; Masinka (Telinux Primux) Key Computing Utility
; The linux calling layer by Pasky <pasky@ucw.cz>,
;  original firmware hacking by Patrol <patrol@sinus.cz>,
;  the firmware is original.
;
; First look at the configuration section right below and adjust the vars.
; You must change at least the NVAL according to your machine (it should
; print it when booting).
;
; Compile as:
; nasm -felf masinka.asm
; gcc -o masinka masinka.o
;
; Run as:
; ./masinka
;
; Have fun.
;
; Licence of the firmware is proprietary, thus you can look at the code etc
; only if you legally own the machine. All the cruft around is public domain.


;;;;; Configuration section

; these are the desired Software and Hardware levels.. these are presumably the
; max values, so....
; All four values below are stored by main as 32-bit dwords for f33fc and are
; also passed unchanged to printf.
%define SVAL	15
%define HVAL	0xf00f ; 61455

; you probably don't want to change this
%define PVAL	16

; serial number of your box
; (f33fc also uses the low four bits of this value as a shift count/addend)
%define NVAL	9800417 ;<-- <insert your serial number here>!

;;;;; Configuration section end



section .rodata

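; printf format for the result line, in argument order N, P, H, S, K.
; The trailing 0 terminates the C string: without it printf keeps reading
; whatever bytes follow in .rodata until it happens to find a zero.
fstring		db "[N%d] Option [P%d,H%d,S%d,K%d]", 0xa, 0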



section .text

	global main

	extern printf
	extern atoi
	extern exit


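; the main function
;
; Stores the four configured values as dwords on the stack, calls f33fc,
; and prints the 32-bit result that f33fc returns in dx:ax.
;
; ABI notes (32-bit, linked against libc via gcc):
;   - ebp is overwritten and never restored, and f33fc and its helpers
;     clobber ebx, esi and edi; this is only acceptable because main never
;     returns to its caller and leaves through exit() instead.
;   - printf arguments are pushed right to left (cdecl).

main:


; reserve stack space for the four dword arguments

sub esp, 0x14 ; less would be enough, perhaps?
mov ebp, esp	; f33fc addresses its arguments relative to ebp, not esp


; after f33fc lowers ebp by 6 these slots are read as 16-bit halves at:
mov dword [ebp + 0xc], SVAL 	; S -> [ebp+0x12] / [ebp+0x14]
mov dword [ebp + 0x8], HVAL 	; H -> [ebp+0xe]  / [ebp+0x10]
mov dword [ebp + 0x4], PVAL 	; P -> [ebp+0xa]  / [ebp+0xc]
mov dword [ebp], NVAL		; N -> [ebp+0x6]  / [ebp+0x8]


; go!

call f33fc			;00083583


; ax,dx holds the sweet stuff now, so just print it out...

; two 16-bit pushes, high word first, form one little-endian dword (dx:ax)
; that printf reads as the last %d
push dx
push ax

push dword SVAL
push dword HVAL
push dword PVAL
push dword NVAL

push fstring

call printf


; say bye...

; Leave through libc's exit() rather than the raw exit system call: exit()
; flushes stdio, so the line printed above is not lost when stdout is a pipe
; or a file (fully buffered) instead of a terminal. exit() does not return.
push dword 0
call exit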







; here is the original firmware ripped off.. it contains some ugly hacks in
; order to avoid segfaults I got on rets. it's just supposed not to crash until
; the printf, who cares the stack is probably smashed to hell ;-)

; the instructions with an offset next to them are the original ones


; first some utility routines ... basically mostly just arithmetic
; and bit shift operations upon dwords in 16bit environment


;-----------------------------------------------------------------------
; f17e: 32-bit multiply built from 16-bit MULs
; In:    dx:ax = first operand  (high:low word)
;        cx:bx = second operand (high:low word)
;        edi   = address to continue at (stands in for the firmware's retf)
; Out:   dx:ax = low 32 bits of the product
; Clobb: cx, flags (si is saved and restored on the stack)
;-----------------------------------------------------------------------
f17e:

push si				;0008017E
xchg ax,si			;0008017F	si = low word of first operand
xchg ax,dx			;00080180	ax = high word of first operand
test ax,ax			;00080181
jz f17e_187			;00080183	high word is 0: skip hi1*lo2
mul bx				;00080185	ax = low 16 bits of hi1*lo2
jcxz f17e_18e			;00080187	hi2 is 0: skip lo1*hi2

; NOTE(review): going by the address comments, 0x80187 is the jcxz above,
; yet this label sits after it. The jz path arrives here with ax = 0, so the
; extra multiply only adds lo1*hi2 (or 0 when cx is 0) and the result is the
; same either way.
f17e_187:
xchg ax,cx			;00080189	ax = hi2, cx = partial cross term
mul si				;0008018A	ax = low 16 bits of hi2*lo1
add ax,cx			;0008018C	ax = sum of both cross terms

f17e_18e:
xchg ax,si			;0008018E	si = cross terms, ax = lo1
mul bx				;0008018F	dx:ax = lo1*lo2 (full 32 bits)
add dx,si			;00080191	fold cross terms into the high word
pop si				;00080193
;retf				;00080194
jmp edi				; "return" to the continuation the caller put in edi
jmp f33fc_3436			; never reached: the jmp edi above always leaves


;-----------------------------------------------------------------------
; f262: 32-bit left shift of a dx:ax pair
; In:    dx:ax = value (high:low word), cl = shift count
;        edi   = address to continue at (stands in for the firmware's retf)
; Out:   dx:ax = value << cl
; Clobb: cl, flags; bx on the count < 16 path
; f33fc calls this with counts 7, 0xb, 0xd, 0x11 and (serial & 0xf).
;-----------------------------------------------------------------------
f262:

cmp cl,0x10			;00080262
jnc f262_277			;00080265	count >= 16: handled separately
mov bx,ax			;00080267	keep the low word for the carried-out bits
shl ax,cl			;00080269
shl dx,cl			;0008026B
neg cl				;0008026D
add cl,0x10			;0008026F	cl = 16 - count
shr bx,cl			;00080272	bits that moved from low into high word
or dx,bx			;00080274
jmp edi				; "return" via the continuation in edi
retf				;00080276	never reached

; count >= 16: the low word becomes the high word, shifted by (count - 16)
f262_277:
sub cl,0x10			;00080277
xchg ax,dx			;0008027A
xor ax,ax			;0008027B	low word is all zero
shl dx,cl			;0008027D
jmp edi				; "return" via the continuation in edi
retf				;0008027F	never reached


;-----------------------------------------------------------------------
; f280 / f280_283: 32-bit arithmetic (sign-preserving) right shift
; In:    dx:ax = value (high:low word), cl = shift count
;        edi   = address to continue at (stands in for the firmware's retf)
; Out:   dx:ax = value >> cl, sign bit replicated
; Clobb: cl, flags; bx on the count < 16 path
;
; The three instructions at f280 itself re-push the return offset with cs
; underneath it. Nothing visible in this file references f280; f33fc jumps
; straight to f280_283.
;-----------------------------------------------------------------------
f280:

pop bx				;00080280
push cs				;00080281
push bx				;00080282
f280_283:
cmp cl,0x10			;00080283
jnc f280_298			;00080286	count >= 16: handled separately
mov bx,dx			;00080288	keep the high word for the carried-down bits
shr ax,cl			;0008028A
sar dx,cl			;0008028C	arithmetic shift keeps the sign
neg cl				;0008028E
add cl,0x10			;00080290	cl = 16 - count
shl bx,cl			;00080293	bits that moved from high into low word
or ax,bx			;00080295
jmp edi				; "return" via the continuation in edi
retf				;00080297	never reached

; count >= 16: the high word becomes the low word, shifted by (count - 16)
f280_298:
sub cl,0x10			;00080298
xchg ax,dx			;0008029B
cwd				;0008029C	dx = sign extension of the new low word
sar ax,cl			;0008029D
jmp edi				; "return" via the continuation in edi
retf				;0008029F	never reached


;-----------------------------------------------------------------------
; f2a0: 32-bit logical (zero-filling) right shift
; In:    dx:ax = value (high:low word), cl = shift count
;        edi   = address to continue at (stands in for the firmware's retf)
; Out:   dx:ax = value >> cl, zero filled
; Clobb: cl, flags, bx
;
; Starts with the same return-address re-push (pop bx / push cs / push bx)
; as f280. No caller of this routine is visible in this file.
;-----------------------------------------------------------------------
f2a0:

pop bx				;000802A0
push cs				;000802A1
push bx				;000802A2
cmp cl,0x10			;000802A3
jnc f2a0_2b8			;000802A6	count >= 16: handled separately
mov bx,dx			;000802A8	keep the high word for the carried-down bits
shr ax,cl			;000802AA
shr dx,cl			;000802AC
neg cl				;000802AE
add cl,0x10			;000802B0	cl = 16 - count
shl bx,cl			;000802B3	bits that moved from high into low word
or ax,bx			;000802B5
jmp edi				; "return" via the continuation in edi
retf				;000802B7	never reached

; count >= 16: the high word becomes the low word, shifted by (count - 16)
f2a0_2b8:
sub cl,0x10			;000802B8
xchg ax,dx			;000802BB
xor dx,dx			;000802BC	high word is all zero
shr ax,cl			;000802BE
jmp edi				; "return" via the continuation in edi
retf				;000802C0	never reached





; this is the main computation routine. most of the work here.



;-----------------------------------------------------------------------
; f33fc: derive the 32-bit K value from the four dword inputs
; In:    ebp = address of the first argument (set up by main, not by this
;        routine); after the "sub ebp, 0x6" below the 16-bit halves are at
;          N: [ebp+0x6] low,  [ebp+0x8]  high
;          P: [ebp+0xa] low,  [ebp+0xc]  high
;          H: [ebp+0xe] low,  [ebp+0x10] high
;          S: [ebp+0x12] low, [ebp+0x14] high
; Out:   dx:ax = result (high:low word); bit 31 cleared, bit 30 set
; Locals: [ebp-0x6] = k (N & 0xf), [ebp-0x4]/[ebp-0x2] = running 32-bit
;        value (low/high word)
; Clobb: bx, cx, si, edi, flags
;
; Helper "calls" are done by loading a continuation address into edi and
; jumping, because the helpers end in "jmp edi" instead of a return.
;
; The result depends only on the four inputs and on constants visible in
; this routine; no secret value takes part in the computation.
;
; NOTE(review): with ebp and esp each lowered by 6 after a 4-byte near return
; address, [ebp-0x6] is the same stack slot that "push si" writes. The store
; of k therefore overwrites the saved si, and the final "pop si" loads k
; rather than the caller's si. main never returns, so nothing observes this.
;-----------------------------------------------------------------------
f33fc:

;enter 0x06,0x0			;000833FC

; say i'm a pig, the following is here instead of the enter and it
; actually works ;-)
sub ebp, 0x6
sub esp, 0x6

push si				;00083400

; k = N & 0xf, kept in [ebp-0x6]
mov ax,[ebp+0x6]			;00083401
and ax,0xf			;00083404
mov [ebp-0x6],ax			;00083407
cwd				;0008340A

; compute P + k and park it on the stack (low word pushed first)
mov bx,[ebp+0xc]			;0008340B
push ax				;0008340E
push dx				;0008340F
push bx				;00083410
mov bx,[ebp+0xa]			;00083411
pop ax				;00083414
pop dx				;00083415
pop cx				;00083416
add bx,cx			;00083417
adc ax,dx			;00083419
push bx				;0008341B
push ax				;0008341C

; dx:ax = H + k, then cx:bx = P + k popped back for the multiply
mov ax,[ebp-0x6]			;0008341D
cwd				;00083420
push ax				;00083421
push dx				;00083422
mov dx,[ebp+0x10]		;00083423
mov ax,[ebp+0xe]			;00083426
pop bx				;00083429
pop cx				;0008342A
add ax,cx			;0008342B
adc dx,bx			;0008342D
pop cx				;0008342F
pop bx				;00083430
;call f17e			;00083431
mov edi, f33fc_3436
jmp f17e

; dx:ax = (H + k) * (P + k)
; bx:cx = P + H + S + N + that product
f33fc_3436:
mov bx,[ebp+0xc]			;00083436
mov cx,[ebp+0xa]			;00083439
add cx,[ebp+0xe]			;0008343C
adc bx,[ebp+0x10]		;0008343F
add cx,[ebp+0x12]		;00083442
adc bx,[ebp+0x14]		;00083445
add cx,[ebp+0x6]			;00083448
adc bx,[ebp+0x8]			;0008344B
add cx,ax			;0008344E
adc bx,dx			;00083450

; save the running sum, then build S + k (cx:bx) and N + k (dx:ax)
mov ax,[ebp-0x6]			;00083452
cwd				;00083455
mov si,[ebp+0x14]		;00083456
push cx				;00083459
push bx				;0008345A
mov bx,[ebp+0x12]		;0008345B
add bx,ax			;0008345E
adc si,dx			;00083460
mov ax,[ebp-0x6]			;00083462
cwd				;00083465
push bx				;00083466
push si				;00083467
push ax				;00083468
push dx				;00083469
mov dx,[ebp+0x8]			;0008346A
mov ax,[ebp+0x6]			;0008346D
pop bx				;00083470
pop cx				;00083471
add ax,cx			;00083472
adc dx,bx			;00083474
pop cx				;00083476
pop bx				;00083477

mov edi, f33fc_347d
jmp f17e
;call f17e			;00083478

; dx:ax = (N + k) * (S + k); add it to the saved sum and store the total
; in the locals, then shift a copy of the total left by k
f33fc_347d:
pop bx				;0008347D
pop cx				;0008347E
add cx,ax			;0008347F
adc bx,dx			;00083481
mov [ebp-0x2],bx			;00083483
mov [ebp-0x4],cx			;00083486
mov dx,[ebp-0x2]			;00083489
mov ax,[ebp-0x4]			;0008348C
mov cl,[ebp-0x6]			;0008348F

mov edi, c1
jmp f262
;call f262			;00083492

; bx:cx = total + (total << k); next term is P << 7
c1:
mov bx,[ebp-0x2]			;00083497
mov cx,[ebp-0x4]			;0008349A
add cx,ax			;0008349D
adc bx,dx			;0008349F
mov dx,[ebp+0xc]			;000834A1
mov ax,[ebp+0xa]			;000834A4
push cx				;000834A7
mov cl,0x7			;000834A8
push bx				;000834AA

mov edi, c2
jmp f262

;call f262			;000834AB

; add P << 7; next term is S << 11
c2:
pop bx				;000834B0
pop cx				;000834B1
add cx,ax			;000834B2
adc bx,dx			;000834B4
mov dx,[ebp+0x14]		;000834B6
mov ax,[ebp+0x12]		;000834B9
push cx				;000834BC
mov cl,0xb			;000834BD
push bx				;000834BF

mov edi, c3
jmp f262

;call f262			;000834C0

; add S << 11; next term is H << 17
c3:
pop bx				;000834C5
pop cx				;000834C6
add cx,ax			;000834C7
adc bx,dx			;000834C9
mov dx,[ebp+0x10]		;000834CB
mov ax,[ebp+0xe]			;000834CE
push cx				;000834D1
mov cl,0x11			;000834D2
push bx				;000834D4

mov edi, c4
jmp f262

;call f262			;000834D5

; add H << 17 and store the new total in the locals; then total << 13
c4:
pop bx				;000834DA
pop cx				;000834DB
add cx,ax			;000834DC
adc bx,dx			;000834DE
mov [ebp-0x2],bx			;000834E0
mov [ebp-0x4],cx			;000834E3
mov dx,[ebp-0x2]			;000834E6
mov ax,[ebp-0x4]			;000834E9
mov cl,0xd			;000834EC

mov edi, c5
jmp f262

;call f262			;000834EE

; park total << 13 on the stack; then arithmetic shift of the total right by 15
c5:
push ax				;000834F3
push dx				;000834F4
mov dx,[ebp-0x2]			;000834F5
mov ax,[ebp-0x4]			;000834F8
mov cl,0xf			;000834FB

mov edi, d1
jmp f280_283

;call f280_283			;000834FD

; total += (total << 13) + (total >> 15), then force the top two bits:
; the AND with 0x7fff clears bit 31 and the OR with 0x4000 sets bit 30.
; The AND with -1 and the OR with 0 on the low word change nothing.
d1:
pop bx				;00083502
pop cx				;00083503
add cx,ax			;00083504
adc bx,dx			;00083506
add [ebp-0x4],cx			;00083508
adc [ebp-0x2],bx			;0008350B
and word [ebp-0x4],byte -0x1	;0008350E
and word [ebp-0x2],0x7fff	;00083512
or word [ebp-0x4],byte +0x0	;00083517
or word [ebp-0x2],0x4000		;0008351B
mov dx,[ebp-0x2]			;00083520
mov ax,[ebp-0x4]			;00083523

;jmp short 0x3528		;00083526
pop si				;00083528

;leave				;00083529

;effectively leave ;-)
; undo the two subtractions made at entry
add esp, 0x6
add ebp, 0x6

retn ; 'tis a near call in ELF, buddy!
retf				;0008352A	never reached
