# Reversing Zyxel VMG8823-B50B WPA algorithm generation for fun

`binwalk -e V513ABEJ2C1.bin`
`CMP    R5, 2LDREQ  R1, custom_key_lengthBEQ    loc_9DDCC`
`while (R7++ < strlen(serial)) {    *(serial_copy + R7) = *(serial + R7); }`
`for (int i = 0; i < strlen(serial_copy); i++} { if (serial_copy[i] - 0x61 <= 0x19 && serial_copy[i] - 0x61 >= 0) {   serial_copy[i] -= 0x20; }}`
`/* To make things easier... Assuming we've a random int value 7911 (0x1EE7), sprintf function will convert it into its decimal string representation which is "7911" and atoi will reconvert it into 7911 */sprintf(&buffer, "%d", serial_PSK_ra0_md5_digest[0] << 8 | serial_PSK_ra0_md5_digest[1]);base_index = atoi(&buffer);`
`int R9[65] // zero_one_array;int R1, R5, R6, R7;R1 = custom_key_length; // From aboveR7 = base_index;for (R5 = 0, R6 = 1; R5 < R1; R5++, R7 *= 2) {  R9[R5] = sub_9FE48(sub_9FF1C(base_index, R7 * 2), R7)}`
`zero_one_array = {0, 1, 1, 0, 0, 0, 0, 1, 0, 0}`
`haystack = “WXY125690IOSVWZ3478ABCDEFGHJKLMNPQRTUXY”;`
`char c;for (int i = 0; i < custom_key_length; i++) {  if (zero_one_array[i] == 1) {    c = sub_9FE20(serial_PSKra0_md5_digest[i], 26) + 65;  } else {    c = sub_9FE20(serial_PSKra0_md5_digest[i], 10) + 48;  }  // Continue after next snippet}`
`for (int j = 0; j < 12; j++) {  if (haystack[j + 3] == c) {    c = charset[sub_9FF1C(base_index + j, 0x18) + 0x36f];  }  // Otherwise c is not changed}key[i] = c;`
`zykgen -c S***Y********`

--

--

--

## More from Luciano Corsalini

Love podcasts or audiobooks? Learn on the go with our new app.