Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Cracking network communication encryption.


0xKD's Avatar
Member
0 0

Can anybody help me figure out this homebrew encryption technique?

Observing the network communication, I see an encrypted content field. Only the content field of the HTTP request is encrypted, not the headers.

  • It is a stream cipher, varying length with no common/obvious multiple. (eg; 292, 1204, 7055, 9119)
  • Raw content is of the media type x-www-form-urlencoded, if the header is to be trusted.

Therefore, the content may be of the form var=something&var2=somethingelse

  • Absolutely not random, I see repeated patterns not only among several requests, but also some within the same request. All requests start of with the same series of characters, with just one or two changing.
  • Percentage of ASCII data/Total data in the encrypted content is around 57-62%
  • Running the data through ent, I get low-entropy suggesting results.

I assume no widely-used,well-established encryption algorithm does all of the above.

Sample encrypted content in ASCII(dots represent out-of-range):

oea..t~.@SRETLA.FVU@ey5..31'..O…rgBK.z5 0…@..cpSLs# …….0….tw.GWTrq .Z..C?…Z..C"…K.ehERB@.JV[KSAs'…….g.ej@_FF.GRZ@e~.B……:JsbRHTMG.Kes….q…..+.Z…rfEC.sc…..Ksb."..@.Bek…?K…rgA@……..@…;.t.iITPETBJ.GVVr`..A..cvTDD.sh…..O../…..r]cv…Ksw0….A.K…..A. ..

Equivalent hex:

6F 65 61 06 16 74 7E 1F 40 53 52 45 54 4C 41 1F 46 56 55 40 65 79 35 5C 16 00 33 31 27 15 1F 4F 1D 06 06 72 67 42 4B 2E 7A 35 20 30 04 18 12 40 10 00 63 70 53 4C 73 23 20 00 10 01 0C 1B 1D 0E 30 0A 16 1C 11 74 77 1F 47 57 54 72 71 20 1C 5A 12 09 43 3F 0C 1A 06 5A 16 16 43 22 09 15 0A 4B 17 65 68 45 52 42 40 00 4A 56 5B 4B 53 41 73 27 12 06 00 1D 10 1A 07 67 17 65 6A 40 5F 46 46 1F 47 52 5A 40 65 7E 12 42 1F 0C 02 1C 06 11 3A 4A 73 62 52 48 54 4D 47 16 4B 65 73 16 04 0D 00 71 00 0C 0D 11 00 2B 00 5A 12 17 17 72 66 45 43 17 73 63 07 17 13 1D 10 4B 73 62 0A 22 04 10 40 02 42 65 6B 17 1D 04 3F 4B 05 00 0F 72 67 41 40 2E 7F 02 02 1F 00 17 16 40 07 00 11 3B 01 74 7F 69 49 54 50 45 54 42 4A 1F 47 56 56 72 60 07 10 41 01 00 63 76 54 44 44 16 73 68 17 1D 12 1A 1B 4F 1F 09 2F 17 13 11 1F 2E 72 5D 63 76 11 0D 03 4B 73 77 30 17 16 07 1A 41 1D 4B 10 17 16 07 1A 41 1D 20 0D 16

The only response I get from the server(excluding headers) is 'OK'.

I also have the (ARM) binary of the application. After disassembling, the only function that has 'encryption' in it is this.

My ARM skills are weak, and If somebody can figure out what exactly the function does, it would be appreciated.

If you need more info/data, please mention.

(x/post from stackoverflow, my question is apparently 'too localized')


lolly's Avatar
Member
0 0

Never really messed with ARM before, but could you use Hex Rays to decompile it?

https://www.hex-rays.com/products/decompiler/compare_arm0.shtml

Might make your life a lot easier.

So the binary opens a connection with the server, sends some encrypted message, and then the server sends back 'OK'? Hmm sounds like you're trying to reverse a RAT haha


0xKD's Avatar
Member
0 0

It's an iOS game actually,

And no free/demo version for the decompiler, so it looks like that's not an option.