ToxicMushroom/Dalamud
1
0
Fork 0
mirror of https://github.com/goatcorp/Dalamud.git synced 2026-01-03 14:23:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Recover the key from the time when the process was created

Browse source 
Thanks Wintermute!
This commit is contained in:
Mino 2020-03-25 16:11:58 +09:00
parent cd45ecd377
commit 16d806a2bb
4 changed files with 63 additions and 197 deletions
Download patch file Download diff file Expand all files Collapse all files

28
Dalamud.Bootstrap/Bootstrapper.cs
View file

@ -24,6 +24,13 @@ namespace Dalamud.Bootstrap
throw new NotImplementedException("TODO");
}
/// <summary>
///
/// </summary>
/// <param name="pid"></param>
/// <exception cref="BootstrapException">
/// Thrown when it could not relaunch FINAL FANTASY XIV or inject Dalamud.
/// </exception>
public void Relaunch(uint pid)
{
// TODO
@ -48,10 +55,11 @@ namespace Dalamud.Bootstrap
using var process = Process.Open(pid);
var commandLine = process.ReadCommandLine();
if (!EncodedArgument.Parse(commandLine[1], out var container))
{
// Recover the key
}
// TODO: check if contains arg[1]
if EncryptedArgument.Extract(commandLine[1], )
// TODO:
@ -67,6 +75,20 @@ namespace Dalamud.Bootstrap
process.Terminate();
}
private static uint RecoverKey(Process gameProcess)
{
var createdTime = gameProcess.GetCreationTime();
var currentDt = DateTime.Now;
var currentTick = Environment.TickCount;
var delta = currentDt - createdTime;
var createdTick = (uint)currentTick - (uint)delta.TotalMilliseconds;
// only the high nibble is used.
return createdTick & 0xFFFF_0000;
}
/// <summary>
/// Injects Dalamud into the process. See remarks for process state prerequisites.
/// </summary>

190
Dalamud.Bootstrap/SqexArg/EncodedArgument.cs
View file

@ -1,190 +0,0 @@
using System;
using System.Buffers;
using System.Buffers.Text;
using System.Runtime.InteropServices;
using System.Text;
using Dalamud.Bootstrap.Crypto;
namespace Dalamud.Bootstrap.SqexArg
{
internal sealed class EncodedArgument : IDisposable
{
private static char[] ChecksumTable = new char[]
{
'f', 'X', '1', 'p', 'G', 't', 'd', 'S',
'5', 'C', 'A', 'P', '4', '_', 'V', 'L'
};
/// <summary>
/// Denotes that no checksum is encoded.
/// </summary>
private const char NoChecksumMarker = '!';
/// <summary>
/// A data that is not encrypted.
/// </summary>
private IMemoryOwner<byte> m_data;
/// <summary>
/// Creates an object that can take (e.g. /T=1234)
/// </summary>
/// <param name="data">A data that is not encrypted.</param>
/// <remarks>
/// This takes the ownership of the data.
/// </remarks>
public EncodedArgument(IMemoryOwner<byte> data)
{
m_data = data;
}
public EncodedArgument(string argument)
{
var buffer = MemoryPool<byte>.Shared.Rent(Encoding.UTF8.GetByteCount(argument));
Encoding.UTF8.GetBytes(argument, buffer.Memory.Span);
m_data = buffer;
}
public void Dispose()
{
m_data?.Dispose();
m_data = null!;
}
/// <summary>
///
/// </summary>
/// <param name="argument"></param>
/// <returns></returns>
/// <exception cref="SqexArgException">
/// Thrown when the function could not parse the encoded argument.
/// Message property will carry additional information.
/// </exception>
public static EncodedArgument Parse(string argument)
{
// check if argument contains is large enough to contain start marker, checksum and end marker.
if (argument.Length < "//**sqex0003!**//".Length)
{
var exMessage = $"The string ({argument}) is too short to parse the encoded argument."
+ $" It should be atleast large enough to store the start marker,checksum and end marker..";
throw new SqexArgException(exMessage);
}
if (!argument.StartsWith("//**sqex0003") || !argument[13..].EndsWith("**//"))
{
var exMessage = $"The string ({argument}) doesn't look like the valid argument."
+ $" It should start with //**sqex0003 and end with **// string.";
throw new SqexArgException(exMessage);
}
// Extract the data
var checksum = argument[^5];
var encryptedData = DecodeUrlSafeBase64(argument.Substring(12, argument.Length - 1 - 12 - 4)); // //**sqex0003, checksum, **//
// Dedice a partial key from the checksum
var (partialKey, recoverStep) = RecoverKeyFragmentFromChecksum(checksum);
var decryptedData = MemoryPool<byte>.Shared.Rent(encryptedData.Length);
if (!RecoverKey(encryptedData, decryptedData.Memory.Span, partialKey, recoverStep))
{
// we need to free the memory to avoid a memory leak.
decryptedData.Dispose();
var exMessage = $"Could not find a valid key to decrypt the encoded argument.";
throw new SqexArgException(exMessage);
}
return new EncodedArgument(decryptedData);
}
private static bool RecoverKey(ReadOnlySpan<byte> encryptedData, Span<byte> decryptedData, uint partialKey, uint recoverStep)
{
Span<byte> keyBytes = stackalloc byte[8];
var keyCandicate = partialKey;
while (true)
{
CreateKey(keyBytes, keyCandicate);
var blowfish = new Blowfish(keyBytes);
blowfish.Decrypt(encryptedData, decryptedData);
// Check if the decrypted data looks valid
if (CheckDecryptedData(decryptedData))
{
return true;
}
// Try again with the next key.
try
{
keyCandicate = checked(keyCandicate + recoverStep);
}
catch (OverflowException)
{
// We've exhausted the key space and could not find a valid key.
return false;
}
}
}
/// <summary>
///
/// </summary>
/// <param name="decryptedData"></param>
/// <returns></returns>
private static bool CheckDecryptedData(ReadOnlySpan<byte> decryptedData)
{
// TODO
return false;
}
/// <summary>
/// Formats the key.
/// </summary>
/// <param name="key">A secret key.</param>
/// <param name="destination">A buffer where formatted key will be stored. This must be larger than 8 bytes.</param>
private static void CreateKey(uint key, Span<byte> destination)
{
if (!Utf8Formatter.TryFormat(key, destination, out var _, new StandardFormat('X', 8)))
{
var message = $"BUG: Could not create a key"; // This should not fail but..
throw new InvalidOperationException(message);
}
}
/// <summary>
/// Deduces a partial key from the checksum.
/// </summary>
/// <returns>
/// `partialKey` can be or'd (a | partialKey) to recover some bits from the key.
/// </returns>
/// <remarks>
/// The partialKey here is very useful because it can further reduce the number of possible key
/// from 0xFFFF to 0xFFF which is 16 times smaller. (and therefore we can initialize the blowfish 16 times less which is quite expensive to do so.)
/// </remarks>
private static (uint partialKey, uint step) RecoverKeyFragmentFromChecksum(char checksum)
{
return MemoryExtensions.IndexOf(ChecksumTable, checksum) switch
{
-1 => (0x0001_0000, 0x0001_0000), // This covers '!' as well (no checksum are encoded)
var index => ((uint) (index << 16), 0x0010_0000)
};
}
/// <summary>
/// Converts the url-safe variant of base64 string to bytes.
/// </summary>
/// <param name="payload">A url-safe variant of base64 string.</param>
private static byte[] DecodeUrlSafeBase64(string payload)
{
var base64Str = payload
.Replace('-', '+')
.Replace('_', '/');
return Convert.FromBase64String(base64Str);
}
}
}

18
Dalamud.Bootstrap/Windows/Process.cs
View file

@ -155,6 +155,24 @@ namespace Dalamud.Bootstrap
}
}
/// <summary>
/// Returns a time when the process was started.
/// </summary>
public DateTime GetCreationTime()
{
unsafe
{
FileTime creationTime, exitTime, kernelTime, userTime;
if (Win32.GetProcessTimes(m_handle, &creationTime, &exitTime, &kernelTime, &userTime))
{
ProcessException.ThrowLastOsError(GetPid());
}
return (DateTime)creationTime;
}
}
private string[] ParseCommandLine(ReadOnlySpan<byte> commandLine)
{
unsafe

24
Dalamud.Bootstrap/Windows/Win32.cs
View file

@ -32,16 +32,17 @@ namespace Dalamud.Bootstrap.Windows
[DllImport("kernel32", CallingConvention = CallingConvention.Winapi)]
public static extern uint GetProcessId(SafeProcessHandle hProcess);
[DllImport("kernel32", CallingConvention = CallingConvention.Winapi, SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool GetProcessTimes(SafeProcessHandle hProcess, FileTime* lpCreationTime, FileTime* lpExitTime, FileTime* lpKernelTime, FileTime* lpUserTime);
}
[StructLayout(LayoutKind.Sequential)]
internal partial struct NtStatus
internal struct NtStatus
{
public uint Value { get; }
}
internal partial struct NtStatus
{
public NtStatus(uint value)
{
Value = value;
@ -70,6 +71,21 @@ namespace Dalamud.Bootstrap.Windows
public override string ToString() => $"0x{Value:X8}";
}
[StructLayout(LayoutKind.Sequential)]
internal struct FileTime
{
public uint LowDateTime;
public uint HighDateTime;
public static explicit operator DateTime(FileTime value)
{
var time = ((long)value.HighDateTime << 32) | value.LowDateTime;
return DateTime.FromFileTime(time);
}
}
[StructLayout(LayoutKind.Sequential)]
internal struct UNICODE_STRING
{