Originally Posted by CptSky
You may be able to find the RC5 functions by looking for the well known constants like 0xB7E15163 and 0x9E3779B9, assuming that you knew to look for RC5 :P Otherwise, look for where the MsgAccount is created and in that callstack you will have the encryption call.
Thank you! I was able to find it. I did a scan for the value 1051 (0x41B) and found a few methods that used it. Then I set breakpoints on those and found one that hit when pressing the login button, and saw that it was building the login packet as expected. Then I just went up the call stack a bit and eventually found it.
I still need to fully reverse it to get the keys and so on, and convert it to Kotlin (the language I'm working in these days). But here is the assembly + raw decompiled code:
*************************************************************
* FUNCTION
*************************************************************
undefined __thiscall PasswordEncryption (void * this , uint * param_1 , int * param_2 )
assume FS_OFFSET = 0xffdff000
undefined AL:1 <RETURN>
void * ECX:4 (auto) this
uint * Stack[0x4]:4 param_1 XREF[3]: 004f995b (R) ,
004f9978 (W) ,
004f99a7 (R W)
int * Stack[0x8]:4 param_2 XREF[5]: 004f993f (R) ,
004f9975 (W) ,
004f998a (R) ,
004f999b (R) ,
004f99a0 (R W)
undefined4 Stack[-0x8]:4 local_8 XREF[2]: 004f995f (W) ,
004f99b6 (R W)
undefined4 Stack[-0xc]:4 local_c XREF[2]: 004f9949 (W) ,
004f9964 (R)
PasswordEncryption XREF[1]: FUN_004daacc:004dab72 (c)
004f993a 55 PUSH EBP
004f993b 8b ec MOV EBP ,ESP
004f993d 51 PUSH this
004f993e 51 PUSH this
004f993f 8b 45 0c MOV EAX ,dword ptr [EBP + param_2 ]
004f9942 56 PUSH ESI
004f9943 99 CDQ
004f9944 6a 08 PUSH 0x8
004f9946 5e POP ESI
004f9947 f7 fe IDIV ESI
004f9949 89 4d f8 MOV dword ptr [EBP + local_c ],this
004f994c c1 e0 03 SHL EAX ,0x3
004f994f 85 c0 TEST EAX ,EAX
004f9951 7e 6a JLE LAB_004f99bd
004f9953 99 CDQ
004f9954 f7 fe IDIV ESI
004f9956 85 c0 TEST EAX ,EAX
004f9958 7e 63 JLE LAB_004f99bd
004f995a 53 PUSH EBX
004f995b 8b 5d 08 MOV EBX ,dword ptr [EBP + param_1 ]
004f995e 57 PUSH EDI
004f995f 89 45 fc MOV dword ptr [EBP + local_8 ],EAX
004f9962 eb 03 JMP LAB_004f9967
LAB_004f9964 XREF[1]: 004f99b9 (j)
004f9964 8b 4d f8 MOV this ,dword ptr [EBP + local_c ]
LAB_004f9967 XREF[1]: 004f9962 (j)
004f9967 8b 79 14 MOV EDI ,dword ptr [this + 0x14 ]
004f996a 8b 33 MOV ESI ,dword ptr [EBX ]
004f996c 03 71 10 ADD ESI ,dword ptr [this + 0x10 ]
004f996f 03 7b 04 ADD EDI ,dword ptr [EBX + 0x4 ]
004f9972 83 c1 1c ADD this ,0x1c
004f9975 89 4d 0c MOV dword ptr [EBP + param_2 ],this
004f9978 c7 45 08 MOV dword ptr [EBP + param_1 ],0xc
0c 00 00
00
LAB_004f997f XREF[1]: 004f99ac (j)
004f997f 8b c7 MOV EAX ,EDI
004f9981 33 c6 XOR EAX ,ESI
004f9983 57 PUSH EDI
004f9984 50 PUSH EAX
004f9985 e8 38 00 CALL FUN_004f99c2 uint FUN_004f99c2(uint param_1, byte param_2)
00 00
004f998a 8b 4d 0c MOV this ,dword ptr [EBP + param_2 ]
004f998d 03 41 fc ADD EAX ,dword ptr [this + -0x4 ]
004f9990 8b f0 MOV ESI ,EAX
004f9992 56 PUSH ESI
004f9993 33 fe XOR EDI ,ESI
004f9995 57 PUSH EDI
004f9996 e8 27 00 CALL FUN_004f99c2 uint FUN_004f99c2(uint param_1, byte param_2)
00 00
004f999b 8b 4d 0c MOV this ,dword ptr [EBP + param_2 ]
004f999e 03 01 ADD EAX ,dword ptr [this ]
004f99a0 83 45 0c ADD dword ptr [EBP + param_2 ],0x8
08
004f99a4 83 c4 10 ADD ESP ,0x10
004f99a7 ff 4d 08 DEC dword ptr [EBP + param_1 ]
004f99aa 8b f8 MOV EDI ,EAX
004f99ac 75 d1 JNZ LAB_004f997f
004f99ae 89 33 MOV dword ptr [EBX ],ESI
004f99b0 89 7b 04 MOV dword ptr [EBX + 0x4 ],EDI
004f99b3 83 c3 08 ADD EBX ,0x8
004f99b6 ff 4d fc DEC dword ptr [EBP + local_8 ]
004f99b9 75 a9 JNZ LAB_004f9964
004f99bb 5f POP EDI
004f99bc 5b POP EBX
LAB_004f99bd XREF[2]: 004f9951 (j) , 004f9958 (j)
004f99bd 5e POP ESI
004f99be c9 LEAVE
004f99bf c2 08 00 RET 0x8
/*
 * Decompiler output for the client's login-packet cipher.
 * Encrypts the buffer at param_1 in place, one 8-byte block (two 32-bit
 * words A and B) at a time, using an expanded key table S read out of the
 * object: S[0] at this+0x10, S[1] at this+0x14, S[2] onward from this+0x18.
 * Per block: A += S[0]; B += S[1]; then 12 rounds of
 *   A = rotl(A ^ B, B) + S[2i];  B = rotl(B ^ A, A) + S[2i+1];
 * which matches the RC5 encryption round function (32-bit words, r = 12,
 * consuming S[2..25]). FUN_004f99c2 below is the 32-bit rotate-left.
 *
 * The decompiler's parameter types are misleading:
 *   param_1 - pointer to the data buffer; the compiler also reuses its
 *             stack slot as the round counter (set to 0xc = 12) in the loop.
 *   param_2 - actually the buffer length in bytes, not a pointer; its slot
 *             is reused as the running subkey pointer in the loop.
 * Only floor(length / 8) blocks are processed; trailing bytes past the last
 * full 8-byte block are left unmodified.
 * The (int)this casts come from the 32-bit x86 listing above; as written
 * this is not meaningful on a 64-bit target.
 * Nothing visible here shows how S is populated, only that it is read from
 * the object's memory, i.e. the expanded key is resident in the client process.
 */
void __thiscall PasswordEncryption(void *this,uint *param_1,int *param_2)
{
uint *puVar1;
uint uVar2;
uint uVar3;
int local_8;
/* round the byte length down to a multiple of 8 */
local_8 = (int)param_2 / 8 << 3;
/* convert to a block count; do nothing if there is no full block */
if ((0 < local_8) && (local_8 = local_8 / 8, puVar1 = param_1, 0 < local_8)) {
do {
/* pre-whitening: A += S[0], B += S[1] */
uVar2 = *puVar1 + *(int *)((int)this + 0x10);
uVar3 = *(int *)((int)this + 0x14) + puVar1[1];
/* param_2 now points at S[3]; S[2] is reached through param_2[-1] */
param_2 = (int *)((int)this + 0x1c);
/* param_1 now holds the round counter (12) */
param_1 = (uint *)0xc;
do {
/* A = rotl(A ^ B, B) + S[2i]; the (byte) cast is harmless, the callee keeps only 5 bits */
uVar2 = FUN_004f99c2(uVar3 ^ uVar2,(byte)uVar3);
uVar2 = uVar2 + param_2[-1];
/* B = rotl(B ^ A, A) + S[2i+1] */
uVar3 = FUN_004f99c2(uVar3 ^ uVar2,(byte)uVar2);
uVar3 = uVar3 + *param_2;
/* advance to the next subkey pair */
param_2 = param_2 + 2;
param_1 = (uint *)((int)param_1 + -1);
} while (param_1 != (uint *)0x0);
/* write the encrypted block back and move to the next one */
*puVar1 = uVar2;
puVar1[1] = uVar3;
puVar1 = puVar1 + 2;
local_8 = local_8 + -1;
} while (local_8 != 0);
}
return;
}
/* Compiler-emitted 32-bit rotate-left, called from the RC5 rounds above.
 * param_1: the word to rotate.
 * param_2: rotate amount; only its low 5 bits are used (reduced mod 32).
 * Returns param_1 rotated left by (param_2 & 0x1f).
 * The right-shift count is masked with 0x1f too, so an amount of 0 yields
 * two shifts by 0 rather than an undefined shift by 32. */
#if !defined(__cdecl) && !defined(_MSC_VER)
#define __cdecl /* MSVC calling-convention keyword from the listing; no-op elsewhere */
#endif
typedef unsigned int uint;
typedef unsigned char byte;

uint __cdecl FUN_004f99c2(uint param_1,byte param_2)
{
    unsigned shift = param_2 & 0x1f;
    uint upper = param_1 << shift;
    uint wrapped = param_1 >> ((0x20 - shift) & 0x1f);
    return upper | wrapped;
}