]> git.zerfleddert.de Git - proxmark3-svn/blobdiff - client/cmdhfmfhard.c
FIX: 'hf mf hardnested' @matrix https://github.com/iceman1001/proxmark3/commit/e0828...
[proxmark3-svn] / client / cmdhfmfhard.c
index acdea7158dab3eb7d035020caf55c2eb6860c0be..1f739dc46c3babf9af6d603659b017360745efcc 100644 (file)
@@ -1,6 +1,7 @@
 //-----------------------------------------------------------------------------
 // Copyright (C) 2015 piwi
 // fiddled with 2016 Azcid (hardnested bitsliced Bruteforce imp)
+// fiddled with 2016 Matrix ( sub testing of nonces while collecting )
 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
 // at your option, any later version. See the LICENSE.txt file for the text of
 // the license.
 //   Mifare Classic Cards" in Proceedings of the 22nd ACM SIGSAC Conference on 
 //   Computer and Communications Security, 2015
 //-----------------------------------------------------------------------------
-
-#include <stdlib.h> 
-#include <stdio.h>
-#include <string.h>
-#include <pthread.h>
-#include <locale.h>
-#include <math.h>
-#include "proxmark3.h"
-#include "cmdmain.h"
-#include "ui.h"
-#include "util.h"
-#include "nonce2key/crapto1.h"
-#include "nonce2key/crypto1_bs.h"
-#include "parity.h"
-#ifdef __WIN32
-       #include <windows.h>
-#endif
-// don't include for APPLE/mac which has malloc stuff elsewhere.
-#ifndef __APPLE__
-       #include <malloc.h>
-#endif
-#include <assert.h>
+#include "cmdhfmfhard.h"
 
 #define CONFIDENCE_THRESHOLD   0.95            // Collect nonces until we are certain enough that the following brute force is successfull
-#define GOOD_BYTES_REQUIRED            13          // default 28, could be smaller == faster
+#define GOOD_BYTES_REQUIRED    13              // default 28, could be smaller == faster
+#define NONCES_THRESHOLD       5000            // every N nonces check if we can crack the key
+#define CRACKING_THRESHOLD     38.00f          // as 2^38
 
 #define END_OF_LIST_MARKER             0xFFFFFFFF
 
@@ -132,6 +114,11 @@ static partial_indexed_statelist_t partial_statelist[17];
 static partial_indexed_statelist_t statelist_bitflip;
 static statelist_t *candidates = NULL;
 
+bool field_off = false;
+
+static bool generate_candidates(uint16_t, uint16_t);
+static bool brute_force(void);
+
 static int add_nonce(uint32_t nonce_enc, uint8_t par_enc) 
 {
        uint8_t first_byte = nonce_enc >> 24;
@@ -293,6 +280,8 @@ static float sum_probability(uint16_t K, uint16_t n, uint16_t k)
        if (k > K || p_K[K] == 0.0) return 0.0;
 
        double p_T_is_k_when_S_is_K = p_hypergeometric(N, K, n, k);
+       if (p_T_is_k_when_S_is_K == 0.0) return 0.0;
+
        double p_S_is_K = p_K[K];
        double p_T_is_k = 0;
        for (uint16_t i = 0; i <= 256; i++) {
@@ -300,10 +289,10 @@ static float sum_probability(uint16_t K, uint16_t n, uint16_t k)
                        p_T_is_k += p_K[i] * p_hypergeometric(N, i, n, k);
                }
        }
+       if (p_T_is_k == 0.0) return 0.0;
        return(p_T_is_k_when_S_is_K * p_S_is_K / p_T_is_k);
 }
 
-       
 static inline uint_fast8_t common_bits(uint_fast8_t bytes_diff) 
 {
        static const uint_fast8_t common_bits_LUT[256] = {
@@ -505,7 +494,7 @@ static void sort_best_first_bytes(void)
                        }
                }
                        best_first_bytes[j] = i;
-               }
+       }
 
        // determine how many are above the CONFIDENCE_THRESHOLD
        uint16_t num_good_nonces = 0;
@@ -568,9 +557,11 @@ static void sort_best_first_bytes(void)
        }       
 
        // swap best possible first byte to the pole position
+       if (best_first_byte != 0) {
        uint16_t temp = best_first_bytes[0];
        best_first_bytes[0] = best_first_bytes[best_first_byte];
        best_first_bytes[best_first_byte] = temp;
+       }
        
 }
 
@@ -732,7 +723,7 @@ static void simulate_acquire_nonces()
                        if (total_num_nonces > next_fivehundred) {
                                next_fivehundred = (total_num_nonces/500+1) * 500;
                                printf("Acquired %5d nonces (%5d with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > %1.1f%%: %d\n",
-                                       total_num_nonces, 
+                                       total_num_nonces,
                                        total_added_nonces,
                                        CONFIDENCE_THRESHOLD * 100.0,
                                        num_good_first_bytes);
@@ -756,7 +747,6 @@ static int acquire_nonces(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_
 {
        clock_t time1 = clock();
        bool initialize = true;
-       bool field_off = false;
        bool finished = false;
        bool filter_flip_checked = false;
        uint32_t flags = 0;
@@ -764,31 +754,37 @@ static int acquire_nonces(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_
        uint32_t total_num_nonces = 0;
        uint32_t next_fivehundred = 500;
        uint32_t total_added_nonces = 0;
+       uint32_t idx = 1;
        FILE *fnonces = NULL;
        UsbCommand resp;
-
-       printf("Acquiring nonces...\n");
+       field_off = false;
+       UsbCommand c = {CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, 0}};
+       memcpy(c.d.asBytes, key, 6);
        
-       clearCommandBuffer();
-
+       printf("Acquiring nonces...\n");
        do {
                flags = 0;
                flags |= initialize ? 0x0001 : 0;
                flags |= slow ? 0x0002 : 0;
                flags |= field_off ? 0x0004 : 0;
-               UsbCommand c = {CMD_MIFARE_ACQUIRE_ENCRYPTED_NONCES, {blockNo + keyType * 0x100, trgBlockNo + trgKeyType * 0x100, flags}};
-               memcpy(c.d.asBytes, key, 6);
-
+               c.arg[2] = flags;
+               clearCommandBuffer();
                SendCommand(&c);
                
-               if (field_off) finished = true;
-               
-               if (initialize) {
-                       if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) return 1;
-                       if (resp.arg[0]) return resp.arg[0];  // error during nested_hard
+               if (field_off) break;
 
+               if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) {
+                       if (fnonces) fclose(fnonces);
+                       return 1;
+               }
+               if (resp.arg[0]) {
+                       if (fnonces) fclose(fnonces);
+                       return resp.arg[0];  // error during nested_hard
+               }
+                       
+               if (initialize) {
+                       // global var CUID
                        cuid = resp.arg[1];
-                       // PrintAndLog("Acquiring nonces for CUID 0x%08x", cuid); 
                        if (nonce_file_write && fnonces == NULL) {
                                if ((fnonces = fopen("nonces.bin","wb")) == NULL) { 
                                        PrintAndLog("Could not create file nonces.bin");
@@ -799,73 +795,65 @@ static int acquire_nonces(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_
                                fwrite(write_buf, 1, 4, fnonces);
                                fwrite(&trgBlockNo, 1, 1, fnonces);
                                fwrite(&trgKeyType, 1, 1, fnonces);
+                               fflush(fnonces);
                        }
+                       initialize = false;                     
                }
-
-               if (!initialize) {
-                       uint32_t nt_enc1, nt_enc2;
-                       uint8_t par_enc;
-                       uint16_t num_acquired_nonces = resp.arg[2];
-                       uint8_t *bufp = resp.d.asBytes;
-                       for (uint16_t i = 0; i < num_acquired_nonces; i+=2) {
-                               nt_enc1 = bytes_to_num(bufp, 4);
-                               nt_enc2 = bytes_to_num(bufp+4, 4);
-                               par_enc = bytes_to_num(bufp+8, 1);
-                               
-                               //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc1, par_enc >> 4);
-                               total_added_nonces += add_nonce(nt_enc1, par_enc >> 4);
-                               //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc2, par_enc & 0x0f);
-                               total_added_nonces += add_nonce(nt_enc2, par_enc & 0x0f);
-                               
-                               if (nonce_file_write) {
-                                       fwrite(bufp, 1, 9, fnonces);
-                               }
-                               
-                               bufp += 9;
+               
+               uint32_t nt_enc1, nt_enc2;
+               uint8_t par_enc;
+               uint16_t num_acquired_nonces = resp.arg[2];
+               uint8_t *bufp = resp.d.asBytes;
+               for (uint16_t i = 0; i < num_acquired_nonces; i+=2) {
+                       nt_enc1 = bytes_to_num(bufp, 4);
+                       nt_enc2 = bytes_to_num(bufp+4, 4);
+                       par_enc = bytes_to_num(bufp+8, 1);
+                       
+                       //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc1, par_enc >> 4);
+                       total_added_nonces += add_nonce(nt_enc1, par_enc >> 4);
+                       //printf("Encrypted nonce: %08x, encrypted_parity: %02x\n", nt_enc2, par_enc & 0x0f);
+                       total_added_nonces += add_nonce(nt_enc2, par_enc & 0x0f);
+                       
+                       if (nonce_file_write && fnonces) {
+                               fwrite(bufp, 1, 9, fnonces);
+                               fflush(fnonces);
                        }
-
-                       total_num_nonces += num_acquired_nonces;
+                       bufp += 9;
                }
-               
-               if (first_byte_num == 256 ) {
-                       // printf("first_byte_num = %d, first_byte_Sum = %d\n", first_byte_num, first_byte_Sum);
+               total_num_nonces += num_acquired_nonces;
+
+               if (first_byte_num == 256) {
+
                        if (!filter_flip_checked) {
                                Check_for_FilterFlipProperties();
                                filter_flip_checked = true;
                        }
+
                        num_good_first_bytes = estimate_second_byte_sum();
+
                        if (total_num_nonces > next_fivehundred) {
                                next_fivehundred = (total_num_nonces/500+1) * 500;
-                               printf("Acquired %5d nonces (%5d with distinct bytes 0 and 1). Number of bytes with probability for correctly guessed Sum(a8) > %1.1f%%: %d\n",
-                                       total_num_nonces, 
+                               printf("Acquired %5d nonces (%5d/%5d with distinct bytes 0,1). #bytes with probability for correctly guessed Sum(a8) > %1.1f%%: %d\n",
+                                       total_num_nonces,
                                        total_added_nonces,
+                                       NONCES_THRESHOLD * idx,
                                        CONFIDENCE_THRESHOLD * 100.0,
                                        num_good_first_bytes);
                        }
-                       if (num_good_first_bytes >= GOOD_BYTES_REQUIRED) {
-                               field_off = true;       // switch off field with next SendCommand and then finish
-                       }
-               }
 
-               if (!initialize) {
-                       if (!WaitForResponseTimeout(CMD_ACK, &resp, 3000)) {
-                               fclose(fnonces);
-                               return 1;
-                       }
-                       if (resp.arg[0]) {
-                               fclose(fnonces);
-                               return resp.arg[0];  // error during nested_hard
+                       if (total_added_nonces >= (NONCES_THRESHOLD * idx) && num_good_first_bytes > 0 ) {
+                               bool cracking = generate_candidates(first_byte_Sum, nonces[best_first_bytes[0]].Sum8_guess);
+                               if (cracking || known_target_key != -1) {
+                                       field_off = brute_force(); // switch off field with next SendCommand and then finish
+                               }
+                               idx++;
                        }
                }
 
-               initialize = false;
-
        } while (!finished);
 
-       
-       if (nonce_file_write) {
+       if (nonce_file_write && fnonces)
                fclose(fnonces);
-       }
        
        time1 = clock() - time1;
        if ( time1 > 0 ) {
@@ -881,7 +869,8 @@ static int acquire_nonces(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_
 static int init_partial_statelists(void)
 {
        const uint32_t sizes_odd[17] = { 126757, 0, 18387, 0, 74241, 0, 181737, 0, 248801, 0, 182033, 0, 73421, 0, 17607, 0, 125601 };
-       const uint32_t sizes_even[17] = { 125723, 0, 17867, 0, 74305, 0, 178707, 0, 248801, 0, 185063, 0, 73356, 0, 18127, 0, 126634 };
+//     const uint32_t sizes_even[17] = { 125723, 0, 17867, 0, 74305, 0, 178707, 0, 248801, 0, 185063, 0, 73356, 0, 18127, 0, 126634 };
+       const uint32_t sizes_even[17] = { 125723, 0, 17867, 0, 74305, 0, 178707, 0, 248801, 0, 185063, 0, 73357, 0, 18127, 0, 126635 };
        
        printf("Allocating memory for partial statelists...\n");
        for (odd_even_t odd_even = EVEN_STATE; odd_even <= ODD_STATE; odd_even++) {
@@ -1169,7 +1158,7 @@ static int add_matching_states(statelist_t *candidates, uint16_t part_sum_a0, ui
        for (uint32_t *p1 = partial_statelist[part_sum_a0].states[odd_even]; *p1 != END_OF_LIST_MARKER; p1++) {
                uint32_t search_mask = 0x000ffff0;
                uint32_t *p2 = find_first_state((*p1 << 4), search_mask, &partial_statelist[part_sum_a8], odd_even);
-               if (p2 != NULL) {
+               if (p1 != NULL && p2 != NULL) {
                        while (((*p1 << 4) & search_mask) == (*p2 & search_mask) && *p2 != END_OF_LIST_MARKER) {
                                if ((nonces[best_first_bytes[0]].BitFlip[odd_even] && find_first_state((*p1 << 4) | *p2, 0x000fffff, &statelist_bitflip, 0))
                                        || !nonces[best_first_bytes[0]].BitFlip[odd_even]) {
@@ -1207,6 +1196,8 @@ static statelist_t *add_more_candidates(statelist_t *current_candidates)
        } else {
                new_candidates = current_candidates->next = (statelist_t *)malloc(sizeof(statelist_t));
        }
+       if (!new_candidates) return NULL;
+
        new_candidates->next = NULL;
        new_candidates->len[ODD_STATE] = 0;
        new_candidates->len[EVEN_STATE] = 0;
@@ -1215,7 +1206,7 @@ static statelist_t *add_more_candidates(statelist_t *current_candidates)
        return new_candidates;
 }
 
-static void TestIfKeyExists(uint64_t key)
+static bool TestIfKeyExists(uint64_t key)
 {
        struct Crypto1State *pcs;
        pcs = crypto1_create(key);
@@ -1224,7 +1215,7 @@ static void TestIfKeyExists(uint64_t key)
        uint32_t state_odd = pcs->odd & 0x00ffffff;
        uint32_t state_even = pcs->even & 0x00ffffff;
        //printf("Tests: searching for key %llx after first byte 0x%02x (state_odd = 0x%06x, state_even = 0x%06x) ...\n", key, best_first_bytes[0], state_odd, state_even);
-       
+       printf("Validating keysearch space\n");
        uint64_t count = 0;
        for (statelist_t *p = candidates; p != NULL; p = p->next) {
                bool found_odd = false;
@@ -1246,7 +1237,7 @@ static void TestIfKeyExists(uint64_t key)
                }
                count += (p_odd - p->states[ODD_STATE]) * (p_even - p->states[EVEN_STATE]);
                if (found_odd && found_even) {
-                       PrintAndLog("Key Found after testing %lld (2^%1.1f) out of %lld (2^%1.1f) keys. ", 
+                       PrintAndLog("Key Found after testing %llu (2^%1.1f) out of %lld (2^%1.1f) keys.", 
                                count,
                                log(count)/log(2), 
                                maximum_states,
@@ -1256,7 +1247,7 @@ static void TestIfKeyExists(uint64_t key)
                                fprintf(fstats, "1\n");
                        }
                        crypto1_destroy(pcs);
-                       return;
+                       return true;
                }
        }
 
@@ -1265,9 +1256,11 @@ static void TestIfKeyExists(uint64_t key)
                fprintf(fstats, "0\n");
        }
        crypto1_destroy(pcs);
+
+       return false;
 }
 
-static void generate_candidates(uint16_t sum_a0, uint16_t sum_a8)
+static bool generate_candidates(uint16_t sum_a0, uint16_t sum_a8)
 {
        printf("Generating crypto1 state candidates... \n");
        
@@ -1281,26 +1274,30 @@ static void generate_candidates(uint16_t sum_a0, uint16_t sum_a8)
                        }
                }
        }
-       printf("Number of possible keys with Sum(a0) = %d: %"PRIu64" (2^%1.1f)\n", sum_a0, maximum_states, log(maximum_states)/log(2.0));
+
+       if (maximum_states == 0) return false; // prevent keyspace reduction error (2^-inf)
+
+       printf("Number of possible keys with Sum(a0) = %d: %"PRIu64" (2^%1.1f)\n", sum_a0, maximum_states, log(maximum_states)/log(2));
        
        init_statelist_cache();
        
        for (uint16_t p = 0; p <= 16; p += 2) {
                for (uint16_t q = 0; q <= 16; q += 2) {
                        if (p*(16-q) + (16-p)*q == sum_a0) {
-                               printf("Reducing Partial Statelists (p,q) = (%d,%d) with lengths %d, %d\n", 
-                                               p, q, partial_statelist[p].len[ODD_STATE], partial_statelist[q].len[EVEN_STATE]);
+                               // printf("Reducing Partial Statelists (p,q) = (%d,%d) with lengths %d, %d\n", 
+                                               // p, q, partial_statelist[p].len[ODD_STATE], partial_statelist[q].len[EVEN_STATE]);
                                for (uint16_t r = 0; r <= 16; r += 2) {
                                        for (uint16_t s = 0; s <= 16; s += 2) {
                                                if (r*(16-s) + (16-r)*s == sum_a8) {
                                                        current_candidates = add_more_candidates(current_candidates);
+                                                       if (current_candidates != NULL) {
                                                        // check for the smallest partial statelist. Try this first - it might give 0 candidates 
                                                        // and eliminate the need to calculate the other part
                                                        if (MIN(partial_statelist[p].len[ODD_STATE], partial_statelist[r].len[ODD_STATE]) 
                                                                        < MIN(partial_statelist[q].len[EVEN_STATE], partial_statelist[s].len[EVEN_STATE])) { 
-                                                       add_matching_states(current_candidates, p, r, ODD_STATE);
+                                                               add_matching_states(current_candidates, p, r, ODD_STATE);
                                                                if(current_candidates->len[ODD_STATE]) {
-                                                       add_matching_states(current_candidates, q, s, EVEN_STATE);
+                                                                       add_matching_states(current_candidates, q, s, EVEN_STATE);
                                                                } else {
                                                                        current_candidates->len[EVEN_STATE] = 0;
                                                                        uint32_t *p = current_candidates->states[EVEN_STATE] = malloc(sizeof(uint32_t));
@@ -1324,20 +1321,28 @@ static void generate_candidates(uint16_t sum_a0, uint16_t sum_a8)
                        }
                }
        }                                       
+       }                                       
 
-       
        maximum_states = 0;
-       for (statelist_t *sl = candidates; sl != NULL; sl = sl->next) {
+       unsigned int n = 0;
+       for (statelist_t *sl = candidates; sl != NULL && n < 128; sl = sl->next, n++) {
                maximum_states += (uint64_t)sl->len[ODD_STATE] * sl->len[EVEN_STATE];
        }
-       printf("Number of remaining possible keys: %"PRIu64" (2^%1.1f)\n", maximum_states, log(maximum_states)/log(2.0));
+
+       if (maximum_states == 0) return false; // prevent keyspace reduction error (2^-inf)
+
+       float kcalc = log(maximum_states)/log(2);
+       printf("Number of remaining possible keys: %"PRIu64" (2^%1.1f)\n", maximum_states, kcalc);
        if (write_stats) {
                if (maximum_states != 0) {
-                       fprintf(fstats, "%1.1f;", log(maximum_states)/log(2.0));
+                       fprintf(fstats, "%1.1f;", kcalc);
                } else {
                        fprintf(fstats, "%1.1f;", 0.0);
                }
        }
+       if (kcalc < CRACKING_THRESHOLD) return true;
+
+       return false;
 }
 
 static void    free_candidates_memory(statelist_t *sl)
@@ -1361,10 +1366,11 @@ static void free_statelist_cache(void)
        }               
 }
 
+#define MAX_BUCKETS 128
 uint64_t foundkey = 0;
 size_t keys_found = 0;
 size_t bucket_count = 0;
-statelist_t* buckets[128];
+statelist_t* buckets[MAX_BUCKETS];
 size_t total_states_tested = 0;
 size_t thread_count = 4;
 
@@ -1474,7 +1480,7 @@ static const uint64_t crack_states_bitsliced(statelist_t *p){
         const bitslice_value_t odd_feedback = odd_feedback_bit ? bs_ones.value : bs_zeroes.value;
 
         for(size_t block_idx = 0; block_idx < bitsliced_blocks; ++block_idx){
-            const bitslice_t const * restrict bitsliced_even_state = bitsliced_even_states[block_idx];
+            const bitslice_t * const restrict bitsliced_even_state = bitsliced_even_states[block_idx];
             size_t state_idx;
             // set even bits
             for(state_idx = 0; state_idx < STATE_SIZE-ROLLBACK_SIZE; state_idx+=2){
@@ -1630,73 +1636,75 @@ static void* crack_states_thread(void* x){
     return NULL;
 }
 
-static void brute_force(void)
-{
+static bool brute_force(void) {
+       if (maximum_states == 0) return false; // prevent keyspace reduction error (2^-inf)
+               
+       bool ret = false;
        if (known_target_key != -1) {
                PrintAndLog("Looking for known target key in remaining key space...");
-               TestIfKeyExists(known_target_key);
+               ret = TestIfKeyExists(known_target_key);
        } else {
-        PrintAndLog("Brute force phase starting.");
-        time_t start, end;
-        time(&start);
-        keys_found = 0;
+               PrintAndLog("Brute force phase starting.");
+
+               clock_t time1 = clock();                
+               keys_found = 0;
                foundkey = 0;
-               
-        crypto1_bs_init();
 
-        PrintAndLog("Using %u-bit bitslices", MAX_BITSLICES);
-        PrintAndLog("Bitslicing best_first_byte^uid[3] (rollback byte): %02x...", best_first_bytes[0]^(cuid>>24));
-        // convert to 32 bit little-endian
+               crypto1_bs_init();
+
+               PrintAndLog("Using %u-bit bitslices", MAX_BITSLICES);
+               PrintAndLog("Bitslicing best_first_byte^uid[3] (rollback byte): %02X ...", best_first_bytes[0]^(cuid>>24));
+               // convert to 32 bit little-endian
                crypto1_bs_bitslice_value32((best_first_bytes[0]<<24)^cuid, bitsliced_rollback_byte, 8);
-                       
-        PrintAndLog("Bitslicing nonces...");
-        for(size_t tests = 0; tests < NONCE_TESTS; tests++){
-            uint32_t test_nonce = brute_force_nonces[tests]->nonce_enc;
-            uint8_t test_parity = brute_force_nonces[tests]->par_enc;
-            // pre-xor the uid into the decrypted nonces, and also pre-xor the cuid parity into the encrypted parity bits - otherwise an exta xor is required in the decryption routine
-            crypto1_bs_bitslice_value32(cuid^test_nonce, bitsliced_encrypted_nonces[tests], 32);
-            // convert to 32 bit little-endian
-            crypto1_bs_bitslice_value32(rev32( ~(test_parity ^ ~(parity(cuid>>24 & 0xff)<<3 | parity(cuid>>16 & 0xff)<<2 | parity(cuid>>8 & 0xff)<<1 | parity(cuid&0xff)))), bitsliced_encrypted_parity_bits[tests], 4);
+
+               PrintAndLog("Bitslicing nonces...");
+               for(size_t tests = 0; tests < NONCE_TESTS; tests++){
+                       uint32_t test_nonce = brute_force_nonces[tests]->nonce_enc;
+                       uint8_t test_parity = brute_force_nonces[tests]->par_enc;
+                       // pre-xor the uid into the decrypted nonces, and also pre-xor the cuid parity into the encrypted parity bits - otherwise an exta xor is required in the decryption routine
+                       crypto1_bs_bitslice_value32(cuid^test_nonce, bitsliced_encrypted_nonces[tests], 32);
+                       // convert to 32 bit little-endian
+                       crypto1_bs_bitslice_value32(rev32( ~(test_parity ^ ~(parity(cuid>>24 & 0xff)<<3 | parity(cuid>>16 & 0xff)<<2 | parity(cuid>>8 & 0xff)<<1 | parity(cuid&0xff)))), bitsliced_encrypted_parity_bits[tests], 4);
                }
-        total_states_tested = 0;
+               total_states_tested = 0;
 
-        // count number of states to go
-        bucket_count = 0;
-        for (statelist_t *p = candidates; p != NULL; p = p->next) {
-            buckets[bucket_count] = p;
-            bucket_count++;
-        }
+               // count number of states to go
+               bucket_count = 0;
+               for (statelist_t *p = candidates; p != NULL && bucket_count < MAX_BUCKETS; p = p->next) {
+                       buckets[bucket_count] = p;
+                       bucket_count++;
+               }
+               buckets[bucket_count] = NULL;
 
 #ifndef __WIN32
-        thread_count = sysconf(_SC_NPROCESSORS_CONF);
+               thread_count = sysconf(_SC_NPROCESSORS_CONF);
                if ( thread_count < 1)
                        thread_count = 1;
 #endif  /* _WIN32 */
 
-        pthread_t threads[thread_count];
-               
-        // enumerate states using all hardware threads, each thread handles one bucket
-        PrintAndLog("Starting %u cracking threads to search %u buckets containing a total of %"PRIu64" states...", thread_count, bucket_count, maximum_states);
-               
-        for(size_t i = 0; i < thread_count; i++){
-            pthread_create(&threads[i], NULL, crack_states_thread, (void*) i);
-        }
-        for(size_t i = 0; i < thread_count; i++){
-            pthread_join(threads[i], 0);
-        }
+               pthread_t threads[thread_count];
 
-        time(&end);            
-        double elapsed_time = difftime(end, start);
+               // enumerate states using all hardware threads, each thread handles one bucket
+               PrintAndLog("Starting %u cracking threads to search %u buckets containing a total of %"PRIu64" states...", thread_count, bucket_count, maximum_states);
 
-        if(keys_found){
-                       PrintAndLog("Success! Tested %"PRIu32" states, found %u keys after %.f seconds", total_states_tested, keys_found, elapsed_time);
-                       PrintAndLog("\nFound key: %012"PRIx64"\n", foundkey);
-        } else {
-                       PrintAndLog("Fail! Tested %"PRIu32" states, in %.f seconds", total_states_tested, elapsed_time);
+               for(size_t i = 0; i < thread_count; i++){
+                       pthread_create(&threads[i], NULL, crack_states_thread, (void*) i);
+               }
+               for(size_t i = 0; i < thread_count; i++){
+                       pthread_join(threads[i], 0);
                }
-        // reset this counter for the next call
-        nonces_to_bruteforce = 0;
+
+               time1 = clock() - time1;
+               PrintAndLog("\nTime for bruteforce %0.1f seconds.",((float)time1)/CLOCKS_PER_SEC);              
+               
+               if (keys_found && TestIfKeyExists(foundkey)) {
+                       PrintAndLog("\nFound key: %012"PRIx64"\n", foundkey);
+                       ret = true;
+               } 
+               // reset this counter for the next call
+               nonces_to_bruteforce = 0;
        }
+       return ret;
 }
 
 int mfnestedhard(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBlockNo, uint8_t trgKeyType, uint8_t *trgkey, bool nonce_file_read, bool nonce_file_write, bool slow, int tests) 
@@ -1737,15 +1745,28 @@ int mfnestedhard(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBloc
                        candidates = NULL;
                }
                fclose(fstats);
+               fstats = NULL;
        } else {
                init_nonce_memory();
-               if (nonce_file_read) {          // use pre-acquired data from file nonces.bin
+               if (nonce_file_read) { // use pre-acquired data from file nonces.bin
                        if (read_nonce_file() != 0) {
                                return 3;
                        }
                        Check_for_FilterFlipProperties();
                        num_good_first_bytes = MIN(estimate_second_byte_sum(), GOOD_BYTES_REQUIRED);
-               } else {                                        // acquire nonces.
+                       PrintAndLog("Number of first bytes with confidence > %2.1f%%: %d", CONFIDENCE_THRESHOLD*100.0, num_good_first_bytes);
+
+                       clock_t time1 = clock();
+                       bool cracking = generate_candidates(first_byte_Sum, nonces[best_first_bytes[0]].Sum8_guess);
+                       time1 = clock() - time1;
+                       if (time1 > 0)
+                               PrintAndLog("Time for generating key candidates list: %1.0f seconds", ((float)time1)/CLOCKS_PER_SEC);
+
+                       if (cracking || known_target_key != -1) {
+                               brute_force();
+                       }
+
+               } else { // acquire nonces.
                        uint16_t is_OK = acquire_nonces(blockNo, keyType, key, trgBlockNo, trgKeyType, nonce_file_write, slow);
                        if (is_OK != 0) {
                                return is_OK;
@@ -1753,36 +1774,10 @@ int mfnestedhard(uint8_t blockNo, uint8_t keyType, uint8_t *key, uint8_t trgBloc
                }
 
                //Tests();
-
-               //PrintAndLog("");
-               //PrintAndLog("Sum(a0) = %d", first_byte_Sum);
-               // PrintAndLog("Best 10 first bytes: %02x, %02x, %02x, %02x, %02x, %02x, %02x, %02x, %02x, %02x",
-                       // best_first_bytes[0],
-                       // best_first_bytes[1],
-                       // best_first_bytes[2],
-                       // best_first_bytes[3],
-                       // best_first_bytes[4],
-                       // best_first_bytes[5],
-                       // best_first_bytes[6],
-                       // best_first_bytes[7],
-                       // best_first_bytes[8],
-                       // best_first_bytes[9]  );
-               PrintAndLog("Number of first bytes with confidence > %2.1f%%: %d", CONFIDENCE_THRESHOLD*100.0, num_good_first_bytes);
-
-               clock_t time1 = clock();
-               generate_candidates(first_byte_Sum, nonces[best_first_bytes[0]].Sum8_guess);
-               time1 = clock() - time1;
-               if ( time1 > 0 )
-                       PrintAndLog("Time for generating key candidates list: %1.0f seconds", ((float)time1)/CLOCKS_PER_SEC);
-       
-               brute_force();
-               
                free_nonces_memory();
                free_statelist_cache();
                free_candidates_memory(candidates);
                candidates = NULL;
-       }       
+       }
        return 0;
 }
-
-
Impressum, Datenschutz