
Reverse engineer gen_otp for task6

vladistan committed Jan 11, 2019
1 parent a9eecea commit e10b3191e93f168bd320f76127ca6700adfda399
Showing with 76 additions and 0 deletions.
  1. +37 −0 RunAllTests.cpp
  2. +37 −0 cid.c
  3. +2 −0 stubs.h
@@ -272,6 +272,43 @@ TEST(Task3, BinEncKey) {

}

TEST_GROUP(Task6) {
void setup() {
char otp[20];
_BYTE src[4] = {10, 0, 114, 22};
time_t ts = time(NULL);
ts = 1534166795;
gen_otp(ts, otp);
set_loc_data(src, otp);
}

void teardown() {}
};

TEST(Task6, MakeNewCID) {

const char *expotp = "206446";
char otpBuf[9];
_BYTE client_id_b[128];
char client_id_hx[128];
unsigned int localip = 0x12345678;

const char *expCid = "b784c8325a15d7b7d62d4ded79b86b08fd0cbc8ed0099fee200b55ef8791eae6";

bzero(client_id_b, sizeof(client_id_b));
bzero(client_id_hx, sizeof(client_id_hx));
bzero(otp, sizeof(otp));

bool n = cid(&localip, client_id_b, otpBuf);

bcvh(client_id_b, 32, (_BYTE *) client_id_hx, 65);


STRCMP_EQUAL(expotp, otpBuf);

}


TEST_GROUP(Task5) {
const char *CIDs[5];
const char *NegCIDs[5];
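Review bot: `TEST(Task6, MakeNewCID)` never asserts the client ID it is named for: `client_id_hx` is filled by `bcvh` and `expCid` is declared, but the only check is `STRCMP_EQUAL(expotp, otpBuf)`, and the return value `n` of `cid()` is unused. Adding `CHECK(n);` and `STRCMP_EQUAL(expCid, client_id_hx);` after the `bcvh` call would pin the result. The `bzero(otp, sizeof(otp))` line refers to `otp`, which in this hunk exists only as a local inside `setup()`. Unless a file-scope `otp` is declared outside the hunk, this was probably meant to be `bzero(otpBuf, sizeof(otpBuf));`, so that the string compare does not depend on `cid()` writing the terminator.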
37 cid.c
@@ -58,6 +58,43 @@ int c_hh(void *data, size_t data_len, void *sign, size_t sign_len) {
_BYTE locAddr[4];
_BYTE locOtp[20];

int get_totp_token(int ts, unsigned int *res )
{
__int64 scratch; // rsi
unsigned int v17; // eax
unsigned int reshuffle; // ecx
__int64 ts_shuffled; // [rsp+0h] [rbp-58h]
unsigned char sign[160]; // [rsp+10h] [rbp-48h]

const char *bKey;
unsigned int bKey_len; // ST1C_4
const EVP_MD *evp_md; // rax
int sign_len;

bzero(sign, sizeof(sign));
ts_shuffled = (__int64)htonl(ts / 30) << 32;

bKey = getBinEncKey(&bKey_len);

evp_md = EVP_sha1();
HMAC(evp_md, bKey, bKey_len, &ts_shuffled, 8, sign, &sign_len);

v17 = sign[19] & 0xF;
scratch = sign[v17 + 3];
reshuffle = ((sign[v17 + 1] << 16) + scratch + (sign[sign[19] & 0xF] << 24) + (sign[v17 + 2] << 8)) & 0x7FFFFFFF;
*res = reshuffle % 1000000;
return 1;
}

void gen_otp(time_t ts, char * otp)
{
unsigned int res;

get_totp_token(ts, &res);
snprintf(otp, 7, "%06d", res );

}

void set_loc_data(_BYTE* addr, const char* otp) {
memcpy(locAddr, addr, 4);
memcpy(locOtp, otp, 6);
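Review bot: In `get_totp_token` the truncation step shifts promoted `int` values, so `sign[sign[19] & 0xF] << 24` overflows a signed int whenever that byte is 0x80 or above; this is undefined behaviour even though the later `& 0x7FFFFFFF` hides it on common compilers. Masking first and working in unsigned keeps the same value: `reshuffle = ((unsigned int)(sign[v17] & 0x7F) << 24) | ((unsigned int)sign[v17 + 1] << 16) | ((unsigned int)sign[v17 + 2] << 8) | sign[v17 + 3];`. The same applies to `(__int64)htonl(ts / 30) << 32`, which should be built in an unsigned 64-bit type. `sign_len` is declared `int` but OpenSSL's `HMAC` takes an `unsigned int *`, and `gen_otp` prints the unsigned `res` with `%06d` where `%06u` matches. The results of `getBinEncKey` and `HMAC` are not checked and the function always returns 1, so a failed HMAC would still yield a token derived from the zeroed `sign` buffer.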
@@ -12,6 +12,8 @@ bool enc_ki(void *, long long int len);
bool dispatch_server_command(void *ptr, char *alias_3);
void set_loc_data(_BYTE *addr, const char *otp);

void gen_otp(time_t ts, char * otp);

void encByte(_BYTE src, _BYTE *dst);

#endif
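Review bot: The new `gen_otp` prototype takes no buffer length, yet the implementation in cid.c always writes up to seven bytes (six digits plus the terminator), so the size contract should be stated here where callers see it. A comment such as `/* otp must point to at least 7 bytes; receives a 6-digit, NUL-terminated code */` above the declaration would do. Whether stubs.h already includes `<time.h>` for `time_t` is not visible in this hunk and is worth confirming.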
