Packet

12/19/2014 21:04 Tetkom#1
Hello,

For 4 weeks I've been trying to find the decryption of the packets and I failed to find it, which is why I'm asking here.
I tried it many times but I only got some useless funcs.
I found one function with CE, but it doesn't seem like the decryption:
Arguments:
-PacketBytes
-PacketBytes
-unknown(4)

Code: [Hex-Rays]
char __thiscall decrypt(void *this /*esp?*/, int a2, int a3, signed int a4)
{
  int v4; // ebp@1
  unsigned int v5; // esi@1
  int v6; // eax@4
  int v7; // edi@5
  int v8; // ebx@5
  unsigned int v9; // ebp@5
  __int16 v10; // cx@7
  __int16 v11; // dx@7
  signed int v12; // edi@7
  __int16 v13; // si@7
  __int16 v14; // si@8
  int v15; // eax@8
  __int16 v16; // si@8
  __int16 v17; // dx@8
  __int16 v18; // dx@8
  __int16 v19; // si@8
  __int16 v20; // si@8
  __int16 v21; // dx@8
  __int16 v22; // dx@8
  __int16 v23; // si@8
  __int16 v24; // si@8
  __int16 v25; // dx@8
  __int16 v26; // dx@8
  __int16 v27; // si@8
  __int16 v28; // si@8
  __int16 v29; // dx@8
  __int16 v30; // dx@8
  __int16 v31; // si@8
  __int16 v32; // si@8
  __int16 v33; // dx@8
  __int16 v34; // dx@8
  __int16 v35; // si@8
  __int16 v36; // dx@8
  __int16 v37; // dx@8
  __int16 v38; // si@9
  int v39; // eax@9
  __int16 v40; // dx@9
  void *v42; // [sp+Ch] [bp-4h]@1
  int v43; // [sp+14h] [bp+4h]@7
  int v44; // [sp+18h] [bp+8h]@5
  int v45; // [sp+1Ch] [bp+Ch]@5

  v4 = a3;
  v5 = a4;
  v42 = this;
  if ( a2 != a3 && a4 > 0 )
    sub_EEEC3C();
  v6 = (int)((char *)v42 + 68);  // one past the end of the 16-bit subkey table; 26 words are read downward from here
  if ( a4 >= 4 )
  {
    v44 = a2;
    v7 = a2 - v4;
    v8 = v4 + 2;
    v45 = a2 - v4;
    v9 = v5 >> 2;                // number of 4-byte blocks; any trailing 1-3 bytes are not processed
    while ( 1 )
    {
      v10 = *((_WORD *)v42 + 254);  // 16-bit word at this+508, XORed into both halves of the block
      v11 = v10 ^ *(_WORD *)v44;
      v43 = (unsigned __int16)(v10 ^ *(_WORD *)(v7 + v8));
      v12 = 2;                      // two passes of the unrolled 12-step rotate/subtract/xor body below
      v13 = v43;
      do
      {
        v14 = __ROR__(v13 - *(_WORD *)(v6 - 2), v11 & 0xF);
        v15 = v6 - 8;
        v16 = v11 ^ v14;
        v17 = __ROR__(v11 - *(_WORD *)(v15 + 4), v16 & 0xF);
        v15 -= 6;
        v18 = v16 ^ v17;
        v19 = __ROR__(v16 - *(_WORD *)(v15 + 8), v18 & 0xF);
        v15 -= 6;
        v20 = v18 ^ v19;
        v21 = __ROR__(v18 - *(_WORD *)(v15 + 12), v20 & 0xF);
        v15 -= 2;
        v22 = v20 ^ v21;
        v23 = __ROR__(v20 - *(_WORD *)(v15 + 12), v22 & 0xF);
        v24 = v22 ^ v23;
        v25 = __ROR__(v22 - *(_WORD *)(v15 + 10), v24 & 0xF);
        v26 = v24 ^ v25;
        v27 = __ROR__(v24 - *(_WORD *)(v15 + 8), v26 & 0xF);
        v28 = v26 ^ v27;
        v29 = __ROR__(v26 - *(_WORD *)(v15 + 6), v28 & 0xF);
        v30 = v28 ^ v29;
        v31 = __ROR__(v28 - *(_WORD *)(v15 + 4), v30 & 0xF);
        v32 = v30 ^ v31;
        v33 = __ROR__(v30 - *(_WORD *)(v15 + 2), v32 & 0xF);
        v34 = v32 ^ v33;
        v35 = __ROR__(v32 - *(_WORD *)v15, v34 & 0xF);
        v13 = v34 ^ v35;
        v36 = v34 - *(_WORD *)(v15 - 2);
        v6 = v15 - 2;
        v37 = __ROR__(v36, v13 & 0xF);
        --v12;
        v11 = v13 ^ v37;
      }
      while ( v12 );
      v38 = v13 - *(_WORD *)(v6 - 2);
      v44 += 4;
      v39 = v6 - 2;
      v40 = v11 - *(_WORD *)(v39 - 2);
      v6 = v39 - 2;
      *(_WORD *)(v8 - 2) = v40;  // first decrypted half -> output buffer (a3)
      *(_WORD *)v8 = v38;        // second decrypted half -> a3 + 2
      v8 += 4;
      --v9;
      if ( !v9 )
        break;
      v7 = v45;
    }
  }
  return 1;
}
I went through the recv func to this func.
Any suggestions to find the decryption/encryption of the packets?
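Added here as an editor's example, not code from the thread: a clean C rendering of what the listing above does per 4-byte block. Stripped of the temporaries, each step is B = ((B - S[i]) >>> A) ^ A on 16-bit halves with the rotation masked to 4 bits, 24 subkeys read downward from this+66 and then two plain subtractions of S[1] and S[0]; that is the RC5 decryption round structure with 16-bit words and 12 rounds, preceded by an XOR of both input halves with the word at this+508. The subkey values and whitening word are constructed stand-ins, and encrypt_block is the matching inverse, written only to round-trip test the reconstruction.

```c
#include <stdint.h>
#include <string.h>
#define ROUNDS 12
#define NSUB   (2 * (ROUNDS + 1))   /* 26 subkey words, what the decompiled loop consumes per block */
static uint16_t rol16(uint16_t x, unsigned n) { n &= 15; return (uint16_t)((x << n) | (x >> ((16 - n) & 15))); }
static uint16_t ror16(uint16_t x, unsigned n) { n &= 15; return (uint16_t)((x >> n) | (x << ((16 - n) & 15))); }
static uint16_t ld16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }  /* x86 *(_WORD *) load */
static void st16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* One 4-byte block as the listing does it: both halves XORed with the word at this+508, then 12
   rounds walking the table from S[25] (this+66) down to S[2], then the final S[1] and S[0] subtractions. */
static void decrypt_block(const uint16_t S[NSUB], uint16_t whiten, const uint8_t in[4], uint8_t out[4])
{
    uint16_t A = ld16(in) ^ whiten, B = ld16(in + 2) ^ whiten;   /* v11 and v13 in the listing */
    for (int i = ROUNDS; i >= 1; i--) {
        B = ror16((uint16_t)(B - S[2 * i + 1]), A) ^ A;          /* v14 -> v16 */
        A = ror16((uint16_t)(A - S[2 * i]), B) ^ B;              /* v17 -> v18 */
    }
    st16(out, (uint16_t)(A - S[0]));                             /* *(v8 - 2) = v40 */
    st16(out + 2, (uint16_t)(B - S[1]));                         /* *v8 = v38 */
}

/* Inverse of the above (not on the page); used only to round-trip check the reconstruction. */
static void encrypt_block(const uint16_t S[NSUB], uint16_t whiten, const uint8_t in[4], uint8_t out[4])
{
    uint16_t A = ld16(in) + S[0], B = ld16(in + 2) + S[1];
    for (int i = 1; i <= ROUNDS; i++) {
        A = rol16(A ^ B, B) + S[2 * i];
        B = rol16(B ^ A, A) + S[2 * i + 1];
    }
    st16(out, A ^ whiten);
    st16(out + 2, B ^ whiten);
}

/* Whole buffer: the routine runs len >> 2 blocks (v9) and leaves any trailing 1-3 bytes untouched. */
static size_t decrypt_buffer(const uint16_t S[NSUB], uint16_t whiten, const uint8_t *in, uint8_t *out, size_t len)
{
    size_t done = len & ~(size_t)3;
    for (size_t off = 0; off < done; off += 4) decrypt_block(S, whiten, in + off, out + off);
    return done;
}

/* Constructed subkeys and whitening word standing in for the per-object table; returns 1 on success. */
int roundtrip_demo(void)
{
    uint16_t S[NSUB];
    for (int i = 0; i < NSUB; i++) S[i] = (uint16_t)(0xB7E1 + 0x9E37 * i);
    const uint8_t pt[8] = { 'P', 'K', 'T', 1, 2, 3, 4, 5 }; uint8_t ct[8], rt[8];
    for (int off = 0; off < 8; off += 4) encrypt_block(S, 0x1234, pt + off, ct + off);
    return decrypt_buffer(S, 0x1234, ct, rt, 8) == 8 && memcmp(rt, pt, 8) == 0 && memcmp(ct, pt, 8) != 0;
}
```

A quick way to confirm the reading against the real binary is to dump the 26 words at this+16 and the word at this+508 from the live object and feed them to decrypt_buffer together with a captured ciphertext block.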
12/20/2014 17:01 wurstbrot123#2
The this pointer is always in ecx; esp is the stack pointer.
To find encryption and decryption, you should be using OllyDbg.
It's much easier.
12/20/2014 17:36 Tetkom#3
Quote:
Originally Posted by wurstbrot123
The this pointer is always in ecx; esp is the stack pointer.
I never thought that it would be ecx.
And I forgot that it's a thiscall func :o

Quote:
Originally Posted by wurstbrot123
To find encryption and decryption, you should be using OllyDbg.
It's much easier.
I don't like OllyDbg so much, so could you explain what you mean by it?
Because I don't think that it's much easier than using CE/VEH-debugger.
12/20/2014 17:51 Mostey#4
Quote:
Originally Posted by Tetkom
I never thought that it would be ecx.
And I forgot that it's a thiscall func :o

I don't like OllyDbg so much, so could you explain what you mean by it?
Because I don't think that it's much easier than using CE.
I don't think that the this pointer is always stored in ECX; the wiki only states that this behavior is valid as long as the compiler used was MSVC.

You can step through the code and see changes in the stack when using OllyDbg, but you can't do this in IDA (if you don't use the debugger from IDA) because no runtime information is present. Therefore it may really be easier to just step through each instruction and see whether the buffer containing the data is encrypted or not. If it's encrypted, go back. Otherwise move on until you see the encrypted data.
12/20/2014 20:01 Tension#5
Could you perhaps post the ASM source?
12/20/2014 20:27 Tetkom#6
Quote:
Originally Posted by Mostey
I don't think that the this pointer is always stored in ECX; the wiki only states that this behavior is valid as long as the compiler used was MSVC.

You can step through the code and see changes in the stack when using OllyDbg, but you can't do this in IDA because no runtime information is present. Therefore it may really be easier to just step through each instruction and see whether the buffer containing the data is encrypted or not. If it's encrypted, go back. Otherwise move on until you see the encrypted data.
I'm reversing funcs with CE, so I used IDA to "decompile" the C code :p
The func I got through my work contains the encrypted packet as a parameter.


Quote:
Originally Posted by Tension
Could you perhaps post the ASM source?