Hello, everybody!
Recently there has been a lot of noob news about loading the TB lv2_kernel in IDA and what it really does, so I really wanted to take a look at it myself :)
This thing is really small, and it took a few minutes to RE the "salt" of it. I spent more time writing some scripts for it :)
This is my clean idb: http://rghost.ru/37617670
(I don't share my idb with comments, because they're mostly Russian comments :D )
As you can see, it uses some obfuscation: unconditional branches and sequences of mtctr and bctrl instructions (the target is loaded into the count register first, so the call destination is not visible as a direct branch).
When you start reversing sub_80000000007F1114, the first thing you will see is that there is some condition on the execution of sub_80000000007F0F10.
Let's look at this function. Allocating buffers is already a good sign) Look at the subfunctions and you see some crypto) sub_80000000007F0B1C is the Tiny Encryption Algorithm (TEA):
Code:
    #include <stdint.h>

    /* TEA block decryption: v = one 64-bit block as two 32-bit words,
       k = the 128-bit key as four 32-bit words */
    void decrypt (uint32_t* v, uint32_t* k) {
        uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i; /* set up: sum starts at 32*delta */
        uint32_t delta=0x9e3779b9;                     /* a key schedule constant */
        uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
        for (i=0; i<32; i++) {                         /* basic cycle start */
            v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
            v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
            sum -= delta;
        }                                              /* end cycle */
        v[0]=v0; v[1]=v1;
    }
r4 is the key. Tracing it, and voilà, the decryption key is at address 800000000035E104.
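To confirm that the recovered routine really is TEA decryption and not some variant, the quickest check is a round trip against the textbook TEA encrypt: if textbook encryption followed by the recovered decrypt gives the plaintext back, the key word order (k0..k3) and the constants match. The block below is an added example, not code from the original post or from TB; the key and message are constructed, and running the block routine in ECB over a buffer is an assumption about how a loader would use it, not something the post states. It also checks the fingerprint an analyst looks for in a binary: the decrypt's initial sum 0xC6EF3720 is exactly 32 * 0x9e3779b9 modulo 2^32.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEA_DELTA  0x9e3779b9u
#define TEA_ROUNDS 32

/* Textbook TEA encryption (Wheeler & Needham): the forward direction of the
 * routine recovered from the binary. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* TEA decryption: the same cycle run backwards, starting from sum = 32 * delta.
 * Same arithmetic as the decrypt routine found in the binary. */
static void tea_decrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0xC6EF3720u;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* Fingerprint check for constants pulled out of a disassembly: a TEA decrypt
 * starts its sum at 32 * delta (mod 2^32). Returns 1 if the pair matches. */
int tea_constants_match(uint32_t initial_sum, uint32_t delta) {
    return delta == TEA_DELTA && initial_sum == (uint32_t)(TEA_ROUNDS * delta);
}

/* Decrypt a buffer of whole 8-byte blocks, block by block (ECB; assumed usage,
 * not taken from TB). Words are passed in host byte order. Returns block count. */
size_t tea_ecb_decrypt(uint8_t *buf, size_t len, const uint32_t k[4]) {
    size_t blocks = len / 8;
    for (size_t b = 0; b < blocks; b++) {
        uint32_t v[2];
        memcpy(v, buf + 8 * b, 8);
        tea_decrypt(v, k);
        memcpy(buf + 8 * b, v, 8);
    }
    return blocks;
}

/* Round trip on a constructed two-block message under a constructed key.
 * Returns 1 when encrypt changes the data and decrypt restores it exactly. */
int tea_roundtrip_ok(void) {
    const uint32_t key[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };
    uint8_t msg[16] = "payload-block!!";   /* 15 chars + NUL = two 8-byte blocks */
    uint8_t work[16];
    memcpy(work, msg, sizeof work);
    for (size_t b = 0; b < sizeof work / 8; b++) {
        uint32_t v[2];
        memcpy(v, work + 8 * b, 8);
        tea_encrypt(v, key);
        memcpy(work + 8 * b, v, 8);
    }
    if (memcmp(work, msg, sizeof work) == 0) return 0;  /* ciphertext must differ */
    tea_ecb_decrypt(work, sizeof work, key);
    return memcmp(work, msg, sizeof work) == 0;
}

int main(void) {
    printf("round trip: %s\n", tea_roundtrip_ok() ? "ok" : "FAILED");
    printf("constants 0xC6EF3720 / 0x9e3779b9 match TEA: %d\n",
           tea_constants_match(0xC6EF3720u, 0x9e3779b9u));
    return 0;
}
```

The useful part for triage is the constant pair: on PowerPC a 32-bit immediate is materialised as a lis/ori or lis/addi pair, so in the listing you will see 0x9e37 and 0x79b9 (and 0xC6EF with 0x3720) in adjacent instructions rather than one contiguous word.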
Look at what comes next. I don't think it needs comments )
Code:
    malloc
    memcpy
    free
    free
Look closely at what happens between the last two. Do you see it? ))
That is where the magic happens) It jumps inside the decrypted code)
Code:
    mtctr r30
    bctrl
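Because every interesting transfer in this loader goes through the count register, the mtctr/bctrl pairs are the places to look at when you want the control flow back. The scanner below is an added example, not the author's scripts and not code from TB: it decodes raw big-endian PPC instruction words from a buffer, matches mtctr rX (mtspr CTR encoding 0x7C0903A6 with the register in bits 21..25) and reports where a bctr or bctrl follows within a small window. The sample bytes are constructed for the demo, not taken from the binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fetch one big-endian 32-bit instruction word (the Cell PPU is big-endian). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* mtctr rX is really "mtspr CTR, rX": primary opcode 31, XO 467, and the split
 * SPR field for CTR (spr 9) encodes as 0x120, giving 0x7C0903A6 | (rX << 21).
 * Returns the source register number, or -1 if the word is not an mtctr. */
static int decode_mtctr(uint32_t w) {
    if ((w & 0xFC1FFFFFu) == 0x7C0903A6u)
        return (int)((w >> 21) & 0x1Fu);
    return -1;
}

/* bctr is 0x4E800420 and bctrl (link bit set) is 0x4E800421. */
static int is_bctr_or_bctrl(uint32_t w) {
    return w == 0x4E800420u || w == 0x4E800421u;
}

struct ctr_hit {
    size_t mtctr_off;   /* offset of the mtctr that loads the target */
    size_t branch_off;  /* offset of the bctr/bctrl that uses it */
    int reg;            /* register holding the computed target */
    int is_call;        /* 1 for bctrl, 0 for bctr */
};

/* Scan a raw code buffer for mtctr rX followed within `window` instructions by
 * bctr/bctrl. Fills `out` (up to max_out entries) and returns the total count. */
size_t find_ctr_branches(const uint8_t *code, size_t len, size_t window,
                         struct ctr_hit *out, size_t max_out) {
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        int reg = decode_mtctr(be32(code + off));
        if (reg < 0) continue;
        for (size_t k = 1; k <= window && off + 4 * k + 4 <= len; k++) {
            uint32_t w = be32(code + off + 4 * k);
            if (!is_bctr_or_bctrl(w)) continue;
            if (n < max_out) {
                out[n].mtctr_off = off;
                out[n].branch_off = off + 4 * k;
                out[n].reg = reg;
                out[n].is_call = (int)(w & 1u);
            }
            n++;
            break;
        }
    }
    return n;
}

/* Constructed sample (not bytes from the TB binary): two genuine mtctr/bctr(l)
 * pairs plus one mtctr with no branch following it inside the window. */
static const uint8_t sample_code[] = {
    0x7F,0xC9,0x03,0xA6,  /* mtctr r30 */
    0x4E,0x80,0x04,0x21,  /* bctrl     */
    0x60,0x00,0x00,0x00,  /* nop       */
    0x7D,0x89,0x03,0xA6,  /* mtctr r12 */
    0x60,0x00,0x00,0x00,  /* nop       */
    0x4E,0x80,0x04,0x20,  /* bctr      */
    0x7C,0x09,0x03,0xA6,  /* mtctr r0  */
    0x60,0x00,0x00,0x00,  /* nop       */
    0x60,0x00,0x00,0x00,  /* nop       */
};

struct ctr_hit demo_hits[8];

/* Runs the scan over the constructed sample with a 4-instruction window. */
size_t run_demo(void) {
    return find_ctr_branches(sample_code, sizeof sample_code, 4, demo_hits, 8);
}

int main(void) {
    size_t n = run_demo();
    for (size_t i = 0; i < n; i++)
        printf("0x%zx: mtctr r%d ... 0x%zx: %s\n", demo_hits[i].mtctr_off,
               demo_hits[i].reg, demo_hits[i].branch_off,
               demo_hits[i].is_call ? "bctrl" : "bctr");
    return 0;
}
```

The register reported for each hit is the one to trace backwards in IDA to find how the target was computed; with the decrypted buffer's address in r30, the bctrl in the post is exactly such a hit.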
After this code has executed it frees the buffer; look back at sub_80000000007F1114: it memcpys the original code, mounts dev_flash, and jumps to lv2_kernel.self.
TB is made really similar to malware.
Now we know that lv2_kernel is a payload loader, we know where the key is, and we know where the payload is)
I don't have TrueBlue, so at this point that is all I can do :)
My Twitter: https://twitter.com/oct0xor
Greetings to my friend and great dev flatz: https://twitter.com/flat_z