Note on CH549
DeqingSun opened this issue · comments
Family ID 0x12, device ID 0x49.

The u8AddessCmd (0xA3) payload also seems to change with WCHISPTool V2.9.
Use IDA to open WCH55xISPDLL.dll:

- Search all text occurrences of `rand` and choose the call.
- Edit > Patch Program > Assemble: `mov eax, 0h` (5 bytes) should replace the `call _rand` or `call _srand`.
- Search all text occurrences of `GetTickCount`. It is using `call edi` (2 bytes); change it to two `nop`.
- Edit > Patch Program > Apply patches to input file.

After that, A3 seems OK.
`.text:10002899 call sub_1000AB30`: the A5 command seems to get ready before this call, with unencrypted data loaded. Encryption seems to happen here!
`.text:1000836F call sub_10001E50`: A1 communication (u8DetectCmd)
- `.text:10001F01 call sub_10001820`: send out
- `.text:10001F4D call sub_100019A0`: get response

`.text:10008431 call sub_10002E60`: A7 communication (u8IdCmd); response located in `Stack[00000CC8]:01B6EE3C db 0A7h`

`.text:10008542 call sub_1000A160`: check later.

`.text:100085A0 call sub_100067F0`: check later.
`.text:10008637 loc_10008637:` seems to be a family check, 11~15

`.text:10008688 call sub_100032F0`

`.text:100087B1 call sub_10003160`: A8 communication (u8InitCmd)

`.text:10008815 call sub_10002E60`: A7 communication (u8IdCmd)

`.text:10008972 call sub_10002B20`: A3 communication
Before the call:
```
.text:1000896D mov edi, [esp+50h+arg_0]
.text:10008971 push edi
```
The pushed argument holds `0,0,0,0,58,11`.
`.text:10002BC1 call sub_1000AB70`: key generated inside.
- `ebx+193h`, `ebx+194h`: seems to be checking device and family ID
- `.text:1000ABEF jb short loc_1000ABCA`: this loop of 1Eh iterations just puts 0 into memory, since we patched the tick call
- `.text:1000ABF5 mov al, [ebx+194h]`: value is 12, maybe the family ID
- `.text:1000AC00 lea edi, [esp+1Ch+var_8]`: not sure what for
- `.text:1000AC3B loc_1000AC3B:` calculates the key; the sum of the ID and the family ID seems unchanged. But the sum of the ID is 8 bytes!
`.text:10002C5C call sub_10001820`: sends A3. Stepping over will crash; the A3 command seems to be located in `[esp+28h]`, and modifying `[esp+28h]` changes the A3 command that is sent. 2c27? send A3
`.text:10008A19 call sub_1000A160`

`.text:10008A39 call sub_10002960`: A4 communication (u8EraseCmd)
- `call sub_1000A160`

`.text:10008C64 call sub_1000A160`

`.text:10008C98 call sub_100027D0`: A5 communication
`.text:10002899 call sub_1000AB30`: 3D seems to get ready before this call, with unencrypted data loaded. Encryption seems to happen here!
`.text:1000AB4F loc_1000AB4F:` the XOR happens here. The key is 8 bytes long, passed with address `esp+4+arg_8`. Going outside, it is passed by `push ecx` after `lea ecx, [ebp+1Ch]`, i.e. `saved_fp+1Ch`, which is static.
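The XOR layer described above, written out as an added example (not code from the issue or from WCH's DLL). It assumes only what the notes state: the payload is XORed with a repeating 8-byte key. The key derivation in `sub_1000AB70` is not reproduced; `SAMPLE_KEY` and `SAMPLE_DATA` are constructed values. The second function shows the analyst's caveat for this kind of masking: because the same function encrypts and decrypts, any 8 bytes of known plaintext (for example a run of erased-flash 0xFF or zero padding) give back the whole key, and once `GetTickCount`/`rand` are frozen the key no longer changes between uploads.

```python
# Added example: repeating 8-byte XOR as observed at loc_1000AB4F.
# The real key schedule (sub_1000AB70) is NOT implemented here; the key
# below is a constructed placeholder, not a value from the DLL.

KEY_LEN = 8  # key length noted in the issue


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR. The same call encrypts and decrypts."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte key, got {len(key)}")
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, offset: int = 0) -> bytes:
    """Recover the full key from 8 known plaintext bytes at any offset.

    Handles the key rotation: byte j of the stream is masked with
    key[j % KEY_LEN], so a known block at `offset` fills the key slots
    starting at offset % KEY_LEN.
    """
    if len(known_plaintext) < KEY_LEN:
        raise ValueError("need at least 8 bytes of known plaintext")
    if offset < 0 or offset + KEY_LEN > len(ciphertext):
        raise ValueError("known plaintext window lies outside the ciphertext")
    key = bytearray(KEY_LEN)
    for i in range(KEY_LEN):
        key[(offset + i) % KEY_LEN] = ciphertext[offset + i] ^ known_plaintext[i]
    return bytes(key)


# Constructed sample values (not from the device or the DLL).
SAMPLE_KEY = bytes.fromhex("1249a5c3f00f1234")
SAMPLE_DATA = bytes(range(64))  # stand-in for a 64-byte A5 payload


def roundtrip(data: bytes = SAMPLE_DATA, key: bytes = SAMPLE_KEY) -> bool:
    """True if XOR-ing twice with the key returns the original data."""
    return xor_with_key(xor_with_key(data, key), key) == data


def key_leaks_from_padding(key: bytes = SAMPLE_KEY) -> bytes:
    """A block of zero padding produces the key itself on the wire."""
    return xor_with_key(bytes(KEY_LEN), key)


if __name__ == "__main__":
    enc = xor_with_key(SAMPLE_DATA, SAMPLE_KEY)
    print("roundtrip ok:", roundtrip())
    print("key from offset 0 :", recover_key(enc, SAMPLE_DATA[:8], 0).hex())
    print("key from offset 5 :", recover_key(enc, SAMPLE_DATA[5:13], 5).hex())
    print("zero padding leaks:", key_leaks_from_padding().hex())
```

With the tick and rand calls patched to constants, the observed key depends only on the chip's ID bytes, so a captured A5 frame plus any known block of the firmware image is enough to unmask every other frame sent to that chip; this is why the XOR should be read as a transport obfuscation rather than as confidentiality for the firmware.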
`.text:10001623 call ds:CreateFileA`