ARM assembly help needed

(OP)
My ARM CPU based software has been cracked and I have been comparing the cracked version to the normal version and am trying to figure out what the cracker changed.  I have ASM from both versions and need them commented so I can figure out what exactly is going on.  I have tried using an ARM manual but some instructions are different and I couldn't find them, it would be great if someone could lend a hand in figuring out about 100 lines of ARM ASM.  Please post your email if you can help and I can send you the ASM.

Or if you know of another forum or website I should be asking this in please let me know, I searched for other ARM assembly forums but this was the closest one I found.

RE: ARM assembly help needed

Post your code please, E-mail addresses will not be given on this side, see policy info.

Tessa

RE: ARM assembly help needed

I take it your original version was compiled from say C or C++ code?

The first step would be to find out which module and function the modified ASM corresponds to.  For this, you need a map file (which is produced by the linker).

--

RE: ARM assembly help needed

(OP)
Yes I have the original source, I just recompiled it from backups which created an exe with only 1 byte difference, I then created a map file and used the asm to find which function the changes are in, they are all in one, the function that creates the main window.  This makes perfect sense as this is where the license information is loaded and checked.  As excited as I was once this matched up it turns out not to be very useful as everything is happening in the same function, thanks for your tip though, I didn't know how to match up asm and C functions before, now I do :)

RE: ARM assembly help needed

(OP)
Ok here is the first snippet

My newbie analysis is this change removes the conditional branch to the dialog box (loc_21AB4) which says your license is invalid and replaces it with a permanent branch to a loc_93724, loc_93724 is where the real hack is taking place probably, I will add it next...

Is this what is going on here so far?

CODE

-----------------------------------------------------------------------------
original section 1
-----------------------------------------------------------------------------

loc_2189C
; sub_20894+F40
; sub_20894+FE4
CMP    R0, #0
MOVMI    R4, R0
BMI    loc_21AB4
LDRB    R3, [R9]
MOV    R3, R3,LSR#5
BIC    R3, R3,    #1
LDRB    R2, [R9]
MOV    R2, R2,LSR#4
AND    R2, R2,    #1
ORR    R3, R3,    R2
LDRB    R2, [R9]
MOV    R2, R2,LSR#1
AND    R2, R2,    #1
ORR    R3, R2,    R3,LSL#1
LDRB    R2, [R9,#1]


-----------------------------------------------------------------------------
'cracked' modified section 1
only the first 4 lines were changed
-----------------------------------------------------------------------------

loc_2189C
; sub_20894+F40
; sub_20894+FE4
MOV    R0, R9        ; void *
LDR    R1, =loc_93724    ; void *
MOV    R2, #0xE    ; size_t
BL    memcpy
MOV    R3, R3,LSR#5
BIC    R3, R3,    #1
LDRB    R2, [R9]
MOV    R2, R2,LSR#4
AND    R2, R2,    #1
ORR    R3, R3,    R2
LDRB    R2, [R9]
MOV    R2, R2,LSR#1

RE: ARM assembly help needed

(OP)
Does anyone know what the following instructions do?

STRLTB    
CMNNE    
MCRRHI    
RSBEQ    
RSBEQS    
EOREQ    
ANDEQ

Or have a link to an online reference for them?  I have found variants of some of them here http://www.heyrick.co.uk/assembler/qfinder.html but none of them are exact and some of them are missing.

RE: ARM assembly help needed

What's the object of the exercise here?

Sure you can find out what's been done to your code, but knowing it isn't going to help you stop it in future.

Basically, all that's happened is replacing code which looks like
if(invalidKey)myDialog(key);
with what seems to be
memcpy(key,hackedkey,14);

--

RE: ARM assembly help needed

(OP)
Hi Salem, yes that is the beginning of it, but there is another section which looks like it is copying in the hacked key, but may be doing something else and I was wanting to find out what if anything.  There are various ways to stop it in the future, of course they aren't uncrackable, but they can make it very tedious or difficult to crack.

RE: ARM assembly help needed

(OP)
Do you know ARM assembly?  Should I post the other section of code?

RE: ARM assembly help needed

Quote (Obelisk):

Does anyone know what the following instructions do?

STRLTB    
CMNNE    
MCRRHI    
RSBEQ    
RSBEQS    
EOREQ    
ANDEQ

CODE

STRLTB
    STR - Store
    LT - Less Than
    B - Byte
CMNNE
    CMN - Compare Negative
    NE - Not Equal
MCRRHI
    MCRR - Two Arm Register Move
    HI - Unsigned Higher (Greater Than or Unordered)
RSBEQ
    RSB - Reverse Subtract
    EQ - Equal
RSBEQS
    RSB - Reverse Subtract
    EQ - Equal
    S - Update Condition Flag
EOREQ
    EOR - Logical Exclusive Or (aka XOR)
    EQ - Equal
ANDEQ
    AND - Logical And
    EQ - Equal

Here are two references... (both PDFs)
http://www.arm.com/pdfs/QRC0001H_rvct_v2.1_arm.pdf
http://www.intel.com/design/iio/swsup/11139.pdf

the quickest way to sort out the elements in the code, is to locate the condition, which will be one of the following:

CODE

EQ - Equal
NE - Not equal
CS / HS - Carry Set / Unsigned higher or same
CC / LO - Carry Clear / Unsigned lower
MI - Negative
PL - Positive or zero
VS - Overflow
VC - No overflow
HI - Unsigned higher
LS - Unsigned lower or same
GE - Signed greater than or equal
LT - Signed less than
GT - Signed greater than
LE - Signed less than or equal
AL - Always (normally omitted)

Then use the above references to find the meaning of the other field(s)

Hope this helps
-Josh

PROGRAMMER: (n) Red-eyed, mumbling mammal capable of conversing with inanimate objects.
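Added here as an example (not code from the thread or from Josh): a small Python decoder that applies the rule above to the mnemonics asked about, locating the two-letter condition first and then reading the base and suffix fields. The base-mnemonic table is an assumption limited to the instructions that appear in this thread.

```python
# Added example (not from the thread): split an ARM mnemonic such as STRLTB or
# RSBEQS into base, condition and suffix, following Josh's rule: find the condition first.
# Condition codes from the post above; AL is the default when none is written.
CONDITIONS = {
    "EQ": "Equal", "NE": "Not equal",
    "CS": "Carry set / unsigned higher or same",
    "HS": "Carry set / unsigned higher or same",
    "CC": "Carry clear / unsigned lower", "LO": "Carry clear / unsigned lower",
    "MI": "Negative", "PL": "Positive or zero", "VS": "Overflow", "VC": "No overflow",
    "HI": "Unsigned higher", "LS": "Unsigned lower or same",
    "GE": "Signed greater than or equal", "LT": "Signed less than",
    "GT": "Signed greater than", "LE": "Signed less than or equal", "AL": "Always",
}
# Base mnemonics seen in this thread only (assumption: a real tool would carry
# the full ARM set), each with the trailing suffixes it may legally take.
BASES = {
    "STR": ("Store", {"", "B"}), "LDR": ("Load", {"", "B"}),
    "CMN": ("Compare negative", {""}), "CMP": ("Compare", {""}),
    "MCRR": ("Move two ARM registers to coprocessor", {""}),
    "RSB": ("Reverse subtract", {"", "S"}), "EOR": ("Exclusive OR", {"", "S"}),
    "AND": ("Logical AND", {"", "S"}), "ORR": ("Logical OR", {"", "S"}),
    "BIC": ("Bit clear", {"", "S"}), "MOV": ("Move", {"", "S"}),
    "B": ("Branch", {""}), "BL": ("Branch with link", {""}),
}

def decode(mnemonic):
    """Return (base, cond, suffix). Bases are tried longest first, so MCRRHI is
    MCRR+HI and BLEQ is BL+EQ, while BLE (no valid BL suffix) falls to B+LE."""
    m = mnemonic.strip().upper()
    for base in sorted(BASES, key=len, reverse=True):
        if not m.startswith(base):
            continue
        rest = m[len(base):]
        cond, tail = "AL", rest
        if rest[:2] in CONDITIONS:
            cond, tail = rest[:2], rest[2:]
        if tail in BASES[base][1]:
            return base, cond, tail
    raise ValueError("cannot decode " + mnemonic)

def describe(mnemonic):
    """One-line reading of a mnemonic, e.g. for annotating a disassembly listing."""
    base, cond, tail = decode(mnemonic)
    text = base + " (" + BASES[base][0] + ")"
    if cond != "AL":
        text += ", if " + cond + " (" + CONDITIONS[cond] + ")"
    if tail:
        text += ", " + tail + (" (update condition flags)" if tail == "S" else " (byte)")
    return text
```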

RE: ARM assembly help needed

(OP)
Awesome Josh, thanks, I'll use that this weekend and see if I can decipher the assembly, I'll post what I figure out so maybe someone can validate if I'm on the right track...

RE: ARM assembly help needed

(OP)
I don't think I'm having much luck understanding what's going on, I can decipher the code, but have a few questions:

1) what values are in the registers to begin with?
2) in a RSB I don't understand what the EQ does

Here is the code I'm working on right now...

CODE

Notes:
Compare negative        CMN{cond} Rn, <Operand2>                      N Z C V   Update CPSR flags on Rn + Operand2
Two ARM register move   5E*  MCRR{cond} <copr>, <op1>, Rd, Rn, CRm              Coprocessor dependent
Reverse subtract        RSB{cond}{S} Rd, Rn, <Operand2>               N Z C V   Rd := Operand2 - Rn
Rotate right extended   Rm, RRX
Rotate right register   Rm, ROR Rs

STRLTB    SP, [R3,R1,LSR#19]    ;store SP at R3+(R1>>19)
CMNNE    R12, #0x55000000    ;R12 + 0x55000000 != ?
MCRRHI    p8, 9, LR,R10,c10    ;?
RSBEQ    R9, R7,    R9,LSR#6    ;R9 := (R9<<6) - R7
RSBEQS    R0, R3,    R9,RRX
RSBEQS    R0, R2,    R4,ROR R0
RSBEQS    R0, R4,    R1,RRX
RSBEQ    R0, PC,    R9,RRX
EOREQ    R0, R0,    LR,RRX
RSBEQ    R0, R1,    R8,RRX
continues...
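Added here as an example (not code from the thread): a small Python evaluator for the RSB{cond}{S} Rd, Rn, <Operand2> form with the shifted operands used in the listing above (LSR#n, ROR Rs, RRX). It shows that the EQ suffix only gates execution on the Z flag and that an operand such as R9,LSR#6 is a logical right shift evaluated before the reverse subtract. The register and flag start values in the test are constructed; the thread never states the real ones, since they depend on the caller.

```python
# Added example (not from the thread): evaluate RSB{cond}{S} Rd, Rn, <Operand2>
# with the barrel-shifter operand forms that appear in the listing above.
MASK = 0xFFFFFFFF

def cond_passes(cond, f):
    """ARM condition test on the NZCV flags (f maps 'N','Z','C','V' to bools).
    The suffix only decides whether the instruction executes; RSBEQ does nothing while Z is clear."""
    return {
        "EQ": f["Z"], "NE": not f["Z"], "MI": f["N"], "PL": not f["N"],
        "CS": f["C"], "CC": not f["C"], "VS": f["V"], "VC": not f["V"],
        "HI": f["C"] and not f["Z"], "LS": (not f["C"]) or f["Z"],
        "GE": f["N"] == f["V"], "LT": f["N"] != f["V"],
        "GT": (not f["Z"]) and f["N"] == f["V"], "LE": f["Z"] or f["N"] != f["V"],
        "AL": True,
    }[cond]

def operand2(spec, regs, f):
    """Second operand: '#imm', 'Rm', 'Rm,LSR#n', 'Rm,LSL#n', 'Rm,ROR Rs' or 'Rm,RRX'."""
    spec = spec.replace(" ", "")
    if spec.startswith("#"):
        return int(spec[1:], 0) & MASK
    rm, _, shift = spec.partition(",")
    val = regs[rm]
    if not shift:
        return val
    if shift == "RRX":                      # rotate right one bit through carry
        return ((int(f["C"]) << 31) | (val >> 1)) & MASK
    op, amt = shift[:3], shift[3:]
    n = int(amt[1:], 0) if amt.startswith("#") else regs[amt] & 0xFF
    if op == "LSR":                         # logical shift right, zero fill
        return (val >> n) if n < 32 else 0
    if op == "LSL":
        return (val << n) & MASK if n < 32 else 0
    if op == "ROR":
        n %= 32
        return ((val >> n) | (val << (32 - n))) & MASK
    raise ValueError("unsupported operand " + spec)

def rsb(cond, set_flags, rd, rn, op2, regs, f):
    """RSB: Rd := Operand2 - Rn, if cond passes. Returns True if it executed.
    With the S suffix the NZCV flags are rewritten from the result."""
    if not cond_passes(cond, f):
        return False
    a, b = operand2(op2, regs, f), regs[rn]
    res = (a - b) & MASK
    regs[rd] = res
    if set_flags:
        f["N"], f["Z"] = bool(res >> 31), res == 0
        f["C"] = a >= b                     # carry set means no borrow
        f["V"] = bool(((a ^ b) & (a ^ res)) >> 31)
    return True
```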
