#!/usr/bin/env python3
"""
Systematic test with proper understanding of the format
"""
import requests
import itertools

def lcg_step(seed):
    return (seed * 0x52c6425d + 0xcc52c) % (2**32)

def bytes_from_num(num):
    return [int(num >> 16), int((num >> 8) & 0xFF), int(num & 0xFF)]

def generate_keys(passcode):
    seed = passcode
    keys = []
    for _ in range(6):
        seed = lcg_step(seed)
        keys.append(seed % 0xffffff)
    return keys

def try_unlock(uid, username, auth_base, access_level, passcode):
    keys = generate_keys(passcode)
    key_bytes = []
    for key in keys[4:6]:
        key_bytes.extend(bytes_from_num(key))
    key_hex = ''.join(f'{b:02x}' for b in key_bytes)
    
    full_auth = auth_base + key_hex
    
    data = {
        'uid': uid,
        'username': username,
        'authorization_code': full_auth,
        'access_level': access_level
    }
    
    try:
        r = requests.post('http://154.57.164.61:31938/api', data=data, timeout=5)
        result = r.json()
        return result
    except Exception as e:
        return {'error': str(e)}

print("[*] Testing with correct format...")
print()

# Username WITHOUT padding (as per .strip("00"))
username = '74657074617374'  # "teptast"

# Try different sector data patterns and passcodes
patterns = {
    'zero': '00' * 16,
    'ones': 'ff' * 16,
    'uid': '04f6555b00000000000000000000',  # UID + zeros
}

print(f"[*] Username: {username} ('teptast')")
print(f"[*] UID: 04f6555b")
print()

# Test combinations
for auth_name, auth_val in patterns.items():
    for access_name, access_val in patterns.items():
        # Try a few passcodes
        for passcode in [0, 1, 1234, 0xDEAD, 0xBEEF]:
            result = try_unlock('04f6555b', username, auth_val, access_val, passcode)
            
            if result.get('flag') and len(result.get('flag', '')) > 5:
                print(f"\n{'='*70}")
                print(f"SUCCESS!")
                print(f"{'='*70}")
                print(f"UID: 04f6555b")
                print(f"Username: {username}")
                print(f"Auth pattern: {auth_name}")
                print(f"Access pattern: {access_name}")
                print(f"Passcode: {passcode} (0x{passcode:x})")
                print(f"Flag: {result['flag']}")
                print(f"{'='*70}")
                exit(0)

# If not found, try brute force passcode with all-zero sectors
print("[*] Brute forcing passcode (0-65535)...")
for passcode in range(65536):
    if passcode % 5000 == 0:
        print(f"    Progress: {passcode}/65536")
    
    result = try_unlock('04f6555b', username, '00' * 16, '00' * 16, passcode)
    if result.get('flag') and len(result.get('flag', '')) > 5:
        print(f"\n{'='*70}")
        print(f"SUCCESS! Passcode: {passcode} (0x{passcode:x})")
        print(f"Flag: {result['flag']}")
        print(f"{'='*70}")
        exit(0)

print("\n[*] No solution found. Need actual sector data from RFID card.")