X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=modules%2Fdemux%2Fmp4%2Fdrms.c;h=35d605729eeaca0ec7287d29e39a86084a448cbf;hb=3e258835cb95562a5a8ebbbb9f6c11e7b073a41b;hp=cf543d2d55e946dada0fc6a0f7a7824d8b961a7f;hpb=051ce627e6f3c469ecaf98676203dc8a59cc9e57;p=vlc diff --git a/modules/demux/mp4/drms.c b/modules/demux/mp4/drms.c index cf543d2d55..35d605729e 100644 --- a/modules/demux/mp4/drms.c +++ b/modules/demux/mp4/drms.c @@ -1,10 +1,11 @@ /***************************************************************************** - * drms.c : DRMS + * drms.c: DRMS ***************************************************************************** - * Copyright (C) 2004 VideoLAN - * $Id: drms.c,v 1.1 2004/01/05 12:37:52 jlj Exp $ + * Copyright (C) 2004 the VideoLAN team + * $Id$ * - * Author: Jon Lech Johansen + * Authors: Jon Lech Johansen + * Sam Hocevar * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -18,997 +19,1785 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA. + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston MA 02110-1301, USA. *****************************************************************************/ -#include /* malloc(), free() */ +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include +#include "libmp4.h" +#include + +#ifdef WIN32 +# include +#else +# include +#endif -#include +#include #ifdef WIN32 -#include -#include -#include +# if !defined( UNDER_CE ) +# include +# endif +# include +# include +# include +#endif + +#ifdef HAVE_SYS_STAT_H +# include +#endif +#include + +/* In Solaris (and perhaps others) PATH_MAX is in limits.h. */ +#include + +#ifdef __APPLE__ +# include +# include +# include #endif #include "drms.h" #include "drmstables.h" -#define TAOS_INIT( tmp, i ) \ - memset( tmp, 0, sizeof(tmp) ); \ - tmp[ i + 0 ] = 0x67452301; \ - tmp[ i + 1 ] = 0xEFCDAB89; \ - tmp[ i + 2 ] = 0x98BADCFE; \ - tmp[ i + 3 ] = 0x10325476; +#if !defined( UNDER_CE ) +/***************************************************************************** + * aes_s: AES keys structure + ***************************************************************************** + * This structure stores a set of keys usable for encryption and decryption + * with the AES/Rijndael algorithm. + *****************************************************************************/ +struct aes_s +{ + uint32_t pp_enc_keys[ AES_KEY_COUNT + 1 ][ 4 ]; + uint32_t pp_dec_keys[ AES_KEY_COUNT + 1 ][ 4 ]; +}; -#define ROR( x, n ) (((x) << (32-(n))) | ((x) >> (n))) +#define Digest DigestMD5 -static void init_ctx( uint32_t *p_ctx, uint32_t *p_input ) +/***************************************************************************** + * shuffle_s: shuffle structure + ***************************************************************************** + * This structure stores the static information needed to shuffle data using + * a custom algorithm. + *****************************************************************************/ +struct shuffle_s { - uint32_t i; - uint32_t p_tmp[ 6 ]; - - p_ctx[ 0 ] = sizeof(*p_input); + uint32_t i_version; + uint32_t p_commands[ 20 ]; + uint32_t p_bordel[ 16 ]; +}; - memset( &p_ctx[ 1 + 4 ], 0, sizeof(*p_input) * 4 ); - memcpy( &p_ctx[ 1 + 0 ], p_input, sizeof(*p_input) * 4 ); +#define SWAP( a, b ) { (a) ^= (b); (b) ^= (a); (a) ^= (b); } - p_tmp[ 0 ] = p_ctx[ 1 + 3 ]; +/***************************************************************************** + * drms_s: DRMS structure + ***************************************************************************** + * This structure stores the static information needed to decrypt DRMS data. + *****************************************************************************/ +struct drms_s +{ + uint32_t i_user; + uint32_t i_key; + uint8_t p_iviv[ 16 ]; + uint8_t *p_name; - for( i = 0; i < sizeof(p_drms_tab1)/sizeof(p_drms_tab1[ 0 ]); i++ ) - { - p_tmp[ 0 ] = ROR( p_tmp[ 0 ], 8 ); + uint32_t p_key[ 4 ]; + struct aes_s aes; - p_tmp[ 5 ] = p_drms_tab2[ (p_tmp[ 0 ] >> 24) & 0xFF ] - ^ ROR( p_drms_tab2[ (p_tmp[ 0 ] >> 16) & 0xFF ], 8 ) - ^ ROR( p_drms_tab2[ (p_tmp[ 0 ] >> 8) & 0xFF ], 16 ) - ^ ROR( p_drms_tab2[ p_tmp[ 0 ] & 0xFF ], 24 ) - ^ p_drms_tab1[ i ] - ^ p_ctx[ 1 + ((i + 1) * 4) - 4 ]; + char psz_homedir[ PATH_MAX ]; +}; - p_ctx[ 1 + ((i + 1) * 4) + 0 ] = p_tmp[ 5 ]; - p_tmp[ 5 ] ^= p_ctx[ 1 + ((i + 1) * 4) - 3 ]; - p_ctx[ 1 + ((i + 1) * 4) + 1 ] = p_tmp[ 5 ]; - p_tmp[ 5 ] ^= p_ctx[ 1 + ((i + 1) * 4) - 2 ]; - p_ctx[ 1 + ((i + 1) * 4) + 2 ] = p_tmp[ 5 ]; - p_tmp[ 5 ] ^= p_ctx[ 1 + ((i + 1) * 4) - 1 ]; - p_ctx[ 1 + ((i + 1) * 4) + 3 ] = p_tmp[ 5 ]; +/***************************************************************************** + * Local prototypes + *****************************************************************************/ +static void InitAES ( struct aes_s *, uint32_t * ); +static void DecryptAES ( struct aes_s *, uint32_t *, const uint32_t * ); + +static void InitShuffle ( struct shuffle_s *, uint32_t *, uint32_t ); +static void DoShuffle ( struct shuffle_s *, uint32_t *, uint32_t ); + +static uint32_t FirstPass ( uint32_t * ); +static void SecondPass ( uint32_t *, uint32_t ); +static void ThirdPass ( uint32_t * ); +static void FourthPass ( uint32_t * ); +static void TinyShuffle1 ( uint32_t * ); +static void TinyShuffle2 ( uint32_t * ); +static void TinyShuffle3 ( uint32_t * ); +static void TinyShuffle4 ( uint32_t * ); +static void TinyShuffle5 ( uint32_t * ); +static void TinyShuffle6 ( uint32_t * ); +static void TinyShuffle7 ( uint32_t * ); +static void TinyShuffle8 ( uint32_t * ); +static void DoExtShuffle ( uint32_t * ); + +static int GetSystemKey ( uint32_t *, bool ); +static int WriteUserKey ( void *, uint32_t * ); +static int ReadUserKey ( void *, uint32_t * ); +static int GetUserKey ( void *, uint32_t * ); + +static int GetSCIData ( char *, uint32_t **, uint32_t * ); +static int HashSystemInfo ( uint32_t * ); +static int GetiPodID ( int64_t * ); + +#ifdef WORDS_BIGENDIAN +/***************************************************************************** + * Reverse: reverse byte order + *****************************************************************************/ +static inline void Reverse( uint32_t *p_buffer, int n ) +{ + int i; - p_tmp[ 0 ] = p_tmp[ 5 ]; + for( i = 0; i < n; i++ ) + { + p_buffer[ i ] = GetDWLE(&p_buffer[ i ]); } +} +# define REVERSE( p, n ) Reverse( p, n ) +#else +# define REVERSE( p, n ) +#endif - memcpy( &p_ctx[ 1 + 64 ], &p_ctx[ 1 ], sizeof(*p_ctx) * 4 ); +/***************************************************************************** + * BlockXOR: XOR two 128 bit blocks + *****************************************************************************/ +static inline void BlockXOR( uint32_t *p_dest, uint32_t *p_s1, uint32_t *p_s2 ) +{ + int i; - for( i = 4; i < sizeof(p_drms_tab1); i++ ) + for( i = 0; i < 4; i++ ) { - p_tmp[ 2 ] = p_ctx[ 1 + 4 + (i - 4) ]; + p_dest[ i ] = p_s1[ i ] ^ p_s2[ i ]; + } +} - p_tmp[ 0 ] = (((p_tmp[ 2 ] >> 7) & 0x01010101) * 27) - ^ ((p_tmp[ 2 ] & 0xFF7F7F7F) << 1); - p_tmp[ 1 ] = (((p_tmp[ 0 ] >> 7) & 0x01010101) * 27) - ^ ((p_tmp[ 0 ] & 0xFF7F7F7F) << 1); - p_tmp[ 4 ] = (((p_tmp[ 1 ] >> 7) & 0x01010101) * 27) - ^ ((p_tmp[ 1 ] & 0xFF7F7F7F) << 1); +/***************************************************************************** + * drms_alloc: allocate a DRMS structure + *****************************************************************************/ +void *drms_alloc( const char *psz_homedir ) +{ + struct drms_s *p_drms; - p_tmp[ 2 ] ^= p_tmp[ 4 ]; + p_drms = calloc( 1, sizeof(struct drms_s) ); + if( !p_drms ) + return NULL; - p_tmp[ 3 ] = ROR( p_tmp[ 1 ] ^ p_tmp[ 2 ], 16 ) - ^ ROR( p_tmp[ 0 ] ^ p_tmp[ 2 ], 8 ) - ^ ROR( p_tmp[ 2 ], 24 ); + strncpy( p_drms->psz_homedir, psz_homedir, PATH_MAX ); + p_drms->psz_homedir[ PATH_MAX - 1 ] = '\0'; - p_ctx[ 1 + 4 + 64 + (i - 4) ] = p_tmp[ 3 ] ^ p_tmp[ 4 ] - ^ p_tmp[ 1 ] ^ p_tmp[ 0 ]; - } + return (void *)p_drms; } -static void ctx_xor( uint32_t *p_ctx, uint32_t *p_in, uint32_t *p_out, - uint32_t p_table1[ 256 ], uint32_t p_table2[ 256 ] ) +/***************************************************************************** + * drms_free: free a previously allocated DRMS structure + *****************************************************************************/ +void drms_free( void *_p_drms ) { - uint32_t i, x, y; - uint32_t p_tmp1[ 4 ]; - uint32_t p_tmp2[ 4 ]; - - i = p_ctx[ 0 ] * 4; + struct drms_s *p_drms = (struct drms_s *)_p_drms; - p_tmp1[ 0 ] = p_ctx[ 1 + i + 24 ] ^ p_in[ 0 ]; - p_tmp1[ 1 ] = p_ctx[ 1 + i + 25 ] ^ p_in[ 1 ]; - p_tmp1[ 2 ] = p_ctx[ 1 + i + 26 ] ^ p_in[ 2 ]; - p_tmp1[ 3 ] = p_ctx[ 1 + i + 27 ] ^ p_in[ 3 ]; + free( (void *)p_drms->p_name ); + free( p_drms ); +} - i += 84; +/***************************************************************************** + * drms_decrypt: unscramble a chunk of data + *****************************************************************************/ +void drms_decrypt( void *_p_drms, uint32_t *p_buffer, uint32_t i_bytes, uint32_t *p_key ) +{ + struct drms_s *p_drms = (struct drms_s *)_p_drms; + uint32_t p_key_buf[ 4 ]; + unsigned int i_blocks; -#define XOR_ROR( p_table, p_tmp, i_ctx ) \ - p_table[ (p_tmp[ y > 2 ? y - 3 : y + 1 ] >> 24) & 0xFF ] \ - ^ ROR( p_table[ (p_tmp[ y > 1 ? y - 2 : y + 2 ] >> 16) & 0xFF ], 8 ) \ - ^ ROR( p_table[ (p_tmp[ y > 0 ? y - 1 : y + 3 ] >> 8) & 0xFF ], 16 ) \ - ^ ROR( p_table[ p_tmp[ y ] & 0xFF ], 24 ) \ - ^ p_ctx[ i_ctx ] + /* AES is a block cypher, round down the byte count */ + i_blocks = i_bytes / 16; + i_bytes = i_blocks * 16; - for( x = 0; x < 1; x++ ) + /* Initialise the key */ + if( !p_key ) { - memcpy( p_tmp2, p_tmp1, sizeof(p_tmp1) ); - - for( y = 0; y < 4; y++ ) - { - p_tmp1[ y ] = XOR_ROR( p_table1, p_tmp2, 1 + i - x + y ); - } + p_key = p_key_buf; + memcpy( p_key, p_drms->p_key, 16 ); } - for( ; x < 9; x++ ) + /* Unscramble */ + while( i_blocks-- ) { - memcpy( p_tmp2, p_tmp1, sizeof(p_tmp1) ); + uint32_t p_tmp[ 4 ]; - for( y = 0; y < 4; y++ ) - { - p_tmp1[ y ] = XOR_ROR( p_table1, p_tmp2, - 1 + i - x - ((x * 3) - y) ); - } - } + REVERSE( p_buffer, 4 ); + DecryptAES( &p_drms->aes, p_tmp, p_buffer ); + BlockXOR( p_tmp, p_key, p_tmp ); - for( y = 0; y < 4; y++ ) - { - p_out[ y ] = XOR_ROR( p_table2, p_tmp1, - 1 + i - x - ((x * 3) - y) ); - } + /* Use the previous scrambled data as the key for next block */ + memcpy( p_key, p_buffer, 16 ); + + /* Copy unscrambled data back to the buffer */ + memcpy( p_buffer, p_tmp, 16 ); + REVERSE( p_buffer, 4 ); -#undef XOR_ROR + p_buffer += 4; + } } -static void taos( uint32_t *p_buffer, uint32_t *p_input ) +/***************************************************************************** + * drms_get_p_key: copy the p_key into user buffer + ****************************************************************************/ +void drms_get_p_key( void *_p_drms, uint32_t *p_key ) { - uint32_t i; - uint32_t x = 0; - uint32_t p_tmp1[ 4 ]; - uint32_t p_tmp2[ 4 ]; + struct drms_s *p_drms = (struct drms_s *)_p_drms; - memcpy( p_tmp1, p_buffer, sizeof(p_tmp1) ); + memcpy( p_key, p_drms->p_key, 16 ); +} - p_tmp2[ 0 ] = ((~p_tmp1[ 1 ] & p_tmp1[ 3 ]) - | (p_tmp1[ 2 ] & p_tmp1[ 1 ])) + p_input[ x ]; - p_tmp1[ 0 ] = p_tmp2[ 0 ] + p_tmp1[ 0 ] + p_drms_tab_taos[ x++ ]; +/***************************************************************************** + * drms_init: initialise a DRMS structure + ***************************************************************************** + * Return values: + * 0: success + * -1: unimplemented + * -2: invalid argument + * -3: could not get system key + * -4: could not get SCI data + * -5: no user key found in SCI data + * -6: invalid user key + *****************************************************************************/ +int drms_init( void *_p_drms, uint32_t i_type, + uint8_t *p_info, uint32_t i_len ) +{ + struct drms_s *p_drms = (struct drms_s *)_p_drms; + int i_ret = 0; - for( i = 0; i < 4; i++ ) + switch( i_type ) { - p_tmp2[ 0 ] = ((p_tmp1[ 0 ] >> 0x19) - | (p_tmp1[ 0 ] << 0x7)) + p_tmp1[ 1 ]; - p_tmp2[ 1 ] = ((~p_tmp2[ 0 ] & p_tmp1[ 2 ]) - | (p_tmp1[ 1 ] & p_tmp2[ 0 ])) + p_input[ x ]; - p_tmp2[ 1 ] += p_tmp1[ 3 ] + p_drms_tab_taos[ x++ ]; + case FOURCC_user: + if( i_len < sizeof(p_drms->i_user) ) + { + i_ret = -2; + break; + } - p_tmp1[ 3 ] = ((p_tmp2[ 1 ] >> 0x14) - | (p_tmp2[ 1 ] << 0xC)) + p_tmp2[ 0 ]; - p_tmp2[ 1 ] = ((~p_tmp1[ 3 ] & p_tmp1[ 1 ]) - | (p_tmp1[ 3 ] & p_tmp2[ 0 ])) + p_input[ x ]; - p_tmp2[ 1 ] += p_tmp1[ 2 ] + p_drms_tab_taos[ x++ ]; + p_drms->i_user = U32_AT( p_info ); + break; - p_tmp1[ 2 ] = ((p_tmp2[ 1 ] >> 0xF) - | (p_tmp2[ 1 ] << 0x11)) + p_tmp1[ 3 ]; - p_tmp2[ 1 ] = ((~p_tmp1[ 2 ] & p_tmp2[ 0 ]) - | (p_tmp1[ 3 ] & p_tmp1[ 2 ])) + p_input[ x ]; - p_tmp2[ 2 ] = p_tmp2[ 1 ] + p_tmp1[ 1 ] + p_drms_tab_taos[ x++ ]; + case FOURCC_key: + if( i_len < sizeof(p_drms->i_key) ) + { + i_ret = -2; + break; + } - p_tmp1[ 1 ] = ((p_tmp2[ 2 ] << 0x16) - | (p_tmp2[ 2 ] >> 0xA)) + p_tmp1[ 2 ]; - if( i == 3 ) - { - p_tmp2[ 1 ] = ((~p_tmp1[ 3 ] & p_tmp1[ 2 ]) - | (p_tmp1[ 3 ] & p_tmp1[ 1 ])) + p_input[ 1 ]; - } - else - { - p_tmp2[ 1 ] = ((~p_tmp1[ 1 ] & p_tmp1[ 3 ]) - | (p_tmp1[ 2 ] & p_tmp1[ 1 ])) + p_input[ x ]; - } - p_tmp1[ 0 ] = p_tmp2[ 0 ] + p_tmp2[ 1 ] + p_drms_tab_taos[ x++ ]; - } + p_drms->i_key = U32_AT( p_info ); + break; - for( i = 0; i < 4; i++ ) - { - uint8_t p_table[ 4 ][ 4 ] = - { - { 6, 11, 0, 5 }, - { 10, 15, 4, 9 }, - { 14, 3, 8, 13 }, - { 2, 7, 12, 5 } - }; - - p_tmp2[ 0 ] = ((p_tmp1[ 0 ] >> 0x1B) - | (p_tmp1[ 0 ] << 0x5)) + p_tmp1[ 1 ]; - p_tmp2[ 1 ] = ((~p_tmp1[ 2 ] & p_tmp1[ 1 ]) - | (p_tmp1[ 2 ] & p_tmp2[ 0 ])) - + p_input[ p_table[ i ][ 0 ] ]; - p_tmp2[ 1 ] += p_tmp1[ 3 ] + p_drms_tab_taos[ x++ ]; - - p_tmp1[ 3 ] = ((p_tmp2[ 1 ] >> 0x17) - | (p_tmp2[ 1 ] << 0x9)) + p_tmp2[ 0 ]; - p_tmp2[ 1 ] = ((~p_tmp1[ 1 ] & p_tmp2[ 0 ]) - | (p_tmp1[ 3 ] & p_tmp1[ 1 ])) - + p_input[ p_table[ i ][ 1 ] ]; - p_tmp2[ 1 ] += p_tmp1[ 2 ] + p_drms_tab_taos[ x++ ]; - - p_tmp1[ 2 ] = ((p_tmp2[ 1 ] >> 0x12) - | (p_tmp2[ 1 ] << 0xE)) + p_tmp1[ 3 ]; - p_tmp2[ 1 ] = ((~p_tmp2[ 0 ] & p_tmp1[ 3 ]) - | (p_tmp1[ 2 ] & p_tmp2[ 0 ])) - + p_input[ p_table[ i ][ 2 ] ]; - p_tmp2[ 1 ] += p_tmp1[ 1 ] + p_drms_tab_taos[ x++ ]; - - p_tmp1[ 1 ] = ((p_tmp2[ 1 ] << 0x14) - | (p_tmp2[ 1 ] >> 0xC)) + p_tmp1[ 2 ]; - if( i == 3 ) - { - p_tmp2[ 1 ] = (p_tmp1[ 3 ] ^ p_tmp1[ 2 ] ^ p_tmp1[ 1 ]) - + p_input[ p_table[ i ][ 3 ] ]; - } - else + case FOURCC_iviv: + if( i_len < sizeof(p_drms->p_key) ) + { + i_ret = -2; + break; + } + + memcpy( p_drms->p_iviv, p_info, 16 ); + break; + + case FOURCC_name: + p_drms->p_name = (uint8_t*) strdup( (char *)p_info ); + + if( p_drms->p_name == NULL ) + { + i_ret = -2; + } + break; + + case FOURCC_priv: { - p_tmp2[ 1 ] = ((~p_tmp1[ 3 ] & p_tmp1[ 2 ]) - | (p_tmp1[ 3 ] & p_tmp1[ 1 ])) - + p_input[ p_table[ i ][ 3 ] ]; + uint32_t p_priv[ 64 ]; + struct md5_s md5; + + if( i_len < 64 ) + { + i_ret = -2; + break; + } + + InitMD5( &md5 ); + AddMD5( &md5, p_drms->p_name, strlen( (char *)p_drms->p_name ) ); + AddMD5( &md5, p_drms->p_iviv, 16 ); + EndMD5( &md5 ); + + if( p_drms->i_user == 0 && p_drms->i_key == 0 ) + { + static const char p_secret[] = "tr1-th3n.y00_by3"; + memcpy( p_drms->p_key, p_secret, 16 ); + REVERSE( p_drms->p_key, 4 ); + } + else + { + i_ret = GetUserKey( p_drms, p_drms->p_key ); + if( i_ret ) + { + break; + } + } + + InitAES( &p_drms->aes, p_drms->p_key ); + + memcpy( p_priv, p_info, 64 ); + memcpy( p_drms->p_key, md5.p_digest, 16 ); + drms_decrypt( p_drms, p_priv, 64, NULL ); + REVERSE( p_priv, 64 ); + + if( p_priv[ 0 ] != 0x6e757469 ) /* itun */ + { + i_ret = -6; + break; + } + + InitAES( &p_drms->aes, p_priv + 6 ); + memcpy( p_drms->p_key, p_priv + 12, 16 ); + + free( (void *)p_drms->p_name ); + p_drms->p_name = NULL; } - p_tmp1[ 0 ] = p_tmp2[ 0 ] + p_tmp2[ 1 ] + p_drms_tab_taos[ x++ ]; + break; } - for( i = 0; i < 4; i++ ) + return i_ret; +} + +/* The following functions are local */ + +/***************************************************************************** + * InitAES: initialise AES/Rijndael encryption/decryption tables + ***************************************************************************** + * The Advanced Encryption Standard (AES) is described in RFC 3268 + *****************************************************************************/ +static void InitAES( struct aes_s *p_aes, uint32_t *p_key ) +{ + unsigned int i, t; + uint32_t i_key, i_seed; + + memset( p_aes->pp_enc_keys[1], 0, 16 ); + memcpy( p_aes->pp_enc_keys[0], p_key, 16 ); + + /* Generate the key tables */ + i_seed = p_aes->pp_enc_keys[ 0 ][ 3 ]; + + for( i_key = 0; i_key < AES_KEY_COUNT; i_key++ ) { - uint8_t p_table[ 4 ][ 4 ] = - { - { 8, 11, 14, 1 }, - { 4, 7, 10, 13 }, - { 0, 3, 6, 9 }, - { 12, 15, 2, 0 } - }; + uint32_t j; - p_tmp2[ 0 ] = ((p_tmp1[ 0 ] >> 0x1C) - | (p_tmp1[ 0 ] << 0x4)) + p_tmp1[ 1 ]; - p_tmp2[ 1 ] = (p_tmp1[ 2 ] ^ p_tmp1[ 1 ] ^ p_tmp2[ 0 ]) - + p_input[ p_table[ i ][ 0 ] ]; - p_tmp2[ 1 ] += p_tmp1[ 3 ] + p_drms_tab_taos[ x++ ]; + i_seed = AES_ROR( i_seed, 8 ); - p_tmp1[ 3 ] = ((p_tmp2[ 1 ] >> 0x15) - | (p_tmp2[ 1 ] << 0xB)) + p_tmp2[ 0 ]; - p_tmp2[ 1 ] = (p_tmp1[ 3 ] ^ p_tmp1[ 1 ] ^ p_tmp2[ 0 ]) - + p_input[ p_table[ i ][ 1 ] ]; - p_tmp2[ 1 ] += p_tmp1[ 2 ] + p_drms_tab_taos[ x++ ]; + j = p_aes_table[ i_key ]; - p_tmp1[ 2 ] = ((p_tmp2[ 1 ] >> 0x10) - | (p_tmp2[ 1 ] << 0x10)) + p_tmp1[ 3 ]; - p_tmp2[ 1 ] = (p_tmp1[ 3 ] ^ p_tmp1[ 2 ] ^ p_tmp2[ 0 ]) - + p_input[ p_table[ i ][ 2 ] ]; - p_tmp2[ 1 ] += p_tmp1[ 1 ] + p_drms_tab_taos[ x++ ]; + j ^= p_aes_encrypt[ (i_seed >> 24) & 0xff ] + ^ AES_ROR( p_aes_encrypt[ (i_seed >> 16) & 0xff ], 8 ) + ^ AES_ROR( p_aes_encrypt[ (i_seed >> 8) & 0xff ], 16 ) + ^ AES_ROR( p_aes_encrypt[ i_seed & 0xff ], 24 ); - p_tmp1[ 1 ] = ((p_tmp2[ 1 ] << 0x17) - | (p_tmp2[ 1 ] >> 0x9)) + p_tmp1[ 2 ]; - if( i == 3 ) - { - p_tmp2[ 1 ] = ((~p_tmp1[ 3 ] | p_tmp1[ 1 ]) ^ p_tmp1[ 2 ]) - + p_input[ p_table[ i ][ 3 ] ]; - } - else - { - p_tmp2[ 1 ] = (p_tmp1[ 3 ] ^ p_tmp1[ 2 ] ^ p_tmp1[ 1 ]) - + p_input[ p_table[ i ][ 3 ] ]; - } - p_tmp1[ 0 ] = p_tmp2[ 0 ] + p_tmp2[ 1 ] + p_drms_tab_taos[ x++ ]; + j ^= p_aes->pp_enc_keys[ i_key ][ 0 ]; + p_aes->pp_enc_keys[ i_key + 1 ][ 0 ] = j; + j ^= p_aes->pp_enc_keys[ i_key ][ 1 ]; + p_aes->pp_enc_keys[ i_key + 1 ][ 1 ] = j; + j ^= p_aes->pp_enc_keys[ i_key ][ 2 ]; + p_aes->pp_enc_keys[ i_key + 1 ][ 2 ] = j; + j ^= p_aes->pp_enc_keys[ i_key ][ 3 ]; + p_aes->pp_enc_keys[ i_key + 1 ][ 3 ] = j; + + i_seed = j; } - for( i = 0; i < 4; i++ ) + memcpy( p_aes->pp_dec_keys[ 0 ], + p_aes->pp_enc_keys[ 0 ], 16 ); + + for( i = 1; i < AES_KEY_COUNT; i++ ) { - uint8_t p_table[ 4 ][ 4 ] = + for( t = 0; t < 4; t++ ) { - { 7, 14, 5, 12 }, - { 3, 10, 1, 8 }, - { 15, 6, 13, 4 }, - { 11, 2, 9, 0 } - }; + uint32_t j, k, l, m, n; - p_tmp2[ 0 ] = ((p_tmp1[ 0 ] >> 0x1A) - | (p_tmp1[ 0 ] << 0x6)) + p_tmp1[ 1 ]; - p_tmp2[ 1 ] = ((~p_tmp1[ 2 ] | p_tmp2[ 0 ]) ^ p_tmp1[ 1 ]) - + p_input[ p_table[ i ][ 0 ] ]; - p_tmp2[ 1 ] += p_tmp1[ 3 ] + p_drms_tab_taos[ x++ ]; + j = p_aes->pp_enc_keys[ i ][ t ]; - p_tmp1[ 3 ] = ((p_tmp2[ 1 ] >> 0x16) - | (p_tmp2[ 1 ] << 0xA)) + p_tmp2[ 0 ]; - p_tmp2[ 1 ] = ((~p_tmp1[ 1 ] | p_tmp1[ 3 ]) ^ p_tmp2[ 0 ]) - + p_input[ p_table[ i ][ 1 ] ]; - p_tmp2[ 1 ] += p_tmp1[ 2 ] + p_drms_tab_taos[ x++ ]; + k = (((j >> 7) & 0x01010101) * 27) ^ ((j & 0xff7f7f7f) << 1); + l = (((k >> 7) & 0x01010101) * 27) ^ ((k & 0xff7f7f7f) << 1); + m = (((l >> 7) & 0x01010101) * 27) ^ ((l & 0xff7f7f7f) << 1); - p_tmp1[ 2 ] = ((p_tmp2[ 1 ] >> 0x11) - | (p_tmp2[ 1 ] << 0xF)) + p_tmp1[ 3 ]; - p_tmp2[ 1 ] = ((~p_tmp2[ 0 ] | p_tmp1[ 2 ]) ^ p_tmp1[ 3 ]) - + p_input[ p_table[ i ][ 2 ] ]; - p_tmp2[ 1 ] += p_tmp1[ 1 ] + p_drms_tab_taos[ x++ ]; + j ^= m; - p_tmp1[ 1 ] = ((p_tmp2[ 1 ] << 0x15) - | (p_tmp2[ 1 ] >> 0xB)) + p_tmp1[ 2 ]; + n = AES_ROR( l ^ j, 16 ) ^ AES_ROR( k ^ j, 8 ) ^ AES_ROR( j, 24 ); - if( i < 3 ) - { - p_tmp2[ 1 ] = ((~p_tmp1[ 3 ] | p_tmp1[ 1 ]) ^ p_tmp1[ 2 ]) - + p_input[ p_table[ i ][ 3 ] ]; - p_tmp1[ 0 ] = p_tmp2[ 0 ] + p_tmp2[ 1 ] + p_drms_tab_taos[ x++ ]; + p_aes->pp_dec_keys[ i ][ t ] = k ^ l ^ m ^ n; } } - - p_buffer[ 0 ] += p_tmp2[ 0 ]; - p_buffer[ 1 ] += p_tmp1[ 1 ]; - p_buffer[ 2 ] += p_tmp1[ 2 ]; - p_buffer[ 3 ] += p_tmp1[ 3 ]; } -static void taos_add1( uint32_t *p_buffer, - uint8_t *p_in, uint32_t i_len ) +/***************************************************************************** + * DecryptAES: decrypt an AES/Rijndael 128 bit block + *****************************************************************************/ +static void DecryptAES( struct aes_s *p_aes, + uint32_t *p_dest, const uint32_t *p_src ) { - uint32_t i; - uint32_t x, y; - uint32_t p_tmp[ 16 ]; - uint32_t i_offset = 0; - - x = p_buffer[ 6 ] & 63; - y = 64 - x; - - p_buffer[ 6 ] += i_len; + uint32_t p_wtxt[ 4 ]; /* Working cyphertext */ + uint32_t p_tmp[ 4 ]; + unsigned int i_round, t; - if( i_len < y ) + for( t = 0; t < 4; t++ ) { - memcpy( &((uint8_t *)p_buffer)[ 48 + x ], p_in, i_len ); + /* FIXME: are there any endianness issues here? */ + p_wtxt[ t ] = p_src[ t ] ^ p_aes->pp_enc_keys[ AES_KEY_COUNT ][ t ]; } - else + + /* Rounds 0 - 8 */ + for( i_round = 0; i_round < (AES_KEY_COUNT - 1); i_round++ ) { - if( x ) + for( t = 0; t < 4; t++ ) { - memcpy( &((uint8_t *)p_buffer)[ 48 + x ], p_in, y ); - taos( &p_buffer[ 8 ], &p_buffer[ 12 ] ); - i_offset = y; - i_len -= y; + p_tmp[ t ] = AES_XOR_ROR( p_aes_itable, p_wtxt ); } - if( i_len >= 64 ) + for( t = 0; t < 4; t++ ) { - for( i = 0; i < i_len / 64; i++ ) - { - memcpy( p_tmp, &p_in[ i_offset ], sizeof(p_tmp) ); - taos( &p_buffer[ 8 ], p_tmp ); - i_offset += 64; - i_len -= 64; - } + p_wtxt[ t ] = p_tmp[ t ] + ^ p_aes->pp_dec_keys[ (AES_KEY_COUNT - 1) - i_round ][ t ]; } + } - if( i_len ) - { - memcpy( &p_buffer[ 12 ], &p_in[ i_offset ], i_len ); - } + /* Final round (9) */ + for( t = 0; t < 4; t++ ) + { + p_dest[ t ] = AES_XOR_ROR( p_aes_decrypt, p_wtxt ); + p_dest[ t ] ^= p_aes->pp_dec_keys[ 0 ][ t ]; } } -static void taos_end1( uint32_t *p_buffer, uint32_t *p_out ) +/***************************************************************************** + * InitShuffle: initialise a shuffle structure + ***************************************************************************** + * This function initialises tables in the p_shuffle structure that will be + * used later by DoShuffle. The only external parameter is p_sys_key. + *****************************************************************************/ +static void InitShuffle( struct shuffle_s *p_shuffle, uint32_t *p_sys_key, + uint32_t i_version ) { - uint32_t x, y; + char p_secret1[] = "Tv!*"; + static const char p_secret2[] = "____v8rhvsaAvOKM____FfUH%798=[;." + "____f8677680a634____ba87fnOIf)(*"; + unsigned int i; - x = p_buffer[ 6 ] & 63; - y = 63 - x; + p_shuffle->i_version = i_version; - ((uint8_t *)p_buffer)[ 48 + x++ ] = 128; - - if( y < 8 ) + /* Fill p_commands using the key and a secret seed */ + for( i = 0; i < 20; i++ ) { - memset( &((uint8_t *)p_buffer)[ 48 + x ], 0, y ); - taos( &p_buffer[ 8 ], &p_buffer[ 12 ] ); - y = 64; - x = 0; - } + struct md5_s md5; + int32_t i_hash; + + InitMD5( &md5 ); + AddMD5( &md5, (const uint8_t *)p_sys_key, 16 ); + AddMD5( &md5, (const uint8_t *)p_secret1, 4 ); + EndMD5( &md5 ); - memset( &((uint8_t *)p_buffer)[ 48 + x ], 0, y ); + p_secret1[ 3 ]++; - p_buffer[ 26 ] = p_buffer[ 6 ] * 8; - p_buffer[ 27 ] = p_buffer[ 6 ] >> 29; - taos( &p_buffer[ 8 ], &p_buffer[ 12 ] ); + REVERSE( md5.p_digest, 1 ); + i_hash = ((int32_t)U32_AT(md5.p_digest)) % 1024; + + p_shuffle->p_commands[ i ] = i_hash < 0 ? i_hash * -1 : i_hash; + } - memcpy( p_out, &p_buffer[ 8 ], sizeof(*p_out) * 4 ); + /* Fill p_bordel with completely meaningless initial values. */ + memcpy( p_shuffle->p_bordel, p_secret2, 64 ); + for( i = 0; i < 4; i++ ) + { + p_shuffle->p_bordel[ 4 * i ] = U32_AT(p_sys_key + i); + REVERSE( p_shuffle->p_bordel + 4 * i + 1, 3 ); + } } -static void taos_add2( uint32_t *p_buffer, uint8_t *p_in, uint32_t i_len ) +/***************************************************************************** + * DoShuffle: shuffle buffer + ***************************************************************************** + * This is so ugly and uses so many MD5 checksums that it is most certainly + * one-way, though why it needs to be so complicated is beyond me. + *****************************************************************************/ +static void DoShuffle( struct shuffle_s *p_shuffle, + uint32_t *p_buffer, uint32_t i_size ) { - uint32_t i, x; - uint32_t p_tmp[ 16 ]; - - x = (p_buffer[ 0 ] / 8) & 63; - i = p_buffer[ 0 ] + i_len * 8; + struct md5_s md5; + uint32_t p_big_bordel[ 16 ]; + uint32_t *p_bordel = p_shuffle->p_bordel; + unsigned int i; - if( i < p_buffer[ 0 ] ) + static const uint32_t p_secret3[] = { - p_buffer[ 1 ] += 1; - } + 0xAAAAAAAA, 0x01757700, 0x00554580, 0x01724500, 0x00424580, + 0x01427700, 0x00000080, 0xC1D59D01, 0x80144981, 0x815C8901, + 0x80544981, 0x81D45D01, 0x00000080, 0x81A3BB03, 0x00A2AA82, + 0x01A3BB03, 0x0022A282, 0x813BA202, 0x00000080, 0x6D575737, + 0x4A5275A5, 0x6D525725, 0x4A5254A5, 0x6B725437, 0x00000080, + 0xD5DDB938, 0x5455A092, 0x5D95A013, 0x4415A192, 0xC5DD393A, + 0x00000080, 0x55555555 + }; + static const uint32_t i_secret3 = sizeof(p_secret3)/sizeof(p_secret3[0]); - p_buffer[ 0 ] = i; - p_buffer[ 1 ] += i_len >> 29; + static const char p_secret4[] = + "pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq."; + static const uint32_t i_secret4 = sizeof(p_secret4)/sizeof(p_secret4[0]); /* It include the terminal '\0' */ - for( i = 0; i < i_len; i++ ) + /* Using the MD5 hash of a memory block is probably not one-way enough + * for the iTunes people. This function randomises p_bordel depending on + * the values in p_commands to make things even more messy in p_bordel. */ + for( i = 0; i < 20; i++ ) { - ((uint8_t *)p_buffer)[ 24 + x++ ] = p_in[ i ]; + uint8_t i_command, i_index; - if( x != 64 ) + if( !p_shuffle->p_commands[ i ] ) + { continue; + } + + i_command = (p_shuffle->p_commands[ i ] & 0x300) >> 8; + i_index = p_shuffle->p_commands[ i ] & 0xff; - memcpy( p_tmp, &p_buffer[ 6 ], sizeof(p_tmp) ); - taos( &p_buffer[ 2 ], p_tmp ); + switch( i_command ) + { + case 0x3: + p_bordel[ i_index & 0xf ] = p_bordel[ i_index >> 4 ] + + p_bordel[ ((i_index + 0x10) >> 4) & 0xf ]; + break; + case 0x2: + p_bordel[ i_index >> 4 ] ^= p_shuffle_xor[ 0xff - i_index ]; + break; + case 0x1: + p_bordel[ i_index >> 4 ] -= p_shuffle_sub[ 0xff - i_index ]; + break; + default: + p_bordel[ i_index >> 4 ] += p_shuffle_add[ 0xff - i_index ]; + break; + } } -} -static void taos_add2e( uint32_t *p_buffer, uint32_t *p_in, uint32_t i_len ) -{ - uint32_t i, x, y; - uint32_t p_tmp[ 32 ]; + if( p_shuffle->i_version == 0x01000300 ) + { + DoExtShuffle( p_bordel ); + } - if( i_len ) + /* Convert our newly randomised p_bordel to big endianness and take + * its MD5 hash. */ + InitMD5( &md5 ); + for( i = 0; i < 16; i++ ) { - for( x = i_len; x; x -= y ) - { - y = x > 32 ? 32 : x; + p_big_bordel[ i ] = U32_AT(p_bordel + i); + } + AddMD5( &md5, (const uint8_t *)p_big_bordel, 64 ); + if( p_shuffle->i_version == 0x01000300 ) + { + uint32_t p_tmp3[i_secret3]; + char p_tmp4[i_secret4]; - for( i = 0; i < y; i++ ) - { - p_tmp[ i ] = U32_AT(&p_in[ i ]); - } - } + memcpy( p_tmp3, p_secret3, sizeof(p_secret3) ); + REVERSE( p_tmp3, i_secret3 ); + +#define ROT13(c) (((c)>='A'&&(c)<='Z')?(((c)-'A'+13)%26)+'A':\ + ((c)>='a'&&(c)<='z')?(((c)-'a'+13)%26)+'a':c) + for( uint32_t i = 0; i < i_secret4; i++ ) + p_tmp4[i] = ROT13( p_secret4[i] ); +#undef ROT13 + + AddMD5( &md5, (const uint8_t *)p_tmp3, sizeof(p_secret3) ); + AddMD5( &md5, (const uint8_t *)p_tmp4, i_secret4 ); } + EndMD5( &md5 ); - taos_add2( p_buffer, (uint8_t *)p_tmp, i_len * sizeof(p_tmp[ 0 ]) ); + /* XOR our buffer with the computed checksum */ + for( i = 0; i < i_size; i++ ) + { + p_buffer[ i ] ^= md5.p_digest[ i ]; + } } -static void taos_end2( uint32_t *p_buffer ) +/***************************************************************************** + * DoExtShuffle: extended shuffle + ***************************************************************************** + * This is even uglier. + *****************************************************************************/ +static void DoExtShuffle( uint32_t * p_bordel ) { - uint32_t x; - uint32_t p_tmp[ 16 ]; + uint32_t i_ret; + + i_ret = FirstPass( p_bordel ); - p_tmp[ 14 ] = p_buffer[ 0 ]; - p_tmp[ 15 ] = p_buffer[ 1 ]; + SecondPass( p_bordel, i_ret ); - x = (p_buffer[ 0 ] / 8) & 63; + ThirdPass( p_bordel ); - taos_add2( p_buffer, p_drms_tab_tend, 56 - x ); - memcpy( p_tmp, &p_buffer[ 6 ], 56 ); - taos( &p_buffer[ 2 ], p_tmp ); - memcpy( &p_buffer[ 22 ], &p_buffer[ 2 ], sizeof(*p_buffer) * 4 ); + FourthPass( p_bordel ); } -static void taos_add3( uint32_t *p_buffer, uint8_t *p_key, uint32_t i_len ) +static uint32_t FirstPass( uint32_t * p_bordel ) { - uint32_t x, y; - uint32_t i = 0; - - x = (p_buffer[ 4 ] / 8) & 63; - p_buffer[ 4 ] += i_len * 8; + uint32_t i, i_cmd, i_ret = 5; - if( p_buffer[ 4 ] < i_len * 8 ) - p_buffer[ 5 ] += 1; + TinyShuffle1( p_bordel ); - p_buffer[ 5 ] += i_len >> 29; + for( ; ; ) + { + for( ; ; ) + { + p_bordel[ 1 ] += 0x10000000; + p_bordel[ 3 ] += 0x12777; - y = 64 - x; + if( (p_bordel[ 10 ] & 1) && i_ret ) + { + i_ret--; + p_bordel[ 1 ] -= p_bordel[ 2 ]; + p_bordel[ 11 ] += p_bordel[ 12 ]; + break; + } - if( i_len >= y ) - { - memcpy( &((uint8_t *)p_buffer)[ 24 + x ], p_key, y ); - taos( p_buffer, &p_buffer[ 6 ] ); + if( (p_bordel[ 1 ] + p_bordel[ 2 ]) >= 0x7D0 ) + { + switch( ((p_bordel[ 3 ] ^ 0x567F) >> 2) & 7 ) + { + case 0: + for( i = 0; i < 3; i++ ) + { + if( p_bordel[ i + 10 ] > 0x4E20 ) + { + p_bordel[ i + 1 ] += p_bordel[ i + 2 ]; + } + } + break; + case 4: + p_bordel[ 1 ] -= p_bordel[ 2 ]; + /* no break */ + case 3: + p_bordel[ 11 ] += p_bordel[ 12 ]; + break; + case 6: + p_bordel[ 3 ] ^= p_bordel[ 4 ]; + /* no break */ + case 8: + p_bordel[ 13 ] &= p_bordel[ 14 ]; + /* no break */ + case 1: + p_bordel[ 0 ] |= p_bordel[ 1 ]; + if( i_ret ) + { + return i_ret; + } + break; + } - i = y; - y += 63; + break; + } + } - if( y < i_len ) + for( i = 0, i_cmd = 0; i < 16; i++ ) { - for( ; y < i_len; y += 64, i += 64 ) + if( p_bordel[ i ] < p_bordel[ i_cmd ] ) { - taos( p_buffer, (uint32_t *)&p_key[y - 63] ); + i_cmd = i; } } + + if( i_ret && i_cmd != 5 ) + { + i_ret--; + } else { - x = 0; + if( i_cmd == 5 ) + { + p_bordel[ 8 ] &= p_bordel[ 6 ] >> 1; + p_bordel[ 3 ] <<= 1; + } + + for( i = 0; i < 3; i++ ) + { + p_bordel[ 11 ] += 1; + if( p_bordel[ 11 ] & 5 ) + { + p_bordel[ 8 ] += p_bordel[ 9 ]; + } + else if( i_ret ) + { + i_ret--; + i_cmd = 3; + goto break2; + } + } + + i_cmd = (p_bordel[ 15 ] + 0x93) >> 3; + if( p_bordel[ 15 ] & 0x100 ) + { + i_cmd ^= 0xDEAD; + } + } + + switch( i_cmd & 3 ) + { + case 0: + while( p_bordel[ 11 ] & 1 ) + { + p_bordel[ 11 ] >>= 1; + p_bordel[ 12 ] += 1; + } + /* no break */ + case 2: + p_bordel[ 14 ] -= 0x19FE; + break; + case 3: + if( i_ret ) + { + i_ret--; + p_bordel[ 5 ] += 5; + continue; + } + break; } + + i_cmd = ((p_bordel[ 3 ] + p_bordel[ 4 ] + 10) >> 1) - p_bordel[ 4 ]; + break; + } +break2: + + switch( i_cmd & 3 ) + { + case 0: + p_bordel[ 14 ] >>= 1; + break; + case 1: + p_bordel[ 5 ] <<= 2; + break; + case 2: + p_bordel[ 12 ] |= 5; + break; + case 3: + p_bordel[ 15 ] &= 0x55; + if( i_ret ) + { + p_bordel[ 2 ] &= 0xB62FC; + return i_ret; + } + break; } - memcpy( &((uint8_t *)p_buffer)[ 24 + x ], &p_key[ i ], i_len - i ); + TinyShuffle2( p_bordel ); + + return i_ret; } -static int taos_osi( uint32_t *p_buffer ) +static void SecondPass( uint32_t * p_bordel, uint32_t i_tmp ) { - int i_ret = 0; + uint32_t i, i_cmd, i_jc = 5; -#ifdef WIN32 - HKEY i_key; - uint32_t i; - DWORD i_size; - DWORD i_serial; - LPBYTE p_reg_buf; + TinyShuffle3( p_bordel ); - static LPCTSTR p_reg_keys[ 3 ][ 2 ] = + for( i = 0, i_cmd = 0; i < 16; i++ ) { + if( p_bordel[ i ] > p_bordel[ i_cmd ] ) { - _T("HARDWARE\\DESCRIPTION\\System"), - _T("SystemBiosVersion") - }, + i_cmd = i; + } + } - { - _T("HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"), - _T("ProcessorNameString") - }, + switch( i_cmd ) + { + case 0: + if( p_bordel[ 1 ] < p_bordel[ 8 ] ) + { + p_bordel[ 5 ] += 1; + } + break; + case 4: + if( (p_bordel[ 9 ] & 0x7777) == 0x3333 ) + { + p_bordel[ 5 ] -= 1; + } + else + { + i_jc--; + if( p_bordel[ 1 ] < p_bordel[ 8 ] ) + { + p_bordel[ 5 ] += 1; + } + break; + } + /* no break */ + case 7: + p_bordel[ 2 ] -= 1; + p_bordel[ 1 ] -= p_bordel[ 5 ]; + for( i = 0; i < 3; i++ ) + { + switch( p_bordel[ 1 ] & 3 ) + { + case 0: + p_bordel[ 1 ] += 1; + /* no break */ + case 1: + p_bordel[ 3 ] -= 8; + break; + case 2: + p_bordel[ 13 ] &= 0xFEFEFEF7; + break; + case 3: + p_bordel[ 8 ] |= 0x80080011; + break; + } + } + return; + case 10: + p_bordel[ 4 ] -= 1; + p_bordel[ 5 ] += 1; + p_bordel[ 6 ] -= 1; + p_bordel[ 7 ] += 1; + break; + default: + p_bordel[ 15 ] ^= 0x18547EFF; + break; + } + for( i = 3; i--; ) + { + switch( ( p_bordel[ 12 ] + p_bordel[ 13 ] + p_bordel[ 6 ] ) % 5 ) { - _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion"), - _T("ProductId") + case 0: + p_bordel[ 12 ] -= 1; + /* no break */ + case 1: + p_bordel[ 12 ] -= 1; + p_bordel[ 13 ] += 1; + break; + case 2: + p_bordel[ 13 ] += 4; + /* no break */ + case 3: + p_bordel[ 12 ] -= 1; + break; + case 4: + i_jc--; + p_bordel[ 5 ] += 1; + p_bordel[ 6 ] -= 1; + p_bordel[ 7 ] += 1; + i = 3; /* Restart the whole loop */ + break; } - }; + } - taos_add1( p_buffer, "cache-control", 13 ); - taos_add1( p_buffer, "Ethernet", 8 ); + TinyShuffle4( p_bordel ); - GetVolumeInformation( _T("C:\\"), NULL, 0, &i_serial, - NULL, NULL, NULL, 0 ); - taos_add1( p_buffer, (uint8_t *)&i_serial, 4 ); - - for( i = 0; i < sizeof(p_reg_keys)/sizeof(p_reg_keys[ 0 ]); i++ ) + for( ; ; ) { - if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, p_reg_keys[ i ][ 0 ], - 0, KEY_READ, &i_key ) == ERROR_SUCCESS ) - { - if( RegQueryValueEx( i_key, p_reg_keys[ i ][ 1 ], - NULL, NULL, NULL, - &i_size ) == ERROR_SUCCESS ) - { - p_reg_buf = malloc( i_size ); + TinyShuffle5( p_bordel ); - if( p_reg_buf != NULL ) + switch( ( p_bordel[ 2 ] * 2 + 15 ) % 5 ) + { + case 0: + if( ( p_bordel[ 3 ] + i_tmp ) <= + ( p_bordel[ 1 ] + p_bordel[ 15 ] ) ) { - if( RegQueryValueEx( i_key, p_reg_keys[ i ][ 1 ], - NULL, NULL, p_reg_buf, - &i_size ) == ERROR_SUCCESS ) - { - taos_add1( p_buffer, (uint8_t *)p_reg_buf, - i_size ); - } - - free( p_reg_buf ); + p_bordel[ 3 ] += 1; } - } + break; + case 4: + p_bordel[ 10 ] -= 0x13; + break; + case 3: + p_bordel[ 5 ] >>= 2; + break; + } - RegCloseKey( i_key ); + if( !( p_bordel[ 2 ] & 1 ) || i_jc == 0 ) + { + break; } + + i_jc--; + p_bordel[ 2 ] += 0x13; + p_bordel[ 12 ] += 1; } -#else - i_ret = -1; -#endif + p_bordel[ 2 ] &= 0x10076000; +} + +static void ThirdPass( uint32_t * p_bordel ) +{ + uint32_t i_cmd; + + i_cmd = ((p_bordel[ 7 ] + p_bordel[ 14 ] + 10) >> 1) - p_bordel[ 14 ]; + i_cmd = i_cmd % 10; + + switch( i_cmd ) + { + case 0: + p_bordel[ 1 ] <<= 1; + p_bordel[ 2 ] <<= 2; + p_bordel[ 3 ] <<= 3; + break; + case 6: + p_bordel[ i_cmd + 3 ] &= 0x5EDE36B; + p_bordel[ 5 ] += p_bordel[ 8 ]; + p_bordel[ 4 ] += p_bordel[ 7 ]; + p_bordel[ 3 ] += p_bordel[ 6 ]; + p_bordel[ 2 ] += p_bordel[ 5 ]; + /* no break */ + case 2: + p_bordel[ 1 ] += p_bordel[ 4 ]; + p_bordel[ 0 ] += p_bordel[ 3 ]; + TinyShuffle6( p_bordel ); + return; /* jc = 4 */ + case 3: + if( (p_bordel[ 11 ] & p_bordel[ 2 ]) > 0x211B ) + { + p_bordel[ 6 ] += 1; + } + break; + case 4: + p_bordel[ 7 ] += 1; + /* no break */ + case 5: + p_bordel[ 9 ] ^= p_bordel[ 2 ]; + break; + case 7: + p_bordel[ 2 ] ^= (p_bordel[ 1 ] & p_bordel[ 13 ]); + break; + case 8: + p_bordel[ 0 ] -= p_bordel[ 11 ] & p_bordel[ 15 ]; + return; /* jc = 4 */ + case 9: + p_bordel[ 6 ] >>= (p_bordel[ 14 ] & 3); + break; + } + + SWAP( p_bordel[ 0 ], p_bordel[ 10 ] ); + + TinyShuffle6( p_bordel ); - return( i_ret ); + return; /* jc = 5 */ } -static int get_sci_data( uint32_t p_sci[ 11 ][ 4 ] ) +static void FourthPass( uint32_t * p_bordel ) { - int i_ret = -1; + uint32_t i, j; -#ifdef WIN32 - HANDLE i_file; - DWORD i_size, i_read; - TCHAR p_path[ MAX_PATH ]; - TCHAR *p_filename = _T("\\Apple Computer\\iTunes\\SC Info\\SC Info.sidb"); + TinyShuffle7( p_bordel ); - if( SUCCEEDED( SHGetFolderPath( NULL, CSIDL_COMMON_APPDATA, - NULL, 0, p_path ) ) ) + switch( p_bordel[ 5 ] % 5) { - _tcsncat( p_path, p_filename, min( _tcslen( p_filename ), - (MAX_PATH-1) - _tcslen( p_path ) ) ); - - i_file = CreateFile( p_path, GENERIC_READ, 0, NULL, - OPEN_EXISTING, 0, NULL ); - if( i_file != INVALID_HANDLE_VALUE ) - { - i_read = sizeof(p_sci[ 0 ]) * 11; - i_size = GetFileSize( i_file, NULL ); - if( i_size != INVALID_FILE_SIZE && i_size >= i_read ) + case 0: + p_bordel[ 0 ] += 1; + break; + case 2: + p_bordel[ 11 ] ^= (p_bordel[ 3 ] + p_bordel[ 6 ] + p_bordel[ 8 ]); + break; + case 3: + for( i = 4; i < 15 && (p_bordel[ i ] & 5) == 0; i++ ) { - i_size = SetFilePointer( i_file, 4, NULL, FILE_BEGIN ); - if( i_size != INVALID_SET_FILE_POINTER ) - { - if( ReadFile( i_file, p_sci, i_read, &i_size, NULL ) && - i_size == i_read ) - { - i_ret = 0; - } - } + SWAP( p_bordel[ i ], p_bordel[ 15 - i ] ); } + break; + case 4: + p_bordel[ 12 ] -= 1; + p_bordel[ 13 ] += 1; + p_bordel[ 2 ] -= 0x64; + p_bordel[ 3 ] += 0x64; + TinyShuffle8( p_bordel ); + return; + } - CloseHandle( i_file ); + for( i = 0, j = 0; i < 16; i++ ) + { + if( p_bordel[ i ] > p_bordel[ j ] ) + { + j = i; } } -#endif - return( i_ret ); + switch( p_bordel[ j ] % 100 ) + { + case 0: + SWAP( p_bordel[ 0 ], p_bordel[ j ] ); + break; + case 8: + p_bordel[ 1 ] >>= 1; + p_bordel[ 2 ] <<= 1; + p_bordel[ 14 ] >>= 3; + p_bordel[ 15 ] <<= 4; + break; + case 57: + p_bordel[ j ] += p_bordel[ 13 ]; + break; + case 76: + p_bordel[ 1 ] += 0x20E; + p_bordel[ 5 ] += 0x223D; + p_bordel[ 13 ] -= 0x576; + p_bordel[ 15 ] += 0x576; + return; + case 91: + p_bordel[ 2 ] -= 0x64; + p_bordel[ 3 ] += 0x64; + p_bordel[ 12 ] -= 1; + p_bordel[ 13 ] += 1; + break; + case 99: + p_bordel[ 0 ] += 1; + p_bordel[ j ] += p_bordel[ 13 ]; + break; + } + + TinyShuffle8( p_bordel ); } -static void acei_taxs( uint32_t *p_acei, uint32_t i_val ) +/***************************************************************************** + * TinyShuffle[12345678]: tiny shuffle subroutines + ***************************************************************************** + * These standalone functions are little helpers for the shuffling process. + *****************************************************************************/ +static void TinyShuffle1( uint32_t * p_bordel ) { - uint32_t i, x; - - i = (i_val / 16) & 15; - x = (~(i_val & 15)) & 15; - - if( (i_val & 768) == 768 ) - { - x = (~i) & 15; - i = i_val & 15; + uint32_t i_cmd = (p_bordel[ 5 ] + 10) >> 2; - p_acei[ 25 + i ] = p_acei[ 25 + ((16 - x) & 15) ] - + p_acei[ 25 + (15 - x) ]; - } - else if( (i_val & 512) == 512 ) - { - p_acei[ 25 + i ] ^= p_drms_tab_xor[ 15 - i ][ x ]; - } - else if( (i_val & 256) == 256 ) + if( p_bordel[ 5 ] > 0x7D0 ) { - p_acei[ 25 + i ] -= p_drms_tab_sub[ 15 - i ][ x ]; + i_cmd -= 0x305; } - else + + switch( i_cmd & 3 ) { - p_acei[ 25 + i ] += p_drms_tab_add[ 15 - i ][ x ]; + case 0: + p_bordel[ 5 ] += 5; + break; + case 1: + p_bordel[ 4 ] -= 1; + break; + case 2: + if( p_bordel[ 4 ] & 5 ) + { + p_bordel[ 1 ] ^= 0x4D; + } + /* no break */ + case 3: + p_bordel[ 12 ] += 5; + break; } } -static void acei( uint32_t *p_acei, uint8_t *p_buffer, uint32_t i_len ) +static void TinyShuffle2( uint32_t * p_bordel ) { - uint32_t i, x; - uint32_t p_tmp[ 26 ]; + uint32_t i, j; - for( i = 5; i < 25; i++ ) + for( i = 0, j = 0; i < 16; i++ ) { - if( p_acei[ i ] ) + if( (p_bordel[ i ] & 0x777) > (p_bordel[ j ] & 0x777) ) { - acei_taxs( p_acei, p_acei[ i ] ); + j = i; } } - TAOS_INIT( p_tmp, 2 ); - taos_add2e( p_tmp, &p_acei[ 25 ], sizeof(*p_acei) * 4 ); - taos_end2( p_tmp ); - - x = i_len < 16 ? i_len : 16; - - if( x > 0 ) + if( j > 5 ) { - for( i = 0; i < x; i++ ) + for( ; j < 15; j++ ) { - p_buffer[ i ] ^= ((uint8_t *)&p_tmp)[ 88 + i ]; + p_bordel[ j ] += p_bordel[ j + 1 ]; } } + else + { + p_bordel[ 2 ] &= 0xB62FC; + } } -static uint32_t ttov_calc( uint32_t *p_acei ) +static void TinyShuffle3( uint32_t * p_bordel ) { - int32_t i_val; - uint32_t p_tmp[ 26 ]; + uint32_t i_cmd = p_bordel[ 6 ] + 0x194B; + + if( p_bordel[ 6 ] > 0x2710 ) + { + i_cmd >>= 1; + } - TAOS_INIT( p_tmp, 2 ); - taos_add2e( p_tmp, &p_acei[ 0 ], 4 ); - taos_add2e( p_tmp, &p_acei[ 4 ], 1 ); - taos_end2( p_tmp ); + switch( i_cmd & 3 ) + { + case 1: + p_bordel[ 3 ] += 0x19FE; + break; + case 2: + p_bordel[ 7 ] -= p_bordel[ 3 ] >> 2; + /* no break */ + case 0: + p_bordel[ 5 ] ^= 0x248A; + break; + } +} - p_acei[ 4 ]++; +static void TinyShuffle4( uint32_t * p_bordel ) +{ + uint32_t i, j; - i_val = ((int32_t)U32_AT(&p_tmp[ 22 ])) % 1024; + for( i = 0, j = 0; i < 16; i++ ) + { + if( p_bordel[ i ] < p_bordel[ j ] ) + { + j = i; + } + } - return( i_val < 0 ? i_val * -1 : i_val ); + if( (p_bordel[ j ] % (j + 1)) > 10 ) + { + p_bordel[ 1 ] -= 1; + p_bordel[ 2 ] += 0x13; + p_bordel[ 12 ] += 1; + } } -static void acei_init( uint32_t *p_acei, uint32_t *p_sys_key ) +static void TinyShuffle5( uint32_t * p_bordel ) { uint32_t i; - for( i = 0; i < 4; i++ ) + p_bordel[ 2 ] &= 0x7F3F; + + for( i = 0; i < 5; i++ ) { - p_acei[ i ] = U32_AT(&p_sys_key[ i ]); + switch( ( p_bordel[ 2 ] + 10 + i ) % 5 ) + { + case 0: + p_bordel[ 12 ] &= p_bordel[ 2 ]; + /* no break */ + case 1: + p_bordel[ 3 ] ^= p_bordel[ 15 ]; + break; + case 2: + p_bordel[ 15 ] += 0x576; + /* no break */ + case 3: + p_bordel[ 7 ] -= 0x2D; + /* no break */ + case 4: + p_bordel[ 1 ] <<= 1; + break; + } } +} - p_acei[ 4 ] = 0x5476212A; +static void TinyShuffle6( uint32_t * p_bordel ) +{ + uint32_t i, j; - for( i = 5; i < 25; i++ ) + for( i = 0; i < 8; i++ ) { - p_acei[ i ] = ttov_calc( p_acei ); + j = p_bordel[ 3 ] & 0x7514 ? 5 : 7; + SWAP( p_bordel[ i ], p_bordel[ i + j ] ); } +} - p_acei[ 25 + 0 ] = p_acei[ 0 ]; - p_acei[ 25 + 1 ] = 0x68723876; - p_acei[ 25 + 2 ] = 0x41617376; - p_acei[ 25 + 3 ] = 0x4D4B4F76; +static void TinyShuffle7( uint32_t * p_bordel ) +{ + uint32_t i; - p_acei[ 25 + 4 ] = p_acei[ 1 ]; - p_acei[ 25 + 5 ] = 0x48556646; - p_acei[ 25 + 6 ] = 0x38393725; - p_acei[ 25 + 7 ] = 0x2E3B5B3D; + i = (((p_bordel[ 9 ] + p_bordel[ 15 ] + 12) >> 2) - p_bordel[ 4 ]) & 7; - p_acei[ 25 + 8 ] = p_acei[ 2 ]; - p_acei[ 25 + 9 ] = 0x37363866; - p_acei[ 25 + 10 ] = 0x30383637; - p_acei[ 25 + 11 ] = 0x34333661; + while( i-- ) + { + SWAP( p_bordel[ i ], p_bordel[ i + 3 ] ); + } - p_acei[ 25 + 12 ] = p_acei[ 3 ]; - p_acei[ 25 + 13 ] = 0x37386162; - p_acei[ 25 + 14 ] = 0x494F6E66; - p_acei[ 25 + 15 ] = 0x2A282966; + SWAP( p_bordel[ 1 ], p_bordel[ 10 ] ); } -static inline void block_xor( uint32_t *p_in, uint32_t *p_key, - uint32_t *p_out ) +static void TinyShuffle8( uint32_t * p_bordel ) { uint32_t i; - for( i = 0; i < 4; i++ ) + i = (p_bordel[ 0 ] & p_bordel[ 6 ]) & 0xF; + + switch( p_bordel[ i ] % 1000 ) { - p_out[ i ] = p_key[ i ] ^ p_in[ i ]; + case 7: + if( (p_bordel[ i ] & 0x777) > (p_bordel[ 7 ] & 0x5555) ) + { + p_bordel[ i ] ^= p_bordel[ 5 ] & p_bordel[ 3 ]; + } + break; + case 19: + p_bordel[ 15 ] &= 0x5555; + break; + case 93: + p_bordel[ i ] ^= p_bordel[ 15 ]; + break; + case 100: + SWAP( p_bordel[ 0 ], p_bordel[ 3 ] ); + SWAP( p_bordel[ 1 ], p_bordel[ 6 ] ); + SWAP( p_bordel[ 3 ], p_bordel[ 6 ] ); + SWAP( p_bordel[ 4 ], p_bordel[ 9 ] ); + SWAP( p_bordel[ 5 ], p_bordel[ 8 ] ); + SWAP( p_bordel[ 6 ], p_bordel[ 7 ] ); + SWAP( p_bordel[ 13 ], p_bordel[ 14 ] ); + break; + case 329: + p_bordel[ i ] += p_bordel[ 1 ] ^ 0x80080011; + p_bordel[ i ] += p_bordel[ 2 ] ^ 0xBEEFDEAD; + p_bordel[ i ] += p_bordel[ 3 ] ^ 0x8765F444; + p_bordel[ i ] += p_bordel[ 4 ] ^ 0x78145326; + break; + case 567: + p_bordel[ 12 ] -= p_bordel[ i ]; + p_bordel[ 13 ] += p_bordel[ i ]; + break; + case 612: + p_bordel[ i ] += p_bordel[ 1 ]; + p_bordel[ i ] -= p_bordel[ 7 ]; + p_bordel[ i ] -= p_bordel[ 8 ]; + p_bordel[ i ] += p_bordel[ 9 ]; + p_bordel[ i ] += p_bordel[ 13 ]; + break; + case 754: + i = __MIN( i, 12 ); + p_bordel[ i + 1 ] >>= 1; + p_bordel[ i + 2 ] <<= 4; + p_bordel[ i + 3 ] >>= 3; + break; + case 777: + p_bordel[ 1 ] += 0x20E; + p_bordel[ 5 ] += 0x223D; + p_bordel[ 13 ] -= 0x576; + p_bordel[ 15 ] += 0x576; + break; + case 981: + if( (p_bordel[ i ] ^ 0x8765F441) < 0x2710 ) + { + SWAP( p_bordel[ 0 ], p_bordel[ 1 ] ); + } + else + { + SWAP( p_bordel[ 1 ], p_bordel[ 11 ] ); + } + break; } } -int drms_get_sys_key( uint32_t *p_sys_key ) +/***************************************************************************** + * GetSystemKey: get the system key + ***************************************************************************** + * Compute the system key from various system information, see HashSystemInfo. + *****************************************************************************/ +static int GetSystemKey( uint32_t *p_sys_key, bool b_ipod ) { - uint32_t p_tmp[ 128 ]; - uint32_t p_tmp_key[ 4 ]; + static const char p_secret5[ 8 ] = "YuaFlafu"; + static const char p_secret6[ 8 ] = "zPif98ga"; + struct md5_s md5; + int64_t i_ipod_id; + uint32_t p_system_hash[ 4 ]; + + /* Compute the MD5 hash of our system info */ + if( ( !b_ipod && HashSystemInfo( p_system_hash ) ) || + ( b_ipod && GetiPodID( &i_ipod_id ) ) ) + { + return -1; + } - TAOS_INIT( p_tmp, 8 ); - if( taos_osi( p_tmp ) ) + /* Combine our system info hash with additional secret data. The resulting + * MD5 hash will be our system key. */ + InitMD5( &md5 ); + AddMD5( &md5, (const uint8_t*)p_secret5, 8 ); + + if( !b_ipod ) + { + AddMD5( &md5, (const uint8_t *)p_system_hash, 6 ); + AddMD5( &md5, (const uint8_t *)p_system_hash, 6 ); + AddMD5( &md5, (const uint8_t *)p_system_hash, 6 ); + AddMD5( &md5, (const uint8_t *)p_secret6, 8 ); + } + else { - return( -1 ); + i_ipod_id = U64_AT(&i_ipod_id); + AddMD5( &md5, (const uint8_t *)&i_ipod_id, sizeof(i_ipod_id) ); + AddMD5( &md5, (const uint8_t *)&i_ipod_id, sizeof(i_ipod_id) ); + AddMD5( &md5, (const uint8_t *)&i_ipod_id, sizeof(i_ipod_id) ); } - taos_end1( p_tmp, p_tmp_key ); - TAOS_INIT( p_tmp, 2 ); - taos_add2( p_tmp, "YuaFlafu", 8 ); - taos_add2( p_tmp, (uint8_t *)p_tmp_key, 6 ); - taos_add2( p_tmp, (uint8_t *)p_tmp_key, 6 ); - taos_add2( p_tmp, (uint8_t *)p_tmp_key, 6 ); - taos_add2( p_tmp, "zPif98ga", 8 ); - taos_end2( p_tmp ); + EndMD5( &md5 ); - memcpy( p_sys_key, &p_tmp[ 2 ], sizeof(*p_sys_key) * 4 ); + memcpy( p_sys_key, md5.p_digest, 16 ); - return( 0 ); + return 0; } -int drms_get_user_key( uint32_t *p_sys_key, uint32_t *p_user_key ) +#ifdef WIN32 +# define DRMS_DIRNAME "drms" +#else +# define DRMS_DIRNAME ".drms" +#endif + +/***************************************************************************** + * WriteUserKey: write the user key to hard disk + ***************************************************************************** + * Write the user key to the hard disk so that it can be reused later or used + * on operating systems other than Win32. + *****************************************************************************/ +static int WriteUserKey( void *_p_drms, uint32_t *p_user_key ) { - uint32_t i; - uint32_t p_tmp[ 4 ]; - uint32_t *p_cur_key; - uint32_t p_acei[ 41 ]; - uint32_t p_ctx[ 128 ]; - uint32_t p_sci[ 2 ][ 11 ][ 4 ]; + struct drms_s *p_drms = (struct drms_s *)_p_drms; + FILE *file; + int i_ret = -1; + char psz_path[ PATH_MAX ]; - uint32_t p_sci_key[ 4 ] = - { - 0x6E66556D, 0x6E676F70, 0x67666461, 0x33373866 - }; + snprintf( psz_path, PATH_MAX - 1, + "%s/" DRMS_DIRNAME, p_drms->psz_homedir ); - if( p_sys_key == NULL ) +#if defined( WIN32 ) + if( !mkdir( psz_path ) || errno == EEXIST ) +#else + if( !mkdir( psz_path, 0755 ) || errno == EEXIST ) +#endif { - if( drms_get_sys_key( p_tmp ) ) + snprintf( psz_path, PATH_MAX - 1, "%s/" DRMS_DIRNAME "/%08X.%03d", + p_drms->psz_homedir, p_drms->i_user, p_drms->i_key ); + + file = vlc_fopen( psz_path, "wb" ); + if( file != NULL ) { - return( -1 ); + i_ret = fwrite( p_user_key, sizeof(uint32_t), + 4, file ) == 4 ? 0 : -1; + fclose( file ); } + } + + return i_ret; +} + +/***************************************************************************** + * ReadUserKey: read the user key from hard disk + ***************************************************************************** + * Retrieve the user key from the hard disk if available. + *****************************************************************************/ +static int ReadUserKey( void *_p_drms, uint32_t *p_user_key ) +{ + struct drms_s *p_drms = (struct drms_s *)_p_drms; + FILE *file; + int i_ret = -1; + char psz_path[ PATH_MAX ]; - p_sys_key = p_tmp; + snprintf( psz_path, PATH_MAX - 1, + "%s/" DRMS_DIRNAME "/%08X.%03d", p_drms->psz_homedir, + p_drms->i_user, p_drms->i_key ); + + file = vlc_fopen( psz_path, "rb" ); + if( file != NULL ) + { + i_ret = fread( p_user_key, sizeof(uint32_t), + 4, file ) == 4 ? 0 : -1; + fclose( file ); } - if( get_sci_data( p_sci[ 0 ] ) ) + return i_ret; +} + +/***************************************************************************** + * GetUserKey: get the user key + ***************************************************************************** + * Retrieve the user key from the hard disk if available, otherwise generate + * it from the system key. If the key could be successfully generated, write + * it to the hard disk for future use. + *****************************************************************************/ +static int GetUserKey( void *_p_drms, uint32_t *p_user_key ) +{ + static const char p_secret7[] = "mUfnpognadfgf873"; + struct drms_s *p_drms = (struct drms_s *)_p_drms; + struct aes_s aes; + struct shuffle_s shuffle; + uint32_t i, y; + uint32_t *p_sci_data = NULL; + uint32_t i_user, i_key; + uint32_t p_sys_key[ 4 ]; + uint32_t i_sci_size = 0, i_blocks, i_remaining; + uint32_t *p_sci0, *p_sci1, *p_buffer; + uint32_t p_sci_key[ 4 ]; + char *psz_ipod; + int i_ret = -5; + + if( ReadUserKey( p_drms, p_user_key ) == 0 ) { - return( -1 ); + REVERSE( p_user_key, 4 ); + return 0; } - init_ctx( p_ctx, p_sys_key ); + psz_ipod = getenv( "IPOD" ); - for( i = 0, p_cur_key = p_sci_key; - i < sizeof(p_sci[ 0 ])/sizeof(p_sci[ 0 ][ 0 ]); i++ ) + if( GetSystemKey( p_sys_key, psz_ipod ? true : false ) ) { - ctx_xor( p_ctx, &p_sci[ 0 ][ i ][ 0 ], &p_sci[ 1 ][ i ][ 0 ], - p_drms_tab3, p_drms_tab4 ); - block_xor( &p_sci[ 1 ][ i ][ 0 ], p_cur_key, &p_sci[ 1 ][ i ][ 0 ] ); + return -3; + } - p_cur_key = &p_sci[ 0 ][ i ][ 0 ]; + if( GetSCIData( psz_ipod, &p_sci_data, &i_sci_size ) ) + { + return -4; } - acei_init( p_acei, p_sys_key ); + /* Phase 1: unscramble the SCI data using the system key and shuffle + * it using DoShuffle(). */ + + /* Skip the first 4 bytes (some sort of header). Decrypt the rest. */ + i_blocks = (i_sci_size - 4) / 16; + i_remaining = (i_sci_size - 4) - (i_blocks * 16); + p_buffer = p_sci_data + 1; + + /* Decrypt and shuffle our data at the same time */ + InitAES( &aes, p_sys_key ); + REVERSE( p_sys_key, 4 ); + REVERSE( p_sci_data, 1 ); + InitShuffle( &shuffle, p_sys_key, p_sci_data[ 0 ] ); - for( i = 0; i < sizeof(p_sci[ 1 ])/sizeof(p_sci[ 1 ][ 0 ]); i++ ) + memcpy( p_sci_key, p_secret7, 16 ); + REVERSE( p_sci_key, 4 ); + + while( i_blocks-- ) { - acei( p_acei, (uint8_t *)&p_sci[ 1 ][ i ][ 0 ], - sizeof(p_sci[ 1 ][ i ]) ); - } + uint32_t p_tmp[ 4 ]; - memcpy( p_user_key, &p_sci[ 1 ][ 10 ][ 0 ], sizeof(p_sci[ 1 ][ i ]) ); + REVERSE( p_buffer, 4 ); + DecryptAES( &aes, p_tmp, p_buffer ); + BlockXOR( p_tmp, p_sci_key, p_tmp ); - return( 0 ); -} + /* Use the previous scrambled data as the key for next block */ + memcpy( p_sci_key, p_buffer, 16 ); -struct drms_s -{ - uint8_t *p_iviv; - uint32_t i_iviv_len; - uint8_t *p_name; - uint32_t i_name_len; + /* Shuffle the decrypted data using a custom routine */ + DoShuffle( &shuffle, p_tmp, 4 ); - uint32_t *p_tmp; - uint32_t i_tmp_len; + /* Copy this block back to p_buffer */ + memcpy( p_buffer, p_tmp, 16 ); - uint32_t p_key[ 4 ]; - uint32_t p_ctx[ 128 ]; -}; + p_buffer += 4; + } -#define P_DRMS ((struct drms_s *)p_drms) + if( i_remaining >= 4 ) + { + REVERSE( p_buffer, i_remaining / 4 ); + DoShuffle( &shuffle, p_buffer, i_remaining / 4 ); + } -void *drms_alloc() -{ - struct drms_s *p_drms; + /* Phase 2: look for the user key in the generated data. I must admit I + * do not understand what is going on here, because it almost + * looks like we are browsing data that makes sense, even though + * the DoShuffle() part made it completely meaningless. */ - p_drms = malloc( sizeof(struct drms_s) ); + y = 0; + REVERSE( p_sci_data + 5, 1 ); + i = U32_AT( p_sci_data + 5 ); + i_sci_size -= 22 * sizeof(uint32_t); + p_sci1 = p_sci_data + 22; + p_sci0 = NULL; - if( p_drms != NULL ) + while( i_sci_size >= 20 && i > 0 ) { - memset( p_drms, 0, sizeof(struct drms_s) ); + if( p_sci0 == NULL ) + { + i_sci_size -= 18 * sizeof(uint32_t); + if( i_sci_size < 20 ) + { + break; + } + + p_sci0 = p_sci1; + REVERSE( p_sci1 + 17, 1 ); + y = U32_AT( p_sci1 + 17 ); + p_sci1 += 18; + } + + if( !y ) + { + i--; + p_sci0 = NULL; + continue; + } - p_drms->i_tmp_len = 1024; - p_drms->p_tmp = malloc( p_drms->i_tmp_len ); - if( p_drms->p_tmp == NULL ) + i_user = U32_AT( p_sci0 ); + i_key = U32_AT( p_sci1 ); + REVERSE( &i_user, 1 ); + REVERSE( &i_key, 1 ); + if( i_user == p_drms->i_user && ( ( i_key == p_drms->i_key ) || + ( !p_drms->i_key && ( p_sci1 == (p_sci0 + 18) ) ) ) ) { - free( (void *)p_drms ); - p_drms = NULL; + memcpy( p_user_key, p_sci1 + 1, 16 ); + REVERSE( p_sci1 + 1, 4 ); + WriteUserKey( p_drms, p_sci1 + 1 ); + i_ret = 0; + break; } + + y--; + p_sci1 += 5; + i_sci_size -= 5 * sizeof(uint32_t); } - return( (void *)p_drms ); + free( p_sci_data ); + + return i_ret; } -void drms_free( void *p_drms ) +/***************************************************************************** + * GetSCIData: get SCI data from "SC Info.sidb" + ***************************************************************************** + * Read SCI data from "\Apple Computer\iTunes\SC Info\SC Info.sidb" + *****************************************************************************/ +static int GetSCIData( char *psz_ipod, uint32_t **pp_sci, + uint32_t *pi_sci_size ) { - if( P_DRMS->p_name != NULL ) + FILE *file; + char *psz_path = NULL; + char p_tmp[ 4 * PATH_MAX ]; + int i_ret = -1; + + if( psz_ipod == NULL ) + { +#ifdef WIN32 + const char *SCIfile = + "\\Apple Computer\\iTunes\\SC Info\\SC Info.sidb"; + strncpy(p_tmp, config_GetConfDir(), sizeof(p_tmp -1)); + if( strlen( p_tmp ) + strlen( SCIfile ) >= PATH_MAX ) + return -1; + strcat(p_tmp, SCIfile); + p_tmp[sizeof( p_tmp ) - 1] = '\0'; + psz_path = p_tmp; +#endif + } + else { - free( (void *)P_DRMS->p_name ); +#define ISCINFO "iSCInfo" + if( strstr( psz_ipod, ISCINFO ) == NULL ) + { + snprintf( p_tmp, sizeof(p_tmp) - 1, + "%s/iPod_Control/iTunes/" ISCINFO "2", psz_ipod ); + psz_path = p_tmp; + } + else + { + psz_path = psz_ipod; + } } - if( P_DRMS->p_iviv != NULL ) + if( psz_path == NULL ) { - free( (void *)P_DRMS->p_iviv ); + return -1; } - if( P_DRMS->p_tmp != NULL ) + file = vlc_fopen( psz_path, "rb" ); + if( file != NULL ) { - free( (void *)P_DRMS->p_tmp ); + struct stat st; + + if( !fstat( fileno( file ), &st ) && st.st_size >= 4 ) + { + *pp_sci = malloc( st.st_size ); + if( *pp_sci != NULL ) + { + if( fread( *pp_sci, 1, st.st_size, + file ) == (size_t)st.st_size ) + { + *pi_sci_size = st.st_size; + i_ret = 0; + } + else + { + free( (void *)*pp_sci ); + *pp_sci = NULL; + } + } + } + + fclose( file ); } - free( p_drms ); + return i_ret; } -void drms_decrypt( void *p_drms, uint32_t *p_buffer, uint32_t i_len ) +/***************************************************************************** + * HashSystemInfo: hash system information + ***************************************************************************** + * This function computes the MD5 hash of the C: hard drive serial number, + * BIOS version, CPU type and Windows version. + *****************************************************************************/ +static int HashSystemInfo( uint32_t *p_system_hash ) { - uint32_t i, x, y; - uint32_t *p_cur_key = P_DRMS->p_key; + struct md5_s md5; + int i_ret = 0; - x = (i_len / sizeof(P_DRMS->p_key)) * sizeof(P_DRMS->p_key); +#ifdef WIN32 + HKEY i_key; + unsigned int i; + DWORD i_size; + DWORD i_serial; + LPBYTE p_reg_buf; - if( P_DRMS->i_tmp_len < x ) + static const LPCTSTR p_reg_keys[ 3 ][ 2 ] = { - free( (void *)P_DRMS->p_tmp ); - - P_DRMS->i_tmp_len = x; - P_DRMS->p_tmp = malloc( P_DRMS->i_tmp_len ); - } + { + _T("HARDWARE\\DESCRIPTION\\System"), + _T("SystemBiosVersion") + }, - if( P_DRMS->p_tmp != NULL ) - { - memcpy( P_DRMS->p_tmp, p_buffer, x ); + { + _T("HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"), + _T("ProcessorNameString") + }, - for( i = 0, x /= sizeof(P_DRMS->p_key); i < x; i++ ) { - y = i * sizeof(*p_buffer); + _T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion"), + _T("ProductId") + } + }; - ctx_xor( P_DRMS->p_ctx, P_DRMS->p_tmp + y, p_buffer + y, - p_drms_tab3, p_drms_tab4 ); - block_xor( p_buffer + y, p_cur_key, p_buffer + y ); + InitMD5( &md5 ); - p_cur_key = P_DRMS->p_tmp + y; - } - } -} + AddMD5( &md5, "cache-control", 13 ); + AddMD5( &md5, "Ethernet", 8 ); -int drms_init( void *p_drms, uint32_t i_type, - uint8_t *p_info, uint32_t i_len ) -{ - int i_ret = 0; + GetVolumeInformation( _T("C:\\"), NULL, 0, &i_serial, + NULL, NULL, NULL, 0 ); + AddMD5( &md5, (const uint8_t *)&i_serial, 4 ); - switch( i_type ) + for( i = 0; i < sizeof(p_reg_keys) / sizeof(p_reg_keys[ 0 ]); i++ ) { - case DRMS_INIT_UKEY: + if( RegOpenKeyEx( HKEY_LOCAL_MACHINE, p_reg_keys[ i ][ 0 ], + 0, KEY_READ, &i_key ) != ERROR_SUCCESS ) { - if( i_len != sizeof(P_DRMS->p_key) ) - { - i_ret = -1; - break; - } - - init_ctx( P_DRMS->p_ctx, (uint32_t *)p_info ); + continue; } - break; - case DRMS_INIT_IVIV: + if( RegQueryValueEx( i_key, p_reg_keys[ i ][ 1 ], + NULL, NULL, NULL, &i_size ) != ERROR_SUCCESS ) { - if( i_len != sizeof(P_DRMS->p_key) ) - { - i_ret = -1; - break; - } - - P_DRMS->p_iviv = malloc( i_len ); - if( P_DRMS->p_iviv == NULL ) - { - i_ret = -1; - break; - } - - memcpy( P_DRMS->p_iviv, p_info, i_len ); - P_DRMS->i_iviv_len = i_len; + RegCloseKey( i_key ); + continue; } - break; - case DRMS_INIT_NAME: + p_reg_buf = malloc( i_size ); + + if( p_reg_buf != NULL ) { - P_DRMS->p_name = malloc( i_len ); - if( P_DRMS->p_name == NULL ) + if( RegQueryValueEx( i_key, p_reg_keys[ i ][ 1 ], + NULL, NULL, p_reg_buf, + &i_size ) == ERROR_SUCCESS ) { - i_ret = -1; - break; + AddMD5( &md5, (const uint8_t *)p_reg_buf, i_size ); } - memcpy( P_DRMS->p_name, p_info, i_len ); - P_DRMS->i_name_len = i_len; + free( p_reg_buf ); } - break; - case DRMS_INIT_PRIV: - { - uint32_t i; - uint32_t p_priv[ 64 ]; - uint32_t p_tmp[ 128 ]; + RegCloseKey( i_key ); + } - if( i_len < 64 ) +#else + InitMD5( &md5 ); + i_ret = -1; +#endif + + EndMD5( &md5 ); + memcpy( p_system_hash, md5.p_digest, 16 ); + + return i_ret; +} + +/***************************************************************************** + * GetiPodID: Get iPod ID + ***************************************************************************** + * This function gets the iPod ID. + *****************************************************************************/ +static int GetiPodID( int64_t *p_ipod_id ) +{ + int i_ret = -1; + +#define PROD_NAME "iPod" +#define VENDOR_NAME "Apple Computer, Inc." + + char *psz_ipod_id = getenv( "IPODID" ); + if( psz_ipod_id != NULL ) + { + *p_ipod_id = strtoll( psz_ipod_id, NULL, 16 ); + return 0; + } + +#ifdef __APPLE__ + CFTypeRef value; + mach_port_t port; + io_object_t device; + io_iterator_t iterator; + CFMutableDictionaryRef match_dic; + CFMutableDictionaryRef smatch_dic; + + if( IOMasterPort( MACH_PORT_NULL, &port ) == KERN_SUCCESS ) + { + smatch_dic = IOServiceMatching( "IOFireWireUnit" ); + match_dic = CFDictionaryCreateMutable( kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks ); + + if( smatch_dic != NULL && match_dic != NULL ) + { + CFDictionarySetValue( smatch_dic, + CFSTR("FireWire Vendor Name"), + CFSTR(VENDOR_NAME) ); + CFDictionarySetValue( smatch_dic, + CFSTR("FireWire Product Name"), + CFSTR(PROD_NAME) ); + + CFDictionarySetValue( match_dic, + CFSTR(kIOPropertyMatchKey), + smatch_dic ); + + if( IOServiceGetMatchingServices( port, match_dic, + &iterator ) == KERN_SUCCESS ) { - i_ret = -1; - break; - } + while( ( device = IOIteratorNext( iterator ) ) != 0 ) + { + value = IORegistryEntryCreateCFProperty( device, + CFSTR("GUID"), kCFAllocatorDefault, kNilOptions ); - TAOS_INIT( p_tmp, 0 ); - taos_add3( p_tmp, P_DRMS->p_name, P_DRMS->i_name_len ); - taos_add3( p_tmp, P_DRMS->p_iviv, P_DRMS->i_iviv_len ); - memcpy( p_priv, &p_tmp[ 4 ], sizeof(p_priv[ 0 ]) * 2 ); - i = (p_tmp[ 4 ] / 8) & 63; - i = i >= 56 ? 120 - i : 56 - i; - taos_add3( p_tmp, p_drms_tab_tend, i ); - taos_add3( p_tmp, (uint8_t *)p_priv, sizeof(p_priv[ 0 ]) * 2 ); + if( value != NULL ) + { + if( CFGetTypeID( value ) == CFNumberGetTypeID() ) + { + int64_t i_ipod_id; + CFNumberGetValue( (CFNumberRef)value, + kCFNumberLongLongType, + &i_ipod_id ); + *p_ipod_id = i_ipod_id; + i_ret = 0; + } + + CFRelease( value ); + } - memcpy( p_priv, p_info, 64 ); - memcpy( P_DRMS->p_key, p_tmp, sizeof(P_DRMS->p_key) ); - drms_decrypt( p_drms, p_priv, sizeof(p_priv) ); + IOObjectRelease( device ); - init_ctx( P_DRMS->p_ctx, &p_priv[ 6 ] ); - memcpy( P_DRMS->p_key, &p_priv[ 12 ], sizeof(P_DRMS->p_key) ); + if( !i_ret ) break; + } - free( (void *)P_DRMS->p_name ); - P_DRMS->p_name = NULL; - free( (void *)P_DRMS->p_iviv ); - P_DRMS->p_iviv = NULL; + IOObjectRelease( iterator ); + } + CFRelease( match_dic ); } - break; + + mach_port_deallocate( mach_task_self(), port ); } +#endif - return( i_ret ); + return i_ret; } -#undef P_DRMS +#else /* !defined( UNDER_CE ) */ + +void *drms_alloc( const char *psz_homedir ){ return NULL; } +void drms_free( void *a ){} +void drms_decrypt( void *a, uint32_t *b, uint32_t c, uint32_t *k ){} +void drms_get_p_key( void *p_drms, uint32_t *p_key ){} +int drms_init( void *a, uint32_t b, uint8_t *c, uint32_t d ){ return -1; } +#endif /* defined( UNDER_CE ) */