
Tuesday, June 30, 2015

Best Reverser Write-Up: Analyzing Uncommon Firmware

While developing the tasks for the PHDays reverse engineering contest, we aimed to replicate the real problems that RE specialists face, while avoiding tasks that admit cliché solutions.

Let us define what a common reverse engineering task looks like. We are given an executable file for Windows (or Linux, macOS or any other widely used operating system). We can run it, watch it in a debugger, and twist it in virtual environments in any way we like. The file format is known. The processor's instruction set is x86, AMD64 or ARM. Library functions and system calls are documented. The hardware can be accessed only through the operating system. Tools like IDA Pro and Hex-Rays make the analysis of such applications very simple; debug protection, virtual machines with their own instruction sets, and obfuscation could complicate the task, but large vendors hardly ever use any of those in their programs. So there's no point in building a contest around skills that are rarely needed in practice.

However, there is another area where reverse engineering has become more in demand: firmware analysis. The input file (the firmware) may come in any format and may be packed or encrypted. The operating system may be obscure, or there may be no operating system at all. Parts of the code may be impossible to change with firmware updates. The processor may be of any architecture (for example, IDA Pro "knows" no more than 100 different processors). And of course there is no documentation, and debugging or code execution is impossible: you have the firmware, but not the device.

Our contest's participants needed to analyze an executable file and find the correct key and the corresponding email (any internet user could take part in the contest).

Part One: Loader

At the first stage, the input file is an ELF file compiled with a cross compiler for the PA-RISC architecture. IDA can work with this architecture, but not as well as with x86. Most accesses to stack variables are not identified automatically, so you have to do that by hand. At least you can see all the library functions (log, printf, memcpy, strlen, fprintf, sscanf, memset, strspn) and even symbolic names for some of the program's own functions (c32, exk, cry, pad, dec, cen, dde). The program expects two input arguments: an email and a key.

It's not hard to figure out that the key should consist of two parts separated by the "-" character. The first part consists of seven MIME64 characters (0-9A-Za-z+/), the second of 32 hex characters that decode to 16 bytes.

Further on, we see calls to the c32 function, which produce:

t = c32(-1, argv[1], strlen(argv[1])+1)
k = ~c32(t, argv[2], strlen(argv[2])+1)

The function's name is a hint: it is a CRC32 function, which is confirmed by the constant 0xEDB88320.
Next, the dde function (short for doDecrypt) is called. It receives the inverted output of the CRC32 function (the encryption key) as its first argument, and the address and the size of the encrypted array as the second and third.

Decryption is performed by BTEA (Block Tiny Encryption Algorithm), based on the code taken from Wikipedia. BTEA can be guessed from the use of the constant DELTA == 0x9E3779B9. The constant is also used in the other algorithms on which BTEA is based, but there are not many of them.

The key should be 128 bits wide, but CRC32 gives us only 32 bits. So we obtain three more DWORDs from the exk function (expand_key), each by multiplying the previous value by the same DELTA.

However, the way BTEA is used here is uncommon. First, the algorithm supports a variable block size, and we use a 12-byte block (there are processors with 24-bit registers and memory words, so why restrict ourselves to powers of two). Second, we swapped the encryption and decryption functions.

Since a data stream is encrypted, cipher block chaining (CBC) is applied. The entropy of the decrypted data is calculated in the cen function (calc_enthropy). If its value exceeds 7, the decryption result is considered incorrect and the program exits.

The encryption key is 32 bits wide, so it seems easy to brute-force. However, checking each key requires decrypting 80 kilobytes of data and then computing the entropy, so brute-forcing the key this way takes a long time.

But after that calculation we call the pad function (strip_pad), which checks and removes PKCS#7 padding. Thanks to how CBC works, we need to decrypt only one block (the last one), extract the last byte N, check that it lies between 1 and 12 (inclusive) and that each of the last N bytes equals N. This greatly reduces the work needed to check one key. But if the last decrypted byte equals 1 (which happens for 1 in 256 keys), the full check still has to be performed.

A faster method is to assume that the decrypted data has a DWORD-aligned length (a multiple of 4 bytes). Then the last DWORD of the last block can take only one of three values: 0x04040404, 0x08080808 or 0x0C0C0C0C. Combining this heuristic with brute force, you can run through all possible keys and find the right one in under 20 minutes.
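To make the key check concrete, here is an added example in Python (not the contest's own code) that reimplements the loader's scheme as described above: XXTEA from the public reference code with 3-word blocks, the CRC-to-128-bit key expansion by DELTA, CBC with the swapped direction, and a per-key check that decrypts only the last block and applies the DWORD-aligned filter before the full PKCS#7 test. The zero IV, the big-endian word order and the sample plaintext are assumptions made for the example.

```python
import struct

DELTA, MASK, WORDS = 0x9E3779B9, 0xFFFFFFFF, 3      # BTEA constant; 12-byte block = 3 words
FAST_TAILS = {0x04040404, 0x08080808, 0x0C0C0C0C}    # PKCS#7 tails of a DWORD-aligned message

def expand_key(crc):                                 # exk(): each further word = previous * DELTA
    key = [crc & MASK]
    for _ in range(3): key.append((key[-1] * DELTA) & MASK)
    return key

def btea(v, n, key):
    # XXTEA as in the public reference code: n > 0 is its "encrypt", n < 0 its "decrypt"
    v = list(v)
    def mx(z, y, s, p, e):
        return (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((s ^ y) + (key[p & 3 ^ e] ^ z))) & MASK
    if n > 0:
        s, z = 0, v[n - 1]
        for _ in range(6 + 52 // n):
            s = (s + DELTA) & MASK
            e = (s >> 2) & 3
            for p in range(n - 1):
                y = v[p + 1]
                z = v[p] = (v[p] + mx(z, y, s, p, e)) & MASK
            y = v[0]
            z = v[n - 1] = (v[n - 1] + mx(z, y, s, n - 1, e)) & MASK
    else:
        n, rounds = -n, 6 + 52 // -n
        s, y = (rounds * DELTA) & MASK, v[0]
        for _ in range(rounds):
            e = (s >> 2) & 3
            for p in range(n - 1, 0, -1):
                z = v[p - 1]
                y = v[p] = (v[p] - mx(z, y, s, p, e)) & MASK
            z = v[n - 1]
            y = v[0] = (v[0] - mx(z, y, s, 0, e)) & MASK
            s = (s - DELTA) & MASK
    return v
def words(b): return struct.unpack(">3I", b)         # big-endian words: PA-RISC (assumed order)
def unwords(w): return struct.pack(">3I", *w)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt_for_task(key, padded):
    # builds test data with a zero IV (assumed); the task's dde() runs the n > 0 direction,
    # so ciphertext it can open is produced with the reference n < 0 direction
    out, prev = b"", bytes(12)
    for i in range(0, len(padded), 12):
        prev = unwords(btea(words(xor(padded[i:i + 12], prev)), -WORDS, key))
        out += prev
    return out
def last_block_plain(key, ct):
    # CBC: P_last = dde(C_last) XOR C_prev, so one block per candidate key is enough
    prev = ct[-24:-12] if len(ct) >= 24 else bytes(12)
    return xor(unwords(btea(words(ct[-12:]), WORDS, key)), prev)
def padding_ok(plain):
    # strip_pad(): PKCS#7 with N in 1..12 and each of the last N bytes equal to N
    n = plain[-1]
    return 1 <= n <= 12 and plain[-n:] == bytes([n]) * n
def check_key(crc, ct):
    # cheap DWORD-aligned filter first, then the full padding check
    p = last_block_plain(expand_key(crc), ct)
    return struct.unpack(">I", p[-4:])[0] in FAST_TAILS and padding_ok(p)

# constructed demo: a 20-byte message padded to 24 bytes, so the valid tail must be 0x04040404
TRUE_CRC = 0x1234ABCD
PADDED = b"firmware image bytes" + bytes([4]) * 4
CT = cbc_encrypt_for_task(expand_key(TRUE_CRC), PADDED)
```

A brute-force loop over all 2^32 CRC values would call check_key for each; only the last two ciphertext blocks are needed per candidate.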

If all the checks after decryption (entropy and padding integrity) succeed, we call the fire_second_proc function, which simulates launching a second CPU and loading the decrypted firmware data into it (modern devices usually have more than one processor, often with different architectures).

Once the second processor launches, it receives the user's email and the 16 bytes of the second part of the key via the send_auth_data function. At this point we made a mistake: the size passed was that of the email string instead of the size of the second part of the key.

Part Two: Firmware

The analysis of the second part is a little more complicated. There was no ELF file, only a memory image, without headers, function names or other metadata. The processor type and the load address were unknown as well.

We thought of brute force as the way to determine the processor architecture: open the image in IDA, set the next processor type, and repeat until IDA shows something resembling code. This brute force should lead to the conclusion that it is big-endian SPARC.

Now we need to determine the load address. The function at 0x22E0 is never called, but it contains a lot of code. We can assume it is the program's entry point, the start function.

In the third instruction of the start function, an unknown library function is called with a single argument == 0x126F0, and the same function is called from start four more times, always with arguments of similar values (0x12718, 0x12738, 0x12758, 0x12760). And in the middle of the image, starting at offset 0x2490, there are five text strings:

00002490    .ascii "Firmware loaded, sending ok back."<0>
000024B8    .ascii "Failed to retrieve email."<0>
000024D8    .ascii "Failed to retrieve codes."<0>
000024F8    .ascii "Gratz!"<0>
00002500    .ascii "Sorry may be next time..."<0>

Assuming that the load address equals 0x126F0 - 0x2490 == 0x10260, all the arguments point to these strings when the library function is called, and the unknown function turns out to be printf (or puts).

After changing the load base, the code looks something like this:

The value 0x0BA0BAB0, passed to the function sub_12194, can be found in the first part of the task in the function fire_second_proc, where it is compared with what we obtain from read_pipe_u32(). Thus sub_12194 should be named write_pipe_u32.

Similarly, two calls of the library function sub_24064 are memset(someVar, 0, 0x101) for the email and the code, while sub_121BC is read_pipe_str(), the counterpart of write_pipe_str() from the first part.

The first function (at offset 0, i.e. address 0x10260) has the typical constants of MD5_Init:

Next to the call to MD5_Init, it is easy to spot the functions MD5_Update() and MD5_Final(), preceded by a call to the library function strlen().

Not many unknown functions are left in start().

The sub_12480 function reverses a byte array of the specified length. In fact, it is memrev, and it receives the 16-byte code array as input.

Obviously, the sub_24040 function checks whether the code is correct. Its arguments are the calculated value of MD5(email), the array filled in by sub_12394, and the number 16. It must be a call to memcmp!

The real trick happens in sub_12394. There are almost no hints there, but the algorithm can be described in one phrase: the multiplication of a 128x128 binary matrix by a 128-bit binary vector. The matrix is stored in the firmware at 0x240B8.

Thus, the code is correct if MD5(email) == matrix_mul_vector(matrix, code).

Calculating the Key

To find the correct value of the code, you need to solve the system of binary (GF(2)) equations described by the matrix, where the right-hand side consists of the corresponding bits of MD5(email). If you have forgotten your linear algebra: this is easily solved by Gaussian elimination.
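The firmware's check from Part Two and its inversion described here, as an added Python example (not the firmware's or the contest's own code): the 128x128 GF(2) matrix-vector product as the firmware computes it, and Gaussian elimination over GF(2) that recovers a code with MD5(email) == matrix_mul_vector(matrix, code). The matrix (the real one lives at 0x240B8), the email, and the LSB-first bit order are constructed or assumed for the example; the memrev step before the product is kept.

```python
import hashlib
import random

N = 128   # the firmware multiplies a 128x128 binary matrix by a 128-bit vector

def bits(b):                  # byte array -> integer; bit i = bit (i % 8) of byte i // 8 (assumed order)
    return int.from_bytes(b, "little")

def unbits(x):
    return x.to_bytes(N // 8, "little")

def matrix_mul_vector(rows, vec):
    # rows[i] is the 128-bit mask of matrix row i; output bit i = parity(row_i AND vec) over GF(2)
    out = 0
    for i, r in enumerate(rows):
        out |= (bin(r & vec).count("1") & 1) << i
    return out

def firmware_check(rows, email, code):
    # sub_12480 (memrev) reverses the 16-byte code, sub_12394 does the product, memcmp compares
    digest = hashlib.md5(email).digest()
    return matrix_mul_vector(rows, bits(code[::-1])) == bits(digest)

def solve_gf2(rows, rhs):
    # Gaussian elimination over GF(2): x with rows * x == rhs (free bits set to 0), None if inconsistent
    aug = [(r, (rhs >> i) & 1) for i, r in enumerate(rows)]   # (row mask, right-hand bit)
    pivots, top = [], 0
    for col in range(N):
        sel = next((k for k in range(top, N) if aug[k][0] >> col & 1), None)
        if sel is None:
            continue                                    # no pivot: free variable
        aug[top], aug[sel] = aug[sel], aug[top]
        for k in range(N):
            if k != top and aug[k][0] >> col & 1:
                aug[k] = (aug[k][0] ^ aug[top][0], aug[k][1] ^ aug[top][1])
        pivots.append((col, top))
        top += 1
    if any(r == 0 and b for r, b in aug[top:]):
        return None                                     # a 0 == 1 row: MD5(email) is unreachable
    x = 0
    for col, k in pivots:                               # reduced form: pivot row k fixes bit col
        x |= aug[k][1] << col
    return x

def find_code(rows, email):
    # invert the check: solve matrix * reverse(code) == MD5(email), then undo memrev
    x = solve_gf2(rows, bits(hashlib.md5(email).digest()))
    return None if x is None else unbits(x)[::-1]

def constructed_matrix(seed=1):
    # stand-in for the matrix at 0x240B8: the identity scrambled by random row operations,
    # which keeps it invertible so every email has exactly one valid code
    rng = random.Random(seed)
    rows = [1 << i for i in range(N)]
    for _ in range(4000):
        i, j = rng.sample(range(N), 2)
        rows[i] ^= rows[j]
    return rows

MATRIX = constructed_matrix()
EMAIL = b"reverser@example.com"   # constructed
```

For the real task the matrix rows would be read from the firmware image at 0x240B8 instead of constructed, and the row and bit order verified against a known-good pair if one is available.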

Once the right-hand part of the key is known (32 hexadecimal characters), we can try to pick the first seven characters so that the CRC32 result equals the value found for the BTEA key. There are about 1024 such values, and they can be obtained quickly by brute force, or by inverting CRC32 and checking for valid characters.

Now you need to put everything together and get the key that passes all the checks and is recognized as valid by our verifier :)

We were afraid that no one would be able to solve the task from beginning to end. Fortunately, Victor Alyushin showed that our fears were groundless. You can find his write-up on the task at [link missing]. This is the second time Victor Alyushin has won the contest (he was the winner in 2013 as well).
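The last step, picking the seven MIME64 characters so that the loader's CRC32 chain yields the BTEA key, as an added Python example (not the contest's code): it walks CRC32 backwards over the known suffix ("-", the hex part and the NUL terminator), enumerates three free characters, forces the remaining four bytes from the target state, and keeps only hits inside the alphabet. The email, hex part and target key are constructed; the NUL-terminated lengths follow the c32 calls shown in Part One.

```python
import string

CRC_POLY = 0xEDB88320                     # the constant that identified c32() as CRC32
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
    TABLE.append(c)
REV = {t >> 24: i for i, t in enumerate(TABLE)}   # the table's top bytes are all distinct
ALPHABET = (string.digits + string.ascii_uppercase + string.ascii_lowercase + "+/").encode()

def c32(init, data):
    # running CRC32 state as the loader's c32(init, buf, len) computes it, no final inversion
    crc = init & 0xFFFFFFFF
    for b in data:
        crc = TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc

def loader_key(email, key):
    # t = c32(-1, argv[1], strlen+1); k = ~c32(t, argv[2], strlen+1)   (NUL terminators included)
    t = c32(0xFFFFFFFF, email + b"\0")
    return c32(t, key + b"\0") ^ 0xFFFFFFFF

def unstep(state, suffix):
    # walk the CRC backwards over known trailing bytes: returns the state before `suffix`
    for b in reversed(suffix):
        idx = REV[state >> 24]
        state = (((state ^ TABLE[idx]) << 8) & 0xFFFFFFFF) | (idx ^ b)
    return state

def force4(state, target):
    # the 4 bytes that take `state` to `target`: the final state depends only on the four
    # table indices used, which are read off `target` one byte at a time from the top
    idx, d = [0] * 4, target
    for k in range(3, -1, -1):
        sh = 8 * (3 - k)
        idx[k] = REV[(d >> (24 - sh)) & 0xFF]
        d ^= TABLE[idx[k]] >> sh
    out = bytearray()
    for k in range(4):
        out.append(idx[k] ^ (state & 0xFF))
        state = TABLE[(state ^ out[-1]) & 0xFF] ^ (state >> 8)
    return bytes(out)

def find_prefix(email, hex_part, btea_key):
    # first 7 MIME64 chars P with loader_key(email, P + "-" + hex_part) == btea_key:
    # fix the state needed after P, try 3 free chars, force the other 4, keep alphabet hits
    want = unstep(btea_key ^ 0xFFFFFFFF, b"-" + hex_part + b"\0")
    t = c32(0xFFFFFFFF, email + b"\0")
    for a in ALPHABET:
        for b in ALPHABET:
            for c in ALPHABET:
                tail = force4(c32(t, bytes([a, b, c])), want)
                if all(x in ALPHABET for x in tail):
                    return bytes([a, b, c]) + tail
    return None

EMAIL, HEX_PART, BTEA_KEY = b"reverser@example.com", b"00112233445566778899aabbccddeeff", 0xDEADBEEF  # constructed

if __name__ == "__main__":
    print(find_prefix(EMAIL, HEX_PART, BTEA_KEY))
```

About one prefix in 256 survives the alphabet filter, which matches the roughly 1024 valid prefixes among the 64^3 choices of the three free characters.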

A participant who wished to remain anonymous solved a part of the task and took second place.

Thanks to all participants!
