[Ayuda] Encriptacion ARC4

Iniciado por manulaiko, 20 Marzo 2014, 15:13 PM


manulaiko

Hola!!

Estoy intentando descifrar los paquetes de un juego (DarkOrbit). Hasta el momento sé que es ARC4 y poco más; he intentado buscar la clave, pero no la encuentro.

Si alguien pudiera ayudarme se lo agradecería mucho.

Esto es lo que me ha parecido más importante:


// Excerpt of a decompiled, name-obfuscated method; the listing stops inside the try block.
// Visible steps: build an RSA key object from a hard-coded modulus and exponent, call
// verify() on a byte field of param1, and load the bytes it produced into a BigInteger.
public static function run(param1:_-fP) : void {
         // Constant booleans that nothing in this excerpt reads
         // (presumably obfuscator-inserted predicates; confirm against the full method).
         var _loc10_:* = true;
         var _loc11_:* = false;
         var _loc3_:ByteArray = null;
         var _loc4_:BigInteger = null;
         var _loc5_:_-Tv = null;
         var _loc6_:BigInteger = null;
         var _loc7_:BigInteger = null;
         var _loc8_:ByteArray = null;
         // Only a modulus (hex-digit string) and the exponent 65537 are passed; no private
         // exponent is supplied, so this object can only perform the public-key operation.
         // It is not a secret embedded in the client.
         // NOTE(review): the literal is 192 hex digits (768 bits), which is below the RSA
         // modulus sizes that current guidance recommends.
         var _loc2_:RSAKey = new RSAKey(new BigInteger("84c16e0a5860d56409207e6b542f168de24e434198e68b363dec817b77a594a17f968f177e871bfd626d139099cb3af0070cf2a03b46d1404503dc95d5a72f7c61e36b61967be50bd6bdf8d3376171b00fce65c521bc3267cdf7e6b0c3d725c9"),65537);
         try
         {
            _loc3_ = new ByteArray();
            // verify(src, dst, length): processes param1._-j1w with the key above and writes
            // the recovered payload into _loc3_. In the hurlant library this is the
            // signature-check direction (public operation); confirm against the bundled version.
            _loc2_.verify(param1._-j1w,_loc3_,param1._-j1w.length);
            // Rewind so the BigInteger constructor reads the recovered bytes from the start.
            _loc3_.position = 0;
            _loc4_ = new BigInteger(_loc3_);


Os voy a dejar el enlace para descargar los archivos .as que me parecen más importantes, y también el archivo .swf. El original está ofuscado con un XOR que empieza por el bit 77 y aumenta en 1 en cada iteración, así que lo he desofuscado y ya se puede abrir con JPEXS, que en mi opinión es el mejor descompilador de SWF.

Lista de paquetes: https://mega.co.nz/#!7gJS1LDA!LeOCrIoJ5OpEMMh-2dJiOt-IijxQxDHIq_zRKbXefUY
Archivo .swf: https://mega.co.nz/#!z8JlXTwA!aGPpfM4WNe4qFvAEEe977C5cjEpVH_ve--PHlBelhk4
Archivos .as: https://mega.co.nz/#!ut5AVQxb!5ziBTYQeoYaT_kv590bBPYh-Q3TRq3_9rrqcpb_5Wpg

¡Por favor, necesito ayuda!
No hagaz que ezte pobre wannaber ce decilucione y ce zuicide

Nasty35

Deja la clase entera, del trozo de código que has puesto.
Me huele que la clave RC4 (ARC4) está cifrada con RSA...

manulaiko


// Decompiler output. Package, class and member names (_-K2u, _-kh, ...) are
// obfuscator-generated, so the listing is for reading, not for recompiling.
package _-K2u
{
   import _-r1O._-53j;
   import _-sZ._-V25;
   import flash.utils.ByteArray;
   import com.hurlant.math.BigInteger;
   import net.bigpoint.darkorbit.net._-G2H;
   import com.hurlant.crypto.rsa.RSAKey;
   import _-sZ._-g1q;
   import flash.utils.IDataOutput;
   
   // Class _-kh extends _-53j and exposes a single static method, run(_-V25).
   // The imports show it works with the hurlant BigInteger and RSAKey classes.
   public class _-kh extends _-53j
   {
     
      // Static initializer: two constant locals that nothing in this block reads.
      {
         var _loc1_:* = true;
         var _loc2_:* = false;
      }
     
      // Constructor: the guard is the constant true, so super() always runs.
      public function _-kh() {
         var _loc1_:* = true;
         var _loc2_:* = false;
         if(_loc1_)
         {
            super();
         }
      }
     
      // The decompiler could not translate this method. The throw below is the
      // decompiler's placeholder, not the method's real body; the real logic has to
      // be read from the method's p-code instead.
      public static function run(param1:_-V25) : void {
         /*
          * Decompilation error
          * Code may be obfuscated
          * Error type: TranslateException
          */
         throw new IllegalOperationError("Not decompiled due to error");
      }
   }
}



Como estaba ofuscado, he podido desofuscarlo; el problema es que está en P-code.

; AVM2 p-code (disassembler output) for the static method run(_-V25): void.
;
; The body is control-flow-obfuscated. At ofs001a local 10 is set to false and
; local 11 to true; every later branch on them is therefore constant. The code
; between such a branch and the next live label (getlocal/kill/setlocal shuffles,
; integer arithmetic, stray opcodes) is never executed.
;
; Following only the taken branches, the method performs, in this order:
;   1. local2 = new RSAKey(new BigInteger(<hex string>), 65537)
;   2. local3 = new ByteArray(); local2.verify(param._-O3E, local3, param._-O3E.length)
;   3. local3.position = 0
;   4. local4 = new BigInteger(local3)
;   5. local5 = _-E3n._-Ct() (a _-G2H); local6 = local5._-m1b() (a BigInteger)
;   6. local7 = local4.modPow(local6, _-g1q._-rf)
;   7. local8 = new ByteArray(); local7.toByteArray().readBytes(local8, 0, 16)
;   8. local5._-Kr(local8); local5._-vY(); local5._-A2v();
;      local5._-b2U(_-G2H._-jc); local5._-L1H = true; local5._-CW()
; NOTE(review): steps 2-7 have the shape of a signed key agreement (a value checked
; with an RSA public key, then raised to a locally held exponent modulo a shared
; constant, truncated to 16 bytes). If so, the 16 bytes are derived per connection
; rather than stored in the client. What _-Kr and the other _-G2H members do with
; them is not shown on this page, so confirm there.
trait method Qname(PackageNamespace("","7799"),"run") dispid 3
method
name null
param Qname(PackageNamespace("_-sZ"),"_-V25")
returns Qname(PackageNamespace("","7799"),"void")

body
maxstack 8
localcount 12
initscopedepth 4
maxscopedepth 7
; One handler for type Error covers ofs007a..ofs02bf (everything after the key object
; is built). The handler at ofs02c3 only stores the caught object and reaches
; returnvoid, so a failure anywhere in the sequence ends the method silently.
try from ofs007a to ofs02bf target ofs02c3 type Qname(PackageNamespace("","7799"),"Error") name Qname(PackageNamespace("","7799"),"error")

code
; Stack after swap is [true, false] (top = false); the function object is discarded.
pushfalse
pushtrue
swap
newfunction 48319
pop
jump ofs001a
; Not reached: no label between the jump above and ofs001a.
swap
setlocal 8
coerce_a
nextvalue
setlocal 7
kill 4
setlocal 9
inclocal_i 5
bitnot
; local 10 = false, local 11 = true (the two constant predicates).
ofs001a:setlocal 10
setlocal 11
getlocal_0
pushscope
; Typed locals 3..8 initialised to null.
pushnull
coerce Qname(PackageNamespace("flash.utils"),"ByteArray")
setlocal_3
pushnull
coerce Qname(PackageNamespace("com.hurlant.math"),"BigInteger")
setlocal 4
pushnull
coerce Qname(PackageNamespace("net.bigpoint.darkorbit.net"),"_-G2H")
setlocal 5
pushnull
coerce Qname(PackageNamespace("com.hurlant.math"),"BigInteger")
setlocal 6
pushnull
coerce Qname(PackageNamespace("com.hurlant.math"),"BigInteger")
setlocal 7
pushnull
coerce Qname(PackageNamespace("flash.utils"),"ByteArray")
setlocal 8
; Step 1: RSAKey(modulus, 65537). Only public components are supplied.
findpropstrict Qname(PackageNamespace("com.hurlant.crypto.rsa"),"RSAKey")
findpropstrict Qname(PackageNamespace("com.hurlant.math"),"BigInteger")
pushstring "84c16e0a5860d56409207e6b542f168de24e434198e68b363dec817b77a594a17f968f177e871bfd626d139099cb3af0070cf2a03b46d1404503dc95d5a72f7c61e36b61967be50bd6bdf8d3376171b00fce65c521bc3267cdf7e6b0c3d725c9"
constructprop Qname(PackageNamespace("com.hurlant.math"),"BigInteger") 1
pushint 65537
; local 11 is true, so the arithmetic below never alters 65537.
getlocal 11
iftrue ofs0070
decrement_i
pushbyte 75
add_i
negate_i
pushbyte 22
subtract_i
pushbyte 66
multiply_i
pushbyte 94
multiply_i
ofs0070:constructprop Qname(PackageNamespace("com.hurlant.crypto.rsa"),"RSAKey") 2
coerce Qname(PackageNamespace("com.hurlant.crypto.rsa"),"RSAKey")
setlocal_2
; Step 2: output buffer, then verify(param._-O3E, local3, param._-O3E.length).
ofs007a:findpropstrict Qname(PackageNamespace("flash.utils"),"ByteArray")
constructprop Qname(PackageNamespace("flash.utils"),"ByteArray") 0
coerce Qname(PackageNamespace("flash.utils"),"ByteArray")
setlocal_3
getlocal 11
not
iftrue ofs01cd
getlocal_2
getlocal_1
getproperty Qname(PackageNamespace("","7799"),"_-O3E")
getlocal_3
getlocal_1
getproperty Qname(PackageNamespace("","7799"),"_-O3E")
getproperty Qname(PackageNamespace("","7799"),"length")
callpropvoid Qname(PackageNamespace("","7799"),"verify") 3
getlocal 11
iffalse ofs01cd
; Taken: continues at ofs01b7 (step 3).
getlocal 11
iftrue ofs01b7
getlocal 7
getlocal_3
getlocal_2
kill 7
kill 3
kill 2
setlocal_2
setlocal_3
setlocal 7
; Step 8 (second call): local5._-vY(). Entered from the branch after _-Kr.
ofs00be:label
getlocal 5
callpropvoid Qname(PackageNamespace("","7799"),"_-vY") 0
getlocal 11
iffalse ofs0249
getlocal 10
not
iffalse ofs0179
; Taken: continues at ofs025d.
getlocal 10
iffalse ofs025d
getlocal 7
getlocal 11
getlocal 7
kill 7
kill 11
kill 7
setlocal 7
setlocal 11
setlocal 7
; Step 5: local5 = _-E3n._-Ct() coerced to _-G2H; local6 = local5._-m1b().
ofs00ea:label
getlex Qname(StaticProtectedNs("_-r1O:_-53j"),"_-E3n")
callproperty Qname(PackageNamespace("","7799"),"_-Ct") 0
coerce Qname(PackageNamespace("net.bigpoint.darkorbit.net"),"_-G2H")
dup
setlocal 5
callproperty Qname(PackageNamespace("","7799"),"_-m1b") 0
coerce Qname(PackageNamespace("com.hurlant.math"),"BigInteger")
setlocal 6
; Taken: continues at ofs0207 (step 6).
getlocal 11
iftrue ofs0207
getlocal 8
getlocal 8
getlocal_0
kill 8
kill 8
kill 0
setlocal_0
setlocal 8
setlocal 8
; Step 8 (first call): local5._-Kr(local8), passing the 16-byte buffer.
ofs011b:label
getlocal 5
getlocal 8
callpropvoid Qname(PackageNamespace("","7799"),"_-Kr") 1
getlocal 10
not
iffalse ofs02b9
getlocal 11
not
iftrue ofs029c
; Taken: continues at ofs00be.
getlocal 10
iffalse ofs00be
getlocal_0
getlocal 7
getlocal_0
kill 0
kill 7
kill 0
setlocal_0
setlocal 7
setlocal_0
; Step 7: local7.toByteArray().readBytes(local8, 0, 16).
ofs0146:label
getlocal 7
callproperty Qname(PackageNamespace("","7799"),"toByteArray") 0
getlocal 8
pushbyte 0
; Taken: the offset stays 0 and the length pushed at ofs0173 is 16.
getlocal 10
iffalse ofs0173
decrement_i
decrement_i
pushbyte 100
subtract_i
jump ofs016b
getglobalscope
convert_b
declocal_i 9
decrement
getlocal_2
kill 4
coerce_s
getlocal_0
greaterthan
ofs016b:pushbyte 82
subtract_i
pushbyte 11
subtract_i
increment_i
decrement_i
ofs0173:pushbyte 16
callpropvoid Qname(PackageNamespace("","7799"),"readBytes") 3
; Taken: continues at ofs011b.
ofs0179:getlocal 11
iftrue ofs011b
getlocal 7
getlocal_3
getlocal 7
kill 7
kill 3
kill 7
setlocal 7
setlocal_3
setlocal 7
; Step 8 (fourth call): local5._-b2U(_-G2H._-jc).
ofs018f:label
getlocal 5
getlex Qname(PackageNamespace("net.bigpoint.darkorbit.net"),"_-G2H")
getproperty Qname(PackageNamespace("","7799"),"_-jc")
callpropvoid Qname(PackageNamespace("","7799"),"_-b2U") 1
getlocal 11
not
iftrue ofs0242
; Taken: continues at ofs0235.
getlocal 10
iffalse ofs0235
getlocal_2
getlocal_2
getlocal 7
kill 2
kill 2
kill 7
setlocal 7
setlocal_2
setlocal_2
; Step 3: local3.position = 0 (the arithmetic on the 0 is skipped).
ofs01b7:getlocal_3
pushbyte 0
getlocal 11
iftrue ofs01c9
pushbyte 66
subtract_i
pushbyte 116
subtract_i
decrement_i
negate_i
increment_i
ofs01c9:setproperty Qname(PackageNamespace("","7799"),"position")
ofs01cd:getlocal 10
iffalse ofs01e1
getlocal 4
getlocal_0
getlocal_3
kill 4
kill 0
kill 3
setlocal_3
setlocal_0
setlocal 4
; Step 4: local4 = new BigInteger(local3), the bytes verify() produced.
ofs01e1:findpropstrict Qname(PackageNamespace("com.hurlant.math"),"BigInteger")
getlocal_3
constructprop Qname(PackageNamespace("com.hurlant.math"),"BigInteger") 1
coerce Qname(PackageNamespace("com.hurlant.math"),"BigInteger")
setlocal 4
; Taken: continues at ofs00ea (step 5).
getlocal 10
iffalse ofs00ea
getlocal_0
getlocal 8
getlocal 9
kill 0
kill 8
kill 9
setlocal 9
setlocal 8
setlocal_0
; Step 6: local7 = local4.modPow(local6, _-g1q._-rf).
ofs0207:getlocal 4
getlocal 6
getlex Qname(PackageNamespace("_-sZ"),"_-g1q")
getproperty Qname(PackageNamespace("","7799"),"_-rf")
callproperty Qname(PackageNamespace("","7799"),"modPow") 2
coerce Qname(PackageNamespace("com.hurlant.math"),"BigInteger")
setlocal 7
; Taken: continues at ofs027c (step 7, buffer allocation).
getlocal 11
iftrue ofs027c
getlocal 8
getlocal 4
getlocal 10
kill 8
kill 4
kill 10
setlocal 10
setlocal 4
setlocal 8
; Step 8 (fifth): local5._-L1H = true.
ofs0235:getlocal 5
pushtrue
setproperty Qname(PackageNamespace("","7799"),"_-L1H")
getlocal 11
not
iftrue ofs02b9
ofs0242:getlocal 10
not
iffalse ofs0264
; Taken: continues at ofs02b2.
ofs0249:getlocal 11
iftrue ofs02b2
getlocal_3
getlocal_3
getlocal 5
kill 3
kill 3
kill 5
setlocal 5
setlocal_3
setlocal_3
; Step 8 (third call): local5._-A2v().
ofs025d:getlocal 5
callpropvoid Qname(PackageNamespace("","7799"),"_-A2v") 0
; Taken: continues at ofs018f.
ofs0264:getlocal 11
iftrue ofs018f
getlocal 11
getlocal 10
getlocal 8
kill 11
kill 10
kill 8
setlocal 8
setlocal 10
setlocal 11
; Step 7 (allocation): local8 = new ByteArray(); opcodes after the jump are not reached.
ofs027c:findpropstrict Qname(PackageNamespace("flash.utils"),"ByteArray")
constructprop Qname(PackageNamespace("flash.utils"),"ByteArray") 0
coerce Qname(PackageNamespace("flash.utils"),"ByteArray")
jump ofs029a
greaterequals
bitnot
declocal 3
setlocal 4
declocal_i 6
setlocal_3
pushtrue
popscope
inclocal_i 6
ofs029a:setlocal 8
; Taken: continues at ofs0146.
ofs029c:getlocal 10
iffalse ofs0146
getlocal_1
getlocal 7
getlocal 7
kill 1
kill 7
kill 7
setlocal 7
setlocal 7
setlocal_1
; Step 8 (last call): local5._-CW(), then fall through to the normal return.
ofs02b2:getlocal 5
callpropvoid Qname(PackageNamespace("","7799"),"_-CW") 0
ofs02b9:getlocal 10
iffalse ofs02bf
ofs02bf:jump ofs02d2
; Exception handler: stores the caught Error in the catch scope and returns.
ofs02c3:getlocal_0
pushscope
newcatch 0
dup
setlocal 9
dup
pushscope
swap
setslot 1
popscope
kill 9
ofs02d2:returnvoid
returnvoid
No hagaz que ezte pobre wannaber ce decilucione y ce zuicide