The last patch was a MAJOR change - it looks like they switched compilers (though I haven't confirmed yet). Most of the code is the same, but the registers have been switched around, and enough code has changed that most offsets have moved as well. It wasn't terribly hard to find the new functions and offsets, but it *was* annoying.
arteros (or anyone) - are you still pursuing this? I've gone through and located the RC4 block again if you're interested. Unfortunately, I still have not had the time (or maybe it's taking so much time because I lack the ability) to trace between the RC4 block and the actual send/receive functions... so I still don't have easy way to determine what's plaintext and what is ciphertext.
The RC4 algorithm is this:
while (true)
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
Swap (S[i], S[j]);
t = (S[i] + S[j]) mod 256;
k = S[t];
Here's the block, with my comments, that I *think* is RC4. If anyone sees error, please don't hold back - I'm still VERY new at this.
Code:
.text:00BCF700 ; =============== S U B R O U T I N E =======================================
.text:00BCF700
.text:00BCF700 ; Attributes: bp-based frame
.text:00BCF700
.text:00BCF700 run_rc4_sub_BCF700 proc near ; CODE XREF: MsgConn_cpp_sub_BCBE80+66p
.text:00BCF700 ; MsgConn_cpp_sub_BCC290+167p
.text:00BCF700
.text:00BCF700 esi_temp_storage_var_8= dword ptr -8
.text:00BCF700 s_box_var_4 = dword ptr -4
.text:00BCF700 loop_counter_arg_0= dword ptr 8
.text:00BCF700 plaintext_arg_4 = dword ptr 0Ch
.text:00BCF700 some_array_maybe_sbox_arg_8= dword ptr 10h
.text:00BCF700
.text:00BCF700 push ebp
.text:00BCF701 mov ebp, esp ; standard function header
.text:00BCF703 sub esp, 8
.text:00BCF706 cmp [ebp+loop_counter_arg_0], 0 ; check if length is 0
.text:00BCF70A push esi ; save esi
.text:00BCF70B mov esi, ecx
.text:00BCF70D push edi
.text:00BCF70E mov eax, [esi] ; eax = esi = i
.text:00BCF710 mov edi, [esi+4] ; edi = esi + 4 = j
.text:00BCF713 lea edx, [esi+8] ; edx = esi+8 = S[]
.text:00BCF716 mov [ebp+esi_temp_storage_var_8], esi
.text:00BCF719 mov [ebp+s_box_var_4], edx
.text:00BCF71C jbe short loc_BCF772 ; clean up stack for return
.text:00BCF71E mov esi, [ebp+some_array_maybe_sbox_arg_8]
.text:00BCF721 sub [ebp+plaintext_arg_4], esi
.text:00BCF724 push ebx
.text:00BCF725
.text:00BCF725 loc_BCF725: ; CODE XREF: run_rc4_sub_BCF700+6Cj
.text:00BCF725 inc eax ; while(true)
.text:00BCF725 ; i=i+1 % 256
.text:00BCF726 and eax, 0FFh ; |
.text:00BCF72B lea esi, [esi+1] ; j = (j+S[i]) % 256
.text:00BCF72E mov bl, [edx+eax] ; |
.text:00BCF731 movzx ecx, bl ; |
.text:00BCF734 add edi, ecx ; |
.text:00BCF736 and edi, 0FFh ; |
.text:00BCF73C movzx ecx, byte ptr [edx+edi] ; |
.text:00BCF740 mov [edx+eax], cl ; swap(s[i], s[j])
.text:00BCF743 mov [edx+edi], bl ; |
.text:00BCF746 movzx edx, byte ptr [edx+eax] ; |
.text:00BCF74A movzx ecx, bl ; |
.text:00BCF74D add edx, ecx ; t=(S[i]+S[j]) % 256
.text:00BCF74F mov ecx, [ebp+s_box_var_4] ; | (set ecx=plaintext)
.text:00BCF752 and edx, 0FFh ; |
.text:00BCF758 movzx ecx, byte ptr [edx+ecx] ; k = S[t]
.text:00BCF75C mov edx, [ebp+plaintext_arg_4]
.text:00BCF75F xor cl, [edx+esi-1] ; perform encryption. cl - plaintext
.text:00BCF763 dec [ebp+loop_counter_arg_0]
.text:00BCF766 mov edx, [ebp+s_box_var_4]
.text:00BCF769 mov [esi-1], cl ; save ciphertext in esi-i (esi has already been inc'd)
.text:00BCF76C jnz short loc_BCF725 ; while(true)
.text:00BCF76C ; i=i+1 % 256
.text:00BCF76E mov esi, [ebp+esi_temp_storage_var_8] ; restore ESI
.text:00BCF771 pop ebx ; restore ebx
.text:00BCF772
.text:00BCF772 loc_BCF772: ; CODE XREF: run_rc4_sub_BCF700+1Cj
.text:00BCF772 mov [esi+4], edi ; clean up stack for return
.text:00BCF775 pop edi
.text:00BCF776 mov [esi], eax
.text:00BCF778 pop esi
.text:00BCF779 mov esp, ebp
.text:00BCF77B pop ebp
.text:00BCF77C retn 0Ch
.text:00BCF77C run_rc4_sub_BCF700 endp
I'd really like to try to reverse the protocol - I've never done protocol reversing, and it seems like an interesting challenge... however, without unencrypted traffic, I'm afraid I'm dead in the water.