GSM-Forum > Other Gsm/Mobile Related Forums > GSM Programming & Reverse Engineering
Post #1 (08-06-2013, 10:46) by Victor, Moderator
ZTE F110 Algo free!!!


.... Same algo as others... OLD X760

Code:
ROM:000EBA70 ; int __fastcall aflcMepCreatePassword1(unsigned __int8 *a1, int a2, unsigned __int8 *a3)
ROM:000EBA70 aflcMepCreatePassword1
ROM:000EBA70
ROM:000EBA70 var_18          = -0x18
ROM:000EBA70
ROM:000EBA70                 PUSH    {R3-R7,LR}
ROM:000EBA72                 MOVS    R6, #0
ROM:000EBA74                 MOVS    R5, R0
ROM:000EBA76                 CMP     R1, #1
ROM:000EBA78                 BNE     loc_EBA7E
ROM:000EBA7A                 MOVS    R7, #8
ROM:000EBA7C                 B       loc_EBA84
ROM:000EBA7E ; ---------------------------------------------------------------------------
ROM:000EBA7E
ROM:000EBA7E loc_EBA7E                               ; CODE XREF: aflcMepCreatePassword1+8j
ROM:000EBA7E                 CMP     R1, #2
ROM:000EBA80                 BNE     loc_EBA84
ROM:000EBA82                 MOVS    R7, #9
ROM:000EBA84
ROM:000EBA84 loc_EBA84                               ; CODE XREF: aflcMepCreatePassword1+Cj
ROM:000EBA84                                         ; aflcMepCreatePassword1+10j
ROM:000EBA84                 MOVS    R0, #0xC
ROM:000EBA86                 STR     R0, [R2]
ROM:000EBA88                 LDRB    R0, [R5,#0xE]
ROM:000EBA8A                 ADDS    R4, R2, #4
ROM:000EBA8C                 MULS    R0, R7
ROM:000EBA8E                 ADDS    R0, #6
ROM:000EBA90                 BLX     _rt_udiv10
ROM:000EBA94                 STRB    R1, [R4,#0xB]
ROM:000EBA96                 LDRB    R0, [R5,#0xD]
ROM:000EBA98                 MULS    R0, R7
ROM:000EBA9A                 ADDS    R0, #8
ROM:000EBA9C                 BLX     _rt_udiv10
ROM:000EBAA0                 STRB    R1, [R4,#0xA]
ROM:000EBAA2                 LDRB    R0, [R5,#0xC]
ROM:000EBAA4                 MULS    R0, R7
ROM:000EBAA6                 ADDS    R0, #8
ROM:000EBAA8                 BLX     _rt_udiv10
ROM:000EBAAC                 STRB    R1, [R4,#9]
ROM:000EBAAE                 LDRB    R0, [R5,#0xB]
ROM:000EBAB0                 MULS    R0, R7
ROM:000EBAB2                 ADDS    R0, #9
ROM:000EBAB4                 BLX     _rt_udiv10
ROM:000EBAB8                 STRB    R1, [R4,#8]
ROM:000EBABA                 LDRB    R0, [R5,#0xA]
ROM:000EBABC                 MULS    R0, R7
ROM:000EBABE                 ADDS    R0, #5
ROM:000EBAC0                 BLX     _rt_udiv10
ROM:000EBAC4                 STRB    R1, [R4,#7]
ROM:000EBAC6                 LDRB    R0, [R5,#9]
ROM:000EBAC8                 MULS    R0, R7
ROM:000EBACA                 BLX     _rt_udiv10
ROM:000EBACE                 STRB    R1, [R4,#6]
ROM:000EBAD0                 LDRB    R0, [R5,#8]
ROM:000EBAD2                 MULS    R0, R7
ROM:000EBAD4                 BLX     _rt_udiv10
ROM:000EBAD8                 STRB    R1, [R4,#5]
ROM:000EBADA                 LDRB    R0, [R5,#7]
ROM:000EBADC                 MULS    R0, R7
ROM:000EBADE                 BLX     _rt_udiv10
ROM:000EBAE2                 STRB    R1, [R4,#4]
ROM:000EBAE4                 LDRB    R0, [R5,#6]
ROM:000EBAE6                 MULS    R0, R7
ROM:000EBAE8                 BLX     _rt_udiv10
ROM:000EBAEC                 STRB    R1, [R4,#3]
ROM:000EBAEE                 LDRB    R0, [R5,#5]
ROM:000EBAF0                 MULS    R0, R7
ROM:000EBAF2                 BLX     _rt_udiv10
ROM:000EBAF6                 STRB    R1, [R4,#2]
ROM:000EBAF8                 LDRB    R0, [R5,#4]
ROM:000EBAFA                 MULS    R0, R7
ROM:000EBAFC                 BLX     _rt_udiv10
ROM:000EBB00                 STRB    R1, [R4,#1]
ROM:000EBB02                 LDRB    R0, [R5,#3]
ROM:000EBB04                 MULS    R0, R7
ROM:000EBB06                 BLX     _rt_udiv10
ROM:000EBB0A                 MOVS    R0, #0
ROM:000EBB0C                 MOVS    R7, #0xE
ROM:000EBB0E                 STRB    R1, [R4]
ROM:000EBB10
ROM:000EBB10 loc_EBB10                               ; CODE XREF: aflcMepCreatePassword1+AEj
ROM:000EBB10                 SUBS    R1, R7, R0
ROM:000EBB12                 LDRB    R1, [R5,R1]
ROM:000EBB14                 ADDS    R0, #1
ROM:000EBB16                 LSLS    R0, R0, #0x18
ROM:000EBB18                 LSRS    R0, R0, #0x18
ROM:000EBB1A                 ADDS    R6, R1, R6
ROM:000EBB1C                 CMP     R0, #0xC
ROM:000EBB1E                 BCC     loc_EBB10
ROM:000EBB20                 MOVS    R0, R6
ROM:000EBB22                 BLX     _rt_udiv10_0
ROM:000EBB26                 STR     R1, [SP,#0x18+var_18]
ROM:000EBB28                 MOVS    R6, #0
ROM:000EBB2A
ROM:000EBB2A loc_EBB2A                               ; CODE XREF: aflcMepCreatePassword1+D4j
ROM:000EBB2A                 SUBS    R0, R7, R6
ROM:000EBB2C                 LDRB    R0, [R5,R0]
ROM:000EBB2E                 LDR     R1, [SP,#0x18+var_18]
ROM:000EBB30                 MULS    R0, R1
ROM:000EBB32                 LDRB    R1, [R4,R6]
ROM:000EBB34                 ADDS    R0, R0, R1
ROM:000EBB36                 BLX     _rt_udiv10_0
ROM:000EBB3A                 STRB    R1, [R4,R6]
ROM:000EBB3C                 ADDS    R6, #1
ROM:000EBB3E                 LSLS    R6, R6, #0x18
ROM:000EBB40                 LSRS    R6, R6, #0x18
ROM:000EBB42                 CMP     R6, #0xC
ROM:000EBB44                 BCC     loc_EBB2A
ROM:000EBB46                 POP     {R3-R7,PC}
ROM:000EBB46 ; End of function aflcMepCreatePassword1
ROM:000EBB46
Code:
unsigned int __fastcall aflcMepCreatePassword1(unsigned __int8 *a1, int a2, unsigned __int8 *a3)
{
  signed int v3; // r7@0
  unsigned int v4; // r6@1
  unsigned __int8 *v6; // r4@5
  int v7; // r0@5
  int v8; // r1@6
  int v9; // r6@7
  unsigned int v10; // r0@8
  unsigned int result; // r0@8
  unsigned int v12; // r1@8
  unsigned int v13; // [sp+0h] [bp-18h]@7

  v4 = 0;
  if ( a2 == 1 )
  {
    v3 = 8;
  }
  else if ( a2 == 2 )
  {
    v3 = 9;
  }
  *(_DWORD *)a3 = 12;
  v6 = a3 + 4;
  a3[15] = ((unsigned int)a1[14] * v3 + 6) % 0xA;
  a3[14] = ((unsigned int)a1[13] * v3 + 8) % 0xA;
  a3[13] = ((unsigned int)a1[12] * v3 + 8) % 0xA;
  a3[12] = ((unsigned int)a1[11] * v3 + 9) % 0xA;
  a3[11] = ((unsigned int)a1[10] * v3 + 5) % 0xA;
  a3[10] = (unsigned int)a1[9] * v3 % 0xA;
  a3[9] = (unsigned int)a1[8] * v3 % 0xA;
  a3[8] = (unsigned int)a1[7] * v3 % 0xA;
  a3[7] = (unsigned int)a1[6] * v3 % 0xA;
  a3[6] = (unsigned int)a1[5] * v3 % 0xA;
  a3[5] = (unsigned int)a1[4] * v3 % 0xA;
  v7 = 0;
  a3[4] = (unsigned int)a1[3] * v3 % 0xA;
  do
  {
    v8 = a1[14 - v7];
    v7 = (v7 + 1) & 0xFF;
    v4 += v8;
  }
  while ( (unsigned int)v7 < 0xC );
  v13 = v4 % 0xA;
  v9 = 0;
  do
  {
    v10 = a1[14 - v9] * v13 + v6[v9];
    v12 = v10 % 0xA;
    result = v10 / 0xA;
    v6[v9] = v12;
    v9 = (v9 + 1) & 0xFF;
  }
  while ( (unsigned int)v9 < 0xC );
  return result;
}
Post #2 (08-20-2013, 02:57) by Skullbocks, Junior Member
Please, source code in PHP to test NCK.

Thanks!!
Post #3 (08-20-2013, 06:43) by Victor, Moderator
Quote:
Originally Posted by Skullbocks
Please, source code in PHP to test NCK.

Thanks!!
What to test?
You don't believe in high-level algorithmic languages like C/C++, Delphi...?
You believe in script languages like PHP?
... or you don't believe this algo works?

... or anyone to translate this for "my site"?


Absolutely non-serious post. And this algo has a PHP implementation in the forum. Better to use the search button.
Post #4 (08-21-2013, 01:02) by Skullbocks, Junior Member
Relax, Mr. Moderator, it was just a comment and the forum is to share knowledge, that's all. Regards
Post #5 (08-21-2013, 04:55) by Victor, Moderator
I just commented also ... as you see, I did not take action on the post.

So? Knowledge... you cannot convert C/C++ pseudocode to PHP?

... or this is not knowledge?!?!?!?!?!?

I share with you (the algo is already posted in a PHP variant):

http://forum.gsmhosting.com/vbb/f83/...unlock-984385/

Last edited by Victor; 08-21-2013 at 05:01.
Post #6 (08-21-2013, 12:00) by NiRaV.SoN!, No Life Poster

I converted the F110 algo to PHP when this post was posted by Victor.
I only can't understand:
Code:
*(_DWORD *)a3 = 12;
Post #7 (08-22-2013, 00:59) by latigido922, Freak Poster
This is only:

MOVS R0, #0xC
->
a3 = 12;
Post #8 (08-22-2013, 09:01) by Victor, Moderator
Quote:
Originally Posted by latigido922
This is only:

MOVS R0, #0xC
->
a3 = 12;
Yes, but here there is pointer arithmetic (C/C++ specific). Just not needed in a PC implementation.


... small optimized implementation:

Code:
Procedure aflcMepCreatePassword1(imei:pansichar; a2 : integer; Outdata: pansichar);
var
  v3 : word;
  v9,v4,v7,v13 : integer;
  a1,a3 : array [0..16] of byte;
  i: byte;
begin
  for i := 0 to 14 do a1[i]:= Byte(imei[i]) - $30;  {Convert from ascii to digits}
  if ( a2 = 1 ) then
  begin
    v3 := 8;
  end
  else  if ( a2 = 2 ) then
        begin
            v3 := 9;
        end;
  a3[15] := (a1[14] * v3 + 6) mod $A;
  a3[14] := (a1[13] * v3 + 8) mod $A;
  a3[13] := (a1[12] * v3 + 8) mod $A;
  a3[12] := (a1[11] * v3 + 9) mod $A;
  a3[11] := (a1[10] * v3 + 5) mod $A;
  a3[10] := (a1[09] * v3 + 0) mod $A;
  a3[09] := (a1[08] * v3 + 0) mod $A;
  a3[08] := (a1[07] * v3 + 0) mod $A;
  a3[07] := (a1[06] * v3 + 0) mod $A;
  a3[06] := (a1[05] * v3 + 0) mod $A;
  a3[05] := (a1[04] * v3 + 0) mod $A;
  a3[04] := (a1[03] * v3 + 0) mod $A;
  v7 := 0;
  v4 := 0;
  while ( v7 < $C ) do
  begin
    Inc(v4,a1[14 - v7]);
    inc(v7);
  end;
  v13 := v4 mod $A;
  v9 := 0;
  while ( v9 < $C ) do
  begin
    a3[v9+4] := ((a1[14 - v9] * v13 + a3[v9 + 4]) mod $A) + $30;
    inc(v9);
  end;
  a3[16]:=0; {Terminate string.}
  copymemory(outdata,@a3[4],13);
end;
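For cross-checking the IDA pseudocode in post #1 against the Delphi rewrite above, here is a Python port of the same routine. It is an added example, not code from the thread or from ZTE: the function and constant names are this example's own, the IMEI used in the self-test is a constructed placeholder, and the little-endian layout of the 4-byte length prefix (the `*(_DWORD *)a3 = 12` store) is an assumption, since the listing alone does not fix the byte order. Reading the listing as a whole, only IMEI digits 3 to 14 enter the computation and the whole transform is a fixed affine map mod 10 keyed by nothing but the IMEI and the level; the port makes both properties explicit.

```python
"""Python port of aflcMepCreatePassword1 as decompiled above (added example).

Constant and function names are this example's own; the firmware does not
name them. Digits are handled as integers 0..9, as the firmware does; the
Delphi version above additionally adds $30 to produce ASCII."""

# Additive constants applied in the first pass to output positions 11..7
# (a3[15]..a3[11] in the listing); positions 6..0 add nothing.
FIRST_PASS_ADDENDS = {11: 6, 10: 8, 9: 8, 8: 9, 7: 5}

# a2 == 1 -> v3 = 8, a2 == 2 -> v3 = 9 (r7 in the assembly)
LEVEL_MULTIPLIER = {1: 8, 2: 9}

OUTPUT_DIGITS = 12  # the value stored by *(_DWORD *)a3 = 12


def mep_digits(imei: str, level: int) -> list:
    """Return the 12 output digits (raw 0..9 values) for a 15-digit IMEI."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 decimal digits")
    if level not in LEVEL_MULTIPLIER:
        # The firmware leaves r7 uninitialised here; refuse instead of guessing.
        raise ValueError("level must be 1 or 2")
    v3 = LEVEL_MULTIPLIER[level]
    a1 = [ord(c) - 0x30 for c in imei]  # ASCII -> digit, as in the Delphi version

    # First pass: a3[4+i] = (a1[3+i] * v3 + addend) mod 10.
    # Note that a1[0..2] (the first three IMEI digits) are never read.
    out = [(a1[3 + i] * v3 + FIRST_PASS_ADDENDS.get(i, 0)) % 10
           for i in range(OUTPUT_DIGITS)]

    # v13: sum of a1[14] down to a1[3], mod 10 (loop at loc_EBB10)
    v13 = sum(a1[14 - k] for k in range(OUTPUT_DIGITS)) % 10

    # Second pass (loop at loc_EBB2A): fold the reversed digits back in
    for i in range(OUTPUT_DIGITS):
        out[i] = (a1[14 - i] * v13 + out[i]) % 10
    return out


def mep_create_password1(imei: str, level: int) -> str:
    """Same result as the Delphi procedure: the 12 digits as a decimal string."""
    return "".join(str(d) for d in mep_digits(imei, level))


def firmware_output_buffer(imei: str, level: int, byteorder: str = "little") -> bytes:
    """Lay out a3 as the firmware does: a 4-byte length (12) followed by the
    12 digit bytes. The byte order of the length word is an assumption."""
    prefix = OUTPUT_DIGITS.to_bytes(4, byteorder)
    return prefix + bytes(mep_digits(imei, level))


if __name__ == "__main__":
    sample_imei = "123456789012345"  # constructed placeholder, not a real device
    for lvl in (1, 2):
        print(lvl, mep_create_password1(sample_imei, lvl))
    print(firmware_output_buffer(sample_imei, 1).hex())
```

Unlike the firmware, which leaves r7 uninitialised for any level other than 1 or 2, the port refuses such input rather than reproducing undefined behaviour.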
Post #9 (08-22-2013, 11:47) by orbita, Product Manager
Quote:
Originally Posted by NiRaV.SoN!
I converted the F110 algo to PHP when this post was posted by Victor.
I only can't understand:
Code:
*(_DWORD *)a3 = 12;
In IDA pseudocode all is bytes.
So here the a3 pointer will take Int32 length, meaning 4 bytes = 0x0000000C.

But Victor explained it more easily and better in the code above.
Post #10 (08-22-2013, 12:01) by Victor, Moderator
Quote:
Originally Posted by orbita
In IDA pseudocode all is bytes.
So here the a3 pointer will take Int32 length, meaning 4 bytes = 0x0000000C.

But Victor explained it more easily and better in the code above.

In IDA all is what the user sets.
Post #11 (08-22-2013, 15:20) by orbita, Product Manager
Quote:
Originally Posted by Victor
In IDA all is what the user sets.
Possibly my expression is wrong, thanks for the correction.
Does any other source than the binary file exist?
Post #12 (08-22-2013, 20:14) by dzunlocker, No Life Poster
Quote:
Originally Posted by orbita
In IDA pseudocode all is bytes.
So here the a3 pointer will take Int32 length, meaning 4 bytes = 0x0000000C.

But Victor explained it more easily and better in the code above.
- a3 is a pointer to a Double Word (4 bytes)
- the size (length) of a3 is OS/platform dependent, e.g. for x64 it will be 8 bytes, not 4 bytes.

Regards
Post #13 (08-22-2013, 20:39) by Victor, Moderator
Why are both of you talking such big stupidities?

OS dependent ... IDA bytes etc....

Test this code fragment and you will see:

Code:
var
  Form1: TForm1;
  a: array [0..11] of byte = (0,0,0,0,$1,$2,$3,$4,0,0,0,0);
implementation

{$R *.dfm}

procedure TForm1.Button1Click(Sender: TObject);
var a: array [0..11] of byte;
    d: dword;
    w: word;
begin
    fillchar(a,sizeof(a),0);
    a[4]:=$1;
    a[5]:=$2;
    a[6]:=$3;
    a[7]:=$4;
    d:=DWORD((@a[4])^);
    w:=WORD((@a[4])^);
end;
a is an array of bytes. d is a DWORD, w is a WORD...
The trick is the type conversion from a pointer ...

- pointer is 4 bytes
- dword is 4 bytes
- word is 2 bytes

Which values will D and W have?

d = $04030201;
w = $0201;

.... here the OS dependence is the PC interpretation, because it is little-endian x86 (this is platform dependent); on ARM it should be 0x01020304 for D and 0x0102 for W.

What fifty cents, what 8 bytes, what IDA bytes?!?!?!...
Post #14 (08-22-2013, 20:41) by Victor, Moderator
... I'm wrong also about the endianness! THIS IS COMPILER SPECIFIC!!! Delphi changes the endianness, C/C++ does not.
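To settle the question that runs through posts #6 to #14 (what `*(_DWORD *)a3 = 12` writes, and what Victor's Delphi fragment reads back), here is a Python version of the same byte reinterpretation, written out explicitly for both byte orders. It is an added example, not code from the thread; the byte array is constructed to match the Delphi fragment, and the function names are this example's own. Two facts it relies on: a DWORD is always 4 bytes and a WORD always 2, independently of pointer size (a pointer is 8 bytes on x64, but the value it points at is still 4); and the order of those bytes in memory is fixed by the target CPU and ABI the code runs on, not by the source language or compiler, so Delphi and C on the same x86 machine both read $04030201, while a big-endian target reads 0x01020304. ARM cores can run in either mode and phone firmware is commonly little-endian.

```python
import struct
import sys

# Constructed byte array matching the Delphi fragment: 01 02 03 04 at offset 4
SAMPLE = bytes([0, 0, 0, 0, 0x01, 0x02, 0x03, 0x04, 0, 0, 0, 0])


def _prefix(byteorder: str) -> str:
    """struct format prefix for an explicit byte order ('<' little, '>' big)."""
    if byteorder not in ("little", "big"):
        raise ValueError("byteorder must be 'little' or 'big'")
    return "<" if byteorder == "little" else ">"


def read_dword(buf: bytes, offset: int, byteorder: str) -> int:
    """Reinterpret 4 bytes at offset as an unsigned 32-bit value, i.e. what
    DWORD(p^) in Delphi or *(_DWORD *)p in C reads. The width is always 4
    bytes; only the byte order changes the numeric result."""
    return struct.unpack_from(_prefix(byteorder) + "I", buf, offset)[0]


def read_word(buf: bytes, offset: int, byteorder: str) -> int:
    """Same for a 2-byte WORD."""
    return struct.unpack_from(_prefix(byteorder) + "H", buf, offset)[0]


def write_dword(buf: bytearray, offset: int, value: int, byteorder: str) -> bytearray:
    """The store side: *(_DWORD *)a3 = value (STR R0,[R2] in the listing).
    Returns the buffer so the resulting byte layout can be inspected."""
    struct.pack_into(_prefix(byteorder) + "I", buf, offset, value)
    return buf


def host_reads() -> dict:
    """What the Delphi fragment yields on this machine's own byte order."""
    return {
        "d": read_dword(SAMPLE, 4, sys.byteorder),
        "w": read_word(SAMPLE, 4, sys.byteorder),
    }


if __name__ == "__main__":
    for order in ("little", "big"):
        print(order, hex(read_dword(SAMPLE, 4, order)), hex(read_word(SAMPLE, 4, order)))
    # The 12 stored by the firmware, as it lands in memory on each byte order
    for order in ("little", "big"):
        print(order, write_dword(bytearray(16), 0, 12, order)[:4].hex())
    print("this host:", {k: hex(v) for k, v in host_reads().items()})
```

The same bytes give two different integers depending only on the byte order passed in; neither the language nor the pointer width enters into it. When porting firmware routines to a PC tool, reading and writing such fields through `struct` with an explicit prefix, as above, avoids depending on whatever the host happens to be.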
Post #15 (08-22-2013, 21:26) by orbita, Product Manager
Thanks Victor, yes it is like this..... and as usual your posts are very useful.


@dzunlocker your explanation is extremely useful, but no need to teach me what DWORD means.

2.2.9 DWORD