@red0xff
Last active November 19, 2018 22:28
// https://red0xff.blogspot.com/2018/11/ritsec-cictrohash-writeup.html
#include<stdint.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
/* Initial 8-byte state: reset() copies bytes 0-3 into w[0] and bytes 4-7 into w[1]. */
unsigned char state[8] = { 31, 56, 156, 167, 38, 240, 174, 248 };
/* The two 4-byte working words; main() points each entry at its own 4-byte heap buffer. */
unsigned char* w[2];
/*
 * Restore both working words to the initial state: w[0] receives
 * state[0..3] and w[1] receives state[4..7].
 * w[0] and w[1] must already point at buffers of at least 4 bytes.
 */
void reset()
{
    for (int k = 0; k < 4; k++) {
        w[0][k] = state[k];
        w[1][k] = state[4 + k];
    }
}
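/**
 * Absorb one 4-byte block into the working state and return a 32-bit digest.
 *
 * The four input bytes are XORed into w[0][0..3], the permutation f() is
 * applied, and the resulting w[0] bytes are packed big-endian (w[0][0] is the
 * most significant byte). The state is NOT reset here, so consecutive calls
 * chain blocks together; callers start a new message with reset().
 *
 * @param a,b,c,d  the four bytes of the block, in order
 * @return the packed 32-bit value of w[0] after the permutation
 */
int32_t hash(char a, char b, char c, char d)
{
    /* f() is defined further down the file; declare it here so the call is
     * not an implicit declaration (invalid since C99). */
    void f(void);

    w[0][0] ^= a;
    w[0][1] ^= b;
    w[0][2] ^= c;
    w[0][3] ^= d;
    f();

    /* Pack through uint32_t: shifting a promoted (signed) int left by 24 is
     * undefined behaviour whenever the top bit of w[0][0] is set. */
    uint32_t digest = ((uint32_t)w[0][0] << 24)
                    | ((uint32_t)w[0][1] << 16)
                    | ((uint32_t)w[0][2] << 8)
                    |  (uint32_t)w[0][3];
    return (int32_t)digest;
}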
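/*
 * The permutation: 50 applications of myround() to the working words.
 */
void f()
{
    /* myround() is defined later in the file; declare it before use so the
     * call is not an implicit declaration (invalid since C99). */
    void myround(void);

    for (int i = 0; i < 50; i++) {
        myround();
    }
}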
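/*
 * One round of the permutation: alpha, beta, mygamma, sigma, in that order.
 */
void myround()
{
    /* The four steps are defined later in the file; declare them before use
     * so the calls are not implicit declarations (invalid since C99). */
    void alpha(void);
    void beta(void);
    void mygamma(void);
    void sigma(void);

    alpha();
    beta();
    mygamma();
    sigma();
}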
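/*
 * Swap the two working words by exchanging the pointers in w[0] and w[1];
 * no bytes are copied.
 */
void alpha()
{
    /* Same pointer type as w[]: the original `char *` temporary was an
     * incompatible pointer type (signedness mismatch) for these assignments. */
    unsigned char *held = w[0];
    w[0] = w[1];
    w[1] = held;
}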
/*
 * XOR w[1] into w[0] with the byte order reversed:
 * w[0][i] ^= w[1][3 - i] for i = 0..3. w[1] is left unchanged.
 */
void beta()
{
    for (int i = 0; i < 4; i++) {
        w[0][i] ^= w[1][3 - i];
    }
}
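/*
 * Fixed byte permutation across both working words.
 *
 * With (r0, r1) the old contents of (w[0], w[1]):
 *   w[0] = { r1[3], r1[0], r1[2], r0[0] }
 *   w[1] = { r1[1], r0[3], r0[1], r0[2] }
 */
void mygamma()
{
    /* Snapshot both words first, since every output byte depends on the old
     * values. The copies are unsigned char, matching w[]: the original plain
     * `char` temporaries relied on an implementation-defined conversion for
     * bytes >= 0x80, and two of them shadowed the function f(). */
    const unsigned char r0[4] = { w[0][0], w[0][1], w[0][2], w[0][3] };
    const unsigned char r1[4] = { w[1][0], w[1][1], w[1][2], w[1][3] };

    w[0][0] = r1[3];
    w[0][1] = r1[0];
    w[0][2] = r1[2];
    w[0][3] = r0[0];

    w[1][0] = r1[1];
    w[1][1] = r0[3];
    w[1][2] = r0[1];
    w[1][3] = r0[2];
}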
/*
 * Rotate every byte of both working words by one bit:
 * bytes at even index (0, 2) rotate left, bytes at odd index (1, 3) rotate
 * right. The store back into an unsigned char drops the bits shifted above
 * bit 7.
 */
void sigma()
{
    for (int k = 0; k < 2; k++) {
        unsigned char *word = w[k];

        /* rotate left by 1 */
        word[0] = (word[0] << 1) | (word[0] >> 7);
        word[2] = (word[2] << 1) | (word[2] >> 7);

        /* rotate right by 1 */
        word[1] = (word[1] >> 1) | (word[1] << 7);
        word[3] = (word[3] >> 1) | (word[3] << 7);
    }
}
/* Not read or written by any live code in this file. */
int32_t values[500000];
/* Not assigned or used by any live code in this file. */
FILE* output;
FILE* output2;
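/**
 * Exhaustive search for two inputs that produce a given 32-bit digest.
 *
 * argv[1]: the first 4 bytes of the second string, as 8 hex digits.
 * argv[2]: the target digest, in hex.
 *
 * Stage 1 tries every 4-byte string over byte values 122 down to 33 (at most
 * 90^4 candidates) and prints the first whose digest equals the target.
 * Stage 2 absorbs the given 4-byte prefix and then tries every 4-byte suffix
 * over byte values 65 to 126 (at most 62^4 candidates), printing the first
 * 8-byte string whose digest equals the target.
 *
 * The search is only feasible because the digest is 32 bits wide: an output
 * this short cannot provide preimage or collision resistance, whatever the
 * permutation behind it does.
 *
 * @return 0 after the search (whether or not a match was found), 1 on
 *         allocation failure; usage and parse errors exit with status 1.
 */
int main(int argc, char** argv)
{
    if (argc != 3)
    {
        printf("[-] Usage : %s <first_4_bytes_of_second_string> <hash_of_both_strings>\n", argv[0]);
        exit(1);
    }
    if (strlen(argv[1]) != 8)
    {
        puts("[-] First 4 bytes of second string must be a hex string of length 8\n");
        exit(1);
    }

    /* strtoul with an end pointer: the original strtol calls accepted
     * non-hex input silently (parsing it as 0) and, where long is 32 bits,
     * would clamp any value above 0x7fffffff. */
    char *end = NULL;
    unsigned long prefix_bits = strtoul(argv[1], &end, 16);
    if (end == argv[1] || *end != '\0')
    {
        puts("[-] First 4 bytes of second string must be a hex string of length 8\n");
        exit(1);
    }
    unsigned long wanted = strtoul(argv[2], &end, 16);
    if (end == argv[2] || *end != '\0' || wanted > 0xFFFFFFFFUL)
    {
        puts("[-] Hash must be a hex string of at most 32 bits");
        exit(1);
    }
    const uint32_t target = (uint32_t)wanted;

    /* Split the prefix with shifts instead of storing through a cast
     * `unsigned int *`: that store broke the aliasing rules and made the byte
     * order depend on host endianness. Index 0 holds the least significant
     * byte, so prefix[3], prefix[2], prefix[1], prefix[0] is the order in
     * which the bytes were written on the command line. */
    char prefix[4];
    for (int k = 0; k < 4; k++)
    {
        prefix[k] = (char)(unsigned char)((prefix_bits >> (8 * k)) & 0xFFu);
    }

    w[0] = malloc(4);
    w[1] = malloc(4);
    if (w[0] == NULL || w[1] == NULL)
    {
        free(w[0]);
        free(w[1]);
        puts("[-] Out of memory");
        return 1;
    }
    reset();

    /* Stage 1: single-block search. */
    for (unsigned char a = 122; a != 32; a--)
    {
        for (unsigned char b = 122; b != 32; b--)
        {
            for (unsigned char c = 122; c != 32; c--)
            {
                for (unsigned char d = 122; d != 32; d--)
                {
                    int32_t h = hash(a, b, c, d);
                    reset(); /* start the next candidate from the initial state */
                    if ((uint32_t)h == target)
                    {
                        printf("[+] first string = %c%c%c%c\n", a, b, c, d);
                        goto second_stage;
                    }
                }
            }
        }
    }

second_stage:
    /* Stage 2: two-block search with the first block fixed to the prefix. */
    for (unsigned char a = 65; a != 127; a++)
    {
        for (unsigned char b = 65; b != 127; b++)
        {
            for (unsigned char c = 65; c != 127; c++)
            {
                for (unsigned char d = 65; d != 127; d++)
                {
                    /* Absorb the prefix block first; its digest is not needed,
                     * only the state it leaves behind for the second block. */
                    (void)hash(prefix[3], prefix[2], prefix[1], prefix[0]);
                    int32_t h = hash(a, b, c, d);
                    reset();
                    if ((uint32_t)h == target)
                    {
                        printf("[+] second string = %c%c%c%c%c%c%c%c\n", prefix[3], prefix[2], prefix[1], prefix[0], a, b, c, d);
                        goto done;
                    }
                }
            }
        }
    }

done:
    puts("[?] Exiting\n");
    free(w[0]);
    free(w[1]);
    w[0] = NULL;
    w[1] = NULL;
    return 0;
}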