|
You last visited: Today at 17:00
Advertisement
Packet
Discussion on Packet within the General Coding forum part of the Coders Den category.
12/19/2014, 21:04
|
#1
|
elite*gold: 0 
Join Date: Dec 2014
Posts: 5
Received Thanks: 0
|
Packet
Hello,
since 4 weeks I'm trying to get the decryption of the packets and I failed to find it, this is why I ask here.
I tried it much times but I only got some useless funcs.
I found with CE one function but it don't seem like the decryption:
Arguments:
-PacketBytes
-PacketBytes
-unknown(4)
Code:[Hex-Rays]
Code:
char __thiscall decrypt(void *this /*esp?*/, int a2, int a3, signed int a4)
{
int v4; // ebp@1
unsigned int v5; // esi@1
int v6; // eax@4
int v7; // edi@5
int v8; // ebx@5
unsigned int v9; // ebp@5
__int16 v10; // cx@7
__int16 v11; // dx@7
signed int v12; // edi@7
__int16 v13; // si@7
__int16 v14; // si@8
int v15; // eax@8
__int16 v16; // si@8
__int16 v17; // dx@8
__int16 v18; // dx@8
__int16 v19; // si@8
__int16 v20; // si@8
__int16 v21; // dx@8
__int16 v22; // dx@8
__int16 v23; // si@8
__int16 v24; // si@8
__int16 v25; // dx@8
__int16 v26; // dx@8
__int16 v27; // si@8
__int16 v28; // si@8
__int16 v29; // dx@8
__int16 v30; // dx@8
__int16 v31; // si@8
__int16 v32; // si@8
__int16 v33; // dx@8
__int16 v34; // dx@8
__int16 v35; // si@8
__int16 v36; // dx@8
__int16 v37; // dx@8
__int16 v38; // si@9
int v39; // eax@9
__int16 v40; // dx@9
void *v42; // [sp+Ch] [bp-4h]@1
int v43; // [sp+14h] [bp+4h]@7
int v44; // [sp+18h] [bp+8h]@5
int v45; // [sp+1Ch] [bp+Ch]@5
v4 = a3;
v5 = a4;
v42 = this;
if ( a2 != a3 && a4 > 0 )
sub_EEEC3C();
v6 = (int)((char *)v42 + 68);
if ( a4 >= 4 )
{
v44 = a2;
v7 = a2 - v4;
v8 = v4 + 2;
v45 = a2 - v4;
v9 = v5 >> 2;
while ( 1 )
{
v10 = *((_WORD *)v42 + 254);
v11 = v10 ^ *(_WORD *)v44;
v43 = (unsigned __int16)(v10 ^ *(_WORD *)(v7 + v8));
v12 = 2;
v13 = v43;
do
{
v14 = __ROR__(v13 - *(_WORD *)(v6 - 2), v11 & 0xF);
v15 = v6 - 8;
v16 = v11 ^ v14;
v17 = __ROR__(v11 - *(_WORD *)(v15 + 4), v16 & 0xF);
v15 -= 6;
v18 = v16 ^ v17;
v19 = __ROR__(v16 - *(_WORD *)(v15 + 8), v18 & 0xF);
v15 -= 6;
v20 = v18 ^ v19;
v21 = __ROR__(v18 - *(_WORD *)(v15 + 12), v20 & 0xF);
v15 -= 2;
v22 = v20 ^ v21;
v23 = __ROR__(v20 - *(_WORD *)(v15 + 12), v22 & 0xF);
v24 = v22 ^ v23;
v25 = __ROR__(v22 - *(_WORD *)(v15 + 10), v24 & 0xF);
v26 = v24 ^ v25;
v27 = __ROR__(v24 - *(_WORD *)(v15 + 8), v26 & 0xF);
v28 = v26 ^ v27;
v29 = __ROR__(v26 - *(_WORD *)(v15 + 6), v28 & 0xF);
v30 = v28 ^ v29;
v31 = __ROR__(v28 - *(_WORD *)(v15 + 4), v30 & 0xF);
v32 = v30 ^ v31;
v33 = __ROR__(v30 - *(_WORD *)(v15 + 2), v32 & 0xF);
v34 = v32 ^ v33;
v35 = __ROR__(v32 - *(_WORD *)v15, v34 & 0xF);
v13 = v34 ^ v35;
v36 = v34 - *(_WORD *)(v15 - 2);
v6 = v15 - 2;
v37 = __ROR__(v36, v13 & 0xF);
--v12;
v11 = v13 ^ v37;
}
while ( v12 );
v38 = v13 - *(_WORD *)(v6 - 2);
v44 += 4;
v39 = v6 - 2;
v40 = v11 - *(_WORD *)(v39 - 2);
v6 = v39 - 2;
*(_WORD *)(v8 - 2) = v40;
*(_WORD *)v8 = v38;
v8 += 4;
--v9;
if ( !v9 )
break;
v7 = v45;
}
}
return 1;
}
I went through recv func to this func.
Any suggestions to find the decryption/encryption of the packets?
|
|
|
|
12/20/2014, 17:01
|
#2
|
elite*gold: 150
Join Date: Apr 2007
Posts: 2,372
Received Thanks: 6,628
|
the this pointer is always in ecx, esp is the stack pointer.
To find encryption and decryption, you should be using Ollydbg.
Its much easyer
|
|
|
|
|
12/20/2014, 17:36
|
#3
|
elite*gold: 0
Join Date: Dec 2014
Posts: 5
Received Thanks: 0
|
Quote:
Originally Posted by wurstbrot123
the this pointer is always in ecx, esp is the stack pointer.
|
I never thought that it will be ecx.
And I forgot that it's a thiscall func 
Quote:
Originally Posted by wurstbrot123
To find encryption and decryption, you should be using Ollydbg.
Its much easyer
|
I'm don't like ollydbg so much, so could you explain what you mean with it?
Cause I don't think that it's much easier like using CE/Veh-debugger.
|
|
|
|
|
12/20/2014, 17:51
|
#4
|
elite*gold: 1091
Join Date: Jun 2007
Posts: 19,836
Received Thanks: 7,180
|
Quote:
Originally Posted by Tetkom
I never thought that it will be ecx.
And I forgot that it's a thiscall func
I'm don't like ollydbg so much, so could you explain what you mean with it?
Cause I don't think that it's much easier like using CE. |
I don't think that the this pointer is always stored in ECX, the wiki only states that this behavior is valid as long as the used compiler was MSVC.
You can step through the code and see changes in the stack when using OllyDbg but you can't do this in IDA (if you don't use the debugger from IDA) because no runtime information are present. Therefore it may really be easier to just step through each instruction and see whether the buffer containing the data is encrypted or not. If it's encrypted, go back. Otherwise move on until you see the encrypted data.
|
|
|
|
|
12/20/2014, 20:01
|
#5
|
elite*gold: 110
Join Date: Jun 2013
Posts: 599
Received Thanks: 510
|
Could you probably post the ASM-Source?
|
|
|
|
|
12/20/2014, 20:27
|
#6
|
elite*gold: 0
Join Date: Dec 2014
Posts: 5
Received Thanks: 0
|
Quote:
Originally Posted by Mostey
I don't think that the this pointer is always stored in ECX, the wiki only states that this behavior is valid as long as the used compiler was MSVC.
You can step through the code and see changes in the stack when using OllyDbg but you can't do this in IDA because no runtime information are present. Therefore it may really be easier to just step through each instruction and see whether the buffer containing the data is encrypted or not. If it's encrypted, go back. Otherwise move on until you see the encrypted data.
|
I'm reversing funcs with CE, so I used IDA to "decompile" the c code 
The func I got through my work contains the encrypted packet as parameter
Quote:
Originally Posted by Tension
Could you probably post the ASM-Source?
|
Code:
___:00DD2940 push ecx
___:00DD2941 push ebp
___:00DD2942 mov ebp, [esp+8+arg_4]
___:00DD2946 push esi
___:00DD2947 mov esi, [esp+0Ch+arg_8]
___:00DD294B push edi
___:00DD294C mov edi, [esp+10h+arg_0]
___:00DD2950 mov [esp+10h+var_4], ecx
___:00DD2954 cmp edi, ebp
___:00DD2956 jz short loc_DD2967
___:00DD2958 test esi, esi
___:00DD295A jle short loc_DD2967
___:00DD295C push esi
___:00DD295D push edi
___:00DD295E push ebp
___:00DD295F call sub_EEEC3C
___:00DD2964 add esp, 0Ch
___:00DD2967
___:00DD2967 loc_DD2967: ; CODE XREF: sub_DD2940+16j
___:00DD2967 ; sub_DD2940+1Aj
___:00DD2967 mov eax, [esp+10h+var_4]
___:00DD296B add eax, 44h
___:00DD296E cmp esi, 4
___:00DD2971 jl loc_DD2B17
___:00DD2977 mov [esp+10h+arg_4], edi
___:00DD297B sub edi, ebp
___:00DD297D push ebx
___:00DD297E shr esi, 2
___:00DD2981 lea ebx, [ebp+2]
___:00DD2984 mov [esp+14h+arg_8], edi
___:00DD2988 mov ebp, esi
___:00DD298A jmp short loc_DD2994
___:00DD298A ; ---------------------------------------------------------------------------
___:00DD298C align 10h
___:00DD2990
___:00DD2990 loc_DD2990: ; CODE XREF: sub_DD2940+1D0j
___:00DD2990 mov edi, [esp+14h+arg_8]
___:00DD2994
___:00DD2994 loc_DD2994: ; CODE XREF: sub_DD2940+4Aj
___:00DD2994 mov ecx, [esp+14h+var_4]
___:00DD2998 movzx ecx, word ptr [ecx+1FCh]
___:00DD299F mov edx, [esp+14h+arg_4]
___:00DD29A3 mov dx, [edx]
___:00DD29A6 mov si, [edi+ebx]
___:00DD29AA xor dx, cx
___:00DD29AD xor si, cx
___:00DD29B0 movzx ecx, si
___:00DD29B3 movzx edx, dx
___:00DD29B6 mov [esp+14h+arg_0], ecx
___:00DD29BA mov edi, 2
___:00DD29BF mov si, cx
___:00DD29C2
___:00DD29C2 loc_DD29C2: ; CODE XREF: sub_DD2940+1AAj
___:00DD29C2 sub si, [eax-2]
___:00DD29C6 sub eax, 2
___:00DD29C9 mov ecx, edx
___:00DD29CB and ecx, 0Fh
___:00DD29CE ror si, cl
___:00DD29D1 sub eax, 2
___:00DD29D4 sub eax, 2
___:00DD29D7 sub eax, 2
___:00DD29DA xor si, dx
___:00DD29DD sub dx, [eax+4]
___:00DD29E1 movzx ecx, si
___:00DD29E4 mov [esp+14h+arg_0], ecx
___:00DD29E8 mov si, word ptr [esp+14h+arg_0]
___:00DD29ED and ecx, 0Fh
___:00DD29F0 ror dx, cl
___:00DD29F3 sub eax, 2
___:00DD29F6 sub eax, 2
___:00DD29F9 sub eax, 2
___:00DD29FC xor dx, si
___:00DD29FF sub si, [eax+8]
___:00DD2A03 movzx edx, dx
___:00DD2A06 mov ecx, edx
___:00DD2A08 and ecx, 0Fh
___:00DD2A0B ror si, cl
___:00DD2A0E sub eax, 2
___:00DD2A11 sub eax, 2
___:00DD2A14 sub eax, 2
___:00DD2A17 xor si, dx
___:00DD2A1A sub dx, [eax+0Ch]
___:00DD2A1E movzx ecx, si
___:00DD2A21 mov [esp+14h+arg_0], ecx
___:00DD2A25 mov si, word ptr [esp+14h+arg_0]
___:00DD2A2A and ecx, 0Fh
___:00DD2A2D ror dx, cl
___:00DD2A30 sub eax, 2
___:00DD2A33 xor dx, si
___:00DD2A36 sub si, [eax+0Ch]
___:00DD2A3A movzx edx, dx
___:00DD2A3D mov ecx, edx
___:00DD2A3F and ecx, 0Fh
___:00DD2A42 ror si, cl
___:00DD2A45 xor si, dx
___:00DD2A48 sub dx, [eax+0Ah]
___:00DD2A4C movzx ecx, si
___:00DD2A4F mov [esp+14h+arg_0], ecx
___:00DD2A53 mov si, word ptr [esp+14h+arg_0]
___:00DD2A58 and ecx, 0Fh
___:00DD2A5B ror dx, cl
___:00DD2A5E xor dx, si
___:00DD2A61 sub si, [eax+8]
___:00DD2A65 movzx edx, dx
___:00DD2A68 mov ecx, edx
___:00DD2A6A and ecx, 0Fh
___:00DD2A6D ror si, cl
___:00DD2A70 xor si, dx
___:00DD2A73 sub dx, [eax+6]
___:00DD2A77 movzx ecx, si
___:00DD2A7A mov [esp+14h+arg_0], ecx
___:00DD2A7E mov si, word ptr [esp+14h+arg_0]
___:00DD2A83 and ecx, 0Fh
___:00DD2A86 ror dx, cl
___:00DD2A89 xor dx, si
___:00DD2A8C sub si, [eax+4]
___:00DD2A90 movzx edx, dx
___:00DD2A93 mov ecx, edx
___:00DD2A95 and ecx, 0Fh
___:00DD2A98 ror si, cl
___:00DD2A9B xor si, dx
___:00DD2A9E sub dx, [eax+2]
___:00DD2AA2 movzx ecx, si
___:00DD2AA5 mov [esp+14h+arg_0], ecx
___:00DD2AA9 mov si, word ptr [esp+14h+arg_0]
___:00DD2AAE and ecx, 0Fh
___:00DD2AB1 ror dx, cl
___:00DD2AB4 xor dx, si
___:00DD2AB7 sub si, [eax]
___:00DD2ABA movzx edx, dx
___:00DD2ABD mov ecx, edx
___:00DD2ABF and ecx, 0Fh
___:00DD2AC2 ror si, cl
___:00DD2AC5 xor si, dx
___:00DD2AC8 sub dx, [eax-2]
___:00DD2ACC movzx ecx, si
___:00DD2ACF sub eax, 2
___:00DD2AD2 mov [esp+14h+arg_0], ecx
___:00DD2AD6 mov si, word ptr [esp+14h+arg_0]
___:00DD2ADB and ecx, 0Fh
___:00DD2ADE ror dx, cl
___:00DD2AE1 xor dx, si
___:00DD2AE4 sub edi, 1
___:00DD2AE7 movzx edx, dx
___:00DD2AEA jnz loc_DD29C2
___:00DD2AF0 sub si, [eax-2]
___:00DD2AF4 add [esp+14h+arg_4], 4
___:00DD2AF9 sub eax, 2
___:00DD2AFC sub dx, [eax-2]
___:00DD2B00 sub eax, 2
___:00DD2B03 mov [ebx-2], dx
___:00DD2B07 mov [ebx], si
___:00DD2B0A add ebx, 4
___:00DD2B0D sub ebp, 1
___:00DD2B10 jnz loc_DD2990
___:00DD2B16 pop ebx
___:00DD2B17
___:00DD2B17 loc_DD2B17: ; CODE XREF: sub_DD2940+31j
___:00DD2B17 pop edi
___:00DD2B18 pop esi
___:00DD2B19 mov al, 1
___:00DD2B1B pop ebp
___:00DD2B1C pop ecx
___:00DD2B1D retn 0Ch
___:00DD2B1D sub_DD2940 endp
|
|
|
|
All times are GMT +2. The time now is 17:00.
|
|
