffffff;
-	s->odd ^= (s->odd ^= s->even, s->even ^= s->odd);
+	tmp = s->odd;
+	s->odd = s->even;
+	s->even = tmp;
 
 	out = s->even & 1;
 	out ^= LF_POLY_EVEN & (s->even >>= 1);
@@ -413,7 +481,7 @@ uint32_t *lfsr_prefix_ks(uint8_t ks[8], int isodd)
  */
 static struct Crypto1State*
 brute_top(uint32_t prefix, uint32_t rresp, unsigned char parities[8][8],
-          uint32_t odd, uint32_t even, struct Crypto1State* sl)
+          uint32_t odd, uint32_t even, struct Crypto1State* sl, uint8_t no_chk)
 {
 	struct Crypto1State s;
 	uint32_t ks1, nr, ks2, rr, ks3, good, c;
@@ -421,17 +489,20 @@ brute_top(uint32_t prefix, uint32_t rresp, unsigned char parities[8][8],
 	for(c = 0; c < 8; ++c) {
 		s.odd = odd ^ fastfwd[1][c];
 		s.even = even ^ fastfwd[0][c];
-		
+
 		lfsr_rollback_bit(&s, 0, 0);
 		lfsr_rollback_bit(&s, 0, 0);
 		lfsr_rollback_bit(&s, 0, 0);
-		
+
 		lfsr_rollback_word(&s, 0, 0);
 		lfsr_rollback_word(&s, prefix | c << 5, 1);
-		
+
 		sl->odd = s.odd;
 		sl->even = s.even;
-	
+
+		if (no_chk)
+			break;
+
 		ks1 = crypto1_word(&s, prefix | c << 5, 1);
 		ks2 = crypto1_word(&s,0,0);
 		ks3 = crypto1_word(&s, 0,0);
@@ -450,7 +521,7 @@ brute_top(uint32_t prefix, uint32_t rresp, unsigned char parities[8][8],
 	}
 
 	return ++sl;
-} 
+}
 
 
 /** lfsr_common_prefix
@@ -462,8 +533,7 @@ brute_top(uint32_t prefix, uint32_t rresp, unsigned char parities[8][8],
  * It returns a zero terminated list of possible cipher states after the
  * tag nonce was fed in
  */
-struct Crypto1State*
-lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8])
+struct Crypto1State* lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8], uint8_t no_par)
 {
 	struct Crypto1State *statelist, *s;
 	uint32_t *odd, *even, *o, *e, top;
@@ -471,24 +541,92 @@ lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8])
 	odd = lfsr_prefix_ks(ks, 1);
 	even = lfsr_prefix_ks(ks, 0);
 
-	statelist = malloc((sizeof *statelist) << 20);
+	statelist = malloc((sizeof *statelist) << 21);	//how large should be?
 	if(!statelist || !odd || !even)
-                return 0;
-
+	{
+		free(statelist);
+		free(odd);
+		free(even);
+		return 0;
+	}
 
 	s = statelist;
-	for(o = odd; *o != 0xffffffff; ++o)
-		for(e = even; *e != 0xffffffff; ++e)
+	for(o = odd; *o != -1; ++o)
+		for(e = even; *e != -1; ++e)
 			for(top = 0; top < 64; ++top) {
 				*o = (*o & 0x1fffff) | (top << 21);
 				*e = (*e & 0x1fffff) | (top >> 3) << 21;
-				s = brute_top(pfx, rr, par, *o, *e, s);
+				s = brute_top(pfx, rr, par, *o, *e, s, no_par);
 			}
 
-	s->odd = s->even = 0;
+	s->odd = s->even = -1;
+	//printf("state count = %d\n",s-statelist);
 
 	free(odd);
 	free(even);
 
 	return statelist;
 }
+
+/*
+struct Crypto1State* lfsr_common_prefix(uint32_t pfx, uint32_t rr, uint8_t ks[8], uint8_t par[8][8], uint8_t no_par, uint32_t nt, uint32_t uid)
+{
+    long long int amount = 0;
+    struct Crypto1State *statelist, *s;
+    uint32_t *odd, *even, *o, *e, top;
+
+    odd = lfsr_prefix_ks(ks, 1);
+    even = lfsr_prefix_ks(ks, 0);
+
+    s = statelist = malloc((sizeof *statelist) << 20);
+    if(!s || !odd || !even) {
+		free(odd);
+		free(even);
+		free(statelist);
+		return 0;
+    }
+
+    char filename[50] = "archivo.txt";
+    sprintf(filename, "logs/%x.txt", nt);
+    PrintAndLog("Name: %s\n", filename);
+    FILE *file = fopen(filename,"w+");
+	if ( !file ) {
+		s->odd = s->even = 0;
+		free(odd);
+		free(even);
+		PrintAndLog("Failed to create file");
+		return 0;
+	}
+    PrintAndLog("Creating file... ");
+	uint32_t xored = uid^nt;
+	
+    int lastOdd = 0;
+    for(o = odd; *o + 1; ++o)
+        for(e = even; *e + 1; ++e)
+            for(top = 0; top < 64; ++top) {
+                *o += 1 << 21;
+                *e += (!(top & 7) + 1) << 21;
+
+                //added by MG
+                if(lastOdd != statelist->odd){
+					// Here I create a temporal crypto1 state, 
+					// where I load the odd and even state and work with it,
+					// in order not to interfere with regular mechanism, This is what I save to file
+					struct Crypto1State *state;
+                    lastOdd = state->odd = statelist->odd; state->even = statelist->even;
+                    lfsr_rollback_word(state,xored,0);
+                    fprintf(file,"%x %x \n",state->odd,state->even);
+                    amount++;
+                }
+                //s = check_pfx_parity(pfx, rr, par, *o, *e, s); //This is not useful at all when attacking chineese cards
+				s = brute_top(pfx, rr, par, *o, *e, s, no_par); 
+            }
+
+	PrintAndLog("File created, amount %u\n",amount);
+	fclose(file);
+	s->odd = s->even = 0;
+	free(odd);
+	free(even);
+    return statelist;
+}
+ */