CCcam in php

1. <?php
2.  
3. /* CONFIGURATION HERE */
4. $HOST = "cccamhost.example.com";
5. $PORT = 4567;
6. $USR = "cccam_username";
7. $PASS = "cccam_password";
8.  
9. //==========================================================================================================
10.  
11. function hexToStr($hex)
12. {
13. $string = "";
14. for ($i=0; $i < strlen($hex)-1; $i+=2)
15. {
16. $string .= chr(hexdec($hex[$i].$hex[$i+1]));
17. }
18. return $string;
19. }
20.  
21. //==========================================================================================================
22.  
23. function strToHex($string)
24. {
25. $hex_string = "";
26. for ($i=0; $i < strlen($string); $i++)
27. {
28. $hex_string .= strtoupper(sprintf("%02x",ord($string[$i])));
29. }
30. return $hex_string;
31. }
32.  
33. //==========================================================================================================
34.  
35. function HexToBin($hexString)
36. {
37. $hexLenght = strlen($hexString);
38.  
39. if ($hexLenght % 2 != 0 || preg_match("/[^\da-fA-F]/", $hexString)) return $hexString;
40. else
41. {
42. unset($binString);
43. $binString = "";
44. for ($x = 1; $x <= $hexLenght/2; $x++)
45. {
46. $binString .= chr(hexdec(substr($hexString,2 * $x - 2,2)));
47. }
48. return $binString;
49. }
50. }
51.  
52. //==========================================================================================================
53.  
54. function cc_crypt_swap(&$p1, &$p2) {
55. $tmp = $p1;
56. $p1 = $p2;
57. $p2 = $tmp;
58. }
59.  
60. //==========================================================================================================
61.  
62. function initialize_encryption($keybin, $len) {
63. global $keytable, $state, $counter, $sum;
64.  
65. $i = 0;
66. $j = 0;
67.  
68. $key = array();
69. $keytable = array();
70.  
71. for ($i=0; $i<$len; $i++) $key[$i] = strToHex(substr($keybin, $i, 1));
72. for ($i=0; $i<256; $i++) $keytable[$i] = $i;
73.  
74. for ($i=0; $i<256; $i++) {
75. $j += hexdec($key[$i % $len]) + $keytable[$i];
76. $j &= 0xff;
77. cc_crypt_swap($keytable[$i], $keytable[$j]);
78. }
79.  
80. $state = $key[0].$key[1].$key[2].$key[3].$key[4].$key[5].$key[6].$key[7];
81. //echo "state = " . $state . "<br />\n";
82. $counter = 0;
83. $sum = 0;
84.  
85. for ($i=0; $i<256; $i++) $keytable[$i] = sprintf("%02X", $keytable[$i] & 0xff);
86. }
87.  
88. //==========================================================================================================
89.  
90. function xorr($bufbin) {
91. global $keytable, $state, $counter, $sum;
92.  
93. $cccam = array("C","C","c","a","m");
94. $buf = array();
95. $out = "";
96.  
97. for ($i=0; $i<strlen($bufbin); $i++) $buf[$i] = strToHex(substr($bufbin, $i, 1));
98.  
99. for ($i=0; $i<8; $i++) {
100. $buf[8 + $i] = sprintf("%02X", ($i * hexdec($buf[$i])) & 0xff);
101. if ($i < 5) $buf[$i] = strToHex(HexToBin($buf[$i]) ^ $cccam[$i]);
102. }
103.  
104. for ($i=0; $i<count($buf); $i++) $out .= $buf[$i];
105.  
106. return $out;
107. }
108.  
109. //==========================================================================================================
110.  
111. function encrypt($databin, $len) {
112. global $keytable, $state, $counter, $sum;
113.  
114. $out = "";
115.  
116. for ($i=0; $i<$len; $i++) $data[$i] = strToHex(substr($databin, $i, 1));
117.  
118. for ($i=0; $i<$len; $i++) {
119. $counter = 0xff & ($counter+1);
120. $sum += hexdec($keytable[$counter]);
121. $sum &= 0xff;
122.  
123. cc_crypt_swap($keytable[$counter], $keytable[$sum]);
124.  
125. $z = $data[$i];
126. $data[$i] = HexToBin($z) ^ HexToBin($keytable[ (hexdec($keytable[$counter]) + hexdec($keytable[$sum])) & 0xff ]);
127. $data[$i] ^= HexToBin($state);
128. $data[$i] = strToHex($data[$i]);
129. $state = strToHex(HexToBin($state) ^ HexToBin($z));
130. }
131.  
132. for ($i=0; $i<$len; $i++) $out .= $data[$i];
133.  
134. return $out;
135. }
136.  
137. //==========================================================================================================
138.  
139. function decrypt($databin, $len) {
140. global $keytable, $state, $counter, $sum;
141.  
142. $out = "";
143.  
144. for ($i=0; $i<$len; $i++) $data[$i] = strToHex(substr($databin, $i, 1));
145.  
146. for ($i=0; $i<$len; $i++) {
147. $counter = 0xff & ($counter+1);
148. $sum += hexdec($keytable[$counter]);
149. $sum &= 0xff;
150.  
151. cc_crypt_swap($keytable[$counter], $keytable[$sum]);
152.  
153. $z = $data[$i];
154. $data[$i] = HexToBin($z) ^ HexToBin($keytable[ (hexdec($keytable[$counter]) + hexdec($keytable[$sum])) & 0xff ]);
155. $data[$i] ^= HexToBin($state);
156. $data[$i] = strToHex($data[$i]);
157. $z = $data[$i];
158. $state = strToHex(HexToBin($state) ^ HexToBin($z));
159. }
160.  
161. for ($i=0; $i<$len; $i++) $out .= $data[$i];
162.  
163. return $out;
164. }
165.  
166. //==========================================================================================================
167.  
168. function check_connect_checksum($databin, $length) {
169. $valid = false;
170.  
171. $data = array();
172.  
173. for ($i=0; $i<strlen($databin); $i++) $data[$i] = strToHex(substr($databin, $i, 1));
174.  
175. if ($length == 16) {
176. $sum1 = sprintf("%02X", (hexdec($data[0]) + hexdec($data[4]) + hexdec($data[8])) & 0xff);
177. $sum2 = sprintf("%02X", (hexdec($data[1]) + hexdec($data[5]) + hexdec($data[9])) & 0xff);
178. $sum3 = sprintf("%02X", (hexdec($data[2]) + hexdec($data[6]) + hexdec($data[10])) & 0xff);
179. $sum4 = sprintf("%02X", (hexdec($data[3]) + hexdec($data[7]) + hexdec($data[11])) & 0xff);
180.  
181. $valid = ( ($sum1 == $data[12])
182. && ($sum2 == $data[13])
183. && ($sum3 == $data[14])
184. && ($sum4 == $data[15]) );
185. }
186.  
187. return $valid;
188. }
189.  
190. //==========================================================================================================
191.  
192. $fp = @fsockopen($HOST, $PORT, $errno, $errstr, 10);
193. if (!$fp) {
194. echo "$errstr ($errno)<br />\n";
195. } else {
196. $server_packet_count = 0;
197.  
198. $data = fread($fp, 256);
199.  
200. //printf("Got packet %d from server with length of %d.<br />\n", $server_packet_count, strlen($data));
201.  
202. if (trim($data != "")) {
203. $packet_valid = check_connect_checksum($data, strlen($data));
204. if (!$packet_valid) {
205. echo "Checksum of connection packet is not valid!<br />\n";
206. } else {
207. //echo "got seed from server: " . strToHex($data) . "<br />\n";
208. //echo "Checksum of connection packet is valid.<br />\n";
209. $data = xorr($data);
210. //echo "seed xor = $data<br />\n";
211. $data = HexToBin($data);
212. $enc_key = strtoupper(sha1($data));
213. //echo "Using this encryption key: " . $enc_key . "<br />\n";
214. $enc_key = HexToBin($enc_key);
215.  
216. initialize_encryption($enc_key, strlen($enc_key));
217. $decrypt_seed = decrypt($data, strlen($data));
218. //echo "decrypt = " . $decrypt_seed . "<br />\n";
219. $decrypt_seed = HexToBin($decrypt_seed);
220.  
221. initialize_encryption($decrypt_seed, strlen($decrypt_seed));
222. $decrypt_hash = decrypt($enc_key, strlen($enc_key));
223. //echo "decrypt hash = " . $decrypt_hash . "<br />\n";
224. $decrypt_hash = HexToBin($decrypt_hash);
225. $encrypt_hash = encrypt($decrypt_hash, strlen($decrypt_hash));
226. //echo "encrypt hash = " . $encrypt_hash . "<br />\n";
227. $encrypt_hash = HexToBin($encrypt_hash);
228.  
229. if (strlen($USR) > 20 || strlen($USR) == 0) {
230. echo "<h2 style='color: red'>Error: username too big or empty!</h2><br />\n";
231. } else {
232. $username = array();
233. $user = "";
234. for ($i=0; $i<20; $i++) $username[$i] = "00";
235. for ($i=0; $i<strlen($USR); $i++) $username[$i] = strToHex(substr($USR, $i, 1));
236. for ($i=0; $i<20; $i++) $user .= $username[$i];
237. $user = HexToBin($user);
238. $userenc = encrypt($user, strlen($user));
239. //echo "user = $user<br />\n";
240. $userenc = HexToBin($userenc);
241. $password = encrypt($PASS, strlen($PASS));
242. //echo "password = $password<br />\n";
243. $password = HexToBin($password);
244. $cccam = encrypt("CCcam" . "\x00", 6);
245. //echo "cccam = $cccam<br />\n";
246. $cccam = HexToBin($cccam);
247.  
248. fwrite($fp, $encrypt_hash);
249. fwrite($fp, $userenc);
250. fwrite($fp, $cccam);
251. $data = fread($fp, 256);
252. if (trim($data) != "") {
253. if (!strstr(HexToBin(decrypt($data, strlen($data))), "CCcam")) {
254. echo "FTF this can not give string CCcam??? Anybody have idea where I missing this???<br />\n";
255. echo "Probably I can not move further since decryption seed is not changed corectly and I can not send more commands???<br />\n";
256. echo "Decription seed must give string CCcam but I can not get it now :( Login is cucced but no more commands after login :(<br />\n";
257. }
258. echo "<h2 style='color: green'>User: " . $user . " ( login succed! )</h2><br />\n";
259. } else {
260. echo "<h2 style='color: red'>User: " . $user . " ( login failed! )</h2><br />\n";
261. }
262.  
263. $server_packet_count++;
264. }
265.  
266. if ($fp) fclose($fp);
267. }
268. } else {
269. echo "<h2 style='color: red'>Reaply null bytes!</h2><br />\n";
270. }
271. }
272.  
273. ?>