Skip to content

Instantly share code, notes, and snippets.

@denandz
Created September 3, 2019 11:31
Show Gist options
  • Save denandz/12347b374f537e717d8a58d14e92014b to your computer and use it in GitHub Desktop.
Save denandz/12347b374f537e717d8a58d14e92014b to your computer and use it in GitHub Desktop.
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
int32_t inc_s1(int32_t s){
uint32_t uVar1;
int32_t s1;
uVar1 = s / 0xd1a4 + (s >> 0x1f);
s1 = (s * 0x9c4e) + (uVar1 + (uVar1 >> 0x1f)) * -0x7fffffab;
if (s1 < 0) {
s1 = s1 + 0x7fffffab;
}
return s1;
}
int32_t inc_s2(int32_t s){
uint32_t uVar1;
int32_t s2;
uVar1 = s / 0xce26 + (s >> 0x1f);
s2 = s * 0x9ef4 + (uVar1 + (uVar1 >> 0x1f)) * -0x7fffff07;
if (s2 < 0) {
s2 = s2 + 0x7fffff07;
}
return s2;
}
double randES(int32_t s1, int32_t s2){
int32_t iVar1;
double dVar3;
s1 = inc_s1(s1);
s2 = inc_s2(s2);
iVar1 = s1 - s2;
if (iVar1 < 1) {
iVar1 = iVar1 + 0x7fffffaa;
}
dVar3 = iVar1 * 4.656613e-010;
return dVar3;
}
int main(int argc, char ** argv){
int32_t target_s1;
int32_t target_s2;
int32_t target_int;
if(argc < 3){
puts("Please run as: ./mssql_brute_math <random float> <next random float>");
return 1;
}
double target_1 = atof(argv[1]);
double target_2 = atof(argv[2]);
printf("[+] Target 1: %.17f Target 2: %.17f\n", target_1, target_2);
target_int = target_1 / 4.656613e-010;
printf("[+] Target 1 integer: %d\n", target_int);
target_s2 = 0x10932;
uint64_t i = 1;
while(1){
// figure out the next potential s1 and s2 parameter
target_s1 = target_int + target_s2;
if(target_s1 < 1){
target_s1 = target_s1 - 0x7fffffaa;
}
double candidate = randES(target_s1, target_s2);
printf("S1: %d, S2: %d, rand: %.17f\n", target_s1, target_s2, candidate);
if(candidate == target_2){
printf("[+] Found S1/S2 after %lu loops\n", i);
printf("[+] S1: %d S2: %d\n", target_s1, target_s2);
break;
}
// Didn't find it, increment S2
target_s2 = inc_s2(target_s2);
i++;
}
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment