graphql Posted November 17, 2019
Hi, can someone enlighten me on what this function is doing:

    Func _rc4($data, $key)
        ; x86 machine code embedded in the script as a hex literal
        Local $opcode = "0xC81001006A006A005356578B551031C989C84989D7F2AE484829C88945F085C00F84DC000000B90001000088C82C0188840DEFFEFFFFE2F38365F4008365FC00817DFC000100007D478B45FC31D2F775F0920345100FB6008B4DFC0FB68C0DF0FEFFFF01C80345F425FF0000008945F48B75FC8A8435F0FEFFFF8B7DF486843DF0FEFFFF888435F0FEFFFFFF45FCEBB08D9DF0FEFFFF31FF89FA39550C76638B85ECFEFFFF4025FF0000008985ECFEFFFF89D80385ECFEFFFF0FB6000385E8FEFFFF25FF0000008985E8FEFFFF89DE03B5ECFEFFFF8A0689DF03BDE8FEFFFF860788060FB60E0FB60701C181E1FF0000008A840DF0FEFFFF8B750801D6300642EB985F5E5BC9C21000"
        ; copy the machine code into a DllStruct so it has a memory address
        Local $codebuffer = DllStructCreate("byte[" & BinaryLen($opcode) & "]")
        DllStructSetData($codebuffer, 1, $opcode)
        ; copy the data into a second struct; it is transformed in place
        Local $buffer = DllStructCreate("byte[" & BinaryLen($data) & "]")
        DllStructSetData($buffer, 1, $data)
        ; CallWindowProc is handed the code buffer as the "window procedure" and
        ; forwards the next four arguments (data ptr, data length, key as C string, 0) to it
        DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($codebuffer), "ptr", DllStructGetPtr($buffer), "int", BinaryLen($data), "str", $key, "int", 0)
        Local $ret = DllStructGetData($buffer, 1)
        $buffer = 0
        $codebuffer = 0
        Return $ret
    EndFunc
water Posted November 17, 2019
Seems that's an encryption function using the RC4 stream cipher.
graphql Posted November 17, 2019 (Author)
@water I'm unable to figure out which function inside the DLL he is calling.
Nine Posted November 17, 2019
CallWindowProc, but it doesn't make much sense in your function.
graphql Posted November 17, 2019 (Author)
@Nine Yeah, it says here: "CallWindowProc: Passes message information to the specified window procedure."
graphql Posted November 17, 2019 (Author)
Any idea about the encryption or format of the content of the $opcode variable?
Nine Posted November 17, 2019
Nope, but if you want to encrypt something in RC4, look at _Crypt_EncryptData in the Crypt UDF.
graphql Posted November 17, 2019 (Author)
I'm thinking $opcode contains the encryption function code; I may be wrong though.
graphql Posted November 17, 2019 (Author)
Does anyone else have an idea?
TheXman Posted November 17, 2019 (edited)
41 minutes ago, graphql said: "anyone else has an idea?"
Why do you want to know? Where did you find the function? Was there any information about it where you pulled it from? I doubt very many people who had/have the ability to read and interpret machine code even keep up with such a skill unless it is needed for everyday work. Without throwing the code into some sort of disassembler, I seriously doubt that anyone could quickly say what exactly it is doing. Furthermore, only a fool would even execute that snippet of machine code, outside of a sandbox, to even confirm whether it truly is what it appears to be. I bet you tried to execute it, didn't you? If you are interested in RC4, then you have been given an alternative. If you have some other reasons for wanting to know more about the function, maybe enlightening us on what those reasons are will help us to be able to help you.
Edited November 17, 2019 by TheXman
graphql Posted November 17, 2019 (Author)
I haven't tried to execute it, there is no point in doing it anyway. There's no specific reason, I'm a bit interested, that's all.
graphql Posted November 17, 2019 (Author)
a bit interested*
TheXman Posted November 17, 2019 (edited)
2 hours ago, graphql said: "I haven't tried to execute it, there is no point in doing it anyway, there's no specific reason, I'm a bit interested, that's all."
Yes, I think we all understand that you are a bit interested in the function. But the question is what about the function are you actually interested in? Is it the RC4 cipher? Is it the use of machine code? Is it about some other aspect of the function? Is it truly about "the encryption or format of the content of $opcode variable", as you suggested? What is it about that function that you are actually interested in? Without a more specific question, you can't expect a more specific answer.
Edited November 17, 2019 by TheXman
graphql Posted November 17, 2019 (Author)
Okay, fair enough, thank you for responding. What I understood is that he allocates memory (same as C-language style) in the form of a struct* for both $codebuffer and $opcode here:

    Local $codebuffer = DllStructCreate("byte[" & BinaryLen($opcode) & "]")
    DllStructSetData($codebuffer, 1, $opcode)
    Local $buffer = DllStructCreate("byte[" & BinaryLen($data) & "]")
    DllStructSetData($buffer, 1, $data)

Then he makes the call to this DLL using those struct pointers. Now he's calling CallWindowProc, and this procedure by itself passes data to another function/routine or whatever ($opcode, I'm guessing); it's in this part (DllStructGetPtr($codebuffer)):

    DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($codebuffer), "ptr", DllStructGetPtr($buffer), "int", BinaryLen($data), "str", $key, "int", 0)

Then he passes the $buffer, $data and the $key as arguments to it:

    ... "ptr", DllStructGetPtr($buffer), "int", BinaryLen($data), "str", $key, "int", 0)

So I was wondering, am I right? Is this possible? To allocate a struct (memory), then put some binary data into it (let's say the binary data of some function) and simply pass it some params using the CallWindowProc function.
TheXman Posted November 17, 2019
1 hour ago, graphql said: "So I was wondering, am I right? Is this possible? To allocate a struct (memory), then put some binary data into it (let's say the binary data of some function) and simply pass it some params using the CallWindowProc function."
I guess the answer to your question is yes. One can put executable code into memory and execute it. Of course that code would have to be executable, like a DLL with entry points to functions or some other executable machine code. There are several UDFs, that I'm aware of, that use that technique. One that comes to mind immediately is the JSON.au3 UDF. There are even some UDFs that aid in allowing one to run code from memory. If you want more information on that subject, I suggest you search the forum for it and study the relevant UDFs that you find. I have no idea why the author of that function had to, or chose to, use CallWindowProc, in User32.dll, to supposedly call an RC4 cipher routine. Without digging into the snippet, using that particular function for that particular purpose makes no sense to me. I hope that helps.
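Because "load a hex blob into a DllStruct, then jump into it through CallWindowProc" is exactly the pattern a reviewer of .au3 files would want to spot before running a script, here is an added static heuristic in Python (not code from this thread or any UDF it mentions). The regular expressions, the 32-byte threshold and the sample script are assumptions and constructed input; the sample mirrors the shape of _rc4 above with the real blob replaced by NOPs.

```python
# Added example (not from the thread): flag AutoIt scripts that copy a hex literal into a
# DllStruct and then execute it via CallWindowProc. Heuristic only: it reports, it does not decide.
import re

# Local $opcode = "0x...."            -> (variable name, hex payload)
_HEX_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"0x([0-9A-Fa-f]+)"')
# DllStructSetData($struct, 1, $var)  -> (struct variable, source variable)
_SET_DATA = re.compile(r'DllStructSetData\(\s*\$(\w+)\s*,\s*\d+\s*,\s*\$(\w+)\s*\)')
# DllCall(..., "CallWindowProc", "ptr", DllStructGetPtr($struct), ...   -> struct variable
_CWP = re.compile(
    r'DllCall\([^)]*"CallWindowProc"\s*,\s*"ptr"\s*,\s*DllStructGetPtr\(\s*\$(\w+)\s*\)', re.I)

MIN_BLOB_BYTES = 32  # assumed threshold: shorter hex literals are usually constants, not code


def find_inline_code_exec(script: str) -> list:
    """Return (struct_var, hex_var, blob_len_bytes) for every blob routed into CallWindowProc.
    Limitation: literals built by concatenation or wrapped in Binary() are not followed."""
    blobs = {m.group(1): len(m.group(2)) // 2 for m in _HEX_ASSIGN.finditer(script)}
    struct_to_src = {m.group(1): m.group(2) for m in _SET_DATA.finditer(script)}
    hits = []
    for m in _CWP.finditer(script):
        struct_var = m.group(1)
        src = struct_to_src.get(struct_var)
        if src in blobs and blobs[src] >= MIN_BLOB_BYTES:
            hits.append((struct_var, src, blobs[src]))
    return hits


# Constructed sample with the shape of the thread's _rc4 function; blob replaced by 40 NOP bytes.
SAMPLE_AU3 = '''
Func _rc4($data, $key)
    Local $opcode = "0x''' + "90" * 40 + '''"
    Local $codebuffer = DllStructCreate("byte[" & BinaryLen($opcode) & "]")
    DllStructSetData($codebuffer, 1, $opcode)
    Local $buffer = DllStructCreate("byte[" & BinaryLen($data) & "]")
    DllStructSetData($buffer, 1, $data)
    DllCall("user32.dll", "none", "CallWindowProc", "ptr", DllStructGetPtr($codebuffer), "ptr", DllStructGetPtr($buffer), "int", BinaryLen($data), "str", $key, "int", 0)
    Return DllStructGetData($buffer, 1)
EndFunc
'''

if __name__ == "__main__":
    for struct_var, hex_var, size in find_inline_code_exec(SAMPLE_AU3):
        print(f"inline code execution: ${hex_var} ({size} bytes) -> ${struct_var} -> CallWindowProc")
```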