nitram2342 / bruteforce-crc

Brute-forcing CRC parameters

Home Page: http://sitsec.net/blog/2012/02/10/brute-forcing-crc-parameters/

License: Boost Software License 1.0

C++ 92.69% Perl 2.00% Shell 0.22% CMake 1.95% Roff 3.13%
crc-calculation brute-force crc-16 crc-model crc bruteforce-crc crc-8 bruteforcer crc-algorithms probe-crc

bruteforce-crc's Introduction

These files are part of a CRC parameter brute-forcing tool. Please have a look at http://sitsec.net/blog/2012/02/10/brute-forcing-crc-parameters/

Author: Martin Schobert [email protected]

Licence

This code is published under the Boost Software Licence. http://www.boost.org/users/license.html

Dependencies

  • CMake
  • Boost
    • boost_program_options
    • boost_system
    • boost_regex
    • boost_thread

$ sudo apt-get install cmake libboost-program-options-dev libboost-system-dev libboost-regex-dev \
    libboost-thread-dev libboost-test-dev libboost-filesystem-dev

Compile

> cmake .

Check for errors and install missing dependencies.

> make

Build bruteforce-crc and ./bin/test*

> make test

Run tests (can take a long time)

Install

In general, you can run the bruteforcer from the directory where you compiled the code. If you would like to install it into your system, run the 'install' target:

> sudo make install

Run

Minimum input:

./bruteforce-crc --file [filename] --width [crc-width] --offs-crc [offset to start of crc] --start [start of data] --end [end of data]

Input file is an ASCII representation of a binary string, for example:

01101100100000111010000110001101011110000000001001111111010
00010000000011001011001001100110111111000001101000101000101
11010111001110001101101100101110111101101010010010011100111

If your input is hex-bytes, just use the Perl script "rewrite-as.pl" to convert your input into a format the bruteforcer expects, for example:

perl rewrite-as.pl bits test_hexbytes.txt > test_bitmsg.txt

In the example above, the CRC is 10 bits long and starts at bit 49:

[--------------------data-----------------------][---CRC--]
01101100100000111010000110001101011110000000001001111111010

The command line for this example would be:

./bruteforce-crc --verbose 1 --file data.txt --start 0 --end 49 --width 10 --offs-crc 49 --probe-initial true

Options List [* Required]:

  --file arg                   * File containing messages
  --width arg                  * CRC width
  --offs-crc arg               * CRC's offset
  --start arg                  * Calculate CRC from this offset
  --end arg                    * Calculate CRC up to this offset (not included)
  --output arg                 Output file for matched crc settings
  --verbose arg                Enable verbose output
  --poly arg                   Truncated polynomial (default: bruteforced)
  --poly-start arg             Start of polynomial search space (default: 0)
  --poly-end arg               End of polynomial search space (default: 2^width - 1)
  --threads arg                Number of threads (default: 4)
  --initial arg                Set initial value (default: 0)
  --probe-initial arg          Bruteforce the initial, overrides initial (default: true)
  --final-xor arg              Final xor (default: 0)
  --probe-final-xor arg        Bruteforce the final-xor, overrides final-xor (default: false)
  --probe-reflected-input arg  Probe for reflect input (default: false)
  --probe-reflected-output arg Probe for reflect remainder output (default: false)
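
The following is an added example, not code from bruteforce-crc: it shows the kind of search the options above parameterize, slicing each bit line by start/end/offs-crc/width and trying every polynomial and initial value for a non-reflected CRC with final XOR 0. The function names, the 16+8-bit layout and the sample model (poly 0x07, init 0x5A) are assumptions made for this illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>
using Model = std::pair<uint32_t, uint32_t>;  // (truncated polynomial, initial value)

// Bit-wise, MSB-first CRC without reflection over a string of '0'/'1' characters.
uint32_t crc_bits(const std::string& bits, unsigned width, uint32_t poly, uint32_t init) {
  const uint32_t top = 1u << (width - 1), mask = (top << 1) - 1u;
  uint32_t reg = init & mask;
  for (char c : bits) {
    if (c == '1') reg ^= top;  // feed the next message bit
    reg = ((reg << 1) & mask) ^ ((reg & top) ? (poly & mask) : 0u);
  }
  return reg;  // final XOR is 0 in this example
}

// Keep every (poly, init) pair whose CRC over bits [start, end) equals the width-bit
// field at offs_crc in every line. Cost grows as 4^width: small widths only (< 32).
std::vector<Model> search(const std::vector<std::string>& lines, std::size_t start,
                          std::size_t end, std::size_t offs_crc, unsigned width) {
  std::vector<Model> hits;
  std::vector<std::pair<std::string, uint32_t>> msgs;  // (data bits, expected CRC)
  for (const std::string& s : lines) {
    // Reject input that is too short for the requested layout.
    if (start > end || end > s.size() || offs_crc + width > s.size()) return hits;
    const uint32_t crc = std::stoul(s.substr(offs_crc, width), nullptr, 2);
    msgs.emplace_back(s.substr(start, end - start), crc);
  }
  for (uint32_t poly = 0; poly < (1u << width); ++poly)
    for (uint32_t init = 0; init < (1u << width); ++init) {
      std::size_t k = 0;
      while (k < msgs.size() && crc_bits(msgs[k].first, width, poly, init) == msgs[k].second) ++k;
      if (k == msgs.size()) hits.emplace_back(poly, init);
    }
  return hits;
}

// Constructed sample: 16 data bits + 8-bit CRC of an assumed model (poly 0x07, init 0x5A).
std::vector<std::string> sample_lines() {
  std::vector<std::string> lines = {"1011001110001111", "0000111101010101", "1110000000000001"};
  for (std::string& s : lines) {
    const uint32_t c = crc_bits(s, 8, 0x07, 0x5A);
    for (int i = 7; i >= 0; --i) s += ((c >> i) & 1u) ? '1' : '0';
  }
  return lines;
}

int main() { std::printf("%zu models match\n", search(sample_lines(), 0, 16, 16, 8).size()); }
```

A single message always leaves many candidates, because for every polynomial with its low bit set some initial value reproduces the observed CRC; each extra message can only shrink the candidate set.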

Credits

bruteforce-crc's People

Contributors

martynp, nitram2342, sitsec, solomonbstoner


bruteforce-crc's Issues

Bug and conversion error when specifying `Initial`

Two issues regarding specifying initial. I have already fixed and verified the issue on my computer. Will create a PR soon.

  1. When --initial is specified, a conversion error is thrown.

Screenshot from 2021-05-20 15-13-56

  2. After fixing issue 1, --probe-initial should be set to false by default. By setting it to true by default, even when the user specifies --initial, the program does not register it and goes ahead with bruteforcing possible initial values.

Example Implementation does not include code for reversed output

The example implementation printed when --verbose true does not include the code for reversed output. The output reflection function had to be manually included.

// Function that reflects its argument
my_crc_basic::value_type my_crc_basic::reflect(value_type  x ) const {

  value_type        reflection = 0;
  value_type const  one = 1;
  
  for( std::size_t i = 0 ; i < width_ ; ++i, x >>= 1 ) {
    if ( x & one ) {
      reflection |= ( one << (width_ - 1u - i) );
    }
  }
  
  return reflection;
}

segmentation fault

Hello,

I have this data in a file called raw.txt

100100010101110000011010101100000001101011001001000110111101
100100010101110000011010101101000001101010011110111110011100
100100010101110000010000111100000001101001000110110001101100
100100010101110000000110111101000001100001000110011000000101

The first 52 bits are the data and the last 8 are the CRC, I believe.

However, running the command

./bruteforce-crc --width 8 --start 0 --end 52 --offs-crc 52 --file raw.txt

gives me a Segmentation fault.

Any idea what I'm doing wrong?
(Be gentle, I'm very new.)

Extra byte output in `Example Implementation`

The code provided in the Example implementation output for found matches contains an extra last byte of the provided input bitstream (excluding the CRC).

For example, consider the bitstream generated below.

Screenshot from 2021-05-20 14-44-53

Its hex equivalent is shown below. The non-CRC portions are highlighted. Notice that the LSB on the right is 0x90.

Screenshot from 2021-05-20 15-07-05

However, the 0x90 is repeated in the example implementation in the output when --verbose true

Screenshot from 2021-05-20 15-07-17

It's a pretty inconsequential bug so I wasn't compelled to fix it. I might open a PR for this after my working hours.

This doesn't work on Ubuntu 20

I don't know if this is because of an Ubuntu 20 incompatibility or if the tool is simply broken, but if you run the example line:
./bruteforce-crc --file test.txt -width 10 --offs-crc 49 --start 0 --end 49

You will get:
Warning: input reflection only works if range start ... end is N * 8 bit with N > )
No model found.

The README instructions actually contain a typo: ./buteforce-crc etc etc etc

I hope that doesn't mean this tool wasn't actually tested. Hope this helps

Doesn't seem to work on Ubuntu 23

The file:

It seems like it reads the correct CRC from file (8D BB 3A 66) but when it starts up, it shows CRCs/s=5 briefly, then goes down to 0 in a second or two, then nothing happens after that and the screen shows as below.

Very strange. 5 crc/s also sounds really slow for my pc

Cheers!

file.txt

` sudo ./bruteforce-crc --verbose 1 --file file.txt --start 0 --end 1056 --width 32 --offs-crc 1056 --probe-initial true --threads 1
Extracted message with crc 8dbb3a66
Extracted 1 messages and CRC values
Brute Force CRC Settings

CRC Width : 32
Truncated Polynomial : 0x0 to 0x0
Truncated Polynomial : 0x0 to 0xffffffff
Initial value : 0x0 to 0xffffffff
final xor : 0x0
Probe reflect in : false
Probe reflect out : false
Feed type : auto
Permutation count : 18446744065119617025

Multithreaded CRC Brute Force Initiated

Number of threads : 1
Number of test vectors : 1

Testing Known CRC's for Length 32

Starting brute forcer over selected threads

Starting Thread 0, searching from 0 to ffffffff

time=198s CRCs/s=0 .42101e-17% (10 of 18446744T) time_to_go=5124095573644338 h`
