Initial commit

.gitignore

@@ -0,0 +1,9 @@
+# IDE files
+.classpath
+.project
+.settings/
+
+# Bins
+target/
+bin/
+uyamediustool.jar

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 hashsploit
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,27 @@
+# UYA Medius Tool
+
+This tool can be used to manually encrypt/decrypt Ratchet & Clank 3: Up Your Arsenal
+medius network packets for the PlayStation 2.
+
+Ported over from the [original project](https://github.com/Dnawrkshp/uya-medius-encryption) in C#.
+
+## Usage
+
+CLI usage:
+
+```bash
+uyamediustool.jar <mode> -k [key] -m <message>
+```
+- **mode**: Can be `encrypt` or `decrypt`.
+- **key**: Is the 64 hexstring key. (optional).
+- **message**: Is whatever message you want to encrypt.
+
+You can use this tool via the command-line directly, for example:
+
+```bash
+java -jar uyamediustool.jar decrypt -k 60937E5CD170EF0B5E0DF26DD93D84F04723CEDA8946886A329C8BE407D82EFADB383517D488448D5CA6F5D5F0204DC7BF5100528CE0373B7FDE1AA379D59486 -p 871700cdebc0747f0f52caad4b42ae74300f7d67bcd64f3eb158ed62a087
+```
+
+## Contribution
+Huge thanks to [Dnawrkshp](https://github.com/Dnawrkshp) for reverse engineering the RC4 and RSA encryption.
+

pom.xml

@@ -0,0 +1,45 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>net.hashsploit.ps2</groupId>
+	<artifactId>uya-medius-tool</artifactId>
+	<version>0.1.0</version>
+	<name>UYA Medius Tool</name>
+	<description>UYA Medius encryption/decryption tool</description>
+	<build>
+		<sourceDirectory>src</sourceDirectory>
+		<resources>
+			<resource>
+				<filtering>true</filtering>
+				<directory>src/main/resources</directory>
+				<excludes>
+					<exclude>**/*.java</exclude>
+				</excludes>
+			</resource>
+		</resources>
+		<plugins>
+			<plugin>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>3.8.0</version>
+				<configuration>
+					<release>11</release>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+	<dependencies>
+		<!-- https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on -->
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcprov-jdk15on</artifactId>
+			<version>1.65</version>
+		</dependency>
+		<!-- https://mvnrepository.com/artifact/info.picocli/picocli -->
+		<dependency>
+			<groupId>info.picocli</groupId>
+			<artifactId>picocli</artifactId>
+			<version>4.2.0</version>
+		</dependency>
+	</dependencies>
+</project>

src/main/java/net/hashsploit/ps2/uya/medius/DecryptionResult.java

@@ -0,0 +1,33 @@
+package net.hashsploit.ps2.uya.medius;
+
+public class DecryptionResult {
+
+	private String id;
+	private byte[] sha1;
+	private byte[] data;
+	private short length;
+
+	public DecryptionResult(final String id, final byte[] sha1, final short length, final byte[] data) {
+		this.id = id;
+		this.sha1 = sha1;
+		this.length = length;
+		this.data = data;
+	}
+
+	public String getId() {
+		return id;
+	}
+
+	public byte[] getSHA1() {
+		return sha1;
+	}
+
+	public byte[] getData() {
+		return data;
+	}
+
+	public short getLength() {
+		return length;
+	}
+
+}

src/main/java/net/hashsploit/ps2/uya/medius/EncryptionResult.java

@@ -0,0 +1,21 @@
+package net.hashsploit.ps2.uya.medius;
+
+public class EncryptionResult {
+
+	private byte[] sha1;
+	private byte[] data;
+
+	public EncryptionResult(final byte[] messageBytes, final byte[] data) {
+		this.sha1 = messageBytes;
+		this.data = data;
+	}
+
+	public byte[] getSHA1() {
+		return sha1;
+	}
+
+	public byte[] getData() {
+		return data;
+	}
+
+}

src/main/java/net/hashsploit/ps2/uya/medius/Main.java

@@ -0,0 +1,16 @@
+package net.hashsploit.ps2.uya.medius;
+
+import picocli.CommandLine;
+import picocli.CommandLine.RunAll;
+
+public class Main {
+
+	public static void main(String[] args) {
+		CommandLine cmd = new CommandLine(new Options.ParentCommand());
+        cmd.setExecutionStrategy(new RunAll());
+        cmd.execute(args);
+
+        if (args.length == 0) { cmd.usage(System.out); }
+	}
+
+}

src/main/java/net/hashsploit/ps2/uya/medius/Options.java

@@ -0,0 +1,39 @@
+package net.hashsploit.ps2.uya.medius;
+
+import picocli.CommandLine.Command;
+import picocli.CommandLine.Option;
+
+public final class Options {
+
+	@Command(name=UYAMediusTool.NAME, version=UYAMediusTool.VERSION, subcommands = {DecryptOptions.class, EncryptOptions.class})
+    static class ParentCommand implements Runnable {
+        public void run() { }
+    }
+
+	@Command(name="decrypt", aliases = {"d", "dec"}, description="Set the tool to decryption mode.")
+	static class DecryptOptions implements Runnable {
+		@Option(names={"-k", "--key"}, description="Key as a hexstring (64 bytes).", arity="1", paramLabel="<key>", required = false)
+		public String key;
+		@Option(names={"-m", "--message", "-p", "--packet"}, description="Encrypted message as a hexstring.", arity="1", paramLabel="<message>", required = true)
+		public String message;
+
+		public void run() {
+			UYAMediusTool tool = new UYAMediusTool();
+			System.out.println("Decrypted message: " + tool.decryptMessage(key, message));
+		}
+	}
+
+	@Command(name="encrypt", aliases = {"e", "enc"}, description="Set the tool to encryption mode.")
+	static class EncryptOptions implements Runnable {
+		@Option(names={"-k", "--key"}, description="Key as a hexstring (64 bytes).", arity="1", paramLabel="<key>", required = false)
+		public String key;
+		@Option(names={"-m", "--message"}, description="Message as a hexstring to encrypt.", arity="1", paramLabel="<message>", required = true)
+		public String message;
+
+		public void run() {
+			UYAMediusTool tool = new UYAMediusTool();
+			System.out.println("Encrypted message: " + tool.encryptMessage(key, message));
+		}
+	}
+
+}

src/main/java/net/hashsploit/ps2/uya/medius/UYAMediusTool.java

@@ -0,0 +1,91 @@
+package net.hashsploit.ps2.uya.medius;
+
+import net.hashsploit.ps2.uya.medius.utils.RC4;
+import net.hashsploit.ps2.uya.medius.utils.Utils;
+
+public class UYAMediusTool {
+
+	public static final String NAME = "UYA Medius Tool";
+	public static final String VERSION = "0.1.0";
+
+	public UYAMediusTool() {
+
+	}
+
+	public EncryptionResult encryptMessage(String key, String message) {
+		if (key != null) {
+			return subEncryptMessage(key, message);
+		}
+
+		String[] keys = Utils.readFileAsLines("keys.txt");
+		for (int k = 0; k < keys.length; ++k) {
+			System.out.println(String.format("ENCRYPTING WITH KEY:{%s}", keys[k]));
+			System.out.println();
+			subEncryptMessage(keys[k], message);
+			System.out.println();
+			System.out.println();
+		}
+
+		return null;
+	}
+
+	private EncryptionResult subEncryptMessage(String key, String message) {
+		byte[] keyBytes = Utils.strToByteArray(key);
+		byte[] messageBytes = Utils.strToByteArray(message);
+		byte[] cipher = new byte[messageBytes.length];
+
+		RC4 packer = new RC4(keyBytes);
+
+		cipher = packer.encrypt(messageBytes);
+
+		System.out.println("SHA1:{Utils.BAToString(packer.Hash(messageBytes))} CIPHER:{Utils.BAToString(cipher)}");
+		System.out.println();
+
+		return new EncryptionResult(messageBytes, cipher);
+	}
+
+	public DecryptionResult decryptMessage(String key, String packet) {
+		if (key != null) {
+			return subDecryptPacket(key, packet);
+		}
+
+		String[] keys = Utils.readFileAsLines("keys.txt");
+
+		for (int k = 0; k < keys.length; ++k) {
+			System.out.println(String.format("DECRYPTING WITH KEY:{%s}", keys[k]));
+			System.out.println();
+			subDecryptPacket(keys[k], packet);
+			System.out.println();
+			System.out.println();
+		}
+
+		return null;
+	}
+
+	private DecryptionResult subDecryptPacket(String key, String packet) {
+		byte[] keyBytes = Utils.strToByteArray(key);
+		byte[] packetBytes = Utils.strToByteArray(packet);
+
+		RC4 packer = new RC4(keyBytes);
+
+		for (int i = 0; i < packetBytes.length;) {
+			byte id = packetBytes[i + 0];
+			short len = Utils.toInt16(packetBytes, i + 1);
+			byte[] hash = new byte[4];
+			byte[] buf = new byte[len];
+			System.arraycopy(packetBytes, i + 7, buf, 0, len);
+			System.arraycopy(packetBytes, i + 3, hash, 0, 4);
+			byte[] result = packer.decrypt(hash, buf);
+
+			System.out.println("ID:{id.ToString(\"X2\")} LEN:{len} SHA1:{Utils.BAToString(hash)} DATA:");
+			System.out.println(String.format("ID:%s LEN:%d SHA1:%s DATA:", Byte.toString(id), len, Utils.baToString(hash)));
+			Utils.fancyPrintBA(result);
+			System.out.println();
+
+			i += len + 7;
+		}
+
+		return null;
+	}
+
+}