My try to clone/patch Rockey4nd

by mardasmr Thu Feb 23, 2017 5:37 pm

Hi all,

I am trying to crack a victim which is protected by rockey4nd. Let me summarize what i did till now.
I dissassemblied and debugged the victim and ry.dll.
I found most of important points.
But I have only usbtrace log, no rockey4nd at hand. Thanks to a member of this site since he provided me full log instead of asking money for emulator.

But I noticed that without rockey4nd at hand it will be very hard to continue. So I decided to make a hardware replica of the dongle with atmel microcontroller based circuit which will provide usb interface.
It is a small circuit and very cheap Very Happy

(www113.zippyshare.com/v/JQ9LfzU6/file.html)

I did not have any idea about usb protocol, so I had to dig into it. And also it was my first time to use atmel microcontroller.
Using v-usb usb library, I started to determine usb descriptors and copied into microcontroller

Anyway, after about one week struggle I could heard of ding dong sound of the HID Dongle finally:)

Yes, victim is passing ry_find, ry_find_next and ry_open functions now.

I decided to work on an sample from rockey4nd sdk to understand the inner working of th ry.dll.

But there is a problem, usb communication between ry.dll and the dongle is encrypted while transmitting reports. I found two subroutines in the ry.dll

I will work on that of course, but you can say I am kinda newbie. Any help is greatly appreciated.

Is there anyone having any information on decrypting that communication? Any help or idea about how to continue?

No no, I have no money for dongle emulator, it is very fun for me Smile

(sorry for my terrible english)

by Key Dump Thu Feb 23, 2017 7:01 pm

Post log by usbtrace..
I can help for free..

by ovis25 Fri Feb 24, 2017 3:12 am

"I did not have any idea about usb protocol, so I had to dig into it. And also it was my first time to use atmel micro-controller.
Using v-usb usb library, I started to determine usb descriptors and copied into micro-controller"

You need reverse functions used in dongle.

by mardasmr Fri Feb 24, 2017 3:16 am

mistyping

by mardasmr Fri Feb 24, 2017 3:20 am

Key Dump wrote:Post log by usbtrace..
I can help for free..

I already got hid, p1 and p2 by debugging the victim.
What else could you tell me from full log?
Encryption procedure and how to reverse? That is what I need at this step.

I see that the victim forms URB buffer before send the dongle by calling rand and srand functions. So it sends different USB data for the same input data. How to reverse?

A sample request and response pair:

155	OUT	SET_REPORT	Report Type: Feature	Data	01 C2 C2 C2 C2 89 FB B6 76 C2 C2 C2 C2 C2 61 6D 8F 8A E9 8C 4F 30 81 E3
159	OUT	GET_REPORT	Report Type: Feature	Data	5A 00 00 00 00 8D DA A8 EE C2 C2 C2 C2 C2 61 6D 8F 8A E9 8C 4F 30 81 1B

by BfoX Fri Feb 24, 2017 3:30 am

P1 0x4B39
P2 0x74B4
P3 0x0000
P4 0x0000

HID 0x4F186A2C

in your case emulating the ry.dll is done

by mardasmr Fri Feb 24, 2017 3:54 am

BfoX wrote:P1 0x4B39
P2 0x74B4
P3 0x0000
P4 0x0000

HID 0x4F186A2C

in your case emulating the ry.dll is done

I already know you are the master BfoX, You extract the info from the log, I could only extract from the debug for the moment Sad

as can be seen in the screenshot. www7.zippyshare.com/v/ZidIWBp6/file.html

So encryption of the communication protocol is decryptable and you know the way.
And you don't share your knowledge for free, am I not rigth?

by ovis25 Fri Feb 24, 2017 6:41 am

inside information and algo few have and fewer or none will share.

But I see you understand RE so you can learn, just ask correct questions to guru's around here and maybe they will help you.

Check posts in forum and see what users came with solution and + good answers that's people you need ask!

by BfoX Fri Feb 24, 2017 6:51 am

> And you don't share your knowledge for free, am I not rigth?

you can't see knownledge inside your debugger? all packet is ciphered before send to dongle and deciphere after get it back.

just open your eye =)

or you want source code?

by turkuaz Fri Feb 24, 2017 9:55 am

by mardasmr Fri Feb 24, 2017 10:48 am

No thanks,
I have already found the encryption routine by debugging ry.dll and inspecting USB traces alive. And first byte of returning data must be equal 0x54.

I hope I am on the correct track.

Code:: Encrypt ; =============== S U B R O U T I N E ======================================= Encrypt Encrypt Encrypt ; HRESULT __stdcall Encrypt(PINFORMATIONCARD_CRYPTO_HANDLE hCrypto, BOOL fOAEP, DWORD cbInData, PBYTE pInData, DWORD *pcbOutData, PBYTE *ppOutData) Encrypt Encrypt proc near ; CODE XREF: featureGETandSET+51p Encrypt ; featureGETandSET+5Bp Encrypt ; featureGETandSET+117p Encrypt ; featureGETandSET+121p Encrypt Encrypt hCrypto = dword ptr 4 Encrypt fOAEP = dword ptr 8 Encrypt cbInData = dword ptr 0Ch Encrypt pInData = dword ptr 10h Encrypt pcbOutData = dword ptr 14h Encrypt ppOutData = dword ptr 18h Encrypt Encrypt mov edx, [esp+fOAEP] Encrypt+4 push ebx Encrypt+5 push ebp Encrypt+6 push esi Encrypt+7 push edi Encrypt+8 mov edi, [esp+10h+hCrypto] Encrypt+C mov ebp, edi Encrypt+E xor ecx, ecx Encrypt+10 sub ebp, edx Encrypt+12 Encrypt+12 loc_100083A2: ; CODE XREF: Encrypt+41j Encrypt+12 xor eax, eax Encrypt+14 Encrypt+14 loc_100083A4: ; CODE XREF: Encrypt+21j Encrypt+14 mov bl, cl Encrypt+16 or bl, al Encrypt+18 add bl, [eax+edi] Encrypt+1B inc eax Encrypt+1C add [edx], bl Encrypt+1E cmp eax, 8 Encrypt+21 jl short loc_100083A4 Encrypt+23 xor esi, esi Encrypt+25 Encrypt+25 loc_100083B5: ; CODE XREF: Encrypt+32j Encrypt+25 mov al, [esi+edi] Encrypt+28 dec al Encrypt+2A imul cl Encrypt+2C xor [edx], al Encrypt+2E inc esi Encrypt+2F cmp esi, 8 Encrypt+32 jl short loc_100083B5 Encrypt+34 mov al, [edx+ebp] Encrypt+37 shl al, cl Encrypt+39 inc ecx Encrypt+3A inc edx Encrypt+3B xor [edx-1], al Encrypt+3E cmp ecx, 8 Encrypt+41 jl short loc_100083A2 Encrypt+43 pop edi Encrypt+44 pop esi Encrypt+45 pop ebp Encrypt+46 pop ebx Encrypt+47 retn Encrypt+47 Encrypt endp

Code:: Encrypt_0 Encrypt_0 ; =============== S U B R O U T I N E ======================================= Encrypt_0 Encrypt_0 Encrypt_0 ; HRESULT __stdcall Encrypt_0(PINFORMATIONCARD_CRYPTO_HANDLE hCrypto, BOOL fOAEP, DWORD cbInData, PBYTE pInData, DWORD *pcbOutData, PBYTE *ppOutData) Encrypt_0 Encrypt_0 proc near ; CODE XREF: SubA+7Cp Encrypt_0 ; SubC+98p SubE+79p Encrypt_0 ; SubB+8Bp SubG+E0p Encrypt_0 ; SubD+9Cp SubL+10Ap Encrypt_0 ; sub_10001EF0+10Bp Encrypt_0 ; sub_10002030+FCp Encrypt_0 ; sub_10002180+FEp Encrypt_0 ; sub_100022D0+92p Encrypt_0 ; sub_10002390+98p Encrypt_0 ; sub_10002450+7Fp Encrypt_0 ; sub_10002500+98p Encrypt_0 ; sub_100025C0+AAp Encrypt_0 ; sub_10002690+72p Encrypt_0 ; sub_10002760+72p Encrypt_0 ; sub_10002810+72p Encrypt_0 ; sub_100028B0+72p Encrypt_0 ; sub_10002950+68p Encrypt_0 ; sub_100029F0+98p Encrypt_0 ; sub_10002AB0+AAp Encrypt_0 ; sub_10002B80+72p Encrypt_0 ; sub_10002C40+72p Encrypt_0 ; sub_10002D10+72p Encrypt_0 ; sub_10002DB0+CEp Encrypt_0 ; sub_10002EE0+C6p Encrypt_0 ; sub_10003000+79p Encrypt_0 ; sub_100030C0+EDp Encrypt_0 ; sub_10003270+DFp Encrypt_0 ; Sub_1+7Cp Encrypt_0 ; sub_10003460+B2p Encrypt_0 ; sub_10003570+B5p Encrypt_0 ; sub_10003680+B5p Encrypt_0 ; sub_10003790+B2p Encrypt_0 ; sub_100038A0+197p Encrypt_0 ; sub_100038A0+201p Encrypt_0 ; sub_100038A0+25Fp Encrypt_0 ; sub_10003B90+A3p Encrypt_0 ; sub_10003B90+FDp Encrypt_0 ; sub_10003CC0+ECp Encrypt_0 ; sub_10003CC0+156p Encrypt_0 ; sub_10003CC0+1BCp Encrypt_0 ; sub_10003F70+B2p Encrypt_0 ; sub_10003F70+10Cp Encrypt_0 ; checkValidDongle_A+74p Encrypt_0 ; sub_100041F0+9Dp Encrypt_0 ; sub_100042C0+B4p Encrypt_0 ; sub_100043B0+113p Encrypt_0 ; SubK+113p SubJ+137p Encrypt_0 ; SubJ+1A9p SubJ+209p Encrypt_0 ; SubI+B2p SubI+10Cp Encrypt_0 ; SubH+A3p SubH+FDp Encrypt_0 ; Dongle1+C3p Encrypt_0 ; Dongle2+79p Encrypt_0 Encrypt_0 hCrypto = dword ptr 4 Encrypt_0 fOAEP = dword ptr 8 Encrypt_0 cbInData = dword ptr 0Ch Encrypt_0 pInData = dword ptr 10h Encrypt_0 pcbOutData = dword ptr 14h Encrypt_0 ppOutData = dword ptr 18h Encrypt_0 Encrypt_0 xor al, al Encrypt_0+2 xor ecx, ecx Encrypt_0+4 Encrypt_0+4 loc_10001824: ; CODE XREF: Encrypt_0+Ej Encrypt_0+4 mov dl, byte ptr [esp+ecx+hCrypto+1] Encrypt_0+8 xor al, dl Encrypt_0+A inc ecx Encrypt_0+B cmp ecx, 5 Encrypt_0+E jl short loc_10001824 Encrypt_0+10 xor ecx, ecx Encrypt_0+12 Encrypt_0+12 loc_10001832: ; CODE XREF: Encrypt_0+1Cj Encrypt_0+12 mov dl, byte ptr [esp+ecx+fOAEP+2] Encrypt_0+16 xor al, dl Encrypt_0+18 inc ecx Encrypt_0+19 cmp ecx, 12h Encrypt_0+1C jl short loc_10001832 Encrypt_0+1E retn Encrypt_0+1E Encrypt_0 endp ; sp-analysis failed Encrypt_0+1E Encrypt_0+1E ; ---------------------------------------------------------------------------

Code:: featureGETandSET featureGETandSET ; =============== S U B R O U T I N E ======================================= featureGETandSET featureGETandSET featureGETandSET featureGETandSET proc near ; CODE XREF: SubA+90p featureGETandSET ; SubC+ACp featureGETandSET ; SubE+8Dp featureGETandSET ; SubB+9Fp featureGETandSET ; SubG+F4p featureGETandSET ; SubD+B0p featureGETandSET ; SubL+11Ep featureGETandSET ; sub_10001EF0+11Fp featureGETandSET ; sub_10002030+110p featureGETandSET ; sub_10002180+112p featureGETandSET ; sub_100022D0+A6p featureGETandSET ; sub_10002390+ACp featureGETandSET ; sub_10002450+93p featureGETandSET ; sub_10002500+ACp featureGETandSET ; sub_100025C0+BEp featureGETandSET ; sub_10002690+86p featureGETandSET ; sub_10002760+86p featureGETandSET ; sub_10002810+86p featureGETandSET ; sub_100028B0+86p featureGETandSET ; sub_10002950+7Cp featureGETandSET ; sub_100029F0+ACp featureGETandSET ; sub_10002AB0+BEp featureGETandSET ; sub_10002B80+86p featureGETandSET ; sub_10002C40+86p featureGETandSET ; sub_10002D10+86p featureGETandSET ; sub_10002DB0+E2p featureGETandSET ; sub_10002EE0+DAp featureGETandSET ; sub_10003000+8Dp featureGETandSET ; sub_100030C0+105p featureGETandSET ; sub_10003270+10Bp featureGETandSET ; Sub_1+90p featureGETandSET ; sub_10003460+CAp featureGETandSET ; sub_10003570+CDp featureGETandSET ; sub_10003680+CDp featureGETandSET ; sub_10003790+CAp featureGETandSET ; sub_100038A0+1B2p featureGETandSET ; sub_100038A0+21Cp featureGETandSET ; sub_100038A0+27Ap featureGETandSET ; sub_10003B90+BBp featureGETandSET ; sub_10003B90+115p featureGETandSET ; sub_10003CC0+107p featureGETandSET ; sub_10003CC0+171p featureGETandSET ; sub_10003CC0+1D0p featureGETandSET ; sub_10003F70+CAp featureGETandSET ; sub_10003F70+124p featureGETandSET ; checkValidDongle_A+88p featureGETandSET ; sub_100041F0+B1p featureGETandSET ; sub_100042C0+CCp featureGETandSET ; sub_100043B0+12Ep featureGETandSET ; SubK+12Ep featureGETandSET ; SubJ+152p featureGETandSET ; SubJ+1C4p featureGETandSET ; SubJ+224p featureGETandSET ; SubI+CAp featureGETandSET ; SubI+124p featureGETandSET ; SubH+BBp featureGETandSET ; SubH+115p featureGETandSET ; Dongle1+DBp featureGETandSET ; Dongle2+8Dp featureGETandSET featureGETandSET buffer = byte ptr -80h featureGETandSET arg_0 = dword ptr 4 featureGETandSET arg_4 = dword ptr 8 featureGETandSET arg_8 = dword ptr 0Ch featureGETandSET featureGETandSET sub esp, 80h featureGETandSET+6 push ebx ; ppOutData featureGETandSET+7 mov ebx, [esp+84h+arg_4] featureGETandSET+E push ebp ; pcbOutData featureGETandSET+F push esi ; pInData featureGETandSET+10 mov al, [ebx+1] featureGETandSET+13 mov esi, [esp+8Ch+arg_0] featureGETandSET+1A cmp al, 81h featureGETandSET+1C push edi ; cbInData featureGETandSET+1D jnz short loc_10001222 featureGETandSET+1F push esi featureGETandSET+20 lea eax, [esp+94h+buffer] featureGETandSET+24 push offset aSetpassword2Ha ; "SETPASSWORD 2,handle %4x" featureGETandSET+29 push eax ; char * featureGETandSET+2A call _sprintf featureGETandSET+2F add esp, 0Ch featureGETandSET+32 featureGETandSET+32 loc_10001222: ; CODE XREF: featureGETandSET+1Dj featureGETandSET+32 lea eax, [esi+esi*2] featureGETandSET+35 shl eax, 4 featureGETandSET+38 add eax, esi featureGETandSET+3A lea esi, [eax+eax*2] featureGETandSET+3D shl esi, 1 featureGETandSET+3F mov eax, dword_1001529E[esi] featureGETandSET+45 test eax, eax featureGETandSET+47 jz short hid_setfeature featureGETandSET+49 lea ecx, [ebx+2] featureGETandSET+4C lea edi, [ebx+11h] featureGETandSET+4F push ecx ; fOAEP featureGETandSET+50 push edi ; hCrypto featureGETandSET+51 call Encrypt featureGETandSET+56 lea edx, [ebx+9] featureGETandSET+59 push edx ; fOAEP featureGETandSET+5A push edi ; hCrypto featureGETandSET+5B call Encrypt featureGETandSET+60 add esp, 10h featureGETandSET+63 featureGETandSET+63 hid_setfeature: ; CODE XREF: featureGETandSET+47j featureGETandSET+63 mov eax, table[esi] featureGETandSET+69 push ebx featureGETandSET+6A push eax featureGETandSET+6B mov edi, 1 featureGETandSET+70 call HidD_SetFeature_0 featureGETandSET+75 mov ebp, ds:Sleep featureGETandSET+7B add esp, 8 featureGETandSET+7E test eax, eax featureGETandSET+80 jz short loc_100012A4 featureGETandSET+82 featureGETandSET+82 loc_10001272: ; CODE XREF: featureGETandSET+B2j featureGETandSET+82 cmp edi, 4 featureGETandSET+85 jge loc_10001325 featureGETandSET+8B push 64h ; dwMilliseconds featureGETandSET+8D call ebp ; Sleep featureGETandSET+8F push edi featureGETandSET+90 lea ecx, [esp+14h] featureGETandSET+94 push offset aWritereportD ; "WriteReport %d" featureGETandSET+99 push ecx ; char * featureGETandSET+9A call _sprintf featureGETandSET+9F mov edx, table[esi] featureGETandSET+A5 push ebx featureGETandSET+A6 push edx featureGETandSET+A7 inc edi featureGETandSET+A8 call HidD_SetFeature_0 featureGETandSET+AD add esp, 14h featureGETandSET+B0 test eax, eax featureGETandSET+B2 jnz short loc_10001272 featureGETandSET+B4 featureGETandSET+B4 loc_100012A4: ; CODE XREF: featureGETandSET+80j featureGETandSET+B4 mov ebx, [esp+9Ch] featureGETandSET+BB mov eax, table[esi] featureGETandSET+C1 push ebx featureGETandSET+C2 push eax featureGETandSET+C3 mov edi, 1 featureGETandSET+C8 call HidD_GetFeature_0 featureGETandSET+CD add esp, 8 featureGETandSET+D0 test eax, eax featureGETandSET+D2 jz short loc_100012F5 featureGETandSET+D4 featureGETandSET+D4 loc_100012C4: ; CODE XREF: featureGETandSET+103j featureGETandSET+D4 cmp edi, 4 featureGETandSET+D7 jge short loc_10001325 featureGETandSET+D9 push 0C8h ; dwMilliseconds featureGETandSET+DE call ebp ; Sleep featureGETandSET+E0 push edi featureGETandSET+E1 lea ecx, [esp+14h] featureGETandSET+E5 push offset aReadreportD ; "ReadReport %d" featureGETandSET+EA push ecx ; char * featureGETandSET+EB call _sprintf featureGETandSET+F0 mov edx, table[esi] featureGETandSET+F6 push ebx featureGETandSET+F7 push edx featureGETandSET+F8 inc edi featureGETandSET+F9 call HidD_GetFeature_0 featureGETandSET+FE add esp, 14h featureGETandSET+101 test eax, eax featureGETandSET+103 jnz short loc_100012C4 featureGETandSET+105 featureGETandSET+105 loc_100012F5: ; CODE XREF: featureGETandSET+D2j featureGETandSET+105 mov eax, dword_1001529E[esi] featureGETandSET+10B test eax, eax featureGETandSET+10D jz short loc_10001319 featureGETandSET+10F lea eax, [ebx+9] featureGETandSET+112 lea esi, [ebx+11h] featureGETandSET+115 push eax ; fOAEP featureGETandSET+116 push esi ; hCrypto featureGETandSET+117 call Encrypt featureGETandSET+11C lea ecx, [ebx+2] featureGETandSET+11F push ecx ; fOAEP featureGETandSET+120 push esi ; hCrypto featureGETandSET+121 call Encrypt featureGETandSET+126 add esp, 10h featureGETandSET+129 featureGETandSET+129 loc_10001319: ; CODE XREF: featureGETandSET+10Dj featureGETandSET+129 mov dl, [ebx+1] featureGETandSET+12C push edx featureGETandSET+12D call isEqu5Ah featureGETandSET+132 add esp, 4 featureGETandSET+135 featureGETandSET+135 loc_10001325: ; CODE XREF: featureGETandSET+85j featureGETandSET+135 ; featureGETandSET+D7j featureGETandSET+135 pop edi featureGETandSET+136 pop esi featureGETandSET+137 pop ebp featureGETandSET+138 pop ebx featureGETandSET+139 add esp, 80h featureGETandSET+13F retn featureGETandSET+13F featureGETandSET endp ; sp-analysis failed

by BfoX Fri Feb 24, 2017 10:51 am

by mardasmr Fri Feb 24, 2017 11:02 am

Am i on the correct path BfoX?

by sverox Fri Feb 24, 2017 11:48 am

You on correct way. I like your project.
What model board you use?

by mardasmr Fri Feb 24, 2017 12:03 pm

Ardunio mini. But without bootloader. You can built with discrete elements too.
V–usb is very good library

by califor Fri Feb 24, 2017 11:37 pm

Imho, Rockey4ND used XOR encrypt to comunicate dongle to dll

califor.

by mardasmr Sun Feb 26, 2017 9:02 am

I am still debugging/disassembling ry.dll in order to solve communication protocol.

Setting and getting reports are done in the following subroutine at 0x100011f0

Code:: featureGETandSET var_80 = byte ptr -80h featureGETandSET command = dword ptr 4 featureGETandSET databuffer = dword ptr 8 featureGETandSET randomkey = dword ptr 0Ch featureGETandSET featureGETandSET sub esp, 80h featureGETandSET+6 push ebx featureGETandSET+7 mov ebx, [esp+84h+databuffer] featureGETandSET+E push ebp featureGETandSET+F push esi featureGETandSET+10 mov al, [ebx+1] featureGETandSET+13 mov esi, [esp+8Ch+command] featureGETandSET+1A cmp al, 81h featureGETandSET+1C push edi featureGETandSET+1D jnz short loc_10001222 featureGETandSET+1F push esi featureGETandSET+20 lea eax, [esp+94h+var_80] featureGETandSET+24 push offset aSetpassword2Ha ; "SETPASSWORD 2,handle %4x" featureGETandSET+29 push eax ; char * featureGETandSET+2A call _sprintf featureGETandSET+2F add esp, 0Ch featureGETandSET+32 featureGETandSET+32 loc_10001222: ; CODE XREF: featureGETandSET+1Dj featureGETandSET+32 lea eax, [esi+esi*2] featureGETandSET+35 shl eax, 4 featureGETandSET+38 add eax, esi featureGETandSET+3A lea esi, [eax+eax*2] featureGETandSET+3D shl esi, 1 featureGETandSET+3F mov eax, dword_1001529E[esi] featureGETandSET+45 test eax, eax featureGETandSET+47 jz short loc_10001253 featureGETandSET+49 lea ecx, [ebx+2] featureGETandSET+4C lea edi, [ebx+11h] featureGETandSET+4F push ecx ; buffer ın 2. byteı featureGETandSET+50 push edi ; bufferın s0n 8. byteı featureGETandSET+51 call XoR featureGETandSET+56 lea edx, [ebx+9] featureGETandSET+59 push edx featureGETandSET+5A push edi featureGETandSET+5B call XoR featureGETandSET+60 add esp, 10h featureGETandSET+63 featureGETandSET+63 loc_10001253: ; CODE XREF: featureGETandSET+47j featureGETandSET+63 mov eax, table[esi] featureGETandSET+69 push ebx featureGETandSET+6A push eax featureGETandSET+6B mov edi, 1 featureGETandSET+70 call HidD_SetFeature_0 featureGETandSET+75 mov ebp, ds:Sleep featureGETandSET+7B add esp, 8 featureGETandSET+7E test eax, eax featureGETandSET+80 jz short loc_100012A4 featureGETandSET+82 featureGETandSET+82 loc_10001272: ; CODE XREF: featureGETandSET+B2j featureGETandSET+82 cmp edi, 4 featureGETandSET+85 jge loc_10001325 featureGETandSET+8B push 64h ; dwMilliseconds featureGETandSET+8D call ebp ; Sleep featureGETandSET+8F push edi featureGETandSET+90 lea ecx, [esp+94h+var_80] featureGETandSET+94 push offset aWritereportD ; "WriteReport %d" featureGETandSET+99 push ecx ; char * featureGETandSET+9A call _sprintf featureGETandSET+9F mov edx, table[esi] featureGETandSET+A5 push ebx featureGETandSET+A6 push edx featureGETandSET+A7 inc edi featureGETandSET+A8 call HidD_SetFeature_0 featureGETandSET+AD add esp, 14h featureGETandSET+B0 test eax, eax featureGETandSET+B2 jnz short loc_10001272 featureGETandSET+B4 featureGETandSET+B4 loc_100012A4: ; CODE XREF: featureGETandSET+80j featureGETandSET+B4 mov ebx, [esp+90h+randomkey] featureGETandSET+BB mov eax, table[esi] featureGETandSET+C1 push ebx featureGETandSET+C2 push eax featureGETandSET+C3 mov edi, 1 featureGETandSET+C8 call HidD_GetFeature_0 featureGETandSET+CD add esp, 8 featureGETandSET+D0 test eax, eax featureGETandSET+D2 jz short loc_100012F5 featureGETandSET+D4 featureGETandSET+D4 loc_100012C4: ; CODE XREF: featureGETandSET+103j featureGETandSET+D4 cmp edi, 4 featureGETandSET+D7 jge short loc_10001325 featureGETandSET+D9 push 0C8h ; dwMilliseconds featureGETandSET+DE call ebp ; Sleep featureGETandSET+E0 push edi featureGETandSET+E1 lea ecx, [esp+94h+var_80] featureGETandSET+E5 push offset aReadreportD ; "ReadReport %d" featureGETandSET+EA push ecx ; char * featureGETandSET+EB call _sprintf featureGETandSET+F0 mov edx, table[esi] featureGETandSET+F6 push ebx featureGETandSET+F7 push edx featureGETandSET+F8 inc edi featureGETandSET+F9 call HidD_GetFeature_0 featureGETandSET+FE add esp, 14h featureGETandSET+101 test eax, eax featureGETandSET+103 jnz short loc_100012C4 featureGETandSET+105 featureGETandSET+105 loc_100012F5: ; CODE XREF: featureGETandSET+D2j featureGETandSET+105 mov eax, dword_1001529E[esi] featureGETandSET+10B test eax, eax featureGETandSET+10D jz short loc_10001319 featureGETandSET+10F lea eax, [ebx+9] featureGETandSET+112 lea esi, [ebx+11h] featureGETandSET+115 push eax featureGETandSET+116 push esi featureGETandSET+117 call XoR featureGETandSET+11C lea ecx, [ebx+2] featureGETandSET+11F push ecx featureGETandSET+120 push esi featureGETandSET+121 call XoR featureGETandSET+126 add esp, 10h featureGETandSET+129 featureGETandSET+129 loc_10001319: ; CODE XREF: featureGETandSET+10Dj featureGETandSET+129 mov dl, [ebx+1] featureGETandSET+12C push edx featureGETandSET+12D call isEqu5Ah featureGETandSET+132 add esp, 4 featureGETandSET+135 featureGETandSET+135 loc_10001325: ; CODE XREF: featureGETandSET+85j featureGETandSET+135 ; featureGETandSET+D7j featureGETandSET+135 pop edi featureGETandSET+136 pop esi featureGETandSET+137 pop ebp featureGETandSET+138 pop ebx featureGETandSET+139 add esp, 80h featureGETandSET+13F retn featureGETandSET+13F featureGETandSET endp featureGETandSET+13F

Sending reports:
It fills 25 bytes of communication buffer with random data.
Applies simple xor over p1,p2,lp1 & lp3 bytes and writes on predefined places on the communication buffer
Calculates crc basen on the buffer with following subroutine at 0x10001820.
Writes the result in the last byte of the buffer.

Code:: rockeyCalcCrc arg_0 = dword ptr 4 rockeyCalcCrc arg_4 = dword ptr 8 rockeyCalcCrc rockeyCalcCrc xor al, al rockeyCalcCrc+2 xor ecx, ecx rockeyCalcCrc+4 rockeyCalcCrc+4 loc_10001824: ; CODE XREF: rockeyCalcCrc+Ej rockeyCalcCrc+4 mov dl, byte ptr [esp+ecx+arg_0+1] rockeyCalcCrc+8 xor al, dl rockeyCalcCrc+A inc ecx rockeyCalcCrc+B cmp ecx, 5 rockeyCalcCrc+E jl short loc_10001824 rockeyCalcCrc+10 xor ecx, ecx rockeyCalcCrc+12 rockeyCalcCrc+12 loc_10001832: ; CODE XREF: rockeyCalcCrc+1Cj rockeyCalcCrc+12 mov dl, byte ptr [esp+ecx+arg_4+2] rockeyCalcCrc+16 xor al, dl rockeyCalcCrc+18 inc ecx rockeyCalcCrc+19 cmp ecx, 12h rockeyCalcCrc+1C jl short loc_10001832 rockeyCalcCrc+1E retn

The following routine is called twice on substrings on the communication buffer.
It is called or not depending on something. I could not solve yet under in which cases it is called. It looks like decryption subroutine.

Am I rigth? How to reverse it?

Any idea about this subroutine?

Code:: XoR XoR proc near ; CODE XREF: featureGETandSET+51p XoR ; featureGETandSET+5Bp XoR ; featureGETandSET+117p XoR ; featureGETandSET+121p XoR XoR arg_0 = dword ptr 4 XoR arg_4 = dword ptr 8 XoR XoR mov edx, [esp+arg_4] XoR+4 push ebx XoR+5 push ebp XoR+6 push esi XoR+7 push edi XoR+8 mov edi, [esp+10h+arg_0] XoR+C mov ebp, edi XoR+E xor ecx, ecx XoR+10 sub ebp, edx XoR+12 XoR+12 ____loop: ; CODE XREF: XoR+41j XoR+12 xor eax, eax XoR+14 XoR+14 ___loopA: ; CODE XREF: XoR+21j XoR+14 mov bl, cl XoR+16 or bl, al XoR+18 add bl, [eax+edi] XoR+1B inc eax XoR+1C add [edx], bl XoR+1E cmp eax, 8 XoR+21 jl short ___loopA XoR+23 xor esi, esi XoR+25 XoR+25 ____loopB: ; CODE XREF: XoR+32j XoR+25 mov al, [esi+edi] XoR+28 dec al XoR+2A imul cl XoR+2C xor [edx], al XoR+2E inc esi XoR+2F cmp esi, 8 XoR+32 jl short ____loopB XoR+34 mov al, [edx+ebp] XoR+37 shl al, cl XoR+39 inc ecx XoR+3A inc edx XoR+3B xor [edx-1], al XoR+3E cmp ecx, 8 XoR+41 jl short ____loop XoR+43 pop edi XoR+44 pop esi XoR+45 pop ebp XoR+46 pop ebx XoR+47 retn XoR+47 XoR endp

by BfoX Sun Feb 26, 2017 1:14 pm

why not use hexray plug-in for ida? may be c-source near to you

by mardasmr Sun Feb 26, 2017 1:41 pm

BfoX wrote:why not use hexray plug-in for ida? may be c-source near to you

I did already, RetDec plugin too. I am porting this function into c to see how it works. I will solve how it works.
But I wonder what is used for. For decryption of incoming usb response from the dongle?

by Sponsored content

My try to clone/patch Rockey4nd

My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd

Re: My try to clone/patch Rockey4nd