Reverse Engineering Team
My try to clone/patch Rockey4nd


My try to clone/patch Rockey4nd

Post by mardasmr on Thu Feb 23, 2017 5:37 pm

Hi all,

I am trying to crack a victim which is protected by rockey4nd. Let me summarize what I did till now.
I disassembled and debugged the victim and ry.dll.
I found most of the important points.
But I have only a usbtrace log, no rockey4nd at hand. Thanks to a member of this site, since he provided me the full log instead of asking money for an emulator.

But I noticed that without rockey4nd at hand it will be very hard to continue. So I decided to make a hardware replica of the dongle with an atmel microcontroller based circuit which will provide the usb interface.
It is a small circuit and very cheap :D (www113.zippyshare.com/v/JQ9LfzU6/file.html)

I did not have any idea about the usb protocol, so I had to dig into it. And also it was my first time using an atmel microcontroller.
Using the v-usb usb library, I started to determine the usb descriptors and copied them into the microcontroller.

Anyway, after about one week of struggle I could finally hear the ding dong sound of the HID Dongle :)

Yes, victim is passing ry_find, ry_find_next and ry_open functions now.

I decided to work on a sample from the rockey4nd sdk to understand the inner working of the ry.dll.

But there is a problem, usb communication between ry.dll and the dongle is encrypted while transmitting reports. I found two subroutines in the ry.dll

I will work on that of course, but you can say I am kinda newbie. Any help is greatly appreciated.

Is there anyone having any information on decrypting that communication? Any help or idea about how to continue?

No no, I have no money for a dongle emulator, it is very fun for me :)

(sorry for my terrible english)


Re: My try to clone/patch Rockey4nd

Post by Key Dump on Thu Feb 23, 2017 7:01 pm

Post log by usbtrace..
I can help for free..


Re: My try to clone/patch Rockey4nd

Post by ovis25 on Fri Feb 24, 2017 3:12 am

"I did not have any idea about usb protocol, so I had to dig into it. And also it was my first time to use atmel micro-controller.
Using v-usb usb library, I started to determine usb descriptors and copied into micro-controller"

You need reverse functions used in dongle.


Re: My try to clone/patch Rockey4nd

Post by mardasmr on Fri Feb 24, 2017 3:16 am

mistyping


Last edited by mardasmr on Fri Feb 24, 2017 3:19 am; edited 1 time in total (Reason for editing : mistyping)


Re: My try to clone/patch Rockey4nd

Post by mardasmr on Fri Feb 24, 2017 3:20 am

Key Dump wrote: Post log by usbtrace..
I can help for free..

I already got hid, p1 and p2 by debugging the victim.
What else could you tell me from full log?
Encryption procedure and how to reverse? That is what I need at this step.

I see that the victim forms the URB buffer before sending it to the dongle by calling the rand and srand functions. So it sends different USB data for the same input data. How to reverse?

A sample request and response pair:
   
155 OUT SET_REPORT Report Type: Feature ** Data ** 01 C2 C2 C2 C2 89 FB B6 76 C2 C2 C2 C2 C2 61 6D 8F 8A E9 8C 4F 30 81 E3
159 OUT GET_REPORT Report Type: Feature ** Data ** 5A 00 00 00 00 8D DA A8 EE C2 C2 C2 C2 C2 61 6D 8F 8A E9 8C 4F 30 81 1B


Re: My try to clone/patch Rockey4nd

Post by BfoX on Fri Feb 24, 2017 3:30 am

P1 0x4B39
P2 0x74B4
P3 0x0000
P4 0x0000

HID 0x4F186A2C


in your case emulating the ry.dll is done


Re: My try to clone/patch Rockey4nd

Post by mardasmr on Fri Feb 24, 2017 3:54 am

BfoX wrote: P1 0x4B39
P2 0x74B4
P3 0x0000
P4 0x0000

HID 0x4F186A2C


in your case emulating the ry.dll is done
I already know you are the master BfoX. You extract the info from the log, I could only extract it from the debug for the moment :( as can be seen in the screenshot. www7.zippyshare.com/v/ZidIWBp6/file.html

So the encryption of the communication protocol is decryptable and you know the way.
And you don't share your knowledge for free, am I not right?


Re: My try to clone/patch Rockey4nd

Post by ovis25 on Fri Feb 24, 2017 6:41 am

Inside information and the algo, few have and fewer or none will share.

But I see you understand RE so you can learn, just ask correct questions to the gurus around here and maybe they will help you.

Check posts in the forum and see which users came with a solution and good answers; that's the people you need to ask!


Re: My try to clone/patch Rockey4nd

Post by BfoX on Fri Feb 24, 2017 6:51 am

> And you don't share your knowledge for free, am I not rigth?

you can't see the knowledge inside your debugger? all packets are ciphered before being sent to the dongle and deciphered after getting them back.

just open your eye =)

or you want source code?


Re: My try to clone/patch Rockey4nd

Post by turkuaz on Fri Feb 24, 2017 9:55 am

0x5a


Re: My try to clone/patch Rockey4nd

Post by mardasmr on Fri Feb 24, 2017 10:48 am

No thanks,
I have already found the encryption routine by debugging ry.dll and inspecting USB traces live. And the first byte of the returned data must be equal to 0x54.

I hope I am on the correct track.



Code:
Encrypt      ; =============== S U B R O U T I N E =======================================
Encrypt
Encrypt
Encrypt      ; HRESULT __stdcall Encrypt(PINFORMATIONCARD_CRYPTO_HANDLE hCrypto, BOOL fOAEP, DWORD cbInData, PBYTE pInData, DWORD *pcbOutData, PBYTE *ppOutData)
Encrypt      Encrypt         proc near               ; CODE XREF: featureGETandSET+51p
Encrypt                                              ; featureGETandSET+5Bp
Encrypt                                              ; featureGETandSET+117p
Encrypt                                              ; featureGETandSET+121p
Encrypt
Encrypt      hCrypto         = dword ptr  4
Encrypt      fOAEP           = dword ptr  8
Encrypt      cbInData        = dword ptr  0Ch
Encrypt      pInData         = dword ptr  10h
Encrypt      pcbOutData      = dword ptr  14h
Encrypt      ppOutData       = dword ptr  18h
Encrypt
Encrypt                      mov     edx, [esp+fOAEP]
Encrypt+4                    push    ebx
Encrypt+5                    push    ebp
Encrypt+6                    push    esi
Encrypt+7                    push    edi
Encrypt+8                    mov     edi, [esp+10h+hCrypto]
Encrypt+C                    mov     ebp, edi
Encrypt+E                    xor     ecx, ecx
Encrypt+10                   sub     ebp, edx
Encrypt+12
Encrypt+12   loc_100083A2:                           ; CODE XREF: Encrypt+41j
Encrypt+12                   xor     eax, eax
Encrypt+14
Encrypt+14   loc_100083A4:                           ; CODE XREF: Encrypt+21j
Encrypt+14                   mov     bl, cl
Encrypt+16                   or      bl, al
Encrypt+18                   add     bl, [eax+edi]
Encrypt+1B                   inc     eax
Encrypt+1C                   add     [edx], bl
Encrypt+1E                   cmp     eax, 8
Encrypt+21                   jl      short loc_100083A4
Encrypt+23                   xor     esi, esi
Encrypt+25
Encrypt+25   loc_100083B5:                           ; CODE XREF: Encrypt+32j
Encrypt+25                   mov     al, [esi+edi]
Encrypt+28                   dec     al
Encrypt+2A                   imul    cl
Encrypt+2C                   xor     [edx], al
Encrypt+2E                   inc     esi
Encrypt+2F                   cmp     esi, 8
Encrypt+32                   jl      short loc_100083B5
Encrypt+34                   mov     al, [edx+ebp]
Encrypt+37                   shl     al, cl
Encrypt+39                   inc     ecx
Encrypt+3A                   inc     edx
Encrypt+3B                   xor     [edx-1], al
Encrypt+3E                   cmp     ecx, 8
Encrypt+41                   jl      short loc_100083A2
Encrypt+43                   pop     edi
Encrypt+44                   pop     esi
Encrypt+45                   pop     ebp
Encrypt+46                   pop     ebx
Encrypt+47                   retn
Encrypt+47   Encrypt         endp
Code:
Encrypt_0
Encrypt_0      ; =============== S U B R O U T I N E =======================================
Encrypt_0
Encrypt_0
Encrypt_0      ; HRESULT __stdcall Encrypt_0(PINFORMATIONCARD_CRYPTO_HANDLE hCrypto, BOOL fOAEP, DWORD cbInData, PBYTE pInData, DWORD *pcbOutData, PBYTE *ppOutData)
Encrypt_0      Encrypt_0       proc near               ; CODE XREF: SubA+7Cp
Encrypt_0                                              ; SubC+98p SubE+79p
Encrypt_0                                              ; SubB+8Bp SubG+E0p
Encrypt_0                                              ; SubD+9Cp SubL+10Ap
Encrypt_0                                              ; sub_10001EF0+10Bp
Encrypt_0                                              ; sub_10002030+FCp
Encrypt_0                                              ; sub_10002180+FEp
Encrypt_0                                              ; sub_100022D0+92p
Encrypt_0                                              ; sub_10002390+98p
Encrypt_0                                              ; sub_10002450+7Fp
Encrypt_0                                              ; sub_10002500+98p
Encrypt_0                                              ; sub_100025C0+AAp
Encrypt_0                                              ; sub_10002690+72p
Encrypt_0                                              ; sub_10002760+72p
Encrypt_0                                              ; sub_10002810+72p
Encrypt_0                                              ; sub_100028B0+72p
Encrypt_0                                              ; sub_10002950+68p
Encrypt_0                                              ; sub_100029F0+98p
Encrypt_0                                              ; sub_10002AB0+AAp
Encrypt_0                                              ; sub_10002B80+72p
Encrypt_0                                              ; sub_10002C40+72p
Encrypt_0                                              ; sub_10002D10+72p
Encrypt_0                                              ; sub_10002DB0+CEp
Encrypt_0                                              ; sub_10002EE0+C6p
Encrypt_0                                              ; sub_10003000+79p
Encrypt_0                                              ; sub_100030C0+EDp
Encrypt_0                                              ; sub_10003270+DFp
Encrypt_0                                              ; Sub_1+7Cp
Encrypt_0                                              ; sub_10003460+B2p
Encrypt_0                                              ; sub_10003570+B5p
Encrypt_0                                              ; sub_10003680+B5p
Encrypt_0                                              ; sub_10003790+B2p
Encrypt_0                                              ; sub_100038A0+197p
Encrypt_0                                              ; sub_100038A0+201p
Encrypt_0                                              ; sub_100038A0+25Fp
Encrypt_0                                              ; sub_10003B90+A3p
Encrypt_0                                              ; sub_10003B90+FDp
Encrypt_0                                              ; sub_10003CC0+ECp
Encrypt_0                                              ; sub_10003CC0+156p
Encrypt_0                                              ; sub_10003CC0+1BCp
Encrypt_0                                              ; sub_10003F70+B2p
Encrypt_0                                              ; sub_10003F70+10Cp
Encrypt_0                                              ; checkValidDongle_A+74p
Encrypt_0                                              ; sub_100041F0+9Dp
Encrypt_0                                              ; sub_100042C0+B4p
Encrypt_0                                              ; sub_100043B0+113p
Encrypt_0                                              ; SubK+113p SubJ+137p
Encrypt_0                                              ; SubJ+1A9p SubJ+209p
Encrypt_0                                              ; SubI+B2p SubI+10Cp
Encrypt_0                                              ; SubH+A3p SubH+FDp
Encrypt_0                                              ; Dongle1+C3p
Encrypt_0                                              ; Dongle2+79p
Encrypt_0
Encrypt_0      hCrypto         = dword ptr  4
Encrypt_0      fOAEP           = dword ptr  8
Encrypt_0      cbInData        = dword ptr  0Ch
Encrypt_0      pInData         = dword ptr  10h
Encrypt_0      pcbOutData      = dword ptr  14h
Encrypt_0      ppOutData       = dword ptr  18h
Encrypt_0
Encrypt_0                      xor     al, al
Encrypt_0+2                    xor     ecx, ecx
Encrypt_0+4
Encrypt_0+4    loc_10001824:                           ; CODE XREF: Encrypt_0+Ej
Encrypt_0+4                    mov     dl, byte ptr [esp+ecx+hCrypto+1]
Encrypt_0+8                    xor     al, dl
Encrypt_0+A                    inc     ecx
Encrypt_0+B                    cmp     ecx, 5
Encrypt_0+E                    jl      short loc_10001824
Encrypt_0+10                   xor     ecx, ecx
Encrypt_0+12
Encrypt_0+12   loc_10001832:                           ; CODE XREF: Encrypt_0+1Cj
Encrypt_0+12                   mov     dl, byte ptr [esp+ecx+fOAEP+2]
Encrypt_0+16                   xor     al, dl
Encrypt_0+18                   inc     ecx
Encrypt_0+19                   cmp     ecx, 12h
Encrypt_0+1C                   jl      short loc_10001832
Encrypt_0+1E                   retn
Encrypt_0+1E   Encrypt_0       endp ; sp-analysis failed
Encrypt_0+1E
Encrypt_0+1E   ; ---------------------------------------------------------------------------


Code:
featureGETandSET
featureGETandSET      ; =============== S U B R O U T I N E =======================================
featureGETandSET
featureGETandSET
featureGETandSET      featureGETandSET proc near              ; CODE XREF: SubA+90p
featureGETandSET                                              ; SubC+ACp
featureGETandSET                                              ; SubE+8Dp
featureGETandSET                                              ; SubB+9Fp
featureGETandSET                                              ; SubG+F4p
featureGETandSET                                              ; SubD+B0p
featureGETandSET                                              ; SubL+11Ep
featureGETandSET                                              ; sub_10001EF0+11Fp
featureGETandSET                                              ; sub_10002030+110p
featureGETandSET                                              ; sub_10002180+112p
featureGETandSET                                              ; sub_100022D0+A6p
featureGETandSET                                              ; sub_10002390+ACp
featureGETandSET                                              ; sub_10002450+93p
featureGETandSET                                              ; sub_10002500+ACp
featureGETandSET                                              ; sub_100025C0+BEp
featureGETandSET                                              ; sub_10002690+86p
featureGETandSET                                              ; sub_10002760+86p
featureGETandSET                                              ; sub_10002810+86p
featureGETandSET                                              ; sub_100028B0+86p
featureGETandSET                                              ; sub_10002950+7Cp
featureGETandSET                                              ; sub_100029F0+ACp
featureGETandSET                                              ; sub_10002AB0+BEp
featureGETandSET                                              ; sub_10002B80+86p
featureGETandSET                                              ; sub_10002C40+86p
featureGETandSET                                              ; sub_10002D10+86p
featureGETandSET                                              ; sub_10002DB0+E2p
featureGETandSET                                              ; sub_10002EE0+DAp
featureGETandSET                                              ; sub_10003000+8Dp
featureGETandSET                                              ; sub_100030C0+105p
featureGETandSET                                              ; sub_10003270+10Bp
featureGETandSET                                              ; Sub_1+90p
featureGETandSET                                              ; sub_10003460+CAp
featureGETandSET                                              ; sub_10003570+CDp
featureGETandSET                                              ; sub_10003680+CDp
featureGETandSET                                              ; sub_10003790+CAp
featureGETandSET                                              ; sub_100038A0+1B2p
featureGETandSET                                              ; sub_100038A0+21Cp
featureGETandSET                                              ; sub_100038A0+27Ap
featureGETandSET                                              ; sub_10003B90+BBp
featureGETandSET                                              ; sub_10003B90+115p
featureGETandSET                                              ; sub_10003CC0+107p
featureGETandSET                                              ; sub_10003CC0+171p
featureGETandSET                                              ; sub_10003CC0+1D0p
featureGETandSET                                              ; sub_10003F70+CAp
featureGETandSET                                              ; sub_10003F70+124p
featureGETandSET                                              ; checkValidDongle_A+88p
featureGETandSET                                              ; sub_100041F0+B1p
featureGETandSET                                              ; sub_100042C0+CCp
featureGETandSET                                              ; sub_100043B0+12Ep
featureGETandSET                                              ; SubK+12Ep
featureGETandSET                                              ; SubJ+152p
featureGETandSET                                              ; SubJ+1C4p
featureGETandSET                                              ; SubJ+224p
featureGETandSET                                              ; SubI+CAp
featureGETandSET                                              ; SubI+124p
featureGETandSET                                              ; SubH+BBp
featureGETandSET                                              ; SubH+115p
featureGETandSET                                              ; Dongle1+DBp
featureGETandSET                                              ; Dongle2+8Dp
featureGETandSET
featureGETandSET      buffer          = byte ptr -80h
featureGETandSET      arg_0           = dword ptr  4
featureGETandSET      arg_4           = dword ptr  8
featureGETandSET      arg_8           = dword ptr  0Ch
featureGETandSET
featureGETandSET                      sub     esp, 80h
featureGETandSET+6                    push    ebx             ; ppOutData
featureGETandSET+7                    mov     ebx, [esp+84h+arg_4]
featureGETandSET+E                    push    ebp             ; pcbOutData
featureGETandSET+F                    push    esi             ; pInData
featureGETandSET+10                   mov     al, [ebx+1]
featureGETandSET+13                   mov     esi, [esp+8Ch+arg_0]
featureGETandSET+1A                   cmp     al, 81h
featureGETandSET+1C                   push    edi             ; cbInData
featureGETandSET+1D                   jnz     short loc_10001222
featureGETandSET+1F                   push    esi
featureGETandSET+20                   lea     eax, [esp+94h+buffer]
featureGETandSET+24                   push    offset aSetpassword2Ha ; "SETPASSWORD 2,handle %4x"
featureGETandSET+29                   push    eax             ; char *
featureGETandSET+2A                   call    _sprintf
featureGETandSET+2F                   add     esp, 0Ch
featureGETandSET+32
featureGETandSET+32   loc_10001222:                           ; CODE XREF: featureGETandSET+1Dj
featureGETandSET+32                   lea     eax, [esi+esi*2]
featureGETandSET+35                   shl     eax, 4
featureGETandSET+38                   add     eax, esi
featureGETandSET+3A                   lea     esi, [eax+eax*2]
featureGETandSET+3D                   shl     esi, 1
featureGETandSET+3F                   mov     eax, dword_1001529E[esi]
featureGETandSET+45                   test    eax, eax
featureGETandSET+47                   jz      short hid_setfeature
featureGETandSET+49                   lea     ecx, [ebx+2]
featureGETandSET+4C                   lea     edi, [ebx+11h]
featureGETandSET+4F                   push    ecx             ; fOAEP
featureGETandSET+50                   push    edi             ; hCrypto
featureGETandSET+51                   call    Encrypt
featureGETandSET+56                   lea     edx, [ebx+9]
featureGETandSET+59                   push    edx             ; fOAEP
featureGETandSET+5A                   push    edi             ; hCrypto
featureGETandSET+5B                   call    Encrypt
featureGETandSET+60                   add     esp, 10h
featureGETandSET+63
featureGETandSET+63   hid_setfeature:                         ; CODE XREF: featureGETandSET+47j
featureGETandSET+63                   mov     eax, table[esi]
featureGETandSET+69                   push    ebx
featureGETandSET+6A                   push    eax
featureGETandSET+6B                   mov     edi, 1
featureGETandSET+70                   call    HidD_SetFeature_0
featureGETandSET+75                   mov     ebp, ds:Sleep
featureGETandSET+7B                   add     esp, 8
featureGETandSET+7E                   test    eax, eax
featureGETandSET+80                   jz      short loc_100012A4
featureGETandSET+82
featureGETandSET+82   loc_10001272:                           ; CODE XREF: featureGETandSET+B2j
featureGETandSET+82                   cmp     edi, 4
featureGETandSET+85                   jge     loc_10001325
featureGETandSET+8B                   push    64h             ; dwMilliseconds
featureGETandSET+8D                   call    ebp ; Sleep
featureGETandSET+8F                   push    edi
featureGETandSET+90                   lea     ecx, [esp+14h]
featureGETandSET+94                   push    offset aWritereportD ; "WriteReport %d"
featureGETandSET+99                   push    ecx             ; char *
featureGETandSET+9A                   call    _sprintf
featureGETandSET+9F                   mov     edx, table[esi]
featureGETandSET+A5                   push    ebx
featureGETandSET+A6                   push    edx
featureGETandSET+A7                   inc     edi
featureGETandSET+A8                   call    HidD_SetFeature_0
featureGETandSET+AD                   add     esp, 14h
featureGETandSET+B0                   test    eax, eax
featureGETandSET+B2                   jnz     short loc_10001272
featureGETandSET+B4
featureGETandSET+B4   loc_100012A4:                           ; CODE XREF: featureGETandSET+80j
featureGETandSET+B4                   mov     ebx, [esp+9Ch]
featureGETandSET+BB                   mov     eax, table[esi]
featureGETandSET+C1                   push    ebx
featureGETandSET+C2                   push    eax
featureGETandSET+C3                   mov     edi, 1
featureGETandSET+C8                   call    HidD_GetFeature_0
featureGETandSET+CD                   add     esp, 8
featureGETandSET+D0                   test    eax, eax
featureGETandSET+D2                   jz      short loc_100012F5
featureGETandSET+D4
featureGETandSET+D4   loc_100012C4:                           ; CODE XREF: featureGETandSET+103j
featureGETandSET+D4                   cmp     edi, 4
featureGETandSET+D7                   jge     short loc_10001325
featureGETandSET+D9                   push    0C8h            ; dwMilliseconds
featureGETandSET+DE                   call    ebp ; Sleep
featureGETandSET+E0                   push    edi
featureGETandSET+E1                   lea     ecx, [esp+14h]
featureGETandSET+E5                   push    offset aReadreportD ; "ReadReport %d"
featureGETandSET+EA                   push    ecx             ; char *
featureGETandSET+EB                   call    _sprintf
featureGETandSET+F0                   mov     edx, table[esi]
featureGETandSET+F6                   push    ebx
featureGETandSET+F7                   push    edx
featureGETandSET+F8                   inc     edi
featureGETandSET+F9                   call    HidD_GetFeature_0
featureGETandSET+FE                   add     esp, 14h
featureGETandSET+101                  test    eax, eax
featureGETandSET+103                  jnz     short loc_100012C4
featureGETandSET+105
featureGETandSET+105  loc_100012F5:                           ; CODE XREF: featureGETandSET+D2j
featureGETandSET+105                  mov     eax, dword_1001529E[esi]
featureGETandSET+10B                  test    eax, eax
featureGETandSET+10D                  jz      short loc_10001319
featureGETandSET+10F                  lea     eax, [ebx+9]
featureGETandSET+112                  lea     esi, [ebx+11h]
featureGETandSET+115                  push    eax             ; fOAEP
featureGETandSET+116                  push    esi             ; hCrypto
featureGETandSET+117                  call    Encrypt
featureGETandSET+11C                  lea     ecx, [ebx+2]
featureGETandSET+11F                  push    ecx             ; fOAEP
featureGETandSET+120                  push    esi             ; hCrypto
featureGETandSET+121                  call    Encrypt
featureGETandSET+126                  add     esp, 10h
featureGETandSET+129
featureGETandSET+129  loc_10001319:                           ; CODE XREF: featureGETandSET+10Dj
featureGETandSET+129                  mov     dl, [ebx+1]
featureGETandSET+12C                  push    edx
featureGETandSET+12D                  call    isEqu5Ah
featureGETandSET+132                  add     esp, 4
featureGETandSET+135
featureGETandSET+135  loc_10001325:                           ; CODE XREF: featureGETandSET+85j
featureGETandSET+135                                          ; featureGETandSET+D7j
featureGETandSET+135                  pop     edi
featureGETandSET+136                  pop     esi
featureGETandSET+137                  pop     ebp
featureGETandSET+138                  pop     ebx
featureGETandSET+139                  add     esp, 80h
featureGETandSET+13F                  retn
featureGETandSET+13F  featureGETandSET endp ; sp-analysis failed


Re: My try to clone/patch Rockey4nd

Post by BfoX on Fri Feb 24, 2017 10:51 am

0x5A


Re: My try to clone/patch Rockey4nd

Post by mardasmr on Fri Feb 24, 2017 11:02 am

Am I on the correct path BfoX?


Re: My try to clone/patch Rockey4nd

Post by sverox on Fri Feb 24, 2017 11:48 am

You are on the correct way. I like your project.
What model board do you use?


Re: My try to clone/patch Rockey4nd

Post by mardasmr on Fri Feb 24, 2017 12:03 pm

Arduino mini. But without bootloader. You can build it with discrete elements too.
V-usb is a very good library


Re: My try to clone/patch Rockey4nd

Post by califor on Fri Feb 24, 2017 11:37 pm

Imho, Rockey4ND used XOR encryption to communicate between dongle and dll



Re: My try to clone/patch Rockey4nd

Post by mardasmr on Sun Feb 26, 2017 9:02 am

I am still debugging/disassembling ry.dll in order to solve communication protocol.

Setting and getting reports are done in the following subroutine at 0x100011f0
Code:
featureGETandSET      var_80          = byte ptr -80h
featureGETandSET      command         = dword ptr  4
featureGETandSET      databuffer      = dword ptr  8
featureGETandSET      randomkey       = dword ptr  0Ch
featureGETandSET
featureGETandSET                      sub     esp, 80h
featureGETandSET+6                    push    ebx
featureGETandSET+7                    mov     ebx, [esp+84h+databuffer]
featureGETandSET+E                    push    ebp
featureGETandSET+F                    push    esi
featureGETandSET+10                   mov     al, [ebx+1]
featureGETandSET+13                   mov     esi, [esp+8Ch+command]
featureGETandSET+1A                   cmp     al, 81h
featureGETandSET+1C                   push    edi
featureGETandSET+1D                   jnz     short loc_10001222
featureGETandSET+1F                   push    esi
featureGETandSET+20                   lea     eax, [esp+94h+var_80]
featureGETandSET+24                   push    offset aSetpassword2Ha ; "SETPASSWORD 2,handle %4x"
featureGETandSET+29                   push    eax             ; char *
featureGETandSET+2A                   call    _sprintf
featureGETandSET+2F                   add     esp, 0Ch
featureGETandSET+32
featureGETandSET+32   loc_10001222:                           ; CODE XREF: featureGETandSET+1Dj
featureGETandSET+32                   lea     eax, [esi+esi*2]
featureGETandSET+35                   shl     eax, 4
featureGETandSET+38                   add     eax, esi
featureGETandSET+3A                   lea     esi, [eax+eax*2]
featureGETandSET+3D                   shl     esi, 1
featureGETandSET+3F                   mov     eax, dword_1001529E[esi]
featureGETandSET+45                   test    eax, eax
featureGETandSET+47                   jz      short loc_10001253
featureGETandSET+49                   lea     ecx, [ebx+2]
featureGETandSET+4C                   lea     edi, [ebx+11h]
featureGETandSET+4F                   push    ecx             ; 2nd byte of the buffer
featureGETandSET+50                   push    edi             ; last 8 bytes of the buffer
featureGETandSET+51                   call    XoR
featureGETandSET+56                   lea     edx, [ebx+9]
featureGETandSET+59                   push    edx
featureGETandSET+5A                   push    edi
featureGETandSET+5B                   call    XoR
featureGETandSET+60                   add     esp, 10h
featureGETandSET+63
featureGETandSET+63   loc_10001253:                           ; CODE XREF: featureGETandSET+47j
featureGETandSET+63                   mov     eax, table[esi]
featureGETandSET+69                   push    ebx
featureGETandSET+6A                   push    eax
featureGETandSET+6B                   mov     edi, 1
featureGETandSET+70                   call    HidD_SetFeature_0
featureGETandSET+75                   mov     ebp, ds:Sleep
featureGETandSET+7B                   add     esp, 8
featureGETandSET+7E                   test    eax, eax
featureGETandSET+80                   jz      short loc_100012A4
featureGETandSET+82
featureGETandSET+82   loc_10001272:                           ; CODE XREF: featureGETandSET+B2j
featureGETandSET+82                   cmp     edi, 4
featureGETandSET+85                   jge     loc_10001325
featureGETandSET+8B                   push    64h             ; dwMilliseconds
featureGETandSET+8D                   call    ebp ; Sleep
featureGETandSET+8F                   push    edi
featureGETandSET+90                   lea     ecx, [esp+94h+var_80]
featureGETandSET+94                   push    offset aWritereportD ; "WriteReport %d"
featureGETandSET+99                   push    ecx             ; char *
featureGETandSET+9A                   call    _sprintf
featureGETandSET+9F                   mov     edx, table[esi]
featureGETandSET+A5                   push    ebx
featureGETandSET+A6                   push    edx
featureGETandSET+A7                   inc     edi
featureGETandSET+A8                   call    HidD_SetFeature_0
featureGETandSET+AD                   add     esp, 14h
featureGETandSET+B0                   test    eax, eax
featureGETandSET+B2                   jnz     short loc_10001272
featureGETandSET+B4
featureGETandSET+B4   loc_100012A4:                           ; CODE XREF: featureGETandSET+80j
featureGETandSET+B4                   mov     ebx, [esp+90h+randomkey]
featureGETandSET+BB                   mov     eax, table[esi]
featureGETandSET+C1                   push    ebx
featureGETandSET+C2                   push    eax
featureGETandSET+C3                   mov     edi, 1
featureGETandSET+C8                   call    HidD_GetFeature_0
featureGETandSET+CD                   add     esp, 8
featureGETandSET+D0                   test    eax, eax
featureGETandSET+D2                   jz      short loc_100012F5
featureGETandSET+D4
featureGETandSET+D4   loc_100012C4:                           ; CODE XREF: featureGETandSET+103j
featureGETandSET+D4                   cmp     edi, 4
featureGETandSET+D7                   jge     short loc_10001325
featureGETandSET+D9                   push    0C8h            ; dwMilliseconds
featureGETandSET+DE                   call    ebp ; Sleep
featureGETandSET+E0                   push    edi
featureGETandSET+E1                   lea     ecx, [esp+94h+var_80]
featureGETandSET+E5                   push    offset aReadreportD ; "ReadReport %d"
featureGETandSET+EA                   push    ecx             ; char *
featureGETandSET+EB                   call    _sprintf
featureGETandSET+F0                   mov     edx, table[esi]
featureGETandSET+F6                   push    ebx
featureGETandSET+F7                   push    edx
featureGETandSET+F8                   inc     edi
featureGETandSET+F9                   call    HidD_GetFeature_0
featureGETandSET+FE                   add     esp, 14h
featureGETandSET+101                  test    eax, eax
featureGETandSET+103                  jnz     short loc_100012C4
featureGETandSET+105
featureGETandSET+105  loc_100012F5:                           ; CODE XREF: featureGETandSET+D2j
featureGETandSET+105                  mov     eax, dword_1001529E[esi]
featureGETandSET+10B                  test    eax, eax
featureGETandSET+10D                  jz      short loc_10001319
featureGETandSET+10F                  lea     eax, [ebx+9]
featureGETandSET+112                  lea     esi, [ebx+11h]
featureGETandSET+115                  push    eax
featureGETandSET+116                  push    esi
featureGETandSET+117                  call    XoR
featureGETandSET+11C                  lea     ecx, [ebx+2]
featureGETandSET+11F                  push    ecx
featureGETandSET+120                  push    esi
featureGETandSET+121                  call    XoR
featureGETandSET+126                  add     esp, 10h
featureGETandSET+129
featureGETandSET+129  loc_10001319:                           ; CODE XREF: featureGETandSET+10Dj
featureGETandSET+129                  mov     dl, [ebx+1]
featureGETandSET+12C                  push    edx
featureGETandSET+12D                  call    isEqu5Ah
featureGETandSET+132                  add     esp, 4
featureGETandSET+135
featureGETandSET+135  loc_10001325:                           ; CODE XREF: featureGETandSET+85j
featureGETandSET+135                                          ; featureGETandSET+D7j
featureGETandSET+135                  pop     edi
featureGETandSET+136                  pop     esi
featureGETandSET+137                  pop     ebp
featureGETandSET+138                  pop     ebx
featureGETandSET+139                  add     esp, 80h
featureGETandSET+13F                  retn
featureGETandSET+13F  featureGETandSET endp
featureGETandSET+13F

Sending reports:
It fills 25 bytes of the communication buffer with random data.
It applies a simple XOR over the p1, p2, lp1 & lp3 bytes and writes them at predefined places in the communication buffer.
It calculates a CRC based on the buffer with the following subroutine at 0x10001820.
It writes the result in the last byte of the buffer.

Code:
rockeyCalcCrc      arg_0           = dword ptr  4
rockeyCalcCrc      arg_4           = dword ptr  8
rockeyCalcCrc
rockeyCalcCrc                      xor     al, al
rockeyCalcCrc+2                    xor     ecx, ecx
rockeyCalcCrc+4
rockeyCalcCrc+4    loc_10001824:                           ; CODE XREF: rockeyCalcCrc+Ej
rockeyCalcCrc+4                    mov     dl, byte ptr [esp+ecx+arg_0+1]
rockeyCalcCrc+8                    xor     al, dl
rockeyCalcCrc+A                    inc     ecx
rockeyCalcCrc+B                    cmp     ecx, 5
rockeyCalcCrc+E                    jl      short loc_10001824
rockeyCalcCrc+10                   xor     ecx, ecx
rockeyCalcCrc+12
rockeyCalcCrc+12   loc_10001832:                           ; CODE XREF: rockeyCalcCrc+1Cj
rockeyCalcCrc+12                   mov     dl, byte ptr [esp+ecx+arg_4+2]
rockeyCalcCrc+16                   xor     al, dl
rockeyCalcCrc+18                   inc     ecx
rockeyCalcCrc+19                   cmp     ecx, 12h
rockeyCalcCrc+1C                   jl      short loc_10001832
rockeyCalcCrc+1E                   retn

The following routine is called twice on substrings of the communication buffer.
Whether it is called or not depends on something; I could not yet work out in which cases it is called. It looks like a decryption subroutine.

Am I right? How do I reverse it?

Any idea about this subroutine?


Code:
XoR      XoR             proc near               ; CODE XREF: featureGETandSET+51p
XoR                                              ; featureGETandSET+5Bp
XoR                                              ; featureGETandSET+117p
XoR                                              ; featureGETandSET+121p
XoR
XoR      arg_0           = dword ptr  4
XoR      arg_4           = dword ptr  8
XoR
XoR                      mov     edx, [esp+arg_4]
XoR+4                    push    ebx
XoR+5                    push    ebp
XoR+6                    push    esi
XoR+7                    push    edi
XoR+8                    mov     edi, [esp+10h+arg_0]
XoR+C                    mov     ebp, edi
XoR+E                    xor     ecx, ecx
XoR+10                   sub     ebp, edx
XoR+12
XoR+12   ____loop:                               ; CODE XREF: XoR+41j
XoR+12                   xor     eax, eax
XoR+14
XoR+14   ___loopA:                               ; CODE XREF: XoR+21j
XoR+14                   mov     bl, cl
XoR+16                   or      bl, al
XoR+18                   add     bl, [eax+edi]
XoR+1B                   inc     eax
XoR+1C                   add     [edx], bl
XoR+1E                   cmp     eax, 8
XoR+21                   jl      short ___loopA
XoR+23                   xor     esi, esi
XoR+25
XoR+25   ____loopB:                              ; CODE XREF: XoR+32j
XoR+25                   mov     al, [esi+edi]
XoR+28                   dec     al
XoR+2A                   imul    cl
XoR+2C                   xor     [edx], al
XoR+2E                   inc     esi
XoR+2F                   cmp     esi, 8
XoR+32                   jl      short ____loopB
XoR+34                   mov     al, [edx+ebp]
XoR+37                   shl     al, cl
XoR+39                   inc     ecx
XoR+3A                   inc     edx
XoR+3B                   xor     [edx-1], al
XoR+3E                   cmp     ecx, 8
XoR+41                   jl      short ____loop
XoR+43                   pop     edi
XoR+44                   pop     esi
XoR+45                   pop     ebp
XoR+46                   pop     ebx
XoR+47                   retn
XoR+47   XoR             endp

mardasmr

Posts : 28
Points : 41
Reputation : -10
Join date : 2017-02-23


Re: My try to clone/patch Rockey4nd

Post by BfoX on Sun Feb 26, 2017 1:14 pm

Why not use the Hex-Rays plug-in for IDA? Maybe the C source will be near to you.

BfoX

Posts : 1008
Points : 1309
Reputation : 232
Join date : 2012-04-18
Location : Earth


Re: My try to clone/patch Rockey4nd

Post by mardasmr on Sun Feb 26, 2017 1:41 pm

BfoX wrote: Why not use the Hex-Rays plug-in for IDA? Maybe the C source will be near to you.
I did already, the RetDec plugin too. I am porting this function into C to see how it works. I will work out how it works.
But I wonder what it is used for. For decryption of the incoming USB response from the dongle?

mardasmr

