ARM assembly help needed 2

[Obelisk]

My ARM CPU based software has been cracked and I have been comparing the cracked version to the normal version and am trying to figure out what the cracker changed. I have ASM from both versions and need them commented so I can figure out what exactly is going on. I have tried using an ARM manual but some instructions are different and I couldn't find them, it would be great if someone could lend a hand in figuring out about 100 lines of ARM ASM. Please post your email if you can help and I can send you the ASM.

Or if you know of another forum or website I should be asking this in please let me know, I searched for other ARM assembly forums but this was the closest one I found.

 

[TessaBonting]

Post your code please, E-mail addresses will not be
given on this side, see policy info.

Tessa

 

[Salem]

I take it your original version was compiled from say C or C++ code?

The first step would be to find out which module and function the modified ASM corresponds to. For this, you need a map file (which is produced by the linker).

--

 

[Obelisk]

Yes I have the original source, I just recompiled it from backups which created an exe with only 1 byte difference, I then created a map file and used the asm to find which function the changes are in, they are all in one, the function that creates the main window. This makes perfect sense as this is where the license information is loaded and checked. As excited as I was once this matched up it turns out not to be very useful as everything is happening in the same function, thanks for you tip though, I didn't know how to match up asm and C functions before, now I do

 

[Obelisk]

Ok here is the first snippet

My newbie anaylis is this change removes the conditional branch to the dialog box (loc_21AB4) which says your license is invalid and replaces it with a permanent branch to a loc_93724, loc_93724 is where the real hack is taking place probably, I will add it next...

Is this what is going on here so far?

-----------------------------------------------------------------------------
orginal section 1
-----------------------------------------------------------------------------

loc_2189C
; sub_20894+F40
; sub_20894+FE4
CMP	R0, #0
MOVMI	R4, R0
BMI	loc_21AB4
LDRB	R3, [R9]
MOV	R3, R3,LSR#5
BIC	R3, R3,	#1
LDRB	R2, [R9]
MOV	R2, R2,LSR#4
AND	R2, R2,	#1
ORR	R3, R3,	R2
LDRB	R2, [R9]
MOV	R2, R2,LSR#1
AND	R2, R2,	#1
ORR	R3, R2,	R3,LSL#1
LDRB	R2, [R9,#1]


-----------------------------------------------------------------------------
'cracked' modified section 1
only the first 4 lines were changed
-----------------------------------------------------------------------------

loc_2189C
; sub_20894+F40
; sub_20894+FE4
MOV	R0, R9		; void *
LDR	R1, =loc_93724	; void *
MOV	R2, #0xE	; size_t
BL	memcpy
MOV	R3, R3,LSR#5
BIC	R3, R3,	#1
LDRB	R2, [R9]
MOV	R2, R2,LSR#4
AND	R2, R2,	#1
ORR	R3, R3,	R2
LDRB	R2, [R9]
MOV	R2, R2,LSR#1

 

[Obelisk]

Does anyone know what the following instructions do?

STRLTB
CMNNE
MCRRHI
RSBEQ
RSBEQS
EOREQ
ANDEQ

Or have a link to an online reference for them? I have found variants of some of them here

http://www.heyrick.co.uk/assembler/qfinder.html

but none of them are exact and some of them are missing.

 

[Salem]

What's the object of the exercise here?

Sure you can find out what's been done to your code, but knowing it isn't going to help you stop it in future.

Basically, all that's happened is replacing code which looks like
[tt]if(invalidKey)myDialog(key);[/tt]
with what seems to be
[tt]memcpy(key,hackedkey,14);[/tt]

--

 

[Obelisk]

Hi Salem, yes that is the beginning of it, but there is another section which looks like it is copying in the hacked key, but may be doing something else and I was wanting to find out what if anything. There are various ways to stop it in the future, of course they aren't uncrackable, but they can make it very tedious or difficult to crack.

 

[Obelisk]

Do you know ARM assembly? Should I post the other section of code?

 

[CubeE101]

Does anyone know what the following instructions do?

STRLTB
CMNNE
MCRRHI
RSBEQ
RSBEQS
EOREQ
ANDEQ

[b]STRLTB[/b]
	STR - Store
	LT - Less Than
	B - Byte
[b]CMNNE[/b]
	CMN - Compare Negative
	NE - Not Equal
[b]MCRRHI[/b]
	MCRR - Two Arm Register Move
	HI - Unsigned Higher (Greater Than or Unordered)
[b]RSBEQ[/b]
	RSB - Reverse Subtract
	EQ - Equal
[b]RSBEQS[/b]
	RSB - Reverse Subtract
	EQ - Equal
	S - Ubdate Codition Flag
[b]EOREQ[/b]
	EOR - Logical Exclusive Or (aka XOR)
	EQ - Equal
[b]ANDEQ[/b]
	AND - Logical And
	EQ - Equal

Here are two references... (both PDFs)

http://www.arm.com/pdfs/QRC0001H_rvct_v2.1_arm.pdf

http://www.intel.com/design/iio/swsup/11139.pdf

the quickest way to sort out the elements in the code, is to locate the condition, which will be one of the following:

EQ - Equal
NE - Not equal
CS / HS - Carry Set / Unsigned higher or same
CC / LO - Carry Clear / Unsigned lower
MI - Negative
PL - Positive or zero
VS - Overflow
VC - No overflow
HI - Unsigned higher
LS - Unsigned lower or same
GE - Signed greater than or equal
LT - Signed less than
GT - Signed greater than
LE - Signed less than or equal
AL - Always (normally omitted)

Then use the above references to find the meaning of the other field(s)

Hope this helps ;-)
-Josh


Visit My Site
PROGRAMMER: Red-eyed, mumbling mammal capable of conversing with inanimate objects.

 

[Obelisk]

Awesome Josh, thanks, I'll use that this weekend and see if I can decipher the assembly, I'll post what I figure out so maybe someone can validate if I'm on the right track...

 

[Obelisk]

I don't think I'm having much luck of understanding whats going on, I can decipher the code, but have a few questions:

1) what values are in the registers to begin with?
2) in a RSB I don't understand what the EQ does

Here is the code I'm working on right now...

Notes:
Compare negative CMN{cond} Rn, <Operand2> N Z C V Update CPSR flags on Rn + Operand2
Two ARM register move 5E* MCRR{cond} <copr>, <op1>, Rd, Rn, CRm Coprocessor dependent reverse subtract RSB{cond}{S} Rd, Rn, <Operand2> N Z C V Rd := Operand2 – Rn
Rotate right extended Rm, RRX
Rotate right register Rm, ROR Rs

STRLTB	SP, [R3,R1,LSR#19]	;store SP at R3+(R1>>19)
CMNNE	R12, #0x55000000	;R12 + 0x55000000 != ?
MCRRHI	p8, 9, LR,R10,c10	;?
RSBEQ	R9, R7,	R9,LSR#6	;R9 := (R9<<6) - R7
RSBEQS	R0, R3,	R9,RRX
RSBEQS	R0, R2,	R4,ROR R0
RSBEQS	R0, R4,	R1,RRX
RSBEQ	R0, PC,	R9,RRX
EOREQ	R0, R0,	LR,RRX
RSBEQ	R0, R1,	R8,RRX
continues...

 

[TrojanWarBlade]

Not sure if this helps:

http://www.heyrick.co.uk/assembler/qfinder.html

(very injured) Trojan.