{"componentChunkName":"component---src-templates-post-template-js","path":"/windows-windbg-011-rc4-en","result":{"data":{"markdownRemark":{"id":"e0ecaf55-06a0-5e12-85bc-770a6ca52ad5","html":"
\n

This page has been machine-translated from the original page.

\n
\n

This time I wanted to implement the RC4 cipher in C and reverse-engineer it with WinDbg.

\n

At Harekaze mini CTF 2021, held on 2021/12/24, there was a Rev challenge that required identifying RC4 usage from static analysis alone. Unfortunately, I was unable to identify it from the decompiler output at the time.

\n

Reference: harekaze-mini-ctf-2021 Pack

\n

As a review exercise, I decided to implement RC4 myself and reverse-engineer it.

\n\n

Table of Contents

\n\n

What Is RC4 Encryption?

\n

RC4 is a type of stream cipher that was used in protocols such as WEP and SSL.

\n

It is now widely known to have vulnerabilities and its use is not recommended.

\n

Reference: RC4 - Wikipedia

\n

Stream Ciphers

\n

A stream cipher is a type of symmetric cipher (one that uses the same key for both encryption and decryption) that encrypts data sequentially, bit by bit or byte by byte.

\n

Block ciphers are another form of symmetric cipher and are frequently compared with stream ciphers.

\n

Reference: Practical Guide to Applied Cryptography

\n

RC4 Cipher

\n

Because RC4 is a stream cipher, it encrypts plaintext by XORing it with a generated pseudorandom sequence.

\n

The encryption flow with RC4 is roughly as follows:

\n\n

KSA

\n

In RC4, a predefined array S is initialized using the KSA (Key Scheduling Algorithm).

\n

The implementation follows the Wikipedia sample.

\n

Reference: RC4 - Wikipedia

\n
#define N 256\n\nvoid swap(unsigned char *a, unsigned char *b)\n{\n    int tmp = *a;\n    *a = *b;\n    *b = tmp;\n    return;\n}\n\nint KSA(char *key, unsigned char *S)\n{\n\n    // Initialize array S (S[0]=0, S[1]=1...S[255]=255)\n    for (int i = 0; i < N; i++) S[i] = i;\n    \n    // Generate the initial stream with KSA\n    int j = 0;\n    int len = strlen(key);\n    for (int i = 0; i < N; i++)\n    {\n        j = (j + S[i] + key[i % len]) % N;\n        swap(&S[i], &S[j]);\n    }\n\n    return 0;\n}
\n

As shown above, the initial stream is generated by KSA based on the input key.

\n

Generating the Key Stream and Encrypting with PRGA

\n

The steps from PRGA to encryption are implemented as follows:

\n\n

The implementation is very straightforward.

\n
int PRGA(unsigned char *S, char *text, unsigned char *encrypted_text)\n{\n\n    int i = 0;\n    int j = 0;\n    for (size_t n = 0, len = strlen(text); n < len; n++)\n    {\n        i = (i + 1) % N;\n        j = (j + S[i]) % N;\n        swap(&S[i], &S[j]);\n        int K = S[(S[i] + S[j]) % N];\n        encrypted_text[n] = K ^ text[n];\n    }\n\n    return 0;\n}
\n

This completes the RC4 encryption implementation.

\n

Decryption

\n

RC4 encrypts data using XOR with a pseudorandom sequence.

\n

Because the pseudorandom generation algorithm is deterministic, the same key always produces the same pseudorandom sequence.

\n

Therefore, you can decrypt ciphertext by XORing it again with the pseudorandom sequence generated from the same key that was used for encryption.

\n

Source Code

\n

The full source code is shown below.

\n

It is also available in the following repository.

\n

Reference: Try2WinDbg/rc4_encrypt.c

\n
#include <stdio.h>\n#include <string.h>\n#include <stdlib.h>\n\n#define N 256\n\nvoid swap(unsigned char *a, unsigned char *b)\n{\n    int tmp = *a;\n    *a = *b;\n    *b = tmp;\n    return;\n}\n\nint KSA(char *key, unsigned char *S)\n{\n\n    // Initialize array S (S[0]=0, S[1]=1...S[255]=255)\n    for (int i = 0; i < N; i++) S[i] = i;\n    \n    // Generate the initial stream with KSA\n    int j = 0;\n    int len = strlen(key);\n    for (int i = 0; i < N; i++)\n    {\n        j = (j + S[i] + key[i % len]) % N;\n        swap(&S[i], &S[j]);\n    }\n\n    return 0;\n}\n\nint PRGA(unsigned char *S, char *text, unsigned char *encrypted_text)\n{\n\n    int i = 0;\n    int j = 0;\n    for (size_t n = 0, len = strlen(text); n < len; n++)\n    {\n        i = (i + 1) % N;\n        j = (j + S[i]) % N;\n        swap(&S[i], &S[j]);\n        int K = S[(S[i] + S[j]) % N];\n        encrypted_text[n] = K ^ text[n];\n    }\n\n    return 0;\n}\n\nint RC4(char *key, char *text, unsigned char *encrypted_text)\n{\n\n    unsigned char S[N];\n\n    KSA(key, S);\n    PRGA(S, text, encrypted_text);\n    return 0;\n}\n\nint main(int argc, char *argv[])\n{\n    printf(\"RC4 module\\n\");\n\n    // Note: a short RC4 key is easily guessable; exercise caution in production use\n    char *key = \"testkey\";\n    char *text = \"this is test.\";\n\n    unsigned char *encrypted_text = malloc(sizeof(int) * strlen(text));\n    RC4(key, text, encrypted_text);\n\n    printf(\"This is encrypted text\\n\");\n    printf(\"==> \");\n    for (size_t i = 0, len = strlen(text); i < len; i++)\n    {\n        printf(\"%02hhX\", encrypted_text[i]);\n    }\n    printf(\"\\n\");\n\n    unsigned char *decrypted_text = malloc(sizeof(int) * strlen(encrypted_text));\n    RC4(key, encrypted_text, decrypted_text);\n\n    printf(\"This is decrypted text\\n\");\n    printf(\"==> \");\n    for (size_t i = 0, len = strlen(text); i < len; i++)\n    {\n        printf(\"%c\", decrypted_text[i]);\n    }\n\n    return 0;\n}
\n

Finally, let’s reverse-engineer this program.

\n

Reversing the RC4 Program

\n

First, I loaded the compiled binary into Ghidra for analysis.

\n

I will skip over the process of locating the main function.

\n

Decompiling the Calling Function

\n

Let’s start by looking at the RC4 calling function.

\n

In terms of the source code, this corresponds to the following section:

\n
int RC4(char *key, char *text, unsigned char *encrypted_text)\n{\n    unsigned char S[N];\n    KSA(key, S);\n    PRGA(S, text, encrypted_text);\n    return 0;\n}
\n

Looking at the decompiled output, something seems off:

\n
void __cdecl RC4(char *param_1,char *param_2,int param_3)\n{\n  uint uVar1;\n  undefined extraout_DL;\n  undefined in_stack_fffffef8;\n  \n  uVar1 = DAT_00471090 ^ (uint)&stack0xfffffffc;\n  thunk_FUN_004071b0(param_1,(int)&stack0xfffffef8);\n  thunk_FUN_00407260((int)&stack0xfffffef8,param_2,param_3);\n  thunk_FUN_00407648(uVar1 ^ (uint)&stack0xfffffffc,extraout_DL,in_stack_fffffef8);\n  return;\n}
\n

I renamed the functions and variables to make analysis easier:

\n
void __cdecl RC4(char *key,char *text,int encrypted_text)\n{\n  uint uVar1;\n  undefined extraout_DL;\n  undefined S;\n  \n  uVar1 = DAT_00471090 ^ (uint)&stack0xfffffffc;\n  KSA(key,(int)&stack0xfffffef8);\n  PRGA((int)&stack0xfffffef8,text,encrypted_text);\n  thunk_FUN_00407648(uVar1 ^ (uint)&stack0xfffffffc,extraout_DL,S);\n  return;\n}
\n

The following two lines do not appear in the source code and it’s unclear what they’re doing:

\n
uVar1 = DAT_00471090 ^ (uint)&stack0xfffffffc;\n/* ... (omitted) ... */\nthunk_FUN_00407648(uVar1 ^ (uint)&stack0xfffffffc,extraout_DL,S);
\n

So I analyzed this section using WinDbg’s TTD trace.

\n

Analyzing the TTD Trace

\n

I captured a TTD trace as usual.

\n

The trace file is available here:

\n

Reference: Try2WinDbg/rc4_encrypt.zip

\n

I loaded the trace file and set a breakpoint at the address corresponding to the uVar1 = DAT_00471090 ^ (uint)&stack0xfffffffc; instruction.

\n

\n \n \n \n \n \n \n \n \n

\n

__security_cookie is defined in the data section and is used to detect buffer overflows.

\n

Reference: ida - _securitycookie for function pointers in Windows 10

\n

It turns out those two mysterious lines implement the stack-cookie mechanism for detecting buffer overflows:

\n
uVar1 = DAT_00471090 ^ (uint)&stack0xfffffffc;\n/* ... (omitted) ... */\nthunk_FUN_00407648(uVar1 ^ (uint)&stack0xfffffffc,extraout_DL,S);
\n

That clears things up a bit. Let’s move on to analyzing KSA and PRGA.

\n

Decompiling the KSA Function

\n

Here is the result of decompiling the KSA function in Ghidra:

\n
undefined4 __cdecl KSA(char *param_1,int param_2)\n{\n  size_t sVar1;\n  uint local_10;\n  int local_c;\n  int local_8;\n  \n  for (local_c = 0; local_c < 0x100; local_c = local_c + 1) {\n    *(undefined *)(param_2 + local_c) = (undefined)local_c;\n  }\n  local_10 = 0;\n  sVar1 = _strlen(param_1);\n  for (local_8 = 0; local_8 < 0x100; local_8 = local_8 + 1) {\n    local_10 = *(byte *)(param_2 + local_8) + local_10 + (int)param_1[local_8 % (int)sVar1] &\n               0x800000ff;\n    if ((int)local_10 < 0) {\n      local_10 = (local_10 - 1 | 0xffffff00) + 1;\n    }\n    thunk_FUN_00867180((undefined *)(param_2 + local_8),(undefined *)(param_2 + local_10));\n  }\n  return 0;\n}
\n

This closely resembles the decompiled output of the binary from the Harekaze mini CTF 2021 Rev challenge.

\n

\n \n \n \n \n \n \n \n \n

\n

Reference: harekaze-mini-ctf-2021 Pack

\n

It’s frustrating to think that if I had caught this right away, I could have solved the challenge.

\n

Decompiling the PRGA Function

\n

Here is the decompiled output:

\n
undefined4 __cdecl PRGA(int param_1,char *param_2,int param_3)\n{\n  size_t sVar1;\n  uint local_10;\n  uint local_c;\n  uint local_8;\n  \n  local_8 = 0;\n  local_10 = 0;\n  local_c = 0;\n  sVar1 = _strlen(param_2);\n  for (; local_c < sVar1; local_c = local_c + 1) {\n    local_8 = local_8 + 1 & 0x800000ff;\n    if ((int)local_8 < 0) {\n      local_8 = (local_8 - 1 | 0xffffff00) + 1;\n    }\n    local_10 = *(byte *)(param_1 + local_8) + local_10 & 0x800000ff;\n    if ((int)local_10 < 0) {\n      local_10 = (local_10 - 1 | 0xffffff00) + 1;\n    }\n    thunk_FUN_00867180((undefined *)(param_1 + local_8),(undefined *)(param_1 + local_10));\n    *(byte *)(param_3 + local_c) =\n         param_2[local_c] ^\n         *(byte *)(param_1 +\n                  ((uint)*(byte *)(param_1 + local_8) + (uint)*(byte *)(param_1 + local_10) &\n                  0x800000ff));\n  }\n  return 0;\n}
\n

One interesting point is how (i + 1) % 256 in the source code appears differently in the decompiled output:

\n

Note: In C, + and & have the same operator precedence, so i + 1 is evaluated first.

\n
i = i + 1 & 0x800000ff;\nif ((int)i < 0) {\n\ti = (i - 1 | 0xffffff00) + 1;\n}
\n

I wrote a small script to verify, and confirmed that this expression produces exactly the same result as % 256:

\n
def mod256(n):\n    n = n & 0x800000ff\n    if n < 0:\n        n = (n - 1 | 0xffffff00)\n\n    return n\n\ndef main():\n    for i in range(250, 260):\n        print(mod256(i), end=\" \")\n    print(\"\")\n\n    return\n\nif __name__ == \"__main__\":\n    main()
\n

That’s an interesting find.

\n

In future reversing work, when I see this kind of decompiled pattern I can recognize it as a modulo operation.

\n

Addendum (2022/1/2)

\n

I initially assumed that all mod 256 code would produce the same output as shown above, but it turns out the output varies considerably depending on the compiler. Someone kindly pointed this out in a Twitter comment.

\n

\n \n \n \n \n \n \n \n \n

\n

Source: original comment

\n

Summary

\n

This time, as a review of Harekaze mini CTF 2021, I implemented RC4 encryption and reverse-engineered it.

\n

I made some new discoveries along the way, so it was well worth trying.

\n

References

\n","fields":{"slug":"/windows-windbg-011-rc4-en","tagSlugs":["/tag/win-dbg-en/","/tag/kernel-en/","/tag/reversing-en/","/tag/c-c-en/","/tag/english/"]},"frontmatter":{"date":"2022-01-01","description":"","tags":["WinDbg (en)","Kernel (en)","Reversing (en)","C/C++ (en)","English"],"title":"Implementing RC4 Encryption in C and Reversing It with Ghidra and WinDbg","socialImage":{"publicURL":"/static/9e4eb7f7f2e918b5a9b14499e1168fe7/windows-windbg-011-rc4.png"}}}},"pageContext":{"slug":"/windows-windbg-011-rc4-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}