From 6f648b65563bd83f3ec2cd0fbc32795f2b7e46c9 Mon Sep 17 00:00:00 2001 From: Alex Page Date: Tue, 20 Jun 2023 22:09:31 -0400 Subject: [PATCH] Implement bink2002 --- .gitignore | 1 + Cargo.lock | 13 +-- Cargo.toml | 2 +- src/bink1998.rs | 15 ++- src/bink2002.rs | 300 ++++++++++++++++++++++++++++++++++++++++++++++++ src/cli.rs | 38 +++++- src/main.rs | 4 +- 7 files changed, 351 insertions(+), 22 deletions(-) create mode 100644 src/bink2002.rs diff --git a/.gitignore b/.gitignore index ea8c4bf..81cf465 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /target +/.vscode diff --git a/Cargo.lock b/Cargo.lock index e31da5f..574c80f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -229,9 +229,8 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" [[package]] name = "openssl" -version = "0.10.54" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69b3f656a17a6cbc115b5c7a40c616947d213ba182135b014d6051b73ab6f019" +version = "0.10.55" +source = "git+https://github.com/anpage/rust-openssl.git#a50639888f80f0a935ec621c328d761428aff32a" dependencies = [ "bitflags", "cfg-if", @@ -245,8 +244,7 @@ dependencies = [ [[package]] name = "openssl-macros" version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +source = "git+https://github.com/anpage/rust-openssl.git#a50639888f80f0a935ec621c328d761428aff32a" dependencies = [ "proc-macro2", "quote", @@ -255,9 +253,8 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.88" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2ce0f250f34a308dcfdbb351f511359857d4ed2134ba715a4eadd46e1ffd617" +version = "0.9.90" +source = "git+https://github.com/anpage/rust-openssl.git#a50639888f80f0a935ec621c328d761428aff32a" dependencies = [ "cc", "libc", diff --git a/Cargo.toml b/Cargo.toml index eb34eed..541817d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -9,5 +9,5 @@ edition = "2021" anyhow = "1.0.71" bitreader = "0.3.7" clap = { version = "4.3.4", features = ["derive"] } -openssl = "0.10.54" +openssl = { git = "https://github.com/anpage/rust-openssl.git" } serde_json = "1.0" diff --git a/src/bink1998.rs b/src/bink1998.rs index 16babb8..1098b55 100644 --- a/src/bink1998.rs +++ b/src/bink1998.rs @@ -6,12 +6,11 @@ use openssl::{ sha::sha1, }; -use crate::{ - key::{base24_decode, base24_encode}, - FIELD_BITS, FIELD_BYTES, -}; +use crate::key::{base24_decode, base24_encode}; -const SHA_MSG_LENGTH_XP: usize = 4 + 2 * FIELD_BYTES; +const FIELD_BITS: i32 = 384; +const FIELD_BYTES: usize = 48; +const SHA_MSG_LENGTH: usize = 4 + 2 * FIELD_BYTES; #[derive(Clone, Copy, Debug)] struct ProductKey { @@ -51,7 +50,7 @@ pub fn verify( p.affine_coordinates(e_curve, &mut x, &mut y, &mut num_context)?; - let mut msg_buffer: [u8; SHA_MSG_LENGTH_XP] = [0; SHA_MSG_LENGTH_XP]; + let mut msg_buffer: [u8; SHA_MSG_LENGTH] = [0; SHA_MSG_LENGTH]; let mut x_bin = x.to_vec_padded(FIELD_BYTES as i32)?; x_bin.reverse(); @@ -92,7 +91,7 @@ pub fn generate( let mut r = EcPoint::new(e_curve)?; // Generate a random number c consisting of 384 bits without any constraints. - c.rand(FIELD_BITS, MsbOption::MAYBE_ZERO, true)?; + c.rand(FIELD_BITS, MsbOption::MAYBE_ZERO, false)?; // Pick a random derivative of the base point on the elliptic curve. // R = cG; @@ -102,7 +101,7 @@ pub fn generate( // x = R.x; y = R.y; r.affine_coordinates(e_curve, &mut x, &mut y, &mut num_context)?; - let mut msg_buffer: [u8; SHA_MSG_LENGTH_XP] = [0; SHA_MSG_LENGTH_XP]; + let mut msg_buffer: [u8; SHA_MSG_LENGTH] = [0; SHA_MSG_LENGTH]; let mut x_bin = x.to_vec_padded(FIELD_BYTES as i32)?; x_bin.reverse(); diff --git a/src/bink2002.rs b/src/bink2002.rs new file mode 100644 index 0000000..2f83fca --- /dev/null +++ b/src/bink2002.rs @@ -0,0 +1,300 @@ +use anyhow::Result; +use bitreader::BitReader; +use openssl::{ + bn::{BigNum, BigNumContext, MsbOption}, + ec::{EcGroup, EcPoint}, + sha::sha1, +}; + +use crate::key::{base24_decode, base24_encode}; + +const FIELD_BITS: i32 = 512; +const FIELD_BYTES: usize = 64; +const SHA_MSG_LENGTH: usize = 3 + 2 * FIELD_BYTES; + +#[derive(Clone, Copy, Debug)] +struct ProductKey { + upgrade: bool, + channel_id: u32, + hash: u32, + signature: u64, + auth_info: u32, +} + +pub fn verify( + e_curve: &EcGroup, + base_point: &EcPoint, + public_key: &EcPoint, + cd_key: &str, +) -> Result { + let mut num_context = BigNumContext::new()?; + + let b_key = base24_decode(cd_key); + let product_key = unpack(&b_key)?; + + let p_data = product_key.channel_id << 1 | product_key.upgrade as u32; + + let mut msg_buffer: [u8; SHA_MSG_LENGTH] = [0; SHA_MSG_LENGTH]; + + msg_buffer[0x00] = 0x5D; + msg_buffer[0x01] = (p_data & 0x00FF) as u8; + msg_buffer[0x02] = ((p_data & 0xFF00) >> 8) as u8; + msg_buffer[0x03] = (product_key.hash & 0x000000FF) as u8; + msg_buffer[0x04] = ((product_key.hash & 0x0000FF00) >> 8) as u8; + msg_buffer[0x05] = ((product_key.hash & 0x00FF0000) >> 16) as u8; + msg_buffer[0x06] = ((product_key.hash & 0xFF000000) >> 24) as u8; + msg_buffer[0x07] = (product_key.auth_info & 0x00FF) as u8; + msg_buffer[0x08] = ((product_key.auth_info & 0xFF00) >> 8) as u8; + msg_buffer[0x09] = 0x00; + msg_buffer[0x0A] = 0x00; + + let msg_digest = sha1(&msg_buffer[..=0x0A]); + + let i_signature = next_sn_bits(by_dword(&msg_digest[4..8]) as u64, 30, 2) << 32 + | by_dword(&msg_digest[0..4]) as u64; + + let e = BigNum::from_slice(&i_signature.to_be_bytes())?; + let s = BigNum::from_slice(&product_key.signature.to_be_bytes())?; + + let mut x = BigNum::new()?; + let mut y = BigNum::new()?; + + let mut p = EcPoint::new(e_curve)?; + let mut t = EcPoint::new(e_curve)?; + + t.mul(e_curve, base_point, &s, &num_context)?; + p.mul(e_curve, public_key, &e, &num_context)?; + let p_2 = p.to_owned(e_curve)?; + + p.add(e_curve, &t, &p_2, &mut num_context)?; + let p_2 = p.to_owned(e_curve)?; + + p.mul(e_curve, &p_2, &s, &num_context)?; + + p.affine_coordinates(e_curve, &mut x, &mut y, &mut num_context)?; + + let mut x_bin = x.to_vec_padded(FIELD_BYTES as i32)?; + x_bin.reverse(); + let mut y_bin = y.to_vec_padded(FIELD_BYTES as i32)?; + y_bin.reverse(); + + msg_buffer[0x00] = 0x79; + msg_buffer[0x01] = (p_data & 0x00FF) as u8; + msg_buffer[0x02] = ((p_data & 0xFF00) >> 8) as u8; + + msg_buffer[3..3 + FIELD_BYTES].copy_from_slice(&x_bin); + msg_buffer[3 + FIELD_BYTES..3 + FIELD_BYTES * 2].copy_from_slice(&y_bin); + + let msg_digest = sha1(&msg_buffer); + + let hash: u32 = by_dword(&msg_digest[0..4]) & bitmask(31) as u32; + + Ok(hash == product_key.hash) +} + +pub fn generate( + e_curve: &EcGroup, + base_point: &EcPoint, + gen_order: &BigNum, + private_key: &BigNum, + p_channel_id: u32, + p_auth_info: u32, + p_upgrade: bool, +) -> Result { + let mut num_context = BigNumContext::new().unwrap(); + + let mut c = BigNum::new()?; + let mut x = BigNum::new()?; + let mut y = BigNum::new()?; + + let p_data = p_channel_id << 1 | p_upgrade as u32; + + let mut no_square = false; + let p_raw: Vec = loop { + let mut r = EcPoint::new(e_curve)?; + + c.rand(FIELD_BITS, MsbOption::MAYBE_ZERO, false)?; + + r.mul(e_curve, base_point, &c, &num_context)?; + + r.affine_coordinates(e_curve, &mut x, &mut y, &mut num_context)?; + + let mut msg_buffer: [u8; SHA_MSG_LENGTH] = [0; SHA_MSG_LENGTH]; + + let mut x_bin = x.to_vec_padded(FIELD_BYTES as i32)?; + x_bin.reverse(); + let mut y_bin = y.to_vec_padded(FIELD_BYTES as i32)?; + y_bin.reverse(); + + msg_buffer[0x00] = 0x79; + msg_buffer[0x01] = (p_data & 0x00FF) as u8; + msg_buffer[0x02] = ((p_data & 0xFF00) >> 8) as u8; + + msg_buffer[3..3 + FIELD_BYTES].copy_from_slice(&x_bin); + msg_buffer[3 + FIELD_BYTES..3 + FIELD_BYTES * 2].copy_from_slice(&y_bin); + + let msg_digest = sha1(&msg_buffer); + + let p_hash: u32 = by_dword(&msg_digest[0..4]) & bitmask(31) as u32; + + msg_buffer[0x00] = 0x5D; + msg_buffer[0x01] = (p_data & 0x00FF) as u8; + msg_buffer[0x02] = ((p_data & 0xFF00) >> 8) as u8; + msg_buffer[0x03] = (p_hash & 0x000000FF) as u8; + msg_buffer[0x04] = ((p_hash & 0x0000FF00) >> 8) as u8; + msg_buffer[0x05] = ((p_hash & 0x00FF0000) >> 16) as u8; + msg_buffer[0x06] = ((p_hash & 0xFF000000) >> 24) as u8; + msg_buffer[0x07] = (p_auth_info & 0x00FF) as u8; + msg_buffer[0x08] = ((p_auth_info & 0xFF00) >> 8) as u8; + msg_buffer[0x09] = 0x00; + msg_buffer[0x0A] = 0x00; + + let msg_digest = sha1(&msg_buffer[..=0x0A]); + + let i_signature = next_sn_bits(by_dword(&msg_digest[4..8]) as u64, 30, 2) << 32 + | by_dword(&msg_digest[0..4]) as u64; + + let mut e = BigNum::from_slice(&i_signature.to_be_bytes())?; + + let e_2 = e.to_owned()?; + e.mod_mul(&e_2, private_key, gen_order, &mut num_context)?; + + let mut s = e.to_owned()?; + + let s_2 = s.to_owned()?; + s.mod_sqr(&s_2, gen_order, &mut num_context)?; + + let c_2 = c.to_owned()?; + c.lshift(&c_2, 2)?; + + s = &s + &c; + + let s_2 = s.to_owned()?; + if s.mod_sqrt(&s_2, gen_order, &mut num_context).is_err() { + no_square = true; + }; + + let s_2 = s.to_owned()?; + s.mod_sub(&s_2, &e, gen_order, &mut num_context)?; + + if s.is_bit_set(0) { + s = &s + gen_order; + } + + let s_2 = s.to_owned()?; + s.rshift1(&s_2)?; + + let p_signature = u64::from_be_bytes(s.to_vec_padded(8)?.try_into().unwrap()); + + let product_key = ProductKey { + upgrade: p_upgrade, + channel_id: p_channel_id, + hash: p_hash, + signature: p_signature, + auth_info: p_auth_info, + }; + + if p_signature <= bitmask(62) && !no_square { + break pack(product_key); + } + + no_square = false; + }; + + Ok(base24_encode(&p_raw)) +} + +const SIGNATURE_LENGTH_BITS: u8 = 62; +const HASH_LENGTH_BITS: u8 = 31; +const CHANNEL_ID_LENGTH_BITS: u8 = 10; +const UPGRADE_LENGTH_BITS: u8 = 1; +const EVERYTHING_ELSE: u8 = + SIGNATURE_LENGTH_BITS + HASH_LENGTH_BITS + CHANNEL_ID_LENGTH_BITS + UPGRADE_LENGTH_BITS; + +fn unpack(p_raw: &[u8]) -> Result { + let mut reader = BitReader::new(p_raw); + let auth_info_length_bits = (p_raw.len() * 8) as u8 - EVERYTHING_ELSE; + + let p_auth_info = reader.read_u32(auth_info_length_bits)?; + let p_signature = reader.read_u64(SIGNATURE_LENGTH_BITS)?; + let p_hash = reader.read_u32(HASH_LENGTH_BITS)?; + let p_channel_id = reader.read_u32(CHANNEL_ID_LENGTH_BITS)?; + let p_upgrade = reader.read_bool()?; + + Ok(ProductKey { + upgrade: p_upgrade, + channel_id: p_channel_id, + hash: p_hash, + signature: p_signature, + auth_info: p_auth_info, + }) +} + +fn pack(p_key: ProductKey) -> Vec { + let mut p_raw: u128 = 0; + + p_raw |= (p_key.auth_info as u128) + << (SIGNATURE_LENGTH_BITS + + HASH_LENGTH_BITS + + CHANNEL_ID_LENGTH_BITS + + UPGRADE_LENGTH_BITS); + p_raw |= (p_key.signature as u128) + << (HASH_LENGTH_BITS + CHANNEL_ID_LENGTH_BITS + UPGRADE_LENGTH_BITS); + p_raw |= (p_key.hash as u128) << (CHANNEL_ID_LENGTH_BITS + UPGRADE_LENGTH_BITS); + p_raw |= (p_key.channel_id as u128) << UPGRADE_LENGTH_BITS; + p_raw |= p_key.upgrade as u128; + + p_raw + .to_be_bytes() + .into_iter() + .skip_while(|&x| x == 0) + .collect() +} + +fn bitmask(n: u64) -> u64 { + (1 << n) - 1 +} + +fn next_sn_bits(field: u64, n: u32, offset: u32) -> u64 { + (field >> offset) & ((1u64 << n) - 1) +} + +fn by_dword(n: &[u8]) -> u32 { + (n[0] as u32) | (n[1] as u32) << 8 | (n[2] as u32) << 16 | (n[3] as u32) << 24 +} + +#[cfg(test)] +mod tests { + use std::{fs::File, io::BufReader}; + + use serde_json::from_reader; + + use crate::crypto::initialize_elliptic_curve; + + #[test] + fn verify_test() { + // Example product key and its BINK ID + let product_key = "R882X-YRGC8-4KYTG-C3FCC-JCFDY"; + let bink_id = "54"; + + // Load keys.json + let path = "keys.json"; + let file = File::open(path).unwrap(); + let reader = BufReader::new(file); + let keys: serde_json::Value = from_reader(reader).unwrap(); + + let bink = &keys["BINK"][&bink_id]; + + let p = bink["p"].as_str().unwrap(); + let a = bink["a"].as_str().unwrap(); + let b = bink["b"].as_str().unwrap(); + let gx = bink["g"]["x"].as_str().unwrap(); + let gy = bink["g"]["y"].as_str().unwrap(); + let kx = bink["pub"]["x"].as_str().unwrap(); + let ky = bink["pub"]["y"].as_str().unwrap(); + + let (e_curve, gen_point, pub_point) = initialize_elliptic_curve(p, a, b, gx, gy, kx, ky); + + assert!(super::verify(&e_curve, &gen_point, &pub_point, product_key).unwrap()); + } +} diff --git a/src/cli.rs b/src/cli.rs index a5e57d3..ab0c8f6 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -5,10 +5,11 @@ use clap::Parser; use openssl::{ bn::{BigNum, MsbOption}, ec::{EcGroup, EcPoint}, + rand::rand_bytes, }; use serde_json::{from_reader, from_str}; -use crate::{bink1998, crypto::initialize_elliptic_curve}; +use crate::{bink1998, bink2002, crypto::initialize_elliptic_curve}; #[derive(Debug, Clone, Copy, PartialEq, Eq)] pub enum Mode { @@ -230,7 +231,40 @@ impl Cli { } fn bink2002(&mut self) -> Result<()> { - todo!() + let p_channel_id = self.options.channel_id; + + if self.options.verbose { + println!("> Channel ID: {p_channel_id:03}"); + } + + for _ in 0..self.options.num_keys { + let mut p_auth_info_bytes = [0_u8; 4]; + rand_bytes(&mut p_auth_info_bytes)?; + let p_auth_info = u32::from_ne_bytes(p_auth_info_bytes) & ((1 << 10) - 1); + + if self.options.verbose { + println!("> AuthInfo: {p_auth_info}"); + } + + let p_key = bink2002::generate( + &self.e_curve, + &self.gen_point, + &self.gen_order, + &self.private_key, + p_channel_id, + p_auth_info, + false, + )?; + Cli::print_key(&p_key); + println!("\n"); + + if bink2002::verify(&self.e_curve, &self.gen_point, &self.pub_point, &p_key)? { + self.count += 1; + } + } + + println!("Success count: {}/{}", self.count, self.options.num_keys); + Ok(()) } fn confirmation_id(&mut self) -> Result<()> { diff --git a/src/main.rs b/src/main.rs index df4c8e1..b8b51c4 100644 --- a/src/main.rs +++ b/src/main.rs @@ -1,13 +1,11 @@ use anyhow::Result; mod bink1998; +mod bink2002; mod cli; mod crypto; mod key; -pub const FIELD_BITS: i32 = 384; -pub const FIELD_BYTES: usize = 48; - fn main() -> Result<()> { cli::Cli::new()?.run() }