Hi, sorry for my English, I'm from Russia :) I have the following task:
Description:
An application sends encrypted packets to an outside server (using the WinSock function send()) and receives encrypted responses from the server (using the WinSock function recv()). The encryption and decryption algorithm is not known.
Task
Get the already decrypted packets that come from the external server.
Solution
To decrypt the incoming packet, the application will need to decrypt it; logically, this function (decryption) should come almost immediately after the call to recv and have at least two arguments (a pointer to the data and the data size). I opened this application in IDA Pro and found the address of the function recv(), like this:

.idata:00B56834 ; int __stdcall recv(SOCKET s, char *buf, int len, int flags)
.idata:00B56834 extrn __imp_recv:dword ; CODE XREF: sub_549FA0+24<p
.idata:00B56834 ; sub_54A930+381<p ...

The function recv() is called in two locations: sub_549FA0 and sub_54A930. In the function sub_549FA0 I didn't find any calls that look like a decryption function =( In the function sub_54A930 I found the following:

v32 = recv(*(_DWORD *)(v1 + 4), (char *)(*(_DWORD *)(v1 + 28) + *(_DWORD *)(v1 + 32)), len, 0);
......
if ( !v57 || sub_548840(*(_DWORD *)(v1 + 28), *(_DWORD *)(v1 + 32)) )
{
    .........
}
........

In my opinion sub_548840 is the function that decodes the packet; here is its code:

char __cdecl sub_548840(int a1, signed int a2)
{
    signed int v2; // edi@1
    int v3; // eax@2
    char v4; // bl@2
    signed int v5; // ST0C_4@2
    int v6; // ecx@4
    int v7; // ebx@6
    __int64 v8; // qt0@6
    int v9; // esi@6
    char result; // al@8
    int v11; // [sp+4h] [bp-8h]@6
    int v12; // [sp+8h] [bp-4h]@7
    int v13; // [sp+18h] [bp+Ch]@2

    v2 = a2;
    if ( a2 < 1 )
    {
        result = 0;
    }
    else
    {
        v4 = *(_BYTE *)a1 & 0x80;
        v5 = a2;
        v13 = ((*(_BYTE *)a1 & 0x80) != 0) + 10;
        v3 = sub_5487F0(a1, v5);
        if ( v3 < 0 || v13 + v3 > v2 )
        {
            result = 0;
        }
        else
        {
            v6 = a1 + 3;
            if ( !v4 )
                v6 = a1 + 2;
            HIDWORD(v8) = (unsigned __int64)*(_BYTE *)v6 << 8 >> 32;
            LODWORD(v8) = *(_BYTE *)(v6 + 1) | (*(_BYTE *)v6 << 8);
            HIDWORD(v8) = (unsigned __int64)(v8 << 8) >> 32;
            LODWORD(v8) = *(_BYTE *)(v6 + 2) | ((_DWORD)v8 << 8);
            HIDWORD(v8) = (unsigned __int64)(v8 << 8) >> 32;
            LODWORD(v8) = *(_BYTE *)(v6 + 3) | ((_DWORD)v8 << 8);
            HIDWORD(v8) = (unsigned __int64)(v8 << 8) >> 32;
            LODWORD(v8) = *(_BYTE *)(v6 + 4) | ((_DWORD)v8 << 8);
            HIDWORD(v8) = (unsigned __int64)(v8 << 8) >> 32;
            LODWORD(v8) = *(_BYTE *)(v6 + 5) | ((_DWORD)v8 << 8);
            HIDWORD(v8) = (unsigned __int64)(v8 << 8) >> 32;
            LODWORD(v8) = *(_BYTE *)(v6 + 6) | ((_DWORD)v8 << 8);
            v9 = *(_BYTE *)(v6 + 7) | ((_DWORD)v8 << 8);
            v7 = (unsigned __int64)(v8 << 8) >> 32;
            sub_4B6F10(a1 + v13, v2 - v13, &v11, 7);
            result = v9 == v11 && v7 == v12;
        }
    }
    return result;
}

What is your opinion? Am I right?
What is left to do:
1) create a DLL to inject into the application under investigation
2) intercept the call to recv
3) receive the encrypted packets from the external server
4) run the function sub_548840, passing it as parameters a pointer to the data (from step 3) and its size (Question: do I understand the input parameters correctly?)
Question:
Steps 1-3 are no problem, I already receive encrypted data from the external server, but how do I run the function sub_548840?
I know its address in the exe file; the address in memory will be different. Please help: how do I find the function's address in memory if I know its address in the exe file?
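Added illustration, not the poster's code: the checks that the decompiled sub_548840 performs, written in plain C, plus the address arithmetic the last question asks about. The two callees the decompilation does not show (sub_5487F0 and sub_4B6F10) are unknown, so they are modelled as callbacks; the byte-sum checksum, the sample packet and the image base 0x400000 are constructed assumptions for the demo only.

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-ins for the two routines the decompilation calls but does not show:
 * sub_5487F0 (returns an extra length, negative on error) and sub_4B6F10
 * (writes an 8-byte value to *out). Both are unknown, hence callbacks. */
typedef int  (*extra_len_fn)(const uint8_t *buf, size_t len);
typedef void (*checksum_fn)(const uint8_t *data, size_t len, uint64_t *out);

/* Same checks as sub_548840, written plainly. Note that it only compares an
 * 8-byte big-endian header field with a value computed over the rest of the
 * packet and returns 1/0; the buffer itself is left untouched. */
int packet_check(const uint8_t *buf, int len, extra_len_fn extra, checksum_fn sum)
{
    if (len < 1) return 0;
    int flag = (buf[0] & 0x80) != 0;              /* v4 */
    int hdr  = 10 + flag;                         /* v13: header length */
    int xlen = extra(buf, (size_t)len);           /* v3 */
    if (xlen < 0 || hdr + xlen > len) return 0;
    const uint8_t *p = buf + (flag ? 3 : 2);      /* v6 */
    uint64_t stored = 0;                          /* v7:v9, big-endian */
    for (int i = 0; i < 8; i++) stored = (stored << 8) | p[i];
    uint64_t computed = 0;                        /* v12:v11 */
    sum(buf + hdr, (size_t)(len - hdr), &computed);
    return stored == computed;                    /* v9 == v11 && v7 == v12 */
}

/* File address as shown in IDA -> runtime address: the RVA is unchanged, only
 * the base moves. On Windows the runtime base of the main module is
 * (uintptr_t)GetModuleHandle(NULL); the IDA image base is in the Segments view. */
uintptr_t rebase(uintptr_t ida_addr, uintptr_t ida_imagebase, uintptr_t runtime_base)
{
    return runtime_base + (ida_addr - ida_imagebase);
}

/* --- constructed demo input; the real algorithm behind sub_4B6F10 is unknown --- */
static int  demo_extra(const uint8_t *b, size_t n) { (void)b; (void)n; return 0; }
static void demo_sum(const uint8_t *d, size_t n, uint64_t *out)
{   /* toy stand-in: 64-bit byte sum, NOT the real checksum */
    uint64_t s = 0; for (size_t i = 0; i < n; i++) s += d[i]; *out = s;
}
/* 10-byte header (flag clear) carrying 0x0102, then 3 payload bytes summing to 0x0102 */
int demo(int corrupt)
{
    uint8_t pkt[13] = { 0x00, 0x0d, 0,0,0,0,0,0, 0x01,0x02, 0xff, 0x02, 0x01 };
    if (corrupt) pkt[12] ^= 0x01;                 /* tamper with the payload */
    return packet_check(pkt, (int)sizeof pkt, demo_extra, demo_sum);
}
```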