munjeni - demonstrate cccam protocol in php

1. <?php
2.  
3. /* CONFIGURATION HERE */
4. $HOST = "cccamhost.example.com";
5. $PORT = 4567;
6. $USR = "cccam_username";
7. $PASS = "cccam_password";
8.  
9. //==========================================================================================================
10.  
11. function hexToStr($hex)
12. {
13.     $string = "";
14.     for ($i=0; $i < strlen($hex)-1; $i+=2)
15.     {
16.         $string .= chr(hexdec($hex[$i].$hex[$i+1]));
17.     }
18.     return $string;
19. }
20.  
21. //==========================================================================================================
22.  
23. function strToHex($string)
24. {
25.     $hex_string = "";
26.     for ($i=0; $i < strlen($string); $i++)
27.     {
28.         $hex_string .= strtoupper(sprintf("%02x",ord($string[$i])));
29.     }
30.     return $hex_string;
31. }
32.  
33. //==========================================================================================================
34.  
35. function HexToBin($hexString)
36. {
37.     $hexLenght = strlen($hexString);
38.  
39.     if ($hexLenght % 2 != 0 || preg_match("/[^\da-fA-F]/", $hexString)) return $hexString;
40.     else
41.     {
42.         unset($binString);
43.         $binString = "";
44.         for ($x = 1; $x <= $hexLenght/2; $x++)
45.         {
46.             $binString .= chr(hexdec(substr($hexString,2 * $x - 2,2)));
47.         }        
48.         return $binString;
49.     }
50. }
51.  
52. //==========================================================================================================
53.  
54. function cc_crypt_swap(&$p1, &$p2) {
55.   $tmp = $p1;
56.   $p1 = $p2;
57.   $p2 = $tmp;
58. }
59.  
60. //==========================================================================================================
61.  
62. function initialize_encryption($keybin, $len) {
63.   global $keytable, $state, $counter, $sum;
64.  
65.     $i = 0;
66.     $j = 0;
67.  
68.     $key = array();
69.     $keytable = array();
70.  
71.   for ($i=0; $i<$len; $i++) $key[$i] = strToHex(substr($keybin, $i, 1));
72.     for ($i=0; $i<256; $i++) $keytable[$i] = $i;
73.  
74.     for ($i=0; $i<256; $i++) {
75.         $j += hexdec($key[$i % $len]) + $keytable[$i];
76.         $j &= 0xff;
77.         cc_crypt_swap($keytable[$i], $keytable[$j]);
78.     }
79.  
80.     $state = $key[0].$key[1].$key[2].$key[3].$key[4].$key[5].$key[6].$key[7];
81.     //echo "state = " . $state . "<br />\n";
82.     $counter = 0;
83.     $sum = 0;
84.    
85.     for ($i=0; $i<256; $i++) $keytable[$i] = sprintf("%02X", $keytable[$i] & 0xff);
86. }
87.  
88. //==========================================================================================================
89.  
90. function xorr($bufbin) {
91.   global $keytable, $state, $counter, $sum;
92.  
93.   $cccam = array("C","C","c","a","m");
94.   $buf = array();
95.   $out = "";
96.  
97.   for ($i=0; $i<strlen($bufbin); $i++) $buf[$i] = strToHex(substr($bufbin, $i, 1));
98.  
99.   for ($i=0; $i<8; $i++) {
100.     $buf[8 + $i] = sprintf("%02X", ($i * hexdec($buf[$i])) & 0xff);
101.     if ($i < 5) $buf[$i] = strToHex(HexToBin($buf[$i]) ^ $cccam[$i]);
102.   }
103.  
104.   for ($i=0; $i<count($buf); $i++) $out .= $buf[$i];
105.  
106.   return $out;
107. }
108.  
109. //==========================================================================================================
110.  
111. function encrypt($databin, $len) {
112.   global $keytable, $state, $counter, $sum;
113.  
114.   $out = "";
115.  
116.   for ($i=0; $i<$len; $i++) $data[$i] = strToHex(substr($databin, $i, 1));
117.  
118.   for ($i=0; $i<$len; $i++) {
119.     $counter = 0xff & ($counter+1);
120.     $sum += hexdec($keytable[$counter]);
121.     $sum &= 0xff;
122.    
123.     cc_crypt_swap($keytable[$counter], $keytable[$sum]);
124.  
125.     $z = $data[$i];
126.     $data[$i] = HexToBin($z) ^ HexToBin($keytable[ (hexdec($keytable[$counter]) + hexdec($keytable[$sum])) & 0xff ]);
127.     $data[$i] ^= HexToBin($state);
128.     $data[$i] =  strToHex($data[$i]);
129.     $state = strToHex(HexToBin($state) ^ HexToBin($z));
130.   }
131.  
132.   for ($i=0; $i<$len; $i++) $out .= $data[$i];
133.  
134.   return $out;
135. }
136.  
137. //==========================================================================================================
138.  
139. function decrypt($databin, $len) {
140.   global $keytable, $state, $counter, $sum;
141.  
142.   $out = "";
143.  
144.   for ($i=0; $i<$len; $i++) $data[$i] = strToHex(substr($databin, $i, 1));
145.  
146.   for ($i=0; $i<$len; $i++) {
147.     $counter = 0xff & ($counter+1);
148.     $sum += hexdec($keytable[$counter]);
149.     $sum &= 0xff;
150.    
151.     cc_crypt_swap($keytable[$counter], $keytable[$sum]);
152.  
153.     $z = $data[$i];
154.     $data[$i] = HexToBin($z) ^ HexToBin($keytable[ (hexdec($keytable[$counter]) + hexdec($keytable[$sum])) & 0xff ]);
155.     $data[$i] ^= HexToBin($state);
156.     $data[$i] =  strToHex($data[$i]);
157.     $z = $data[$i];
158.     $state = strToHex(HexToBin($state) ^ HexToBin($z));
159.   }
160.  
161.   for ($i=0; $i<$len; $i++) $out .= $data[$i];
162.  
163.   return $out;
164. }
165.  
166. //==========================================================================================================
167.  
168. function check_connect_checksum($databin, $length) {  
169.     $valid = false;
170.    
171.     $data = array();
172.    
173.     for ($i=0; $i<strlen($databin); $i++) $data[$i] = strToHex(substr($databin, $i, 1));  
174.  
175.     if ($length == 16) {  
176.         $sum1 = sprintf("%02X", (hexdec($data[0]) + hexdec($data[4]) + hexdec($data[8])) & 0xff);  
177.         $sum2 = sprintf("%02X", (hexdec($data[1]) + hexdec($data[5]) + hexdec($data[9])) & 0xff);  
178.         $sum3 = sprintf("%02X", (hexdec($data[2]) + hexdec($data[6]) + hexdec($data[10])) & 0xff);  
179.         $sum4 = sprintf("%02X", (hexdec($data[3]) + hexdec($data[7]) + hexdec($data[11])) & 0xff);  
180.  
181.         $valid = ( ($sum1 == $data[12])  
182.                 && ($sum2 == $data[13])  
183.                 && ($sum3 == $data[14])  
184.                 && ($sum4 == $data[15]) );  
185.     }  
186.  
187.     return $valid;  
188. }
189.  
190. //==========================================================================================================
191.  
192. $fp = @fsockopen($HOST, $PORT, $errno, $errstr, 10);
193. if (!$fp) {
194.   echo "$errstr ($errno)<br />\n";
195. } else {
196.   $server_packet_count = 0;
197.  
198.   $data = fread($fp, 256);
199.  
200.   //printf("Got packet %d from server with length of %d.<br />\n", $server_packet_count, strlen($data));
201.  
202.   if (trim($data != "")) {
203.     $packet_valid = check_connect_checksum($data, strlen($data));
204.     if (!$packet_valid) {
205.       echo "Checksum of connection packet is not valid!<br />\n";
206.     } else {
207.       //echo "got seed from server: " . strToHex($data) . "<br />\n";
208.       //echo "Checksum of connection packet is valid.<br />\n";
209.       $data = xorr($data);
210.       //echo "seed xor = $data<br />\n";
211.       $data = HexToBin($data);
212.       $enc_key = strtoupper(sha1($data));
213.       //echo "Using this encryption key: " . $enc_key . "<br />\n";
214.       $enc_key = HexToBin($enc_key);
215.  
216.       initialize_encryption($enc_key, strlen($enc_key));      
217.       $decrypt_seed = decrypt($data, strlen($data));
218.       //echo "decrypt = " . $decrypt_seed . "<br />\n";
219.       $decrypt_seed = HexToBin($decrypt_seed);
220.  
221.       initialize_encryption($decrypt_seed, strlen($decrypt_seed));
222.       $decrypt_hash = decrypt($enc_key, strlen($enc_key));
223.       //echo "decrypt hash = " . $decrypt_hash . "<br />\n";
224.       $decrypt_hash = HexToBin($decrypt_hash);
225.       $encrypt_hash = encrypt($decrypt_hash, strlen($decrypt_hash));
226.       //echo "encrypt hash = " . $encrypt_hash . "<br />\n";
227.       $encrypt_hash = HexToBin($encrypt_hash);
228.  
229.       if (strlen($USR) > 20 || strlen($USR) == 0) {
230.         echo "<h2 style='color: red'>Error: username too big or empty!</h2><br />\n";
231.       } else {
232.         $username = array();
233.         $user = "";
234.         for ($i=0; $i<20; $i++) $username[$i] = "00";
235.         for ($i=0; $i<strlen($USR); $i++) $username[$i] = strToHex(substr($USR, $i, 1));
236.         for ($i=0; $i<20; $i++) $user .= $username[$i];
237.         $user = HexToBin($user);
238.         $userenc = encrypt($user, strlen($user));
239.         //echo "user = $user<br />\n";
240.         $userenc = HexToBin($userenc);
241.         $password = encrypt($PASS, strlen($PASS));
242.         //echo "password = $password<br />\n";
243.         $password = HexToBin($password);
244.         $cccam = encrypt("CCcam" . "\x00", 6);
245.         //echo "cccam = $cccam<br />\n";
246.         $cccam = HexToBin($cccam);
247.          
248.         fwrite($fp, $encrypt_hash);
249.         fwrite($fp, $userenc);
250.         fwrite($fp, $cccam);
251.         $data = fread($fp, 256);
252.         if (trim($data) != "") {
253.           if (!strstr(HexToBin(decrypt($data, strlen($data))), "CCcam")) {
254.             echo "FTF this can not give string CCcam??? Anybody have idea where I missing this???<br />\n";
255.             echo "Probably I can not move further since decryption seed is not changed corectly and I can not send more commands???<br />\n";
256.             echo "Decription seed must give string CCcam but I can not get it now :( Login is cucced but no more commands after login :(<br />\n";
257.           }
258.           echo "<h2 style='color: green'>User: " . $user . " ( login succed! )</h2><br />\n";
259.         } else {
260.           echo "<h2 style='color: red'>User: " . $user . " ( login failed! )</h2><br />\n";
261.         }
262.  
263.         $server_packet_count++;
264.       }
265.  
266.       if ($fp) fclose($fp);
267.     }
268.   } else {
269.     echo "<h2 style='color: red'>Reaply null bytes!</h2><br />\n";
270.   }
271. }
272.  
273. ?>