Session *GetSessionFromHashTable(Packet *p)
{
Session *returned = NULL;
SFXHASH_NODE *hnode;
SessionHashKey sessionKey;
SFXHASH *table;
if (!GetSessionKey(p, &sessionKey))
return NULL;
if (sessionKey.proto == IPPROTO_TCP)
{
table = sessionHashTable;
}
else /* Implied IPPROTO_UDP */
{
table = udpSessionHashTable;
}
hnode = sfxhash_find_node(table, &sessionKey);
if (hnode && hnode->data)
{
/* This is a unique hnode, since the sfxhash finds the
* same key before returning this node.
*/
returned = (Session *)hnode->data;
}
return returned;
}
PSCryptor::PSCryptor (const char *password)
{
memset (fDerivedKey, 0, sizeof (fDerivedKey));
const char* salt = "Adobe Photoshop";
u_int iterations = 1000;
// We use the PKCS#5 PBKDF2 standard to create raw key bytes from a password string.
// PBKDF2 requires us to specify a salt value and an iteration count. These values must be consistent across
// all implementations of this code, even when it's ported to other operating systems.
// We choose "Adobe Photoshop" as the salt and 1000 iterations.
// We need to tell PBKDF2 how many bytes of key data to generate. Since we're going to use 3DES as the encryption
// algorithm, we choose 24 bytes (the size of a 3DES key). If we change the key algorithm in the future, we will
// also have to change this value as well.
// Call the pkcs5_pbkdf2 function taken from OpenBSD (public domain license) to perform the key byte generation
pkcs5_pbkdf2(password, (size_t)strlen(password), salt, (size_t)strlen(salt), fDerivedKey, kPBKDKeyLength, iterations );
#if _WIN32
fSessionKey = GetSessionKey (fDerivedKey);
#endif
}
int SendAuthentificationBlobLS(Host CurLS, char *User, char *Pass)
{
double PlatForm;
uchar AuthBlob[0xFFFF] = {0};
uchar MD5Result[MD5_DIGEST_LENGTH] = {0};
uchar SHAResult[32] = {0};
uchar SessionKey[SK_SZ] = {0};
uchar Modulus[MODULUS_SZ * 2] = {0};
uchar ivec[AES_BLOCK_SIZE] = {0};
uchar ecount_buf[AES_BLOCK_SIZE] = {0};
uint MiscDatas[0x05] = {0};
uchar *Browser;
uchar *Mark;
uchar *MarkObjL;
uint Idx, Size, Crc;
HttpsPacketHeader *HSHeader;
AES_KEY AesKey;
MD5_CTX Context;
RSA *Keys;
RSA *SkypeRSA;
ObjectDesc Obj2000, ObjSessionKey, ObjZBool1, ObjRequestCode, ObjZBool2, ObjUserName, ObjSharedSecret, ObjModulus, ObjPlatForm, ObjLang, ObjMiscDatas, ObjVer, ObjPubAddr;
printf("Generating RSA Keys Pair (Size = %d Bits)..\n", KEYSZ);
Keys = RSA_generate_key(KEYSZ * 2, RSA_F4, NULL, NULL);
if (Keys == NULL)
{
printf("Error generating Keys..\n\n");
return (0);
}
//printf("Modulus N..\n");
Idx = BN_bn2bin(Keys->n, Modulus);
//showmem(Modulus, MODULUS_SZ);
//printf("Modulus D\n");
Idx = BN_bn2bin(Keys->d, Modulus + Idx);
//showmem(Modulus + MODULUS_SZ, MODULUS_SZ);
//printf("\n");
Browser = AuthBlob;
HSHeader = (HttpsPacketHeader *)Browser;
memcpy_s(HSHeader->MAGIC, sizeof(HSHeader->MAGIC), HTTPS_HSR_MAGIC, strlen(HTTPS_HSR_MAGIC));
HSHeader->ResponseLen = htons(0xCD);
Browser += sizeof(HttpsPacketHeader);
*Browser++ = RAW_PARAMS;
*Browser++ = 0x03;
Obj2000.Family = OBJ_FAMILY_NBR;
Obj2000.Id = OBJ_ID_2000;
Obj2000.Value.Nbr = 0x2000;
WriteObject(&Browser, Obj2000);
GetSessionKey(SessionKey);
SpecialSHA(SessionKey, SK_SZ, SHAResult, 32);
AES_set_encrypt_key(SHAResult, 256, &AesKey);
SkypeRSA = RSA_new();
BN_hex2bn(&(SkypeRSA->n), SkypeModulus1536[1]);
BN_hex2bn(&(SkypeRSA->e), "10001");
RSA_public_encrypt(SK_SZ, SessionKey, SessionKey, SkypeRSA, RSA_NO_PADDING);
RSA_free(SkypeRSA);
ObjSessionKey.Family = OBJ_FAMILY_BLOB;
ObjSessionKey.Id = OBJ_ID_SK;
ObjSessionKey.Value.Memory.Memory = (uchar *)&SessionKey;
ObjSessionKey.Value.Memory.MsZ = SK_SZ;
WriteObject(&Browser, ObjSessionKey);
ObjZBool1.Family = OBJ_FAMILY_NBR;
ObjZBool1.Id = OBJ_ID_ZBOOL1;
ObjZBool1.Value.Nbr = 0x01;
WriteObject(&Browser, ObjZBool1);
Mark = Browser;
HSHeader = (HttpsPacketHeader *)Browser;
memcpy_s(HSHeader->MAGIC, sizeof(HSHeader->MAGIC), HTTPS_HSRR_MAGIC, strlen(HTTPS_HSRR_MAGIC));
HSHeader->ResponseLen = htons(0x00);
Browser += sizeof(HttpsPacketHeader);
MarkObjL = Browser;
*Browser++ = RAW_PARAMS;
*Browser++ = 0x04;
ObjRequestCode.Family = OBJ_FAMILY_NBR;
ObjRequestCode.Id = OBJ_ID_REQCODE;
ObjRequestCode.Value.Nbr = 0x1399;
WriteObject(&Browser, ObjRequestCode);
ObjZBool2.Family = OBJ_FAMILY_NBR;
ObjZBool2.Id = OBJ_ID_ZBOOL2;
ObjZBool2.Value.Nbr = 0x01;
WriteObject(&Browser, ObjZBool2);
ObjUserName.Family = OBJ_FAMILY_STRING;
ObjUserName.Id = OBJ_ID_USERNAME;
ObjUserName.Value.Memory.Memory = (uchar *)User;
ObjUserName.Value.Memory.MsZ = (uchar)strlen(User);
WriteObject(&Browser, ObjUserName);
MD5_Init(&Context);
MD5_Update(&Context, User, (ulong)strlen(User));
MD5_Update(&Context, CONCAT_SALT, (ulong)strlen(CONCAT_SALT));
MD5_Update(&Context, Pass, (ulong)strlen(Pass));
MD5_Final(MD5Result, &Context);
ObjSharedSecret.Family = OBJ_FAMILY_BLOB;
ObjSharedSecret.Id = OBJ_ID_USERPASS;
ObjSharedSecret.Value.Memory.Memory = (uchar *)MD5Result;
ObjSharedSecret.Value.Memory.MsZ = MD5_DIGEST_LENGTH;
WriteObject(&Browser, ObjSharedSecret);
*Browser++ = RAW_PARAMS;
*Browser++ = 0x06;
ObjModulus.Family = OBJ_FAMILY_BLOB;
ObjModulus.Id = OBJ_ID_MODULUS;
ObjModulus.Value.Memory.Memory = (uchar *)Modulus;
ObjModulus.Value.Memory.MsZ = MODULUS_SZ;
WriteObject(&Browser, ObjModulus);
PlatForm = PlatFormSpecific();
ObjPlatForm.Family = OBJ_FAMILY_TABLE;
ObjPlatForm.Id = OBJ_ID_PLATFORM;
memcpy_s(ObjPlatForm.Value.Table, sizeof(ObjPlatForm.Value.Table), (uchar *)&PlatForm, sizeof(ObjPlatForm.Value.Table));
WriteObject(&Browser, ObjPlatForm);
ObjLang.Family = OBJ_FAMILY_STRING;
ObjLang.Id = OBJ_ID_LANG;
ObjLang.Value.Memory.Memory = (uchar *)LANG_STR;
ObjLang.Value.Memory.MsZ = (uchar)strlen(LANG_STR);
WriteObject(&Browser, ObjLang);
FillMiscDatas(MiscDatas);
ObjMiscDatas.Family = OBJ_FAMILY_INTLIST;
ObjMiscDatas.Id = OBJ_ID_MISCD;
ObjMiscDatas.Value.Memory.Memory = (uchar *)MiscDatas;
ObjMiscDatas.Value.Memory.MsZ = 0x05;
WriteObject(&Browser, ObjMiscDatas);
ObjVer.Family = OBJ_FAMILY_STRING;
ObjVer.Id = OBJ_ID_VERSION;
ObjVer.Value.Memory.Memory = (uchar *)VER_STR;
ObjVer.Value.Memory.MsZ = (uchar)strlen(VER_STR);
WriteObject(&Browser, ObjVer);
ObjPubAddr.Family = OBJ_FAMILY_NBR;
ObjPubAddr.Id = OBJ_ID_PUBADDR;
ObjPubAddr.Value.Nbr = htonl(my_public_ip);
WriteObject(&Browser, ObjPubAddr);
Size = (uint)(Browser - MarkObjL);
HSHeader->ResponseLen = htons((ushort)Size + 0x02);
Idx = 0;
ZeroMemory(ivec, AES_BLOCK_SIZE);
ZeroMemory(ecount_buf, AES_BLOCK_SIZE);
AES_ctr128_encrypt(MarkObjL, MarkObjL, Size, &AesKey, ivec, ecount_buf, &Idx);
Crc = crc32(MarkObjL, Size, -1);
*Browser++ = *((uchar *)(&Crc) + 0);
*Browser++ = *((uchar *)(&Crc) + 1);
Size = (uint)(Browser - AuthBlob);
SuperWait = 1;
if (SendPacketTCP(LSSock, CurLS, AuthBlob, Size, HTTPS_PORT, &Connected))
printf("Auth Response Got..\n\n");
else
{
printf(":'(..\n");
return (-1);
}
/*unsigned char data[222] = {
0x17, 0x03, 0x01, 0x00, 0xD9, 0x73, 0xC4, 0x06, 0x08, 0xFF, 0x1F, 0xFE, 0xED, 0x64, 0xB8, 0x49,
0x4D, 0xD8, 0xBE, 0xCD, 0xC9, 0xEF, 0x63, 0x74, 0x6D, 0x7F, 0x1D, 0x9B, 0xE6, 0x91, 0xFC, 0x14,
0xC6, 0x01, 0xDD, 0x79, 0xD6, 0xEA, 0x3B, 0xB3, 0xB6, 0x20, 0x03, 0x5E, 0x05, 0xEB, 0xFC, 0xAA,
0x46, 0x35, 0x7B, 0xAF, 0x5A, 0x59, 0x01, 0xFA, 0xBB, 0xB6, 0x1F, 0x81, 0x6D, 0x34, 0x85, 0x39,
0x93, 0xBB, 0x9B, 0x5B, 0xCC, 0x21, 0xD4, 0xCC, 0x85, 0x39, 0x27, 0x62, 0x69, 0xBC, 0x05, 0x48,
0xF2, 0x19, 0x88, 0xD3, 0x86, 0xD3, 0x10, 0x0D, 0xE1, 0x36, 0x08, 0x14, 0xC9, 0xC3, 0x52, 0x8B,
0x86, 0x42, 0x8D, 0x1F, 0x25, 0x02, 0x2E, 0x82, 0x48, 0xDC, 0x0C, 0x5C, 0x66, 0x5E, 0x34, 0x1A,
0x00, 0x3B, 0x4F, 0x6D, 0x54, 0x2E, 0x02, 0x91, 0x3E, 0xE1, 0xD7, 0x47, 0xC9, 0x04, 0xA0, 0xB2,
0xBD, 0x60, 0x49, 0xE1, 0xB8, 0x79, 0xB3, 0x1A, 0xE5, 0x14, 0x12, 0xC8, 0x0C, 0x37, 0xB3, 0x23,
0x2E, 0xBD, 0xD7, 0x9F, 0x47, 0xA3, 0xE1, 0xAD, 0x21, 0xEF, 0xF0, 0x79, 0x7E, 0x72, 0x28, 0x29,
0xCA, 0xAF, 0x29, 0xDD, 0xE4, 0xDC, 0x2C, 0x9C, 0x52, 0x07, 0xC5, 0x33, 0x9D, 0x65, 0xE3, 0x06,
0x14, 0x12, 0xEA, 0xF7, 0x7F, 0x1B, 0x79, 0xA2, 0x65, 0xA2, 0x5C, 0x68, 0x74, 0x13, 0x97, 0x41,
0xFE, 0x83, 0x2B, 0x13, 0x56, 0x56, 0x57, 0x1F, 0xCC, 0x65, 0xA0, 0x46, 0xEA, 0x0C, 0x18, 0x8B,
0x59, 0x9C, 0xE1, 0x9E, 0x59, 0x68, 0x43, 0x94, 0x2D, 0x1E, 0xC3, 0x4F, 0x7F, 0x04
};
ZeroMemory(RecvBuffer, sizeof(RecvBuffer));
memcpy_s(RecvBuffer, sizeof(RecvBuffer), data, sizeof(data));*/
HSHeader = (HttpsPacketHeader *)RecvBuffer;
if (strncmp((const char *)HSHeader->MAGIC, HTTPS_HSRR_MAGIC, strlen(HTTPS_HSRR_MAGIC)))
{
printf("Bad Response..\n");
return (-1);
}
Idx = 0;
ZeroMemory(ivec, AES_BLOCK_SIZE);
ZeroMemory(ecount_buf, AES_BLOCK_SIZE);
ivec[3] = 0x01;
ivec[7] = 0x01;
AES_ctr128_encrypt(RecvBuffer + sizeof(HttpsPacketHeader), RecvBuffer + sizeof(HttpsPacketHeader), htons(HSHeader->ResponseLen) - 0x02, &AesKey, ivec, ecount_buf, &Idx);
printf("[UNCIPHERED]Auth Response..\n\n");
//showmem(RecvBuffer, RecvBufferSz);
//printf("\n\n");
uchar *Buffer;
uint BSize;
SResponse Response;
Buffer = RecvBuffer;
BSize = RecvBufferSz;
Response.Objs = NULL;
Response.NbObj = 0;
while (BSize)
{
MainArchResponseManager(&Buffer, &BSize, &Response);
Buffer += 2;
}
for (Idx = 0; Idx < Response.NbObj; Idx++)
{
switch (Response.Objs[Idx].Id)
{
case OBJ_ID_LOGINANSWER:
switch (Response.Objs[Idx].Value.Nbr)
{
case LOGIN_OK:
cprintf(FOREGROUND_BLUE, "Login Successful..\n");
GLoginD.RSAKeys = Keys;
break;
default :
cprintf(FOREGROUND_RED, "Login Failed.. Bad Credentials..\n");
ExitProcess(0);
break;
}
break;
case OBJ_ID_CIPHERDLOGD:
GLoginD.SignedCredentials.Memory = MemDup(Response.Objs[Idx].Value.Memory.Memory, Response.Objs[Idx].Value.Memory.MsZ);
GLoginD.SignedCredentials.MsZ = Response.Objs[Idx].Value.Memory.MsZ;
uchar *PostProcessed;
char *Key;
uint KeyIdx, PPsZ;
KeyIdx = htonl(*(uint *)Response.Objs[Idx].Value.Memory.Memory);
Response.Objs[Idx].Value.Memory.Memory += 4;
Response.Objs[Idx].Value.Memory.MsZ -= 4;
SkypeRSA = RSA_new();
Key = KeySelect(KeyIdx);
BN_hex2bn(&(SkypeRSA->n), Key);
BN_hex2bn(&(SkypeRSA->e), "10001");
PPsZ = RSA_public_decrypt(Response.Objs[Idx].Value.Memory.MsZ, Response.Objs[Idx].Value.Memory.Memory, Response.Objs[Idx].Value.Memory.Memory, SkypeRSA, RSA_NO_PADDING);
RSA_free(SkypeRSA);
PostProcessed = FinalizeLoginDatas(Response.Objs[Idx].Value.Memory.Memory, &PPsZ, NULL, 0);
Response.Objs[Idx].Value.Memory.Memory += PPsZ;
if (PostProcessed == NULL)
{
printf("Bad Datas Finalization..\n");
return (0);
}
//showmem(PostProcessed, PPsZ);
//printf("\n");
SResponse LoginDatas;
LoginDatas.Objs = NULL;
LoginDatas.NbObj = 0;
ManageObjects(&PostProcessed, PPsZ, &LoginDatas);
for (uint LdIdx = 0; LdIdx < LoginDatas.NbObj; LdIdx++)
{
switch (LoginDatas.Objs[LdIdx].Id)
{
case OBJ_ID_LDUSER:
GLoginD.User = LoginDatas.Objs[LdIdx].Value.Memory.Memory;
break;
case OBJ_ID_LDEXPIRY:
GLoginD.Expiry = LoginDatas.Objs[LdIdx].Value.Nbr;
break;
case OBJ_ID_LDMODULUS:
GLoginD.Modulus = LoginDatas.Objs[LdIdx].Value.Memory;
//showmem(LoginDatas.Objs[LdIdx].Value.Memory.Memory, LoginDatas.Objs[LdIdx].Value.Memory.MsZ);
//printf("\n\n");
break;
default :
printf("Non critical Object %d:%d..\n", LoginDatas.Objs[LdIdx].Family, LoginDatas.Objs[LdIdx].Id);
break;
}
}
cprintf(FOREGROUND_BLUE, "User <%s> Logged in.. Credentials Expiry : %d\n", GLoginD.User, GLoginD.Expiry);
cprintf(FOREGROUND_BLUE, "Login Data Saved..\n");
break;
default :
printf("Non critical Object %d:%d..\n", Response.Objs[Idx].Family, Response.Objs[Idx].Id);
break;
}
}
printf("\n\n");
return (1);
}
