nfc-tools / mfoc-hardnested

A fork of mfoc integrating hardnested code from the proxmark
GNU General Public License v2.0

Segmentation Fault when cracking #1

Open karunsiri opened 4 years ago

karunsiri commented 4 years ago

A segmentation fault will occur when starting to crack the card with mfoc-hardnested. I notice from the README that this repo uses similar techniques from https://github.com/vk496/mfoc. The code from that repo also raises `segmentation fault: 11`, so I included an excerpt of the run output from that repo's code at the end of this issue too, in case it helps. It fails around the "Apply bit flip properties" step.

Platform & OS: macOS Catalina 10.15.5, CPU Intel i7-9750H, RAM 16 GB

Configure & build using:

autoreconf -is
./configure
make && sudo make install

./configure output

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... ./install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
./configure: line 2914: AX_CFLAGS_WARN_ALL: command not found
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... gcc3
checking whether make supports nested variables... (cached) yes
checking for pkg-config... /usr/local/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libnfc >= 1.7.0... yes
checking for liblzma... yes
checking build system type... x86_64-apple-darwin19.5.0
checking host system type... x86_64-apple-darwin19.5.0
checking whether pthreads work with -pthread... yes
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking if more special flags are required for pthreads... -D_THREAD_SAFE
checking for PTHREAD_PRIO_INHERIT... yes
checking for log in -lm... yes
checking for inline... inline
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for stdbool.h that conforms to C99... yes
checking for _Bool... yes
checking for size_t... yes
checking for uint8_t... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint64_t... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible realloc... yes
checking for memset... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands

make output:

/Library/Developer/CommandLineTools/usr/bin/make  all-recursive
Making all in src
  CC       crapto1.o
  CC       crypto1.o
  CC       mfoc.o
  CC       mifare.o
  CC       nfc-utils.o
  CC       parity.o
  CC       hardnested/hardnested_cpu_dispatch.o
  CC       hardnested/hardnested_bruteforce.o
  CC       hardnested/tables.o
  CC       cmdhfmfhard.o
  CC       util.o
  CC       util_posix.o
  CC       ui.o
gcc  -O3 -DX86_SIMD -std=c99 -mmmx -msse2 -mno-avx -mno-avx2 -mno-avx512f -c -o hardnested/hardnested_bf_core_SSE2.o hardnested/hardnested_bf_core_SSE2.c
gcc  -O3 -DX86_SIMD -std=c99 -mmmx -msse2 -mavx -mno-avx2 -mno-avx512f -c -o hardnested/hardnested_bf_core_AVX.o hardnested/hardnested_bf_core_AVX.c
gcc  -O3 -DX86_SIMD -std=c99 -mmmx -msse2 -mavx -mavx2 -mno-avx512f -c -o hardnested/hardnested_bf_core_AVX2.o hardnested/hardnested_bf_core_AVX2.c
gcc  -O3 -DX86_SIMD -std=c99 -mmmx -msse2 -mavx -mavx2 -mavx512f -c -o hardnested/hardnested_bf_core_AVX512.o hardnested/hardnested_bf_core_AVX512.c
gcc  -O3 -DX86_SIMD -std=c99 -mmmx -msse2 -mno-avx -mno-avx2 -mno-avx512f -c -o hardnested/hardnested_bitarray_core_SSE2.o hardnested/hardnested_bitarray_core_SSE2.c
gcc  -O3 -DX86_SIMD -std=c99 -mmmx -msse2 -mavx -mno-avx2 -mno-avx512f -c -o hardnested/hardnested_bitarray_core_AVX.o hardnested/hardnested_bitarray_core_AVX.c
gcc  -O3 -DX86_SIMD -std=c99 -mmmx -msse2 -mavx -mavx2 -mno-avx512f -c -o hardnested/hardnested_bitarray_core_AVX2.o hardnested/hardnested_bitarray_core_AVX2.c
gcc  -O3 -DX86_SIMD -std=c99 -mmmx -msse2 -mavx -mavx2 -mavx512f -c -o hardnested/hardnested_bitarray_core_AVX512.o hardnested/hardnested_bitarray_core_AVX512.c
  CCLD     mfoc-hardnested

mfoc run output from https://github.com/vk496/mfoc.

Sector 11 - Unknown Key A               Found   Key B: ffffffffffff
Sector 12 - Unknown Key A               Found   Key B: ffffffffffff
Sector 13 - Unknown Key A               Found   Key B: ffffffffffff
Sector 14 - Unknown Key A               Found   Key B: ffffffffffff
Sector 15 - Unknown Key A               Found   Key B: ffffffffffff

Using sector 15 as an exploit sector
Card is not vulnerable to nested attack

Using AVX2 SIMD core.

 time    | trg | #nonces | Activity                                                | expected to brute force
         |     |         |                                                         | #states         | time
-------------------------------------------------------------------------------------------------------------
       0 |  0? |       0 | Start using 12 threads and AVX2 SIMD core               |                 |
       0 |  0? |       0 | Brute force benchmark: 317 million (2^28.2) keys/s      | 140737488355328 |    5d
       0 |  0? |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |    5d
       4 |  0A |      18 | Apply bit flip properties                               |  54228122861568 |    2d          
zsh: segmentation fault  mfoc -O circle.card
gelotus commented 4 years ago

Do you have access to a Linux install on the same machine? Can you try to run it under Linux on the same machine, to see whether it is a macOS-specific memory allocation problem?

karunsiri commented 4 years ago

Ah yes, I do. I will try on the Linux box and report back 👍

monai commented 4 years ago

I can confirm that it crashes on macOS and Linux.

Core file '/cores/core.9764' (x86_64) was loaded.
(lldb) bt
* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0x00000001080331df mfoc-hardnested`next_state + 175
    frame #1: 0x00000001080330f8 mfoc-hardnested`bitarray_to_list + 136
    frame #2: 0x000000010802f6c0 mfoc-hardnested`add_bitflip_candidates + 256
    frame #3: 0x000000010802d5d1 mfoc-hardnested`mfnestedhard + 977
    frame #4: 0x00000001080251e0 mfoc-hardnested`main + 8544
    frame #5: 0x00007fff673accc9 libdyld.dylib`start + 1
(lldb) f
frame #0: 0x00000001080331df mfoc-hardnested`next_state + 175
mfoc-hardnested`next_state:
->  0x1080331df <+175>: cmp    dword ptr [rcx + 4*rsi], 0x0
    0x1080331e3 <+179>: mov    byte ptr [rbp - 0x21], al
    0x1080331e6 <+182>: jne    0x1080331f9               ; <+201>
    0x1080331ec <+188>: cmp    dword ptr [rbp - 0x14], 0x1000000
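The frames above sit in a walk over a bitarray of candidate states (`bitarray_to_list` → `next_state`), and the disassembly compares a 32-bit word against zero and a counter against `0x1000000` (2^24). The following is an added example, not mfoc-hardnested or proxmark3 code: a hypothetical, bounds-checked version of that kind of walker, with the function names, the 2^24-bit array size, the MSB-first bit order and the `END_OF_LIST` terminator all assumed for illustration. The point it demonstrates is that the index must be compared against the array length before each word is read, so that an all-zero tail at the top of the array (the case `run_sample(1)` constructs) can never make the skip loop read past the allocation, and that the output list is sized from an exact popcount so the writer cannot overrun it either.

```c
/* Added example: bounds-checked bitarray -> state-list walker.
 * Hypothetical reimplementation, NOT the mfoc-hardnested / proxmark3 code;
 * names, sizes and bit order are assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_STATES     (1u << 24)            /* 0x1000000 candidate states per bitarray */
#define BITARRAY_WORDS (NUM_STATES / 32)     /* 524288 x 32-bit words = 2 MiB */
#define END_OF_LIST    0xffffffffu           /* list terminator (assumed convention) */
#define BEFORE_FIRST   0xffffffffu           /* next_state(.., BEFORE_FIRST) starts at state 0 */

static void set_state(uint32_t *bitarray, uint32_t state) {
    bitarray[state >> 5] |= 0x80000000u >> (state & 0x1f);   /* MSB-first within a word */
}

/* First set state strictly greater than `state`, or NUM_STATES if there is none.
 * Every index is compared against BITARRAY_WORDS *before* the word is read, so a
 * trailing run of zero words cannot make the skip loop read one word past the array. */
static uint32_t next_state(const uint32_t *bitarray, uint32_t state) {
    state++;                                   /* BEFORE_FIRST wraps to 0 here */
    if (state >= NUM_STATES) return NUM_STATES;
    uint32_t index = state >> 5;
    uint32_t bit   = state & 0x1f;
    uint32_t line  = bitarray[index] << bit;   /* current state's bit is now the MSB */
    for (; bit < 32; bit++, state++, line <<= 1)
        if (line & 0x80000000u) return state;
    /* skip whole zero words; the bound is checked before each read */
    for (index++; index < BITARRAY_WORDS && bitarray[index] == 0; index++)
        ;
    if (index >= BITARRAY_WORDS) return NUM_STATES;
    state = index << 5;
    for (line = bitarray[index]; !(line & 0x80000000u); line <<= 1)
        state++;
    return state;
}

static uint32_t popcount32(uint32_t w) {
    uint32_t n = 0;
    for (; w; w &= w - 1) n++;                 /* clear lowest set bit each round */
    return n;
}

static uint32_t count_states(const uint32_t *bitarray) {
    uint32_t n = 0;
    for (uint32_t i = 0; i < BITARRAY_WORDS; i++) n += popcount32(bitarray[i]);
    return n;
}

/* Flatten the bitarray into a malloc'ed, END_OF_LIST-terminated list whose size comes
 * from the exact popcount, so the writer cannot overrun it either. Caller frees. */
static uint32_t *bitarray_to_list(const uint32_t *bitarray, uint32_t *count_out) {
    uint32_t count = count_states(bitarray);
    uint32_t *list = malloc(((size_t)count + 1) * sizeof *list);
    if (!list) return NULL;
    uint32_t n = 0;
    for (uint32_t s = next_state(bitarray, BEFORE_FIRST); s < NUM_STATES && n < count;
         s = next_state(bitarray, s))
        list[n++] = s;
    list[n] = END_OF_LIST;
    if (count_out) *count_out = n;
    return list;
}

/* Constructed sample (not card data): states that straddle word boundaries plus the very
 * last state, so the walk has to handle the top of the array. With `drop_last` set the
 * array ends in a long run of zero words, the case an unchecked skip loop walks off the end.
 * Returns the number of states recovered, or -1 on mismatch / allocation failure. */
static int run_sample(int drop_last) {
    static const uint32_t sample[] = { 0, 31, 32, 0x000fffff, 0x00abcdef, NUM_STATES - 1 };
    uint32_t expected = (uint32_t)(sizeof sample / sizeof sample[0]) - (drop_last ? 1 : 0);
    uint32_t *bitarray = calloc(BITARRAY_WORDS, sizeof *bitarray);
    if (!bitarray) return -1;
    for (uint32_t i = 0; i < expected; i++) set_state(bitarray, sample[i]);

    uint32_t n = 0;
    uint32_t *list = bitarray_to_list(bitarray, &n);
    int ok = list != NULL && n == expected && list[n] == END_OF_LIST;
    for (uint32_t i = 0; ok && i < n; i++) ok = list[i] == sample[i];
    free(list);
    free(bitarray);
    return ok ? (int)n : -1;
}

int main(void) {
    printf("full array: %d states recovered, zero tail: %d states recovered\n",
           run_sample(0), run_sample(1));
    return 0;
}
```

Compile with `gcc -O2 -fsanitize=address,undefined walker.c -o walker && ./walker` (assumed file name); the sanitizer build is the quick way to tell an off-the-end read from any other crash cause in code of this shape, and the same flags can be tried on the real tool when chasing the fault reported here.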
mattiarainieri commented 2 years ago

I have the same problem on a Raspberry Pi.

ld21 commented 2 years ago

I get a «Killed» when using the software on Debian bullseye on an RPi 2:

 time    | trg | #nonces | Activity                                                | expected to brute force
         |     |         |                                                         | #states         | time
-------------------------------------------------------------------------------------------------------------
       0 |  1A |       0 | Start using 4 threads                                   |                 |
       0 |  1A |       0 | Brute force benchmark: 15 million (2^23.9) keys/s       | 140737488355328 |  106d
      39 |  1A |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |  106d
Killed