Is this a cryptographic function?

-4

I'm trying to reverse engineer some application that communicates with server and receives an authentication string. The string contains 80 hex characters. I suspect the program decrypts (?) the string here (main function)?

Main function:

Assembly: click

Ghidra decompiler:

ulonglong FUN_141aaf280(longlong *param_1)
 
{
  ulonglong uVar1;
  int iVar2;
  longlong lVar3;
 
  iVar2 = 0;
  uVar1 = FUN_140828df0(param_1);
  if (0 < (int)uVar1) {
    lVar3 = 8;
    do {
      uVar1 = isxdigit((ulonglong)*(ushort *)(lVar3 + *param_1));
      if ((int)uVar1 == 0) {
        return uVar1 & 0xffffffffffffff00;
      }
      iVar2 = iVar2 + 1;
      lVar3 = lVar3 + 2;
      uVar1 = FUN_140828df0(param_1);
    } while (iVar2 < (int)uVar1);
  }
  return CONCAT71((int7)(uVar1 >> 8),1);
}

FUN_140828df0: (method used in main)

Assembly: click

ulonglong FUN_140828df0(longlong *param_1)
 
{
  if (*param_1 != 0) {
    return (ulonglong)(*(int *)(*param_1 + 4) / 2 - 1);
  }
  return 0xffffffff;
}
c++
assembly
reverse-engineering
asked on Stack Overflow Dec 13, 2020 by StackOverflow

1 Answer

0

It looks like your decompiler is not doing a good job of inferring data structure formats. This could be better decompiled as

struct data_t {
    int         f1;
    int         f2;
    ushort      f3[MAXLEN];
};

ulonglong FUN_140828df0(struct data_t **param_1)
{
  if (*param_1 != 0) {
    // return (ulonglong)(*(int *)(*param_1 + 4) / 2 - 1);
    return (*param_1)->f2 / 2 - 1;
  }
  return 0xffffffff;
}

ulonglong FUN_141aaf280(struct data_t **param_1)

{
  ulonglong uVar1;
  int iVar2;
  // longlong lVar3;
  size_t index;

  iVar2 = 0;
  uVar1 = FUN_140828df0(param_1);
  if (0 < (int)uVar1) {
    // lVar3 = 8;
    index = 0;
    do {
      // uVar1 = isxdigit((ulonglong)*(ushort *)(lVar3 + *param_1));
      uVar1 = isxdigit((*param_1)->f3[index]);
      if ((int)uVar1 == 0) {
        return uVar1 & 0xffffffffffffff00;
      }
      iVar2 = iVar2 + 1;
      // lVar3 = lVar3 + 2;
      ++index;
      uVar1 = FUN_140828df0(param_1);
    } while (iVar2 < (int)uVar1);
  }
  return CONCAT71((int7)(uVar1 >> 8),1);
}

I've left the original decompiled code as comments followed by what I manually translated it as.

This looks more like scanning through a buffer for somethig, not any type of encryption.

answered on Stack Overflow Dec 13, 2020 by Chris Dodd

User contributions licensed under CC BY-SA 3.0