If you run a packet sniffer on WPNP (WinMX Peer Network Protocol) packets, it will soon become apparent that these packets are not transmitted in cleartext. For instance, search terms cannot directly be found in the packet stream.

The reason for this is that the packets are encoded using a simple XOR-based algorithm. It cannot really be called encryption, since there is no key except packet length.

The encoding algorithm first XORs the first byte with the last, then XORs each byte with its preceding byte, moving from the second byte to the last one, one byte at a time. This is done five times. The procedure varies slightly the first time, where the first byte is not XORed with the last byte, but rather with the packet length [1].

In C:

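void encode(char * what, unsigned int length) {

        int counter, x;

        /* empty buffer: nothing to do, and what[length-1] would be out of bounds */
        if (length == 0) return;

        for (counter = 4; counter >= 0; counter--) {

                /* first pass mixes in the length, later passes the last byte */
                if (counter != 4) what[0] ^= what[length-1];
                else              what[0] ^= (char)(length);

                /* XOR each byte with its (already encoded) predecessor */
                for (x = 1; x < (int)length; x++) what[x] ^= what[x-1];
        }
}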
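
and (for the sake of completeness):

void decode(char * what, unsigned int length) {

        int counter, x;

        /* empty buffer: nothing to do, and what[length-1] would be out of bounds */
        if (length == 0) return;

        for (counter = 0; counter < 5; counter++) {

                /* undo the chaining, walking from the last byte back to the second */
                for (x = length-1; x > 0; x--) what[x] ^= what[x-1];

                /* the last pass undoes the encoder's first pass, which used the length */
                if (counter != 4) what[0] ^= what[length-1];
                else              what[0] ^= (char)length;
        }
}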
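
Because the only input besides the data is the length, anyone holding a captured buffer can decode it and search the plaintext. The following is an added example, not code from the original page: the helper names `find_bytes` and `wpnp_find_term` and the sample payload `q=song` are constructed for illustration, and the length passed in is assumed to be the one the encoder used.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The page's encode(), restated on unsigned bytes with a zero-length guard. */
void wpnp_encode(unsigned char *p, size_t n) {
    if (n == 0) return;
    for (int round = 4; round >= 0; round--) {
        p[0] ^= (round != 4) ? p[n - 1] : (unsigned char)n;
        for (size_t i = 1; i < n; i++) p[i] ^= p[i - 1];
    }
}

/* The page's decode(): the same steps undone in reverse order. */
void wpnp_decode(unsigned char *p, size_t n) {
    if (n == 0) return;
    for (int round = 0; round < 5; round++) {
        for (size_t i = n - 1; i > 0; i--) p[i] ^= p[i - 1];
        p[0] ^= (round != 4) ? p[n - 1] : (unsigned char)n;
    }
}

/* Offset of term in buf, or -1 if absent. */
long find_bytes(const unsigned char *buf, size_t n, const char *term) {
    size_t t = strlen(term);
    for (size_t i = 0; t > 0 && i + t <= n; i++)
        if (memcmp(buf + i, term, t) == 0) return (long)i;
    return -1;
}

/* Hypothetical helper: decode a copy of a captured payload and search it.
   Returns the offset of term, -1 if absent, -2 if allocation fails. */
long wpnp_find_term(const unsigned char *cap, size_t n, const char *term) {
    if (n == 0) return -1;
    unsigned char *copy = malloc(n);
    if (copy == NULL) return -2;
    memcpy(copy, cap, n);
    wpnp_decode(copy, n);          /* needs no secret, only the length n */
    long off = find_bytes(copy, n, term);
    free(copy);
    return off;
}

int main(void) {
    unsigned char pkt[] = "q=song";          /* constructed sample payload */
    size_t n = sizeof pkt - 1;
    wpnp_encode(pkt, n);                     /* the bytes a sniffer would see */
    printf("raw search: %ld, decoded search: %ld\n",
           find_bytes(pkt, n, "song"), wpnp_find_term(pkt, n, "song"));
    return 0;
}
```

For a one-byte buffer the transform is not reversible, since every pass after the first XORs the byte with itself.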

[1] or packet data length for some WPNP packets. See WPNP: Packet Types for more information about that.
