Can someone help me understand this function ?


graphql

Hi, can someone enlighten me on what this function is doing:

Func _rc4($data, $key)
    Local $opcode = "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
    Local $codebuffer = DllStructCreate("byte[" & BinaryLen($opcode) & "]")
    DllStructSetData($codebuffer, 1, $opcode)
    Local $buffer = DllStructCreate("byte[" & BinaryLen($data) & "]")
    DllStructSetData($buffer, 1, $data)
    DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($codebuffer), "ptr", DllStructGetPtr($buffer), "int", BinaryLen($data), "str", $key, "int", 0)
    Local $ret = DllStructGetData($buffer, 1)
    $buffer = 0
    $codebuffer = 0
    Return $ret
EndFunc


Seems that's an encryption function using RC4 stream cipher.


41 minutes ago, graphql said:

Anyone else has an idea?

Why do you want to know?  Where did you find the function?  Was there any information about it where you pulled it from?

I doubt very many people who had/have the ability to read and interpret machine code even keep up with such a skill unless it is needed for everyday work. Without throwing the code into some sort of disassembler, I seriously doubt that anyone could quickly say what exactly it is doing. Furthermore, only a fool would even execute that snippet of machine code, outside of a sandbox, to even confirm whether it truly is what it appears to be. I bet you tried to execute it, didn't you?

If you are interested in RC4, then you have been given an alternative.  If you have some other reasons for wanting to know more about the function, maybe enlightening us on what those reasons are will help us to be able to help you.

Edited by TheXman

2 hours ago, graphql said:

I haven't tried to execute it; there is no point in doing it anyway. There's no specific reason, I'm a bit interested, that's all.

Yes, I think we all understand that you are a bit interested in the function.  But the question is what about the function are you actually interested in?  Is it the RC4 cipher?  Is it the use of machine code?  Is it about some other aspect of the function?  Is it truly about "the encryption or format of the content of $opcode variable", as you suggested?  What is it about that function are you actually interested in?  Without a more specific question, you can't expect a more specific answer.

Edited by TheXman

Okay, fair enough, thank you for responding.

What I understood is that he allocates memory (same as C-style) in the form of a struct* for both $codebuffer and $opcode here:

Local $codebuffer = DllStructCreate("byte[" & BinaryLen($opcode) & "]")
DllStructSetData($codebuffer, 1, $opcode)
Local $buffer = DllStructCreate("byte[" & BinaryLen($data) & "]")
DllStructSetData($buffer, 1, $data)

Then he makes the call to this DLL using those struct pointers. Now he's calling CallWindowProc, and this procedure by itself passes data to another function / routine or whatever ($opcode, I'm guessing); it's in this part (DllStructGetPtr($codebuffer)):

DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($codebuffer), "ptr", DllStructGetPtr($buffer), "int", BinaryLen($data), "str", $key, "int", 0)

Then he passes the $buffer, $data and the $key as arguments to it:

... "ptr", DllStructGetPtr($buffer), "int", BinaryLen($data), "str", $key, "int", 0)

So I was wondering if I'm right? Is this possible? To allocate a struct (memory), then put some binary data into it (let's say the binary data of a sum function) and simply pass it some params using the CallWindowProc function.


1 hour ago, graphql said:

So I was wondering if I'm right? Is this possible? To allocate a struct (memory), then put some binary data into it (let's say the binary data of a sum function) and simply pass it some params using the CallWindowProc function.

I guess the answer to your question is yes.  One can put executable code into memory and execute it.  Of course that code would have to be executable, like a DLL with entry points to functions or some other executable machine code.  There are several UDFs, that I'm aware of, that use that technique.  One that comes to mind immediately is the JSON.au3 UDF.  There are even some UDFs that aid in allowing one to run code from memory.  If you want more information on that subject, I suggest you search the forum for it and study the relevant UDFs that you find.

I have no idea why the author of that function had to, or chose to, use CallWindowProc, in User32.dll, to supposedly call an RC4 cipher routine. Without digging into the snippet, using that particular function for that particular purpose makes no sense to me.

I hope that helps.
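Added example, not code from the thread or from the AutoIt project: the first reply identifies the blob as RC4, and the wrapper's visible behaviour (copy $data into a buffer, hand the blob the buffer pointer, the length and a C-string key, read the buffer back) is exactly the shape of an in-place RC4 encrypt/decrypt. The pure-Python reference below shows what such a routine is expected to compute, and `check_rc4_vectors` compares any candidate implementation against published RC4 test vectors. That is the safer way to characterise an opaque routine: reimplement it from the disassembly, or run the original only inside a sandbox, and check the result against known answers instead of trusting the label. The test vectors are the ones listed in the RC4 Wikipedia article; nothing here makes any claim about what the actual bytes in $opcode do.

```python
from typing import Callable

# Published RC4 test vectors (key, plaintext, expected ciphertext hex) as given
# in the RC4 Wikipedia article. Constructed table for this example; they are
# not taken from the forum thread.
RC4_TEST_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: permute the bytes 0..255 under the key.

    The AutoIt wrapper passes the key as "str", i.e. a NUL-terminated ANSI
    string, so the effective key length there is strlen(key); here the key
    is simply the full byte string.
    """
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Pseudo-random generation algorithm: emit n keystream bytes."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is symmetric, so the same XOR does both.

    This mirrors what the forum snippet does to $buffer in place.
    """
    keystream = rc4_keystream(key, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def check_rc4_vectors(candidate: Callable[[bytes, bytes], bytes]) -> list[str]:
    """Compare a candidate routine against the published vectors.

    `candidate` is any callable with the signature (key, data) -> bytes, for
    example a reimplementation written from a disassembly, or a sandboxed
    harness around the original. Returns one message per failed check; an
    empty list means the candidate behaved as plain RC4 on every vector,
    including the decrypt round trip.
    """
    failures: list[str] = []
    for key, plaintext, expected_hex in RC4_TEST_VECTORS:
        got = candidate(key, plaintext).hex()
        if got != expected_hex:
            failures.append(f"key={key!r}: expected {expected_hex}, got {got}")
        # Decrypting the known ciphertext must restore the plaintext.
        if candidate(key, bytes.fromhex(expected_hex)) != plaintext:
            failures.append(f"key={key!r}: round trip did not restore plaintext")
    return failures


if __name__ == "__main__":
    for key, plaintext, expected_hex in RC4_TEST_VECTORS:
        print(f"{key!r:10} {plaintext!r:18} -> {rc4(key, plaintext).hex()}  (expected {expected_hex})")
    print("reference passes all vectors:", check_rc4_vectors(rc4) == [])
    # A routine that merely copies its input is rejected on every vector.
    print("identity routine failures:", len(check_rc4_vectors(lambda k, d: d)))
```

The keystream for key "Key" begins EB 9F 77 81, which XORed with "Plai" gives BB F3 16 E8, the start of the first vector; seeing that agreement (or not) from a candidate is far more informative than the fact that a blob is labelled `_rc4`.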
