/***************************************************************************** * drms.c : DRMS ***************************************************************************** * Copyright (C) 2004 VideoLAN * $Id: drms.c,v 1.4 2004/01/09 17:29:17 jlj Exp $ * * Authors: Jon Lech Johansen * Sam Hocevar * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA. *****************************************************************************/ #include /* malloc(), free() */ #ifdef WIN32 # include #else # include #endif #include #ifdef HAVE_ERRNO_H # include #endif #ifdef WIN32 # include # include # include #endif #include "drms.h" #include "drmstables.h" #include "libmp4.h" /***************************************************************************** * md5_s: MD5 message structure ***************************************************************************** * This structure stores the static information needed to compute an MD5 * hash. It has an extra data buffer to allow non-aligned writes. 
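 *****************************************************************************/
struct md5_s
{
    uint64_t i_bits;        /* Message length so far, in bits (see Add*MD5) */
    uint32_t p_digest[4];   /* The MD5 digest */
    uint32_t p_data[16];    /* Buffer to cache non-aligned writes */
};

/*****************************************************************************
 * Local prototypes
 *****************************************************************************/
static void InitAES       ( uint32_t *, uint32_t * );
static void DecryptAES    ( const uint32_t *, uint32_t *, const uint32_t * );

/* TODO: unification of Add*MD5? of End*MD5? */
static void InitMD5       ( struct md5_s * );
static void DigestMD5     ( struct md5_s *, const uint32_t * );
static void Add1MD5       ( struct md5_s *, const uint8_t *, uint32_t );
static void End1MD5       ( struct md5_s *, uint32_t * );
static void Add2MD5       ( struct md5_s *, uint8_t *, uint32_t );
static void Add2eMD5      ( struct md5_s *, uint32_t *, uint32_t );
static void End2MD5       ( struct md5_s * );
static void Add3MD5       ( struct md5_s *, uint8_t *, uint32_t );

static int HashSystemInfo ( struct md5_s * );
static int GetSystemKey   ( uint32_t * );

/* Rotate the 32-bit value x right by n bits; n must be in 1..31. */
#define AES_ROR( x, n ) (((x) << (32-(n))) | ((x) >> (n)))

/*****************************************************************************
 * InitAES: Initialize AES/Rijndael encryption/decryption tables
 *****************************************************************************
 * p_aes receives the key schedule derived from the four words at p_key.
 * Words 0..3 hold the key itself, the first loop fills four words per
 * p_drms_tab1 entry starting at index 4, and the second loop writes the
 * transformed copy used by DecryptAES starting at index 64 + 4. The caller
 * must supply a buffer large enough for both regions (this file always
 * passes uint32_t[128]).
 *****************************************************************************/
static void InitAES( uint32_t *p_aes, uint32_t *p_key )
{
    uint32_t i, i_key, i_tmp;

    memset( p_aes + 4, 0, 4 * sizeof(uint32_t) );
    memcpy( p_aes + 0, p_key, 4 * sizeof(uint32_t) );
    i_tmp = p_aes[ 3 ];

    /* Each iteration derives the next four schedule words from the previous
     * four and one p_drms_tab1 constant. */
    for( i_key = 0;
         i_key < sizeof(p_drms_tab1) / sizeof(uint32_t) /* 10 */;
         i_key++ )
    {
        uint32_t j;

        i_tmp = AES_ROR( i_tmp, 8 );

        j = p_drms_tab1[ i_key ];

        j ^= p_aes_encrypt[ (i_tmp >> 24) & 0xFF ]
              ^ AES_ROR( p_aes_encrypt[ (i_tmp >> 16) & 0xFF ], 8 )
              ^ AES_ROR( p_aes_encrypt[ (i_tmp >> 8) & 0xFF ], 16 )
              ^ AES_ROR( p_aes_encrypt[ i_tmp & 0xFF ], 24 );

        j ^= p_aes[ ((i_key + 1) * 4) - 4 ];
        p_aes[ ((i_key + 1) * 4) + 0 ] = j;
        j ^= p_aes[ ((i_key + 1) * 4) - 3 ];
        p_aes[ ((i_key + 1) * 4) + 1 ] = j;
        j ^= p_aes[ ((i_key + 1) * 4) - 2 ];
        p_aes[ ((i_key + 1) * 4) + 2 ] = j;
        j ^= p_aes[ ((i_key + 1) * 4) - 1 ];
        p_aes[ ((i_key + 1) * 4) + 3 ] = j;

        i_tmp = j;
    }

    memcpy( p_aes + 64, p_aes, sizeof(uint32_t) * 4 );

    /* NOTE(review): this bound is sizeof(p_drms_tab1) in BYTES minus 4, not an
     * element count. With the 10-entry table the comment above implies, that
     * is 36 words, i.e. p_aes[68..103] - confirm against drmstables.h. */
    for( i = 0; i < sizeof(p_drms_tab1) - 4; i++ )
    {
        uint32_t j, k, l, m, n;

        j = p_aes[ 4 + i ];

        /* k, l, m: j doubled once, twice and three times, byte-wise */
        k = (((j >> 7) & 0x01010101) * 27) ^ ((j & 0xFF7F7F7F) << 1);
        l = (((k >> 7) & 0x01010101) * 27) ^ ((k & 0xFF7F7F7F) << 1);
        m = (((l >> 7) & 0x01010101) * 27) ^ ((l & 0xFF7F7F7F) << 1);

        j ^= m;

        n = AES_ROR( l ^ j, 16 ) ^ AES_ROR( k ^ j, 8 ) ^ AES_ROR( j, 24 );

        p_aes[ 64 + 4 + i ] = k ^ l ^ m ^ n;
    }
}

/*****************************************************************************
 * DecryptAES: decrypt an AES/Rijndael message
 *****************************************************************************
 * Decrypts the four words at p_src into p_dest using the schedule built by
 * InitAES. p_dest and p_src may be the same buffer: the input is copied into
 * a local working block before anything is written.
 *****************************************************************************/
static void DecryptAES( const uint32_t *p_aes,
                        uint32_t *p_dest, const uint32_t *p_src )
{
    uint32_t p_wtxt[ 4 ]; /* Working cyphertext */
    uint32_t p_tmp[ 4 ];
    uint32_t round, t;

    /* FIXME: are there any endianness issues here? */
    p_wtxt[ 0 ] = p_src[ 0 ] ^ p_aes[ 40 + 0 ];
    p_wtxt[ 1 ] = p_src[ 1 ] ^ p_aes[ 40 + 1 ];
    p_wtxt[ 2 ] = p_src[ 2 ] ^ p_aes[ 40 + 2 ];
    p_wtxt[ 3 ] = p_src[ 3 ] ^ p_aes[ 40 + 3 ];

    /* One output word: four table lookups on bytes taken from rotating
     * positions of the working block. Relies on the local variable t. */
#define AES_XOR_ROR( p_table, p_tmp ) \
    ( p_table[ (p_tmp[ t > 2 ? t - 3 : t + 1 ] >> 24) & 0xFF ] \
      ^ AES_ROR( p_table[ (p_tmp[ t > 1 ? t - 2 : t + 2 ] >> 16) & 0xFF ], 8 ) \
      ^ AES_ROR( p_table[ (p_tmp[ t > 0 ? t - 1 : t + 3 ] >> 8) & 0xFF ], 16 ) \
      ^ AES_ROR( p_table[ p_tmp[ t ] & 0xFF ], 24 ) )

    /* Rounds 0 - 8 */
    for( round = 0; round < 9; round++ )
    {
        for( t = 0; t < 4; t++ )
        {
            p_tmp[ t ] = AES_XOR_ROR( p_aes_itable, p_wtxt );
        }

        for( t = 0; t < 4; t++ )
        {
            p_wtxt[ t ] = p_tmp[ t ] ^ p_aes[ 100 - 4 * round + t ];
        }
    }

    /* Final round (9): round == 9 here, so the key words are p_aes[64..67] */
    for( t = 0; t < 4; t++ )
    {
        p_dest[ t ] = AES_XOR_ROR( p_aes_decrypt, p_wtxt );
        p_dest[ t ] ^= p_aes[ 100 - 4 * round + t ];
    }

#undef AES_XOR_ROR
}

/*****************************************************************************
 * InitMD5: Initialize an MD5 message
 *****************************************************************************
 * The MD5 message-digest algorithm is described in RFC 1321
 * (http://www.faqs.org/rfcs/rfc1321.html)
 *****************************************************************************/
static void InitMD5( struct md5_s *p_md5 )
{
    p_md5->p_digest[ 0 ] = 0x67452301;
    p_md5->p_digest[ 1 ] = 0xEFCDAB89;
    p_md5->p_digest[ 2 ] = 0x98BADCFE;
    p_md5->p_digest[ 3 ] = 0x10325476;

    memset( p_md5->p_data, 0, 16 * sizeof(uint32_t) );
    p_md5->i_bits = 0;
}

#define F1( x, y, z ) ((z) ^ ((x) & ((y) ^ (z))))
#define F2( x, y, z ) F1((z), (x), (y))
#define F3( x, y, z ) ((x) ^ (y) ^ (z))
#define F4( x, y, z ) ((y) ^ ((x) | ~(z)))

/* One MD5 step: add f(x,y,z) and the data word, rotate w left by s bits,
 * then add x. The rotate had lost its shift operators in this copy of the
 * file ("w<>(32-s)"); it is restored here as the RFC 1321 left rotation. */
#define MD5_DO( f, w, x, y, z, data, s ) \
    ( w += f(x, y, z) + data, \
      w = (w << (s)) | (w >> (32 - (s))), \
      w += x )

/*****************************************************************************
 * DigestMD5: update the MD5 digest with 64 bytes of data
 *****************************************************************************
 * p_input is read as sixteen host-order 32-bit words.
 * NOTE(review): RFC 1321 defines these words as little-endian, so on a
 * big-endian host the result presumably differs - confirm before relying on
 * this outside little-endian targets.
 *****************************************************************************/
static void DigestMD5( struct md5_s *p_md5, const uint32_t *p_input )
{
    uint32_t a, b, c, d;

    a = p_md5->p_digest[ 0 ];
    b = p_md5->p_digest[ 1 ];
    c = p_md5->p_digest[ 2 ];
    d = p_md5->p_digest[ 3 ];

    MD5_DO( F1, a, b, c, d, p_input[  0 ] + 0xd76aa478,  7 );
    MD5_DO( F1, d, a, b, c, p_input[  1 ] + 0xe8c7b756, 12 );
    MD5_DO( F1, c, d, a, b, p_input[  2 ] + 0x242070db, 17 );
    MD5_DO( F1, b, c, d, a, p_input[  3 ] + 0xc1bdceee, 22 );
    MD5_DO( F1, a, b, c, d, p_input[  4 ] + 0xf57c0faf,  7 );
    MD5_DO( F1, d, a, b, c, p_input[  5 ] + 0x4787c62a, 12 );
    MD5_DO( F1, c, d, a, b, p_input[  6 ] + 0xa8304613, 17 );
    MD5_DO( F1, b, c, d, a, p_input[  7 ] + 0xfd469501, 22 );
    MD5_DO( F1, a, b, c, d, p_input[  8 ] + 0x698098d8,  7 );
    MD5_DO( F1, d, a, b, c, p_input[  9 ] + 0x8b44f7af, 12 );
    MD5_DO( F1, c, d, a, b, p_input[ 10 ] + 0xffff5bb1, 17 );
    MD5_DO( F1, b, c, d, a, p_input[ 11 ] + 0x895cd7be, 22 );
    MD5_DO( F1, a, b, c, d, p_input[ 12 ] + 0x6b901122,  7 );
    MD5_DO( F1, d, a, b, c, p_input[ 13 ] + 0xfd987193, 12 );
    MD5_DO( F1, c, d, a, b, p_input[ 14 ] + 0xa679438e, 17 );
    MD5_DO( F1, b, c, d, a, p_input[ 15 ] + 0x49b40821, 22 );

    MD5_DO( F2, a, b, c, d, p_input[  1 ] + 0xf61e2562,  5 );
    MD5_DO( F2, d, a, b, c, p_input[  6 ] + 0xc040b340,  9 );
    MD5_DO( F2, c, d, a, b, p_input[ 11 ] + 0x265e5a51, 14 );
    MD5_DO( F2, b, c, d, a, p_input[  0 ] + 0xe9b6c7aa, 20 );
    MD5_DO( F2, a, b, c, d, p_input[  5 ] + 0xd62f105d,  5 );
    MD5_DO( F2, d, a, b, c, p_input[ 10 ] + 0x02441453,  9 );
    MD5_DO( F2, c, d, a, b, p_input[ 15 ] + 0xd8a1e681, 14 );
    MD5_DO( F2, b, c, d, a, p_input[  4 ] + 0xe7d3fbc8, 20 );
    MD5_DO( F2, a, b, c, d, p_input[  9 ] + 0x21e1cde6,  5 );
    MD5_DO( F2, d, a, b, c, p_input[ 14 ] + 0xc33707d6,  9 );
    MD5_DO( F2, c, d, a, b, p_input[  3 ] + 0xf4d50d87, 14 );
    MD5_DO( F2, b, c, d, a, p_input[  8 ] + 0x455a14ed, 20 );
    MD5_DO( F2, a, b, c, d, p_input[ 13 ] + 0xa9e3e905,  5 );
    MD5_DO( F2, d, a, b, c, p_input[  2 ] + 0xfcefa3f8,  9 );
    MD5_DO( F2, c, d, a, b, p_input[  7 ] + 0x676f02d9, 14 );
    MD5_DO( F2, b, c, d, a, p_input[ 12 ] + 0x8d2a4c8a, 20 );

    MD5_DO( F3, a, b, c, d, p_input[  5 ] + 0xfffa3942,  4 );
    MD5_DO( F3, d, a, b, c, p_input[  8 ] + 0x8771f681, 11 );
    MD5_DO( F3, c, d, a, b, p_input[ 11 ] + 0x6d9d6122, 16 );
    MD5_DO( F3, b, c, d, a, p_input[ 14 ] + 0xfde5380c, 23 );
    MD5_DO( F3, a, b, c, d, p_input[  1 ] + 0xa4beea44,  4 );
    MD5_DO( F3, d, a, b, c, p_input[  4 ] + 0x4bdecfa9, 11 );
    MD5_DO( F3, c, d, a, b, p_input[  7 ] + 0xf6bb4b60, 16 );
    MD5_DO( F3, b, c, d, a, p_input[ 10 ] + 0xbebfbc70, 23 );
    MD5_DO( F3, a, b, c, d, p_input[ 13 ] + 0x289b7ec6,  4 );
    MD5_DO( F3, d, a, b, c, p_input[  0 ] + 0xeaa127fa, 11 );
    MD5_DO( F3, c, d, a, b, p_input[  3 ] + 0xd4ef3085, 16 );
    MD5_DO( F3, b, c, d, a, p_input[  6 ] + 0x04881d05, 23 );
    MD5_DO( F3, a, b, c, d, p_input[  9 ] + 0xd9d4d039,  4 );
    MD5_DO( F3, d, a, b, c, p_input[ 12 ] + 0xe6db99e5, 11 );
    MD5_DO( F3, c, d, a, b, p_input[ 15 ] + 0x1fa27cf8, 16 );
    MD5_DO( F3, b, c, d, a, p_input[  2 ] + 0xc4ac5665, 23 );

    MD5_DO( F4, a, b, c, d, p_input[  0 ] + 0xf4292244,  6 );
    MD5_DO( F4, d, a, b, c, p_input[  7 ] + 0x432aff97, 10 );
    MD5_DO( F4, c, d, a, b, p_input[ 14 ] + 0xab9423a7, 15 );
    MD5_DO( F4, b, c, d, a, p_input[  5 ] + 0xfc93a039, 21 );
    MD5_DO( F4, a, b, c, d, p_input[ 12 ] + 0x655b59c3,  6 );
    MD5_DO( F4, d, a, b, c, p_input[  3 ] + 0x8f0ccc92, 10 );
    MD5_DO( F4, c, d, a, b, p_input[ 10 ] + 0xffeff47d, 15 );
    MD5_DO( F4, b, c, d, a, p_input[  1 ] + 0x85845dd1, 21 );
    MD5_DO( F4, a, b, c, d, p_input[  8 ] + 0x6fa87e4f,  6 );
    MD5_DO( F4, d, a, b, c, p_input[ 15 ] + 0xfe2ce6e0, 10 );
    MD5_DO( F4, c, d, a, b, p_input[  6 ] + 0xa3014314, 15 );
    MD5_DO( F4, b, c, d, a, p_input[ 13 ] + 0x4e0811a1, 21 );
    MD5_DO( F4, a, b, c, d, p_input[  4 ] + 0xf7537e82,  6 );
    MD5_DO( F4, d, a, b, c, p_input[ 11 ] + 0xbd3af235, 10 );
    MD5_DO( F4, c, d, a, b, p_input[  2 ] + 0x2ad7d2bb, 15 );
    MD5_DO( F4, b, c, d, a, p_input[  9 ] + 0xeb86d391, 21 );

    p_md5->p_digest[ 0 ] += a;
    p_md5->p_digest[ 1 ] += b;
    p_md5->p_digest[ 2 ] += c;
    p_md5->p_digest[ 3 ] += d;
}

/*****************************************************************************
 * AddMD5: add i_len bytes to an MD5 message
 *****************************************************************************
 * This was a statement-for-statement copy of Add1MD5; it now forwards to it
 * so the two cannot drift apart.
 *****************************************************************************/
static void AddMD5( struct md5_s *p_md5, const uint8_t *p_src, uint32_t i_len )
{
    Add1MD5( p_md5, p_src, i_len );
}

/*****************************************************************************
 * Add1MD5: add i_len bytes to an MD5 message
 *****************************************************************************
 * Buffers partial blocks in p_md5->p_data and digests every complete 64-byte
 * block. p_src needs no particular alignment.
 *****************************************************************************/
static void Add1MD5( struct md5_s *p_md5, const uint8_t *p_src, uint32_t i_len )
{
    /* Current bytes in buffer, bytes needed to complete a block */
    uint32_t i_current, i_needed;
    uint32_t i_offset = 0;

    i_current = (p_md5->i_bits / 8) & 63;
    i_needed = 64 - i_current;

    /* Widen before multiplying: 8 * i_len in 32 bits wraps for inputs of
     * 512 MiB or more and would corrupt the recorded length. */
    p_md5->i_bits += (uint64_t)i_len * 8;

    /* If we do not have enough bytes, copy them in our buffer and return */
    if( i_len < i_needed )
    {
        memcpy( ((uint8_t *)p_md5->p_data) + i_current, p_src, i_len );
        return;
    }

    /* If our spare buffer is not completely filled, fill it */
    if( i_current )
    {
        memcpy( ((uint8_t *)p_md5->p_data) + i_current, p_src, i_needed );
        DigestMD5( p_md5, p_md5->p_data );

        i_offset += i_needed;
        i_len -= i_needed;
    }

    /* Add entire 64 byte blocks to the MD5 message */
    while( i_len >= 64 )
    {
        /* Copy to an aligned temporary; p_src may be unaligned */
        uint32_t p_tmp[ 16 ];
        memcpy( p_tmp, p_src + i_offset, 16 * sizeof(uint32_t) );
        DigestMD5( p_md5, p_tmp );
        i_offset += 64;
        i_len -= 64;
    }

    /* If we have data left, copy it in our spare buffer */
    if( i_len )
    {
        memcpy( p_md5->p_data, p_src + i_offset, i_len );
    }
}

/*****************************************************************************
 * End1MD5: finish an MD5 message
 *****************************************************************************
 * Appends the 0x80 marker, zero padding and the 64-bit bit count, digests
 * the final block(s) and copies the four digest words to p_dest.
 *****************************************************************************/
static void End1MD5( struct md5_s *p_md5, uint32_t *p_dest )
{
    uint32_t i_current, i_needed;

    i_current = (p_md5->i_bits / 8) & 63;
    i_needed = 64 - i_current;

    /* Append 0x80 to our buffer. No boundary check because the temporary
     * buffer cannot be full, otherwise Add1MD5 would have emptied it. */
    ((uint8_t *)p_md5->p_data)[ i_current++ ] = 128;
    i_needed--;

    /* If less than 8 bytes are available at the end of the block, complete
     * this 64 bytes block with zeros and add it to the message. We'll add
     * our length at the end of the next block. */
    if( i_needed < 8 )
    {
        memset( ((uint8_t *)p_md5->p_data) + i_current, 0, i_needed );
        DigestMD5( p_md5, p_md5->p_data );
        i_needed = 64;
        i_current = 0;
    }

    /* Fill the unused space in our last block with zeroes and put the
     * message length at the end. */
    memset( ((uint8_t *)p_md5->p_data) + i_current, 0, i_needed );
    p_md5->p_data[ 14 ] = p_md5->i_bits & 0xffffffff;
    p_md5->p_data[ 15 ] = (p_md5->i_bits >> 32);
    DigestMD5( p_md5, p_md5->p_data );

    /* Write our digest to p_dest */
    memcpy( p_dest, p_md5->p_digest, sizeof(uint32_t) * 4 );
}

/*****************************************************************************
 * Add2MD5: add i_len bytes to an MD5 message
 *****************************************************************************
 * Byte-at-a-time variant: bytes go into p_md5->p_data and the block is
 * digested each time the buffer reaches 64 bytes.
 *****************************************************************************/
static void Add2MD5( struct md5_s *p_md5, uint8_t *p_src, uint32_t i_len )
{
    uint32_t i, x;

    x = (p_md5->i_bits / 8) & 63;
    p_md5->i_bits += (uint64_t)i_len * 8;   /* widened, see Add1MD5 */

    for( i = 0; i < i_len; i++ )
    {
        ((uint8_t *)p_md5->p_data)[ x++ ] = p_src[ i ];

        if( x == 64 )
        {
            uint32_t p_tmp[ 16 ];
            memcpy( p_tmp, p_md5->p_data, 16 * sizeof(uint32_t) );
            DigestMD5( p_md5, p_tmp );

            /* Restart at the beginning of the buffer. Without this reset
             * the next byte was stored at offset 64, past the end of
             * p_data, whenever input continued across a block boundary. */
            x = 0;
        }
    }
}

/*****************************************************************************
 * Add2eMD5: add i_len uint32_ts to an MD5 message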
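 *****************************************************************************
 * Converts the words at p_src with U32_AT and feeds the resulting bytes to
 * Add2MD5, at most 32 words at a time.
 *****************************************************************************/
static void Add2eMD5( struct md5_s *p_md5, uint32_t *p_src, uint32_t i_len )
{
    uint32_t i, i_chunk;
    /* XXX: it's 32, not 16! */
    uint32_t p_tmp[ 32 ];

    /* Convert big endian p_src to native-endian p_tmp, one chunk at a time.
     * The previous loop re-converted the same leading words on every pass
     * and then handed Add2MD5 i_len words from the 32-word p_tmp, which
     * read past the array for i_len > 32. Results are unchanged for the
     * lengths used in this file (1, 4 and 16). */
    while( i_len > 0 )
    {
        i_chunk = i_len > 32 ? 32 : i_len;

        for( i = 0; i < i_chunk; i++ )
        {
            p_tmp[ i ] = U32_AT(p_src + i);
        }

        Add2MD5( p_md5, (uint8_t *)p_tmp, i_chunk * sizeof(uint32_t) );

        p_src += i_chunk;
        i_len -= i_chunk;
    }
}

/*****************************************************************************
 * End2MD5: finish an MD5 message
 *****************************************************************************
 * Pads the buffered data up to 56 bytes with p_drms_tab_tend, appends the
 * bit count taken BEFORE the padding was added and digests that block. The
 * result is left in p_md5->p_digest.
 *
 * NOTE(review): every caller in this file gets here with fewer than 56
 * buffered bytes (0, 20 or 34). With more than 56 buffered, the unsigned
 * "56 - i_current" below wraps to a huge length - keep that precondition in
 * mind before adding a caller.
 *****************************************************************************/
static void End2MD5( struct md5_s *p_md5 )
{
    uint32_t i_current;
    uint32_t p_tmp[ 16 ];

    i_current = (p_md5->i_bits / 8) & 63;

    /* Length words are captured first: Add2MD5 below also advances i_bits */
    p_tmp[ 14 ] = p_md5->i_bits & 0xffffffff;
    p_tmp[ 15 ] = (p_md5->i_bits >> 32);

    Add2MD5( p_md5, p_drms_tab_tend, 56 - i_current );
    memcpy( p_tmp, p_md5->p_data, 56 );
    DigestMD5( p_md5, p_tmp );
}

/*****************************************************************************
 * Add3MD5: add i_len bytes to an MD5 message
 *****************************************************************************
 * Like Add1MD5, but always leaves the trailing bytes (possibly none) in the
 * buffer instead of returning early on short input.
 *****************************************************************************/
static void Add3MD5( struct md5_s *p_md5, uint8_t *p_key, uint32_t i_len )
{
    /* Current bytes in buffer, bytes needed to complete a block */
    uint32_t i_current, i_needed;
    uint32_t i_offset = 0;

    i_current = (p_md5->i_bits / 8) & 63;
    i_needed = 64 - i_current;

    /* Widen before multiplying so a large i_len cannot wrap in 32 bits */
    p_md5->i_bits += (uint64_t)i_len * 8;

    /* If we have enough data to fill a block, do it */
    if( i_len >= i_needed )
    {
        memcpy( ((uint8_t *)p_md5->p_data) + i_current, p_key, i_needed );
        DigestMD5( p_md5, p_md5->p_data );

        i_offset += i_needed;
        i_current = 0;

        /* Send all the 64 bytes blocks we can */
        while( i_offset + 64 <= i_len )
        {
            /* Go through an aligned temporary: p_key + i_offset has no
             * alignment guarantee, so casting it to uint32_t * and reading
             * words through it was not portable. */
            uint32_t p_tmp[ 16 ];
            memcpy( p_tmp, p_key + i_offset, sizeof(p_tmp) );
            DigestMD5( p_md5, p_tmp );

            i_offset += 64;
        }
    }

    /* Keep whatever is left for the next call */
    if( i_len > i_offset )
    {
        memcpy( ((uint8_t *)p_md5->p_data) + i_current,
                p_key + i_offset, i_len - i_offset );
    }
}

/*****************************************************************************
 *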
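 * HashSystemInfo: add system information to an MD5 hash
 *****************************************************************************
 * This function adds the C: hard drive serial number, BIOS version, CPU type
 * and Windows version to an MD5 hash.
 * Returns 0 on WIN32 builds and -1 everywhere else, where none of this
 * information is collected.
 *****************************************************************************/
static int HashSystemInfo( struct md5_s *p_md5 )
{
    int i_ret = 0;

#ifdef WIN32
    HKEY i_key;
    uint32_t i;
    DWORD i_size;
    /* Initialised so that a failed GetVolumeInformation() hashes a fixed
     * value instead of whatever happened to be on the stack. */
    DWORD i_serial = 0;
    LPBYTE p_reg_buf;

    static LPCTSTR p_reg_keys[ 3 ][ 2 ] =
    {
        {
            _T("HARDWARE\\DESCRIPTION\\System"),
            _T("SystemBiosVersion")
        },

        {
            _T("HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"),
            _T("ProcessorNameString")
        },

        {
            _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion"),
            _T("ProductId")
        }
    };

    Add1MD5( p_md5, (const uint8_t *)"cache-control", 13 );
    Add1MD5( p_md5, (const uint8_t *)"Ethernet", 8 );

    if( !GetVolumeInformation( _T("C:\\"), NULL, 0, &i_serial,
                               NULL, NULL, NULL, 0 ) )
    {
        i_serial = 0;
    }
    Add1MD5( p_md5, (uint8_t *)&i_serial, 4 );

    /* Registry values that cannot be opened or read are skipped, not
     * treated as an error. */
    for( i = 0; i < sizeof(p_reg_keys)/sizeof(p_reg_keys[ 0 ]); i++ )
    {
        if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, p_reg_keys[ i ][ 0 ],
                          0, KEY_READ, &i_key ) != ERROR_SUCCESS )
        {
            continue;
        }

        /* First query only asks for the size of the value */
        if( RegQueryValueEx( i_key, p_reg_keys[ i ][ 1 ],
                             NULL, NULL, NULL, &i_size ) == ERROR_SUCCESS )
        {
            p_reg_buf = malloc( i_size );

            if( p_reg_buf != NULL )
            {
                if( RegQueryValueEx( i_key, p_reg_keys[ i ][ 1 ],
                                     NULL, NULL, p_reg_buf,
                                     &i_size ) == ERROR_SUCCESS )
                {
                    Add1MD5( p_md5, (uint8_t *)p_reg_buf, i_size );
                }

                free( p_reg_buf );
            }
        }

        RegCloseKey( i_key );
    }

#else
    i_ret = -1;
#endif

    return i_ret;
}

/*****************************************************************************
 * get_sci_data: load the iTunes "SC Info.sidb" file into memory
 *****************************************************************************
 * On success returns 0, stores a malloc()ed buffer of twice the file size in
 * *pp_sci (the file contents occupy the first half) and the file size in
 * *p_sci_size; the caller frees the buffer. Returns -1 on any failure and on
 * non-WIN32 builds.
 *****************************************************************************/
static int get_sci_data( uint32_t **pp_sci, uint32_t *p_sci_size )
{
    int i_ret = -1;

#ifdef WIN32
    HANDLE i_file;
    DWORD i_size, i_read;
    TCHAR p_path[ PATH_MAX ];
    TCHAR *p_filename = _T("\\Apple Computer\\iTunes\\SC Info\\SC Info.sidb");

    typedef HRESULT (WINAPI *SHGETFOLDERPATH)( HWND, int, HANDLE, DWORD,
                                               LPTSTR );

    HINSTANCE shfolder_dll = NULL;
    SHGETFOLDERPATH dSHGetFolderPath = NULL;

    /* NOTE(review): the DLL is loaded by bare name, so it is resolved through
     * the normal DLL search order rather than from a fixed system path.
     * Consider loading it by full path on platforms that support it. */
    if( ( shfolder_dll = LoadLibrary( _T("SHFolder.dll") ) ) != NULL )
    {
        /* GetProcAddress() always takes a narrow string, so the export name
         * must not go through _T(): in a _UNICODE build that produced a
         * wide literal and the lookup could not succeed. */
        dSHGetFolderPath =
            (SHGETFOLDERPATH)GetProcAddress( shfolder_dll,
#ifdef _UNICODE
                                             "SHGetFolderPathW" );
#else
                                             "SHGetFolderPathA" );
#endif
    }

    /* Only go on if the whole file name fits. The former bounded _tcsncat()
     * silently truncated the name and then opened whatever shorter path
     * resulted. */
    if( dSHGetFolderPath != NULL &&
        SUCCEEDED( dSHGetFolderPath( NULL, CSIDL_COMMON_APPDATA,
                                     NULL, 0, p_path ) ) &&
        _tcslen( p_path ) + _tcslen( p_filename ) < PATH_MAX )
    {
        _tcscat( p_path, p_filename );

        i_file = CreateFile( p_path, GENERIC_READ, 0, NULL,
                             OPEN_EXISTING, 0, NULL );

        if( i_file != INVALID_HANDLE_VALUE )
        {
            i_size = GetFileSize( i_file, NULL );

            /* The upper bound keeps i_size * 2 from wrapping around, which
             * would have allocated a buffer smaller than the read below. */
            if( i_size != INVALID_FILE_SIZE &&
                i_size > (sizeof(*pp_sci[ 0 ]) * 22) &&
                i_size <= ((DWORD)-1) / 2 )
            {
                *pp_sci = malloc( i_size * 2 );

                if( *pp_sci != NULL )
                {
                    if( ReadFile( i_file, *pp_sci, i_size, &i_read, NULL ) &&
                        i_read == i_size )
                    {
                        *p_sci_size = i_size;
                        i_ret = 0;
                    }
                    else
                    {
                        free( (void *)*pp_sci );
                        *pp_sci = NULL;
                    }
                }
            }

            CloseHandle( i_file );
        }
    }

    if( shfolder_dll != NULL )
    {
        FreeLibrary( shfolder_dll );
    }
#endif

    return i_ret;
}

/*****************************************************************************
 * acei_taxs: apply one operation, encoded in i_val, to the state words
 *****************************************************************************
 * Bits 8-9 of i_val select the operation and the two low nibbles select the
 * word in p_acei[25..40] and the table column. Every index is masked to
 * 0..15, so accesses stay inside p_acei[25..40].
 *****************************************************************************/
static void acei_taxs( uint32_t *p_acei, uint32_t i_val )
{
    uint32_t i, x;

    i = (i_val / 16) & 15;
    x = (~(i_val & 15)) & 15;

    if( (i_val & 768) == 768 )
    {
        /* Both bits set: replace a word with the sum of two others */
        x = (~i) & 15;
        i = i_val & 15;

        p_acei[ 25 + i ] = p_acei[ 25 + ((16 - x) & 15) ]
                            + p_acei[ 25 + (15 - x) ];
    }
    else if( (i_val & 512) == 512 )
    {
        p_acei[ 25 + i ] ^= p_drms_tab_xor[ 15 - i ][ x ];
    }
    else if( (i_val & 256) == 256 )
    {
        p_acei[ 25 + i ] -= p_drms_tab_sub[ 15 - i ][ x ];
    }
    else
    {
        p_acei[ 25 + i ] += p_drms_tab_add[ 15 - i ][ x ];
    }
}

/*****************************************************************************
 * acei: update the state and XOR its digest into a buffer
 *****************************************************************************
 * Runs acei_taxs for every non-zero entry of p_acei[5..24], hashes
 * p_acei[25..40] with the Add2e/End2 MD5 variant and XORs the first
 * min(i_len, 16) digest bytes into p_buffer.
 *****************************************************************************/
static void acei( uint32_t *p_acei, uint8_t *p_buffer, uint32_t i_len )
{
    struct md5_s md5;
    uint32_t i, x;

    for( i = 5; i < 25; i++ )
    {
        if( p_acei[ i ] )
        {
            acei_taxs( p_acei, p_acei[ i ] );
        }
    }

    InitMD5( &md5 );
    Add2eMD5( &md5, p_acei + 25, 16 );
    End2MD5( &md5 );

    /* The digest is 16 bytes long; never XOR more than that */
    x = i_len < 16 ? i_len : 16;

    for( i = 0; i < x; i++ )
    {
        p_buffer[ i ] ^= ((uint8_t *)&md5.p_digest)[ i ];
    }
}

/*****************************************************************************
 * ttov_calc: derive the next value for the p_acei[5..24] table
 *****************************************************************************
 * Hashes p_acei[0..3] and the counter p_acei[4], increments the counter and
 * returns the first digest word reduced to the range 0..1023.
 *****************************************************************************/
static uint32_t ttov_calc( uint32_t *p_acei )
{
    struct md5_s md5;
    int32_t i_val;

    InitMD5( &md5 );
    Add2eMD5( &md5, p_acei + 0, 4 );
    Add2eMD5( &md5, p_acei + 4, 1 );
    End2MD5( &md5 );

    p_acei[ 4 ]++;

    /* Signed remainder lies in -1023..1023; return its absolute value */
    i_val = ((int32_t)U32_AT(md5.p_digest)) % 1024;

    return i_val < 0 ? i_val * -1 : i_val;
}

/*****************************************************************************
 * acei_init: initialize the 41-word state from the system key
 *****************************************************************************
 * Layout written here: [0..3] system key words, [4] counter, [5..24] values
 * from ttov_calc, [25..40] working words seeded from the key and constants.
 *****************************************************************************/
static void acei_init( uint32_t *p_acei, uint32_t *p_sys_key )
{
    uint32_t i;

    for( i = 0; i < 4; i++ )
    {
        p_acei[ i ] = U32_AT(p_sys_key + i);
    }

    p_acei[ 4 ] = 0x5476212A;

    for( i = 5; i < 25; i++ )
    {
        p_acei[ i ] = ttov_calc( p_acei );
    }

    p_acei[ 25 + 0 ] = p_acei[ 0 ];
    p_acei[ 25 + 1 ] = 0x68723876;
    p_acei[ 25 + 2 ] = 0x41617376;
    p_acei[ 25 + 3 ] = 0x4D4B4F76;

    p_acei[ 25 + 4 ] = p_acei[ 1 ];
    p_acei[ 25 + 5 ] = 0x48556646;
    p_acei[ 25 + 6 ] = 0x38393725;
    p_acei[ 25 + 7 ] = 0x2E3B5B3D;

    p_acei[ 25 + 8 ] = p_acei[ 2 ];
    p_acei[ 25 + 9 ] = 0x37363866;
    p_acei[ 25 + 10 ] = 0x30383637;
    p_acei[ 25 + 11 ] = 0x34333661;

    p_acei[ 25 + 12 ] = p_acei[ 3 ];
    p_acei[ 25 + 13 ] = 0x37386162;
    p_acei[ 25 + 14 ] = 0x494F6E66;
    p_acei[ 25 + 15 ] = 0x2A282966;
}

/* block_xor: p_dest = p_key XOR p_src over four words. p_dest may alias
 * p_src, since each word is read before it is written. */
static inline void block_xor( uint32_t *p_key, uint32_t *p_dest,
                              uint32_t *p_src )
{
    uint32_t i;

    for( i = 0; i < 4; i++ )
    {
        p_dest[ i ] = p_key[ i ] ^ p_src[ i ];
    }
}

/*****************************************************************************
 * GetSystemKey: get the system key
 *****************************************************************************
 * Compute the system key from various system information, see HashSystemInfo.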
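 *****************************************************************************
 * Writes four words to p_sys_key and returns 0, or returns -1 when
 * HashSystemInfo reports that no system information is available.
 *****************************************************************************/
static int GetSystemKey( uint32_t *p_sys_key )
{
    struct md5_s md5;
    uint32_t p_tmp_key[ 4 ];

    InitMD5( &md5 );
    if( HashSystemInfo( &md5 ) )
    {
        return -1;
    }
    End1MD5( &md5, p_tmp_key );

    /* Second pass: the first 6 bytes of the first digest, three times over,
     * between two fixed 8-byte strings. */
    InitMD5( &md5 );
    Add2MD5( &md5, (uint8_t *)"YuaFlafu", 8 );
    Add2MD5( &md5, (uint8_t *)p_tmp_key, 6 );
    Add2MD5( &md5, (uint8_t *)p_tmp_key, 6 );
    Add2MD5( &md5, (uint8_t *)p_tmp_key, 6 );
    Add2MD5( &md5, (uint8_t *)"zPif98ga", 8 );
    End2MD5( &md5 );

    memcpy( p_sys_key, md5.p_digest, sizeof(*p_sys_key) * 4 );

    return 0;
}

/* Per-stream state; handed to callers as an opaque void pointer */
struct drms_s
{
    uint32_t i_user;        /* from the FOURCC_user atom */
    uint32_t i_key;         /* from the FOURCC_key atom */
    uint8_t *p_iviv;        /* 16 bytes from the FOURCC_iviv atom */
    uint8_t *p_name;        /* bytes from the FOURCC_name atom */
    uint32_t i_name_len;    /* number of bytes at p_name */
    uint32_t *p_tmp;        /* scratch copy of the input in drms_decrypt */
    uint32_t i_tmp_len;     /* size of p_tmp in bytes */
    uint32_t p_key[ 4 ];    /* XOR block for the first block of a buffer */
    uint32_t p_aes[ 128 ];  /* key schedule built by InitAES */
    char *psz_homedir;      /* directory holding the key cache */
};

#define P_DRMS ((struct drms_s *)p_drms)

/*****************************************************************************
 * rw_user_key: read (i_rw != 0) or write (i_rw == 0) the cached user key
 *****************************************************************************
 * The cache file is <homedir>/<DRMS_DIRNAME>/<user, 8 hex digits>.<key, 3
 * digits> and holds the four key words in host byte order. Returns 0 on
 * success, -1 otherwise.
 *****************************************************************************/
static int rw_user_key( void *p_drms, uint32_t i_rw, uint32_t *p_user_key )
{
    FILE *file;
    int i_ret = -1;
    int i_n;
    char sz_path[ PATH_MAX ];
    const int i_max = (int)(sizeof(sz_path)/sizeof(sz_path[ 0 ])) - 1;

#define DRMS_PI_DIRNAME "drms"

#ifdef WIN32
#define DRMS_DIRNAME DRMS_PI_DIRNAME
#else
#define DRMS_DIRNAME "." DRMS_PI_DIRNAME
#endif

    /* drms_init() releases psz_homedir after a successful FOURCC_priv; a
     * second one must not pass NULL to "%s". */
    if( P_DRMS->psz_homedir == NULL )
    {
        return -1;
    }

    /* The last byte is never written by snprintf (size is i_max), so this
     * keeps the path terminated even with a non-terminating snprintf. */
    sz_path[ i_max ] = '\0';

    if( i_rw )
    {
        i_n = snprintf( sz_path, i_max,
                        "%s/" DRMS_DIRNAME "/%08X.%03d", P_DRMS->psz_homedir,
                        P_DRMS->i_user, P_DRMS->i_key );
        if( i_n < 0 || i_n >= i_max )
        {
            /* Truncated: do not open some other, shorter path */
            return -1;
        }

        /* Binary mode: the key is raw bytes, and text mode on Windows
         * translates line endings and stops at 0x1A. */
        file = fopen( sz_path, "rb" );
        if( file != NULL )
        {
            i_ret = fread( p_user_key, sizeof(*p_user_key),
                           4, file ) == 4 ? 0 : -1;
            fclose( file );
        }
    }
    else
    {
        i_n = snprintf( sz_path, i_max,
                        "%s/" DRMS_DIRNAME, P_DRMS->psz_homedir );
        if( i_n < 0 || i_n >= i_max )
        {
            return -1;
        }

        /* The directory holds key material, so a newly created one is
         * restricted to the owner (0700; this used to be 0755). A directory
         * that already exists keeps whatever mode it has. */
#if defined( HAVE_ERRNO_H )
#   if defined( WIN32 )
        if( !mkdir( sz_path ) || errno == EEXIST )
#   else
        if( !mkdir( sz_path, 0700 ) || errno == EEXIST )
#   endif
#else
        if( !mkdir( sz_path ) )
#endif
        {
            i_n = snprintf( sz_path, i_max,
                            "%s/" DRMS_DIRNAME "/%08X.%03d",
                            P_DRMS->psz_homedir,
                            P_DRMS->i_user, P_DRMS->i_key );
            if( i_n < 0 || i_n >= i_max )
            {
                return -1;
            }

            file = fopen( sz_path, "wb" );
            if( file != NULL )
            {
                i_ret = fwrite( p_user_key, sizeof(*p_user_key),
                                4, file ) == 4 ? 0 : -1;
                /* A failed flush on close means the key was not stored */
                if( fclose( file ) != 0 )
                {
                    i_ret = -1;
                }
            }
        }
    }

    return i_ret;
}

/*****************************************************************************
 * get_user_key: obtain the user key for the current user/key ids
 *****************************************************************************
 * Tries the cache file first. Otherwise loads the SC Info data, decodes it
 * with the system key and walks its records for one matching P_DRMS->i_user
 * and P_DRMS->i_key; a key found this way is written back to the cache.
 * Returns 0 with four words in p_user_key, or -1.
 *
 * The record walk treats the file contents as untrusted: all size accounting
 * is unsigned, so each step checks the remaining size BEFORE subtracting.
 * The former "subtract, then test <= 0" could never see a negative value and
 * let a short or malformed file push the walk past the buffer.
 *****************************************************************************/
static int get_user_key( void *p_drms, uint32_t *p_user_key )
{
    uint32_t i, y;
    uint32_t *p_tmp;
    uint32_t *p_cur_key;
    uint32_t p_acei[ 41 ];
    uint32_t p_aes[ 128 ];
    uint32_t p_sys_key[ 4 ];
    uint32_t i_sci_size;
    uint32_t *p_sci[ 2 ];
    int i_ret = -1;

    uint32_t p_sci_key[ 4 ] =
    {
        0x6E66556D, 0x6E676F70, 0x67666461, 0x33373866
    };

    if( !rw_user_key( p_drms, 1, p_user_key ) )
    {
        return 0;
    }

    if( GetSystemKey( p_sys_key ) )
    {
        return -1;
    }

    if( get_sci_data( p_sci + 0, &i_sci_size ) )
    {
        return -1;
    }

    /* p_sci[0]: data as read from the file; p_sci[1]: second half of the
     * same allocation, used for the decoded copy. p_tmp remembers the
     * allocation for free().
     * NOTE(review): p_sci[1] is only word-aligned when the file size is a
     * multiple of 4 - confirm the format guarantees that. */
    p_tmp = p_sci[ 0 ];
    p_sci[ 1 ] = (uint32_t *)(((uint8_t *)p_sci[ 0 ]) + i_sci_size);
    i_sci_size -= sizeof(*p_sci[ 0 ]);

    InitAES( p_aes, p_sys_key );

    /* Chained decryption of every 16-byte block after the first word: each
     * block is XORed with the previous input block, p_sci_key for the
     * first. */
    for( i = 0, p_cur_key = p_sci_key;
         i < i_sci_size / sizeof(P_DRMS->p_key); i++ )
    {
        y = i * sizeof(*p_sci[ 0 ]);

        DecryptAES( p_aes, p_sci[ 1 ] + y + 1, p_sci[ 0 ] + y + 1 );
        block_xor( p_cur_key, p_sci[ 1 ] + y + 1, p_sci[ 1 ] + y + 1 );

        p_cur_key = p_sci[ 0 ] + y + 1;
    }

    acei_init( p_acei, p_sys_key );

    for( i = 0; i < i_sci_size / sizeof(P_DRMS->p_key); i++ )
    {
        y = i * sizeof(*p_sci[ 1 ]);

        acei( p_acei, (uint8_t *)(p_sci[ 1 ] + y + 1),
              sizeof(P_DRMS->p_key) );
    }

    /* get_sci_data() only accepts files larger than 22 words, so the header
     * read and this subtraction cannot go below zero. */
    y = 0;
    i = U32_AT( &p_sci[ 1 ][ 5 ] );
    i_sci_size -= 21 * sizeof(*p_sci[ 1 ]);
    p_sci[ 1 ] += 22;
    p_sci[ 0 ] = NULL;

    /* i: outer records left, y: 5-word entries left in the current one */
    while( i_sci_size > 0 && i > 0 )
    {
        if( p_sci[ 0 ] == NULL )
        {
            /* An 18-word record header must be followed by more data */
            if( i_sci_size <= 18 * sizeof(*p_sci[ 1 ]) )
            {
                break;
            }
            i_sci_size -= 18 * sizeof(*p_sci[ 1 ]);

            p_sci[ 0 ] = p_sci[ 1 ];
            y = U32_AT( &p_sci[ 1 ][ 17 ] );
            p_sci[ 1 ] += 18;
        }

        if( !y )
        {
            i--;
            p_sci[ 0 ] = NULL;
            continue;
        }

        if( U32_AT( &p_sci[ 0 ][ 0 ] ) == P_DRMS->i_user &&
            ( i_sci_size >=
              (sizeof(P_DRMS->p_key) + sizeof(p_sci[ 1 ][ 0 ]) ) ) &&
            ( ( U32_AT( &p_sci[ 1 ][ 0 ] ) == P_DRMS->i_key ) ||
              ( !P_DRMS->i_key ) || ( p_sci[ 1 ] == (p_sci[ 0 ] + 18) ) ) )
        {
            memcpy( p_user_key, &p_sci[ 1 ][ 1 ], sizeof(P_DRMS->p_key) );
            /* Caching is best effort; the key is valid either way */
            rw_user_key( p_drms, 0, p_user_key );
            i_ret = 0;
            break;
        }

        y--;
        p_sci[ 1 ] += 5;

        /* Clamp at zero instead of wrapping; the loop condition then ends
         * the walk. */
        if( i_sci_size > 5 * sizeof(*p_sci[ 1 ]) )
        {
            i_sci_size -= 5 * sizeof(*p_sci[ 1 ]);
        }
        else
        {
            i_sci_size = 0;
        }
    }

    free( (void *)p_tmp );

    return i_ret;
}

/*****************************************************************************
 * drms_alloc: create a DRMS context
 *****************************************************************************
 * psz_homedir is copied (truncated to PATH_MAX - 1 characters). Returns the
 * context, to be released with drms_free(), or NULL on failure.
 *****************************************************************************/
void *drms_alloc( char *psz_homedir )
{
    struct drms_s *p_drms;

    if( psz_homedir == NULL )
    {
        return NULL;
    }

    p_drms = malloc( sizeof(struct drms_s) );

    if( p_drms == NULL )
    {
        return NULL;
    }

    memset( p_drms, 0, sizeof(struct drms_s) );

    p_drms->i_tmp_len = 1024;
    p_drms->p_tmp = malloc( p_drms->i_tmp_len );
    if( p_drms->p_tmp == NULL )
    {
        /* Return right away: execution used to continue and dereference
         * the pointer that had just been freed and set to NULL. */
        free( (void *)p_drms );
        return NULL;
    }

    p_drms->psz_homedir = malloc( PATH_MAX );
    if( p_drms->psz_homedir == NULL )
    {
        free( (void *)p_drms->p_tmp );
        free( (void *)p_drms );
        return NULL;
    }

    strncpy( p_drms->psz_homedir, psz_homedir, PATH_MAX );
    p_drms->psz_homedir[ PATH_MAX - 1 ] = '\0';

    return (void *)p_drms;
}

/*****************************************************************************
 * drms_free: release a context from drms_alloc(); NULL is accepted
 *****************************************************************************/
void drms_free( void *p_drms )
{
    if( p_drms == NULL )
    {
        return;
    }

    /* free( NULL ) is a no-op, so the members need no individual checks */
    free( (void *)P_DRMS->p_name );
    free( (void *)P_DRMS->p_iviv );
    free( (void *)P_DRMS->psz_homedir );
    free( (void *)P_DRMS->p_tmp );

    free( p_drms );
}

/*****************************************************************************
 * drms_decrypt: decrypt a buffer in place
 *****************************************************************************
 * Processes the whole 16-byte blocks in the first i_len bytes of p_buffer;
 * trailing bytes are left as they are. Each block is decrypted and XORed
 * with the previous input block, P_DRMS->p_key for the first one. If the
 * scratch buffer cannot be allocated the data is left untouched.
 *****************************************************************************/
void drms_decrypt( void *p_drms, uint32_t *p_buffer, uint32_t i_len )
{
    uint32_t i, x, y;
    uint32_t *p_cur_key = P_DRMS->p_key;

    x = (i_len / sizeof(P_DRMS->p_key)) * sizeof(P_DRMS->p_key);

    if( x == 0 )
    {
        return;
    }

    if( P_DRMS->p_tmp == NULL || P_DRMS->i_tmp_len < x )
    {
        free( (void *)P_DRMS->p_tmp );

        P_DRMS->p_tmp = malloc( x );
        /* Record the size only if the allocation worked, so that a later
         * call tries again instead of finding a stale length. */
        P_DRMS->i_tmp_len = P_DRMS->p_tmp != NULL ? x : 0;
    }

    if( P_DRMS->p_tmp != NULL )
    {
        /* Keep the input: the chaining below needs the previous input
         * block after p_buffer has been overwritten. */
        memcpy( P_DRMS->p_tmp, p_buffer, x );

        for( i = 0, x /= sizeof(P_DRMS->p_key); i < x; i++ )
        {
            y = i * sizeof(*p_buffer);   /* word offset of block i */

            DecryptAES( P_DRMS->p_aes, p_buffer + y, P_DRMS->p_tmp + y );
            block_xor( p_cur_key, p_buffer + y, p_buffer + y );

            p_cur_key = P_DRMS->p_tmp + y;
        }
    }
}

/*****************************************************************************
 * drms_init: feed one atom of the file into the context
 *****************************************************************************
 * i_type selects the atom (FOURCC_user, _key, _iviv, _name or _priv), p_info
 * and i_len describe its payload. FOURCC_priv needs the name and iviv atoms
 * to have been supplied first and sets up the keys used by drms_decrypt().
 * Returns 0 on success or for an unknown i_type, -1 on error.
 *
 * p_info comes from the media file and is treated as untrusted: every read
 * from it is bounded by i_len.
 *****************************************************************************/
int drms_init( void *p_drms, uint32_t i_type,
               uint8_t *p_info, uint32_t i_len )
{
    int i_ret = 0;

    switch( i_type )
    {
        case FOURCC_user:
        {
            if( i_len < sizeof(P_DRMS->i_user) )
            {
                i_ret = -1;
                break;
            }

            P_DRMS->i_user = U32_AT( p_info );
        }
        break;

        case FOURCC_key:
        {
            if( i_len < sizeof(P_DRMS->i_key) )
            {
                i_ret = -1;
                break;
            }

            P_DRMS->i_key = U32_AT( p_info );
        }
        break;

        case FOURCC_iviv:
        {
            if( i_len < sizeof(P_DRMS->p_key) )
            {
                i_ret = -1;
                break;
            }

            /* A repeated atom replaces the earlier value instead of
             * leaking it. */
            free( (void *)P_DRMS->p_iviv );

            P_DRMS->p_iviv = malloc( sizeof(P_DRMS->p_key) );
            if( P_DRMS->p_iviv == NULL )
            {
                i_ret = -1;
                break;
            }

            memcpy( P_DRMS->p_iviv, p_info, sizeof(P_DRMS->p_key) );
        }
        break;

        case FOURCC_name:
        {
            /* Bounded replacement for strlen( p_info ): the payload is not
             * guaranteed to contain a NUL within its i_len bytes. */
            const uint8_t *p_end = memchr( p_info, '\0', i_len );
            uint32_t i_name_len = p_end != NULL
                                   ? (uint32_t)(p_end - p_info) : i_len;

            free( (void *)P_DRMS->p_name );
            P_DRMS->i_name_len = 0;

            /* One spare byte so an empty name still gets a real buffer */
            P_DRMS->p_name = malloc( (size_t)i_name_len + 1 );
            if( P_DRMS->p_name == NULL )
            {
                i_ret = -1;
                break;
            }

            memcpy( P_DRMS->p_name, p_info, i_name_len );
            P_DRMS->p_name[ i_name_len ] = '\0';
            P_DRMS->i_name_len = i_name_len;
        }
        break;

        case FOURCC_priv:
        {
            struct md5_s md5;
            uint32_t i;
            uint32_t p_priv[ 64 ];

            /* Without the name and iviv atoms the hashing below would read
             * through NULL pointers. */
            if( i_len < 64 ||
                P_DRMS->p_name == NULL || P_DRMS->p_iviv == NULL )
            {
                i_ret = -1;
                break;
            }

            /* Only 64 bytes are copied in below, but drms_decrypt() is
             * given the whole array; zero it so no uninitialised stack
             * memory is read. */
            memset( p_priv, 0, sizeof(p_priv) );

            InitMD5( &md5 );
            Add3MD5( &md5, P_DRMS->p_name, P_DRMS->i_name_len );
            Add3MD5( &md5, P_DRMS->p_iviv, sizeof(P_DRMS->p_key) );

            /* Hand-made finalisation: pad up to 56 bytes modulo 64, then
             * append the message length in BYTES as two words. */
            p_priv[ 0 ] = (md5.i_bits / 8) & 0xffffffff;
            p_priv[ 1 ] = (md5.i_bits / 8) >> 32;

            i = (md5.i_bits / 8) & 63;
            i = i >= 56 ? 120 - i : 56 - i;
            Add3MD5( &md5, p_drms_tab_tend, i );
            Add3MD5( &md5, (uint8_t *)p_priv, 2 * sizeof(uint32_t) );

            if( get_user_key( p_drms, P_DRMS->p_key ) )
            {
                i_ret = -1;
                break;
            }

            /* Decrypt the payload with the user key, chaining from the
             * digest computed above. */
            InitAES( P_DRMS->p_aes, P_DRMS->p_key );

            memcpy( p_priv, p_info, 64 );
            memcpy( P_DRMS->p_key, md5.p_digest, sizeof(P_DRMS->p_key) );
            drms_decrypt( p_drms, p_priv, sizeof(p_priv) );

            /* The decrypted payload carries the keys used from now on */
            InitAES( P_DRMS->p_aes, p_priv + 6 );
            memcpy( P_DRMS->p_key, p_priv + 12, sizeof(P_DRMS->p_key) );

            /* These were only needed to get here */
            free( (void *)P_DRMS->psz_homedir );
            P_DRMS->psz_homedir = NULL;
            free( (void *)P_DRMS->p_name );
            P_DRMS->p_name = NULL;
            free( (void *)P_DRMS->p_iviv );
            P_DRMS->p_iviv = NULL;
        }
        break;

        default:
            /* Unknown atom types are ignored */
            break;
    }

    return i_ret;
}

#undef P_DRMS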