From 0eb8050d6cc0904d9e8ed8cadac7d9696ddf6412 Mon Sep 17 00:00:00 2001 From: wiire-a Date: Wed, 20 Dec 2017 12:32:40 +0100 Subject: [PATCH] Reorganized auto mode logic --- src/pixiewps.c | 131 +++++++++++++++++++++++++------------------------ src/pixiewps.h | 11 ++++- 2 files changed, 76 insertions(+), 66 deletions(-) diff --git a/src/pixiewps.c b/src/pixiewps.c index aa93ee7..6995c01 100644 --- a/src/pixiewps.c +++ b/src/pixiewps.c @@ -864,7 +864,10 @@ usage_err: goto usage_err; } + DEBUG_PRINT("Debugging enabled"); + if (wps->mode_auto) { /* Mode auto, order by probability */ + DEBUG_PRINT("Mode is auto (no --mode specified)"); if (!memcmp(wps->pke, wps_rtl_pke, WPS_PKEY_LEN)) { p_mode[0] = RTL819x; p_mode[1] = NONE; @@ -884,7 +887,6 @@ usage_err: } } - DEBUG_PRINT("Debugging enabled"); DEBUG_PRINT("Modes: %d (%s), %d (%s), %d (%s), %d (%s), %d (%s)", p_mode[0], p_mode_name[p_mode[0]], p_mode[1], p_mode_name[p_mode[1]], @@ -1031,9 +1033,9 @@ usage_err: } } - /* E-S1 = E-S2 = 0 */ - wps->e_s1 = calloc(WPS_SECRET_NONCE_LEN, 1); if (!wps->e_s1) goto memory_err; - wps->e_s2 = calloc(WPS_SECRET_NONCE_LEN, 1); if (!wps->e_s2) goto memory_err; + /* Allocating memory for E-S1 and E-S2 */ + wps->e_s1 = malloc(WPS_SECRET_NONCE_LEN); if (!wps->e_s1) goto memory_err; + wps->e_s2 = malloc(WPS_SECRET_NONCE_LEN); if (!wps->e_s2) goto memory_err; /* Allocating memory for digests */ wps->psk1 = malloc(WPS_HASH_LEN); if (!wps->psk1) goto memory_err; 
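Review bot: Switching e_s1/e_s2 from calloc to malloc in the @@ -1031 hunk drops the zero fill that previously made an attempt with an unwritten buffer deterministic, and nothing at the allocation site says that every crack() call is now expected to overwrite both buffers first. The branches visible in this patch do write them before crack(), but the seed-search bodies sit outside the shown hunks, so if one of them records a seed while leaving the other buffer untouched, crack() would consume indeterminate bytes and its result would vary between runs. Either keep calloc (the cost is negligible for two WPS_SECRET_NONCE_LEN buffers) or document the invariant next to the allocation: `/* Left uninitialised on purpose: every attempt below must fill both before calling crack() */`. The enclosing function continues outside these hunks.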
@@ -1044,31 +1046,56 @@ usage_err: uint_fast8_t k = 0; uint_fast8_t found_p_mode = NONE; - uint32_t seed; wps->nonce_seed = 0; wps->s1_seed = 0; wps->s2_seed = 0; + /* Attempt special cases first in auto mode */ + if (wps->mode_auto) { + + /* E-S1 = E-S2 = 0 */ + if (memcmp(wps->pke, wps_rtl_pke, WPS_PKEY_LEN)) { + memset(wps->e_s1, 0, WPS_SECRET_NONCE_LEN); + memset(wps->e_s2, 0, WPS_SECRET_NONCE_LEN); + DEBUG_PRINT_ATTEMPT(wps->e_s1, wps->e_s2); + if (crack(wps, wps->pin) == PIN_FOUND) { + found_p_mode = RT; + DEBUG_PRINT("Pin found (%8s)", wps->pin); + } + } + + /* E-S1 = E-S2 = N1 */ + if (found_p_mode == NONE) { + memcpy(wps->e_s1, wps->e_nonce, WPS_SECRET_NONCE_LEN); + memcpy(wps->e_s2, wps->e_nonce, WPS_SECRET_NONCE_LEN); + DEBUG_PRINT_ATTEMPT(wps->e_s1, wps->e_s2); + if (crack(wps, wps->pin) == PIN_FOUND) { + found_p_mode = RTL819x; + DEBUG_PRINT("Pin found (%8s)", wps->pin); + } + } + } + /* Main loop */ - while (!found_p_mode && k < MODE_LEN && p_mode[k] != NONE) { + while (found_p_mode == NONE && k < MODE_LEN && p_mode[k] != NONE) { /* 1 */ if (p_mode[k] == RT) { DEBUG_PRINT(" * Mode: %d (%s)", RT, p_mode_name[RT]); - DEBUG_PRINT("Trying with E-S1: "); - DEBUG_PRINT_ARRAY(wps->e_s1, WPS_SECRET_NONCE_LEN); - DEBUG_PRINT("Trying with E-S2: "); - DEBUG_PRINT_ARRAY(wps->e_s2, WPS_SECRET_NONCE_LEN); - uint_fast8_t r = crack(wps, wps->pin); - if (r == PIN_FOUND) { - found_p_mode = RT; - DEBUG_PRINT("Pin found (%8s)", wps->pin); + if (!wps->mode_auto) { + memset(wps->e_s1, 0, WPS_SECRET_NONCE_LEN); + memset(wps->e_s2, 0, WPS_SECRET_NONCE_LEN); + DEBUG_PRINT_ATTEMPT(wps->e_s1, wps->e_s2); + if (crack(wps, wps->pin) == PIN_FOUND) { + found_p_mode = RT; + DEBUG_PRINT("Pin found (%8s)", wps->pin); + } } - if (!found_p_mode) { + if (found_p_mode == NONE) { init_crack_jobs(wps, RT); wps->nonce_seed = collect_crack_jobs(); if (wps->nonce_seed != 0) { 
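Review bot: The two auto-mode special cases added before the main loop and the non-auto RT block in the same hunk (plus the RTL819x block in @@ -1155) are four copies of the same fill, print, crack, record sequence, differing only in how the buffers are filled and which mode is recorded, so any later change to the attempt logging or to the crack() result handling has to be repeated in four places. A small static helper taking the two candidate buffers would remove the duplication; the fence below sketches it, with the type of `wps` left as a placeholder because it is not visible in the patch. The `memcmp(wps->pke, wps_rtl_pke, WPS_PKEY_LEN)` gate on the zero-nonce case also deserves a comment, presumably `/* A known RTL819x PKE is restricted to RTL819x mode above, so the Ralink zero-nonce case cannot apply */`, since the reason is only inferable from the mode-ordering code in @@ -864. The enclosing function continues outside the hunk.
```c
/* Try one (E-S1, E-S2) candidate pair: copies both into wps, logs the attempt
 * and returns crack()'s result (PIN_FOUND leaves wps->pin set). */
static uint_fast8_t try_secret_nonces(WPS_STATE_T *wps, /* placeholder: wps's actual struct type */
		const uint8_t *s1, const uint8_t *s2)
{
	memcpy(wps->e_s1, s1, WPS_SECRET_NONCE_LEN);
	memcpy(wps->e_s2, s2, WPS_SECRET_NONCE_LEN);
	DEBUG_PRINT_ATTEMPT(wps->e_s1, wps->e_s2);
	return crack(wps, wps->pin);
}

/* … in the caller, the E-S1 = E-S2 = 0 special case becomes … */
static const uint8_t zero_nonce[WPS_SECRET_NONCE_LEN] = { 0 };
if (memcmp(wps->pke, wps_rtl_pke, WPS_PKEY_LEN) &&
    try_secret_nonces(wps, zero_nonce, zero_nonce) == PIN_FOUND) {
	found_p_mode = RT;
	DEBUG_PRINT("Pin found (%8s)", wps->pin);
}

/* … and the E-S1 = E-S2 = N1 special case becomes … */
if (found_p_mode == NONE &&
    try_secret_nonces(wps, wps->e_nonce, wps->e_nonce) == PIN_FOUND) {
	found_p_mode = RTL819x;
	DEBUG_PRINT("Pin found (%8s)", wps->pin);
}
/* … unchanged: main loop, with the RT and RTL819x blocks using the same helper … */
```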
@@ -1089,17 +1116,15 @@ usage_err: for (int i = 0; i < WPS_NONCE_LEN; i++) wps->e_s2[i] = ralink_randbyte(&prng); - DEBUG_PRINT("Trying with E-S1: "); - DEBUG_PRINT_ARRAY(wps->e_s1, WPS_SECRET_NONCE_LEN); - DEBUG_PRINT("Trying with E-S2: "); - DEBUG_PRINT_ARRAY(wps->e_s2, WPS_SECRET_NONCE_LEN); - - r = crack(wps, wps->pin); - if (r == PIN_FOUND) { + DEBUG_PRINT_ATTEMPT(wps->e_s1, wps->e_s2); + if (crack(wps, wps->pin) == PIN_FOUND) { found_p_mode = RT; DEBUG_PRINT("Pin found (%8s)", wps->pin); } } + else { + DEBUG_PRINT("Nonce doesn't appear to be generated by this mode, skipping..."); + } } /* 2 */ @@ -1109,8 +1134,7 @@ usage_err: DEBUG_PRINT(" * Mode: %d (%s)", ECOS_SIMPLE, p_mode_name[ECOS_SIMPLE]); uint32_t known = wps->e_nonce[0] << 25; /* Reducing entropy from 32 to 25 bits */ - uint32_t counter = 0; - seed = 0; + uint32_t seed, counter = 0; while (counter < 0x02000000) { int i; seed = known | counter; @@ -1133,14 +1157,8 @@ usage_err: } if (wps->s1_seed) { /* Seed found */ - - DEBUG_PRINT("Trying with E-S1: "); - DEBUG_PRINT_ARRAY(wps->e_s1, WPS_SECRET_NONCE_LEN); - DEBUG_PRINT("Trying with E-S2: "); - DEBUG_PRINT_ARRAY(wps->e_s2, WPS_SECRET_NONCE_LEN); - - uint_fast8_t r = crack(wps, wps->pin); - if (r == PIN_FOUND) { + DEBUG_PRINT_ATTEMPT(wps->e_s1, wps->e_s2); + if (crack(wps, wps->pin) == PIN_FOUND) { found_p_mode = ECOS_SIMPLE; DEBUG_PRINT("Pin found (%8s)", wps->pin); } 
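Review bot: In the @@ -1109 hunk the new declaration `uint32_t seed, counter = 0;` sits directly under `uint32_t known = wps->e_nonce[0] << 25;`, which shifts an int-promoted byte by 25 bits: if e_nonce is a uint8_t array, as the casts elsewhere in this patch suggest, any first byte of 64 or more pushes the product past INT_MAX on a 32-bit int and the shift is undefined behaviour rather than the intended 25-bit reduction. The line is pre-existing, but the commit is reworking this block, so it is the moment to make the shift unsigned: `uint32_t known = (uint32_t)wps->e_nonce[0] << 25;`. Separately, `seed` is declared without an initialiser in the same statement as `counter = 0`; it is assigned from `known | counter` before use, but `uint32_t counter = 0, seed = 0;` keeps the old explicit `seed = 0` and spares a reader the check. The enclosing function continues outside these hunks.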
@@ -1155,19 +1173,14 @@ usage_err: DEBUG_PRINT(" * Mode: %d (%s)", RTL819x, p_mode_name[RTL819x]); - /* E-S1 = E-S2 = E-Nonce - Best case scenario */ - memcpy(wps->e_s1, wps->e_nonce, WPS_SECRET_NONCE_LEN); - memcpy(wps->e_s2, wps->e_nonce, WPS_SECRET_NONCE_LEN); - - DEBUG_PRINT("Trying with E-S1: "); - DEBUG_PRINT_ARRAY(wps->e_s1, WPS_SECRET_NONCE_LEN); - DEBUG_PRINT("Trying with E-S2: "); - DEBUG_PRINT_ARRAY(wps->e_s2, WPS_SECRET_NONCE_LEN); - - uint_fast8_t r = crack(wps, wps->pin); - if (r == PIN_FOUND) { - found_p_mode = RTL819x; - DEBUG_PRINT("Pin found (%8s)", wps->pin); + if (!wps->mode_auto) { + memcpy(wps->e_s1, wps->e_nonce, WPS_SECRET_NONCE_LEN); + memcpy(wps->e_s2, wps->e_nonce, WPS_SECRET_NONCE_LEN); + DEBUG_PRINT_ATTEMPT(wps->e_s1, wps->e_s2); + if (crack(wps, wps->pin) == PIN_FOUND) { + found_p_mode = RTL819x; + DEBUG_PRINT("Pin found (%8s)", wps->pin); + } } if (found_p_mode == NONE) { @@ -1230,10 +1243,10 @@ usage_err: DEBUG_PRINT(" * Mode: %d (%s)", ECOS_SIMPLEST, p_mode_name[ECOS_SIMPLEST]); - uint32_t index = 0; + uint32_t seed, index = 0; do { + int i; seed = index; - uint_fast8_t i; for (i = 0; i < WPS_NONCE_LEN; i++) { if (wps->e_nonce[i] != (uint8_t) ecos_rand_simplest(&seed)) break; @@ -1256,14 +1269,8 @@ usage_err: } while (index != 0xffffffff); if (wps->nonce_seed) { /* Seed found */ - - DEBUG_PRINT("Trying with E-S1: "); - DEBUG_PRINT_ARRAY(wps->e_s1, WPS_SECRET_NONCE_LEN); - DEBUG_PRINT("Trying with E-S2: "); - DEBUG_PRINT_ARRAY(wps->e_s2, WPS_SECRET_NONCE_LEN); - - uint_fast8_t r = crack(wps, wps->pin); - if (r == PIN_FOUND) { + DEBUG_PRINT_ATTEMPT(wps->e_s1, wps->e_s2); + if (crack(wps, wps->pin) == PIN_FOUND) { found_p_mode = ECOS_SIMPLEST; DEBUG_PRINT("Pin found (%8s)", wps->pin); } 
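Review bot: The RTL819x block in the @@ -1155 hunk loses the old `/* E-S1 = E-S2 = E-Nonce - Best case scenario */` comment, and the new `if (!wps->mode_auto)` guard does not say why the attempt is skipped in auto mode (it has already been made in the special-cases block before the main loop); the same applies to the guarded RT block in @@ -1044. Suggest restoring the intent on each guard: `/* E-S1 = E-S2 = E-Nonce; already attempted before the main loop when mode is auto */` here, and `/* E-S1 = E-S2 = 0; already attempted before the main loop when mode is auto */` on the RT block. The enclosing function continues outside these hunks.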
@@ -1278,10 +1285,10 @@ usage_err: DEBUG_PRINT(" * Mode: %d (%s)", ECOS_KNUTH, p_mode_name[ECOS_KNUTH]); - uint32_t index = 0; + uint32_t seed, index = 0; do { + int i; seed = index; - uint_fast8_t i; for (i = 0; i < WPS_NONCE_LEN; i++) { if (wps->e_nonce[i] != (uint8_t) ecos_rand_knuth(&seed)) break; @@ -1304,14 +1311,8 @@ usage_err: } while (index != 0xffffffff); if (wps->nonce_seed) { /* Seed found */ - - DEBUG_PRINT("Trying with E-S1: "); - DEBUG_PRINT_ARRAY(wps->e_s1, WPS_SECRET_NONCE_LEN); - DEBUG_PRINT("Trying with E-S2: "); - DEBUG_PRINT_ARRAY(wps->e_s2, WPS_SECRET_NONCE_LEN); - - uint_fast8_t r = crack(wps, wps->pin); - if (r == PIN_FOUND) { + DEBUG_PRINT_ATTEMPT(wps->e_s1, wps->e_s2); + if (crack(wps, wps->pin) == PIN_FOUND) { found_p_mode = ECOS_KNUTH; DEBUG_PRINT("Pin found (%8s)", wps->pin); } diff --git a/src/pixiewps.h b/src/pixiewps.h index eb27ca1..0f80e2b 100644 --- a/src/pixiewps.h +++ b/src/pixiewps.h @@ -49,12 +49,21 @@ #endif #if defined(DEBUG) -# define DEBUG_PRINT(fmt, args...) do { printf("\n [DEBUG] %s:%d:%s(): " fmt, \ +# define DEBUG_PRINT(fmt, args...) do { printf("\n [DEBUG] %s:%4d:%s(): " fmt, \ __FILE__, __LINE__, __func__, ##args); fflush(stdout); } while (0) # define DEBUG_PRINT_ARRAY(b, l) do { byte_array_print(b, l); fflush(stdout); } while (0) +# define DEBUG_PRINT_ATTEMPT(s, z) \ + do { \ + printf("\n [DEBUG] %s:%4d:%s(): Trying with E-S1: ", __FILE__, __LINE__, __func__); \ + byte_array_print(s, WPS_SECRET_NONCE_LEN); \ + printf("\n [DEBUG] %s:%4d:%s(): Trying with E-S1: ", __FILE__, __LINE__, __func__); \ + byte_array_print(z, WPS_SECRET_NONCE_LEN); \ + fflush(stdout); \ + } while (0) #else # define DEBUG_PRINT(fmt, args...) do {} while (0) # define DEBUG_PRINT_ARRAY(b, l) do {} while (0) +# define DEBUG_PRINT_ATTEMPT(s, z) do {} while (0) #endif uint_fast8_t p_mode[MODE_LEN] = { 0 };
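Review bot: The new DEBUG_PRINT_ATTEMPT macro in src/pixiewps.h labels both buffers "Trying with E-S1: " — the second printf was copied from the first without changing the label, so debug output attributes the E-S2 bytes to E-S1 and makes attempt logs misleading when comparing runs. Change the second prefix to `printf("\n [DEBUG] %s:%4d:%s(): Trying with E-S2: ", __FILE__, __LINE__, __func__);`. The macro could also be composed from the existing DEBUG_PRINT and DEBUG_PRINT_ARRAY macros instead of repeating their format string and fflush, which would have avoided the slip and keeps the log prefix defined in one place.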