This question already has answers here:
How to make bit wise XOR in C
(7 answers)
Closed 5 years ago.
I am trying to implement a cryptographic algorithm in C. I have an unsigned char array;
unsigned char ciphertext[] = { 0xA5, 0xB2, 0x3C, 0xAB, 0x03, 0xF1, 0xD3, 0x1C, 0x7F, 0xAD, 0x37, 0xA8, 0x8C, 0x8B, 0xCD, 0x90, 0xD4, 0xC2, 0x30, 0xAB, 0xD2, 0x3F, 0x3D, 0xAF, 0x58, 0x94, 0x1F, 0x50, 0xAF, 0xA2, 0xCE, 0x01 };
I need to XOR the char array with all values from 1 to 256. How can I do it in C? Thank you in advance.
EDİT:
I want to XOR my char array with;
unsigned char [] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01};
unsigned char two = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02};
unsigned char three[] = { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03};
And so on... That is the reason why I can not xor through each elements. It would be something different.
Something like:
int i;
for (i = 0; i < length; i++) {
cryptotext[i] = ciphertext[i] ^ (i%256);
}
Note that you can use only one array if you don't want to keep you plain text:
ciphertext[i] ^= (i%256);
XOR performs the following operations. please see below.
x y XOR
------------
0 0 0
1 0 1
0 1 1
1 1 0
You can't xor the entire array in one piece. you need to loop through the array and transform it character by character.
perform loop through the array and perform the XOR Operation.
Related
I currently have this HID report descriptor:
static
unsigned char hid_report_descriptor[] __attribute__ ((aligned(64))) = {
0x05, 0x01, // Usage Page (Generic Desktop Ctrls)
0x09, 0x05, // Usage (Game Pad)
0xA1, 0x01, // Collection (Application)
0xA1, 0x00, // Collection (Physical)
0x85, 0x01, // Report ID (1)
0x05, 0x09, // Usage Page (Button)
0x19, 0x01, // Usage Minimum (0x01)
0x29, 0x10, // Usage Maximum (0x10)
0x15, 0x00, // Logical Minimum (0)
0x25, 0x01, // Logical Maximum (1)
0x95, 0x10, // Report Count (16)
0x75, 0x01, // Report Size (1)
0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position)
0x05, 0x01, // Usage Page (Generic Desktop Ctrls)
0x09, 0x30, // Usage (X)
0x09, 0x31, // Usage (Y)
0x09, 0x32, // Usage (Z)
0x09, 0x33, // Usage (Rx)
0x15, 0x81, // Logical Minimum (-127)
0x25, 0x7F, // Logical Maximum (127)
0x75, 0x08, // Report Size (8)
0x95, 0x04, // Report Count (4)
0x81, 0x02, // Input (Data,Var,Abs,No Wrap,Linear,Preferred State,No Null Position)
0xC0, // End Collection
0xC0, // End Collection
};
It corresponds to this struct.
struct GamepadReport {
uint8_t report_id;
uint16_t buttons;
int8_t left_x;
int8_t left_y;
int8_t right_x;
int8_t right_y;
} __attribute__((packed));
I'm trying to add support for a single extra button that should serve as the "home" button (think of the X on an Xbox controller). This, in theory, should be done by changing the lines containing 0x29, 0x10 and 0x95, 0x10 to 0x29, 0x11 and 0x95, 0x11 respectively. However, doing so breaks the connection with the custom controller.
I cannot for the life of me figure out why this is and it makes absolutely zero sense to me. Can someone with more experience or knowledge about HID descriptors give me a hand?
In case anyone stumbles upon this or has a similar issue. You can't create a report count field on hid descriptors with numbers not divisible by 8 unless you add padding bits.
The solution was straightforward after reviewing the comments on my question and looking at similar issues online.
My gamepad report struct could only hold 16 bits. Even if I had a correctly defined hid descriptor, this would've prevented it from working. I changed my struct to the following.
struct GamepadReport {
uint8_t report_id;
uint32_t buttons;
int8_t left_x;
int8_t left_y;
int8_t right_x;
int8_t right_y;
} __attribute__((packed));
Modify your hid descriptor to contain the padding bits to the next number divisible by 8 that fits within your struct types. In this case, I need to fill 32 bits and I have 17 buttons. 32 - 17 means I need to add 15 padding bits.
0x75, 0xF, // Report Size (15) - PADDING BITS
0x95, 0x01, // Report Count (1)
0x81, 0x03, // Input (Const,Var,Abs,No Wrap,Linear,Preferred State,No Null Position)
So, I have been developing a code where some information should not be easily found if someone runs a strings command against the binary ie: strings a.out
If I try to use the following:
char array1[] = { 'd', 'd', 'd', 'd', '\0' };
then it works perfectly fine and it wouldn't be displayed if I run the strings command against the binary file.
However, I have a bigger list of text, which is converted to hex and if I try to use this list in the code below, after I compile the code, if I run a strings command against the binary, the list will be easily displayed in plain text.
unsigned char array1[] = {
0x64, 0x64, 0x64, 0x64, 0x20, 0x61, 0x61, 0x61, 0x61, 0x0a, 0x62, 0x62,
0x62, 0x62, 0x20, 0x63, 0x63, 0x63, 0x63, 0x64, 0x0a
};
My goal here is not to encrypt anything, but just try to avoid the content from being easily displayed if someone runs the strings command against the binary.
does anyone have any idea?
My idea is using float to store the value to used in initialization and converting the values to unsigned char at run time.
float array1_f[] = {
0x64, 0x64, 0x64, 0x64, 0x20, 0x61, 0x61, 0x61, 0x61, 0x0a, 0x62, 0x62,
0x62, 0x62, 0x20, 0x63, 0x63, 0x63, 0x63, 0x64, 0x0a
};
unsigned char array1[sizeof(array1_f) / sizeof(*array1_f)];
for (size_t i = 0; i < sizeof(array1) / sizeof(*array1); i++) {
array1[i] = (unsigned char)array1_f[i];
}
Floating-point values have a different representation compared to integers (for example, the value 0x64 (100) is represented as 0x42c80000 in IEEE-754 32-bit float), so it should be enough to hide your data from strings.
You could use a simplistic cipher in the source file and restore the string at runtime:
#define X(c) (0x60 ^ (c))
char array1[] = {
X('d'), X('d'), X('d'), X('d'), X(' '), X('a'), X('a'), X('a'),
X('a'), X('\n'), X('b'), X('b'), X('b'), X('b'), X(' '), X('c'),
X('c'), X('c'), X('c'), X('d'), X('\n')
};
void init_function(void) {
for (size_t i = 0; i < sizeof(array1); i++) {
array1[i] = X(array1[i]);
}
}
Even simpler if you don't mind the phrase appearing as clear text in the source file:
#include <stddef.h>
wchar_t array1_w[] = L"dddd aaaa\nbbbb ccccd\n";
char array1[sizeof(array1_w) / sizeof(*array1_w)];
void init_function(void) {
for (size_t i = 0; i < sizeof(array1); i++) {
array1[i] = (char)array1_w[i];
}
}
How can I get length of array which is array of unsigned char*?
This is my array:
unsigned char ot[] = { 0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64, 0x0, 0x0, 0x0, 0x0, 0x0 };
I tried to use strlen() like this:
int length = strlen((char*) ot);
It returns me length of 11 till first 0x0, but what is my array changes to this? (check last element)
unsigned char ot[] = { 0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64, 0x0, 0x0, 0x0, 0x0, 0xa1 };
Then I get still 11 elements, how can I get "real" length of whole array? Like what if there will be data after some 0x0 element.
For example for:
unsigned char* file_buffer = new unsigned char[BUFFER_SIZE];
fread(file_buffer,sizeof(unsigned char),BUFFER_SIZE,input_file)
What could be best solution? Because return value of fread() can vary, if I am reading last chunk of file, and what if in file will be 0x0 before some data?
How can I get length of array which is array of unsigned char* ?
According to the examples you gave you are attempting to retrieve the length of an array [] and not an array *. This can be achieved using the keyword sizeof (sizeof(ot)).
However when it comes to pointers (such as your unsigned char *), you will need to know the size beforehand as using sizeof over it would return the allocated size of the pointer itself and not the actual content size of this pointer.
unsigned char ot[] = {0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64, 0x0, 0x0, 0x0, 0x0, 0x0};
int _length = strlen((char *) ot);
printf("%d\n", _length); // 11
int length = sizeof(ot) / sizeof(unsigned char);
printf("%d\n", length); // 16
// reason behind strlen behaves like this
if (0x0 == '\0') {
printf("Yes\n");
}
strlen() returns string length when it finds null terminator which is '\0'. If you run the code, it will print Yes at the end, means 0x0 is actually equivalent to '\0' null terminator.
Use sizeof() to get the real length.
it seems this code make my display go crazy sometimes (but only sometimes). But when I remove dat=~dat; it seems to work fine.
why?
what I am trying to do here is just make the ascii letters be the oposite: so for example:
11001000 will be:
00110111
or
10101111 would be:
01010000
the reason for doing this is that i want to have one row (the active row) in the diplay window with black on white pixels instead of opostie like the rest of the display window.
Is there some other way I could do this? (invert the numbers)
FYI: I am programing in C. Atmel studio. atmega 4809, SSD1305z display, SPI-simular interface.
void displayinvertedString(char str[], uint8_t ypos,uint8_t xpos)
{
Set_Page_Address(ypos);
Set_Column_Address(xpos);
int len = strlen(str);
uint8_t dat;
int temp;
for (int e=0; e<len; e++)
{
dat = 0xff;
Write_Data(dat); //to get an extra space between the
// numbers/letters for
//making it easier to read the text on the display
temp = str[e];
temp=temp-0x20; // As the lookup table starts from Space(0x20)
for (int w=0; w<5; w++)
{
dat= OledFontTable[temp][w]; // Get the data to be displayed for LookUptable
dat =~ dat;
Write_Data(dat);
}
}
}
----------
static uint8_t OledFontTable[][FONT_SIZE]={
//static uint8_t OledFontTable[] = {
0x00, 0x00, 0x00, 0x00, 0x00, // space
0x00, 0x00, 0x2f, 0x00, 0x00, // !
0x00, 0x07, 0x00, 0x07, 0x00, // "
0x14, 0x7f, 0x14, 0x7f, 0x14, // #
0x24, 0x2a, 0x7f, 0x2a, 0x12, // $
0x23, 0x13, 0x08, 0x64, 0x62, // %
0x36, 0x49, 0x55, 0x22, 0x50, // &
ETC. Etc.
just more raw pixel data here. this part ends like this:
0x00, 0x00, 0xFF, 0x00, 0x00, // |
0x00, 0x82, 0x7C, 0x10, 0x00, // }
0x00, 0x06, 0x09, 0x09, 0x06 // ~ (Degrees)
};
void Write_Data(unsigned char Data)
{
PORTA.OUTCLR = PIN7_bm; //cs
PORTB.OUTSET = PIN2_bm; //dc
Write_Command(Data); //
}
void Write_Command(unsigned char data)
{
SPI0.DATA = data; // copy data to DATA register
while ((SPI0.INTFLAGS & SPI_RXCIF_bm) == 0) ; //wait
}
I have asked a bit about this before. but i thought i would look "cleaner" with a new tread since info was missing from the last one.
It turned out I needed to toggle the chip select (CS) so the clock did not get out of sync with time.
The clock sync drifted with time.
It was going crazy faster for the non inverted data for some reason. But with the normal data it happend after some time also.
Thank you for the answers.
I'm an ethical hacking student and have been given this as an exercise. I've been stuck on it for two days now.
We're writing a program that is purposely vulnerable to a "buffer overflow".
#include <stdio.h>
void badf(int n, char c, char* buffer)
{
char mycode[] = {
0xeb, 0x0f, 0xb8, 0x0b,
0x00, 0x00, 0x00, 0x8b,
0x1c, 0x24, 0x8d, 0x0c,
0x24, 0x31, 0xd2, 0xcd,
0x80, 0xe8, 0xec, 0xff,
0xff, 0xff, 0x2f, 0x62,
0x69, 0x6e, 0x2f, 0x6c,
0x73, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00
}; // 37 bytes
int i;
// Copy mycode array into buffer array
for (i=0; i<n; i++)
{
buffer[i]=mycode[i];
}
// Overwrite Base Pointer
buffer[37] = 0x00;
buffer[38] = 0x00;
buffer[39] = 0x00;
buffer[40] = 0x00;
// Overwrite Instruction Pointer
buffer[41] = 0x90;
buffer[42] = 0x83;
buffer[43] = 0x04;
buffer[44] = 0x08;
}
void f(int n, char c)
{
char buffer[37];
badf(n,c,buffer);
}
void test()
{
printf("test\n");
}
int main()
{
f(37,0x00);
return 0;
}
The mycode array contains "malicious" machine code (it actually just calls execv with /bin/ls). badf is the "vulnerable" function. At the moment you can see I'm overwriting the Base Pointer with 0x00s and the Instuction Pointer with 0x08048390 which is the address of the test() function. This works, 'test' is printed to the terminal.
Now my next exercise is to "use ddd to find the address of your code array and modify the C to write this address over the instruction pointer, as you did in the previous step".
What I don't understand, is how I can use ddd to find the address of my code array. I can easily find the address where the array is moved to BP:
0x08048260 <badf+12>: movb $0xeb,-0x29(%ebp)
0x08048264 <badf+16>: movb $0xf,-0x28(%ebp)
0x08048268 <badf+20>: movb $0xb8,-0x27(%ebp)
.....
Or where it is copied into the buffer array:
0x080482f4 <badf+160>: movl $0x0,-0x4(%ebp)
0x080482fb <badf+167>: jmp 0x8048316 <badf+194>
0x080482fd <badf+169>: mov -0x4(%ebp),%edx
0x08048300 <badf+172>: mov 0x10(%ebp),%eax
.....
But of course this is not what we're looking for.
How can I find the Instruction Pointer address to execute machine code that has been loaded in by writing it in the buffer array this way?
edit: ddd is the debugger we're using, also note we're working with a 32bit linux. The code is compiled with -fno-stack-operator flag, disabling the compilers auto-checks for buffer overflows.
Since you copy myCode into the buffer, you could simply use buffer itself:
Assuming a little-endian machine:
// Overwrite Instruction Pointer
buffer[41] = (char)(((uintptr_t)buffer) >> 0);
buffer[42] = (char)(((uintptr_t)buffer) >> 8);
buffer[43] = (char)(((uintptr_t)buffer) >> 16);
buffer[44] = (char)(((uintptr_t)buffer) >> 24);
I don't know how to do it with ddd, but you could modify badf to print mycode address by using a print statement like this:
printf("mycode address: %p", (void *) mycode);
See what that prints, and just write that to instruction pointer