Need help understanding XOR cipher

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
3
down vote

favorite
1












I am trying to modify a save file for a game. I think it is using an XOR cipher to encrypt it. Looking though the disassembly I think I found the function that decrypts it. I ran the assembly through a decompiler to get a better grip on what is going on.



I am a C# programmer with some knowledge of C/C++. I generally understand what is accomplished by this code, but there are some details I don't understand.



int __fastcall DecryptBuffer(unsigned __int8 *a1, int a2, int a3, unsigned int a4, int a5)

unsigned __int8 *v5;
unsigned __int8 *v6;
int result;
int v8;

v5 = a1;
v6 = &a1[a2];
result = a5;
v8 = a5 - (_DWORD)v5;
while ( v5 != v6 )

result = *v5 ^ *(unsigned __int8 *)(a3 + (unsigned int)&v5[v8] % a4);
*v5++ = result;

return result;



It accepts as parameters:




  • a1 - a byte array


  • a2 - the length of the array


  • a3 - 0xB19D425B


  • a4 - 0x107


  • a5 - 0x00

First, I can't figure out the value of v8. I don't know what (_DWORD)v5 means, or why it is subtracted from zero.



Second, I don't know what (unsigned int)&v5[v8] is actually doing. I take it to mean it is looking up a byte somewhere in the array, but is it retrieving a single byte and casting to an uint, or four bytes?



Here is the disassembly:



sub_301E44
PUSH.W R4-R8,LR
MOV R4, R0
ADDS R6, R0, R1
LDR R0, [SP,#0x18+arg_0]
MOV R7, R2
MOV R8, R3
SUBS R5, R0, R4
loc_301E54
CMP R4, R6
BEQ locret_301E6C
ADDS R0, R5, R4
MOV R1, R8
BL.W __aeabi_uidivmod
LDRB R0, [R4]
LDRB R3, [R7,R1]
EORS R0, R3
STRB.W R0, [R4],#1
B loc_301E54
locret_301E6C
POP.W R4-R8,PC


This is the function that calls the above:



PUSH R0-R2,LR
MOVS R3, #0
LDR R2, =(dword_8749EF - 0x301E80)
STR R3, [SP,#0x10+var_10]
MOVW R3, #0x107
ADD R2, PC ; dword_8749EF
BL sub_301E44
ADD SP, SP, #0xC









share|improve this question









New contributor




Chet is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    3
    down vote

    favorite
    1












    I am trying to modify a save file for a game. I think it is using an XOR cipher to encrypt it. Looking though the disassembly I think I found the function that decrypts it. I ran the assembly through a decompiler to get a better grip on what is going on.



    I am a C# programmer with some knowledge of C/C++. I generally understand what is accomplished by this code, but there are some details I don't understand.



    int __fastcall DecryptBuffer(unsigned __int8 *a1, int a2, int a3, unsigned int a4, int a5)

    unsigned __int8 *v5;
    unsigned __int8 *v6;
    int result;
    int v8;

    v5 = a1;
    v6 = &a1[a2];
    result = a5;
    v8 = a5 - (_DWORD)v5;
    while ( v5 != v6 )

    result = *v5 ^ *(unsigned __int8 *)(a3 + (unsigned int)&v5[v8] % a4);
    *v5++ = result;

    return result;



    It accepts as parameters:




    • a1 - a byte array


    • a2 - the length of the array


    • a3 - 0xB19D425B


    • a4 - 0x107


    • a5 - 0x00

    First, I can't figure out the value of v8. I don't know what (_DWORD)v5 means, or why it is subtracted from zero.



    Second, I don't know what (unsigned int)&v5[v8] is actually doing. I take it to mean it is looking up a byte somewhere in the array, but is it retrieving a single byte and casting to an uint, or four bytes?



    Here is the disassembly:



    sub_301E44
    PUSH.W R4-R8,LR
    MOV R4, R0
    ADDS R6, R0, R1
    LDR R0, [SP,#0x18+arg_0]
    MOV R7, R2
    MOV R8, R3
    SUBS R5, R0, R4
    loc_301E54
    CMP R4, R6
    BEQ locret_301E6C
    ADDS R0, R5, R4
    MOV R1, R8
    BL.W __aeabi_uidivmod
    LDRB R0, [R4]
    LDRB R3, [R7,R1]
    EORS R0, R3
    STRB.W R0, [R4],#1
    B loc_301E54
    locret_301E6C
    POP.W R4-R8,PC


    This is the function that calls the above:



    PUSH R0-R2,LR
    MOVS R3, #0
    LDR R2, =(dword_8749EF - 0x301E80)
    STR R3, [SP,#0x10+var_10]
    MOVW R3, #0x107
    ADD R2, PC ; dword_8749EF
    BL sub_301E44
    ADD SP, SP, #0xC









    share|improve this question









    New contributor




    Chet is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      3
      down vote

      favorite
      1









      up vote
      3
      down vote

      favorite
      1






      1





      I am trying to modify a save file for a game. I think it is using an XOR cipher to encrypt it. Looking though the disassembly I think I found the function that decrypts it. I ran the assembly through a decompiler to get a better grip on what is going on.



      I am a C# programmer with some knowledge of C/C++. I generally understand what is accomplished by this code, but there are some details I don't understand.



      int __fastcall DecryptBuffer(unsigned __int8 *a1, int a2, int a3, unsigned int a4, int a5)

      unsigned __int8 *v5;
      unsigned __int8 *v6;
      int result;
      int v8;

      v5 = a1;
      v6 = &a1[a2];
      result = a5;
      v8 = a5 - (_DWORD)v5;
      while ( v5 != v6 )

      result = *v5 ^ *(unsigned __int8 *)(a3 + (unsigned int)&v5[v8] % a4);
      *v5++ = result;

      return result;



      It accepts as parameters:




      • a1 - a byte array


      • a2 - the length of the array


      • a3 - 0xB19D425B


      • a4 - 0x107


      • a5 - 0x00

      First, I can't figure out the value of v8. I don't know what (_DWORD)v5 means, or why it is subtracted from zero.



      Second, I don't know what (unsigned int)&v5[v8] is actually doing. I take it to mean it is looking up a byte somewhere in the array, but is it retrieving a single byte and casting to an uint, or four bytes?



      Here is the disassembly:



      sub_301E44
      PUSH.W R4-R8,LR
      MOV R4, R0
      ADDS R6, R0, R1
      LDR R0, [SP,#0x18+arg_0]
      MOV R7, R2
      MOV R8, R3
      SUBS R5, R0, R4
      loc_301E54
      CMP R4, R6
      BEQ locret_301E6C
      ADDS R0, R5, R4
      MOV R1, R8
      BL.W __aeabi_uidivmod
      LDRB R0, [R4]
      LDRB R3, [R7,R1]
      EORS R0, R3
      STRB.W R0, [R4],#1
      B loc_301E54
      locret_301E6C
      POP.W R4-R8,PC


      This is the function that calls the above:



      PUSH R0-R2,LR
      MOVS R3, #0
      LDR R2, =(dword_8749EF - 0x301E80)
      STR R3, [SP,#0x10+var_10]
      MOVW R3, #0x107
      ADD R2, PC ; dword_8749EF
      BL sub_301E44
      ADD SP, SP, #0xC









      share|improve this question









      New contributor




      Chet is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      I am trying to modify a save file for a game. I think it is using an XOR cipher to encrypt it. Looking though the disassembly I think I found the function that decrypts it. I ran the assembly through a decompiler to get a better grip on what is going on.



      I am a C# programmer with some knowledge of C/C++. I generally understand what is accomplished by this code, but there are some details I don't understand.



      int __fastcall DecryptBuffer(unsigned __int8 *a1, int a2, int a3, unsigned int a4, int a5)

      unsigned __int8 *v5;
      unsigned __int8 *v6;
      int result;
      int v8;

      v5 = a1;
      v6 = &a1[a2];
      result = a5;
      v8 = a5 - (_DWORD)v5;
      while ( v5 != v6 )

      result = *v5 ^ *(unsigned __int8 *)(a3 + (unsigned int)&v5[v8] % a4);
      *v5++ = result;

      return result;



      It accepts as parameters:




      • a1 - a byte array


      • a2 - the length of the array


      • a3 - 0xB19D425B


      • a4 - 0x107


      • a5 - 0x00

      First, I can't figure out the value of v8. I don't know what (_DWORD)v5 means, or why it is subtracted from zero.



      Second, I don't know what (unsigned int)&v5[v8] is actually doing. I take it to mean it is looking up a byte somewhere in the array, but is it retrieving a single byte and casting to an uint, or four bytes?



      Here is the disassembly:



      sub_301E44
      PUSH.W R4-R8,LR
      MOV R4, R0
      ADDS R6, R0, R1
      LDR R0, [SP,#0x18+arg_0]
      MOV R7, R2
      MOV R8, R3
      SUBS R5, R0, R4
      loc_301E54
      CMP R4, R6
      BEQ locret_301E6C
      ADDS R0, R5, R4
      MOV R1, R8
      BL.W __aeabi_uidivmod
      LDRB R0, [R4]
      LDRB R3, [R7,R1]
      EORS R0, R3
      STRB.W R0, [R4],#1
      B loc_301E54
      locret_301E6C
      POP.W R4-R8,PC


      This is the function that calls the above:



      PUSH R0-R2,LR
      MOVS R3, #0
      LDR R2, =(dword_8749EF - 0x301E80)
      STR R3, [SP,#0x10+var_10]
      MOVW R3, #0x107
      ADD R2, PC ; dword_8749EF
      BL sub_301E44
      ADD SP, SP, #0xC






      c++ arm






      share|improve this question









      New contributor




      Chet is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Chet is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited Oct 4 at 0:04





















      New contributor




      Chet is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked Oct 3 at 19:32









      Chet

      1185




      1185




      New contributor




      Chet is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Chet is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Chet is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          3
          down vote



          accepted










          (_DWORD)v5 is simply casting the __int8* pointer to _DWORD. Decompilations tend to be quite messy if you don't fix variable types, so let's ignore types for a moment.



          To understand the value of v8, substitute it into the expression bellow:
          &v5[a5 - v5_old]. We can also understand this as v5 + a5 - v5_old. v5 is being incremented with each iteration of the loop, so the above expression is basically the current index plus a5.



          The current index plus a5 modulo a4 (presumably the length of the buffer pointed to by a3) is then added to a3 and the corresponding byte is XOR'd to the byte currently pointed to by v5.



          Here's my take on the algorithm:



          void DecryptBuffer ( char *buffer, int buffer_len, char *key, int key_len, int key_start )

          int i;
          for ( i = 0; i < buffer_len; i++ )
          buffer [ i ] ^= key [ ( key_start + i ) % key_len ];



          Or in other words, XOR with the key repeating over and over.



          This is quite standard, so it's probably right, but it could be wrong—as I said, the decompilation is quite messy. If you want a sure answer, either clean it up by fixing variable types or post the disassembly as well.






          share|improve this answer




















          • Thanks so much, that works. I would never have realized that key was a pointer to an array (rather than just an integer) and that v8 was being used to determine how far into the buffer we were. I attached the disassembly for completeness.
            – Chet
            Oct 4 at 0:06










          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "489"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          Chet is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f19524%2fneed-help-understanding-xor-cipher%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          3
          down vote



          accepted










          (_DWORD)v5 is simply casting the __int8* pointer to _DWORD. Decompilations tend to be quite messy if you don't fix variable types, so let's ignore types for a moment.



          To understand the value of v8, substitute it into the expression bellow:
          &v5[a5 - v5_old]. We can also understand this as v5 + a5 - v5_old. v5 is being incremented with each iteration of the loop, so the above expression is basically the current index plus a5.



          The current index plus a5 modulo a4 (presumably the length of the buffer pointed to by a3) is then added to a3 and the corresponding byte is XOR'd to the byte currently pointed to by v5.



          Here's my take on the algorithm:



          void DecryptBuffer ( char *buffer, int buffer_len, char *key, int key_len, int key_start )

          int i;
          for ( i = 0; i < buffer_len; i++ )
          buffer [ i ] ^= key [ ( key_start + i ) % key_len ];



          Or in other words, XOR with the key repeating over and over.



          This is quite standard, so it's probably right, but it could be wrong—as I said, the decompilation is quite messy. If you want a sure answer, either clean it up by fixing variable types or post the disassembly as well.






          share|improve this answer




















          • Thanks so much, that works. I would never have realized that key was a pointer to an array (rather than just an integer) and that v8 was being used to determine how far into the buffer we were. I attached the disassembly for completeness.
            – Chet
            Oct 4 at 0:06














          up vote
          3
          down vote



          accepted










          (_DWORD)v5 is simply casting the __int8* pointer to _DWORD. Decompilations tend to be quite messy if you don't fix variable types, so let's ignore types for a moment.



          To understand the value of v8, substitute it into the expression bellow:
          &v5[a5 - v5_old]. We can also understand this as v5 + a5 - v5_old. v5 is being incremented with each iteration of the loop, so the above expression is basically the current index plus a5.



          The current index plus a5 modulo a4 (presumably the length of the buffer pointed to by a3) is then added to a3 and the corresponding byte is XOR'd to the byte currently pointed to by v5.



          Here's my take on the algorithm:



          void DecryptBuffer ( char *buffer, int buffer_len, char *key, int key_len, int key_start )

          int i;
          for ( i = 0; i < buffer_len; i++ )
          buffer [ i ] ^= key [ ( key_start + i ) % key_len ];



          Or in other words, XOR with the key repeating over and over.



          This is quite standard, so it's probably right, but it could be wrong—as I said, the decompilation is quite messy. If you want a sure answer, either clean it up by fixing variable types or post the disassembly as well.






          share|improve this answer




















          • Thanks so much, that works. I would never have realized that key was a pointer to an array (rather than just an integer) and that v8 was being used to determine how far into the buffer we were. I attached the disassembly for completeness.
            – Chet
            Oct 4 at 0:06












          up vote
          3
          down vote



          accepted







          up vote
          3
          down vote



          accepted






          (_DWORD)v5 is simply casting the __int8* pointer to _DWORD. Decompilations tend to be quite messy if you don't fix variable types, so let's ignore types for a moment.



          To understand the value of v8, substitute it into the expression bellow:
          &v5[a5 - v5_old]. We can also understand this as v5 + a5 - v5_old. v5 is being incremented with each iteration of the loop, so the above expression is basically the current index plus a5.



          The current index plus a5 modulo a4 (presumably the length of the buffer pointed to by a3) is then added to a3 and the corresponding byte is XOR'd to the byte currently pointed to by v5.



          Here's my take on the algorithm:



          void DecryptBuffer ( char *buffer, int buffer_len, char *key, int key_len, int key_start )

          int i;
          for ( i = 0; i < buffer_len; i++ )
          buffer [ i ] ^= key [ ( key_start + i ) % key_len ];



          Or in other words, XOR with the key repeating over and over.



          This is quite standard, so it's probably right, but it could be wrong—as I said, the decompilation is quite messy. If you want a sure answer, either clean it up by fixing variable types or post the disassembly as well.






          share|improve this answer












          (_DWORD)v5 is simply casting the __int8* pointer to _DWORD. Decompilations tend to be quite messy if you don't fix variable types, so let's ignore types for a moment.



          To understand the value of v8, substitute it into the expression bellow:
          &v5[a5 - v5_old]. We can also understand this as v5 + a5 - v5_old. v5 is being incremented with each iteration of the loop, so the above expression is basically the current index plus a5.



          The current index plus a5 modulo a4 (presumably the length of the buffer pointed to by a3) is then added to a3 and the corresponding byte is XOR'd to the byte currently pointed to by v5.



          Here's my take on the algorithm:



          void DecryptBuffer ( char *buffer, int buffer_len, char *key, int key_len, int key_start )

          int i;
          for ( i = 0; i < buffer_len; i++ )
          buffer [ i ] ^= key [ ( key_start + i ) % key_len ];



          Or in other words, XOR with the key repeating over and over.



          This is quite standard, so it's probably right, but it could be wrong—as I said, the decompilation is quite messy. If you want a sure answer, either clean it up by fixing variable types or post the disassembly as well.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Oct 3 at 20:14









          user2347953

          1213




          1213











          • Thanks so much, that works. I would never have realized that key was a pointer to an array (rather than just an integer) and that v8 was being used to determine how far into the buffer we were. I attached the disassembly for completeness.
            – Chet
            Oct 4 at 0:06
















          • Thanks so much, that works. I would never have realized that key was a pointer to an array (rather than just an integer) and that v8 was being used to determine how far into the buffer we were. I attached the disassembly for completeness.
            – Chet
            Oct 4 at 0:06















          Thanks so much, that works. I would never have realized that key was a pointer to an array (rather than just an integer) and that v8 was being used to determine how far into the buffer we were. I attached the disassembly for completeness.
          – Chet
          Oct 4 at 0:06




          Thanks so much, that works. I would never have realized that key was a pointer to an array (rather than just an integer) and that v8 was being used to determine how far into the buffer we were. I attached the disassembly for completeness.
          – Chet
          Oct 4 at 0:06










          Chet is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          Chet is a new contributor. Be nice, and check out our Code of Conduct.












          Chet is a new contributor. Be nice, and check out our Code of Conduct.











          Chet is a new contributor. Be nice, and check out our Code of Conduct.













           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f19524%2fneed-help-understanding-xor-cipher%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?