#!/usr/bin/env ruby
# Single-purpose probe script against one hard-coded host (193.168.50.88:80),
# talking raw HTTP/1.0 over TCPSocket. Everything before `__END__` is the
# executed program; the text after it is Ruby's DATA section (scratch notes
# that are never parsed or run, and never read via DATA in this file).
#
# NOTE(review): the string index/XOR idiom used below (`ct[l] ^= dlt[l]`)
# only works where String#[] yields an Integer, i.e. Ruby 1.8 — on 1.9+ it
# raises NoMethodError (String has no `^`). Treat this as legacy code.
require 'cgi'
require 'socket'

# Top-level locals. Note that top-level locals are NOT visible inside a `def`,
# which is why `foobar` re-declares `hash` and `seed` with the same literals.
seed = '31416406127362175889'
user = 'jmerchat'
# Opaque, URL-escaped base64 token copied from a previous session. Embedding
# credential-like material as a literal is the kind of thing that should live
# in an env var or a file excluded from version control.
hash = 'ugACQkL4CKlnCZo44zVHNQJYFid1giy1MBEME0pglhzgwxctODvJgOMrKZD6uDBO7%2F1BaiIfwR0h6vieLcMODxm5fd63M9gQhs%2BnEgWfuA%3D%3D'

# Raw bytes -> base64 (pack 'm') with the trailing newline removed -> URL-escaped.
# Inverse of enc2ciph.
def ciph2enc(str) 
  CGI.escape [str].pack('m').chomp
end

# URL-unescape -> base64-decode (unpack 'm') -> raw byte string.
# Inverse of ciph2enc.
def enc2ciph(str)
  CGI.unescape(str).unpack('m').first
end

# One full round trip: fetch index.php, harvest the session cookie and the
# page's `rand` value, derive a modified token, request index.php with it,
# and on success walk validnivo.php (GET, then POST with login/mail).
#
# @param login [String] value sent as the `pseudo` form field
# @param mail  [String] value sent as the `email` form field
# @return [Symbol, nil] :foobar when the response did not match /authentif/
#   (the caller loops on that); nil otherwise (after the early `return` or the
#   fall-through at the end of the `when` branch)
def foobar(login = 'jj', mail = 'john@ofjj.net')
  # Re-declared because top-level locals are not in scope here (see above).
  hash = 'ugACQkL4CKlnCZo44zVHNQJYFid1giy1MBEME0pglhzgwxctODvJgOMrKZD6uDBO7%2F1BaiIfwR0h6vieLcMODxm5fd63M9gQhs%2BnEgWfuA%3D%3D'
  seed = '31416406127362175889'
  phpsessid = nil
  curseed = nil
  # Dead store: `auth` is unconditionally reassigned from `ct` further down.
  auth = enc2ciph hash
  # Cleartext HTTP, no TLS — session cookie and token travel unprotected.
  TCPSocket.open('193.168.50.88', 80) { |s|
    s.write "GET /index.php HTTP/1.0\r\n\r\n"
    foo = s.read
    # $1 is nil if either regex fails to match; neither case is checked, so
    # a nil `curseed` is interpolated as "" into the shell command below and a
    # nil `phpsessid` yields a "Cookie: PHPSESSID=" header.
    foo =~ /PHPSESSID=([a-zA-Z0-9]*)/
    phpsessid = $1
    foo =~ /rand" value="(.*)"/
    curseed = $1
  }
  # SECURITY(review): `eval` on the output of an external process (`./hcrc`,
  # not part of this file), itself fed a value scraped from an HTTP response.
  # Anything the server (or a MITM on the cleartext link) can get into `rand`
  # reaches a shell line and then `eval`. The [/\[.*\]/] slice only narrows
  # to a bracketed substring; it does not make the input safe. Parsing the
  # expected array form explicitly (e.g. with Integer() per element) would
  # remove the eval entirely.
  dlt = eval(`./hcrc #{seed} #{curseed}`[/\[.*\]/])
  ct = enc2ciph hash
  # Byte-wise XOR of the decoded token with `dlt` (Ruby 1.8 String#[] semantics).
  dlt.length.times { |l| ct[l] ^= dlt[l] }
  auth = ciph2enc(ct)
  # `user` here is the hard-coded literal, not the top-level `user` local.
  urlauth = "/index.php?user=jmerchat&auth=#{auth}"
  p phpsessid, curseed, urlauth
  ans = TCPSocket.open('193.168.50.88', 80) { |s|
    s.write "GET #{urlauth} HTTP/1.0\r\n" << "Cookie: PHPSESSID=#{phpsessid}\r\n" << "\r\n"
    s.read
  }
  puts ans
  puts
  case ans
  when /authentif/
    puts "authentifie !"
    vn = TCPSocket.open('193.168.50.88', 80) { |s|
      s.write "GET /validnivo.php HTTP/1.0\r\n" << "Referer: #{urlauth}\r\n" << "Cookie: PHPSESSID=#{phpsessid}\r\n" << "\r\n"
      # The second read after the first has drained the socket to EOF
      # presumably just returns "" — verify; it is harmless either way.
      s.read + s.read
    }
    puts vn
    puts
    return if vn !~ /POST/
    # `login`/`mail` are interpolated into the form body without URL-encoding;
    # fine for the defaults, wrong for values containing '&', '=' or '%'.
    content = "pseudo=#{login}&email=#{mail}&Valider=Submit"
    vn = TCPSocket.open('193.168.50.88', 80) { |s|
      s.write "POST /validnivo.php HTTP/1.0\r\n" << "Referer: /validnivo.php\r\n" << "Cookie: PHPSESSID=#{phpsessid}\r\n" << "Content-type: application/x-www-form-urlencoded\r\n" << "Content-length: #{content.length}\r\n" << "\r\n" << content
      s.read + s.read
    }
    puts vn
    puts
    #
    # Pasted reference of the validnivo.php form text (originally in French):
    # Enter your nickname and your e-mail #   # pseudo
    # email
    #  
    #
  else
    return :foobar
  end
end

# Retry every 40 s until a round trip reaches the /authentif/ branch.
# There is no attempt cap, so this runs indefinitely on a host that never
# matches; each iteration also re-spawns ./hcrc and re-evals its output.
sleep 40 while foobar == :foobar
__END__
require '../libcrc' CRCZ = CRC.calc_crc("\0" * 70, 70, 0xffffffff) def getdeltax(wantedx) offset = 24 wantedx ^= CRCZ bar = CRC.not wantedx (70 - offset - 4).times { bar = CRC.inv_iter_crc(0, bar) } bar = CRC.not bar str = "\0" * offset mod = CRC.solve(str, offset, 0xffffffff, bar) 4.times { str << (mod & 0xff) ; mod >>= 8 } str end def getdiff(oldseed, newseed) dlt = '' newseed.length.times { |i| dlt << (newseed[i] ^ oldseed[i]) } (70-newseed.length).times { dlt << 0 } dlt end #dlt = getdeltax(0) oldcrc = '38a8c288' newseed = '01110416078568246182' #dlt = getdiff(seed, newseed) #crcdiff = CRC.calc_crc(dlt, 70, 0xffffffff) #dltcrc = '%x' % (crcdiff ^ CRCZ) #dlt << 0 #dltcrc.length.times { |i| dlt << (oldcrc[i] ^ dltcrc[i]) } #puts testreq(test) passh = '81A8E60EBBA84D55DFADA361F73B0A8937F0B11A'.downcase ostr = seed + ':' + user + ':' + passh ostr += ':' + '%x' % CRC.calc_crc(ostr, ostr.length, 0xffffffff) puts ostr #passh[5] = 0xff nstr = newseed + ':' + user + ':' + passh nstr += ':' + '%x' % CRC.calc_crc(nstr, nstr.length, 0xffffffff) #nstr[-1] = 0xff puts nstr dlt = ' ' * 79 nstr.length.times { |i| dlt[i] = (nstr[i] ^ ostr[i]) } dlt[0] = 1 p dlt test = enc2ciph hash dlt.length.times { |i| test[i] ^= dlt[i] } puts testreq(test) __END__ test[-1] ^= 1 puts testreq(test) test[-1] ^= 1 test[-1] ^= 3 puts testreq(test) test[-1] ^= 3 test[-1] ^= 7 puts testreq(test) test[-1] ^= 7 passh = 81A8E60EBBA84D55DFADA361F73B0A8937F0B11A #newseed = ARGV.first wantedcrc = CRC.calc_crc("\0" * 70, 70, 0xffffffff) bar = CRC.not wantedcrc (70 - 25).times { bar = CRC.inv_iter_crc(0, bar) } bar = CRC.not bar str = seed.unpack('C*').zip(newseed.unpack('C*')).map{ |a, b| a ^ b }.pack('C*') + "\0" mod = CRC.solve(str, 21, 0xffffffff, bar) 4.times { str << (mod & 0xff) ; mod >>= 8 } str += "\0" * (70-25) strori = seed + ':' + user + ':' + '0'*40 strmod = strori.dup strmod.length.times { |i| strmod[i] ^= str[i] } #puts 
"crc of #{strori.inspect.ljust(82)}: %x" % CRC.calc_crc(strori, 70, 0xffffffff) #puts "crc of #{strmod.inspect.ljust(82)}: %x" % CRC.calc_crc(strmod, 70, 0xffffffff) #puts "url: index.php?user=#{user}&auth=" << ciph2enc(strmod) rawstr = enc2ciph(hash) p rawstr.length 70.times { |i| rawstr[i] ^= str[i] } puts "url: index.php?user=#{user}&auth=" << ciph2enc(rawstr) exit require '/home/john/demange/libhttp.rb' httpsv = HttpServer.new('193.168.50.88') p = $httpsv.get('/', 'cookie' => 'PHPSESSID=bbba8289480c9d26234b817fea013de6') p p.headers puts p.content p.content p compvector(seed, seed) p calcurl($delta, ciphered, user) exit loop do get_page =~ /rand" value="(.*)">/ curseed = $1 v = compvector(seed, curseed) print "%.8x\r" % v $stdout.flush if (v & 0xcccccccc).zero? p curseed p calcurl(delta(seed, curseed), ciphered, user) end # break end puts