
Segmentation Fault: SAK is 0x28 #72

Open
recolic opened this issue Jun 4, 2019 · 3 comments

Comments

recolic commented Jun 4, 2019

I ran autoreconf --install ; ./configure ; make, then gdb src/mfcuk, then run -C -R 0:A. Then it booms.

I tried run -C -R -1, run -C -R 0, and run -C -R 0 -s 250 -S 250. All of them boom at mfcuk.c:1512.

My mfcuk version: git-b333a7925a3be80d9496c88c9fef816777827a83

My libnfc version: libnfc 1.7.1+204+g4ae4cc8-1

Here are the gdb logs:

mfcuk - 0.3.8
Mifare Classic DarkSide Key Recovery Tool - 0.3
by Andrei Costin, [email protected], https://andreicostin.com

WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_skgt.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_ratb.mfd'
WARN: cannot open template file './data/tmpls_fingerprints/mfcuk_tmpl_oyster.mfd'
[New Thread 0x7ffff78f8700 (LWP 14154)]

INFO: Connected to NFC reader: ACS ACR122U 00 00 / ACR122U215


VERIFY: 
	Key A sectors: 0
Thread 1 "mfcuk" received signal SIGSEGV, Segmentation fault.
0x00000000004089ec in main (argc=4, argv=0x7fffffffd518) at mfcuk.c:1512
1512	      for (j = 0; (j < crntNumVerifKeys) && (ptr_trailer->abtAccessBits[action_byte] & ACTIONS_VERIFY) && !(ptr_trailer->abtAccessBits[result_byte] & ACTIONS_VERIFY); j++) {
(gdb) info locals 
crntVerifKey = 0
action_byte = 0 '\000'
crntVerifTagType = 40 '('
crntNumVerifKeys = 1
mp = {mpa = {abtKey = "\000\000\000\000\000", abtAuthUid = "\000\000\000"}, mpd = {abtData = '\000' <repeats 15 times>}, mpv = {abtValue = "\000\000\000"}}
result_byte = 1 '\001'
ch = -1
strOutputFilename = '\000' <repeats 255 times>
keyOpt = "\000\000\000\000\000"
uidOpt = "\000\000\000"
ptr_trailer = 0x8000ffff9fb3
ptr_trailer_dump = 0x0
sector = 0
block = 4294967295
action = 2 '\002'
specific_key_type = 96 '`'
max_sectors = 40 '('
iSleepAtFieldOFF = 10
iSleepAfterFieldON = 50
token = 0x0
sep = 0x40b398 ":"
str = 0x0
iter = 2
context = 0x110f8e0
pnd = 0x1123cb0
ti = {nti = {nai = {abtAtqa = "\004", btSak = 40 '(', szUidLen = 4, abtUid = "\025\070#\350\000\000\000\000\000", szAtsLen = 0, abtAts = '\000' <repeats 253 times>}, nfi = {szLen = 69730308, btResCode = 0 '\000', abtId = "\000\000\025\070#\350\000", 
      abtPad = "\000\000\000\000\000\000\000", abtSysCode = "\000"}, nbi = {abtPupi = "\004\000(\004", abtApplicationData = "\000\000\000", abtProtocolInfo = "\000\000", ui8CardIdentifier = 21 '\025'}, nii = {abtDIV = "\004\000(\004", 
      btVerLog = 0 '\000', btConfig = 0 '\000', szAtrLen = 2537801479767457792, abtAtr = "\350", '\000' <repeats 31 times>}, nsi = {abtUID = "\004\000(\004\000\000\000"}, nci = {abtUID = "\004\000(\004", btProdCode = 0 '\000', btFabCode = 0 '\000'}, 
    nji = {btSensRes = "\004", btId = "(\004\000"}, nti = {szDataLen = 69730308, abtData = "\000\000\000\025\070#\350", '\000' <repeats 24 times>}, ndi = {abtNFCID3 = "\004\000(\004\000\000\000\000\000", btDID = 0 '\000', btBS = 21 '\025', 
      btBR = 56 '8', btTO = 35 '#', btPP = 232 '\350', abtGB = '\000' <repeats 47 times>, szGB = 0, ndm = NDM_UNDEFINED}}, nm = {nmt = NMT_ISO14443A, nbr = NBR_106}}
uiErrCode = 0
ui64KeyRecovered = 0
dump_loaded_tag = {uid = 0, type = 0 '\000', datetime = '\000' <repeats 13 times>, description = '\000' <repeats 127 times>, tag_basic = {amb = {{mbm = {abtUID = "\000\000\000", btBCC = 0 '\000', btUnknown = 0 '\000', abtATQA = "\000", 
          abtUnknown = "\000\000\000\000\000\000\000"}, mbd = {abtData = '\000' <repeats 15 times>}, mbt = {abtKeyA = "\000\000\000\000\000", abtAccessBits = "\000\000\000", abtKeyB = "\000\000\000\000\000"}} <repeats 256 times>}}}
tag_on_reader = {uid = 356000744, type = 40 '(', datetime = '\000' <repeats 13 times>, description = '\000' <repeats 127 times>, tag_basic = {amb = {{mbm = {abtUID = "\025\070", <incomplete sequence \350>, btBCC = 0 '\000', btUnknown = 40 '(', 
          abtATQA = "\000", abtUnknown = "\000\000\000\000\000\000\000"}, mbd = {abtData = "\025\070#\350\000(\000\000\000\000\000\000\000\000\000"}, mbt = {abtKeyA = "\025\070#\350\000(", abtAccessBits = "\000\000\000", 
          abtKeyB = "\000\000\000\000\000"}}, {mbm = {abtUID = "\000\000\000", btBCC = 0 '\000', btUnknown = 0 '\000', abtATQA = "\000", abtUnknown = "\000\000\000\000\000\000\000"}, mbd = {abtData = '\000' <repeats 15 times>}, mbt = {
          abtKeyA = "\000\000\000\000\000", abtAccessBits = "\000\000\000", abtKeyB = "\000\000\000\000\000"}} <repeats 255 times>}}}
tag_recover_verify = {uid = 356000744, type = 40 '(', datetime = '\000' <repeats 13 times>, description = '\000' <repeats 127 times>, tag_basic = {amb = {{mbm = {abtUID = "\025\070", <incomplete sequence \350>, btBCC = 0 '\000', btUnknown = 40 '(', 
          abtATQA = "\000", abtUnknown = "\000\000\000\000\000\000\000"}, mbd = {abtData = "\025\070#\350\000(\000\000\000\000\000\000\000\000\000"}, mbt = {abtKeyA = "\025\070#\350\000(", abtAccessBits = "\000\000\000", 
          abtKeyB = "\000\000\000\000\000"}}, {mbm = {abtUID = "\000\000\000", btBCC = 0 '\000', btUnknown = 0 '\000', abtATQA = "\000", abtUnknown = "\000\000\000\000\000\000\000"}, mbd = {abtData = '\000' <repeats 15 times>}, mbt = {
          abtKeyA = "\000\000\000\000\000", abtAccessBits = "\000\000\000", abtKeyB = "\000\000\000\000\000"}}, {mbm = {abtUID = "\000\000\000", btBCC = 0 '\000', btUnknown = 0 '\000', abtATQA = "\000", abtUnknown = "\000\000\000\000\000\000\000"}, 
        mbd = {abtData = '\000' <repeats 15 times>}, mbt = {abtKeyA = "\000\000\000\000\000", abtAccessBits = "\000\000\000", abtKeyB = "\000\000\000\000\000"}}, {mbm = {abtUID = "\000\000\000", btBCC = 0 '\000', btUnknown = 0 '\000', abtATQA = "\002", 
          abtUnknown = "\000\000\000\000\000\000\000"}, mbd = {abtData = "\000\000\000\000\000\000\002\000\000\000\000\000\000\000\000"}, mbt = {abtKeyA = "\000\000\000\000\000", abtAccessBits = "\002\000\000", abtKeyB = "\000\000\000\000\000"}}, {
        mbm = {abtUID = "\000\000\000", btBCC = 0 '\000', btUnknown = 0 '\000', abtATQA = "\000", abtUnknown = "\000\000\000\000\000\000\000"}, mbd = {abtData = '\000' <repeats 15 times>}, mbt = {abtKeyA = "\000\000\000\000\000", 
          abtAccessBits = "\000\000\000", abtKeyB = "\000\000\000\000\000"}} <repeats 252 times>}}}
finger_tag = {amb = {{mbm = {abtUID = "\000\000\000", btBCC = 0 '\000', btUnknown = 0 '\000', abtATQA = "\000", abtUnknown = "\000\000\000\000\000\000\000"}, mbd = {abtData = '\000' <repeats 15 times>}, mbt = {abtKeyA = "\000\000\000\000\000", 
        abtAccessBits = "\000\000\000", abtKeyB = "\000\000\000\000\000"}} <repeats 256 times>}}
finger_score = 0
finger_score_highest = 0
finger_index_highest = 2
pm3_full_set_log = {0, 0, 0, 0, 0}
pm3_log_multisect_auth = 0
pm3_ks2 = 0
pm3_ks3 = 4294967295
pm3_revstate = 0x0
pm3_revstate_multisect_auth = 0x0
pm3_lfsr = 0
pm3_plfsr = 0x7fffffff8f08 ""
pm3_log_multisect_decrypted = "\000\000\000"
pm3_log_multisect_verified = "\000\000\000"
i = 0
j = 0
k = 96
st = 4203646
numDefKeys = 9
current_default_keys = 0x110f260
(gdb) print ptr_trailer->abtAccessBits[action_byte]
Cannot access memory at address 0x8000ffff9fb9
(gdb) print ptr_trailer->abtAccessBits[result_byte]
Cannot access memory at address 0x8000ffff9fba
(gdb) print ptr_trailer->abtAccessBits
Cannot access memory at address 0x8000ffff9fb9
(gdb) print ptr_trailer
$1 = (mifare_classic_block_trailer *) 0x8000ffff9fb3
(gdb) print ptr_trailer->abt
abtAccessBits  abtKeyA        abtKeyB        
(gdb) print ptr_trailer->abtKeyA
Cannot access memory at address 0x8000ffff9fb3

recolic commented Jun 5, 2019

Found the reason: crntVerifTagType is 0x28, so it is neither a valid IS_MIFARE_CLASSIC_1K nor IS_MIFARE_CLASSIC_4K. Then get_trailer_block_for_sector returns 0xffffffff, and everything booms.

recolic commented Jun 5, 2019

The gdb trace shows that tag_recover_verify.type is set at line 1467: tag_recover_verify.type = ti.nti.nai.btSak (0x28).
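The sentinel-as-index failure described in the two comments above, as an added C example that is not mfcuk's own code: a hypothetical trailer lookup that returns 0xffffffff for a SAK it does not recognise, and a checked caller that refuses to form a pointer from that value. The SAK constants, structure layouts and sector geometry are assumptions; 0x28 is the value from this issue, and the ptr_trailer value 0x8000ffff9fb3 in the dump is what a stack buffer plus 0xffffffff blocks of 16 bytes looks like.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed SAK values behind the IS_MIFARE_CLASSIC_1K / _4K checks named in the
   issue. The crashing tag reports 0x28 = 0x08 | 0x20 (the 0x20 bit signals
   ISO/IEC 14443-4 support), which an exact-match test does not recognise. */
#define SAK_MIFARE_CLASSIC_1K 0x08
#define SAK_MIFARE_CLASSIC_4K 0x18
#define TRAILER_BLOCK_INVALID 0xFFFFFFFFu
#define BLOCK_SIZE 16
#define MAX_BLOCKS 256
/* Hypothetical stand-ins for mfcuk's trailer and tag structures. */
typedef struct {
    uint8_t abtKeyA[6];
    uint8_t abtAccessBits[4];
    uint8_t abtKeyB[6];
} trailer_t;

typedef struct {
    uint8_t type;                           /* SAK byte copied from the tag */
    uint8_t blocks[MAX_BLOCKS][BLOCK_SIZE]; /* raw dump, one row per block */
} tag_t;

/* Trailer block index for a sector, or the sentinel when the tag type is not
   one the tool knows (the behaviour the reporter observed for SAK 0x28). */
uint32_t trailer_block_for_sector(uint8_t sak, uint32_t sector) {
    if (sak == SAK_MIFARE_CLASSIC_1K && sector < 16)
        return sector * 4 + 3;
    if (sak == SAK_MIFARE_CLASSIC_4K) {
        if (sector < 32) return sector * 4 + 3;                /* 4-block sectors */
        if (sector < 40) return 128 + (sector - 32) * 16 + 15; /* 16-block sectors */
    }
    return TRAILER_BLOCK_INVALID;
}

/* Hardened lookup: the crash came from using the sentinel as an array index,
   which put ptr_trailer far outside the dump. Reject it before forming a pointer. */
const trailer_t *get_trailer_checked(const tag_t *tag, uint32_t sector) {
    uint32_t block = trailer_block_for_sector(tag->type, sector);
    if (block == TRAILER_BLOCK_INVALID || block >= MAX_BLOCKS)
        return NULL;
    return (const trailer_t *)tag->blocks[block];
}

int main(void) {
    static tag_t tag = { .type = 0x28 }; /* constructed: the reporter's SAK */
    if (get_trailer_checked(&tag, 0) == NULL)
        fprintf(stderr, "unsupported SAK 0x%02x: refusing to verify sector 0\n", tag.type);
    return 0;
}
```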

@recolic recolic changed the title Segmentation Fault Segmentation Fault: tag_recover_verify.type is 0x28 Jun 5, 2019
@recolic recolic changed the title Segmentation Fault: tag_recover_verify.type is 0x28 Segmentation Fault: SAK is 0x28 Jun 5, 2019