My try to clone/patch Rockey4nd
Hi all,
I am trying to crack a victim which is protected by Rockey4ND. Let me summarize what I did till now.
I disassembled and debugged the victim and ry.dll.
I found most of the important points.
But I have only a usbtrace log, no Rockey4ND at hand. Thanks to a member of this site, since he provided me the full log instead of asking money for an emulator.
But I noticed that without a Rockey4ND at hand it will be very hard to continue. So I decided to make a hardware replica of the dongle with an Atmel microcontroller based circuit which will provide the USB interface.
It is a small circuit and very cheap (www113.zippyshare.com/v/JQ9LfzU6/file.html).
I did not have any idea about the USB protocol, so I had to dig into it. And also it was my first time using an Atmel microcontroller.
Using the V-USB USB library, I started to determine the USB descriptors and copied them into the microcontroller.
Anyway, after about one week of struggle I could finally hear the ding-dong sound of the HID dongle :)
Yes, the victim is passing the ry_find, ry_find_next and ry_open functions now.
I decided to work on a sample from the Rockey4ND SDK to understand the inner workings of ry.dll.
But there is a problem: the USB communication between ry.dll and the dongle is encrypted while transmitting reports. I found two subroutines in ry.dll.
I will work on that of course, but you can say I am kind of a newbie. Any help is greatly appreciated.
Is there anyone having any information on decrypting that communication? Any help or idea about how to continue?
No no, I have no money for a dongle emulator; it is very fun for me.
(sorry for my terrible English)
mardasmr- Posts : 35
Points : 51
Reputation : -10
Join date : 2017-02-23
Key Dump- Posts : 48
Points : -17
Reputation : -102
Join date : 2016-12-09
Location : Earth
Re: My try to clone/patch Rockey4nd
"I did not have any idea about the USB protocol, so I had to dig into it. And also it was my first time using an Atmel micro-controller.
Using the V-USB USB library, I started to determine the USB descriptors and copied them into the micro-controller"
You need to reverse the functions used in the dongle.
ovis25- Posts : 648
Points : 1234
Reputation : 332
Join date : 2014-06-07
Re: My try to clone/patch Rockey4nd
mistyping
Last edited by mardasmr on Fri Feb 24, 2017 3:19 am; edited 1 time in total (Reason for editing : mistyping)
mardasmr- Posts : 35
Points : 51
Reputation : -10
Join date : 2017-02-23
Re: My try to clone/patch Rockey4nd
Key Dump wrote:
Post log by usbtrace.. I can help for free..
I already got the HID, P1 and P2 by debugging the victim.
What else could you tell me from the full log?
The encryption procedure and how to reverse it? That is what I need at this step.
I see that the victim forms the URB buffer before sending it to the dongle by calling the rand and srand functions. So it sends different USB data for the same input data. How to reverse it?
A sample request and response pair:
155 | OUT | SET_REPORT | Report Type: Feature | ** Data ** | 01 C2 C2 C2 C2 89 FB B6 76 C2 C2 C2 C2 C2 61 6D 8F 8A E9 8C 4F 30 81 E3 |
159 | OUT | GET_REPORT | Report Type: Feature | ** Data ** | 5A 00 00 00 00 8D DA A8 EE C2 C2 C2 C2 C2 61 6D 8F 8A E9 8C 4F 30 81 1B |
mardasmr- Posts : 35
Points : 51
Reputation : -10
Join date : 2017-02-23
Re: My try to clone/patch Rockey4nd
P1 0x4B39
P2 0x74B4
P3 0x0000
P4 0x0000
HID 0x4F186A2C
In your case, emulating the ry.dll is done.
BfoX- Posts : 1218
Points : 1662
Reputation : 307
Join date : 2012-04-18
Location : Earth
Re: My try to clone/patch Rockey4nd
BfoX wrote:
P1 0x4B39
P2 0x74B4
P3 0x0000
P4 0x0000
HID 0x4F186A2C
In your case, emulating the ry.dll is done.
I already know you are the master, BfoX. You extracted the info from the log; I could only extract it from the debugger for the moment, as can be seen in the screenshot: www7.zippyshare.com/v/ZidIWBp6/file.html
So the encryption of the communication protocol is decryptable and you know the way.
And you don't share your knowledge for free, am I not right?
mardasmr- Posts : 35
Points : 51
Reputation : -10
Join date : 2017-02-23
Re: My try to clone/patch Rockey4nd
Inside information and the algo, few have and fewer or none will share.
But I see you understand RE, so you can learn; just ask correct questions to the gurus around here and maybe they will help you.
Check posts in the forum and see which users came with a solution and good answers; those are the people you need to ask!
ovis25- Posts : 648
Points : 1234
Reputation : 332
Join date : 2014-06-07
Re: My try to clone/patch Rockey4nd
> And you don't share your knowledge for free, am I not right?
You can't see the knowledge inside your debugger? Every packet is ciphered before being sent to the dongle and deciphered after getting it back.
Just open your eyes =)
Or do you want source code?
BfoX- Posts : 1218
Points : 1662
Reputation : 307
Join date : 2012-04-18
Location : Earth
turkuaz- Posts : 3
Points : 3
Reputation : -3
Join date : 2016-12-31
Re: My try to clone/patch Rockey4nd
No thanks,
I have already found the encryption routine by debugging ry.dll and inspecting USB traces live. And the first byte of the returned data must be equal to 0x54.
I hope I am on the correct track.
- Code:
Encrypt ; =============== S U B R O U T I N E =======================================
Encrypt
Encrypt
Encrypt ; HRESULT __stdcall Encrypt(PINFORMATIONCARD_CRYPTO_HANDLE hCrypto, BOOL fOAEP, DWORD cbInData, PBYTE pInData, DWORD *pcbOutData, PBYTE *ppOutData)
Encrypt Encrypt proc near ; CODE XREF: featureGETandSET+51p
Encrypt ; featureGETandSET+5Bp
Encrypt ; featureGETandSET+117p
Encrypt ; featureGETandSET+121p
Encrypt
Encrypt hCrypto = dword ptr 4
Encrypt fOAEP = dword ptr 8
Encrypt cbInData = dword ptr 0Ch
Encrypt pInData = dword ptr 10h
Encrypt pcbOutData = dword ptr 14h
Encrypt ppOutData = dword ptr 18h
Encrypt
Encrypt mov edx, [esp+fOAEP]
Encrypt+4 push ebx
Encrypt+5 push ebp
Encrypt+6 push esi
Encrypt+7 push edi
Encrypt+8 mov edi, [esp+10h+hCrypto]
Encrypt+C mov ebp, edi
Encrypt+E xor ecx, ecx
Encrypt+10 sub ebp, edx
Encrypt+12
Encrypt+12 loc_100083A2: ; CODE XREF: Encrypt+41j
Encrypt+12 xor eax, eax
Encrypt+14
Encrypt+14 loc_100083A4: ; CODE XREF: Encrypt+21j
Encrypt+14 mov bl, cl
Encrypt+16 or bl, al
Encrypt+18 add bl, [eax+edi]
Encrypt+1B inc eax
Encrypt+1C add [edx], bl
Encrypt+1E cmp eax, 8
Encrypt+21 jl short loc_100083A4
Encrypt+23 xor esi, esi
Encrypt+25
Encrypt+25 loc_100083B5: ; CODE XREF: Encrypt+32j
Encrypt+25 mov al, [esi+edi]
Encrypt+28 dec al
Encrypt+2A imul cl
Encrypt+2C xor [edx], al
Encrypt+2E inc esi
Encrypt+2F cmp esi, 8
Encrypt+32 jl short loc_100083B5
Encrypt+34 mov al, [edx+ebp]
Encrypt+37 shl al, cl
Encrypt+39 inc ecx
Encrypt+3A inc edx
Encrypt+3B xor [edx-1], al
Encrypt+3E cmp ecx, 8
Encrypt+41 jl short loc_100083A2
Encrypt+43 pop edi
Encrypt+44 pop esi
Encrypt+45 pop ebp
Encrypt+46 pop ebx
Encrypt+47 retn
Encrypt+47 Encrypt endp
- Code:
Encrypt_0
Encrypt_0 ; =============== S U B R O U T I N E =======================================
Encrypt_0
Encrypt_0
Encrypt_0 ; HRESULT __stdcall Encrypt_0(PINFORMATIONCARD_CRYPTO_HANDLE hCrypto, BOOL fOAEP, DWORD cbInData, PBYTE pInData, DWORD *pcbOutData, PBYTE *ppOutData)
Encrypt_0 Encrypt_0 proc near ; CODE XREF: SubA+7Cp
Encrypt_0 ; SubC+98p SubE+79p
Encrypt_0 ; SubB+8Bp SubG+E0p
Encrypt_0 ; SubD+9Cp SubL+10Ap
Encrypt_0 ; sub_10001EF0+10Bp
Encrypt_0 ; sub_10002030+FCp
Encrypt_0 ; sub_10002180+FEp
Encrypt_0 ; sub_100022D0+92p
Encrypt_0 ; sub_10002390+98p
Encrypt_0 ; sub_10002450+7Fp
Encrypt_0 ; sub_10002500+98p
Encrypt_0 ; sub_100025C0+AAp
Encrypt_0 ; sub_10002690+72p
Encrypt_0 ; sub_10002760+72p
Encrypt_0 ; sub_10002810+72p
Encrypt_0 ; sub_100028B0+72p
Encrypt_0 ; sub_10002950+68p
Encrypt_0 ; sub_100029F0+98p
Encrypt_0 ; sub_10002AB0+AAp
Encrypt_0 ; sub_10002B80+72p
Encrypt_0 ; sub_10002C40+72p
Encrypt_0 ; sub_10002D10+72p
Encrypt_0 ; sub_10002DB0+CEp
Encrypt_0 ; sub_10002EE0+C6p
Encrypt_0 ; sub_10003000+79p
Encrypt_0 ; sub_100030C0+EDp
Encrypt_0 ; sub_10003270+DFp
Encrypt_0 ; Sub_1+7Cp
Encrypt_0 ; sub_10003460+B2p
Encrypt_0 ; sub_10003570+B5p
Encrypt_0 ; sub_10003680+B5p
Encrypt_0 ; sub_10003790+B2p
Encrypt_0 ; sub_100038A0+197p
Encrypt_0 ; sub_100038A0+201p
Encrypt_0 ; sub_100038A0+25Fp
Encrypt_0 ; sub_10003B90+A3p
Encrypt_0 ; sub_10003B90+FDp
Encrypt_0 ; sub_10003CC0+ECp
Encrypt_0 ; sub_10003CC0+156p
Encrypt_0 ; sub_10003CC0+1BCp
Encrypt_0 ; sub_10003F70+B2p
Encrypt_0 ; sub_10003F70+10Cp
Encrypt_0 ; checkValidDongle_A+74p
Encrypt_0 ; sub_100041F0+9Dp
Encrypt_0 ; sub_100042C0+B4p
Encrypt_0 ; sub_100043B0+113p
Encrypt_0 ; SubK+113p SubJ+137p
Encrypt_0 ; SubJ+1A9p SubJ+209p
Encrypt_0 ; SubI+B2p SubI+10Cp
Encrypt_0 ; SubH+A3p SubH+FDp
Encrypt_0 ; Dongle1+C3p
Encrypt_0 ; Dongle2+79p
Encrypt_0
Encrypt_0 hCrypto = dword ptr 4
Encrypt_0 fOAEP = dword ptr 8
Encrypt_0 cbInData = dword ptr 0Ch
Encrypt_0 pInData = dword ptr 10h
Encrypt_0 pcbOutData = dword ptr 14h
Encrypt_0 ppOutData = dword ptr 18h
Encrypt_0
Encrypt_0 xor al, al
Encrypt_0+2 xor ecx, ecx
Encrypt_0+4
Encrypt_0+4 loc_10001824: ; CODE XREF: Encrypt_0+Ej
Encrypt_0+4 mov dl, byte ptr [esp+ecx+hCrypto+1]
Encrypt_0+8 xor al, dl
Encrypt_0+A inc ecx
Encrypt_0+B cmp ecx, 5
Encrypt_0+E jl short loc_10001824
Encrypt_0+10 xor ecx, ecx
Encrypt_0+12
Encrypt_0+12 loc_10001832: ; CODE XREF: Encrypt_0+1Cj
Encrypt_0+12 mov dl, byte ptr [esp+ecx+fOAEP+2]
Encrypt_0+16 xor al, dl
Encrypt_0+18 inc ecx
Encrypt_0+19 cmp ecx, 12h
Encrypt_0+1C jl short loc_10001832
Encrypt_0+1E retn
Encrypt_0+1E Encrypt_0 endp ; sp-analysis failed
Encrypt_0+1E
Encrypt_0+1E ; ---------------------------------------------------------------------------
- Code:
featureGETandSET
featureGETandSET ; =============== S U B R O U T I N E =======================================
featureGETandSET
featureGETandSET
featureGETandSET featureGETandSET proc near ; CODE XREF: SubA+90p
featureGETandSET ; SubC+ACp
featureGETandSET ; SubE+8Dp
featureGETandSET ; SubB+9Fp
featureGETandSET ; SubG+F4p
featureGETandSET ; SubD+B0p
featureGETandSET ; SubL+11Ep
featureGETandSET ; sub_10001EF0+11Fp
featureGETandSET ; sub_10002030+110p
featureGETandSET ; sub_10002180+112p
featureGETandSET ; sub_100022D0+A6p
featureGETandSET ; sub_10002390+ACp
featureGETandSET ; sub_10002450+93p
featureGETandSET ; sub_10002500+ACp
featureGETandSET ; sub_100025C0+BEp
featureGETandSET ; sub_10002690+86p
featureGETandSET ; sub_10002760+86p
featureGETandSET ; sub_10002810+86p
featureGETandSET ; sub_100028B0+86p
featureGETandSET ; sub_10002950+7Cp
featureGETandSET ; sub_100029F0+ACp
featureGETandSET ; sub_10002AB0+BEp
featureGETandSET ; sub_10002B80+86p
featureGETandSET ; sub_10002C40+86p
featureGETandSET ; sub_10002D10+86p
featureGETandSET ; sub_10002DB0+E2p
featureGETandSET ; sub_10002EE0+DAp
featureGETandSET ; sub_10003000+8Dp
featureGETandSET ; sub_100030C0+105p
featureGETandSET ; sub_10003270+10Bp
featureGETandSET ; Sub_1+90p
featureGETandSET ; sub_10003460+CAp
featureGETandSET ; sub_10003570+CDp
featureGETandSET ; sub_10003680+CDp
featureGETandSET ; sub_10003790+CAp
featureGETandSET ; sub_100038A0+1B2p
featureGETandSET ; sub_100038A0+21Cp
featureGETandSET ; sub_100038A0+27Ap
featureGETandSET ; sub_10003B90+BBp
featureGETandSET ; sub_10003B90+115p
featureGETandSET ; sub_10003CC0+107p
featureGETandSET ; sub_10003CC0+171p
featureGETandSET ; sub_10003CC0+1D0p
featureGETandSET ; sub_10003F70+CAp
featureGETandSET ; sub_10003F70+124p
featureGETandSET ; checkValidDongle_A+88p
featureGETandSET ; sub_100041F0+B1p
featureGETandSET ; sub_100042C0+CCp
featureGETandSET ; sub_100043B0+12Ep
featureGETandSET ; SubK+12Ep
featureGETandSET ; SubJ+152p
featureGETandSET ; SubJ+1C4p
featureGETandSET ; SubJ+224p
featureGETandSET ; SubI+CAp
featureGETandSET ; SubI+124p
featureGETandSET ; SubH+BBp
featureGETandSET ; SubH+115p
featureGETandSET ; Dongle1+DBp
featureGETandSET ; Dongle2+8Dp
featureGETandSET
featureGETandSET buffer = byte ptr -80h
featureGETandSET arg_0 = dword ptr 4
featureGETandSET arg_4 = dword ptr 8
featureGETandSET arg_8 = dword ptr 0Ch
featureGETandSET
featureGETandSET sub esp, 80h
featureGETandSET+6 push ebx ; ppOutData
featureGETandSET+7 mov ebx, [esp+84h+arg_4]
featureGETandSET+E push ebp ; pcbOutData
featureGETandSET+F push esi ; pInData
featureGETandSET+10 mov al, [ebx+1]
featureGETandSET+13 mov esi, [esp+8Ch+arg_0]
featureGETandSET+1A cmp al, 81h
featureGETandSET+1C push edi ; cbInData
featureGETandSET+1D jnz short loc_10001222
featureGETandSET+1F push esi
featureGETandSET+20 lea eax, [esp+94h+buffer]
featureGETandSET+24 push offset aSetpassword2Ha ; "SETPASSWORD 2,handle %4x"
featureGETandSET+29 push eax ; char *
featureGETandSET+2A call _sprintf
featureGETandSET+2F add esp, 0Ch
featureGETandSET+32
featureGETandSET+32 loc_10001222: ; CODE XREF: featureGETandSET+1Dj
featureGETandSET+32 lea eax, [esi+esi*2]
featureGETandSET+35 shl eax, 4
featureGETandSET+38 add eax, esi
featureGETandSET+3A lea esi, [eax+eax*2]
featureGETandSET+3D shl esi, 1
featureGETandSET+3F mov eax, dword_1001529E[esi]
featureGETandSET+45 test eax, eax
featureGETandSET+47 jz short hid_setfeature
featureGETandSET+49 lea ecx, [ebx+2]
featureGETandSET+4C lea edi, [ebx+11h]
featureGETandSET+4F push ecx ; fOAEP
featureGETandSET+50 push edi ; hCrypto
featureGETandSET+51 call Encrypt
featureGETandSET+56 lea edx, [ebx+9]
featureGETandSET+59 push edx ; fOAEP
featureGETandSET+5A push edi ; hCrypto
featureGETandSET+5B call Encrypt
featureGETandSET+60 add esp, 10h
featureGETandSET+63
featureGETandSET+63 hid_setfeature: ; CODE XREF: featureGETandSET+47j
featureGETandSET+63 mov eax, table[esi]
featureGETandSET+69 push ebx
featureGETandSET+6A push eax
featureGETandSET+6B mov edi, 1
featureGETandSET+70 call HidD_SetFeature_0
featureGETandSET+75 mov ebp, ds:Sleep
featureGETandSET+7B add esp, 8
featureGETandSET+7E test eax, eax
featureGETandSET+80 jz short loc_100012A4
featureGETandSET+82
featureGETandSET+82 loc_10001272: ; CODE XREF: featureGETandSET+B2j
featureGETandSET+82 cmp edi, 4
featureGETandSET+85 jge loc_10001325
featureGETandSET+8B push 64h ; dwMilliseconds
featureGETandSET+8D call ebp ; Sleep
featureGETandSET+8F push edi
featureGETandSET+90 lea ecx, [esp+14h]
featureGETandSET+94 push offset aWritereportD ; "WriteReport %d"
featureGETandSET+99 push ecx ; char *
featureGETandSET+9A call _sprintf
featureGETandSET+9F mov edx, table[esi]
featureGETandSET+A5 push ebx
featureGETandSET+A6 push edx
featureGETandSET+A7 inc edi
featureGETandSET+A8 call HidD_SetFeature_0
featureGETandSET+AD add esp, 14h
featureGETandSET+B0 test eax, eax
featureGETandSET+B2 jnz short loc_10001272
featureGETandSET+B4
featureGETandSET+B4 loc_100012A4: ; CODE XREF: featureGETandSET+80j
featureGETandSET+B4 mov ebx, [esp+9Ch]
featureGETandSET+BB mov eax, table[esi]
featureGETandSET+C1 push ebx
featureGETandSET+C2 push eax
featureGETandSET+C3 mov edi, 1
featureGETandSET+C8 call HidD_GetFeature_0
featureGETandSET+CD add esp, 8
featureGETandSET+D0 test eax, eax
featureGETandSET+D2 jz short loc_100012F5
featureGETandSET+D4
featureGETandSET+D4 loc_100012C4: ; CODE XREF: featureGETandSET+103j
featureGETandSET+D4 cmp edi, 4
featureGETandSET+D7 jge short loc_10001325
featureGETandSET+D9 push 0C8h ; dwMilliseconds
featureGETandSET+DE call ebp ; Sleep
featureGETandSET+E0 push edi
featureGETandSET+E1 lea ecx, [esp+14h]
featureGETandSET+E5 push offset aReadreportD ; "ReadReport %d"
featureGETandSET+EA push ecx ; char *
featureGETandSET+EB call _sprintf
featureGETandSET+F0 mov edx, table[esi]
featureGETandSET+F6 push ebx
featureGETandSET+F7 push edx
featureGETandSET+F8 inc edi
featureGETandSET+F9 call HidD_GetFeature_0
featureGETandSET+FE add esp, 14h
featureGETandSET+101 test eax, eax
featureGETandSET+103 jnz short loc_100012C4
featureGETandSET+105
featureGETandSET+105 loc_100012F5: ; CODE XREF: featureGETandSET+D2j
featureGETandSET+105 mov eax, dword_1001529E[esi]
featureGETandSET+10B test eax, eax
featureGETandSET+10D jz short loc_10001319
featureGETandSET+10F lea eax, [ebx+9]
featureGETandSET+112 lea esi, [ebx+11h]
featureGETandSET+115 push eax ; fOAEP
featureGETandSET+116 push esi ; hCrypto
featureGETandSET+117 call Encrypt
featureGETandSET+11C lea ecx, [ebx+2]
featureGETandSET+11F push ecx ; fOAEP
featureGETandSET+120 push esi ; hCrypto
featureGETandSET+121 call Encrypt
featureGETandSET+126 add esp, 10h
featureGETandSET+129
featureGETandSET+129 loc_10001319: ; CODE XREF: featureGETandSET+10Dj
featureGETandSET+129 mov dl, [ebx+1]
featureGETandSET+12C push edx
featureGETandSET+12D call isEqu5Ah
featureGETandSET+132 add esp, 4
featureGETandSET+135
featureGETandSET+135 loc_10001325: ; CODE XREF: featureGETandSET+85j
featureGETandSET+135 ; featureGETandSET+D7j
featureGETandSET+135 pop edi
featureGETandSET+136 pop esi
featureGETandSET+137 pop ebp
featureGETandSET+138 pop ebx
featureGETandSET+139 add esp, 80h
featureGETandSET+13F retn
featureGETandSET+13F featureGETandSET endp ; sp-analysis failed
mardasmr- Posts : 35
Points : 51
Reputation : -10
Join date : 2017-02-23
Re: My try to clone/patch Rockey4nd
You are on the correct way. I like your project.
What model board do you use?
sverox- Posts : 49
Points : 107
Reputation : 50
Join date : 2013-10-09
Re: My try to clone/patch Rockey4nd
Arduino Mini, but without bootloader. You can build it with discrete elements too.
V-USB is a very good library.
mardasmr- Posts : 35
Points : 51
Reputation : -10
Join date : 2017-02-23
Re: My try to clone/patch Rockey4nd
IMHO, Rockey4ND uses XOR encryption to communicate between the dongle and the DLL.
califor.
califor- Posts : 59
Points : 71
Reputation : -103
Join date : 2015-05-11
Age : 38
Re: My try to clone/patch Rockey4nd
I am still debugging/disassembling ry.dll in order to solve the communication protocol.
Setting and getting reports are done in the following subroutine at 0x100011f0:
- Code:
featureGETandSET var_80 = byte ptr -80h
featureGETandSET command = dword ptr 4
featureGETandSET databuffer = dword ptr 8
featureGETandSET randomkey = dword ptr 0Ch
featureGETandSET
featureGETandSET sub esp, 80h
featureGETandSET+6 push ebx
featureGETandSET+7 mov ebx, [esp+84h+databuffer]
featureGETandSET+E push ebp
featureGETandSET+F push esi
featureGETandSET+10 mov al, [ebx+1]
featureGETandSET+13 mov esi, [esp+8Ch+command]
featureGETandSET+1A cmp al, 81h
featureGETandSET+1C push edi
featureGETandSET+1D jnz short loc_10001222
featureGETandSET+1F push esi
featureGETandSET+20 lea eax, [esp+94h+var_80]
featureGETandSET+24 push offset aSetpassword2Ha ; "SETPASSWORD 2,handle %4x"
featureGETandSET+29 push eax ; char *
featureGETandSET+2A call _sprintf
featureGETandSET+2F add esp, 0Ch
featureGETandSET+32
featureGETandSET+32 loc_10001222: ; CODE XREF: featureGETandSET+1Dj
featureGETandSET+32 lea eax, [esi+esi*2]
featureGETandSET+35 shl eax, 4
featureGETandSET+38 add eax, esi
featureGETandSET+3A lea esi, [eax+eax*2]
featureGETandSET+3D shl esi, 1
featureGETandSET+3F mov eax, dword_1001529E[esi]
featureGETandSET+45 test eax, eax
featureGETandSET+47 jz short loc_10001253
featureGETandSET+49 lea ecx, [ebx+2]
featureGETandSET+4C lea edi, [ebx+11h]
featureGETandSET+4F push ecx ; 2nd byte of the buffer
featureGETandSET+50 push edi ; last 8 bytes of the buffer
featureGETandSET+51 call XoR
featureGETandSET+56 lea edx, [ebx+9]
featureGETandSET+59 push edx
featureGETandSET+5A push edi
featureGETandSET+5B call XoR
featureGETandSET+60 add esp, 10h
featureGETandSET+63
featureGETandSET+63 loc_10001253: ; CODE XREF: featureGETandSET+47j
featureGETandSET+63 mov eax, table[esi]
featureGETandSET+69 push ebx
featureGETandSET+6A push eax
featureGETandSET+6B mov edi, 1
featureGETandSET+70 call HidD_SetFeature_0
featureGETandSET+75 mov ebp, ds:Sleep
featureGETandSET+7B add esp, 8
featureGETandSET+7E test eax, eax
featureGETandSET+80 jz short loc_100012A4
featureGETandSET+82
featureGETandSET+82 loc_10001272: ; CODE XREF: featureGETandSET+B2j
featureGETandSET+82 cmp edi, 4
featureGETandSET+85 jge loc_10001325
featureGETandSET+8B push 64h ; dwMilliseconds
featureGETandSET+8D call ebp ; Sleep
featureGETandSET+8F push edi
featureGETandSET+90 lea ecx, [esp+94h+var_80]
featureGETandSET+94 push offset aWritereportD ; "WriteReport %d"
featureGETandSET+99 push ecx ; char *
featureGETandSET+9A call _sprintf
featureGETandSET+9F mov edx, table[esi]
featureGETandSET+A5 push ebx
featureGETandSET+A6 push edx
featureGETandSET+A7 inc edi
featureGETandSET+A8 call HidD_SetFeature_0
featureGETandSET+AD add esp, 14h
featureGETandSET+B0 test eax, eax
featureGETandSET+B2 jnz short loc_10001272
featureGETandSET+B4
featureGETandSET+B4 loc_100012A4: ; CODE XREF: featureGETandSET+80j
featureGETandSET+B4 mov ebx, [esp+90h+randomkey]
featureGETandSET+BB mov eax, table[esi]
featureGETandSET+C1 push ebx
featureGETandSET+C2 push eax
featureGETandSET+C3 mov edi, 1
featureGETandSET+C8 call HidD_GetFeature_0
featureGETandSET+CD add esp, 8
featureGETandSET+D0 test eax, eax
featureGETandSET+D2 jz short loc_100012F5
featureGETandSET+D4
featureGETandSET+D4 loc_100012C4: ; CODE XREF: featureGETandSET+103j
featureGETandSET+D4 cmp edi, 4
featureGETandSET+D7 jge short loc_10001325
featureGETandSET+D9 push 0C8h ; dwMilliseconds
featureGETandSET+DE call ebp ; Sleep
featureGETandSET+E0 push edi
featureGETandSET+E1 lea ecx, [esp+94h+var_80]
featureGETandSET+E5 push offset aReadreportD ; "ReadReport %d"
featureGETandSET+EA push ecx ; char *
featureGETandSET+EB call _sprintf
featureGETandSET+F0 mov edx, table[esi]
featureGETandSET+F6 push ebx
featureGETandSET+F7 push edx
featureGETandSET+F8 inc edi
featureGETandSET+F9 call HidD_GetFeature_0
featureGETandSET+FE add esp, 14h
featureGETandSET+101 test eax, eax
featureGETandSET+103 jnz short loc_100012C4
featureGETandSET+105
featureGETandSET+105 loc_100012F5: ; CODE XREF: featureGETandSET+D2j
featureGETandSET+105 mov eax, dword_1001529E[esi]
featureGETandSET+10B test eax, eax
featureGETandSET+10D jz short loc_10001319
featureGETandSET+10F lea eax, [ebx+9]
featureGETandSET+112 lea esi, [ebx+11h]
featureGETandSET+115 push eax
featureGETandSET+116 push esi
featureGETandSET+117 call XoR
featureGETandSET+11C lea ecx, [ebx+2]
featureGETandSET+11F push ecx
featureGETandSET+120 push esi
featureGETandSET+121 call XoR
featureGETandSET+126 add esp, 10h
featureGETandSET+129
featureGETandSET+129 loc_10001319: ; CODE XREF: featureGETandSET+10Dj
featureGETandSET+129 mov dl, [ebx+1]
featureGETandSET+12C push edx
featureGETandSET+12D call isEqu5Ah
featureGETandSET+132 add esp, 4
featureGETandSET+135
featureGETandSET+135 loc_10001325: ; CODE XREF: featureGETandSET+85j
featureGETandSET+135 ; featureGETandSET+D7j
featureGETandSET+135 pop edi
featureGETandSET+136 pop esi
featureGETandSET+137 pop ebp
featureGETandSET+138 pop ebx
featureGETandSET+139 add esp, 80h
featureGETandSET+13F retn
featureGETandSET+13F featureGETandSET endp
featureGETandSET+13F
Sending reports:
It fills 25 bytes of the communication buffer with random data.
It applies a simple XOR over the p1, p2, lp1 & lp3 bytes and writes them to predefined places in the communication buffer.
It calculates a CRC based on the buffer with the following subroutine at 0x10001820.
It writes the result in the last byte of the buffer.
- Code:
rockeyCalcCrc arg_0 = dword ptr 4
rockeyCalcCrc arg_4 = dword ptr 8
rockeyCalcCrc
rockeyCalcCrc xor al, al
rockeyCalcCrc+2 xor ecx, ecx
rockeyCalcCrc+4
rockeyCalcCrc+4 loc_10001824: ; CODE XREF: rockeyCalcCrc+Ej
rockeyCalcCrc+4 mov dl, byte ptr [esp+ecx+arg_0+1]
rockeyCalcCrc+8 xor al, dl
rockeyCalcCrc+A inc ecx
rockeyCalcCrc+B cmp ecx, 5
rockeyCalcCrc+E jl short loc_10001824
rockeyCalcCrc+10 xor ecx, ecx
rockeyCalcCrc+12
rockeyCalcCrc+12 loc_10001832: ; CODE XREF: rockeyCalcCrc+1Cj
rockeyCalcCrc+12 mov dl, byte ptr [esp+ecx+arg_4+2]
rockeyCalcCrc+16 xor al, dl
rockeyCalcCrc+18 inc ecx
rockeyCalcCrc+19 cmp ecx, 12h
rockeyCalcCrc+1C jl short loc_10001832
rockeyCalcCrc+1E retn
The following routine is called twice on substrings of the communication buffer.
It is called or not depending on something; I could not solve yet in which cases it is called. It looks like a decryption subroutine.
Am I right? How to reverse it?
Any idea about this subroutine?
- Code:
XoR XoR proc near ; CODE XREF: featureGETandSET+51p
XoR ; featureGETandSET+5Bp
XoR ; featureGETandSET+117p
XoR ; featureGETandSET+121p
XoR
XoR arg_0 = dword ptr 4
XoR arg_4 = dword ptr 8
XoR
XoR mov edx, [esp+arg_4]
XoR+4 push ebx
XoR+5 push ebp
XoR+6 push esi
XoR+7 push edi
XoR+8 mov edi, [esp+10h+arg_0]
XoR+C mov ebp, edi
XoR+E xor ecx, ecx
XoR+10 sub ebp, edx
XoR+12
XoR+12 ____loop: ; CODE XREF: XoR+41j
XoR+12 xor eax, eax
XoR+14
XoR+14 ___loopA: ; CODE XREF: XoR+21j
XoR+14 mov bl, cl
XoR+16 or bl, al
XoR+18 add bl, [eax+edi]
XoR+1B inc eax
XoR+1C add [edx], bl
XoR+1E cmp eax, 8
XoR+21 jl short ___loopA
XoR+23 xor esi, esi
XoR+25
XoR+25 ____loopB: ; CODE XREF: XoR+32j
XoR+25 mov al, [esi+edi]
XoR+28 dec al
XoR+2A imul cl
XoR+2C xor [edx], al
XoR+2E inc esi
XoR+2F cmp esi, 8
XoR+32 jl short ____loopB
XoR+34 mov al, [edx+ebp]
XoR+37 shl al, cl
XoR+39 inc ecx
XoR+3A inc edx
XoR+3B xor [edx-1], al
XoR+3E cmp ecx, 8
XoR+41 jl short ____loop
XoR+43 pop edi
XoR+44 pop esi
XoR+45 pop ebp
XoR+46 pop ebx
XoR+47 retn
XoR+47 XoR endp
mardasmr- Posts : 35
Points : 51
Reputation : -10
Join date : 2017-02-23
Re: My try to clone/patch Rockey4nd
Why not use the Hex-Rays plugin for IDA? Maybe C source would be closer for you.
BfoX- Posts : 1218
Points : 1662
Reputation : 307
Join date : 2012-04-18
Location : Earth
Re: My try to clone/patch Rockey4nd
BfoX wrote:
Why not use the Hex-Rays plugin for IDA? Maybe C source would be closer for you.
I did already, the RetDec plugin too. I am porting this function into C to see how it works. I will solve how it works.
But I wonder what it is used for. For decryption of the incoming USB response from the dongle?
mardasmr- Posts : 35
Points : 51
Reputation : -10
Join date : 2017-02-23