add cursed m___a functions from puck, use it to validate

2024-11-21 15:05:41 +00:00 · 2022-12-29 00:40:31 +00:00 · 2022-12-29 00:40:31 +00:00 · 62e17a96f5
commit 62e17a96f5
parent 18f0d19e6b
2 changed files with 71 additions and 9 deletions
--- a/src/cursed.rs
+++ b/src/cursed.rs
@ -0,0 +1,52 @@
+pub fn m296a(a: &[u8], i: usize) -> bool {
+    (a[i / 8] >> (7 - (i * 8))) == 1
+}
+
+pub fn m295a(a: &[u8], i: usize, i2: usize) -> u32 {
+    let i = i as u32;
+    let i2 = i2 as u32;
+    let mut i3: u32 = (i as u32) & 7;
+    let mut i4: u32 = i3;
+    let mut i5: u32 = (i as u32) >> 3;
+    let mut i6: u32 = (1 << (8 - i3)) - 1;
+    let mut i7: u32 = 0;
+    let mut i8: u32 = 0;
+    while (i2 - i7) > 0 {
+        i8 |= (i6 & a[i5 as usize] as u32) << ((i4 + 24) - i7);
+        i7 += 8 - i4;
+        i6 = 255;
+        i4 = 0;
+        i5 += 1;
+    }
+
+    i8 >> (32 - i2)
+}
+
+pub fn m297a(a: &[u8], i: usize, i2: usize) -> String {
+    let mut sb = String::new();
+    let mut i = i as u32;
+    let mut i2 = i2 as u32;
+    let mut i3: u32 = i & 7;
+    let mut i4: u32 = i3;
+    let mut i5: u32 = i >> 3;
+    let mut i6: u32 = (1 << (8 - i3)) - 1;
+    let mut i7: u32 = 0;
+    let mut i8: u32 = 0;
+
+    while i2 > 0 {
+        if i7 >= 6 {
+            sb.push(((i8 >> 26) + 32) as u8 as char);
+            i8 <<= 6;
+            i7 -= 6;
+            i2 -= 1;
+        } else {
+            i8 |= (i6 & a[i5 as usize] as u32) << ((i4 + 24) - i7);
+            i7 += 8 - i4;
+            i6 = 255;
+            i4 = 0;
+            i5 += 1
+        }
+    }
+
+    sb
+}
--- a/src/main.rs
+++ b/src/main.rs
@ -3,6 +3,7 @@ use anyhow::anyhow;
 use rsa::BigUint;
 use std::fs;

+mod cursed;
 mod keys;

 fn base26_decode(input: &str) -> BigUint {
@ -56,21 +57,21 @@ fn main() -> anyhow::Result<()> {
    let iks = IssuerKeyStore::new();
    println!("[+] Loaded {} public keys!", iks.keys.len());
    println!("[+] Reading ticket.dat...");
-    let ticket = fs::read_to_string("./ticket.dat")?;
-    if ticket.len() < 16 {
+    let ticket_str = fs::read_to_string("./ticket.dat")?;
+    if ticket_str.len() < 16 {
        return Err(anyhow!("ticket too short"));
    }
-    if &ticket[0..2] != "06" {
+    if &ticket_str[0..2] != "06" {
        return Err(anyhow!(
            "ticket isn't a RSP6 ticket: magic was {}",
-            &ticket[0..2]
+            &ticket_str[0..2]
        ));
    }
-    let issuer_id = &ticket[13..15];
-    let ticket_reference = format!("{}{}", issuer_id, &ticket[2..11]);
+    let issuer_id = &ticket_str[13..15];
+    let ticket_reference = format!("{}{}", issuer_id, &ticket_str[2..11]);
    println!("[+] RSP6 ticket, reference {}", ticket_reference);
    println!("[+] Ticket issuer: {}", issuer_id);
-    let ticket = base26_decode(&ticket[15..]);
+    let ticket = base26_decode(&ticket_str[15..]);
    let keys = iks
        .keys
        .get(issuer_id)
@ -82,10 +83,19 @@ fn main() -> anyhow::Result<()> {
        let message = ticket.modpow(&exponent, &modulus).to_bytes_be();
        if let Some(unpadded) = strip_padding(&message) {
            println!("done! {:?}", unpadded);
+            let ticket_ref_inner = cursed::m297a(unpadded, 8, 9);
+            let extra_bit = cursed::m297a(unpadded, 62, 1);
+            let inner_data = format!("{}{}", ticket_ref_inner, extra_bit);
+            let outer_data = &ticket_str[2..12];
+            if inner_data != outer_data {
+                return Err(anyhow!("failed to validate inner and outer data"));
+            }
+            println!("[+] ticket validated!");
            return Ok(());
-        } else {
-            println!("failed decrypt: {:?}", message);
        }
+        /*else {
+            println!("failed decrypt: {:?}", message);
+        }*/
    }
    Err(anyhow!("no valid decryptions"))
 }