HellBound Hackers | Computer General | Cryptography

Cracking network communication encryption.

0xKD
Member
Posts: 2
Joined: 17.03.13
Rank: Apprentice
Posted on 17-03-13 03:36
Can anybody help me figure out this homebrew encryption technique?

Observing the network communication, I see an encrypted content field.
Only the content field of the HTTP request is encrypted, not the headers.

- It is a stream cipher, varying length with no common/obvious multiple (e.g. 292, 1204, 7055, 9119).
- Raw content is of the media type x-www-form-urlencoded, if the header is to be trusted.

Therefore, the content may be of the form var=something&var2=somethingelse

- Absolutely not random. I see repeated patterns not only among several requests, but also some within the same request. All requests start off with the same series of characters, with just one or two changing.
- Percentage of ASCII data/Total data in the encrypted content is around 57-62%
- Running the data through ent, I get low-entropy suggesting results.

I assume no widely used, well-established encryption algorithm does all of the above.

Sample encrypted content in ASCII (dots represent out-of-range bytes):

oea..t~.@SRETLA.FVU@ey5..31'..O...rgBK.z5 0...@..cpSLs# .......0....tw.GWTrq .Z..C?...Z..C"...K.ehERB@.JV[KSAs'.......g.ej@_FF.GRZ@e~.B......:JsbRHTMG.Kes....q.....+.Z...rfEC.sc.....Ksb."..@.Bek...?K...rgA@........@...;.t.iITPETBJ.GVVr`..A..cvTDD.sh.....O../.....r]cv...Ksw0....A.K.....A. ..


Equivalent hex:

6F 65 61 06 16 74 7E 1F 40 53 52 45 54 4C 41 1F 46 56 55 40 65 79 35 5C 16 00 33 31 27 15 1F 4F 1D 06 06 72 67 42 4B 2E 7A 35 20 30 04 18 12 40 10 00 63 70 53 4C 73 23 20 00 10 01 0C 1B 1D 0E 30 0A 16 1C 11 74 77 1F 47 57 54 72 71 20 1C 5A 12 09 43 3F 0C 1A 06 5A 16 16 43 22 09 15 0A 4B 17 65 68 45 52 42 40 00 4A 56 5B 4B 53 41 73 27 12 06 00 1D 10 1A 07 67 17 65 6A 40 5F 46 46 1F 47 52 5A 40 65 7E 12 42 1F 0C 02 1C 06 11 3A 4A 73 62 52 48 54 4D 47 16 4B 65 73 16 04 0D 00 71 00 0C 0D 11 00 2B 00 5A 12 17 17 72 66 45 43 17 73 63 07 17 13 1D 10 4B 73 62 0A 22 04 10 40 02 42 65 6B 17 1D 04 3F 4B 05 00 0F 72 67 41 40 2E 7F 02 02 1F 00 17 16 40 07 00 11 3B 01 74 7F 69 49 54 50 45 54 42 4A 1F 47 56 56 72 60 07 10 41 01 00 63 76 54 44 44 16 73 68 17 1D 12 1A 1B 4F 1F 09 2F 17 13 11 1F 2E 72 5D 63 76 11 0D 03 4B 73 77 30 17 16 07 1A 41 1D 4B 10 17 16 07 1A 41 1D 20 0D 16


The only response I get from the server (excluding headers) is 'OK'.

I also have the (ARM) binary of the application. After disassembling, the only function that has 'encryption' in it is this.

i.stack.imgur.com/NGftF.png

My ARM skills are weak, and if somebody can figure out what exactly the function does, it would be appreciated.

If you need more info/data, please mention.

(x/post from stackoverflow, my question is apparently 'too localized')
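The statistics the post lists (printable-ASCII share, entropy as `ent` reports it, repeated fragments) computed over the hex dump posted above, as an added example that is not part of the thread or the game's code. It goes one step further than the post by also reporting the distances between repeated fragments, the Kasiski check for a repeating keystream; the only data it uses is the 292-byte sample from the post.

```python
"""Triage for the ciphertext sample posted above: printable share, entropy (as `ent`
reports it) and repeated fragments, the hallmarks of a weak stream cipher."""
from collections import Counter
from math import log2
# The 292-byte hex dump from the post, copied verbatim and split over lines.
SAMPLE_HEX = """
6F 65 61 06 16 74 7E 1F 40 53 52 45 54 4C 41 1F 46 56 55 40 65 79 35 5C 16 00 33 31 27 15
1F 4F 1D 06 06 72 67 42 4B 2E 7A 35 20 30 04 18 12 40 10 00 63 70 53 4C 73 23 20 00 10 01
0C 1B 1D 0E 30 0A 16 1C 11 74 77 1F 47 57 54 72 71 20 1C 5A 12 09 43 3F 0C 1A 06 5A 16 16
43 22 09 15 0A 4B 17 65 68 45 52 42 40 00 4A 56 5B 4B 53 41 73 27 12 06 00 1D 10 1A 07 67
17 65 6A 40 5F 46 46 1F 47 52 5A 40 65 7E 12 42 1F 0C 02 1C 06 11 3A 4A 73 62 52 48 54 4D
47 16 4B 65 73 16 04 0D 00 71 00 0C 0D 11 00 2B 00 5A 12 17 17 72 66 45 43 17 73 63 07 17
13 1D 10 4B 73 62 0A 22 04 10 40 02 42 65 6B 17 1D 04 3F 4B 05 00 0F 72 67 41 40 2E 7F 02
02 1F 00 17 16 40 07 00 11 3B 01 74 7F 69 49 54 50 45 54 42 4A 1F 47 56 56 72 60 07 10 41
01 00 63 76 54 44 44 16 73 68 17 1D 12 1A 1B 4F 1F 09 2F 17 13 11 1F 2E 72 5D 63 76 11 0D
03 4B 73 77 30 17 16 07 1A 41 1D 4B 10 17 16 07 1A 41 1D 20 0D 16
"""

def parse_hex(text: str) -> bytes:
    # Space/newline-separated hex dump -> bytes.
    return bytes.fromhex("".join(text.split()))

SAMPLE = parse_hex(SAMPLE_HEX)

def printable_fraction(data: bytes) -> float:
    """Share of bytes in the printable ASCII range 0x20-0x7E."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; good cipher output sits close to 8.0."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())

def repeated_ngrams(data: bytes, n: int) -> dict:
    """Map each n-byte fragment that occurs more than once to its offsets."""
    seen = {}
    for i in range(len(data) - n + 1):
        seen.setdefault(data[i:i + n], []).append(i)
    return {k: v for k, v in seen.items() if len(v) > 1}

def repeat_distances(data: bytes, n: int) -> set:
    """Distances between repeats; a repeating keystream shows up as distances
    sharing a common factor (the Kasiski test)."""
    return {b - a for offs in repeated_ngrams(data, n).values()
            for a, b in zip(offs, offs[1:])}

if __name__ == "__main__":
    print(f"{len(SAMPLE)} bytes, {printable_fraction(SAMPLE):.1%} printable, "
          f"{shannon_entropy(SAMPLE):.2f} bits/byte")
    for frag, offs in repeated_ngrams(SAMPLE, 6).items():
        print(f"repeat {frag.hex()} at offsets {offs}, distance {offs[1] - offs[0]}")
```

On this sample the six-byte fragment 17 16 07 1A 41 1D occurs twice, eight bytes apart, which is the kind of in-request repetition the post describes.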
RE: Cracking network communication encryption.

lolly
Member
Posts: 24
Joined: 02.08.12
Rank: Wiseman
Warn Level: 30
Posted on 17-03-13 04:42
Never really messed with ARM before, but could you use Hex Rays to decompile it?

https://www.hex-rays.com/products/decompiler/compare_arm0.shtml

Might make your life a lot easier.

So the binary opens a connection with the server, sends some encrypted message, and then the server sends back 'OK'? Hmm, sounds like you're trying to reverse a RAT haha
RE: Cracking network communication encryption.

0xKD
Member
Posts: 2
Joined: 17.03.13
Rank: Apprentice
Posted on 17-03-13 08:05
It's an iOS game actually.

And no free/demo version for the decompiler, so it looks like that's not an option.