Some Classes and Functions from 2012.09.09

[TheEmpty]

I'm working on it again, got a bit caught up in life. Need to readjust everything to the new offsets or find a way to make them adjust :/ then I'm back to trying to find out how to follow memory locations lol

[arteros]

Anyone knows where the send and receive functions are?

[m1m]

Anyone knows where the send and receive functions are?

it looks like there are a few different sends and receives being used (I haven't been digging into it for a few weeks - been busy) If I remember correctly, you can pretty easily find the calls for send and recv... but hooking in either of those will get you encrypted data.

The encryption itself looks like RC4, and both send and receive go through the same function to encrypt and decrypt, so hooking right at the start or end of the RC4 block will get you some plaintext and some ciphertext, depending on whether the data going through encryption is on the way in or out.

I have not yet had a chance to find a common point on the inbound or outbound traffic path that I can hook in order to capture plaintext; that's next on my list, but I just haven't had the free time. There have been a number of patches since I last looked at the code, so I'll need to do some extra work to find the RC4 function again as well... but when I do, I can post the offset here.

[m1m]

The last patch was a MAJOR change - it looks like they switched compilers (though I haven't confirmed yet). Most of the code is the same, but the registers have been switched around, and enough code has changed that most offsets have moved as well. It wasn't terribly hard to find the new functions and offsets, but it *was* annoying.

arteros (or anyone) - are you still pursuing this? I've gone through and located the RC4 block again if you're interested. Unfortunately, I still have not had the time (or maybe it's taking so much time because I lack the ability) to trace between the RC4 block and the actual send/receive functions... so I still don't have easy way to determine what's plaintext and what is ciphertext.

The RC4 algorithm is this:
while (true)
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
Swap (S[i], S[j]);
t = (S[i] + S[j]) mod 256;
k = S[t];

Here's the block, with my comments, that I *think* is RC4. If anyone sees error, please don't hold back - I'm still VERY new at this.

Code:

.text:00BCF700 ; =============== S U B R O U T I N E =======================================
.text:00BCF700
.text:00BCF700 ; Attributes: bp-based frame
.text:00BCF700
.text:00BCF700 run_rc4_sub_BCF700 proc near            ; CODE XREF: MsgConn_cpp_sub_BCBE80+66p
.text:00BCF700                                         ; MsgConn_cpp_sub_BCC290+167p
.text:00BCF700
.text:00BCF700 esi_temp_storage_var_8= dword ptr -8
.text:00BCF700 s_box_var_4     = dword ptr -4
.text:00BCF700 loop_counter_arg_0= dword ptr  8
.text:00BCF700 plaintext_arg_4 = dword ptr  0Ch
.text:00BCF700 some_array_maybe_sbox_arg_8= dword ptr  10h
.text:00BCF700
.text:00BCF700                 push    ebp
.text:00BCF701                 mov     ebp, esp        ; standard function header
.text:00BCF703                 sub     esp, 8
.text:00BCF706                 cmp     [ebp+loop_counter_arg_0], 0 ; check if length is 0
.text:00BCF70A                 push    esi             ; save esi
.text:00BCF70B                 mov     esi, ecx
.text:00BCF70D                 push    edi
.text:00BCF70E                 mov     eax, [esi]      ; eax = esi = i
.text:00BCF710                 mov     edi, [esi+4]    ; edi = esi + 4 = j
.text:00BCF713                 lea     edx, [esi+8]    ; edx = esi+8 = S[]
.text:00BCF716                 mov     [ebp+esi_temp_storage_var_8], esi
.text:00BCF719                 mov     [ebp+s_box_var_4], edx
.text:00BCF71C                 jbe     short loc_BCF772 ; clean up stack for return
.text:00BCF71E                 mov     esi, [ebp+some_array_maybe_sbox_arg_8]
.text:00BCF721                 sub     [ebp+plaintext_arg_4], esi
.text:00BCF724                 push    ebx
.text:00BCF725
.text:00BCF725 loc_BCF725:                             ; CODE XREF: run_rc4_sub_BCF700+6Cj
.text:00BCF725                 inc     eax             ; while(true)
.text:00BCF725                                         ; i=i+1 % 256
.text:00BCF726                 and     eax, 0FFh       ; |
.text:00BCF72B                 lea     esi, [esi+1]    ; j = (j+S[i]) % 256
.text:00BCF72E                 mov     bl, [edx+eax]   ; |
.text:00BCF731                 movzx   ecx, bl         ; |
.text:00BCF734                 add     edi, ecx        ; |
.text:00BCF736                 and     edi, 0FFh       ; |
.text:00BCF73C                 movzx   ecx, byte ptr [edx+edi] ; |
.text:00BCF740                 mov     [edx+eax], cl   ; swap(s[i], s[j])
.text:00BCF743                 mov     [edx+edi], bl   ; |
.text:00BCF746                 movzx   edx, byte ptr [edx+eax] ; |
.text:00BCF74A                 movzx   ecx, bl         ; |
.text:00BCF74D                 add     edx, ecx        ; t=(S[i]+S[j]) % 256
.text:00BCF74F                 mov     ecx, [ebp+s_box_var_4] ; | (set ecx=plaintext)
.text:00BCF752                 and     edx, 0FFh       ; |
.text:00BCF758                 movzx   ecx, byte ptr [edx+ecx] ; k = S[t]
.text:00BCF75C                 mov     edx, [ebp+plaintext_arg_4]
.text:00BCF75F                 xor     cl, [edx+esi-1] ; perform encryption. cl - plaintext
.text:00BCF763                 dec     [ebp+loop_counter_arg_0]
.text:00BCF766                 mov     edx, [ebp+s_box_var_4]
.text:00BCF769                 mov     [esi-1], cl     ; save ciphertext in esi-i (esi has already been inc'd)
.text:00BCF76C                 jnz     short loc_BCF725 ; while(true)
.text:00BCF76C                                         ; i=i+1 % 256
.text:00BCF76E                 mov     esi, [ebp+esi_temp_storage_var_8] ; restore ESI
.text:00BCF771                 pop     ebx             ; restore ebx
.text:00BCF772
.text:00BCF772 loc_BCF772:                             ; CODE XREF: run_rc4_sub_BCF700+1Cj
.text:00BCF772                 mov     [esi+4], edi    ; clean up stack for return
.text:00BCF775                 pop     edi
.text:00BCF776                 mov     [esi], eax
.text:00BCF778                 pop     esi
.text:00BCF779                 mov     esp, ebp
.text:00BCF77B                 pop     ebp
.text:00BCF77C                 retn    0Ch
.text:00BCF77C run_rc4_sub_BCF700 endp

I'd really like to try to reverse the protocol - I've never done protocol reversing, and it seems like an interesting challenge... however, without unencrypted traffic, I'm afraid I'm dead in the water.

[karnkore]

Anyone know anything about the red circles on the ground? like where they are stored etc?