Need help with reversing an old auth algo
twizzter:
Trying to reverse an obsolete device's auth algorithm which transforms 7-byte words into 8-byte responses.
At first look it does not look like an advanced crypto - I can see some patterns.
I am able to send any challenge and look at the response.
- algo is not rolling - same word will always output same response
- since it runs on an old embedded PIC16 platform I assumed simple math and bitwise operations like and, or, xor, mod, bit shifting. Polynomials/CRC maybe?
- it looks like the response consists of four "core" bytes (first+second and fifth+sixth), other four are derivatives from first by adding/subtracting values from input word
- I believe first byte of answer is generated from second, fourth and sixth byte of input
- input number order matters, for example 0102020 and 0201020 challenge will yield different output
What I tried already:
- simple add/multiply/xoring
- crcreveng - no champagne
- no matches on crccalc.com
Comm dump attached. Would appreciate any advice on tools/approaches regarding this riddle.
--- Code: ---
challenge response
0 0 0 0 0 0 0 EA C6 EA C6 4C E6 4C E6
0 0 0 0 0 0 1 EA F3 EA F3 4C 76 4C 77
0 0 0 0 0 0 2 EA 1C EA 1C 4C 56 4C 58
0 0 0 0 0 0 3 EA 79 EA 79 4C E6 4C E9
0 0 0 0 0 0 4 EA 7A EA 7A 4C 36 4C 3A
0 0 0 0 0 0 5 EA F7 EA F7 4C C6 4C CB
0 0 0 0 0 0 6 EA C0 EA C0 4C 26 4C 2C
0 0 0 0 0 0 7 EA 3D EA 3D 4C B6 4C BD
0 0 0 0 0 0 8 EA BE EA BE 4C 06 4C 0E
0 0 0 0 0 0 9 EA 8B EA 8B 4C 56 4C 5F
0 0 0 0 0 0 A EA 54 EA 54 4C F6 4C 00
0 0 0 0 0 0 B EA 31 EA 31 4C 46 4C 51
0 0 0 0 0 0 C EA 92 EA 92 4C 16 4C 22
0 0 0 0 0 0 D EA 4F EA 4F 4C 26 4C 33
0 0 0 0 0 0 E EA 58 EA 58 4C C6 4C D4
0 0 0 0 0 0 F EA 55 EA 55 4C D6 4C E5
0 0 0 0 0 0 10 EA 56 EA 56 4C 66 4C 76
0 0 0 0 0 1 0 D3 86 D3 86 68 89 69 89
0 0 0 0 0 2 0 78 3D 78 3D D4 52 D6 52
0 0 0 0 0 3 0 41 37 41 37 40 E2 43 E2
0 0 0 0 0 4 0 56 39 56 39 EC 14 F0 14
0 0 0 0 0 5 0 DF 7F DF 7F E8 91 ED 91
0 0 0 0 0 6 0 64 DE 64 DE B4 FF BA FF
0 0 0 0 0 7 0 FD 63 FD 63 C0 26 C7 26
0 0 0 0 0 8 0 B2 90 B2 90 AC E3 B4 E3
0 0 0 0 0 9 0 3B DE 3B DE 08 12 11 12
0 0 0 0 0 A 0 80 47 80 47 74 A6 7E A6
0 0 0 0 0 B 0 A9 D1 A9 D1 20 F1 2B F1
0 0 0 0 0 C 0 1E E0 1E E0 CC 73 D8 73
0 0 0 0 0 D 0 87 3F 87 3F 48 5A 55 5A
0 0 0 0 0 E 0 2C CB 2C CB D4 C8 E2 C8
0 0 0 0 0 F 0 C5 E2 C5 E2 E0 D7 EF D7
0 0 0 0 0 10 0 9A 0E 9A 0E 4C B3 5C B3
0 0 0 0 1 0 0 EA F3 EA F3 4C 77 4C 76
0 0 0 0 2 0 0 EA 1C EA 1C 4C 58 4C 56
0 0 0 0 3 0 0 EA 79 EA 79 4C E9 4C E6
0 0 0 0 4 0 0 EA F7 EA F7 4C CB 4C C6
0 0 0 0 5 0 0 EA F7 EA F7 4C CB 4C C6
0 0 0 0 6 0 0 EA C0 EA C0 4C 2C 4C 26
0 0 0 0 7 0 0 EA 3D EA 3D 4C BD 4C B6
0 0 0 0 8 0 0 EA BE EA BE 4C 0E 4C 06
0 0 0 0 9 0 0 EA 8B EA 8B 4C 5F 4C 56
0 0 0 0 A 0 0 EA 54 EA 54 4C 00 4C F6
0 0 0 0 B 0 0 EA 31 EA 31 4C 51 4C 46
0 0 0 0 C 0 0 EA 92 EA 92 4C 22 4C 16
0 0 0 0 D 0 0 EA 4F EA 4F 4C 33 4C 26
0 0 0 0 E 0 0 EA 58 EA 58 4C D4 4C C6
0 0 0 0 F 0 0 EA 55 EA 55 4C E5 4C D6
0 0 0 0 10 0 0 EA 56 EA 56 4C 76 4C 66
0 0 0 1 0 0 0 D3 86 D3 86 69 89 68 89
0 0 0 2 0 0 0 78 3D 78 3D D6 52 D4 52
0 0 0 3 0 0 0 41 37 41 37 43 E2 40 E2
0 0 0 4 0 0 0 56 39 56 39 F0 14 EC 14
0 0 0 5 0 0 0 DF 7F DF 7F ED 91 E8 91
0 0 0 6 0 0 0 64 DE 64 DE BA FF B4 FF
0 0 0 7 0 0 0 FD 63 FD 63 C7 26 C0 26
0 0 0 8 0 0 0 B2 90 B2 90 B4 E3 AC E3
0 0 0 9 0 0 0 3B DE 3B DE 11 12 08 12
0 0 0 A 0 0 0 80 47 80 47 7E A6 74 A6
0 0 0 B 0 0 0 A9 D1 A9 D1 2B F1 20 F1
0 0 0 C 0 0 0 1E E0 1E E0 D8 73 CC 73
0 0 0 D 0 0 0 87 3F 87 3F 55 5A 48 5A
0 0 0 E 0 0 0 2C CB 2C CB E2 C8 D4 C8
0 0 0 F 0 0 0 C5 E2 C5 E2 EF D7 E0 D7
0 0 0 10 0 0 0 9A 0E 9A 0E 5C B3 4C B3
0 0 1 0 0 0 0 EA 2C EA 2D 4C 2D 4C 2D
0 0 2 0 0 0 0 EA E2 EA E4 4C B0 4C B0
0 0 3 0 0 0 0 EA A8 EA AB 4C D7 4C D7
0 0 4 0 0 0 0 EA FE EA 02 4C 3A 4C 3A
0 0 5 0 0 0 0 EA 24 EA 29 4C C1 4C C1
0 0 6 0 0 0 0 EA 3A EA 40 4C F4 4C F4
0 0 7 0 0 0 0 EA A0 EA A7 4C AB 4C AB
0 0 8 0 0 0 0 EA B6 EA BE 4C 5E 4C 5E
0 0 9 0 0 0 0 EA DC EA E5 4C 85 4C 85
0 0 A 0 0 0 0 EA 12 EA 1C 4C 68 4C 68
0 0 B 0 0 0 0 EA 18 EA 23 4C CF 4C CF
0 0 C 0 0 0 0 EA EE EA FA 4C 52 4C 52
0 0 D 0 0 0 0 EA 54 EA 61 4C 19 4C 19
0 0 E 0 0 0 0 EA 6A EA 78 4C 0C 4C 0C
0 0 F 0 0 0 0 EA 10 EA 1F 4C 23 4C 23
0 0 10 0 0 0 0 EA 26 EA 36 4C 56 4C 56
0 1 0 0 0 0 0 DC 83 DD 83 FB AA FB AA
0 2 0 0 0 0 0 E6 F2 E8 F2 62 5B 62 5B
0 3 0 0 0 0 0 68 1F 6B 1F 99 C2 99 C2
0 4 0 0 0 0 0 C2 4C C6 4C 70 0C 70 0C
0 5 0 0 0 0 0 74 59 79 59 BF CE BF CE
0 6 0 0 0 0 0 9E 5F A4 5F C6 7D C6 7D
0 7 0 0 0 0 0 60 20 67 20 6D 56 6D 56
0 8 0 0 0 0 0 7A 45 82 45 A4 1A A4 1A
0 9 0 0 0 0 0 2C B1 35 B1 33 94 33 94
0 A 0 0 0 0 0 F6 0D 00 0E FA FF FA FF
0 B 0 0 0 0 0 38 21 43 21 11 51 11 51
0 C 0 0 0 0 0 92 F4 9E F4 48 26 48 26
0 D 0 0 0 0 0 44 BF 51 BF 77 76 77 76
0 E 0 0 0 0 0 EE F0 FC F0 1E AF 1E AF
0 F 0 0 0 0 0 70 5A 7F 5A 65 BD 65 BD
0 10 0 0 0 0 0 CA F9 DA F9 5C 3D 5C 3D
1 0 0 0 0 0 0 EA 2D EA 2C 4C 2D 4C 2D
2 0 0 0 0 0 0 EA E4 EA E2 4C B0 4C B0
3 0 0 0 0 0 0 EA AB EA A8 4C D7 4C D7
4 0 0 0 0 0 0 EA 02 EA FE 4C 3A 4C 3A
5 0 0 0 0 0 0 EA 29 EA 24 4C C1 4C C1
6 0 0 0 0 0 0 EA 40 EA 3A 4C F4 4C F4
7 0 0 0 0 0 0 EA A7 EA A0 4C AB 4C AB
8 0 0 0 0 0 0 EA BE EA B6 4C 5E 4C 5E
9 0 0 0 0 0 0 EA E5 EA DC 4C 85 4C 85
A 0 0 0 0 0 0 EA 1C EA 12 4C 68 4C 68
B 0 0 0 0 0 0 EA 23 EA 18 4C CF 4C CF
C 0 0 0 0 0 0 EA FA EA EE 4C 52 4C 52
D 0 0 0 0 0 0 EA 61 EA 54 4C 19 4C 19
E 0 0 0 0 0 0 EA 78 EA 6A 4C 0C 4C 0C
F 0 0 0 0 0 0 EA 1F EA 10 4C 23 4C 23
10 0 0 0 0 0 0 EA 36 EA 26 4C 56 4C 56
1 1 1 1 1 1 1 EE 12 EF 12 2C 01 2C 01
2 2 2 2 2 2 2 82 20 84 20 54 1E 54 1E
3 3 3 3 3 3 3 B6 33 B9 33 C4 33 C4 33
4 4 4 4 4 4 4 5A 09 5E 09 94 27 94 27
5 5 5 5 5 5 5 BE 3C C3 3C D4 97 D4 97
6 6 6 6 6 6 6 B2 50 B8 50 DC BC DC BC
7 7 7 7 7 7 7 C6 10 CD 10 FC DF FC DF
8 8 8 8 8 8 8 4A B3 52 B3 2C 1C 2C 1C
9 9 9 9 9 9 9 0E 20 17 20 6C 63 6C 63
--- End code ---
ozcar:
If those challenges are “7-byte words”, why do you stop at 0x10?
In other words why no challenges like these say?
--- Code: ---
0 0 0 0 0 0 11
0 0 0 0 0 0 20
0 0 0 0 0 0 FF
FF FF FF FF FF FF FF
--- End code ---
I think I’m missing something...
twizzter:
--- Quote from: ozcar on October 16, 2023, 10:24:37 am ---If those challenges are “7-byte words”, why do you stop at 0x10?
--- End quote ---
That simply was an initial data set I've managed to prepare so far, just to have some overview. Dumping all possible combinations would be a very time-consuming task.
ozcar:
Shifting a single bit through each position may give some clue:
--- Code: ---
80 00 00 00 00 00 00
40 00 00 00 00 00 00
20 00 00 00 00 00 00
10 00 00 00 00 00 00
08 00 00 00 00 00 00
04 00 00 00 00 00 00
02 00 00 00 00 00 00
01 00 00 00 00 00 00
00 80 00 00 00 00 00
…
00 00 00 00 00 00 04
00 00 00 00 00 00 02
00 00 00 00 00 00 01
--- End code ---
Or maybe just add to the confusion.
AndyBeez:
Challenge "10" ?
Looking at your data I get what you are doing - 10 is a hex field ::)
I note repetition of bytes on the odd order challenges.
x 0 x 0 x 0 x is always EA xx EA xx 4C xx 4C xx
This might be revealing a bit mask.
A hashing function would not generate repetitions, unless it was broken.
I think you have to hack into the PICs program space.
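An added example, not part of any post in this thread: a Python check of the add/subtract pattern described in the first post, run over nine rows copied from the dump. The 16-bit little-endian pairing of response bytes and the two delta formulas are assumptions read off the single-byte rows, not a confirmed description of the device's algorithm.

```python
# Constructed sample: nine rows copied from the comm dump in the first post
# (7 challenge bytes followed by 8 response bytes, all hex).
DUMP = """\
0 0 0 0 0 0 A EA 54 EA 54 4C F6 4C 00
0 0 0 0 0 2 0 78 3D 78 3D D4 52 D6 52
0 0 0 0 4 0 0 EA F7 EA F7 4C CB 4C C6
0 0 0 0 5 0 0 EA F7 EA F7 4C CB 4C C6
0 0 0 3 0 0 0 41 37 41 37 43 E2 40 E2
0 0 4 0 0 0 0 EA FE EA 02 4C 3A 4C 3A
0 A 0 0 0 0 0 F6 0D 00 0E FA FF FA FF
4 0 0 0 0 0 0 EA 02 EA FE 4C 3A 4C 3A
5 5 5 5 5 5 5 BE 3C C3 3C D4 97 D4 97
"""

def parse(dump):
    """Yield (challenge, response) lists of ints from whitespace-separated hex rows."""
    for line in dump.splitlines():
        vals = [int(tok, 16) for tok in line.split()]
        if len(vals) != 15:
            raise ValueError(f"expected 15 hex fields, got {len(vals)}: {line!r}")
        yield vals[:7], vals[7:]

def word(lo, hi):
    """Combine two response bytes as a 16-bit little-endian word (assumption)."""
    return lo | (hi << 8)

def expected_deltas(c):
    """Hypothesised W1-W0 and W3-W2 (mod 2**16), read off the single-byte rows."""
    d01 = (c[1] + ((c[2] - c[0]) << 8)) & 0xFFFF
    d23 = ((c[5] - c[3]) + ((c[6] - c[4]) << 8)) & 0xFFFF
    return d01, d23

def check(dump):
    """Return the challenges whose response breaks the hypothesised relations."""
    bad = []
    for c, r in parse(dump):
        w = [word(r[i], r[i + 1]) for i in (0, 2, 4, 6)]
        seen = ((w[1] - w[0]) & 0xFFFF, (w[3] - w[2]) & 0xFFFF)
        if seen != expected_deltas(c):
            bad.append(tuple(c))
    return bad

if __name__ == "__main__":
    for c in check(DUMP):
        print("inconsistent row:", " ".join(f"{b:X}" for b in c))
```

On these rows the only mismatch is challenge 0 0 0 0 4 0 0, whose response in the dump is identical to the one listed for 0 0 0 0 5 0 0.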