From a51a99543f299c724bb425d6bc956ff64197ec5c Mon Sep 17 00:00:00 2001
From: lightbulblighter <59720715+lightbulblighter@users.noreply.github.com>
Date: Sun, 5 Jun 2022 01:21:16 -0700
Subject: [PATCH 1/2] add openssl verification (broken for now)
---
 PolygonClientUtilities/Config.h | 4 +-
 PolygonClientUtilities/Crypt.cpp | 53 ++++++++++++++++++++++++++++
 PolygonClientUtilities/Crypt.h | 2 ++
 PolygonClientUtilities/StandardOut.h | 1 -
 PolygonClientUtilities/Util.cpp | 21 ++++++-----
 PolygonClientUtilities/Util.h | 2 +-
 6 files changed, 70 insertions(+), 13 deletions(-)
diff --git a/PolygonClientUtilities/Config.h b/PolygonClientUtilities/Config.h
index c1a0616..c7408e8 100644
--- a/PolygonClientUtilities/Config.h
+++ b/PolygonClientUtilities/Config.h
@@ -25,14 +25,14 @@
 #define ADDRESS_DATAMODEL__GETJOBID 0x005CACC0
 #define ADDRESS_STANDARDOUT__PRINT 0x0059F340
 // #define ADDRESS_NETWORK__RAKNETADDRESSTOSTRING 0x004FC1A0
-#define ADDRESS_HTTP__TRUSTCHECK 0x005A2680
 #define ADDRESS_CRYPT__VERIFYSIGNATUREBASE64 0x0079ECF0
 #define ADDRESS_SERVERREPLICATOR__SENDTOP 0x00506910
 #define ADDRESS_SERVERREPLICATOR__PROCESSPACKET 0x00507420
 #define ADDRESS_SERVERREPLICATOR__PROCESSTICKET 0x0
 #define ADDRESS_DATAMODEL__CREATEDATAMODEL 0x005DC150
 #define ADDRESS_GAME__CONSTRUCT 0x0047DBF0
-#define ADDRESS_HTTP__HTTPGETPOSTWININET 0x006A9210
+#define ADDRESS_HTTP__HTTPGETPOSTWININET 0x006A9210
+#define ADDRESS_HTTP__TRUSTCHECK 0x005A2680
 // MFC specific definitions
 #define CLASSLOCATION_CROBLOXAPP 0x00BFF898
diff --git a/PolygonClientUtilities/Crypt.cpp b/PolygonClientUtilities/Crypt.cpp
index 250f08b..21c9903 100644
--- a/PolygonClientUtilities/Crypt.cpp
+++ b/PolygonClientUtilities/Crypt.cpp
@@ -36,5 +36,58 @@ void __fastcall Crypt__verifySignatureBase64_hook(HCRYPTPROV* _this, void*, int
 signatureBase64 = std::string(reinterpret_cast(v21), a14);
 // Verify the signature
+ try
+ {
+ // Read public key
+ EVP_PKEY* key = NULL;
+ BIO* bio = BIO_new_mem_buf((void*)Util::publicKey.c_str(), Util::publicKey.length());
+ if (bio == NULL)
+ {
+ throw std::runtime_error("");
+ }
+
+ key = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+
+ // Create context
+ EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new(key, NULL);
+
+ if (!ctx)
+ {
+ throw std::runtime_error("");
+ }
+
+ if (EVP_PKEY_verify_init(ctx) <= 0)
+ {
+ throw std::runtime_error("");
+ }
+
+ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
+ {
+ throw std::runtime_error("");
+ }
+
+ if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0)
+ {
+ throw std::runtime_error("");
+ }
+
+ // Verify signature against the message
+ unsigned char* signature = Util::base64Decode(signatureBase64);
+ unsigned char* data = new unsigned char[message.length()];
+
+ std::copy(message.begin(), message.end(), data);
+
+ int result = EVP_PKEY_verify(ctx, signature, strlen((char*)signature), data, strlen((char*)data));
+
+ if (result != 1)
+ {
+ // throw std::runtime_error("");
+ }
+ }
+ catch (...)
+ {
+ throw std::runtime_error("");
+ }
 }
\ No newline at end of file
diff --git a/PolygonClientUtilities/Crypt.h b/PolygonClientUtilities/Crypt.h
index 28ea772..2f00a83 100644
--- a/PolygonClientUtilities/Crypt.h
+++ b/PolygonClientUtilities/Crypt.h
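Review bot: Both length arguments to `EVP_PKEY_verify` are wrong: `strlen((char*)signature)` stops at the first zero byte of a binary signature or reads past the buffer, and `strlen((char*)data)` reads past `data`, which is allocated with `message.length()` bytes and never NUL-terminated (the follow-up patch in this series swaps the first for `sizeof(signature)`, which is the size of the pointer, so neither version can verify correctly). Keep base64Decode's original `std::vector` return and pass the real sizes, roughly `auto signature = Util::base64Decode(signatureBase64);` and `int result = EVP_PKEY_verify(ctx, signature.data(), signature.size(), reinterpret_cast<const unsigned char*>(message.data()), message.length());`, which also removes the `data` copy. A NULL from `PEM_read_bio_PUBKEY` is only caught indirectly through `EVP_PKEY_CTX_new`; check it explicitly, and give the empty `std::runtime_error("")` messages a reason (`ERR_reason_error_string(ERR_get_error())` is available) so a failed verification can be diagnosed. The SHA-1 / `RSA_PKCS1_PADDING` selection is presumably dictated by the signature format of the verifier being hooked and deserves a one-line comment saying so; the hook's body begins before this hunk.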
@@ -2,7 +2,9 @@
 #include "Classes.h"
 #include
+#include
 #include
+#include
 typedef void(__thiscall* Crypt__verifySignatureBase64_t)(HCRYPTPROV* _this, int a2, BYTE* pbData, int a4, int a5, int a6, DWORD dwDataLen, int a8, int a9, int a10, int a11, int a12, int a13, int a14, int a15);
 void __fastcall Crypt__verifySignatureBase64_hook(HCRYPTPROV* _this, void*, int a2, BYTE* pbData, int a4, int a5, int a6, DWORD dwDataLen, int a8, int a9, int a10, int a11, int a12, int a13, int a14, int a15);
diff --git a/PolygonClientUtilities/StandardOut.h b/PolygonClientUtilities/StandardOut.h
index 25dd601..afdbd79 100644
--- a/PolygonClientUtilities/StandardOut.h
+++ b/PolygonClientUtilities/StandardOut.h
@@ -1,7 +1,6 @@
 #pragma once
 #include "Classes.h"
-#include
 void InitializeOutput();
diff --git a/PolygonClientUtilities/Util.cpp b/PolygonClientUtilities/Util.cpp
index c14d527..f676f9d 100644
--- a/PolygonClientUtilities/Util.cpp
+++ b/PolygonClientUtilities/Util.cpp
@@ -2,13 +2,13 @@
 #include "Util.h"
 #include
-const std::string Util::publicKey =
- "-----BEGIN RSA PUBLIC KEY-----"
- "BgIAAACkAABSU0ExAAQAAAEAAQABmKy9m0NxBRoXTuQPZU8BeM"
- "fwBisHcYBy93KSlQB3emeiW/pEMj9YWn2k7JkHiqcjuH+XE5PW"
- "K+q9s8oLQsnXTdTYa2l+1BhypP5jefgq0ZHITTIMBfE7rTI39p"
- "pzs0ayXKINQMIsBzXaJm25v5gP+vlz4cupJPq+jy9De+kcyw=="
- "-----END RSA PUBLIC KEY-----";
+const std::string Util::publicKey =
+ "-----BEGIN PUBLIC KEY-----\n"
+ "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLHOl7Qy+Pvvokqcvhc/n6D5i/\n"
+ "uW0m2jUHLMJADaJcskazc5r2NzKtO/EFDDJNyJHRKvh5Y/6kchjUfmlr2NRN18lC\n"
+ "C8qzveor1pMTl3+4I6eKB5nspH1aWD8yRPpbomd6dwCVknL3coBxBysG8Md4AU9l\n"
+ "D+ROFxoFcUObvayYAQIDAQAB\n"
+ "-----END PUBLIC KEY-----";
 const std::vector Util::allowedHosts
 {
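Review bot: The replaced `Util::publicKey` is the trust anchor for the whole signature check, yet the Util.cpp hunk leaves no record of where the new value comes from or how it relates to the old one; the old base64 looks like a CryptoAPI PUBLICKEYBLOB (the bytes after the header spell the `RSA1` magic) wrapped in PEM-style armor, while the new text is the SubjectPublicKeyInfo form that `PEM_read_bio_PUBKEY` expects. If the new value is the same RSA key re-encoded, say so above the constant, e.g. `// Same RSA public key as the previous CryptoAPI PUBLICKEYBLOB, re-encoded as PEM SubjectPublicKeyInfo for PEM_read_bio_PUBKEY`; if it is a different key, that is a change of trust that needs its own justification in the commit message. Either way, a note on how the encoding was produced lets a later reader re-derive and verify it instead of taking the literal on faith.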
@@ -80,7 +80,7 @@ std::string Util::toLower(std::string s)
 }
 // https://stackoverflow.com/a/44562527
-std::vector Util::base64Decode(const std::string_view data)
+unsigned char* Util::base64Decode(const std::string_view data)
 {
 // table from '+' to 'z'
 const uint8_t lookup[] = {
@@ -118,5 +118,8 @@ std::vector Util::base64Decode(const std::string_view data)
 }
 }
- return out;
+ unsigned char* blob = new unsigned char[out.size()];
+ std::copy(out.begin(), out.end(), blob);
+
+ return blob;
 }
\ No newline at end of file
diff --git a/PolygonClientUtilities/Util.h b/PolygonClientUtilities/Util.h
index 8b3833c..48e5ec8 100644
--- a/PolygonClientUtilities/Util.h
+++ b/PolygonClientUtilities/Util.h
@@ -13,5 +13,5 @@ public:
 static std::map parseArgs(std::string args);
 static bool isASCII(const std::string& s);
 static std::string toLower(std::string s);
- static std::vector base64Decode(const std::string_view data);
+ static unsigned char* base64Decode(const std::string_view data);
 };
\ No newline at end of file
From 67b225414c2ac2b020259b48a1ce17f129226946 Mon Sep 17 00:00:00 2001
From: lightbulblighter <59720715+lightbulblighter@users.noreply.github.com>
Date: Sun, 5 Jun 2022 02:48:43 -0700
Subject: [PATCH 2/2] fix crypt memoryleak
---
 PolygonClientUtilities/Crypt.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/PolygonClientUtilities/Crypt.cpp b/PolygonClientUtilities/Crypt.cpp
index 21c9903..7478bf3 100644
--- a/PolygonClientUtilities/Crypt.cpp
+++ b/PolygonClientUtilities/Crypt.cpp
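Review bot: `base64Decode` now returns a `new[]`-allocated buffer and throws away `out.size()`, so the caller has no way to learn the decoded length (the Crypt.cpp caller resorts to `strlen` on binary data) and is left owning a raw pointer it must remember to `delete[]`; the same applies to the matching declaration change in the Util.h hunk. Keep the `std::vector` return (`return out;`) — a caller that needs a raw pointer can use `.data()`/`.size()` — or, if a raw buffer is genuinely required, return the length through an out-parameter next to it. The `-80,7` hunk's signature change would then be reverted as well; the function body continues between the two hunks.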
@@ -79,11 +79,19 @@ void __fastcall Crypt__verifySignatureBase64_hook(HCRYPTPROV* _this, void*, int
 std::copy(message.begin(), message.end(), data);
- int result = EVP_PKEY_verify(ctx, signature, strlen((char*)signature), data, strlen((char*)data));
+ int result = EVP_PKEY_verify(ctx, signature, sizeof(signature), data, strlen((char*)data));
+ // Dispose objects
+ EVP_PKEY_free(key);
+ EVP_PKEY_CTX_free(ctx);
+
+ delete[] signature;
+ delete[] data;
+
+ // Check
 if (result != 1)
 {
- // throw std::runtime_error("");
+ throw std::runtime_error("");
 }
 }
 catch (...)
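Review bot: The new `EVP_PKEY_free(key)` / `EVP_PKEY_CTX_free(ctx)` calls sit only on the straight-line path, so every `throw` in the `EVP_PKEY_verify_init`, `EVP_PKEY_CTX_set_rsa_padding` and `EVP_PKEY_CTX_set_signature_md` checks above this hunk still leaks `key` and `ctx`, which is less than the patch title ("fix crypt memoryleak") suggests. Holding both in `std::unique_ptr` with the OpenSSL free functions as deleters (needs `<memory>`) releases them on all paths and makes the two explicit free calls in this hunk unnecessary; the changed declarations live above the hunk, in the key/context setup, as sketched below. `delete[] signature` is correct only as long as `Util::base64Decode` keeps returning a `new[]` buffer; if it goes back to returning `std::vector`, drop both the `delete[]` and the copy into `data`.
```cpp
// … unchanged: BIO_new_mem_buf / NULL check …
std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)> key(PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL), &EVP_PKEY_free);
BIO_free(bio);
if (!key)
{
    throw std::runtime_error("");
}

// Create context; released automatically on every exit path, including the throws in the checks below
std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)> ctx(EVP_PKEY_CTX_new(key.get(), NULL), &EVP_PKEY_CTX_free);
// … unchanged: verify_init / padding / md checks, now called on ctx.get() …
// … unchanged: signature / data setup and EVP_PKEY_verify(ctx.get(), …) …
// EVP_PKEY_free / EVP_PKEY_CTX_free no longer needed here
delete[] signature;
delete[] data;
```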