Please help. I'm on NA. It's taking forever to find it myself.
Looking for Encryption function
07/31/2014 07:57
Shagswell#1
07/31/2014 11:23
darkstas#2
It'll be very good, If someone releases encryption function. Just encryption function, how to use it and decrypt I know, but reversing for it, here I don't have any experience :(
07/31/2014 15:29
nonowmana#3
Encrypt what ? Packets ?
07/31/2014 16:22
darkstas#4
YesQuote:
Encrypt what ? Packets ?
08/01/2014 21:34
Omdi#5
I am not sure but this could be the function :)
Code:
char __cdecl sub_D86780(int a1, int a2, __m64 *a3, int a4)
{
int v4; // edx@1
__m64 *v5; // esi@1
int v6; // eax@1
int v7; // ebx@1
int v8; // edi@2
int v9; // ebp@2
int v10; // ecx@3
int v11; // edx@3
int v17; // edx@6
int v18; // eax@6
int v19; // edx@6
unsigned __int64 v20; // mm0@6
int v21; // ecx@6
__m64 i; // mm2@6
int v23; // edx@7
int v24; // edx@7
int v25; // edx@8
int v26; // eax@8
int v27; // edx@8
int v28; // ecx@8
__m64 v29; // mm1@8
int v30; // edx@8
int v31; // eax@8
int v32; // edx@8
__m64 v33; // mm2@8
int v34; // ecx@8
__m64 v35; // mm1@8
int v36; // edx@8
int v37; // eax@8
int v38; // edx@8
__m64 v39; // mm2@8
int v40; // ecx@8
__m64 v41; // mm1@8
int v42; // edx@8
int v43; // eax@8
int v44; // edx@8
__m64 v45; // mm2@8
int v46; // ecx@8
__m64 v47; // mm1@8
int v48; // edx@8
int v49; // eax@8
int v50; // edx@8
__m64 v51; // mm2@8
int v52; // ecx@8
__m64 v53; // mm1@8
int v54; // edx@8
int v55; // eax@8
int v56; // edx@8
__m64 v57; // mm2@8
int v58; // ecx@8
__m64 v59; // mm1@8
int v60; // edx@8
int v61; // edx@8
__m64 v62; // mm2@8
__m64 v63; // mm1@8
int v64; // edx@12
int v65; // edx@12
int v66; // ecx@12
int v67; // ebp@12
int v68; // edx@12
int v69; // edx@12
int v70; // ecx@12
int v71; // ebp@12
int v72; // edx@12
int v73; // edx@12
int v74; // ecx@12
int v75; // ebp@12
int v76; // edx@12
int v77; // ebp@12
int v78; // edx@15
char v79; // cl@17
char v80; // dl@18
char v81; // dl@18
char *v83; // [sp+18h] [bp+8h]@2
char *v84; // [sp+1Ch] [bp+Ch]@11
int v85; // [sp+20h] [bp+10h]@4
v4 = a2;
v5 = a3;
v6 = 0;
v7 = 0;
if ( a2 )
{
LOBYTE(v7) = *(_BYTE *)(a1 + 4);
v8 = a1 + 8;
v9 = a4 - (_DWORD)a3;
v83 = (char *)a3 + a2;
LOBYTE(v6) = *(_BYTE *)a1 + 1;
if ( *(_DWORD *)(a1 + 264) == -1 )
{
v79 = *(_BYTE *)(v8 + v6);
do
{
LOBYTE(v7) = v79 + v7;
v80 = *(_BYTE *)(v8 + v7);
*(_BYTE *)(v8 + v7) = v79;
*(_BYTE *)(v8 + v6) = v80;
LOBYTE(v6) = v6 + 1;
v81 = LOBYTE(v5->m64_u64) ^ *(_BYTE *)(v8 + (unsigned __int8)(v79 + v80));
v5 = (__m64 *)((char *)v5 + 1);
v79 = *(_BYTE *)(v8 + v6);
*((_BYTE *)v5 + v9 - 1) = v81;
}
while ( (unsigned int)v5 < (unsigned int)v83 );
goto LABEL_19;
}
v10 = *(_DWORD *)(v8 + 4 * v6);
v11 = v4 & 0xFFFFFFFC;
if ( v11 )
{
v85 = a4 - (_DWORD)a3;
if ( !(v11 & 0xFFFFFFF8) )
goto LABEL_23;
_EBP = &dword_1845E70;
__asm { bt dword ptr [ebp+0], 1Ah }
if ( _CF )
{
v9 = v85;
*(_DWORD *)(a1 + 4) = (char *)a3 + (v11 & 0xFFFFFFF8) - 8;
LOBYTE(v7) = v10 + v7;
v17 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v10;
*(_DWORD *)(v8 + 4 * v6) = v17;
v18 = (unsigned __int8)(v6 + 1);
v19 = (unsigned __int8)(v10 + (_BYTE)v17);
v20 = a3->m64_u64;
v21 = *(_DWORD *)(v8 + 4 * v18);
for ( i = _mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v19)); ; i = _mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v24)) )
{
LOBYTE(v7) = v21 + v7;
v25 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v21;
*(_DWORD *)(v8 + 4 * v18) = v25;
v26 = (unsigned __int8)(v18 + 1);
v27 = (unsigned __int8)(v21 + (_BYTE)v25);
v28 = *(_DWORD *)(v8 + 4 * v26);
LOBYTE(v7) = v28 + v7;
v29 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v27)), 8u);
v30 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v28;
*(_DWORD *)(v8 + 4 * v26) = v30;
v31 = (unsigned __int8)(v26 + 1);
v32 = (unsigned __int8)(v28 + (_BYTE)v30);
v33 = _m_pxor(_m_pxor(i, (__m64)v20), v29);
v34 = *(_DWORD *)(v8 + 4 * v31);
LOBYTE(v7) = v34 + v7;
v35 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v32)), 0x10u);
v36 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v34;
*(_DWORD *)(v8 + 4 * v31) = v36;
v37 = (unsigned __int8)(v31 + 1);
v38 = (unsigned __int8)(v34 + (_BYTE)v36);
v39 = _m_pxor(v33, v35);
v40 = *(_DWORD *)(v8 + 4 * v37);
LOBYTE(v7) = v40 + v7;
v41 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v38)), 0x18u);
v42 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v40;
*(_DWORD *)(v8 + 4 * v37) = v42;
v43 = (unsigned __int8)(v37 + 1);
v44 = (unsigned __int8)(v40 + (_BYTE)v42);
v45 = _m_pxor(v39, v41);
v46 = *(_DWORD *)(v8 + 4 * v43);
LOBYTE(v7) = v46 + v7;
v47 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v44)), 0x20u);
v48 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v46;
*(_DWORD *)(v8 + 4 * v43) = v48;
v49 = (unsigned __int8)(v43 + 1);
v50 = (unsigned __int8)(v46 + (_BYTE)v48);
v51 = _m_pxor(v45, v47);
v52 = *(_DWORD *)(v8 + 4 * v49);
LOBYTE(v7) = v52 + v7;
v53 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v50)), 0x28u);
v54 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v52;
*(_DWORD *)(v8 + 4 * v49) = v54;
v55 = (unsigned __int8)(v49 + 1);
v56 = (unsigned __int8)(v52 + (_BYTE)v54);
v57 = _m_pxor(v51, v53);
v58 = *(_DWORD *)(v8 + 4 * v55);
LOBYTE(v7) = v58 + v7;
v59 = _m_psllq(_mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v56)), 0x30u);
v60 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v58;
*(_DWORD *)(v8 + 4 * v55) = v60;
v6 = (unsigned __int8)(v55 + 1);
v61 = (unsigned __int8)(v58 + (_BYTE)v60);
v62 = _m_pxor(v57, v59);
v10 = *(_DWORD *)(v8 + 4 * v6);
v63 = _mm_cvtsi32_si64(*(_DWORD *)(v8 + 4 * v61));
v7 = (unsigned __int8)v7;
_CF = (unsigned int)v5 < *(_DWORD *)(a1 + 4);
++v5;
if ( !_CF )
break;
LOBYTE(v7) = v10 + v7;
v23 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v10;
*(_DWORD *)(v8 + 4 * v6) = v23;
v18 = (unsigned __int8)(v6 + 1);
v24 = (unsigned __int8)(v10 + (_BYTE)v23);
v20 = v5->m64_u64;
*(unsigned __int64 *)((char *)&v5[-1].m64_u64 + v85) = (unsigned __int64)_m_pxor(v62, _m_psllq(v63, 0x38u));
v21 = *(_DWORD *)(v8 + 4 * v18);
}
*(unsigned __int64 *)((char *)&v5[-1].m64_u64 + v85) = (unsigned __int64)_m_pxor(v62, _m_psllq(v63, 0x38u));
_m_femms();
if ( (char *)v5 == v83 )
goto LABEL_19;
}
else
{
LABEL_23:
v84 = (char *)a3 + v11 - 4;
do
{
LOBYTE(v7) = v10 + v7;
v64 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v10;
*(_DWORD *)(v8 + 4 * v6) = v64;
LOBYTE(v6) = v6 + 1;
v65 = (unsigned __int8)(v10 + (_BYTE)v64);
v66 = *(_DWORD *)(v8 + 4 * v6);
v67 = *(_DWORD *)(v8 + 4 * v65);
LOBYTE(v7) = v66 + v7;
v68 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v66;
*(_DWORD *)(v8 + 4 * v6) = v68;
LOBYTE(v6) = v6 + 1;
v69 = (unsigned __int8)(v66 + (_BYTE)v68);
v67 = __ROR__(v67, 8);
v70 = *(_DWORD *)(v8 + 4 * v6);
v71 = *(_DWORD *)(v8 + 4 * v69) | v67;
LOBYTE(v7) = v70 + v7;
v72 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v70;
*(_DWORD *)(v8 + 4 * v6) = v72;
LOBYTE(v6) = v6 + 1;
v73 = (unsigned __int8)(v70 + (_BYTE)v72);
v71 = __ROR__(v71, 8);
v74 = *(_DWORD *)(v8 + 4 * v6);
v75 = *(_DWORD *)(v8 + 4 * v73) | v71;
LOBYTE(v7) = v74 + v7;
v76 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v74;
*(_DWORD *)(v8 + 4 * v6) = v76;
LOBYTE(v6) = v6 + 1;
v75 = __ROR__(v75, 8);
v77 = __ROR__(*(_DWORD *)(v8 + 4 * (unsigned __int8)(v74 + (_BYTE)v76)) | v75, 8);
_CF = (unsigned int)v5 < (unsigned int)v84;
*(_DWORD *)((char *)&v5->m64_u64 + v85) = LODWORD(v5->m64_u64) ^ v77;
v5 = (__m64 *)((char *)v5 + 4);
v10 = *(_DWORD *)(v8 + 4 * v6);
}
while ( _CF );
if ( (char *)v5 == v83 )
goto LABEL_19;
v9 = v85;
}
}
do
{
LOBYTE(v7) = v10 + v7;
v78 = *(_DWORD *)(v8 + 4 * v7);
*(_DWORD *)(v8 + 4 * v7) = v10;
*(_DWORD *)(v8 + 4 * v6) = v78;
LOBYTE(v6) = v6 + 1;
LOBYTE(v78) = LOBYTE(v5->m64_u64) ^ *(_DWORD *)(v8 + 4 * (unsigned __int8)(v10 + (_BYTE)v78));
v5 = (__m64 *)((char *)v5 + 1);
v10 = *(_DWORD *)(v8 + 4 * v6);
*((_BYTE *)v5 + v9 - 1) = v78;
}
while ( (unsigned int)v5 < (unsigned int)v83 );
LABEL_19:
LOBYTE(v6) = v6 - 1;
*(_DWORD *)(a1 + 4) = v7;
*(_BYTE *)a1 = v6;
}
return v6;
}
08/01/2014 22:35
mandark15#6
The code is kinda hard to follow... but how about the XoR Table?Quote:
Do you have the code for it also?
08/01/2014 23:37
Omdi#7
No but I am currently investigating how the xor table gets generated :)Quote:
Do you have the code for it also?
08/01/2014 23:46
mandark15#8
I see, from what I understand thought the first time it generates it increments by 1... then half way through the process it does something this is where I got lost. After that it continues incrementing the rest by 1.Quote:
And thank you for sharing the codes =)
08/02/2014 14:11
Omdi#9
I removed the unnecessary parts :)
EDIT:
Still need to figure out how the xor table gets generated :c
encryption.h
encryption.cpp
Code:
char __cdecl XORPacket(int xorTable, int bufSize, __m64 *buffer, int bufferTwo)
{
int buffSize_0; // edx@1
unsigned int buffer_0; // esi@1
int mostLikelyZero; // eax@1
int xorSecondOffset; // ebx@1
int xorThirdOffsetPtr; // edi@2
int bufferTwo_0; // ebp@2
int xorTableThirdOffset_0; // ecx@3
int someBitShiftingShitWithBufferSize; // edx@3
int v78; // edx@15
int bufferEnd; // [sp+18h] [bp+8h]@2
buffSize_0 = bufSize;
buffer_0 = (unsigned int)buffer;
mostLikelyZero = 0;
xorSecondOffset = 0;
if ( bufSize )
{
LOBYTE(xorSecondOffset) = *(_BYTE *)(xorTable + 4);
xorThirdOffsetPtr = xorTable + 8;
bufferTwo_0 = bufferTwo - (_DWORD)buffer;
bufferEnd = (int)((char *)buffer + bufSize);
LOBYTE(mostLikelyZero) = *(_BYTE *)xorTable + 1;
xorTableThirdOffset_0 = *(_DWORD *)(xorThirdOffsetPtr + 4 * mostLikelyZero);
someBitShiftingShitWithBufferSize = buffSize_0 & 0xFFFFFFFC;
do
{
LOBYTE(xorSecondOffset) = xorTableThirdOffset_0 + xorSecondOffset;
v78 = *(_DWORD *)(xorThirdOffsetPtr + 4 * xorSecondOffset);
*(_DWORD *)(xorThirdOffsetPtr + 4 * xorSecondOffset) = xorTableThirdOffset_0;
*(_DWORD *)(xorThirdOffsetPtr + 4 * mostLikelyZero) = v78;
LOBYTE(mostLikelyZero) = mostLikelyZero + 1;
LOBYTE(v78) = *(_BYTE *)buffer_0++ ^ *(_DWORD *)(xorThirdOffsetPtr
+ 4 * (unsigned __int8)(xorTableThirdOffset_0 + (_BYTE)v78));
xorTableThirdOffset_0 = *(_DWORD *)(xorThirdOffsetPtr + 4 * mostLikelyZero);
*(_BYTE *)(bufferTwo_0 + buffer_0 - 1) = v78;
}
while ( buffer_0 < bufferEnd );
LOBYTE(mostLikelyZero) = mostLikelyZero - 1;
*(_DWORD *)(xorTable + 4) = xorSecondOffset;
*(_BYTE *)xorTable = mostLikelyZero;
}
return mostLikelyZero;
}
Still need to figure out how the xor table gets generated :c
encryption.h
Code:
#pragma once
#include <stdint.h>
uint8_t xorTable[] =
{
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00,
0x4F, 0x00, 0x00, 0x00, 0x5B, 0x00, 0x00, 0x00,
0x57, 0x00, 0x00, 0x00, 0x5D, 0x00, 0x00, 0x00,
0x53, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00,
0xE6, 0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00,
0x69, 0x00, 0x00, 0x00, 0xF2, 0x00, 0x00, 0x00,
0x4E, 0x00, 0x00, 0x00, 0xE2, 0x00, 0x00, 0x00,
0x52, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00,
0x3A, 0x00, 0x00, 0x00, 0xCF, 0x00, 0x00, 0x00,
0x22, 0x00, 0x00, 0x00, 0xF5, 0x00, 0x00, 0x00,
0xD3, 0x00, 0x00, 0x00, 0x62, 0x00, 0x00, 0x00,
0x1C, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x00, 0x00,
0xB1, 0x00, 0x00, 0x00, 0x7F, 0x00, 0x00, 0x00,
0xD5, 0x00, 0x00, 0x00, 0x7A, 0x00, 0x00, 0x00,
0xFA, 0x00, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00,
0xA5, 0x00, 0x00, 0x00, 0xB4, 0x00, 0x00, 0x00,
0x30, 0x00, 0x00, 0x00, 0xF9, 0x00, 0x00, 0x00,
0x64, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
0x9C, 0x00, 0x00, 0x00, 0x51, 0x00, 0x00, 0x00,
0x0D, 0x00, 0x00, 0x00, 0x6B, 0x00, 0x00, 0x00,
0x83, 0x00, 0x00, 0x00, 0xAD, 0x00, 0x00, 0x00,
0x32, 0x00, 0x00, 0x00, 0x9F, 0x00, 0x00, 0x00,
0x7E, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00,
0xC1, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00,
0xC3, 0x00, 0x00, 0x00, 0x6A, 0x00, 0x00, 0x00,
0x39, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00,
0xCC, 0x00, 0x00, 0x00, 0xB6, 0x00, 0x00, 0x00,
0x0A, 0x00, 0x00, 0x00, 0xCE, 0x00, 0x00, 0x00,
0xF1, 0x00, 0x00, 0x00, 0xB3, 0x00, 0x00, 0x00,
0x43, 0x00, 0x00, 0x00, 0xE1, 0x00, 0x00, 0x00,
0x7B, 0x00, 0x00, 0x00, 0xA2, 0x00, 0x00, 0x00,
0x3F, 0x00, 0x00, 0x00, 0xF3, 0x00, 0x00, 0x00,
0x55, 0x00, 0x00, 0x00, 0xC9, 0x00, 0x00, 0x00,
0x12, 0x00, 0x00, 0x00, 0xC5, 0x00, 0x00, 0x00,
0x58, 0x00, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00,
0x96, 0x00, 0x00, 0x00, 0xCD, 0x00, 0x00, 0x00,
0x71, 0x00, 0x00, 0x00, 0xFB, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00,
0x56, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00,
0x07, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
0x95, 0x00, 0x00, 0x00, 0x86, 0x00, 0x00, 0x00,
0xBF, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x00, 0x00,
0xEA, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00,
0x4B, 0x00, 0x00, 0x00, 0x6F, 0x00, 0x00, 0x00,
0xD2, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00,
0x68, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00,
0x80, 0x00, 0x00, 0x00, 0x3B, 0x00, 0x00, 0x00,
0x73, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
0x27, 0x00, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00,
0x8D, 0x00, 0x00, 0x00, 0xE9, 0x00, 0x00, 0x00,
0x5A, 0x00, 0x00, 0x00, 0xDF, 0x00, 0x00, 0x00,
0xED, 0x00, 0x00, 0x00, 0xBC, 0x00, 0x00, 0x00,
0xC7, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00,
0x5C, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00,
0x8A, 0x00, 0x00, 0x00, 0x89, 0x00, 0x00, 0x00,
0xF8, 0x00, 0x00, 0x00, 0xAB, 0x00, 0x00, 0x00,
0x85, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
0xDE, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
0xA6, 0x00, 0x00, 0x00, 0x77, 0x00, 0x00, 0x00,
0x9E, 0x00, 0x00, 0x00, 0x54, 0x00, 0x00, 0x00,
0xDC, 0x00, 0x00, 0x00, 0x67, 0x00, 0x00, 0x00,
0x11, 0x00, 0x00, 0x00, 0x74, 0x00, 0x00, 0x00,
0xD4, 0x00, 0x00, 0x00, 0x8F, 0x00, 0x00, 0x00,
0xA7, 0x00, 0x00, 0x00, 0x7C, 0x00, 0x00, 0x00,
0x40, 0x00, 0x00, 0x00, 0xE7, 0x00, 0x00, 0x00,
0xB5, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00,
0xAA, 0x00, 0x00, 0x00, 0xD1, 0x00, 0x00, 0x00,
0x63, 0x00, 0x00, 0x00, 0xCA, 0x00, 0x00, 0x00,
0xDD, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
0xE0, 0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00,
0xE5, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00,
0x36, 0x00, 0x00, 0x00, 0x93, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00,
0x45, 0x00, 0x00, 0x00, 0xFE, 0x00, 0x00, 0x00,
0xA3, 0x00, 0x00, 0x00, 0xEE, 0x00, 0x00, 0x00,
0x97, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00,
0xDB, 0x00, 0x00, 0x00, 0x9A, 0x00, 0x00, 0x00,
0xBB, 0x00, 0x00, 0x00, 0xCB, 0x00, 0x00, 0x00,
0xB9, 0x00, 0x00, 0x00, 0xEF, 0x00, 0x00, 0x00,
0x0B, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00,
0x06, 0x00, 0x00, 0x00, 0xB2, 0x00, 0x00, 0x00,
0xB0, 0x00, 0x00, 0x00, 0xBE, 0x00, 0x00, 0x00,
0x6E, 0x00, 0x00, 0x00, 0xB7, 0x00, 0x00, 0x00,
0x98, 0x00, 0x00, 0x00, 0x5F, 0x00, 0x00, 0x00,
0x19, 0x00, 0x00, 0x00, 0xD8, 0x00, 0x00, 0x00,
0x4D, 0x00, 0x00, 0x00, 0xAF, 0x00, 0x00, 0x00,
0xF0, 0x00, 0x00, 0x00, 0xE4, 0x00, 0x00, 0x00,
0x28, 0x00, 0x00, 0x00, 0x9B, 0x00, 0x00, 0x00,
0xA8, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
0xBA, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00,
0x13, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x87, 0x00, 0x00, 0x00, 0xC2, 0x00, 0x00, 0x00,
0x78, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00,
0x26, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00,
0x82, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00,
0x49, 0x00, 0x00, 0x00, 0x7D, 0x00, 0x00, 0x00,
0x8B, 0x00, 0x00, 0x00, 0x76, 0x00, 0x00, 0x00,
0xD9, 0x00, 0x00, 0x00, 0xC6, 0x00, 0x00, 0x00,
0x4C, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00,
0xAC, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x00,
0x16, 0x00, 0x00, 0x00, 0xEB, 0x00, 0x00, 0x00,
0x8E, 0x00, 0x00, 0x00, 0xFC, 0x00, 0x00, 0x00,
0x91, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00,
0xD7, 0x00, 0x00, 0x00, 0xD0, 0x00, 0x00, 0x00,
0xF4, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00,
0x2C, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00,
0x90, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00,
0xB8, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
0x81, 0x00, 0x00, 0x00, 0xA1, 0x00, 0x00, 0x00,
0xBD, 0x00, 0x00, 0x00, 0xC8, 0x00, 0x00, 0x00,
0x1D, 0x00, 0x00, 0x00, 0xF6, 0x00, 0x00, 0x00,
0x79, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00,
0x84, 0x00, 0x00, 0x00, 0xC4, 0x00, 0x00, 0x00,
0xDA, 0x00, 0x00, 0x00, 0x92, 0x00, 0x00, 0x00,
0x2B, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00,
0x09, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00,
0x23, 0x00, 0x00, 0x00, 0xFD, 0x00, 0x00, 0x00,
0x25, 0x00, 0x00, 0x00, 0x9D, 0x00, 0x00, 0x00,
0x2F, 0x00, 0x00, 0x00, 0x1F, 0x00, 0x00, 0x00,
0x70, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00,
0x37, 0x00, 0x00, 0x00, 0x99, 0x00, 0x00, 0x00,
0xE3, 0x00, 0x00, 0x00, 0xF7, 0x00, 0x00, 0x00,
0x5E, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00,
0x6D, 0x00, 0x00, 0x00, 0x8C, 0x00, 0x00, 0x00,
0xA9, 0x00, 0x00, 0x00, 0xA0, 0x00, 0x00, 0x00,
0xD6, 0x00, 0x00, 0x00, 0x1A, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xAE, 0x00, 0x00, 0x00
};
char __cdecl XORPacket(uint8_t *xorTable, int bufSize, uint8_t *buffer, uint8_t *bufferTwo);
Code:
#include "encryption.h"
char __cdecl XORPacket(uint8_t *xorTable, int bufSize, uint8_t *buffer, uint8_t *bufferTwo)
{
int buffSize_0; // edx@1
uint8_t *buffer_0; // esi@1
uint8_t mostLikelyZero; // eax@1
uint8_t xorSecondOffset; // ebx@1
uint8_t *xorThirdOffsetPtr; // edi@2
uint8_t *bufferTwo_0; // ebp@2
int xorTableThirdOffset_0; // ecx@3
int someBitShiftingShitWithBufferSize; // edx@3
int v78; // edx@15
uint8_t *bufferEnd; // [sp+18h] [bp+8h]@2
buffSize_0 = bufSize;
buffer_0 = buffer;
mostLikelyZero = 0;
xorSecondOffset = 0;
if (bufSize)
{
xorSecondOffset = *(uint8_t*)(xorTable + 4);
xorThirdOffsetPtr = xorTable + 8;
bufferTwo_0 = (uint8_t*)(((uint32_t)bufferTwo) - ((uint32_t)buffer));
bufferEnd = buffer + bufSize;
mostLikelyZero = *(uint8_t*)xorTable + 1;
xorTableThirdOffset_0 = *(uint32_t*)(xorThirdOffsetPtr + 4 * mostLikelyZero);
someBitShiftingShitWithBufferSize = buffSize_0 & 0xFFFFFFFC;
do
{
xorSecondOffset = xorTableThirdOffset_0 + xorSecondOffset;
v78 = *(uint32_t*)(xorThirdOffsetPtr + 4 * xorSecondOffset);
*(uint32_t*)(xorThirdOffsetPtr + 4 * xorSecondOffset) = xorTableThirdOffset_0;
*(uint32_t*)(xorThirdOffsetPtr + 4 * mostLikelyZero) = v78;
mostLikelyZero = mostLikelyZero + 1;
v78 = *(uint8_t*)buffer_0++ ^ *(uint32_t*)(xorThirdOffsetPtr
+ 4 * (unsigned __int8)(xorTableThirdOffset_0 + (uint8_t)v78));
xorTableThirdOffset_0 = *(uint32_t*)(xorThirdOffsetPtr + 4 * mostLikelyZero);
*(uint8_t*)(((uint32_t)bufferTwo_0) + ((uint32_t)buffer_0) - 1) = v78;
} while (buffer_0 < bufferEnd);
mostLikelyZero = mostLikelyZero - 1;
*(uint32_t*)(xorTable + 4) = xorSecondOffset;
*(uint8_t*)xorTable = mostLikelyZero;
}
return mostLikelyZero;
}
08/02/2014 22:04
Shagswell#10
Damn bro. You put in work. Thanks, man.
08/02/2014 22:20
Omdi#11
It's working fine, use it for a packet sniffer or whatever :)
I still don't get it how the xor table gets generated.
I guess it's related to the first packet sent by the server on connection (266 Bytes), but It looks like they are doing something with the received bytes before copying it to the xor table.
Need the detours library? - [Only registered and activated users can see links. Click Here To Register...]
I still don't get it how the xor table gets generated.
I guess it's related to the first packet sent by the server on connection (266 Bytes), but It looks like they are doing something with the received bytes before copying it to the xor table.
Need the detours library? - [Only registered and activated users can see links. Click Here To Register...]
Code:
#include <Windows.h>
#include "detours.h"
#include "encryption.h"
#pragma comment(lib, "detours.lib")
typedef bool(__cdecl *xorPacketType)(uint8_t*, int, uint8_t*, uint8_t*);
xorPacketType xorPacketOrig = nullptr;
bool __cdecl xorPacketHook(uint8_t *xorTab, int bufSize, uint8_t *buffer, uint8_t *bufferTwo)
{
//Actually I was testing if my cleaned up function is working and it is!
//You can use xorPacketOrig here as well if you want
//return xorPacketOrig(xorTab, bufSize, buffer, bufferTwo);
//Modify the buffer here!
return XORPacket(xorTab, bufSize, buffer, bufferTwo);
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
if (fdwReason == DLL_PROCESS_ATTACH)
{
xorPacketOrig = (xorPacketType)DetourFunction((PBYTE)0x00D86780, (PBYTE)xorPacketHook);
MessageBoxA(0, "Hooked bra!", "", 0);
}
return true;
}
08/06/2014 14:29
darkstas#12
/delete/
10/05/2014 08:20
twilightsaga#13
what is the address of encryption function in current version?
11/06/2014 16:12
Omdi#14
XORPacket - Pattern:Quote:
Code:
55 53 56 57 8B 7C 24 14 8B 54 24 18
11/06/2014 21:52
Tension#15
I've got interested into AuraKingdom and i saw that the generation of the XorTable was not found so i've decided to look for it and i've found it. I'll just explain how the table gets generated and some other information.
Information:
Generation:
First of all the table is random which means you can decide how the table is generated (tested it by changing the salt and it worked).
I haven't took a deep look into the generation of the salt since you can decide by yourself how it gets generated.
Here is a code snippet how you could generate the Table:
A table with the salt like in the code would look like this:
I hope it's helpful, if you have questions feel free to ask me :)
Edit:
The first packet you receive is always the same.
But the packet you send the first time is always different, but i haven't figured out how it gets created yet.
Information:
- The table got a size of 0x100
- It gets generated in the same function as WSAConnect
- It uses a random salt from the client
- 2 Tables gets generated and both are exactly the same (i don't know why)
- The table get's encrypted and sent to the server
- The table changes in the Encryption function
Generation:
First of all the table is random which means you can decide how the table is generated (tested it by changing the salt and it worked).
I haven't took a deep look into the generation of the salt since you can decide by yourself how it gets generated.
Here is a code snippet how you could generate the Table:
Code:
#define TABLE_SIZE 0x100
#define SALT_SIZE 0x5
unsigned char TableSalt[SALT_SIZE] = { 0x13, 0x33, 0x33, 0x33, 0x37 };
void GenerateTable(int* table) {
unsigned char add_value = 0;
unsigned char old_value = 0;
for (int i = 0; i < TABLE_SIZE; i++) {
table[i] = i;
}
for (int i = 0; i < TABLE_SIZE; i++) {
add_value += TableSalt[i % 5] + table[i];
old_value = table[add_value];
table[add_value] = table[i];
table[i] = old_value;
}
}
Code:
0x00000024, 0x00000067, 0x000000C1, 0x000000D2, 0x000000FF, 0x00000041, 0x0000007A, 0x00000078, 0x000000EF, 0x00000043, 0x0000002E, 0x000000D8, 0x000000E0, 0x00000010, 0x00000006, 0x000000A3, 0x0000004E, 0x000000CE, 0x0000006C, 0x000000B5, 0x000000FC, 0x00000044, 0x0000008D, 0x0000002D, 0x00000083, 0x000000F5, 0x000000BB, 0x00000042, 0x0000008A, 0x000000A8, 0x0000003C, 0x0000004B, 0x0000002B, 0x000000DF, 0x00000011, 0x0000009E, 0x00000017, 0x0000007D, 0x0000003B, 0x000000E7, 0x000000CB, 0x00000077, 0x00000046, 0x00000059, 0x00000052, 0x00000021, 0x00000053, 0x00000036, 0x00000031, 0x00000000, 0x000000C4, 0x00000089, 0x000000FA, 0x000000C6, 0x000000B7, 0x000000C5, 0x00000069, 0x00000070, 0x00000090, 0x00000049, 0x000000BA, 0x00000055, 0x0000009B, 0x00000032, 0x00000019, 0x000000A6, 0x000000E8, 0x00000091, 0x0000007E, 0x00000051, 0x0000005B, 0x00000097, 0x000000BF, 0x00000094, 0x000000B8, 0x00000066, 0x000000B6, 0x00000018, 0x000000A0, 0x00000012, 0x00000057, 0x00000080, 0x0000009D, 0x00000015, 0x00000013, 0x000000C2, 0x000000F0, 0x000000AB, 0x0000009F, 0x0000008B, 0x000000BE, 0x000000CA, 0x000000F8, 0x000000D4, 0x000000E9, 0x0000008C, 0x000000C3, 0x00000038, 0x00000082, 0x000000B3, 0x000000D3, 0x000000FD, 0x0000005E, 0x00000068, 0x00000002, 0x000000ED, 0x0000005C, 0x00000073, 0x00000048, 0x000000A9, 0x00000063, 0x00000026, 0x0000001A, 0x000000FB, 0x0000000E, 0x000000A2, 0x0000001F, 0x00000092, 0x0000009A, 0x000000DB, 0x00000085, 0x000000BC, 0x00000086, 0x00000025, 0x0000007C, 0x00000095, 0x00000047, 0x0000000F, 0x0000001E, 0x000000AD, 0x000000F2, 0x00000022, 0x000000CF, 0x00000087, 0x00000027, 0x0000000B, 0x000000F7, 0x00000008, 0x00000039, 0x000000EC, 0x00000050, 0x000000F4, 0x00000054, 0x00000034, 0x000000DD, 0x000000B0, 0x000000F1, 0x000000AF, 0x0000000D, 0x00000007, 0x00000093, 0x00000030, 0x0000001C, 0x0000007B, 0x0000003A, 0x00000005, 0x00000037, 0x0000001D, 0x00000045, 0x00000004, 0x000000AA, 0x00000023, 0x000000D9, 0x00000029, 0x0000005A, 0x000000A5, 0x00000076, 0x000000A7, 0x000000F3, 0x0000000A, 0x00000081, 0x00000071, 0x00000058, 0x000000D0, 0x000000D1, 0x000000B9, 0x0000001B, 0x000000C9, 0x00000003, 0x0000008E, 0x00000096, 0x000000C8, 0x0000004C, 0x000000DE, 0x000000E1, 0x0000004D, 0x000000C7, 0x000000AC, 0x0000002F, 0x00000009, 0x0000004A, 0x0000006A, 0x00000056, 0x0000009C, 0x00000079, 0x000000DA, 0x00000020, 0x00000099, 0x00000061, 0x000000F9, 0x000000D6, 0x000000EA, 0x000000E5, 0x0000004F, 0x000000F6, 0x000000E2, 0x0000002A, 0x0000002C, 0x0000003E, 0x000000B1, 0x000000B2, 0x000000AE, 0x00000075, 0x0000006F, 0x00000060, 0x00000033, 0x000000A1, 0x00000040, 0x0000000C, 0x000000EE, 0x0000005D, 0x000000A4, 0x00000014, 0x000000D7, 0x000000CD, 0x00000064, 0x000000E6, 0x000000E3, 0x00000084, 0x0000003D, 0x0000003F, 0x000000C0, 0x00000028, 0x000000CC, 0x0000006D, 0x00000001, 0x00000074, 0x000000DC, 0x0000008F, 0x00000088, 0x00000035, 0x00000016, 0x000000EB, 0x0000007F, 0x00000065, 0x0000006E, 0x000000FE, 0x0000005F, 0x000000D5, 0x000000B4, 0x00000062, 0x0000006B, 0x00000098, 0x000000BD, 0x000000E4, 0x00000072
Edit:
The first packet you receive is always the same.
But the packet you send the first time is always different, but i haven't figured out how it gets created yet.