From b882b54314a484e2de70e55a5b820aa5b609a3b3 Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Tue, 16 Feb 2016 23:46:34 +0100 Subject: [PATCH] FIX: introduced a bug in a loop by uint8_t inside crapto1.c CHG: textual helptext change in "hf mf nested" CHG: loop inside "nested". Still not fast enough. I wonder if qsort can be exchanged for radixsort or bucket sort? --- client/cmdhfmf.c | 11 +++---- client/mifarehost.c | 61 ++++++++++++++++++-------------------- client/nonce2key/crapto1.c | 6 ++-- 3 files changed, 38 insertions(+), 40 deletions(-) diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 3142fcd8..6e665519 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -593,10 +593,11 @@ int CmdHF14AMfNested(const char *Cmd) PrintAndLog("t - transfer keys into emulator memory"); PrintAndLog("d - write keys to binary file"); PrintAndLog(" "); - PrintAndLog(" sample1: hf mf nested 1 0 A FFFFFFFFFFFF "); - PrintAndLog(" sample2: hf mf nested 1 0 A FFFFFFFFFFFF t "); - PrintAndLog(" sample3: hf mf nested 1 0 A FFFFFFFFFFFF d "); - PrintAndLog(" sample4: hf mf nested o 0 A FFFFFFFFFFFF 4 A"); + PrintAndLog(" samples:"); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF "); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF t "); + PrintAndLog(" hf mf nested 1 0 A FFFFFFFFFFFF d "); + PrintAndLog(" hf mf nested o 0 A FFFFFFFFFFFF 4 A"); return 0; } @@ -1125,7 +1126,7 @@ int CmdHF14AMfChk(const char *Cmd) clock_t t1 = clock(); // check keys. - for (trgKeyType = 0; trgKeyType < 2; ++trgKeyType) { + for (trgKeyType = !keyType; trgKeyType < 2; (keyType==2) ? (++trgKeyType) : (trgKeyType=2) ) { int b = blockNo; for (int i = 0; i < SectorsCnt; ++i) { diff --git a/client/mifarehost.c b/client/mifarehost.c index 3ab1b568..3aaf9e07 100644 --- a/client/mifarehost.c +++ b/client/mifarehost.c @@ -22,26 +22,26 @@ int compar_int(const void * a, const void * b) { //return (*(uint64_t*)b - *(uint64_t*)a); // better: - if (*(uint64_t*)b < *(uint64_t*)a) return -1; + /*if (*(uint64_t*)b < *(uint64_t*)a) return -1; if (*(uint64_t*)b > *(uint64_t*)a) return 1; return 0; - - //return (*(uint64_t*)b > *(uint64_t*)a) - (*(uint64_t*)b < *(uint64_t*)a); +*/ + return (*(uint64_t*)b > *(uint64_t*)a) - (*(uint64_t*)b < *(uint64_t*)a); } // Compare 16 Bits out of cryptostate int Compare16Bits(const void * a, const void * b) { +/* if ((*(uint64_t*)b & 0x00ff000000ff0000) < (*(uint64_t*)a & 0x00ff000000ff0000)) return -1; if ((*(uint64_t*)b & 0x00ff000000ff0000) > (*(uint64_t*)a & 0x00ff000000ff0000)) return 1; return 0; - - /*return +*/ + return ((*(uint64_t*)b & 0x00ff000000ff0000) > (*(uint64_t*)a & 0x00ff000000ff0000)) - ((*(uint64_t*)b & 0x00ff000000ff0000) < (*(uint64_t*)a & 0x00ff000000ff0000)) ; -*/ } typedef @@ -69,7 +69,7 @@ void* nested_worker_thread(void *arg) struct Crypto1State *p1; StateList_t *statelist = arg; - statelist->head.slhead = lfsr_recovery32(statelist->ks1, statelist->nt ^ statelist->uid); + statelist->head.slhead = lfsr_recovery32(statelist->ks1, statelist->nt ^ statelist->uid); for (p1 = statelist->head.slhead; *(uint64_t *)p1 != 0; p1++); @@ -97,8 +97,7 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo // error during nested if (resp.arg[0]) return resp.arg[0]; -// memcpy(&uid, resp.d.asBytes, 4); - uid = bytes_to_num(resp.d.asBytes, 4); + memcpy(&uid, resp.d.asBytes, 4); for (i = 0; i < 2; i++) { statelists[i].blockNo = resp.arg[2] & 0xff; @@ -185,34 +184,32 @@ int mfnested(uint8_t blockNo, uint8_t keyType, uint8_t * key, uint8_t trgBlockNo // uint32_t max_keys = keycnt > (USB_CMD_DATA_SIZE/6) ? (USB_CMD_DATA_SIZE/6) : keycnt; uint32_t numOfCandidates = statelists[0].len; - if ( numOfCandidates == 0 ) goto out; - - uint8_t *keyBlock = malloc(numOfCandidates*6); - if (keyBlock == NULL) return -6; + if ( numOfCandidates > 0 ) { - for (i = 0; i < numOfCandidates; ++i){ - crypto1_get_lfsr(statelists[0].head.slhead + i, &key64); - num_to_bytes(key64, 6, keyBlock + i * 6); - } + uint8_t keyBlock[USB_CMD_DATA_SIZE] = {0x00}; - if (!mfCheckKeys(statelists[0].blockNo, statelists[0].keyType, false, numOfCandidates, keyBlock, &key64)) { - free(statelists[0].head.slhead); - free(statelists[1].head.slhead); - free(keyBlock); - num_to_bytes(key64, 6, resultKey); + for (i = 0; i < numOfCandidates; ++i){ + crypto1_get_lfsr(statelists[0].head.slhead + i, &key64); + num_to_bytes(key64, 6, keyBlock + i * 6); + } - PrintAndLog("UID: %08x target block:%3u key type: %c -- Found key [%012"llx"]", - uid, - (uint16_t)resp.arg[2] & 0xff, - (resp.arg[2] >> 8) ? 'B' : 'A', - key64 - ); - return -5; + if (!mfCheckKeys(statelists[0].blockNo, statelists[0].keyType, false, numOfCandidates, keyBlock, &key64)) { + free(statelists[0].head.slhead); + free(statelists[1].head.slhead); + num_to_bytes(key64, 6, resultKey); + + PrintAndLog("UID: %08x target block:%3u key type: %c -- Found key [%012"llx"]", + uid, + (uint16_t)resp.arg[2] & 0xff, + (resp.arg[2] >> 8) ? 'B' : 'A', + key64 + ); + return -5; + } + } - -out: PrintAndLog("UID: %08x target block:%3u key type: %c", - uid, + uid, (uint16_t)resp.arg[2] & 0xff, (resp.arg[2] >> 8) ? 'B' : 'A' ); diff --git a/client/nonce2key/crapto1.c b/client/nonce2key/crapto1.c index 919820e9..f005a9e3 100644 --- a/client/nonce2key/crapto1.c +++ b/client/nonce2key/crapto1.c @@ -188,11 +188,11 @@ struct Crypto1State* lfsr_recovery32(uint32_t ks2, uint32_t in) recover(odd_head, odd_tail, oks, even_head, even_tail, eks, 11, statelist, in << 1, bucket); out: + for (uint32_t i = 0; i < 2; i++) + for (uint32_t j = 0; j <= 0xff; j++) + free(bucket[i][j].head); free(odd_head); free(even_head); - for (uint8_t i = 0; i < 2; i++) - for (uint8_t j = 0; j <= 0xff; j++) - free(bucket[i][j].head); return statelist; } -- 2.39.5