#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
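/*
 * On-disk header of an encrypted container. main() reads it verbatim from the
 * start of the input file, so the struct is packed: its in-memory layout must
 * equal the 0x128-byte file layout, with no compiler padding.
 *
 * Every field comes straight from the input file. When that file is
 * untrusted, neither character array is guaranteed to be NUL-terminated and
 * file_length can hold any 32-bit value, so users of this struct must bound
 * their reads and validate before acting on the contents.
 */
struct __attribute__((__packed__)) header_struct {
    uint32_t MAGIC_NUMBER;       /* main() accepts 0x0b542020 ("easy") or 0x20200b54 ("hard") */
    uint32_t file_length;        /* number of payload bytes main() writes to the output file */
    char original_filename[256]; /* name main() opens for the decrypted output */
    char encrypted_password[32]; /* compared bytewise with the eight mixed key words */
};

/* main() reads the header as one 0x128-byte record; fail the build if the layout drifts. */
_Static_assert(sizeof(struct header_struct) == 0x128,
               "header_struct must match the 0x128-byte on-disk header");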
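/*
 * 105 words that main() feeds through decrypt_easy() before anything else.
 * The name suggests they are encrypted code lifted from the original binary
 * (TODO confirm); nothing in this file executes the result. The pass still
 * matters because every decrypt_easy() call advances decrypt_queue.
 *
 * NOTE(review): many values exceed INT_MAX, so storing them in int relies on
 * implementation-defined conversion. The element type is left as int so that
 * existing users of the table are unaffected.
 */
int encrypted_functions[] = {
    2641436120, 975465081, 3639072764, 675281407, 513948138, 3031756428, 2926203943, 837877829, 1603594944, 2674519367, 14904615, 1904161682, 1309572624,
    1994684315, 3910680652, 1536647422, 3918535801, 323721627, 3668362202, 3213866328, 794644938, 131977481, 2317446848, 2453208172, 85782959, 766000050,
    3399236994, 1532102173, 1886368010, 3235867784, 643900750, 1717543307, 2343514176, 1149557049, 1073275240, 3257519993, 288790638, 1076794953, 4268601417,
    3266887874, 3645237953, 1843745858, 1781056571, 1034680822, 104138810, 3295793340, 1465521029, 1224605082, 2530136465, 3983223631, 2841605508,
    3444926664, 4149515519, 3780638026, 982363417, 174387901, 2539220994, 951286662, 157827293, 1468744899, 3883083532, 2194888239, 2152260906, 1994013429,
    918382859, 811246267, 4291154621, 301503864, 947108398, 2366758585, 2815734210, 3121781063, 2301142496, 1256258315, 3298709743, 1798567309, 1164547884,
    3454806340, 2625884970, 1454649368, 446660275, 1277510936, 4159153455, 10824485, 3750559173, 1686871593, 1418242110, 3044965063, 2723463997, 2550151912,
    515181895, 2002464040, 1638838068, 1046903818, 2587864173, 4458591, 404174259, 308706747, 2172521490, 1298255283, 1275572871, 3137382528, 585406011,
    1639641840, 2825155210
};

/* The table length is part of the key schedule: a different count leaves the queue in a different state. */
_Static_assert(sizeof encrypted_functions / sizeof encrypted_functions[0] == 105,
               "encrypted_functions must hold exactly 105 words");

/*
 * Four-word rolling state shared by every decrypt_* routine. The initial
 * values are the hex spellings of the leading decimal digits of 2*pi
 * (6.2831853 07179586) and e (2.7182818 28459045).
 *
 * Unsigned on purpose: the mixing routines multiply and rotate these words,
 * and that arithmetic has to wrap modulo 2^32. With a signed element type the
 * multiplication by a plain int constant would be signed overflow, which is
 * undefined behaviour.
 */
uint32_t decrypt_queue[4] = {0x62831853u, 0x07179586u, 0x27182818u, 0x28459045u};

/* Key words that main() parses with a hexadecimal scanf conversion, which requires an unsigned target. */
uint32_t unhexlified_pass_buffer[5];

/* The eight key words after mixing; main() compares these 32 bytes with header.encrypted_password. */
uint32_t password_global[8];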
/*
 * Debug helper: dump the four decrypt_queue words to stdout as zero-padded
 * upper-case hex. Reads the queue only; the state is not modified.
 */
void print_queue() {
    const unsigned int first = (unsigned int)decrypt_queue[0];
    const unsigned int second = (unsigned int)decrypt_queue[1];
    const unsigned int third = (unsigned int)decrypt_queue[2];
    const unsigned int fourth = (unsigned int)decrypt_queue[3];

    printf("[generic] queue: %08X, %08X, %08X, %08X\n", first, second, third, fourth);
}
/*
 * Absorb one 32-bit word into decrypt_queue without producing any output.
 *
 * Despite the name (kept from the reverse-engineered binary) nothing is
 * decrypted here: the word is XORed with the head of the queue, the queue
 * moves up one slot, and the XOR result, rotated right by 6 bits, becomes the
 * new tail. The resulting state is then printed for debugging.
 */
void decrypt_very_easy(uint32_t param_1){
    const uint32_t mixed = param_1 ^ decrypt_queue[0];

    /* Slide slots 1..3 down into 0..2, dropping the old head. */
    for (int slot = 0; slot < 3; slot++) {
        decrypt_queue[slot] = decrypt_queue[slot + 1];
    }

    /* (x >> 6) | (x << 26) is a 32-bit rotate right by 6. */
    decrypt_queue[3] = mixed >> 6 | mixed << 26;

    printf("[very easy] queue: %08X, %08X, %08X, %08X\n", decrypt_queue[0], decrypt_queue[1], decrypt_queue[2], decrypt_queue[3]);
}
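/*
 * Decrypt one 32-bit word in "easy" mode and advance decrypt_queue.
 *
 * The output is arg XOR the head of the queue. The queue then moves up one
 * slot and its new tail is (old queue[2] * 0x2137 + output) rotated right by
 * 6 bits, so the state depends on every word decrypted so far. The new state
 * is printed for debugging.
 *
 * All arithmetic is done in uint32_t. Multiplying a signed queue word by the
 * int constant 0x2137 would be signed overflow (undefined behaviour) for most
 * states; the explicit conversions make the intended modulo-2^32 wrap-around
 * well defined whatever element type decrypt_queue is declared with.
 *
 * NOTE(review): this is an ad-hoc construction with four words of state, not
 * a reviewed cipher; treat it as obfuscation when assessing what it protects.
 *
 * @param arg  ciphertext word
 * @return     arg ^ (queue head before the update)
 */
uint32_t decrypt_easy(uint32_t arg) {
    const uint32_t head = (uint32_t)decrypt_queue[0];
    const uint32_t third = (uint32_t)decrypt_queue[2];

    const uint32_t plain = arg ^ head;
    const uint32_t feedback = third * UINT32_C(0x2137) + plain;

    decrypt_queue[0] = decrypt_queue[1];
    decrypt_queue[1] = decrypt_queue[2];
    decrypt_queue[2] = decrypt_queue[3];
    /* Rotate right by 6; the original spelled the left half as a multiply by 0x4000000 (2^26). */
    decrypt_queue[3] = (feedback >> 6) | (feedback << 26);

    printf("[easy] queue: %08X, %08X, %08X, %08X\n", decrypt_queue[0], decrypt_queue[1], decrypt_queue[2], decrypt_queue[3]);
    return plain;
}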
/*
 * Multipliers used by decrypt_hard(). They are key material rather than
 * constants: main() overwrites all three with words parsed from the
 * user-supplied key (8-hex-digit groups 2, 3 and 5, counting from 0) before
 * any payload is decrypted. The initialisers below are only the values in
 * effect until then.
 *
 * The names look like addresses from a disassembly, presumably the locations
 * of the patched operands in the original binary (TODO confirm).
 */
uint32_t param_0x1030d7 = UINT32_C(0x2137);
uint32_t param_0x1030bd = UINT32_C(0x7a69);
uint32_t param_0x1030dc = UINT32_C(0x1234567);
/*
 * Decrypt one 32-bit word in "hard" mode and advance decrypt_queue.
 *
 * As in decrypt_easy() the output is arg XOR the head of the queue, but the
 * state update also folds the old queue[2], scaled by the three key-derived
 * multipliers, into slots 0, 2 and 3. main() selects this routine for payload
 * words when the header magic is not 0x0b542020. Unlike the other mixing
 * routines it prints nothing.
 *
 * @param arg  ciphertext word
 * @return     arg ^ (queue head before the update)
 */
uint32_t decrypt_hard(uint32_t arg) {
    /* Snapshot the old state first: every new slot is defined in terms of the old words. */
    const uint32_t old0 = decrypt_queue[0];
    const uint32_t old1 = decrypt_queue[1];
    const uint32_t old2 = decrypt_queue[2];
    const uint32_t old3 = decrypt_queue[3];

    const uint32_t plain = arg ^ old0;
    const uint32_t feedback = old2 * param_0x1030d7 + plain;

    decrypt_queue[0] = old2 * param_0x1030bd + old1;
    decrypt_queue[1] = old2;
    decrypt_queue[2] = old2 * param_0x1030dc + old3;
    decrypt_queue[3] = (feedback << 26) | (feedback >> 6); /* rotate right by 6 */

    return plain;
}
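/*
 * Bind decrypt_queue to the file header and to the running process.
 *
 * Step 1 absorbs the whole 256-byte original_filename field, one native-endian
 * 32-bit word at a time, through decrypt_very_easy().
 *
 * Step 2 scans /proc/self/status as "key: value" pairs and absorbs the numeric
 * value of every key whose last three characters are "Pid". On Linux those
 * are normally Pid, PPid and TracerPid; TracerPid is non-zero while a tracer
 * is attached, so the queue, and with it the key check in main(), comes out
 * differently under a debugger. The same applies to any change of PID or
 * parent PID between runs.
 *
 * Returns normally at end of file. Exits with status 1 if the status file
 * cannot be opened or a pair fails to parse.
 *
 * Changes from the literal decompilation, all behaviour-preserving for
 * well-formed input:
 *  - the scanf conversions carry field widths, so an over-long key or value
 *    can no longer overrun the stack buffers. Only the first value of a line
 *    is consumed; the rest of a multi-value line is read as the start of the
 *    next key, so key length is not bounded by the field names alone;
 *  - the suffix test requires at least three characters instead of indexing
 *    before the start of the buffer for shorter keys;
 *  - filename words are loaded with memcpy() because the packed header gives
 *    no alignment guarantee for a uint32_t access;
 *  - the parsed PID starts at 0 instead of being indeterminate when the value
 *    is not numeric, and the diagnostic passes an int to %d.
 *
 * @param header  header read from the input file; only original_filename is used
 */
void strange_function(struct header_struct* header) {
    char status_key[256];
    char status_value[1032];

    for (size_t offset = 0; offset < sizeof header->original_filename; offset += sizeof(uint32_t)) {
        uint32_t word;
        memcpy(&word, header->original_filename + offset, sizeof word);
        decrypt_very_easy(word);
    }

    FILE *status_file = fopen("/proc/self/status", "r");
    if (status_file == NULL) {
        perror("status");
        exit(1);
    }

    int fields;
    for (;;) {
        /* Widths are one less than the buffer sizes to leave room for the terminator. */
        fields = fscanf(status_file, "%255[^:]: %1031s ", status_key, status_value);
        if (fields == EOF) {
            fclose(status_file);
            return;
        }
        if (fields != 2) {
            break;
        }

        const size_t key_length = strlen(status_key);
        if (key_length >= 3 && memcmp(status_key + key_length - 3, "Pid", 3) == 0) {
            unsigned int our_pid = 0; /* stays 0 if the value is not a number */
            sscanf(status_value, "%u", &our_pid);
            printf("our pid (%s): %u\n", status_key, our_pid);
            decrypt_very_easy(our_pid);
        }
    }

    fclose(status_file);
    fprintf(stderr, "%d? umm what?\n", fields);
    exit(1);
}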
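enum {
    MAGIC_EASY = 0x0b542020,  /* header magic reported as "easy" mode */
    MAGIC_HARD = 0x20200b54,  /* header magic reported as "hard" mode */
    KEY_HEX_LENGTH = 0x40,    /* the key is exactly 64 characters ... */
    KEY_WORD_COUNT = 8,       /* ... read as eight groups ... */
    KEY_WORD_HEX_DIGITS = 8   /* ... of eight hex digits each */
};

/*
 * Decide whether the header-supplied output name may be opened for writing.
 * The name comes from the input file, so it is untrusted: it must be
 * NUL-terminated inside its field, non-empty, and free of '/' so that the
 * output can only land in the current directory.
 */
static int output_name_is_safe(const char *name, size_t size)
{
    const char *terminator = memchr(name, '\0', size);

    if (terminator == NULL || terminator == name) {
        return 0;
    }
    return memchr(name, '/', (size_t)(terminator - name)) == NULL;
}

/*
 * Parse the key as KEY_WORD_COUNT groups of eight hex digits into words[].
 * A group that does not parse leaves its word at the value it already holds,
 * which matches the original's unchecked sscanf calls.
 * NOTE(review): confirm whether such keys should be rejected instead.
 */
static void parse_key_words(const char *key, uint32_t words[KEY_WORD_COUNT])
{
    for (size_t k = 0; k < KEY_WORD_COUNT; k++) {
        char fragment[KEY_WORD_HEX_DIGITS + 1];

        /* memcpy instead of a uint64_t load: argv strings carry no alignment guarantee. */
        memcpy(fragment, key + k * KEY_WORD_HEX_DIGITS, KEY_WORD_HEX_DIGITS);
        fragment[KEY_WORD_HEX_DIGITS] = '\0';
        (void)sscanf(fragment, "%" SCNx32, &words[k]);
    }
}

/*
 * Usage: <program> <input filename> [<key>]
 *
 * With only a filename, prints the mode and original name from the header.
 * With a key, runs the key schedule (table pass, PID/PPID, header and
 * /proc/self/status mixing), checks the key against the header and, on a
 * match, decrypts the payload into a file named by the header.
 *
 * Returns 0 on success or when only usage/info was printed, 1 on any error.
 *
 * Fixes over the literal decompilation:
 *  - fclose() is never called on a NULL stream (the old cleanup labels did so
 *    whenever either fopen() failed);
 *  - original_filename is printed with a bounded precision and must be
 *    NUL-terminated and free of '/' before it is opened for writing. The name
 *    is read from the input file, so a crafted container could otherwise
 *    choose any path the user can write to;
 *  - the payload loop counts down in uint32_t. The old signed counter made
 *    the chunk size negative for lengths above INT_MAX, and fwrite() then
 *    read far beyond the 4-byte word;
 *  - key fragments and header words are copied with memcpy() instead of
 *    being accessed through misaligned, type-punned pointers;
 *  - write errors, including a failing fclose() on the output, are reported.
 *
 * NOTE(review): the key arrives on the command line, where other local users
 * can usually read it from the process list, and the debug output prints both
 * password blocks. Neither is changed here.
 */
int main(int argc,char **argv){
    if (argc < 2) {
        const char *self = (argc > 0 && argv[0] != NULL) ? argv[0] : "<program>";
        printf("usage: %s <input filename> [<key>]\n", self);
        return 0;
    }

    FILE *encrypted_file = fopen(argv[1], "rb");
    if (encrypted_file == NULL) {
        perror("fopen");
        return 1;
    }

    /* Everything the cleanup label touches is initialised before the first goto. */
    FILE *decrypted_file = NULL;
    int retval = 1;

    struct header_struct file_header;
    memset(&file_header, 0, sizeof(file_header));
    if (fread(&file_header, sizeof file_header, 1, encrypted_file) != 1) {
        perror("fread");
        goto cleanup;
    }

    if ((file_header.MAGIC_NUMBER != MAGIC_EASY) && (file_header.MAGIC_NUMBER != MAGIC_HARD)) {
        fputs("unrecognized file\n", stderr);
        goto cleanup;
    }

    if (argc == 2) {
        const char *mode_name = (file_header.MAGIC_NUMBER == MAGIC_EASY) ? "easy" : "hard";
        /*
         * The precision stops the read at the end of the field when the name
         * is not terminated. NOTE(review): the bytes are still printed raw,
         * including any control characters.
         */
        printf("%s mode file, original name %.*s\n", mode_name,
               (int)sizeof file_header.original_filename, file_header.original_filename);
        retval = 0;
        goto cleanup;
    }

    if (strlen(argv[2]) != KEY_HEX_LENGTH) {
        fputs("wrong key length\n", stderr);
        goto cleanup;
    }

    /* First stage of the key schedule: each call advances decrypt_queue. */
    const size_t function_words = sizeof encrypted_functions / sizeof encrypted_functions[0];
    for (size_t i = 0; i < function_words; i++) {
        encrypted_functions[i] = decrypt_easy(encrypted_functions[i]);
    }
    printf("decrypted functions\n");

    /* Slots 0 and 1 are replaced by the process ids, binding the key check to this process. */
    decrypt_queue[0] = getpid();
    decrypt_queue[1] = getppid();
    printf("after pid & ppid\n");
    print_queue();
    strange_function(&file_header);
    printf("after strange function\n");
    print_queue();

    /*
     * Key groups 0..7 map, in this order, to the destinations below. Each
     * slot starts at the destination's current value so that an unparsable
     * group leaves it unchanged.
     */
    uint32_t key_words[KEY_WORD_COUNT] = {
        (uint32_t)unhexlified_pass_buffer[4],
        (uint32_t)unhexlified_pass_buffer[3],
        param_0x1030d7,
        param_0x1030bd,
        (uint32_t)unhexlified_pass_buffer[2],
        param_0x1030dc,
        (uint32_t)unhexlified_pass_buffer[1],
        (uint32_t)unhexlified_pass_buffer[0],
    };
    parse_key_words(argv[2], key_words);
    unhexlified_pass_buffer[4] = key_words[0];
    unhexlified_pass_buffer[3] = key_words[1];
    param_0x1030d7 = key_words[2];
    param_0x1030bd = key_words[3];
    unhexlified_pass_buffer[2] = key_words[4];
    param_0x1030dc = key_words[5];
    unhexlified_pass_buffer[1] = key_words[6];
    unhexlified_pass_buffer[0] = key_words[7];

    for (size_t k = 0; k < KEY_WORD_COUNT; k++) {
        password_global[k] = decrypt_easy(key_words[k]);
    }

    const int identical = memcmp(file_header.encrypted_password, password_global,
                                 sizeof file_header.encrypted_password);

    printf("pass from header:\n");
    for (size_t i = 0; i < KEY_WORD_COUNT; i++) {
        uint32_t word;
        memcpy(&word, file_header.encrypted_password + i * sizeof word, sizeof word);
        printf("%08" PRIX32 " ", word);
    }
    printf("our pass:\n");
    for (size_t i = 0; i < KEY_WORD_COUNT; i++) {
        printf("%08" PRIX32 " ", (uint32_t)password_global[i]);
    }

    if (identical != 0) {
        fputs("wrong key\n", stderr);
        goto cleanup;
    }
    fputs("OK, decrypting...\n", stderr);

    if (!output_name_is_safe(file_header.original_filename, sizeof file_header.original_filename)) {
        fputs("refusing unsafe output name\n", stderr);
        goto cleanup;
    }
    /* "wb" truncates an existing file of that name in the current directory. */
    decrypted_file = fopen(file_header.original_filename, "wb");
    if (decrypted_file == NULL) {
        perror("open");
        goto cleanup;
    }

    /* The payload is stored as whole 32-bit words; only the last one may be written partially. */
    uint32_t remaining = file_header.file_length;
    while (remaining != 0) {
        uint32_t current_data;

        if (fread(&current_data, sizeof current_data, 1, encrypted_file) != 1) {
            perror("fread");
            goto cleanup;
        }
        if (file_header.MAGIC_NUMBER == MAGIC_EASY) {
            current_data = decrypt_easy(current_data);
        }
        else {
            current_data = decrypt_hard(current_data);
        }

        const size_t chunk = remaining < sizeof current_data ? remaining : sizeof current_data;
        if (fwrite(&current_data, chunk, 1, decrypted_file) != 1) {
            perror("fwrite");
            goto cleanup;
        }
        remaining -= (uint32_t)chunk;
    }
    retval = 0;

cleanup:
    /* fclose() flushes buffered output; a failure here means the file is incomplete. */
    if (decrypted_file != NULL && fclose(decrypted_file) != 0) {
        perror("fclose");
        retval = 1;
    }
    fclose(encrypted_file);
    return retval;
}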