void Blowfish_Decrypt_Buffer(BlowfishContext *ctx, uint32_t *buffer, uint32_t length)
{
uint32_t *buf = (uint32_t *)buffer;
unsigned int i;
for (i=0;i<length; i+=8, buf+=2)
Blowfish_Decrypt(ctx, buf, buf+1);
}
int
decryption (char *key, unsigned char *decrypt_string, unsigned char *crypt64)
{
BLOWFISH_CTX ctx;
unsigned long message_left;
unsigned long message_right;
int block_len;
int n,i;
int keylen = strlen(key);
unsigned char ciphertext_buffer[TAILLE];
unsigned char *ciphertext_string = &ciphertext_buffer[0];
int ciphertext_len, ciphertext_len_sav;
ciphertext_len_sav = decode_base64( crypt64, ciphertext_string);
//ciphertext_len = strlen (ciphertext_string);
ciphertext_len = ciphertext_len_sav;
Blowfish_Init(&ctx, key, keylen);
while(ciphertext_len)
{
message_left = message_right = 0UL;
for (block_len = 0; block_len < 4; block_len++)
{
message_left = message_left << 8;
message_left += *ciphertext_string++;
if (ciphertext_len)
ciphertext_len--;
}
for (block_len = 0; block_len < 4; block_len++)
{
message_right = message_right << 8;
message_right += *ciphertext_string++;
if (ciphertext_len)
ciphertext_len--;
}
Blowfish_Decrypt(&ctx, &message_left, &message_right);
/* save the results of decryption */
*decrypt_string++ = (unsigned char)(message_left >> 24);
*decrypt_string++ = (unsigned char)(message_left >> 16);
*decrypt_string++ = (unsigned char)(message_left >> 8);
*decrypt_string++ = (unsigned char)message_left;
*decrypt_string++ = (unsigned char)(message_right >> 24);
*decrypt_string++ = (unsigned char)(message_right >> 16);
*decrypt_string++ = (unsigned char)(message_right >> 8);
*decrypt_string++ = (unsigned char)message_right;
}
return ciphertext_len;
}
static void paz_decrypt(DWORD *cipher, DWORD cipher_length, unsigned char *key, int key_len)
{
BLOWFISH_CTX ctx;
DWORD i;
Blowfish_Init(&ctx, key, key_len);
for (i = 0; i < cipher_length / 8; i++)
Blowfish_Decrypt(&ctx, &cipher[i * 2 + 0], &cipher[i * 2 + 1]);
}
static forceinline void Decrypt(_BLOWFISH_CTX *ctx,unsigned long *IV_L,unsigned long *IV_R,unsigned long *left,unsigned long *right)
{
unsigned long tl=*left;
unsigned long tr=*right;
Blowfish_Decrypt(ctx,left,right);
*left ^=*IV_L;
*right^=*IV_R;
*IV_L^=tl;
*IV_R^=tr;
};
int main(void) {
unsigned long L = 1, R = 2;
BLOWFISH_CTX ctx;
printf("%d\n", Blowfish_Test(&ctx));
Blowfish_Init (&ctx, (unsigned char*)"TESTKEY", 7);
Blowfish_Encrypt(&ctx, &L, &R);
printf("%08lX %08lX\n", L, R);
assert(L == 0xDF333FD2L && R == 0x30A71BB4L);
Blowfish_Decrypt(&ctx, &L, &R);
assert(L == 1 && R == 2);
}
int Blowfish_Test(BlowfishContext *ctx)
{
uint32_t L = 1, R = 2;
Blowfish_Init (ctx, (unsigned char*)"TESTKEY", 7);
Blowfish_Encrypt(ctx, &L, &R);
if (L != 0xDF333FD2L || R != 0x30A71BB4L)
return (-1);
Blowfish_Decrypt(ctx, &L, &R);
if (L != 1 || R != 2)
return (-1);
return (0);
}
static gpointer
parallel_blowfish(unsigned int start, unsigned int end, void *data, gint thread_number)
{
BLOWFISH_CTX ctx;
unsigned int i;
unsigned long L, R;
L = 0xBEBACAFE;
R = 0xDEADBEEF;
for (i = start; i <= end; i++) {
Blowfish_Init(&ctx, (unsigned char*)data, 65536);
Blowfish_Encrypt(&ctx, &L, &R);
Blowfish_Decrypt(&ctx, &L, &R);
}
return NULL;
}
int main() {
unsigned long L = 1, R = 2;
BLOWFISH_CTX ctx;
Blowfish_Init (&ctx, (unsigned char*)"TESTKEY", 7);
Blowfish_Encrypt(&ctx, &L, &R);
printf("%08lX %08lX\n", L, R);
if (L == 0xDF333FD2L && R == 0x30A71BB4L)
printf("Test encryption OK.\n");
else
printf("Test encryption failed.\n");
Blowfish_Decrypt(&ctx, &L, &R);
if (L == 1 && R == 2)
printf("Test decryption OK.\n");
else
printf("Test decryption failed.\n");
return 0;
}
static void BlowFishDecode(int len,BYTE *source,int len_key,BYTE* init)
{
BLOWFISH_CTX ctx;
unsigned long lvalue,rvalue;
int i;
Blowfish_Init(&ctx,init,len_key);
for (i=0; i < (len /8); i++)
{
lvalue = *source << 24 | *(source+1) << 16 | +*(source+2) << 8 | *(source+3);
rvalue = *(source+4) << 24 | *(source+5) << 16 | +*(source+6) << 8 | *(source+7);
Blowfish_Decrypt(&ctx,&lvalue,&rvalue);
WORD_WRITE(source,lvalue >> 16);
WORD_WRITE(source,lvalue & 0x0000ffff);
WORD_WRITE(source,rvalue >> 16);
WORD_WRITE(source,rvalue & 0x0000ffff);
}
}
/*--------------------------------------------------------------------------------*/
void ABlowfish::Decrypt(const uint8_t *src, uint8_t *dst, uint32_t& iv1, uint32_t& iv2)
{
BLOWFISH_CTX *ctx = (BLOWFISH_CTX *)GetContext();
uint32_t l, r, iv1_1 = iv1, iv2_1 = iv2;
// copy bytes into 2 32-bit variables
memcpy(&l, src, sizeof(l));
memcpy(&r, src + sizeof(l), sizeof(r));
// for little endian machines, swap bytes to make all data big-endian
if (!MachineIsBigEndian()) {
l = SwapBytes(l);
r = SwapBytes(r);
}
// return new initialisation vectors (for CBC mode)
iv1 = l;
iv2 = r;
// decrypt data
Blowfish_Decrypt(ctx, &l, &r);
// XOR in initialisation vectors (for CBC mode)
l ^= iv1_1;
r ^= iv2_1;
// zero local variables for security
iv1_1 = iv2_1 = 0;
// for little endian machines, swap bytes back to make all data little-endian
if (!MachineIsBigEndian()) {
l = SwapBytes(l);
r = SwapBytes(r);
}
// copy bytes to destination
memcpy(dst, &l, sizeof(l));
memcpy(dst + sizeof(l), &r, sizeof(r));
l = r = 0; // clear local variables to prevent security leaks
}
static forceinline void Decrypt(_BLOWFISH_CTX *ctx,unsigned long *IV_L,unsigned long *IV_R,unsigned long *left,unsigned long *right)
{
(void) IV_L; (void) IV_R;
Blowfish_Decrypt(ctx,left,right);
};
int pkg_load(const char* filename, char* key, int keyLen)
{
BLOWFISH_CTX userEnc;
BLOWFISH_CTX emuEnc;
FileInfo* fi;
int i;
int len;
FILE* f;
f = fopen(filename, "rb");
if (f == NULL) {
return 0;
}
fseek(f, 0, SEEK_END);
len = ftell(f);
fseek(f, 0, SEEK_SET);
if (len <= 0) {
fclose(f);
return 0;
}
pkg_buf = (char*)malloc(len);
len = fread(pkg_buf, 1, len, f);
if (len <= 0) {
free(pkg_buf);
pkg_buf = NULL;
fclose(f);
return 0;
}
fclose(f);
// Decrypt using private emulator key
Blowfish_Init(&emuEnc, (unsigned char*)AuthKey, (int)strlen(AuthKey));
for (i = 0; i < len; i += 8) {
unsigned long* l = (unsigned long*)(pkg_buf + i + 0);
unsigned long* r = (unsigned long*)(pkg_buf + i + 4);
Blowfish_Decrypt(&emuEnc, l, r);
}
// Decrypt using user key
if (keyLen > 0) {
Blowfish_Init(&userEnc, (unsigned char*)key, keyLen);
}
else {
unsigned char val = 0;
Blowfish_Init(&userEnc, &val, 1);
}
for (i = 0; i < len; i += 8) {
unsigned long* l = (unsigned long*)(pkg_buf + i + 0);
unsigned long* r = (unsigned long*)(pkg_buf + i + 4);
Blowfish_Decrypt(&userEnc, l, r);
}
// Unsalt data
for (i = 0; i < len - 8; i++) {
pkg_buf[i] ^= pkg_buf[len - 8 + (i & 7)];
}
if (memcmp(pkg_buf, PKG_HDR, PKG_HDR_SIZE) != 0) {
free(pkg_buf);
pkg_buf = NULL;
return 0;
}
fi = (FileInfo*)(pkg_buf + 16);
while (fi->offset != 0) {
printf("%d\t%d\t%s\n", fi->offset, fi->length, fi->path);
fi++;
}
return 1;
}
/* Parses packfile and writes out all files within it.
* Preserves directory structure.
*/
int unpack_file() {
check_handle();
printf("Packfile size: %d bytes (%d MB)\n", get_filesize(), get_filesize()/1024/1024);
uint32_t itemcount = get_itemcount();
printf("%d (0x%04x) items in packfile.\n\n", itemcount, itemcount);
packitem files[itemcount]; // list of file entries
// populate list of items
uint32_t i;
for(i=0; i<itemcount; ++i) {
packitem p;
fread(&p, sizeof(p), 1, packfile);
files[i] = p;
if(using_blowfish != 0) { // LZSS header in encrypted packfile is worthless, toss it out
files[i].start += 0x08;
files[i].length -= 0x08;
}
}
// write out each file
for(i=0; i<itemcount; ++i) {
fseek(packfile, files[i].start, SEEK_SET);
printf("[%4d] %08x .. %s\n", i + 1, files[i].start, files[i].name);
buff = (char*) malloc(sizeof(char) * files[i].length); // set buffer to size of file
size_t result = fread(buff, 1, files[i].length, packfile);
if(result != files[i].length) {
printf(" - WARNING: Expected %d bytes, only read %d bytes.\n", files[i].length, result);
}
if(using_blowfish != 0) { // decrypt if necessary
int half_block = sizeof(unsigned long);
int j;
unsigned long L, R;
for(j=0; j<result; j+=(2*half_block)) {
memcpy(&L, &buff[j], half_block);
memcpy(&R, &buff[j+half_block], half_block);
Blowfish_Decrypt(&cipher, &L, &R);
memcpy(&buff[j], &L, half_block);
memcpy(&buff[j+half_block], &R, half_block);
}
}
substitute_chars(files[i].name, '\\', '/'); // packfile uses \ for its path separator, change to /
char outputname[MAX_PATH + 1];
strncpy(outputname, outputfolder, MAX_PATH + 1);
strcat(outputname, "/");
strcat(outputname, files[i].name);
prepare_directory_tree(outputname);
printf(" - Writing to %s...\n", outputname);
outputfile = fopen(outputname, "wb");
if(outputfile == NULL) {
perror(" - ERROR: ");
}
fwrite(buff, 1, files[i].length, outputfile);
fclose(outputfile);
if(using_decompressor != 0) { // decompress output file if enabled
char command[MAX_PATH * 2 + 14];
strcpy(command, "LLZSS.exe ");
strncat(command, outputname, MAX_PATH + 1);
strcat(command, " ");
strncat(command, outputname, MAX_PATH + 1);
strcat(command, " -d");
printf(" - Decompressing %s...\n", outputname);
system(command);
}
free(buff);
}
return 0;
}
void NamedPipeThread(void* pParam)
{
HANDLE hFile=INVALID_HANDLE_VALUE;
char chBuf[BUFSIZE];
BOOL fSuccess;
DWORD cbRead, dwMode;
char szPipeName[MAX_PATH];
char szOutputBuffer[2 * MAX_PATH];
DWORD dwDataChunk1, dwDataChunk2;
char* lpszServer = (char*)pParam; // pParam is the name of the server to connect to
int i;
::ZeroMemory(szPipeName, MAX_PATH);
::ZeroMemory(szOutputBuffer, 2 * MAX_PATH);
int nError = 2;
if (stricmp(lpszServer, "\\\\localhost") == 0 || stricmp(lpszServer, "\\\\127.0.0.1") == 0)
{
_snprintf(szPipeName, MAX_PATH, PIPE_FORMAT, "\\\\.", szGUID);
while (nError == 2)
{
BOOL bPipe = WaitNamedPipe(szPipeName, 30000);
if (!bPipe)
{
// Error 2 means the pipe is not yet available, keep trying
nError = GetLastError();
Sleep(100);
}
else
nError = 0;
}
hFile = CreateFile(szPipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
while(GetLastError() == ERROR_PIPE_BUSY)
{
Sleep(100);
hFile = CreateFile(szPipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
}
if(hFile == INVALID_HANDLE_VALUE)
{
printf("CreateFile failed to create a new client-side pipe: error %d\n", GetLastError());
return;
}
}
else
{
_snprintf(szPipeName, MAX_PATH, PIPE_FORMAT, lpszServer, szGUID);
while (nError == 2)
{
BOOL bPipe = WaitNamedPipe(szPipeName, 30000);
if (!bPipe)
{
// Error 2 means the pipe is not yet available, keep trying
nError = GetLastError();
Sleep(100);
}
else
nError = 0;
}
hFile = CreateFile(szPipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if(hFile == INVALID_HANDLE_VALUE)
{
printf("CreateFile failed to create a new client-side pipe: error %d\n", GetLastError());
return;
}
}
do
{
dwMode = PIPE_READMODE_MESSAGE;
fSuccess = SetNamedPipeHandleState(hFile, &dwMode, NULL, NULL);
if (!fSuccess)
{
printf("SetNamedPipeHandleState failed, error %d\n", GetLastError());
return;
}
::ZeroMemory(chBuf, BUFSIZE);
fSuccess = ReadFile(hFile, chBuf, BUFSIZE, &cbRead, NULL);
if (!fSuccess)
{
printf("ReadFile failed with %d.\n", GetLastError());
break;
}
else
{
// Received a valid message - decode it
if (cbRead >= 3)
{
if (chBuf[0] == 0)
{
// Terminate the thread
// Need to connect once more here so that the target knows the message has been received and unblocks
CloseHandle(hFile);
hFile=INVALID_HANDLE_VALUE;
/*hFile = CreateFile(szPipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if(hFile == INVALID_HANDLE_VALUE)
{
printf("CreateFile failed to create a new client-side pipe: error %d\n", GetLastError());
return;
}*/
break;
}
else if (chBuf[0] == 2)
{
// This is hash data from the target
// Hash data will be 64 encrypted bytes followed by the user's name
// Store in an appropriate structure
USERINFO* pTemp;
BYTE cUserBlocks = chBuf[2];
if (lpUserInfoArray == NULL)
{
lpUserInfoArray = (USERINFO*)GlobalAlloc(GMEM_FIXED, sizeof(USERINFO));
nUserInfoArraySize = 1;
pTemp = lpUserInfoArray;
}
else
{
lpUserInfoArray = (USERINFO*)GlobalReAlloc((HGLOBAL)lpUserInfoArray, (nUserInfoArraySize + 1) * sizeof(USERINFO), GMEM_MOVEABLE);
int n = sizeof(USERINFO);
pTemp = lpUserInfoArray + nUserInfoArraySize; // (nUserInfoArraySize * sizeof(USERINFO));
++nUserInfoArraySize;
}
// Copy data to the structure
for (i = 0; i < 64; i++)
{
pTemp->cHash[i] = chBuf[i + 3];
}
// Decrypt user and hash data
/*char temp[400];
memset(temp, 0, 400);
memcpy(temp, &(chBuf[3]), 30);
printf("Message size: %d, raw data: %s\n",cUserBlocks, temp);*/
// User data
for (i = 0; i <= cUserBlocks; i++)
{
ConvertToBlowfishLongs(chBuf + (i * 8) + 67, &dwDataChunk1, &dwDataChunk2);
Blowfish_Decrypt(&ctx, &dwDataChunk1, &dwDataChunk2);
// Unicode pointer math - only increment by 1/2
memcpy(&(pTemp->wszUser[(i * 4)]), &dwDataChunk1, 4);
memcpy(&(pTemp->wszUser[(i * 4) + 2]), &dwDataChunk2, 4);
}
// Hash data
for (i = 0; i < 4; i++)
{
ConvertToBlowfishLongs(chBuf + (i * 8) + 3, &dwDataChunk1, &dwDataChunk2);
Blowfish_Decrypt(&ctx, &dwDataChunk1, &dwDataChunk2);
memcpy(pTemp->cHash + (i * 8), &dwDataChunk1, 4);
memcpy(pTemp->cHash + (i * 8) + 4, &dwDataChunk2, 4);
}
}
else if (chBuf[0] == 3)
{
// Status message - just print it out
printf("%ls\n", chBuf + 67/*267*/);
}
else
{
// Unknown message
printf("Invalid message received from target host: %d\n", chBuf[0]);
}
}
else
printf("Invalid data received (length was %d)\n", cbRead);
// Purge data from the pipe
CloseHandle(hFile);
hFile = CreateFile(szPipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
while(GetLastError() == ERROR_PIPE_BUSY)
{
Sleep(100);
if (!WaitNamedPipe(szPipeName, 20000))
{
printf("Timed out waiting to get our pipe back\n");
return;
}
hFile = CreateFile(szPipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
}
if(hFile == INVALID_HANDLE_VALUE)
{
printf("CreateFile failed to create a new client-side pipe: error %d\n", GetLastError());
return;
}
}
} while (1);
if (hFile != INVALID_HANDLE_VALUE)
CloseHandle(hFile);
return;
}
