I'm trying to reverse engineer some application that communicates with server and receives an authentication string. The string contains 80 hex characters. I suspect the program decrypts (?) the string here (main function)?
Main function:
Assembly: click
Ghidra decompiler:
ulonglong FUN_141aaf280(longlong *param_1)
{
ulonglong uVar1;
int iVar2;
longlong lVar3;
iVar2 = 0;
uVar1 = FUN_140828df0(param_1);
if (0 < (int)uVar1) {
lVar3 = 8;
do {
uVar1 = isxdigit((ulonglong)*(ushort *)(lVar3 + *param_1));
if ((int)uVar1 == 0) {
return uVar1 & 0xffffffffffffff00;
}
iVar2 = iVar2 + 1;
lVar3 = lVar3 + 2;
uVar1 = FUN_140828df0(param_1);
} while (iVar2 < (int)uVar1);
}
return CONCAT71((int7)(uVar1 >> 8),1);
}
FUN_140828df0: (method used in main)
Assembly: click
ulonglong FUN_140828df0(longlong *param_1)
{
if (*param_1 != 0) {
return (ulonglong)(*(int *)(*param_1 + 4) / 2 - 1);
}
return 0xffffffff;
}
It looks like your decompiler is not doing a good job of inferring data structure formats. This could be better decompiled as
struct data_t {
int f1;
int f2;
ushort f3[MAXLEN];
};
ulonglong FUN_140828df0(struct data_t **param_1)
{
if (*param_1 != 0) {
// return (ulonglong)(*(int *)(*param_1 + 4) / 2 - 1);
return (*param_1)->f2 / 2 - 1;
}
return 0xffffffff;
}
ulonglong FUN_141aaf280(struct data_t **param_1)
{
ulonglong uVar1;
int iVar2;
// longlong lVar3;
size_t index;
iVar2 = 0;
uVar1 = FUN_140828df0(param_1);
if (0 < (int)uVar1) {
// lVar3 = 8;
index = 0;
do {
// uVar1 = isxdigit((ulonglong)*(ushort *)(lVar3 + *param_1));
uVar1 = isxdigit((*param_1)->f3[index]);
if ((int)uVar1 == 0) {
return uVar1 & 0xffffffffffffff00;
}
iVar2 = iVar2 + 1;
// lVar3 = lVar3 + 2;
++index;
uVar1 = FUN_140828df0(param_1);
} while (iVar2 < (int)uVar1);
}
return CONCAT71((int7)(uVar1 >> 8),1);
}
I've left the original decompiled code as comments followed by what I manually translated it as.
This looks more like scanning through a buffer for somethig, not any type of encryption.
User contributions licensed under CC BY-SA 3.0