hf mf mifare:

[proxmark3-svn] / client / mifarehost.c

diff --git a/client/mifarehost.c b/client/mifarehost.c
index a01d3b5f0485bf43b6b0087bc40a81b357edf9de..471fbc4231745dc4a436995ae26e284d05e86488 100644 (file)
--- a/client/mifarehost.c
+++ b/client/mifarehost.c
@@ -73,13 +73,12 @@ static uint32_t intersection(uint64_t *list1, uint64_t *list2)
 \r
 \r
 // Darkside attack (hf mf mifare)\r
-static uint32_t nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_info, uint64_t ks_info, uint64_t **keys) {\r
+static uint32_t nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint32_t ar, uint64_t par_info, uint64_t ks_info, uint64_t **keys) {\r
        struct Crypto1State *states;\r
-       uint32_t i, pos, rr; //nr_diff;\r
+       uint32_t i, pos;\r
        uint8_t bt, ks3x[8], par[8][8];\r
        uint64_t key_recovered;\r
-       static uint64_t *keylist;\r
-       rr = 0;\r
+       uint64_t *keylist;\r
 \r
        // Reset the last three significant bits of the reader nonce\r
        nr &= 0xffffff1f;\r
@@ -92,7 +91,7 @@ static uint32_t nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_i
                }\r
        }\r
 \r
-       states = lfsr_common_prefix(nr, rr, ks3x, par, (par_info == 0));\r
+       states = lfsr_common_prefix(nr, ar, ks3x, par, (par_info == 0));\r
 \r
        if (states == NULL) {\r
                *keys = NULL;\r
@@ -116,7 +115,7 @@ static uint32_t nonce2key(uint32_t uid, uint32_t nt, uint32_t nr, uint64_t par_i
 int mfDarkside(uint64_t *key)\r
 {\r
        uint32_t uid = 0;\r
-       uint32_t nt = 0, nr = 0;\r
+       uint32_t nt = 0, nr = 0, ar = 0;\r
        uint64_t par_list = 0, ks_list = 0;\r
        uint64_t *keylist = NULL, *last_keylist = NULL;\r
        uint32_t keycount = 0;\r
@@ -159,18 +158,18 @@ int mfDarkside(uint64_t *key)
                                nt =  (uint32_t)bytes_to_num(resp.d.asBytes +  4, 4);\r
                                par_list = bytes_to_num(resp.d.asBytes +  8, 8);\r
                                ks_list = bytes_to_num(resp.d.asBytes +  16, 8);\r
-                               nr = bytes_to_num(resp.d.asBytes + 24, 4);\r
+                               nr = (uint32_t)bytes_to_num(resp.d.asBytes + 24, 4);\r
+                               ar = (uint32_t)bytes_to_num(resp.d.asBytes + 28, 4);\r
                                break;\r
                        }\r
                }\r
 \r
                if (par_list == 0 && c.arg[0] == true) {\r
                        PrintAndLog("Parity is all zero. Most likely this card sends NACK on every failed authentication.");\r
-                       PrintAndLog("Attack will take a few seconds longer because we need two consecutive successful runs.");\r
                }\r
                c.arg[0] = false;\r
 \r
-               keycount = nonce2key(uid, nt, nr, par_list, ks_list, &keylist);\r
+               keycount = nonce2key(uid, nt, nr, ar, par_list, ks_list, &keylist);\r
 \r
                if (keycount == 0) {\r
                        PrintAndLog("Key not found (lfsr_common_prefix list is null). Nt=%08x", nt);\r
@@ -201,9 +200,9 @@ int mfDarkside(uint64_t *key)
                        int size = keycount - i > max_keys ? max_keys : keycount - i;\r
                        for (int j = 0; j < size; j++) {\r
                                if (par_list == 0) {\r
-                                       num_to_bytes(last_keylist[i*max_keys + j], 6, keyBlock);\r
+                                       num_to_bytes(last_keylist[i*max_keys + j], 6, keyBlock+(j*6));\r
                                } else {\r
-                                       num_to_bytes(keylist[i*max_keys + j], 6, keyBlock);\r
+                                       num_to_bytes(keylist[i*max_keys + j], 6, keyBlock+(j*6));\r
                                }\r
                        }\r
                        if (!mfCheckKeys(0, 0, false, size, keyBlock, key)) {\r