denandz/mssql_rand_brute.c Secret

## mssql_rand_brute.c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int32_t inc_s1(int32_t s){
    uint32_t uVar1;
    int32_t s1;

    uVar1 = s / 0xd1a4 + (s >> 0x1f);
    s1 = (s * 0x9c4e) + (uVar1 + (uVar1 >> 0x1f)) * -0x7fffffab;
    if (s1 < 0) {
        s1 = s1 + 0x7fffffab;
    }

    return s1;
}

int32_t inc_s2(int32_t s){
    uint32_t uVar1;
    int32_t s2;

    uVar1 = s / 0xce26 + (s >> 0x1f);
    s2 = s * 0x9ef4 + (uVar1 + (uVar1 >> 0x1f)) * -0x7fffff07;
    if (s2 < 0) {
        s2 = s2 + 0x7fffff07;
    }

    return s2;
}

double randES(int32_t s1, int32_t s2){
    int32_t iVar1;
    double dVar3;

    s1 = inc_s1(s1);
    s2 = inc_s2(s2);

    iVar1 = s1 - s2;
    if (iVar1 < 1) {
        iVar1 = iVar1 + 0x7fffffaa;
    }
    dVar3 = iVar1 * 4.656613e-010;

    return dVar3;
}


int main(int argc, char ** argv){
    int32_t target_s1;
    int32_t target_s2;
    int32_t target_int;

    if(argc < 3){
        puts("Please run as: ./mssql_brute_math <random float> <next random float>");
        return 1;
    }

    double target_1 = atof(argv[1]);
    double target_2 = atof(argv[2]);
    printf("[+] Target 1: %.17f Target 2: %.17f\n", target_1, target_2);

    target_int = target_1 / 4.656613e-010;
    printf("[+] Target 1 integer: %d\n", target_int);

    target_s2 = 0x10932;

    uint64_t i = 1;
    while(1){
        // figure out the next potential s1 and s2 parameter
        target_s1 = target_int + target_s2;

        if(target_s1 < 1){
           target_s1 = target_s1 - 0x7fffffaa;
        }

        double candidate = randES(target_s1, target_s2);
        printf("S1: %d, S2: %d, rand: %.17f\n", target_s1, target_s2, candidate);
        if(candidate == target_2){
            printf("[+] Found S1/S2 after %lu loops\n", i);
            printf("[+] S1: %d S2: %d\n", target_s1, target_s2);
            break;
        }

        // Didn't find it, increment S2
        target_s2 = inc_s2(target_s2);
        i++;
    }

    return 0;
}
	#include <stdio.h>
	#include <stdint.h>
	#include <stdlib.h>

	int32_t inc_s1(int32_t s){
	uint32_t uVar1;
	int32_t s1;

	uVar1 = s / 0xd1a4 + (s >> 0x1f);
	s1 = (s * 0x9c4e) + (uVar1 + (uVar1 >> 0x1f)) * -0x7fffffab;
	if (s1 < 0) {
	s1 = s1 + 0x7fffffab;
	}

	return s1;
	}

	int32_t inc_s2(int32_t s){
	uint32_t uVar1;
	int32_t s2;

	uVar1 = s / 0xce26 + (s >> 0x1f);
	s2 = s * 0x9ef4 + (uVar1 + (uVar1 >> 0x1f)) * -0x7fffff07;
	if (s2 < 0) {
	s2 = s2 + 0x7fffff07;
	}

	return s2;
	}

	double randES(int32_t s1, int32_t s2){
	int32_t iVar1;
	double dVar3;

	s1 = inc_s1(s1);
	s2 = inc_s2(s2);

	iVar1 = s1 - s2;
	if (iVar1 < 1) {
	iVar1 = iVar1 + 0x7fffffaa;
	}
	dVar3 = iVar1 * 4.656613e-010;

	return dVar3;
	}


	int main(int argc, char ** argv){
	int32_t target_s1;
	int32_t target_s2;
	int32_t target_int;

	if(argc < 3){
	puts("Please run as: ./mssql_brute_math <random float> <next random float>");
	return 1;
	}

	double target_1 = atof(argv[1]);
	double target_2 = atof(argv[2]);
	printf("[+] Target 1: %.17f Target 2: %.17f\n", target_1, target_2);

	target_int = target_1 / 4.656613e-010;
	printf("[+] Target 1 integer: %d\n", target_int);

	target_s2 = 0x10932;

	uint64_t i = 1;
	while(1){
	// figure out the next potential s1 and s2 parameter
	target_s1 = target_int + target_s2;

	if(target_s1 < 1){
	target_s1 = target_s1 - 0x7fffffaa;
	}

	double candidate = randES(target_s1, target_s2);
	printf("S1: %d, S2: %d, rand: %.17f\n", target_s1, target_s2, candidate);
	if(candidate == target_2){
	printf("[+] Found S1/S2 after %lu loops\n", i);
	printf("[+] S1: %d S2: %d\n", target_s1, target_s2);
	break;
	}

	// Didn't find it, increment S2
	target_s2 = inc_s2(target_s2);
	i++;
	}

	return 0;
	}