Commit 7f9f02b5 authored by Sam Hocevar's avatar Sam Hocevar

* modules/demux/mp4/drms.c:

    + Merged redundant functions.
    + Unobfuscated and cleaned up many parts of the crypto code.
    + Added comments here and there.
parent 8cd77839
/***************************************************************************** /*****************************************************************************
* drms.c : DRMS * drms.c: DRMS
***************************************************************************** *****************************************************************************
* Copyright (C) 2004 VideoLAN * Copyright (C) 2004 VideoLAN
* $Id: drms.c,v 1.4 2004/01/09 17:29:17 jlj Exp $ * $Id: drms.c,v 1.5 2004/01/16 18:26:57 sam Exp $
* *
* Author: Jon Lech Johansen <jon-vl@nanocrew.net> * Authors: Jon Lech Johansen <jon-vl@nanocrew.net>
* Sam Hocevar <sam@zoy.org>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
...@@ -24,21 +25,28 @@ ...@@ -24,21 +25,28 @@
#include <stdlib.h> /* malloc(), free() */ #include <stdlib.h> /* malloc(), free() */
#ifdef WIN32 #ifdef WIN32
#include <io.h> # include <io.h>
#else #else
#include <stdio.h> # include <stdio.h>
#endif #endif
#include <vlc/vlc.h> #include <vlc/vlc.h>
#ifdef HAVE_ERRNO_H #ifdef HAVE_ERRNO_H
#include <errno.h> # include <errno.h>
#endif #endif
#ifdef WIN32 #ifdef WIN32
#include <tchar.h> # include <tchar.h>
#include <shlobj.h> # include <shlobj.h>
#include <windows.h> # include <windows.h>
#endif
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif #endif
#include "drms.h" #include "drms.h"
...@@ -46,1170 +54,1132 @@ ...@@ -46,1170 +54,1132 @@
#include "libmp4.h" #include "libmp4.h"
#define TAOS_INIT( tmp, i ) \ /*****************************************************************************
memset( tmp, 0, sizeof(tmp) ); \ * aes_s: AES keys structure
tmp[ i + 0 ] = 0x67452301; \ *****************************************************************************
tmp[ i + 1 ] = 0xEFCDAB89; \ * This structure stores a set of keys usable for encryption and decryption
tmp[ i + 2 ] = 0x98BADCFE; \ * with the AES/Rijndael algorithm.
tmp[ i + 3 ] = 0x10325476; *****************************************************************************/
struct aes_s
#define ROR( x, n ) (((x) << (32-(n))) | ((x) >> (n)))
static void init_ctx( uint32_t *p_ctx, uint32_t *p_input )
{ {
uint32_t i; uint32_t pp_enc_keys[ AES_KEY_COUNT + 1 ][ 4 ];
uint32_t p_tmp[ 6 ]; uint32_t pp_dec_keys[ AES_KEY_COUNT + 1 ][ 4 ];
};
p_ctx[ 0 ] = sizeof(*p_input);
memset( &p_ctx[ 1 + 4 ], 0, sizeof(*p_input) * 4 ); /*****************************************************************************
memcpy( &p_ctx[ 1 + 0 ], p_input, sizeof(*p_input) * 4 ); * md5_s: MD5 message structure
*****************************************************************************
* This structure stores the static information needed to compute an MD5
* hash. It has an extra data buffer to allow non-aligned writes.
*****************************************************************************/
struct md5_s
{
uint64_t i_bits; /* Total written bits */
uint32_t p_digest[4]; /* The MD5 digest */
uint32_t p_data[16]; /* Buffer to cache non-aligned writes */
};
p_tmp[ 0 ] = p_ctx[ 1 + 3 ]; /*****************************************************************************
* shuffle_s: shuffle structure
*****************************************************************************
* This structure stores the static information needed to shuffle data using
* a custom algorithm.
*****************************************************************************/
struct shuffle_s
{
uint32_t p_commands[ 20 ];
uint32_t p_bordel[ 16 ];
};
for( i = 0; i < sizeof(p_drms_tab1)/sizeof(p_drms_tab1[ 0 ]); i++ ) /*****************************************************************************
{ * drms_s: DRMS structure
p_tmp[ 0 ] = ROR( p_tmp[ 0 ], 8 ); *****************************************************************************
* This structure stores the static information needed to decrypt DRMS data.
*****************************************************************************/
struct drms_s
{
uint32_t i_user;
uint32_t i_key;
uint8_t *p_iviv;
uint8_t *p_name;
uint32_t i_name_len;
p_tmp[ 5 ] = p_drms_tab2[ (p_tmp[ 0 ] >> 24) & 0xFF ] uint32_t p_key[ 4 ];
^ ROR( p_drms_tab2[ (p_tmp[ 0 ] >> 16) & 0xFF ], 8 ) struct aes_s aes;
^ ROR( p_drms_tab2[ (p_tmp[ 0 ] >> 8) & 0xFF ], 16 )
^ ROR( p_drms_tab2[ p_tmp[ 0 ] & 0xFF ], 24 )
^ p_drms_tab1[ i ]
^ p_ctx[ 1 + ((i + 1) * 4) - 4 ];
p_ctx[ 1 + ((i + 1) * 4) + 0 ] = p_tmp[ 5 ]; char *psz_homedir;
p_tmp[ 5 ] ^= p_ctx[ 1 + ((i + 1) * 4) - 3 ]; };
p_ctx[ 1 + ((i + 1) * 4) + 1 ] = p_tmp[ 5 ];
p_tmp[ 5 ] ^= p_ctx[ 1 + ((i + 1) * 4) - 2 ];
p_ctx[ 1 + ((i + 1) * 4) + 2 ] = p_tmp[ 5 ];
p_tmp[ 5 ] ^= p_ctx[ 1 + ((i + 1) * 4) - 1 ];
p_ctx[ 1 + ((i + 1) * 4) + 3 ] = p_tmp[ 5 ];
p_tmp[ 0 ] = p_tmp[ 5 ]; /*****************************************************************************
} * Local prototypes
*****************************************************************************/
static void InitAES ( struct aes_s *, uint32_t * );
static void DecryptAES ( struct aes_s *, uint32_t *, const uint32_t * );
memcpy( &p_ctx[ 1 + 64 ], &p_ctx[ 1 ], sizeof(*p_ctx) * 4 ); static void InitMD5 ( struct md5_s * );
static void AddMD5 ( struct md5_s *, const uint8_t *, uint32_t );
static void AddNativeMD5 ( struct md5_s *, uint32_t *, uint32_t );
static void EndMD5 ( struct md5_s * );
static void Digest ( struct md5_s *, const uint32_t * );
for( i = 4; i < sizeof(p_drms_tab1); i++ ) static void InitShuffle ( struct shuffle_s *, uint32_t * );
{ static void DoShuffle ( struct shuffle_s *, uint8_t *, uint32_t );
p_tmp[ 2 ] = p_ctx[ 1 + 4 + (i - 4) ]; static void Bordelize ( uint32_t *, uint32_t );
p_tmp[ 0 ] = (((p_tmp[ 2 ] >> 7) & 0x01010101) * 27) static int GetSystemKey ( uint32_t * );
^ ((p_tmp[ 2 ] & 0xFF7F7F7F) << 1); static int WriteUserKey ( void *, uint32_t * );
p_tmp[ 1 ] = (((p_tmp[ 0 ] >> 7) & 0x01010101) * 27) static int ReadUserKey ( void *, uint32_t * );
^ ((p_tmp[ 0 ] & 0xFF7F7F7F) << 1); static int GetUserKey ( void *, uint32_t * );
p_tmp[ 4 ] = (((p_tmp[ 1 ] >> 7) & 0x01010101) * 27)
^ ((p_tmp[ 1 ] & 0xFF7F7F7F) << 1);
p_tmp[ 2 ] ^= p_tmp[ 4 ]; static int GetSCIData ( uint32_t **, uint32_t * );
static int HashSystemInfo ( struct md5_s * );
p_tmp[ 3 ] = ROR( p_tmp[ 1 ] ^ p_tmp[ 2 ], 16 ) /*****************************************************************************
^ ROR( p_tmp[ 0 ] ^ p_tmp[ 2 ], 8 ) * BlockXOR: XOR two 128 bit blocks
^ ROR( p_tmp[ 2 ], 24 ); *****************************************************************************/
static inline void BlockXOR( uint32_t *p_dest, uint32_t *p_s1, uint32_t *p_s2 )
{
uint32_t i;
p_ctx[ 1 + 4 + 64 + (i - 4) ] = p_tmp[ 3 ] ^ p_tmp[ 4 ] for( i = 0; i < 4; i++ )
^ p_tmp[ 1 ] ^ p_tmp[ 0 ]; {
p_dest[ i ] = p_s1[ i ] ^ p_s2[ i ];
} }
} }
static void ctx_xor( uint32_t *p_ctx, uint32_t *p_in, uint32_t *p_out, /*****************************************************************************
uint32_t p_table1[ 256 ], uint32_t p_table2[ 256 ] ) * drms_alloc: allocate a DRMS structure
*****************************************************************************/
void *drms_alloc( char *psz_homedir )
{ {
uint32_t i, x, y; struct drms_s *p_drms;
uint32_t p_tmp1[ 4 ];
uint32_t p_tmp2[ 4 ];
i = p_ctx[ 0 ] * 4;
p_tmp1[ 0 ] = p_ctx[ 1 + i + 24 ] ^ p_in[ 0 ];
p_tmp1[ 1 ] = p_ctx[ 1 + i + 25 ] ^ p_in[ 1 ];
p_tmp1[ 2 ] = p_ctx[ 1 + i + 26 ] ^ p_in[ 2 ];
p_tmp1[ 3 ] = p_ctx[ 1 + i + 27 ] ^ p_in[ 3 ];
i += 84;
#define XOR_ROR( p_table, p_tmp, i_ctx ) \ p_drms = malloc( sizeof(struct drms_s) );
p_table[ (p_tmp[ y > 2 ? y - 3 : y + 1 ] >> 24) & 0xFF ] \
^ ROR( p_table[ (p_tmp[ y > 1 ? y - 2 : y + 2 ] >> 16) & 0xFF ], 8 ) \
^ ROR( p_table[ (p_tmp[ y > 0 ? y - 1 : y + 3 ] >> 8) & 0xFF ], 16 ) \
^ ROR( p_table[ p_tmp[ y ] & 0xFF ], 24 ) \
^ p_ctx[ i_ctx ]
for( x = 0; x < 1; x++ ) if( p_drms == NULL )
{ {
memcpy( p_tmp2, p_tmp1, sizeof(p_tmp1) ); return NULL;
}
memset( p_drms, 0, sizeof(struct drms_s) );
for( y = 0; y < 4; y++ ) p_drms->psz_homedir = malloc( PATH_MAX );
if( p_drms->psz_homedir != NULL )
{ {
p_tmp1[ y ] = XOR_ROR( p_table1, p_tmp2, 1 + i - x + y ); strncpy( p_drms->psz_homedir, psz_homedir, PATH_MAX );
p_drms->psz_homedir[ PATH_MAX - 1 ] = '\0';
} }
else
{
free( (void *)p_drms );
p_drms = NULL;
} }
for( ; x < 9; x++ ) return (void *)p_drms;
{ }
memcpy( p_tmp2, p_tmp1, sizeof(p_tmp1) );
/*****************************************************************************
* drms_free: free a previously allocated DRMS structure
*****************************************************************************/
void drms_free( void *_p_drms )
{
struct drms_s *p_drms = (struct drms_s *)_p_drms;
for( y = 0; y < 4; y++ ) if( p_drms->p_name != NULL )
{ {
p_tmp1[ y ] = XOR_ROR( p_table1, p_tmp2, free( (void *)p_drms->p_name );
1 + i - x - ((x * 3) - y) );
} }
if( p_drms->p_iviv != NULL )
{
free( (void *)p_drms->p_iviv );
} }
for( y = 0; y < 4; y++ ) if( p_drms->psz_homedir != NULL )
{ {
p_out[ y ] = XOR_ROR( p_table2, p_tmp1, free( (void *)p_drms->psz_homedir );
1 + i - x - ((x * 3) - y) );
} }
#undef XOR_ROR free( p_drms );
} }
static void taos( uint32_t *p_buffer, uint32_t *p_input ) /*****************************************************************************
* drms_decrypt: unscramble a chunk of data
*****************************************************************************/
void drms_decrypt( void *_p_drms, uint32_t *p_buffer, uint32_t i_bytes )
{ {
uint32_t i; struct drms_s *p_drms = (struct drms_s *)_p_drms;
uint32_t x = 0; uint32_t p_key[ 4 ];
uint32_t p_tmp1[ 4 ]; uint32_t i_blocks, i;
uint32_t p_tmp2[ 4 ];
memcpy( p_tmp1, p_buffer, sizeof(p_tmp1) ); /* AES is a block cypher, round down the byte count */
i_blocks = i_bytes / 16;
i_bytes = i_blocks * 16;
p_tmp2[ 0 ] = ((~p_tmp1[ 1 ] & p_tmp1[ 3 ]) /* Initialise the key */
| (p_tmp1[ 2 ] & p_tmp1[ 1 ])) + p_input[ x ]; memcpy( p_key, p_drms->p_key, 4 * sizeof(uint32_t) );
p_tmp1[ 0 ] = p_tmp2[ 0 ] + p_tmp1[ 0 ] + p_drms_tab_taos[ x++ ];
for( i = 0; i < 4; i++ ) /* Unscramble */
for( i = i_blocks; i--; )
{ {
p_tmp2[ 0 ] = ((p_tmp1[ 0 ] >> 0x19) uint32_t p_tmp[ 4 ];
| (p_tmp1[ 0 ] << 0x7)) + p_tmp1[ 1 ];
p_tmp2[ 1 ] = ((~p_tmp2[ 0 ] & p_tmp1[ 2 ])
| (p_tmp1[ 1 ] & p_tmp2[ 0 ])) + p_input[ x ];
p_tmp2[ 1 ] += p_tmp1[ 3 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 3 ] = ((p_tmp2[ 1 ] >> 0x14) DecryptAES( &p_drms->aes, p_tmp, p_buffer );
| (p_tmp2[ 1 ] << 0xC)) + p_tmp2[ 0 ]; BlockXOR( p_tmp, p_key, p_tmp );
p_tmp2[ 1 ] = ((~p_tmp1[ 3 ] & p_tmp1[ 1 ])
| (p_tmp1[ 3 ] & p_tmp2[ 0 ])) + p_input[ x ];
p_tmp2[ 1 ] += p_tmp1[ 2 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 2 ] = ((p_tmp2[ 1 ] >> 0xF) /* Use the previous scrambled data as the key for next block */
| (p_tmp2[ 1 ] << 0x11)) + p_tmp1[ 3 ]; memcpy( p_key, p_buffer, 4 * sizeof(uint32_t) );
p_tmp2[ 1 ] = ((~p_tmp1[ 2 ] & p_tmp2[ 0 ])
| (p_tmp1[ 3 ] & p_tmp1[ 2 ])) + p_input[ x ];
p_tmp2[ 2 ] = p_tmp2[ 1 ] + p_tmp1[ 1 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 1 ] = ((p_tmp2[ 2 ] << 0x16) /* Copy unscrambled data back to the buffer */
| (p_tmp2[ 2 ] >> 0xA)) + p_tmp1[ 2 ]; memcpy( p_buffer, p_tmp, 4 * sizeof(uint32_t) );
if( i == 3 )
{ p_buffer += 4;
p_tmp2[ 1 ] = ((~p_tmp1[ 3 ] & p_tmp1[ 2 ])
| (p_tmp1[ 3 ] & p_tmp1[ 1 ])) + p_input[ 1 ];
}
else
{
p_tmp2[ 1 ] = ((~p_tmp1[ 1 ] & p_tmp1[ 3 ])
| (p_tmp1[ 2 ] & p_tmp1[ 1 ])) + p_input[ x ];
}
p_tmp1[ 0 ] = p_tmp2[ 0 ] + p_tmp2[ 1 ] + p_drms_tab_taos[ x++ ];
} }
}
for( i = 0; i < 4; i++ ) /*****************************************************************************
* drms_init: initialise a DRMS structure
*****************************************************************************/
int drms_init( void *_p_drms, uint32_t i_type,
uint8_t *p_info, uint32_t i_len )
{
struct drms_s *p_drms = (struct drms_s *)_p_drms;
int i_ret = 0;
switch( i_type )
{ {
uint8_t p_table[ 4 ][ 4 ] = case FOURCC_user:
{ {
{ 6, 11, 0, 5 }, if( i_len < sizeof(p_drms->i_user) )
{ 10, 15, 4, 9 },
{ 14, 3, 8, 13 },
{ 2, 7, 12, 5 }
};
p_tmp2[ 0 ] = ((p_tmp1[ 0 ] >> 0x1B)
| (p_tmp1[ 0 ] << 0x5)) + p_tmp1[ 1 ];
p_tmp2[ 1 ] = ((~p_tmp1[ 2 ] & p_tmp1[ 1 ])
| (p_tmp1[ 2 ] & p_tmp2[ 0 ]))
+ p_input[ p_table[ i ][ 0 ] ];
p_tmp2[ 1 ] += p_tmp1[ 3 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 3 ] = ((p_tmp2[ 1 ] >> 0x17)
| (p_tmp2[ 1 ] << 0x9)) + p_tmp2[ 0 ];
p_tmp2[ 1 ] = ((~p_tmp1[ 1 ] & p_tmp2[ 0 ])
| (p_tmp1[ 3 ] & p_tmp1[ 1 ]))
+ p_input[ p_table[ i ][ 1 ] ];
p_tmp2[ 1 ] += p_tmp1[ 2 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 2 ] = ((p_tmp2[ 1 ] >> 0x12)
| (p_tmp2[ 1 ] << 0xE)) + p_tmp1[ 3 ];
p_tmp2[ 1 ] = ((~p_tmp2[ 0 ] & p_tmp1[ 3 ])
| (p_tmp1[ 2 ] & p_tmp2[ 0 ]))
+ p_input[ p_table[ i ][ 2 ] ];
p_tmp2[ 1 ] += p_tmp1[ 1 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 1 ] = ((p_tmp2[ 1 ] << 0x14)
| (p_tmp2[ 1 ] >> 0xC)) + p_tmp1[ 2 ];
if( i == 3 )
{
p_tmp2[ 1 ] = (p_tmp1[ 3 ] ^ p_tmp1[ 2 ] ^ p_tmp1[ 1 ])
+ p_input[ p_table[ i ][ 3 ] ];
}
else
{ {
p_tmp2[ 1 ] = ((~p_tmp1[ 3 ] & p_tmp1[ 2 ]) i_ret = -1;
| (p_tmp1[ 3 ] & p_tmp1[ 1 ])) break;
+ p_input[ p_table[ i ][ 3 ] ];
} }
p_tmp1[ 0 ] = p_tmp2[ 0 ] + p_tmp2[ 1 ] + p_drms_tab_taos[ x++ ];
p_drms->i_user = U32_AT( p_info );
} }
break;
for( i = 0; i < 4; i++ ) case FOURCC_key:
{ {
uint8_t p_table[ 4 ][ 4 ] = if( i_len < sizeof(p_drms->i_key) )
{ {
{ 8, 11, 14, 1 }, i_ret = -1;
{ 4, 7, 10, 13 }, break;
{ 0, 3, 6, 9 }, }
{ 12, 15, 2, 0 }
};
p_tmp2[ 0 ] = ((p_tmp1[ 0 ] >> 0x1C)
| (p_tmp1[ 0 ] << 0x4)) + p_tmp1[ 1 ];
p_tmp2[ 1 ] = (p_tmp1[ 2 ] ^ p_tmp1[ 1 ] ^ p_tmp2[ 0 ])
+ p_input[ p_table[ i ][ 0 ] ];
p_tmp2[ 1 ] += p_tmp1[ 3 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 3 ] = ((p_tmp2[ 1 ] >> 0x15)
| (p_tmp2[ 1 ] << 0xB)) + p_tmp2[ 0 ];
p_tmp2[ 1 ] = (p_tmp1[ 3 ] ^ p_tmp1[ 1 ] ^ p_tmp2[ 0 ])
+ p_input[ p_table[ i ][ 1 ] ];
p_tmp2[ 1 ] += p_tmp1[ 2 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 2 ] = ((p_tmp2[ 1 ] >> 0x10) p_drms->i_key = U32_AT( p_info );
| (p_tmp2[ 1 ] << 0x10)) + p_tmp1[ 3 ]; }
p_tmp2[ 1 ] = (p_tmp1[ 3 ] ^ p_tmp1[ 2 ] ^ p_tmp2[ 0 ]) break;
+ p_input[ p_table[ i ][ 2 ] ];
p_tmp2[ 1 ] += p_tmp1[ 1 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 1 ] = ((p_tmp2[ 1 ] << 0x17) case FOURCC_iviv:
| (p_tmp2[ 1 ] >> 0x9)) + p_tmp1[ 2 ]; {
if( i == 3 ) if( i_len < sizeof(p_drms->p_key) )
{ {
p_tmp2[ 1 ] = ((~p_tmp1[ 3 ] | p_tmp1[ 1 ]) ^ p_tmp1[ 2 ]) i_ret = -1;
+ p_input[ p_table[ i ][ 3 ] ]; break;
} }
else
p_drms->p_iviv = malloc( sizeof(p_drms->p_key) );
if( p_drms->p_iviv == NULL )
{ {
p_tmp2[ 1 ] = (p_tmp1[ 3 ] ^ p_tmp1[ 2 ] ^ p_tmp1[ 1 ]) i_ret = -1;
+ p_input[ p_table[ i ][ 3 ] ]; break;
} }
p_tmp1[ 0 ] = p_tmp2[ 0 ] + p_tmp2[ 1 ] + p_drms_tab_taos[ x++ ];
memcpy( p_drms->p_iviv, p_info, sizeof(p_drms->p_key) );
} }
break;
for( i = 0; i < 4; i++ ) case FOURCC_name:
{
uint8_t p_table[ 4 ][ 4 ] =
{ {
{ 7, 14, 5, 12 }, p_drms->i_name_len = strlen( p_info );
{ 3, 10, 1, 8 },
{ 15, 6, 13, 4 },
{ 11, 2, 9, 0 }
};
p_tmp2[ 0 ] = ((p_tmp1[ 0 ] >> 0x1A) p_drms->p_name = malloc( p_drms->i_name_len );
| (p_tmp1[ 0 ] << 0x6)) + p_tmp1[ 1 ]; if( p_drms->p_name == NULL )
p_tmp2[ 1 ] = ((~p_tmp1[ 2 ] | p_tmp2[ 0 ]) ^ p_tmp1[ 1 ]) {
+ p_input[ p_table[ i ][ 0 ] ]; i_ret = -1;
p_tmp2[ 1 ] += p_tmp1[ 3 ] + p_drms_tab_taos[ x++ ]; break;
}
p_tmp1[ 3 ] = ((p_tmp2[ 1 ] >> 0x16)
| (p_tmp2[ 1 ] << 0xA)) + p_tmp2[ 0 ];
p_tmp2[ 1 ] = ((~p_tmp1[ 1 ] | p_tmp1[ 3 ]) ^ p_tmp2[ 0 ])
+ p_input[ p_table[ i ][ 1 ] ];
p_tmp2[ 1 ] += p_tmp1[ 2 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 2 ] = ((p_tmp2[ 1 ] >> 0x11) memcpy( p_drms->p_name, p_info, p_drms->i_name_len );
| (p_tmp2[ 1 ] << 0xF)) + p_tmp1[ 3 ]; }
p_tmp2[ 1 ] = ((~p_tmp2[ 0 ] | p_tmp1[ 2 ]) ^ p_tmp1[ 3 ]) break;
+ p_input[ p_table[ i ][ 2 ] ];
p_tmp2[ 1 ] += p_tmp1[ 1 ] + p_drms_tab_taos[ x++ ];
p_tmp1[ 1 ] = ((p_tmp2[ 1 ] << 0x15) case FOURCC_priv:
| (p_tmp2[ 1 ] >> 0xB)) + p_tmp1[ 2 ]; {
uint32_t p_priv[ 64 ];
struct md5_s md5;
if( i < 3 ) if( i_len < 64 )
{ {
p_tmp2[ 1 ] = ((~p_tmp1[ 3 ] | p_tmp1[ 1 ]) ^ p_tmp1[ 2 ]) i_ret = -1;
+ p_input[ p_table[ i ][ 3 ] ]; break;
p_tmp1[ 0 ] = p_tmp2[ 0 ] + p_tmp2[ 1 ] + p_drms_tab_taos[ x++ ];
}
} }
p_buffer[ 0 ] += p_tmp2[ 0 ]; InitMD5( &md5 );
p_buffer[ 1 ] += p_tmp1[ 1 ]; AddMD5( &md5, p_drms->p_name, p_drms->i_name_len );
p_buffer[ 2 ] += p_tmp1[ 2 ]; AddMD5( &md5, p_drms->p_iviv, sizeof(p_drms->p_key) );
p_buffer[ 3 ] += p_tmp1[ 3 ]; EndMD5( &md5 );
}
static void taos_add1( uint32_t *p_buffer, if( GetUserKey( p_drms, p_drms->p_key ) )
uint8_t *p_in, uint32_t i_len ) {
{ i_ret = -1;
uint32_t i; break;
uint32_t x, y; }
uint32_t p_tmp[ 16 ];
uint32_t i_offset = 0;
x = p_buffer[ 6 ] & 63; InitAES( &p_drms->aes, p_drms->p_key );
y = 64 - x;
p_buffer[ 6 ] += i_len; memcpy( p_priv, p_info, 64 );
memcpy( p_drms->p_key, md5.p_digest, sizeof(p_drms->p_key) );
drms_decrypt( p_drms, p_priv, sizeof(p_priv) );
if( i_len < y ) InitAES( &p_drms->aes, p_priv + 6 );
{ memcpy( p_drms->p_key, p_priv + 12, sizeof(p_drms->p_key) );
memcpy( &((uint8_t *)p_buffer)[ 48 + x ], p_in, i_len );
}
else
{
if( x )
{
memcpy( &((uint8_t *)p_buffer)[ 48 + x ], p_in, y );
taos( &p_buffer[ 8 ], &p_buffer[ 12 ] );
i_offset = y;
i_len -= y;
}
if( i_len >= 64 ) free( (void *)p_drms->psz_homedir );
{ p_drms->psz_homedir = NULL;
for( i = 0; i < i_len / 64; i++ ) free( (void *)p_drms->p_name );
{ p_drms->p_name = NULL;
memcpy( p_tmp, &p_in[ i_offset ], sizeof(p_tmp) ); free( (void *)p_drms->p_iviv );
taos( &p_buffer[ 8 ], p_tmp ); p_drms->p_iviv = NULL;
i_offset += 64;
i_len -= 64;
} }
break;
} }
if( i_len ) return i_ret;
{
memcpy( &p_buffer[ 12 ], &p_in[ i_offset ], i_len );
}
}
} }
static void taos_end1( uint32_t *p_buffer, uint32_t *p_out ) /* The following functions are local */
/*****************************************************************************
* InitAES: initialise AES/Rijndael encryption/decryption tables
*****************************************************************************
* The Advanced Encryption Standard (AES) is described in RFC 3268
*****************************************************************************/
static void InitAES( struct aes_s *p_aes, uint32_t *p_key )
{ {
uint32_t x, y; uint32_t i, t, i_key, i_tmp;
x = p_buffer[ 6 ] & 63; memset( p_aes->pp_enc_keys[1], 0, 4 * sizeof(uint32_t) );
y = 63 - x; memcpy( p_aes->pp_enc_keys[0], p_key, 4 * sizeof(uint32_t) );
((uint8_t *)p_buffer)[ 48 + x++ ] = 128; /* Generate the key tables */
i_tmp = p_aes->pp_enc_keys[ 0 ][ 3 ];
if( y < 8 ) for( i_key = 0; i_key < AES_KEY_COUNT; i_key++ )
{ {
memset( &((uint8_t *)p_buffer)[ 48 + x ], 0, y ); uint32_t j;
taos( &p_buffer[ 8 ], &p_buffer[ 12 ] );
y = 64;
x = 0;
}
memset( &((uint8_t *)p_buffer)[ 48 + x ], 0, y ); i_tmp = AES_ROR( i_tmp, 8 );
p_buffer[ 26 ] = p_buffer[ 6 ] * 8; j = p_aes_table[ i_key ];
p_buffer[ 27 ] = p_buffer[ 6 ] >> 29;
taos( &p_buffer[ 8 ], &p_buffer[ 12 ] );
memcpy( p_out, &p_buffer[ 8 ], sizeof(*p_out) * 4 ); j ^= p_aes_encrypt[ (i_tmp >> 24) & 0xFF ]
} ^ AES_ROR( p_aes_encrypt[ (i_tmp >> 16) & 0xFF ], 8 )
^ AES_ROR( p_aes_encrypt[ (i_tmp >> 8) & 0xFF ], 16 )
static void taos_add2( uint32_t *p_buffer, uint8_t *p_in, uint32_t i_len ) ^ AES_ROR( p_aes_encrypt[ i_tmp & 0xFF ], 24 );
{
uint32_t i, x;
uint32_t p_tmp[ 16 ];
x = (p_buffer[ 0 ] / 8) & 63; j ^= p_aes->pp_enc_keys[ i_key ][ 0 ];
i = p_buffer[ 0 ] + i_len * 8; p_aes->pp_enc_keys[ i_key + 1 ][ 0 ] = j;
j ^= p_aes->pp_enc_keys[ i_key ][ 1 ];
p_aes->pp_enc_keys[ i_key + 1 ][ 1 ] = j;
j ^= p_aes->pp_enc_keys[ i_key ][ 2 ];
p_aes->pp_enc_keys[ i_key + 1 ][ 2 ] = j;
j ^= p_aes->pp_enc_keys[ i_key ][ 3 ];
p_aes->pp_enc_keys[ i_key + 1 ][ 3 ] = j;
if( i < p_buffer[ 0 ] ) i_tmp = j;
{
p_buffer[ 1 ] += 1;
} }
p_buffer[ 0 ] = i; memcpy( p_aes->pp_dec_keys[ 0 ],
p_buffer[ 1 ] += i_len >> 29; p_aes->pp_enc_keys[ 0 ], 4 * sizeof(uint32_t) );
for( i = 0; i < i_len; i++ ) for( i = 1; i < AES_KEY_COUNT; i++ )
{
for( t = 0; t < 4; t++ )
{ {
((uint8_t *)p_buffer)[ 24 + x++ ] = p_in[ i ]; uint32_t j, k, l, m, n;
if( x != 64 ) j = p_aes->pp_enc_keys[ i ][ t ];
continue;
k = (((j >> 7) & 0x01010101) * 27) ^ ((j & 0xFF7F7F7F) << 1);
l = (((k >> 7) & 0x01010101) * 27) ^ ((k & 0xFF7F7F7F) << 1);
m = (((l >> 7) & 0x01010101) * 27) ^ ((l & 0xFF7F7F7F) << 1);
j ^= m;
n = AES_ROR( l ^ j, 16 ) ^ AES_ROR( k ^ j, 8 ) ^ AES_ROR( j, 24 );
memcpy( p_tmp, &p_buffer[ 6 ], sizeof(p_tmp) ); p_aes->pp_dec_keys[ i ][ t ] = k ^ l ^ m ^ n;
taos( &p_buffer[ 2 ], p_tmp ); }
} }
} }
static void taos_add2e( uint32_t *p_buffer, uint32_t *p_in, uint32_t i_len ) /*****************************************************************************
* DecryptAES: decrypt an AES/Rijndael 128 bit block
*****************************************************************************/
static void DecryptAES( struct aes_s *p_aes,
uint32_t *p_dest, const uint32_t *p_src )
{ {
uint32_t i, x, y; uint32_t p_wtxt[ 4 ]; /* Working cyphertext */
uint32_t p_tmp[ 32 ]; uint32_t p_tmp[ 4 ];
uint32_t round, t;
if( i_len ) for( t = 0; t < 4; t++ )
{ {
for( x = i_len; x; x -= y ) /* FIXME: are there any endianness issues here? */
{ p_wtxt[ t ] = p_src[ t ] ^ p_aes->pp_enc_keys[ AES_KEY_COUNT ][ t ];
y = x > 32 ? 32 : x; }
for( i = 0; i < y; i++ ) /* Rounds 0 - 8 */
for( round = 0; round < (AES_KEY_COUNT - 1); round++ )
{
for( t = 0; t < 4; t++ )
{ {
p_tmp[ i ] = U32_AT(&p_in[ i ]); p_tmp[ t ] = AES_XOR_ROR( p_aes_itable, p_wtxt );
} }
for( t = 0; t < 4; t++ )
{
p_wtxt[ t ] = p_tmp[ t ]
^ p_aes->pp_dec_keys[ (AES_KEY_COUNT - 1) - round ][ t ];
} }
} }
taos_add2( p_buffer, (uint8_t *)p_tmp, i_len * sizeof(p_tmp[ 0 ]) ); /* Final round (9) */
for( t = 0; t < 4; t++ )
{
p_dest[ t ] = AES_XOR_ROR( p_aes_decrypt, p_wtxt );
p_dest[ t ] ^= p_aes->pp_dec_keys[ (AES_KEY_COUNT - 1) - round ][ t ];
}
} }
static void taos_end2( uint32_t *p_buffer ) /*****************************************************************************
* InitMD5: initialise an MD5 message
*****************************************************************************
* The MD5 message-digest algorithm is described in RFC 1321
*****************************************************************************/
static void InitMD5( struct md5_s *p_md5 )
{ {
uint32_t x; p_md5->p_digest[ 0 ] = 0x67452301;
uint32_t p_tmp[ 16 ]; p_md5->p_digest[ 1 ] = 0xEFCDAB89;
p_md5->p_digest[ 2 ] = 0x98BADCFE;
p_tmp[ 14 ] = p_buffer[ 0 ]; p_md5->p_digest[ 3 ] = 0x10325476;
p_tmp[ 15 ] = p_buffer[ 1 ];
x = (p_buffer[ 0 ] / 8) & 63; memset( p_md5->p_data, 0, 16 * sizeof(uint32_t) );
p_md5->i_bits = 0;
taos_add2( p_buffer, p_drms_tab_tend, 56 - x );
memcpy( p_tmp, &p_buffer[ 6 ], 56 );
taos( &p_buffer[ 2 ], p_tmp );
memcpy( &p_buffer[ 22 ], &p_buffer[ 2 ], sizeof(*p_buffer) * 4 );
} }
static void taos_add3( uint32_t *p_buffer, uint8_t *p_key, uint32_t i_len ) /*****************************************************************************
* AddMD5: add i_len bytes to an MD5 message
*****************************************************************************/
static void AddMD5( struct md5_s *p_md5, const uint8_t *p_src, uint32_t i_len )
{ {
uint32_t x, y; uint32_t i_current; /* Current bytes in the spare buffer */
uint32_t i = 0; uint32_t i_offset = 0;
x = (p_buffer[ 4 ] / 8) & 63;
p_buffer[ 4 ] += i_len * 8;
if( p_buffer[ 4 ] < i_len * 8 )
p_buffer[ 5 ] += 1;
p_buffer[ 5 ] += i_len >> 29; i_current = (p_md5->i_bits / 8) & 63;
y = 64 - x; p_md5->i_bits += 8 * i_len;
if( i_len >= y ) /* If we can complete our spare buffer to 64 bytes, do it and add the
* resulting buffer to the MD5 message */
if( i_len >= (64 - i_current) )
{ {
memcpy( &((uint8_t *)p_buffer)[ 24 + x ], p_key, y ); memcpy( ((uint8_t *)p_md5->p_data) + i_current, p_src,
taos( p_buffer, &p_buffer[ 6 ] ); (64 - i_current) );
Digest( p_md5, p_md5->p_data );
i = y; i_offset += (64 - i_current);
y += 63; i_len -= (64 - i_current);
i_current = 0;
if( y < i_len )
{
for( ; y < i_len; y += 64, i += 64 )
{
taos( p_buffer, (uint32_t *)&p_key[y - 63] );
} }
}
else /* Add as many entire 64 bytes blocks as we can to the MD5 message */
while( i_len >= 64 )
{ {
x = 0; uint32_t p_tmp[ 16 ];
} memcpy( p_tmp, p_src + i_offset, 16 * sizeof(uint32_t) );
Digest( p_md5, p_tmp );
i_offset += 64;
i_len -= 64;
} }
memcpy( &((uint8_t *)p_buffer)[ 24 + x ], &p_key[ i ], i_len - i ); /* Copy our remaining data to the message's spare buffer */
memcpy( ((uint8_t *)p_md5->p_data) + i_current, p_src + i_offset, i_len );
} }
static int taos_osi( uint32_t *p_buffer ) /*****************************************************************************
* AddNativeMD5: add i_len big-endian uin32_t to an MD5 message
*****************************************************************************
* FIXME: I don't really understand what this is supposed to do, especially
* with big values of i_len ...
*****************************************************************************/
static void AddNativeMD5( struct md5_s *p_md5, uint32_t *p_src, uint32_t i_len )
{ {
int i_ret = 0; uint32_t i, x, y;
/* XXX: it's 32, not 16! */
#ifdef WIN32 uint32_t p_tmp[ 32 ];
HKEY i_key;
uint32_t i;
DWORD i_size;
DWORD i_serial;
LPBYTE p_reg_buf;
static LPCTSTR p_reg_keys[ 3 ][ 2 ] =
{
{
_T("HARDWARE\\DESCRIPTION\\System"),
_T("SystemBiosVersion")
},
{
_T("HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"),
_T("ProcessorNameString")
},
{
_T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion"),
_T("ProductId")
}
};
taos_add1( p_buffer, "cache-control", 13 );
taos_add1( p_buffer, "Ethernet", 8 );
GetVolumeInformation( _T("C:\\"), NULL, 0, &i_serial,
NULL, NULL, NULL, 0 );
taos_add1( p_buffer, (uint8_t *)&i_serial, 4 );
for( i = 0; i < sizeof(p_reg_keys)/sizeof(p_reg_keys[ 0 ]); i++ ) /* Convert big endian p_src to native-endian p_tmp */
{ for( x = i_len; x; x -= y )
if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, p_reg_keys[ i ][ 0 ],
0, KEY_READ, &i_key ) == ERROR_SUCCESS )
{
if( RegQueryValueEx( i_key, p_reg_keys[ i ][ 1 ],
NULL, NULL, NULL,
&i_size ) == ERROR_SUCCESS )
{ {
p_reg_buf = malloc( i_size ); /* XXX: this looks weird! */
y = x > 32 ? 32 : x;
if( p_reg_buf != NULL ) for( i = 0; i < y; i++ )
{
if( RegQueryValueEx( i_key, p_reg_keys[ i ][ 1 ],
NULL, NULL, p_reg_buf,
&i_size ) == ERROR_SUCCESS )
{ {
taos_add1( p_buffer, (uint8_t *)p_reg_buf, p_tmp[ i ] = U32_AT(p_src + i);
i_size );
}
free( p_reg_buf );
}
}
RegCloseKey( i_key );
} }
} }
#else AddMD5( p_md5, (uint8_t *)p_tmp, i_len * sizeof(uint32_t) );
i_ret = -1;
#endif
return( i_ret );
} }
static int get_sci_data( uint32_t **pp_sci, uint32_t *p_sci_size ) /*****************************************************************************
* EndMD5: finish an MD5 message
*****************************************************************************
* This function adds adequate padding to the end of the message, and appends
* the bit count so that we end at a block boundary.
*****************************************************************************/
static void EndMD5( struct md5_s *p_md5 )
{ {
int i_ret = -1; uint32_t i_current;
#ifdef WIN32
HANDLE i_file;
DWORD i_size, i_read;
TCHAR p_path[ PATH_MAX ];
TCHAR *p_filename = _T("\\Apple Computer\\iTunes\\SC Info\\SC Info.sidb");
typedef HRESULT (WINAPI *SHGETFOLDERPATH)( HWND, int, HANDLE, DWORD, i_current = (p_md5->i_bits / 8) & 63;
LPTSTR );
HINSTANCE shfolder_dll = NULL; /* Append 0x80 to our buffer. No boundary check because the temporary
SHGETFOLDERPATH dSHGetFolderPath = NULL; * buffer cannot be full, otherwise AddMD5 would have emptied it. */
((uint8_t *)p_md5->p_data)[ i_current++ ] = 0x80;
if( ( shfolder_dll = LoadLibrary( _T("SHFolder.dll") ) ) != NULL ) /* If less than 8 bytes are available at the end of the block, complete
* this 64 bytes block with zeros and add it to the message. We'll add
* our length at the end of the next block. */
if( i_current > 56 )
{ {
dSHGetFolderPath = memset( ((uint8_t *)p_md5->p_data) + i_current, 0, (64 - i_current) );
(SHGETFOLDERPATH)GetProcAddress( shfolder_dll, Digest( p_md5, p_md5->p_data );
#ifdef _UNICODE i_current = 0;
_T("SHGetFolderPathW") );
#else
_T("SHGetFolderPathA") );
#endif
} }
if( dSHGetFolderPath != NULL && /* Fill the unused space in our last block with zeroes and put the
SUCCEEDED( dSHGetFolderPath( NULL, CSIDL_COMMON_APPDATA, * message length at the end. */
NULL, 0, p_path ) ) ) memset( ((uint8_t *)p_md5->p_data) + i_current, 0, (56 - i_current) );
{ p_md5->p_data[ 14 ] = p_md5->i_bits & 0xffffffff;
_tcsncat( p_path, p_filename, min( _tcslen( p_filename ), p_md5->p_data[ 15 ] = (p_md5->i_bits >> 32);
(PATH_MAX-1) - _tcslen( p_path ) ) );
i_file = CreateFile( p_path, GENERIC_READ, 0, NULL, Digest( p_md5, p_md5->p_data );
OPEN_EXISTING, 0, NULL ); }
if( i_file != INVALID_HANDLE_VALUE )
{
i_size = GetFileSize( i_file, NULL );
if( i_size != INVALID_FILE_SIZE &&
i_size > (sizeof(*pp_sci[ 0 ]) * 22) )
{
*pp_sci = malloc( i_size * 2 );
if( *pp_sci != NULL )
{
if( ReadFile( i_file, *pp_sci, i_size, &i_read, NULL ) &&
i_read == i_size )
{
*p_sci_size = i_size;
i_ret = 0;
}
else
{
free( (void *)*pp_sci );
*pp_sci = NULL;
}
}
}
CloseHandle( i_file ); #define F1( x, y, z ) ((z) ^ ((x) & ((y) ^ (z))))
} #define F2( x, y, z ) F1((z), (x), (y))
} #define F3( x, y, z ) ((x) ^ (y) ^ (z))
#define F4( x, y, z ) ((y) ^ ((x) | ~(z)))
if( shfolder_dll != NULL ) #define MD5_DO( f, w, x, y, z, data, s ) \
{ ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x )
FreeLibrary( shfolder_dll );
}
#endif
return( i_ret ); /*****************************************************************************
* Digest: update the MD5 digest with 64 bytes of data
*****************************************************************************/
static void Digest( struct md5_s *p_md5, const uint32_t *p_input )
{
uint32_t a, b, c, d;
a = p_md5->p_digest[ 0 ];
b = p_md5->p_digest[ 1 ];
c = p_md5->p_digest[ 2 ];
d = p_md5->p_digest[ 3 ];
MD5_DO( F1, a, b, c, d, p_input[ 0 ] + 0xd76aa478, 7 );
MD5_DO( F1, d, a, b, c, p_input[ 1 ] + 0xe8c7b756, 12 );
MD5_DO( F1, c, d, a, b, p_input[ 2 ] + 0x242070db, 17 );
MD5_DO( F1, b, c, d, a, p_input[ 3 ] + 0xc1bdceee, 22 );
MD5_DO( F1, a, b, c, d, p_input[ 4 ] + 0xf57c0faf, 7 );
MD5_DO( F1, d, a, b, c, p_input[ 5 ] + 0x4787c62a, 12 );
MD5_DO( F1, c, d, a, b, p_input[ 6 ] + 0xa8304613, 17 );
MD5_DO( F1, b, c, d, a, p_input[ 7 ] + 0xfd469501, 22 );
MD5_DO( F1, a, b, c, d, p_input[ 8 ] + 0x698098d8, 7 );
MD5_DO( F1, d, a, b, c, p_input[ 9 ] + 0x8b44f7af, 12 );
MD5_DO( F1, c, d, a, b, p_input[ 10 ] + 0xffff5bb1, 17 );
MD5_DO( F1, b, c, d, a, p_input[ 11 ] + 0x895cd7be, 22 );
MD5_DO( F1, a, b, c, d, p_input[ 12 ] + 0x6b901122, 7 );
MD5_DO( F1, d, a, b, c, p_input[ 13 ] + 0xfd987193, 12 );
MD5_DO( F1, c, d, a, b, p_input[ 14 ] + 0xa679438e, 17 );
MD5_DO( F1, b, c, d, a, p_input[ 15 ] + 0x49b40821, 22 );
MD5_DO( F2, a, b, c, d, p_input[ 1 ] + 0xf61e2562, 5 );
MD5_DO( F2, d, a, b, c, p_input[ 6 ] + 0xc040b340, 9 );
MD5_DO( F2, c, d, a, b, p_input[ 11 ] + 0x265e5a51, 14 );
MD5_DO( F2, b, c, d, a, p_input[ 0 ] + 0xe9b6c7aa, 20 );
MD5_DO( F2, a, b, c, d, p_input[ 5 ] + 0xd62f105d, 5 );
MD5_DO( F2, d, a, b, c, p_input[ 10 ] + 0x02441453, 9 );
MD5_DO( F2, c, d, a, b, p_input[ 15 ] + 0xd8a1e681, 14 );
MD5_DO( F2, b, c, d, a, p_input[ 4 ] + 0xe7d3fbc8, 20 );
MD5_DO( F2, a, b, c, d, p_input[ 9 ] + 0x21e1cde6, 5 );
MD5_DO( F2, d, a, b, c, p_input[ 14 ] + 0xc33707d6, 9 );
MD5_DO( F2, c, d, a, b, p_input[ 3 ] + 0xf4d50d87, 14 );
MD5_DO( F2, b, c, d, a, p_input[ 8 ] + 0x455a14ed, 20 );
MD5_DO( F2, a, b, c, d, p_input[ 13 ] + 0xa9e3e905, 5 );
MD5_DO( F2, d, a, b, c, p_input[ 2 ] + 0xfcefa3f8, 9 );
MD5_DO( F2, c, d, a, b, p_input[ 7 ] + 0x676f02d9, 14 );
MD5_DO( F2, b, c, d, a, p_input[ 12 ] + 0x8d2a4c8a, 20 );
MD5_DO( F3, a, b, c, d, p_input[ 5 ] + 0xfffa3942, 4 );
MD5_DO( F3, d, a, b, c, p_input[ 8 ] + 0x8771f681, 11 );
MD5_DO( F3, c, d, a, b, p_input[ 11 ] + 0x6d9d6122, 16 );
MD5_DO( F3, b, c, d, a, p_input[ 14 ] + 0xfde5380c, 23 );
MD5_DO( F3, a, b, c, d, p_input[ 1 ] + 0xa4beea44, 4 );
MD5_DO( F3, d, a, b, c, p_input[ 4 ] + 0x4bdecfa9, 11 );
MD5_DO( F3, c, d, a, b, p_input[ 7 ] + 0xf6bb4b60, 16 );
MD5_DO( F3, b, c, d, a, p_input[ 10 ] + 0xbebfbc70, 23 );
MD5_DO( F3, a, b, c, d, p_input[ 13 ] + 0x289b7ec6, 4 );
MD5_DO( F3, d, a, b, c, p_input[ 0 ] + 0xeaa127fa, 11 );
MD5_DO( F3, c, d, a, b, p_input[ 3 ] + 0xd4ef3085, 16 );
MD5_DO( F3, b, c, d, a, p_input[ 6 ] + 0x04881d05, 23 );
MD5_DO( F3, a, b, c, d, p_input[ 9 ] + 0xd9d4d039, 4 );
MD5_DO( F3, d, a, b, c, p_input[ 12 ] + 0xe6db99e5, 11 );
MD5_DO( F3, c, d, a, b, p_input[ 15 ] + 0x1fa27cf8, 16 );
MD5_DO( F3, b, c, d, a, p_input[ 2 ] + 0xc4ac5665, 23 );
MD5_DO( F4, a, b, c, d, p_input[ 0 ] + 0xf4292244, 6 );
MD5_DO( F4, d, a, b, c, p_input[ 7 ] + 0x432aff97, 10 );
MD5_DO( F4, c, d, a, b, p_input[ 14 ] + 0xab9423a7, 15 );
MD5_DO( F4, b, c, d, a, p_input[ 5 ] + 0xfc93a039, 21 );
MD5_DO( F4, a, b, c, d, p_input[ 12 ] + 0x655b59c3, 6 );
MD5_DO( F4, d, a, b, c, p_input[ 3 ] + 0x8f0ccc92, 10 );
MD5_DO( F4, c, d, a, b, p_input[ 10 ] + 0xffeff47d, 15 );
MD5_DO( F4, b, c, d, a, p_input[ 1 ] + 0x85845dd1, 21 );
MD5_DO( F4, a, b, c, d, p_input[ 8 ] + 0x6fa87e4f, 6 );
MD5_DO( F4, d, a, b, c, p_input[ 15 ] + 0xfe2ce6e0, 10 );
MD5_DO( F4, c, d, a, b, p_input[ 6 ] + 0xa3014314, 15 );
MD5_DO( F4, b, c, d, a, p_input[ 13 ] + 0x4e0811a1, 21 );
MD5_DO( F4, a, b, c, d, p_input[ 4 ] + 0xf7537e82, 6 );
MD5_DO( F4, d, a, b, c, p_input[ 11 ] + 0xbd3af235, 10 );
MD5_DO( F4, c, d, a, b, p_input[ 2 ] + 0x2ad7d2bb, 15 );
MD5_DO( F4, b, c, d, a, p_input[ 9 ] + 0xeb86d391, 21 );
p_md5->p_digest[ 0 ] += a;
p_md5->p_digest[ 1 ] += b;
p_md5->p_digest[ 2 ] += c;
p_md5->p_digest[ 3 ] += d;
} }
static void acei_taxs( uint32_t *p_acei, uint32_t i_val ) /*****************************************************************************
* InitShuffle: initialise a shuffle structure
*****************************************************************************
* This function initialises tables in the p_shuffle structure that will be
* used later by DoShuffle. The only external parameter is p_sys_key.
*****************************************************************************/
static void InitShuffle( struct shuffle_s *p_shuffle, uint32_t *p_sys_key )
{ {
uint32_t i, x; uint32_t p_native_key[ 4 ];
uint32_t i, i_seed = 0x5476212A; /* *!vT */
i = (i_val / 16) & 15;
x = (~(i_val & 15)) & 15;
if( (i_val & 768) == 768 )
{
x = (~i) & 15;
i = i_val & 15;
p_acei[ 25 + i ] = p_acei[ 25 + ((16 - x) & 15) ] /* Store the system key in native endianness */
+ p_acei[ 25 + (15 - x) ]; for( i = 0; i < 4; i++ )
}
else if( (i_val & 512) == 512 )
{
p_acei[ 25 + i ] ^= p_drms_tab_xor[ 15 - i ][ x ];
}
else if( (i_val & 256) == 256 )
{
p_acei[ 25 + i ] -= p_drms_tab_sub[ 15 - i ][ x ];
}
else
{ {
p_acei[ 25 + i ] += p_drms_tab_add[ 15 - i ][ x ]; p_native_key[ i ] = U32_AT(p_sys_key + i);
} }
}
static void acei( uint32_t *p_acei, uint8_t *p_buffer, uint32_t i_len )
{
uint32_t i, x;
uint32_t p_tmp[ 26 ];
for( i = 5; i < 25; i++ ) /* Fill p_commands using the native key and our seed */
{ for( i = 0; i < 20; i++ )
if( p_acei[ i ] )
{ {
acei_taxs( p_acei, p_acei[ i ] ); struct md5_s md5;
} int32_t i_hash;
}
TAOS_INIT( p_tmp, 2 ); InitMD5( &md5 );
taos_add2e( p_tmp, &p_acei[ 25 ], sizeof(*p_acei) * 4 ); AddNativeMD5( &md5, p_native_key, 4 );
taos_end2( p_tmp ); AddNativeMD5( &md5, &i_seed, 1 );
EndMD5( &md5 );
x = i_len < 16 ? i_len : 16; i_seed++;
if( x > 0 ) i_hash = ((int32_t)U32_AT(md5.p_digest)) % 1024;
{
for( i = 0; i < x; i++ )
{
p_buffer[ i ] ^= ((uint8_t *)&p_tmp)[ 88 + i ];
}
}
}
static uint32_t ttov_calc( uint32_t *p_acei ) p_shuffle->p_commands[ i ] = i_hash < 0 ? i_hash * -1 : i_hash;
{ }
int32_t i_val;
uint32_t p_tmp[ 26 ];
TAOS_INIT( p_tmp, 2 ); /* Fill p_bordel with completely meaningless initial values.
taos_add2e( p_tmp, &p_acei[ 0 ], 4 ); * FIXME: check endianness issues. */
taos_add2e( p_tmp, &p_acei[ 4 ], 1 ); p_shuffle->p_bordel[ 0 ] = p_native_key[ 0 ];
taos_end2( p_tmp ); p_shuffle->p_bordel[ 1 ] = 0x68723876; /* v8rh */
p_shuffle->p_bordel[ 2 ] = 0x41617376; /* vsaA */
p_shuffle->p_bordel[ 3 ] = 0x4D4B4F76; /* voKM */
p_acei[ 4 ]++; p_shuffle->p_bordel[ 4 ] = p_native_key[ 1 ];
p_shuffle->p_bordel[ 5 ] = 0x48556646; /* FfUH */
p_shuffle->p_bordel[ 6 ] = 0x38393725; /* %798 */
p_shuffle->p_bordel[ 7 ] = 0x2E3B5B3D; /* =[;. */
i_val = ((int32_t)U32_AT(&p_tmp[ 22 ])) % 1024; p_shuffle->p_bordel[ 8 ] = p_native_key[ 2 ];
p_shuffle->p_bordel[ 9 ] = 0x37363866; /* f867 */
p_shuffle->p_bordel[ 10 ] = 0x30383637; /* 7680 */
p_shuffle->p_bordel[ 11 ] = 0x34333661; /* a634 */
return( i_val < 0 ? i_val * -1 : i_val ); p_shuffle->p_bordel[ 12 ] = p_native_key[ 3 ];
p_shuffle->p_bordel[ 13 ] = 0x37386162; /* ba87 */
p_shuffle->p_bordel[ 14 ] = 0x494F6E66; /* fnOI */
p_shuffle->p_bordel[ 15 ] = 0x2A282966; /* f)(* */
} }
static void acei_init( uint32_t *p_acei, uint32_t *p_sys_key ) /*****************************************************************************
* DoShuffle: shuffle i_len bytes of a buffer
*****************************************************************************
* This is so ugly and uses so many MD5 checksums that it is most certainly
* one-way, though why it needs to be so complicated is beyond me.
*****************************************************************************/
static void DoShuffle( struct shuffle_s *p_shuffle,
uint8_t *p_buffer, uint32_t i_len )
{ {
struct md5_s md5;
uint32_t i; uint32_t i;
for( i = 0; i < 4; i++ ) /* Randomize p_bordel and compute its MD5 checksum */
for( i = 0; i < 20; i++ )
{
if( p_shuffle->p_commands[ i ] )
{ {
p_acei[ i ] = U32_AT(&p_sys_key[ i ]); Bordelize( p_shuffle->p_bordel, p_shuffle->p_commands[ i ] );
}
} }
p_acei[ 4 ] = 0x5476212A; InitMD5( &md5 );
AddNativeMD5( &md5, p_shuffle->p_bordel, 16 );
EndMD5( &md5 );
for( i = 5; i < 25; i++ ) /* There are only 16 bytes in an MD5 hash */
if( i_len > 16 )
{ {
p_acei[ i ] = ttov_calc( p_acei ); i_len = 16;
} }
p_acei[ 25 + 0 ] = p_acei[ 0 ]; /* XOR our buffer with the computed checksum */
p_acei[ 25 + 1 ] = 0x68723876; for( i = 0; i < i_len; i++ )
p_acei[ 25 + 2 ] = 0x41617376; {
p_acei[ 25 + 3 ] = 0x4D4B4F76; p_buffer[ i ] ^= ((uint8_t *)&md5.p_digest)[ i ];
}
p_acei[ 25 + 4 ] = p_acei[ 1 ];
p_acei[ 25 + 5 ] = 0x48556646;
p_acei[ 25 + 6 ] = 0x38393725;
p_acei[ 25 + 7 ] = 0x2E3B5B3D;
p_acei[ 25 + 8 ] = p_acei[ 2 ];
p_acei[ 25 + 9 ] = 0x37363866;
p_acei[ 25 + 10 ] = 0x30383637;
p_acei[ 25 + 11 ] = 0x34333661;
p_acei[ 25 + 12 ] = p_acei[ 3 ];
p_acei[ 25 + 13 ] = 0x37386162;
p_acei[ 25 + 14 ] = 0x494F6E66;
p_acei[ 25 + 15 ] = 0x2A282966;
} }
static inline void block_xor( uint32_t *p_in, uint32_t *p_key, /*****************************************************************************
uint32_t *p_out ) * Bordelize: helper for DoShuffle
*****************************************************************************
* Using the MD5 hash of a string is probably not one-way enough. This
* function randomises p_bordel depending on the value of i_command to make
* things even more messy in p_bordel.
*****************************************************************************/
static void Bordelize( uint32_t *p_bordel, uint32_t i_command )
{ {
uint32_t i; uint32_t i, x;
for( i = 0; i < 4; i++ ) i = (i_command / 16) & 15;
x = (~(i_command & 15)) & 15;
if( (i_command & 768) == 768 )
{ {
p_out[ i ] = p_key[ i ] ^ p_in[ i ]; x = (~i) & 15;
i = i_command & 15;
p_bordel[ i ] = p_bordel[ ((16 - x) & 15) ] + p_bordel[ (15 - x) ];
}
else if( (i_command & 512) == 512 )
{
p_bordel[ i ] ^= p_shuffle_xor[ 15 - i ][ x ];
}
else if( (i_command & 256) == 256 )
{
p_bordel[ i ] -= p_shuffle_sub[ 15 - i ][ x ];
}
else
{
p_bordel[ i ] += p_shuffle_add[ 15 - i ][ x ];
} }
} }
static int get_sys_key( uint32_t *p_sys_key ) /*****************************************************************************
* GetSystemKey: get the system key
*****************************************************************************
* Compute the system key from various system information, see HashSystemInfo.
*****************************************************************************/
static int GetSystemKey( uint32_t *p_sys_key )
{ {
uint32_t p_tmp[ 128 ]; struct md5_s md5;
uint32_t p_tmp_key[ 4 ]; uint32_t p_tmp_key[ 4 ];
TAOS_INIT( p_tmp, 8 ); InitMD5( &md5 );
if( taos_osi( p_tmp ) ) if( HashSystemInfo( &md5 ) )
{ {
return( -1 ); return -1;
} }
taos_end1( p_tmp, p_tmp_key ); EndMD5( &md5 );
TAOS_INIT( p_tmp, 2 );
taos_add2( p_tmp, "YuaFlafu", 8 );
taos_add2( p_tmp, (uint8_t *)p_tmp_key, 6 );
taos_add2( p_tmp, (uint8_t *)p_tmp_key, 6 );
taos_add2( p_tmp, (uint8_t *)p_tmp_key, 6 );
taos_add2( p_tmp, "zPif98ga", 8 );
taos_end2( p_tmp );
memcpy( p_sys_key, &p_tmp[ 2 ], sizeof(*p_sys_key) * 4 );
return( 0 );
}
struct drms_s /* Write our digest to p_tmp_key */
{ memcpy( p_tmp_key, md5.p_digest, 4 * sizeof(uint32_t) );
uint32_t i_user;
uint32_t i_key;
uint8_t *p_iviv;
uint8_t *p_name;
uint32_t i_name_len;
uint32_t *p_tmp; InitMD5( &md5 );
uint32_t i_tmp_len; AddMD5( &md5, "YuaFlafu", 8 );
AddMD5( &md5, (uint8_t *)p_tmp_key, 6 );
AddMD5( &md5, (uint8_t *)p_tmp_key, 6 );
AddMD5( &md5, (uint8_t *)p_tmp_key, 6 );
AddMD5( &md5, "zPif98ga", 8 );
EndMD5( &md5 );
uint32_t p_key[ 4 ]; memcpy( p_sys_key, md5.p_digest, 4 * sizeof(uint32_t) );
uint32_t p_ctx[ 128 ];
char *psz_homedir; return 0;
}; }
#define P_DRMS ((struct drms_s *)p_drms) #ifdef WIN32
# define DRMS_DIRNAME "drms"
#else
# define DRMS_DIRNAME ".drms"
#endif
static int rw_user_key( void *p_drms, uint32_t i_rw, uint32_t *p_user_key ) /*****************************************************************************
* WriteUserKey: write the user key to hard disk
*****************************************************************************
* Write the user key to the hard disk so that it can be reused later or used
* on operating systems other than Win32.
*****************************************************************************/
static int WriteUserKey( void *_p_drms, uint32_t *p_user_key )
{ {
struct drms_s *p_drms = (struct drms_s *)_p_drms;
FILE *file; FILE *file;
int i_ret = -1; int i_ret = -1;
char sz_path[ PATH_MAX ]; char psz_path[ PATH_MAX ];
#define DRMS_PI_DIRNAME "drms" snprintf( psz_path, PATH_MAX - 1,
#ifdef WIN32 "%s/" DRMS_DIRNAME, p_drms->psz_homedir );
#define DRMS_DIRNAME DRMS_PI_DIRNAME
#if defined( HAVE_ERRNO_H )
# if defined( WIN32 )
if( !mkdir( psz_path ) || errno == EEXIST )
# else
if( !mkdir( psz_path, 0755 ) || errno == EEXIST )
# endif
#else #else
#define DRMS_DIRNAME "." DRMS_PI_DIRNAME if( !mkdir( psz_path ) )
#endif #endif
if( i_rw )
{ {
snprintf( sz_path, (sizeof(sz_path)/sizeof(sz_path[ 0 ])) - 1, snprintf( psz_path, PATH_MAX - 1, "%s/" DRMS_DIRNAME "/%08X.%03d",
"%s/" DRMS_DIRNAME "/%08X.%03d", P_DRMS->psz_homedir, p_drms->psz_homedir, p_drms->i_user, p_drms->i_key );
P_DRMS->i_user, P_DRMS->i_key );
file = fopen( sz_path, "r" ); file = fopen( psz_path, "w" );
if( file != NULL ) if( file != NULL )
{ {
i_ret = fread( p_user_key, sizeof(*p_user_key), i_ret = fwrite( p_user_key, sizeof(uint32_t),
4, file ) == 4 ? 0 : -1; 4, file ) == 4 ? 0 : -1;
fclose( file ); fclose( file );
} }
} }
else
{
snprintf( sz_path, (sizeof(sz_path)/sizeof(sz_path[ 0 ])) - 1,
"%s/" DRMS_DIRNAME, P_DRMS->psz_homedir );
#if defined( HAVE_ERRNO_H ) return i_ret;
# if defined( WIN32 ) }
if( !mkdir( sz_path ) || errno == EEXIST )
# else /*****************************************************************************
if( !mkdir( sz_path, 0755 ) || errno == EEXIST ) * ReadUserKey: read the user key from hard disk
# endif *****************************************************************************
#else * Retrieve the user key from the hard disk if available.
if( !mkdir( sz_path ) ) *****************************************************************************/
#endif static int ReadUserKey( void *_p_drms, uint32_t *p_user_key )
{ {
snprintf( sz_path, (sizeof(sz_path)/sizeof(sz_path[ 0 ])) - 1, struct drms_s *p_drms = (struct drms_s *)_p_drms;
"%s/" DRMS_DIRNAME "/%08X.%03d", P_DRMS->psz_homedir, FILE *file;
P_DRMS->i_user, P_DRMS->i_key ); int i_ret = -1;
char psz_path[ PATH_MAX ];
file = fopen( sz_path, "w" ); snprintf( psz_path, PATH_MAX - 1,
"%s/" DRMS_DIRNAME "/%08X.%03d", p_drms->psz_homedir,
p_drms->i_user, p_drms->i_key );
file = fopen( psz_path, "r" );
if( file != NULL ) if( file != NULL )
{ {
i_ret = fwrite( p_user_key, sizeof(*p_user_key), i_ret = fread( p_user_key, sizeof(uint32_t),
4, file ) == 4 ? 0 : -1; 4, file ) == 4 ? 0 : -1;
fclose( file ); fclose( file );
} }
}
}
return( i_ret ); return i_ret;
} }
static int get_user_key( void *p_drms, uint32_t *p_user_key ) /*****************************************************************************
* GetUserKey: get the user key
*****************************************************************************
* Retrieve the user key from the hard disk if available, otherwise generate
* it from the system key. If the key could be successfully generated, write
* it to the hard disk for future use.
*****************************************************************************/
static int GetUserKey( void *_p_drms, uint32_t *p_user_key )
{ {
struct drms_s *p_drms = (struct drms_s *)_p_drms;
struct aes_s aes;
struct shuffle_s shuffle;
uint32_t i, y; uint32_t i, y;
uint32_t *p_tmp; uint32_t *p_tmp;
uint32_t *p_cur_key; uint32_t *p_cur_key;
uint32_t p_acei[ 41 ];
uint32_t p_ctx[ 128 ];
uint32_t p_sys_key[ 4 ]; uint32_t p_sys_key[ 4 ];
uint32_t i_sci_size; uint32_t i_sci_size;
uint32_t *p_sci[ 2 ]; uint32_t *pp_sci[ 2 ];
int i_ret = -1; int i_ret = -1;
uint32_t p_sci_key[ 4 ] = uint32_t p_sci_key[ 4 ] =
{ {
0x6E66556D, 0x6E676F70, 0x67666461, 0x33373866 0x6e66556d, /* nfUm */
0x6e676f70, /* ngop */
0x67666461, /* gfda */
0x33373866 /* 378f */
}; };
if( !rw_user_key( p_drms, 1, p_user_key ) ) if( !ReadUserKey( p_drms, p_user_key ) )
{ {
return( 0 ); return 0;
} }
if( get_sys_key( p_sys_key ) ) if( GetSystemKey( p_sys_key ) )
{ {
return( -1 ); return -1;
} }
if( GetSCIData( pp_sci + 0, &i_sci_size ) )
if( get_sci_data( &p_sci[ 0 ], &i_sci_size ) )
{ {
return( -1 ); return -1;
} }
p_tmp = p_sci[ 0 ]; p_tmp = pp_sci[ 0 ];
p_sci[ 1 ] = (uint32_t *)(((uint8_t *)p_sci[ 0 ]) + i_sci_size); pp_sci[ 1 ] = (uint32_t *)(((uint8_t *)pp_sci[ 0 ]) + i_sci_size);
i_sci_size -= sizeof(*p_sci[ 0 ]); i_sci_size -= sizeof(*pp_sci[ 0 ]);
init_ctx( p_ctx, p_sys_key ); InitAES( &aes, p_sys_key );
for( i = 0, p_cur_key = p_sci_key; for( i = 0, p_cur_key = p_sci_key;
i < i_sci_size / sizeof(P_DRMS->p_key); i++ ) i < i_sci_size / sizeof(p_drms->p_key); i++ )
{ {
y = i * sizeof(*p_sci[ 0 ]); y = i * sizeof(*pp_sci[ 0 ]);
ctx_xor( p_ctx, p_sci[ 0 ] + y + 1, p_sci[ 1 ] + y + 1, DecryptAES( &aes, pp_sci[ 1 ] + y + 1, pp_sci[ 0 ] + y + 1 );
p_drms_tab3, p_drms_tab4 ); BlockXOR( pp_sci[ 1 ] + y + 1, p_cur_key, pp_sci[ 1 ] + y + 1 );
block_xor( p_sci[ 1 ] + y + 1, p_cur_key, p_sci[ 1 ] + y + 1 );
p_cur_key = p_sci[ 0 ] + y + 1; p_cur_key = pp_sci[ 0 ] + y + 1;
} }
acei_init( p_acei, p_sys_key ); /* Shuffle pp_sci[ 1 ] using a custom routine */
InitShuffle( &shuffle, p_sys_key );
for( i = 0; i < i_sci_size / sizeof(P_DRMS->p_key); i++ ) for( i = 0; i < i_sci_size / sizeof(p_drms->p_key); i++ )
{ {
y = i * sizeof(*p_sci[ 1 ]); y = i * sizeof(*pp_sci[ 1 ]);
acei( p_acei, (uint8_t *)(p_sci[ 1 ] + y + 1), DoShuffle( &shuffle, (uint8_t *)(pp_sci[ 1 ] + y + 1),
sizeof(P_DRMS->p_key) ); sizeof(p_drms->p_key) );
} }
y = 0; y = 0;
i = U32_AT( &p_sci[ 1 ][ 5 ] ); i = U32_AT( &pp_sci[ 1 ][ 5 ] );
i_sci_size -= 21 * sizeof(*p_sci[ 1 ]); i_sci_size -= 21 * sizeof(*pp_sci[ 1 ]);
p_sci[ 1 ] += 22; pp_sci[ 1 ] += 22;
p_sci[ 0 ] = NULL; pp_sci[ 0 ] = NULL;
while( i_sci_size > 0 && i > 0 ) while( i_sci_size > 0 && i > 0 )
{ {
if( p_sci[ 0 ] == NULL ) if( pp_sci[ 0 ] == NULL )
{ {
i_sci_size -= 18 * sizeof(*p_sci[ 1 ]); i_sci_size -= 18 * sizeof(*pp_sci[ 1 ]);
if( i_sci_size <= 0 ) if( i_sci_size <= 0 )
{ {
break; break;
} }
p_sci[ 0 ] = p_sci[ 1 ]; pp_sci[ 0 ] = pp_sci[ 1 ];
y = U32_AT( &p_sci[ 1 ][ 17 ] ); y = U32_AT( &pp_sci[ 1 ][ 17 ] );
p_sci[ 1 ] += 18; pp_sci[ 1 ] += 18;
} }
if( !y ) if( !y )
{ {
i--; i--;
p_sci[ 0 ] = NULL; pp_sci[ 0 ] = NULL;
continue; continue;
} }
if( U32_AT( &p_sci[ 0 ][ 0 ] ) == P_DRMS->i_user && if( U32_AT( &pp_sci[ 0 ][ 0 ] ) == p_drms->i_user &&
( i_sci_size >= ( i_sci_size >=
(sizeof(P_DRMS->p_key) + sizeof(p_sci[ 1 ][ 0 ]) ) ) && (sizeof(p_drms->p_key) + sizeof(pp_sci[ 1 ][ 0 ]) ) ) &&
( ( U32_AT( &p_sci[ 1 ][ 0 ] ) == P_DRMS->i_key ) || ( ( U32_AT( &pp_sci[ 1 ][ 0 ] ) == p_drms->i_key ) ||
( !P_DRMS->i_key ) || ( p_sci[ 1 ] == (p_sci[ 0 ] + 18) ) ) ) ( !p_drms->i_key ) || ( pp_sci[ 1 ] == (pp_sci[ 0 ] + 18) ) ) )
{ {
memcpy( p_user_key, &p_sci[ 1 ][ 1 ], sizeof(P_DRMS->p_key) ); memcpy( p_user_key, &pp_sci[ 1 ][ 1 ], sizeof(p_drms->p_key) );
rw_user_key( p_drms, 0, p_user_key ); WriteUserKey( p_drms, p_user_key );
i_ret = 0; i_ret = 0;
break; break;
} }
y--; y--;
p_sci[ 1 ] += 5; pp_sci[ 1 ] += 5;
i_sci_size -= 5 * sizeof(*p_sci[ 1 ]); i_sci_size -= 5 * sizeof(*pp_sci[ 1 ]);
} }
free( (void *)p_tmp ); free( (void *)p_tmp );
return( i_ret ); return i_ret;
} }
/*****************************************************************************
void *drms_alloc( char *psz_homedir ) * GetSCIData: get SCI data from "SC Info.sidb"
*****************************************************************************
* Read SCI data from "\Apple Computer\iTunes\SC Info\SC Info.sidb"
*****************************************************************************/
static int GetSCIData( uint32_t **pp_sci, uint32_t *p_sci_size )
{ {
struct drms_s *p_drms; int i_ret = -1;
p_drms = malloc( sizeof(struct drms_s) ); #ifdef WIN32
HANDLE i_file;
DWORD i_size, i_read;
TCHAR p_path[ PATH_MAX ];
TCHAR *p_filename = _T("\\Apple Computer\\iTunes\\SC Info\\SC Info.sidb");
if( p_drms != NULL ) typedef HRESULT (WINAPI *SHGETFOLDERPATH)( HWND, int, HANDLE, DWORD,
{ LPTSTR );
memset( p_drms, 0, sizeof(struct drms_s) );
HINSTANCE shfolder_dll = NULL;
SHGETFOLDERPATH dSHGetFolderPath = NULL;
p_drms->i_tmp_len = 1024; if( ( shfolder_dll = LoadLibrary( _T("SHFolder.dll") ) ) != NULL )
p_drms->p_tmp = malloc( p_drms->i_tmp_len );
if( p_drms->p_tmp == NULL )
{ {
free( (void *)p_drms ); dSHGetFolderPath =
p_drms = NULL; (SHGETFOLDERPATH)GetProcAddress( shfolder_dll,
#ifdef _UNICODE
_T("SHGetFolderPathW") );
#else
_T("SHGetFolderPathA") );
#endif
} }
p_drms->psz_homedir = malloc( PATH_MAX ); if( dSHGetFolderPath != NULL &&
if( p_drms->psz_homedir != NULL ) SUCCEEDED( dSHGetFolderPath( NULL, CSIDL_COMMON_APPDATA,
NULL, 0, p_path ) ) )
{ {
strncpy( p_drms->psz_homedir, psz_homedir, PATH_MAX ); _tcsncat( p_path, p_filename, min( _tcslen( p_filename ),
p_drms->psz_homedir[ PATH_MAX - 1 ] = '\0'; (PATH_MAX-1) - _tcslen( p_path ) ) );
i_file = CreateFile( p_path, GENERIC_READ, 0, NULL,
OPEN_EXISTING, 0, NULL );
if( i_file != INVALID_HANDLE_VALUE )
{
i_size = GetFileSize( i_file, NULL );
if( i_size != INVALID_FILE_SIZE &&
i_size > (sizeof(*pp_sci[ 0 ]) * 22) )
{
*pp_sci = malloc( i_size * 2 );
if( *pp_sci != NULL )
{
if( ReadFile( i_file, *pp_sci, i_size, &i_read, NULL ) &&
i_read == i_size )
{
*p_sci_size = i_size;
i_ret = 0;
} }
else else
{ {
free( (void *)p_drms->p_tmp ); free( (void *)*pp_sci );
free( (void *)p_drms ); *pp_sci = NULL;
p_drms = NULL;
} }
} }
return( (void *)p_drms );
}
void drms_free( void *p_drms )
{
if( P_DRMS->p_name != NULL )
{
free( (void *)P_DRMS->p_name );
} }
if( P_DRMS->p_iviv != NULL ) CloseHandle( i_file );
{
free( (void *)P_DRMS->p_iviv );
} }
if( P_DRMS->psz_homedir != NULL )
{
free( (void *)P_DRMS->psz_homedir );
} }
if( P_DRMS->p_tmp != NULL ) if( shfolder_dll != NULL )
{ {
free( (void *)P_DRMS->p_tmp ); FreeLibrary( shfolder_dll );
} }
#endif
free( p_drms ); return i_ret;
} }
void drms_decrypt( void *p_drms, uint32_t *p_buffer, uint32_t i_len ) /*****************************************************************************
* HashSystemInfo: add system information to an MD5 hash
*****************************************************************************
* This function adds the C: hard drive serial number, BIOS version, CPU type
* and Windows version to an MD5 hash.
*****************************************************************************/
static int HashSystemInfo( struct md5_s *p_md5 )
{ {
uint32_t i, x, y; int i_ret = 0;
uint32_t *p_cur_key = P_DRMS->p_key;
x = (i_len / sizeof(P_DRMS->p_key)) * sizeof(P_DRMS->p_key); #ifdef WIN32
HKEY i_key;
uint32_t i;
DWORD i_size;
DWORD i_serial;
LPBYTE p_reg_buf;
if( P_DRMS->i_tmp_len < x ) static LPCTSTR p_reg_keys[ 3 ][ 2 ] =
{ {
free( (void *)P_DRMS->p_tmp );
P_DRMS->i_tmp_len = x;
P_DRMS->p_tmp = malloc( P_DRMS->i_tmp_len );
}
if( P_DRMS->p_tmp != NULL )
{ {
memcpy( P_DRMS->p_tmp, p_buffer, x ); _T("HARDWARE\\DESCRIPTION\\System"),
_T("SystemBiosVersion")
},
for( i = 0, x /= sizeof(P_DRMS->p_key); i < x; i++ )
{ {
y = i * sizeof(*p_buffer); _T("HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"),
_T("ProcessorNameString")
ctx_xor( P_DRMS->p_ctx, P_DRMS->p_tmp + y, p_buffer + y, },
p_drms_tab3, p_drms_tab4 );
block_xor( p_buffer + y, p_cur_key, p_buffer + y );
p_cur_key = P_DRMS->p_tmp + y;
}
}
}
int drms_init( void *p_drms, uint32_t i_type,
uint8_t *p_info, uint32_t i_len )
{
int i_ret = 0;
switch( i_type )
{
case FOURCC_user:
{
if( i_len < sizeof(P_DRMS->i_user) )
{ {
i_ret = -1; _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion"),
break; _T("ProductId")
}
P_DRMS->i_user = U32_AT( p_info );
} }
break; };
case FOURCC_key: AddMD5( p_md5, "cache-control", 13 );
{ AddMD5( p_md5, "Ethernet", 8 );
if( i_len < sizeof(P_DRMS->i_key) )
{
i_ret = -1;
break;
}
P_DRMS->i_key = U32_AT( p_info ); GetVolumeInformation( _T("C:\\"), NULL, 0, &i_serial,
} NULL, NULL, NULL, 0 );
break; AddMD5( p_md5, (uint8_t *)&i_serial, 4 );
case FOURCC_iviv: for( i = 0; i < sizeof(p_reg_keys)/sizeof(p_reg_keys[ 0 ]); i++ )
{ {
if( i_len < sizeof(P_DRMS->p_key) ) if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, p_reg_keys[ i ][ 0 ],
0, KEY_READ, &i_key ) != ERROR_SUCCESS )
{ {
i_ret = -1; continue;
break;
} }
P_DRMS->p_iviv = malloc( sizeof(P_DRMS->p_key) ); if( RegQueryValueEx( i_key, p_reg_keys[ i ][ 1 ],
if( P_DRMS->p_iviv == NULL ) NULL, NULL, NULL, &i_size ) != ERROR_SUCCESS )
{ {
i_ret = -1; RegCloseKey( i_key );
break; continue;
} }
memcpy( P_DRMS->p_iviv, p_info, sizeof(P_DRMS->p_key) ); p_reg_buf = malloc( i_size );
}
break;
case FOURCC_name: if( p_reg_buf != NULL )
{ {
P_DRMS->i_name_len = strlen( p_info ); if( RegQueryValueEx( i_key, p_reg_keys[ i ][ 1 ],
NULL, NULL, p_reg_buf,
P_DRMS->p_name = malloc( P_DRMS->i_name_len ); &i_size ) == ERROR_SUCCESS )
if( P_DRMS->p_name == NULL )
{ {
i_ret = -1; AddMD5( p_md5, (uint8_t *)p_reg_buf, i_size );
break;
} }
memcpy( P_DRMS->p_name, p_info, P_DRMS->i_name_len ); free( p_reg_buf );
} }
break;
case FOURCC_priv:
{
uint32_t i;
uint32_t p_priv[ 64 ];
uint32_t p_tmp[ 128 ];
if( i_len < 64 ) RegCloseKey( i_key );
{
i_ret = -1;
break;
} }
TAOS_INIT( p_tmp, 0 ); #else
taos_add3( p_tmp, P_DRMS->p_name, P_DRMS->i_name_len );
taos_add3( p_tmp, P_DRMS->p_iviv, sizeof(P_DRMS->p_key) );
memcpy( p_priv, &p_tmp[ 4 ], sizeof(p_priv[ 0 ]) * 2 );
i = (p_tmp[ 4 ] / 8) & 63;
i = i >= 56 ? 120 - i : 56 - i;
taos_add3( p_tmp, p_drms_tab_tend, i );
taos_add3( p_tmp, (uint8_t *)p_priv, sizeof(p_priv[ 0 ]) * 2 );
if( get_user_key( p_drms, P_DRMS->p_key ) )
{
i_ret = -1; i_ret = -1;
break; #endif
}
init_ctx( P_DRMS->p_ctx, P_DRMS->p_key );
memcpy( p_priv, p_info, 64 );
memcpy( P_DRMS->p_key, p_tmp, sizeof(P_DRMS->p_key) );
drms_decrypt( p_drms, p_priv, sizeof(p_priv) );
init_ctx( P_DRMS->p_ctx, &p_priv[ 6 ] );
memcpy( P_DRMS->p_key, &p_priv[ 12 ], sizeof(P_DRMS->p_key) );
free( (void *)P_DRMS->psz_homedir );
P_DRMS->psz_homedir = NULL;
free( (void *)P_DRMS->p_name );
P_DRMS->p_name = NULL;
free( (void *)P_DRMS->p_iviv );
P_DRMS->p_iviv = NULL;
}
break;
}
return( i_ret ); return i_ret;
} }
#undef P_DRMS
/***************************************************************************** /*****************************************************************************
* drmstables.h : DRMS tables * drmstables.h : AES/Rijndael block cipher and miscellaneous tables
***************************************************************************** *****************************************************************************
* Copyright (C) 2004 VideoLAN * Copyright (C) 2004 VideoLAN
* $Id: drmstables.h,v 1.1 2004/01/05 12:37:52 jlj Exp $ * $Id: drmstables.h,v 1.2 2004/01/16 18:26:57 sam Exp $
* *
* Author: Jon Lech Johansen <jon-vl@nanocrew.net> * Author: Jon Lech Johansen <jon-vl@nanocrew.net>
* *
...@@ -21,13 +21,23 @@ ...@@ -21,13 +21,23 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA. * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
*****************************************************************************/ *****************************************************************************/
static uint32_t p_drms_tab1[ 10 ] = #define AES_ROR( x, n ) (((x) << (32-(n))) | ((x) >> (n)))
#define AES_XOR_ROR( p_table, p_tmp ) \
( p_table[ (p_tmp[ t > 2 ? t - 3 : t + 1 ] >> 24) & 0xFF ] \
^ AES_ROR( p_table[ (p_tmp[ t > 1 ? t - 2 : t + 2 ] >> 16) & 0xFF ], 8 ) \
^ AES_ROR( p_table[ (p_tmp[ t > 0 ? t - 1 : t + 3 ] >> 8) & 0xFF ], 16 ) \
^ AES_ROR( p_table[ p_tmp[ t ] & 0xFF ], 24 ) )
#define AES_KEY_COUNT 10
static uint32_t p_aes_table[ AES_KEY_COUNT ] =
{ {
0x00000001, 0x00000002, 0x00000004, 0x00000008, 0x00000010, 0x00000020, 0x00000001, 0x00000002, 0x00000004, 0x00000008, 0x00000010, 0x00000020,
0x00000040, 0x00000080, 0x0000001B, 0x00000036 0x00000040, 0x00000080, 0x0000001B, 0x00000036
}; };
static uint32_t p_drms_tab2[ 256 ] = static uint32_t p_aes_encrypt[ 256 ] =
{ {
0x63000000, 0x7C000000, 0x77000000, 0x7B000000, 0xF2000000, 0x6B000000, 0x63000000, 0x7C000000, 0x77000000, 0x7B000000, 0xF2000000, 0x6B000000,
0x6F000000, 0xC5000000, 0x30000000, 0x01000000, 0x67000000, 0x2B000000, 0x6F000000, 0xC5000000, 0x30000000, 0x01000000, 0x67000000, 0x2B000000,
...@@ -74,7 +84,7 @@ static uint32_t p_drms_tab2[ 256 ] = ...@@ -74,7 +84,7 @@ static uint32_t p_drms_tab2[ 256 ] =
0xB0000000, 0x54000000, 0xBB000000, 0x16000000 0xB0000000, 0x54000000, 0xBB000000, 0x16000000
}; };
static uint32_t p_drms_tab3[ 256 ] = static uint32_t p_aes_itable[ 256 ] =
{ {
0x5150A7F4, 0x7E536541, 0x1AC3A417, 0x3A965E27, 0x3BCB6BAB, 0x1FF1459D, 0x5150A7F4, 0x7E536541, 0x1AC3A417, 0x3A965E27, 0x3BCB6BAB, 0x1FF1459D,
0xACAB58FA, 0x4B9303E3, 0x2055FA30, 0xADF66D76, 0x889176CC, 0xF5254C02, 0xACAB58FA, 0x4B9303E3, 0x2055FA30, 0xADF66D76, 0x889176CC, 0xF5254C02,
...@@ -121,7 +131,7 @@ static uint32_t p_drms_tab3[ 256 ] = ...@@ -121,7 +131,7 @@ static uint32_t p_drms_tab3[ 256 ] =
0x7B6184CB, 0xD570B632, 0x48745C6C, 0xD04257B8 0x7B6184CB, 0xD570B632, 0x48745C6C, 0xD04257B8
}; };
static uint32_t p_drms_tab4[ 256 ] = static uint32_t p_aes_decrypt[ 256 ] =
{ {
0x52000000, 0x09000000, 0x6A000000, 0xD5000000, 0x30000000, 0x36000000, 0x52000000, 0x09000000, 0x6A000000, 0xD5000000, 0x30000000, 0x36000000,
0xA5000000, 0x38000000, 0xBF000000, 0x40000000, 0xA3000000, 0x9E000000, 0xA5000000, 0x38000000, 0xBF000000, 0x40000000, 0xA3000000, 0x9E000000,
...@@ -168,36 +178,7 @@ static uint32_t p_drms_tab4[ 256 ] = ...@@ -168,36 +178,7 @@ static uint32_t p_drms_tab4[ 256 ] =
0x55000000, 0x21000000, 0x0C000000, 0x7D000000 0x55000000, 0x21000000, 0x0C000000, 0x7D000000
}; };
static int32_t p_drms_tab_taos[ 64 ] = static uint16_t p_shuffle_xor[ 16 ][ 16 ] =
{
-0x28955B88, -0x173848AA, +0x242070DB, -0x3E423112, -0x0A83F051,
+0x4787C62A, -0x57CFB9ED, -0x02B96AFF, +0x698098D8, -0x74BB0851,
-0x0000A44F, -0x76A32842, +0x6B901122, -0x02678E6D, -0x5986BC72,
+0x49B40821, -0x09E1DA9E, -0x3FBF4CC0, +0x265E5A51, -0x16493856,
-0x29D0EFA3, +0x02441453, -0x275E197F, -0x182C0438, +0x21E1CDE6,
-0x3CC8F82A, -0x0B2AF279, +0x455A14ED, -0x561C16FB, -0x03105C08,
+0x676F02D9, -0x72D5B376, -0x0005C6BE, -0x788E097F, +0x6D9D6122,
-0x021AC7F4, -0x5B4115BC, +0x4BDECFA9, -0x0944B4A0, -0x41404390,
+0x289B7EC6, -0x155ED806, -0x2B10CF7B, +0x04881D05, -0x262B2FC7,
-0x1924661B, +0x1FA27CF8, -0x3B53A99B, -0x0BD6DDBC, +0x432AFF97,
-0x546BDC59, -0x036C5FC7, +0x655B59C3, -0x70F3336E, -0x00100B83,
-0x7A7BA22F, +0x6FA87E4F, -0x01D31920, -0x5CFEBCEC, +0x4E0811A1,
-0x08AC817E, -0x42C50DCB, +0x2AD7D2BB, -0x14792C6F
};
static uint8_t p_drms_tab_tend[ 64 ] =
{
0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
static uint16_t p_drms_tab_xor[ 16 ][ 16 ] =
{ {
{ {
0x00D1, 0x0315, 0x1A32, 0x19EC, 0x1BBB, 0x1D6F, 0x14FE, 0x0E9E, 0x00D1, 0x0315, 0x1A32, 0x19EC, 0x1BBB, 0x1D6F, 0x14FE, 0x0E9E,
...@@ -280,7 +261,7 @@ static uint16_t p_drms_tab_xor[ 16 ][ 16 ] = ...@@ -280,7 +261,7 @@ static uint16_t p_drms_tab_xor[ 16 ][ 16 ] =
} }
}; };
static uint16_t p_drms_tab_sub[ 16 ][ 16 ] = static uint16_t p_shuffle_sub[ 16 ][ 16 ] =
{ {
{ {
0x067A, 0x0C7D, 0x0B4F, 0x127D, 0x0BD6, 0x04AC, 0x16E0, 0x1730, 0x067A, 0x0C7D, 0x0B4F, 0x127D, 0x0BD6, 0x04AC, 0x16E0, 0x1730,
...@@ -363,7 +344,7 @@ static uint16_t p_drms_tab_sub[ 16 ][ 16 ] = ...@@ -363,7 +344,7 @@ static uint16_t p_drms_tab_sub[ 16 ][ 16 ] =
} }
}; };
static uint16_t p_drms_tab_add[ 16 ][ 16 ] = static uint16_t p_shuffle_add[ 16 ][ 16 ] =
{ {
{ {
0x0706, 0x175A, 0x0DEF, 0x1E72, 0x0297, 0x1B0E, 0x1D5A, 0x15B8, 0x0706, 0x175A, 0x0DEF, 0x1E72, 0x0297, 0x1B0E, 0x1D5A, 0x15B8,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment