From ba39db376c12c945f3ba1bc0ad5b8cc188e21d6f Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Fri, 28 Oct 2016 16:37:01 +0200 Subject: [PATCH 1/1] CHG: just some parameter / variable name changes. Nuttin' special. --- client/cmdhf14a.c | 6 ++--- client/cmdhfmf.c | 12 ++++----- client/cmdhfmf.h | 2 +- client/cmdhfmfhard.c | 21 ++++++++------- client/nonce2key/nonce2key.c | 50 +++++++++++++++++------------------- client/nonce2key/nonce2key.h | 4 +-- 6 files changed, 47 insertions(+), 48 deletions(-) diff --git a/client/cmdhf14a.c b/client/cmdhf14a.c index c5585386..abb786f4 100644 --- a/client/cmdhf14a.c +++ b/client/cmdhf14a.c @@ -448,7 +448,7 @@ int CmdHF14ASim(const char *Cmd) { uint8_t uid[10] = {0,0,0,0,0,0,0,0,0,0}; int uidlen = 0; bool useUIDfromEML = TRUE; - bool showMaths = false; + bool verbose = false; while(param_getchar(Cmd, cmdp) != 0x00) { switch(param_getchar(Cmd, cmdp)) { @@ -481,7 +481,7 @@ int CmdHF14ASim(const char *Cmd) { break; case 'v': case 'V': - showMaths = true; + verbose = true; cmdp++; break; case 'x': @@ -520,7 +520,7 @@ int CmdHF14ASim(const char *Cmd) { if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break; memcpy( data, resp.d.asBytes, sizeof(data) ); - readerAttack(data, TRUE, showMaths); + readerAttack(data, TRUE, verbose); } return 0; } diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index ea73bf95..a840969e 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -1365,7 +1365,7 @@ int CmdHF14AMfChk(const char *Cmd) { #define ATTACK_KEY_COUNT 8 sector *k_sector = NULL; uint8_t k_sectorsCount = 16; -void readerAttack(nonces_t data[], bool setEmulatorMem, bool showMaths) { +void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose) { // initialize storage for found keys if (k_sector == NULL) @@ -1389,7 +1389,7 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool showMaths) { // We can probably skip this, mfkey32v2 is more reliable. #ifdef HFMF_TRYMFK32 - if (tryMfk32(data[i], &key)) { + if (tryMfk32(data[i], &key, verbose)) { PrintAndLog("Found Key%s for sector %02d: [%012"llx"]" , (data[i].keytype) ? "B" : "A" , data[i].sector @@ -1414,7 +1414,7 @@ void readerAttack(nonces_t data[], bool setEmulatorMem, bool showMaths) { } #endif //moebius attack - if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, showMaths)) { + if (tryMfk32_moebius(data[i+ATTACK_KEY_COUNT], &key, verbose)) { uint8_t sectorNum = data[i+ATTACK_KEY_COUNT].sector; uint8_t keyType = data[i+ATTACK_KEY_COUNT].keytype; @@ -1456,7 +1456,7 @@ int CmdHF14AMf1kSim(const char *Cmd) { bool errors = false; // If set to true, we should show our workings when doing NR_AR_ATTACK. - bool showMaths = false; + bool verbose = false; while(param_getchar(Cmd, cmdp) != 0x00) { switch(param_getchar(Cmd, cmdp)) { @@ -1491,7 +1491,7 @@ int CmdHF14AMf1kSim(const char *Cmd) { break; case 'v': case 'V': - showMaths = true; + verbose = true; cmdp++; break; case 'x': @@ -1533,7 +1533,7 @@ int CmdHF14AMf1kSim(const char *Cmd) { if ( (resp.arg[0] & 0xffff) != CMD_SIMULATE_MIFARE_CARD ) break; memcpy( data, resp.d.asBytes, sizeof(data) ); - readerAttack(data, setEmulatorMem, showMaths); + readerAttack(data, setEmulatorMem, verbose); } if (k_sector != NULL) { diff --git a/client/cmdhfmf.h b/client/cmdhfmf.h index d381a852..d9964261 100644 --- a/client/cmdhfmf.h +++ b/client/cmdhfmf.h @@ -60,6 +60,6 @@ int CmdHF14AMfCLoad(const char* cmd); int CmdHF14AMfCSave(const char* cmd); int CmdHf14MfDecryptBytes(const char *Cmd); -void readerAttack(nonces_t data[], bool setEmulatorMem, bool showMaths); +void readerAttack(nonces_t data[], bool setEmulatorMem, bool verbose); void printKeyTable( uint8_t sectorscnt, sector *e_sector ); #endif diff --git a/client/cmdhfmfhard.c b/client/cmdhfmfhard.c index cb234e03..fcf3a949 100644 --- a/client/cmdhfmfhard.c +++ b/client/cmdhfmfhard.c @@ -261,7 +261,10 @@ static double p_hypergeometric(uint16_t N, uint16_t K, uint16_t n, uint16_t k) for (int16_t i = N; i >= N-n+1; i--) { log_result -= log(i); } - return exp(log_result); + if ( log_result > 0 ) + return exp(log_result); + else + return 0.0; } else { if (n-k == N-K) { // special case. The published recursion below would fail with a divide by zero exception double log_result = 0.0; @@ -1313,7 +1316,7 @@ static bool generate_candidates(uint16_t sum_a0, uint16_t sum_a8) if (maximum_states == 0) return false; // prevent keyspace reduction error (2^-inf) - printf("Number of possible keys with Sum(a0) = %d: %"PRIu64" (2^%1.1f)\n", sum_a0, maximum_states, log(maximum_states)/log(2.0)); + printf("Number of possible keys with Sum(a0) = %d: %"PRIu64" (2^%1.1f)\n", sum_a0, maximum_states, log(maximum_states)/log(2)); init_statelist_cache(); @@ -1330,9 +1333,9 @@ static bool generate_candidates(uint16_t sum_a0, uint16_t sum_a8) // and eliminate the need to calculate the other part if (MIN(partial_statelist[p].len[ODD_STATE], partial_statelist[r].len[ODD_STATE]) < MIN(partial_statelist[q].len[EVEN_STATE], partial_statelist[s].len[EVEN_STATE])) { - add_matching_states(current_candidates, p, r, ODD_STATE); + add_matching_states(current_candidates, p, r, ODD_STATE); if(current_candidates->len[ODD_STATE]) { - add_matching_states(current_candidates, q, s, EVEN_STATE); + add_matching_states(current_candidates, q, s, EVEN_STATE); } else { current_candidates->len[EVEN_STATE] = 0; uint32_t *p = current_candidates->states[EVEN_STATE] = malloc(sizeof(uint32_t)); @@ -1364,7 +1367,7 @@ static bool generate_candidates(uint16_t sum_a0, uint16_t sum_a8) if (maximum_states == 0) return false; // prevent keyspace reduction error (2^-inf) - float kcalc = log(maximum_states)/log(2.0); + float kcalc = log(maximum_states)/log(2); printf("Number of remaining possible keys: %"PRIu64" (2^%1.1f)\n", maximum_states, kcalc); if (write_stats) { if (maximum_states != 0) { @@ -1706,7 +1709,7 @@ static bool brute_force(void) crypto1_bs_init(); PrintAndLog("Using %u-bit bitslices", MAX_BITSLICES); - PrintAndLog("Bitslicing best_first_byte^uid[3] (rollback byte): %02x...", best_first_bytes[0]^(cuid>>24)); + PrintAndLog("Bitslicing best_first_byte^uid[3] (rollback byte): %02X ...", best_first_bytes[0]^(cuid>>24)); // convert to 32 bit little-endian crypto1_bs_bitslice_value32((best_first_bytes[0]<<24)^cuid, bitsliced_rollback_byte, 8); @@ -1747,14 +1750,14 @@ static bool brute_force(void) } time(&end); - double elapsed_time = difftime(end, start); + unsigned long elapsed_time = difftime(end, start); if (keys_found && TestIfKeyExists(foundkey)) { - PrintAndLog("Success! Tested %"PRIu32" states, found %u keys after %.f seconds", total_states_tested, keys_found, elapsed_time); + PrintAndLog("Success! Tested %"PRIu32" states, found %u keys after %u seconds", total_states_tested, keys_found, elapsed_time); PrintAndLog("\nFound key: %012"PRIx64"\n", foundkey); ret = true; } else { - PrintAndLog("Fail! Tested %"PRIu32" states, in %.f seconds", total_states_tested, elapsed_time); + PrintAndLog("Fail! Tested %"PRIu32" states, in %u seconds", total_states_tested, elapsed_time); } // reset this counter for the next call diff --git a/client/nonce2key/nonce2key.c b/client/nonce2key/nonce2key.c index aeaecbe6..95c4cf5f 100644 --- a/client/nonce2key/nonce2key.c +++ b/client/nonce2key/nonce2key.c @@ -156,7 +156,7 @@ int nonce2key_ex(uint8_t blockno, uint8_t keytype, uint32_t uid, uint32_t nt, ui } // 32 bit recover key from 2 nonces -bool tryMfk32(nonces_t data, uint64_t *outputkey) { +bool tryMfk32(nonces_t data, uint64_t *outputkey, bool verbose) { struct Crypto1State *s,*t; uint64_t outkey = 0; uint64_t key=0; // recovered key @@ -166,22 +166,24 @@ bool tryMfk32(nonces_t data, uint64_t *outputkey) { uint32_t ar0_enc = data.ar; // first encrypted reader response uint32_t nr1_enc = data.nr2; // second encrypted reader challenge uint32_t ar1_enc = data.ar2; // second encrypted reader response - clock_t t1 = clock(); bool isSuccess = FALSE; uint8_t counter = 0; - - printf("Recovering key for:\n"); - printf(" uid: %08x\n",uid); - printf(" nt: %08x\n",nt); - printf(" {nr_0}: %08x\n",nr0_enc); - printf(" {ar_0}: %08x\n",ar0_enc); - printf(" {nr_1}: %08x\n",nr1_enc); - printf(" {ar_1}: %08x\n",ar1_enc); - - printf("\nLFSR succesors of the tag challenge:\n"); + + clock_t t1 = clock(); uint32_t p64 = prng_successor(nt, 64); - printf(" nt': %08x\n", p64); - printf(" nt'': %08x\n", prng_successor(p64, 32)); + + if ( verbose ) { + printf("Recovering key for:\n"); + printf(" uid: %08x\n",uid); + printf(" nt: %08x\n",nt); + printf(" {nr_0}: %08x\n",nr0_enc); + printf(" {ar_0}: %08x\n",ar0_enc); + printf(" {nr_1}: %08x\n",nr1_enc); + printf(" {ar_1}: %08x\n",ar1_enc); + printf("\nLFSR succesors of the tag challenge:\n"); + printf(" nt': %08x\n", p64); + printf(" nt'': %08x\n", prng_successor(p64, 32)); + } s = lfsr_recovery32(ar0_enc ^ p64, 0); @@ -193,7 +195,6 @@ bool tryMfk32(nonces_t data, uint64_t *outputkey) { crypto1_word(t, uid ^ nt, 0); crypto1_word(t, nr1_enc, 1); if (ar1_enc == (crypto1_word(t, 0, 0) ^ p64)) { - //PrintAndLog("Found Key: [%012"llx"]", key); outkey = key; ++counter; if (counter==20) break; @@ -208,7 +209,7 @@ bool tryMfk32(nonces_t data, uint64_t *outputkey) { return isSuccess; } -bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool showMaths) { +bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool verbose) { struct Crypto1State *s, *t; uint64_t outkey = 0; uint64_t key = 0; // recovered key @@ -222,8 +223,13 @@ bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool showMaths) { uint32_t ar1_enc = data.ar2; // second encrypted reader response bool isSuccess = FALSE; int counter = 0; + + clock_t t1 = clock(); + + uint32_t p640 = prng_successor(nt0, 64); + uint32_t p641 = prng_successor(nt1, 64); - if (showMaths) { + if (verbose) { printf("Recovering key for:\n"); printf(" uid: %08x\n", uid); printf(" nt_0: %08x\n", nt0); @@ -232,15 +238,6 @@ bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool showMaths) { printf(" nt_1: %08x\n", nt1); printf(" {nr_1}: %08x\n", nr1_enc); printf(" {ar_1}: %08x\n", ar1_enc); - } - - //PrintAndLog("Enter mfkey32_moebius"); - clock_t t1 = clock(); - - uint32_t p640 = prng_successor(nt0, 64); - uint32_t p641 = prng_successor(nt1, 64); - - if (showMaths) { printf("\nLFSR succesors of the tag challenge:\n"); printf(" nt': %08x\n", p640); printf(" nt'': %08x\n", prng_successor(p640, 32)); @@ -257,7 +254,6 @@ bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool showMaths) { crypto1_word(t, uid ^ nt1, 0); crypto1_word(t, nr1_enc, 1); if (ar1_enc == (crypto1_word(t, 0, 0) ^ p641)) { - //PrintAndLog("Found Key: [%012"llx"]",key); outkey=key; ++counter; if (counter==20) break; diff --git a/client/nonce2key/nonce2key.h b/client/nonce2key/nonce2key.h index b274feca..026b8cfc 100644 --- a/client/nonce2key/nonce2key.h +++ b/client/nonce2key/nonce2key.h @@ -27,8 +27,8 @@ extern int nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, extern int nonce2key_ex(uint8_t blockno, uint8_t keytype, uint32_t uid, uint32_t nt, uint32_t nr, uint64_t ks_info, uint64_t * key); //iceman, added these to be able to crack key direct from "hf 14 sim" && "hf mf sim" -bool tryMfk32(nonces_t data, uint64_t *outputkey ); -bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool showMaths ); // <<-- this one has best success +bool tryMfk32(nonces_t data, uint64_t *outputkey, bool verbose ); +bool tryMfk32_moebius(nonces_t data, uint64_t *outputkey, bool verbose); // <<-- this one has best success int tryMfk64_ex(uint8_t *data, uint64_t *outputkey ); int tryMfk64(uint32_t uid, uint32_t nt, uint32_t nr_enc, uint32_t ar_enc, uint32_t at_enc, uint64_t *outputkey); #endif -- 2.39.5