Help with Proxy RC4 Encryption

[maat7043]

So I have been working on coding my own Proxy in VB.Net because I am sitting at home bored, and I have made quite a bit of progress. I found a good package called WinPcap (Used by Wireshark) that comes with .dll's that are easily utilized.

Full VB.Net Wrapper for the Package is called PcapdotNet

1. I connected to my primary network adapter
2. I setup a Packet listener to capture all of the traffic on Port 2050 on that adapter
3. I setup a temporary dump to write the bytes for each packet to
4. I have them filtered between client and server packets

Now I can see all of the packets being sent to and from realm, but they are total gibberish. wtf do I do now lol? I know I have to Decrypt the packets and filter them to determine which packet is which, but I am a little bit confused by the keys.

I went ahead and wrote an RC4 Function that can handle the conversions back and forth, but I am a little bit confused by the keys in the parameters class.

Looking at the RealmRelay source it looks like there are two seperate keys:

Parameters.Class.asasm

Code:

 trait const QName(PackageNamespace("", "#0"), "RANDOM1") slotid 34 type QName(PackageNamespace("", "#0"), "String") value Utf8("311f80691451c71b09a13a2a6e") end
 trait const QName(PackageNamespace("", "#0"), "RANDOM2") slotid 35 type QName(PackageNamespace("", "#0"), "String") value Utf8("72c5583cafb6818995cbd74b80") end

Or even a third "Public Key" That is massive

Code:

    findproperty        QName(PackageNamespace("", "#0"), "_-1fg")
    pushstring          "-----BEGIN PUBLIC KEY-----\n"
    pushstring          "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCKFctVrhfF3m2Kes0FBL/JFeO"
    add
    pushstring          "cmNg9eJz8k/hQy1kadD+XFUpluRqa//Uxp2s9W2qE0EoUCu59ugcf/p7lGuL99Uo"
    add
    pushstring          "SGmQEynkBvZct+/M40L0E0rZ4BVgzLOJmIbXMp0J4PnPcb6VLZvxazGcmSfjauC7"
    add
    pushstring          "F3yWYqUbZd/HCBtawwIDAQAB\n"
    add
    pushstring          "-----END PUBLIC KEY-----"
    add
    initproperty        QName(PackageNamespace("", "#0"), "_-1fg")

[ossimc82]

"311f80691451c71b09a13a2a6e" is for my client the sendKey (the key that the client uses for encryption) and
"72c5583cafb6818995cbd74b80" is for my client the receiveKey (the key that the client uses for decryption) and the public key is for RSA Encryption (email and password)

[maat7043]

Thanks! I was confused by there being 3 different keys. I forgot to mention in my first post that the package works for C# as well for anyone else interested in a .Net proxy.

/solved