Revert "Rework XOR code to make more sense"

Brent Cook · Brent Cook · commit 16b5f40dae31 · 2016-11-20T19:09:45.000-06:00
This reverts commit 699a8e9.
diff --git a/lib/rex/post/meterpreter/packet.rb b/lib/rex/post/meterpreter/packet.rb
@@ -673,12 +673,11 @@ def initialize(type = nil, method = nil)
   #
   def to_r
     raw = super
-    xor_key = ''
-    xor_key << (rand(254) + 1).chr
-    xor_key << (rand(254) + 1).chr
-    xor_key << (rand(254) + 1).chr
-    xor_key << (rand(254) + 1).chr
-    result = xor_key + xor_bytes(xor_key, raw)
+    xor_key = rand(254) + 1
+    xor_key |= (rand(254) + 1) << 8
+    xor_key |= (rand(254) + 1) << 16
+    xor_key |= (rand(254) + 1) << 24
+    result = [xor_key].pack('N') + xor_bytes(xor_key, raw)
     result
   end
 
@@ -689,7 +688,7 @@ def to_r
   # the TLV values.
   #
   def from_r(bytes)
-    xor_key = bytes[0,4]
+    xor_key = bytes[0,4].unpack('N')[0]
     super(xor_bytes(xor_key, bytes[4, bytes.length]))
   end
 
@@ -698,7 +697,7 @@ def from_r(bytes)
   #
   def xor_bytes(xor_key, bytes)
     result = ''
-    bytes.bytes.zip(xor_key.bytes.cycle).each do |b|
+    bytes.bytes.zip([xor_key].pack('V').bytes.cycle).each do |b|
       result << (b[0].ord ^ b[1].ord).chr
     end
     result
diff --git a/lib/rex/post/meterpreter/packet_parser.rb b/lib/rex/post/meterpreter/packet_parser.rb
@@ -57,7 +57,7 @@ def recv(sock)
       # payload length left to the number of bytes
       # specified in the length
       if (self.hdr_length_left == 0)
-        xor_key = raw[0, 4]
+        xor_key = raw[0, 4].unpack('N')[0]
         length_bytes = packet.xor_bytes(xor_key, raw[4, 4])
         # header size doesn't include the xor key, which is always tacked on the front
         self.payload_length_left = length_bytes.unpack("N")[0] - (HEADER_SIZE - 4)
