[Asterisk-Users] Vonage ATA-186 password recovery

Scrotus Maximus mrscrotus at yahoo.com
Sat Aug 23 05:07:38 MST 2003 

#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ATA_MAGIC	"#ata"

unsigned char bcd_lookup[100] = {
  0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,
  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19,
  0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29,
  0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39,
  0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
0x48, 0x49,
  0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
0x58, 0x59,
  0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
0x68, 0x69,
  0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
0x78, 0x79,
  0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
0x88, 0x89,
  0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
0x98, 0x99,
};

typedef struct rc4Key
{
  unsigned char state[256];
  unsigned char x;
  unsigned char y;
} rc4Key;

#define swapByte(x,y) t = *(x); *(x) = *(y); *(y) = t

void rc4(rc4Key *key, unsigned char *buf)
{
  unsigned char x;
  unsigned char y;
  unsigned char *state;
  unsigned char xorIndex;
  int i;

  x = key->x;
  y = key->y;
  state = &key->state[0];

  for(i = 0; i < 4; i++)
    {
      x = (x + 1) & 0xFF;
      y = (state[x] + y) & 0xFF;

      {
	unsigned char t;
	t = state[x];
	state[x] = state[y];
	state[y] = t;
      }

      xorIndex = (state[x] + state[y]) & 0xFF;
      buf[i] ^= state[xorIndex];
    }
}

unsigned char bcdkey[3] = { 0, 0, 0 };

void rawKey(rc4Key *key)
{
  char seed[32];

  int j;
  unsigned char t;
  unsigned char index1;
  unsigned char index2;
  unsigned char* state;
     
  seed[0] = bcd_lookup[bcdkey[0]];
  seed[1] = bcd_lookup[bcdkey[1]];
  seed[2] = bcd_lookup[bcdkey[2]];
	  
  state = &key->state[0];
  for(j = 0; j < 256; j++)
    state[j] = j;
  key->x = 0;
  key->y = 0;
  index1 = 0;
  index2 = 0;
  for(j = 0; j < 256; j++)
    {
      index2 = (seed[index1] + state[j] + index2) &
0xFF;
      swapByte(&state[j], &state[index2]);
      index1 = (index1 + 1) % 3;
    }
}

int main(int argc, char **argv)
{
  FILE *ifp;
  unsigned char signature[4];

  if (argc != 2) {
    printf ("Usage: %s [encrypted file]\n", argv[0]);
    exit (-1);
  }

  ifp = fopen(argv[1], "rb");
  if (ifp == NULL) {
    printf("error: can't open %s for reading\n",
argv[1]);
    exit(1);
  }

  if (fread(signature, 1, 4, ifp) != 4) {
    printf("error: read error\n");
    exit(1);
  }

  {
    rc4Key key;
    unsigned char testbuf[5];

    while (1) {
      testbuf[0] = signature[0];
      testbuf[1] = signature[1];
      testbuf[2] = signature[2];
      testbuf[3] = signature[3];

      rawKey (&key);
      rc4 (&key, testbuf);
      if (testbuf[0] == '#' &&
	  testbuf[1] == 'a' &&
	  testbuf[2] == 't' &&
	  testbuf[3] == 'a')
	{
	  printf ("FOUND Key: %02d%02d%02d\n",
		  bcdkey[0], bcdkey[1], bcdkey[2]);
	  exit (0);
	}
	
      bcdkey[0]++;
      if (bcdkey[0] == 100) {
	bcdkey[0] = 0;
	bcdkey[1]++;
	if (bcdkey[1] == 100) {
	  bcdkey[1] = 0;
	  bcdkey[2]++;
	  if (bcdkey[2] == 100) {
	    printf ("No key found :(\n");
	    exit(0);
	  }
	}
      }
    }
  }
}



__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

More information about the asterisk-users mailing list