fix walking issue in 781 protocol

2025-12-22 17:17:12 +01:00 · 2019-11-11 19:17:21 +02:00
parent ba1409dbe6
commit 5535e50562
4 changed files with 70 additions and 29 deletions
--- a/src/protocol.cpp
+++ b/src/protocol.cpp
@@ -22,7 +22,6 @@
 #include "protocol.h"
 #include "outputmessage.h"
 #include "rsa.h"
-#include "xtea.h"

 extern RSA g_RSA;

@@ -62,27 +61,73 @@ OutputMessage_ptr Protocol::getOutputBuffer(int32_t size)

 void Protocol::XTEA_encrypt(OutputMessage& msg) const
 {
+	const uint32_t delta = 0x61C88647;
+
 	// The message must be a multiple of 8
-	size_t paddingBytes = msg.getLength() % 8u;
+	size_t paddingBytes = msg.getLength() % 8;
 	if (paddingBytes != 0) {
 		msg.addPaddingBytes(8 - paddingBytes);
 	}

 	uint8_t* buffer = msg.getOutputBuffer();
-	xtea::encrypt(buffer, msg.getLength(), key);
+	const size_t messageLength = msg.getLength();
+	size_t readPos = 0;
+	const uint32_t k[] = { key[0], key[1], key[2], key[3] };
+	while (readPos < messageLength) {
+		uint32_t v0;
+		memcpy(&v0, buffer + readPos, 4);
+		uint32_t v1;
+		memcpy(&v1, buffer + readPos + 4, 4);
+
+		uint32_t sum = 0;
+
+		for (int32_t i = 32; --i >= 0;) {
+			v0 += ((v1 << 4 ^ v1 >> 5) + v1) ^ (sum + k[sum & 3]);
+			sum -= delta;
+			v1 += ((v0 << 4 ^ v0 >> 5) + v0) ^ (sum + k[(sum >> 11) & 3]);
+		}
+
+		memcpy(buffer + readPos, &v0, 4);
+		readPos += 4;
+		memcpy(buffer + readPos, &v1, 4);
+		readPos += 4;
+	}
 }

 bool Protocol::XTEA_decrypt(NetworkMessage& msg) const
 {
-	if (((msg.getLength() - 6) & 7) != 0) {
+	if (((msg.getLength() - 2) & 7) != 0) {
 		return false;
 	}

-	uint8_t* buffer = msg.getBuffer() + msg.getBufferPosition();
-	xtea::decrypt(buffer, msg.getLength() - 6, key);
+	const uint32_t delta = 0x61C88647;

-	uint16_t innerLength = msg.get<uint16_t>();
-	if (innerLength + 8 > msg.getLength()) {
+	uint8_t* buffer = msg.getBuffer() + msg.getBufferPosition();
+	const size_t messageLength = (msg.getLength() - 2);
+	size_t readPos = 0;
+	const uint32_t k[] = { key[0], key[1], key[2], key[3] };
+	while (readPos < messageLength) {
+		uint32_t v0;
+		memcpy(&v0, buffer + readPos, 4);
+		uint32_t v1;
+		memcpy(&v1, buffer + readPos + 4, 4);
+
+		uint32_t sum = 0xC6EF3720;
+
+		for (int32_t i = 32; --i >= 0;) {
+			v1 -= ((v0 << 4 ^ v0 >> 5) + v0) ^ (sum + k[(sum >> 11) & 3]);
+			sum += delta;
+			v0 -= ((v1 << 4 ^ v1 >> 5) + v1) ^ (sum + k[sum & 3]);
+		}
+
+		memcpy(buffer + readPos, &v0, 4);
+		readPos += 4;
+		memcpy(buffer + readPos, &v1, 4);
+		readPos += 4;
+	}
+
+	int innerLength = msg.get<uint16_t>();
+	if (innerLength > msg.getLength() - 4) {
 		return false;
 	}

@@ -92,7 +137,7 @@ bool Protocol::XTEA_decrypt(NetworkMessage& msg) const

 bool Protocol::RSA_decrypt(NetworkMessage& msg)
 {
-	if ((msg.getLength() - msg.getBufferPosition()) < 128) {
+	if ((msg.getLength() - msg.getBufferPosition()) != 128) {
 		return false;
 	}

@@ -107,4 +152,4 @@ uint32_t Protocol::getIP() const
 	}

 	return 0;
-}
+}