From e5ae3e22b39f1ae3c2c305dc1f98ff3522ae095c Mon Sep 17 00:00:00 2001
From: AloneLiberty <111039319+AloneLiberty@users.noreply.github.com>
Date: Thu, 29 Jun 2023 11:24:13 +0300
Subject: [PATCH] NFC: Fix key invalidation logic (#2782)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* NFC: Fix key invalidation logic
* NFC: Fix crash in CLI with empty response
* Fix incorrect key conversions
* Proper call to nfc_util
Co-authored-by: あく
Co-authored-by: Astra
---
 applications/main/nfc/nfc_cli.c | 4 ++++
 lib/nfc/nfc_worker.c | 18 +++++++++---------
 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/applications/main/nfc/nfc_cli.c b/applications/main/nfc/nfc_cli.c
index 6e6e04ca9..0b7e75475 100644
--- a/applications/main/nfc/nfc_cli.c
+++ b/applications/main/nfc/nfc_cli.c
@@ -144,6 +144,10 @@ static void nfc_cli_apdu(Cli* cli, FuriString* args) {
 break;
 }
 resp_size = (tx_rx.rx_bits / 8) * 2;
+ if(!resp_size) { printf("No response\r\n"); break; }
 resp_buffer = malloc(resp_size);
 uint8_to_hex_chars(tx_rx.rx_data, resp_buffer, resp_size);
 resp_buffer[resp_size] = 0;
diff --git a/lib/nfc/nfc_worker.c b/lib/nfc/nfc_worker.c
index a6bb93f59..a39531c8c 100644
--- a/lib/nfc/nfc_worker.c
+++ b/lib/nfc/nfc_worker.c
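Review bot: `resp_buffer[resp_size] = 0;` on the hunk's last context line writes one byte past the `malloc(resp_size)` allocation two lines above, a heap off-by-one that the new empty-response guard does not address; `resp_size` is derived from `tx_rx.rx_bits`, i.e. from whatever the tag answers, so a malformed or hostile response reaches it. Allocate room for the terminator: `resp_buffer = malloc(resp_size + 1);`. Separately, `uint8_to_hex_chars(tx_rx.rx_data, resp_buffer, resp_size)` receives the hex-character count (twice the byte count); if its third parameter is the number of source bytes this over-reads `rx_data`, so confirm against its definition. The new guard also triggers when `rx_bits` is between 1 and 7, which it silently reports as "No response"; a short comment such as `// fewer than 8 bits received: treat as no response` would make that intentional. `nfc_cli_apdu` begins and ends outside the hunk, so whether the added `break` skips any cleanup cannot be judged here.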
@@ -940,14 +940,14 @@ void nfc_worker_mf_classic_dict_attack(NfcWorker* nfc_worker) {
 deactivated = true;
 } else {
 // If the key A is marked as found and matches the searching key, invalidate it
- uint8_t found_key[6];
- memcpy(found_key, data->block[i].value, 6);
+ MfClassicSectorTrailer* sec_trailer = mf_classic_get_sector_trailer_by_sector(data, i);
 uint8_t current_key[6];
- memcpy(current_key, &key, 6);
+ nfc_util_num2bytes(key, 6, current_key);
 if(mf_classic_is_key_found(data, i, MfClassicKeyA) &&
- memcmp(found_key, current_key, 6) == 0) {
+ memcmp(sec_trailer->key_a, current_key, 6) == 0) {
 mf_classic_set_key_not_found(data, i, MfClassicKeyA);
 is_key_a_found = false;
 FURI_LOG_D(TAG, "Key %dA not found in attack", i);
@@ -966,14 +966,14 @@ void nfc_worker_mf_classic_dict_attack(NfcWorker* nfc_worker) {
 deactivated = true;
 } else {
 // If the key B is marked as found and matches the searching key, invalidate it
- uint8_t found_key[6];
- memcpy(found_key, data->block[i].value + 10, 6);
+ MfClassicSectorTrailer* sec_trailer = mf_classic_get_sector_trailer_by_sector(data, i);
 uint8_t current_key[6];
- memcpy(current_key, &key, 6);
+ nfc_util_num2bytes(key, 6, current_key);
 if(mf_classic_is_key_found(data, i, MfClassicKeyB) &&
- memcmp(found_key, current_key, 6) == 0) {
+ memcmp(sec_trailer->key_b, current_key, 6) == 0) {
 mf_classic_set_key_not_found(data, i, MfClassicKeyB);
 is_key_b_found = false;
 FURI_LOG_D(TAG, "Key %dB not found in attack", i);
@@ -989,7 +989,7 @@ void nfc_worker_mf_classic_dict_attack(NfcWorker* nfc_worker) {
 }
 if(nfc_worker->state != NfcWorkerStateMfClassicDictAttack) break;
 }
- memcpy(&prev_key, &key, sizeof(key));
+ prev_key = key;
 }
 if(nfc_worker->state != NfcWorkerStateMfClassicDictAttack) break;
 mf_classic_read_sector(&tx_rx, data, i);
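Review bot: The new sector-trailer lookup, key conversion and `memcmp` in the key-A hunk (`@@ -940`) are repeated verbatim in the key-B hunk (`@@ -966`) with only `key_a`/`key_b` and `MfClassicKeyA`/`MfClassicKeyB` differing, so the invalidation test belongs in one static helper that both branches call. Ordering the helper so `mf_classic_is_key_found` runs first avoids the trailer lookup and `nfc_util_num2bytes` call for sectors whose key is not marked found, and gives a single place to guard `sec_trailer` if `mf_classic_get_sector_trailer_by_sector` can return NULL for an out-of-range sector, which the hunk does not check. The conversion of `key` into `current_key` is also re-done on every sector although `key` does not appear to change inside the per-sector loop; hoisting it is a small optional follow-up. Parameter types in the sketch below follow the locals used in the hunk and should be confirmed against their declarations; `nfc_worker_mf_classic_dict_attack` begins and ends outside the hunk.
```c
// Returns true when the key stored as `key_type` for `sector` is marked found
// and equals `key`; used by the dictionary attack to invalidate stale keys.
static bool nfc_worker_mf_classic_key_matches(
    MfClassicData* data,
    uint8_t sector,
    MfClassicKey key_type,
    uint64_t key) {
    if(!mf_classic_is_key_found(data, sector, key_type)) return false;
    MfClassicSectorTrailer* sec_trailer = mf_classic_get_sector_trailer_by_sector(data, sector);
    // NOTE(review): add a NULL check here if the lookup can fail — confirm
    uint8_t current_key[6];
    nfc_util_num2bytes(key, 6, current_key);
    const uint8_t* stored = (key_type == MfClassicKeyA) ? sec_trailer->key_a : sec_trailer->key_b;
    return memcmp(stored, current_key, 6) == 0;
}

// … in the key A branch of nfc_worker_mf_classic_dict_attack (key B branch is symmetric) …
if(nfc_worker_mf_classic_key_matches(data, i, MfClassicKeyA, key)) {
    mf_classic_set_key_not_found(data, i, MfClassicKeyA);
    // … unchanged: is_key_a_found = false; FURI_LOG_D(...) …
```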