Title: Passat 3BG 1.9TDI AVF !! Seed Key !!
Post by: turbocrack on March 26, 2022, 05:34:25 AM

Hi, I'm looking for the seed key in this file.
The question is to change address 3B56 or 3B7A r4, #1 to #0 or are both addresses wrong?

ROM:00003B56 ; =============== S U B R O U T I N E =======================================
ROM:00003B56
ROM:00003B56
ROM:00003B56 sub_3B56:
ROM:00003B56
ROM:00003B56 ; FUNCTION CHUNK AT ROM:00000830 SIZE 00000396 BYTES
ROM:00003B56
ROM:00003B56                 mov     r4, #1
ROM:00003B58                 jmpr    cc_UC, loc_3B5E
ROM:00003B58 ; ---------------------------------------------------------------------------
ROM:00003B5A                 db 0F2h
ROM:00003B5B                 db 0F4h
ROM:00003B5C                 db  2Ch ; ,
ROM:00003B5D                 db 0C7h
ROM:00003B5E ; ---------------------------------------------------------------------------
ROM:00003B5E
ROM:00003B5E loc_3B5E:                               ; CODE XREF: sub_3B56+2↑j
ROM:00003B5E                 sub     r4, #1
ROM:00003B60                 mov     word_C72C, r4
ROM:00003B64                 mov     r4, word_C72C
ROM:00003B68                 cmp     r4, #0
ROM:00003B6A                 jmpr    cc_SLE, loc_3B7E
ROM:00003B6C                 mov     r4, word_1164
ROM:00003B70                 mov     r5, [r4+14h]
ROM:00003B74                 cmp     r5, word_F962
ROM:00003B78                 jmpr    cc_SGE, loc_3B7E
ROM:00003B7A                 mov     r4, #1
ROM:00003B7C                 jmpr    cc_UC, loc_3B80

Title: Re: Passat 3BG 1.9TDI AVF !! Seed Key !!
Post by: turbocrack on March 27, 2022, 02:16:20 AM

The question is to change address 3B56 or 3B7A r4, #1 to #0 or are both addresses wrong?
ROM:00003B56 ; =============== S U B R O U T I N E =======================================
ROM:00003B56
ROM:00003B56
ROM:00003B56 sub_3B56:
ROM:00003B56
ROM:00003B56 ; FUNCTION CHUNK AT ROM:00000830 SIZE 00000396 BYTES
ROM:00003B56
ROM:00003B56                 mov     r4, #1
ROM:00003B58                 jmpr    cc_UC, loc_3B5E
ROM:00003B58 ; ---------------------------------------------------------------------------
ROM:00003B5A                 db 0F2h
ROM:00003B5B                 db 0F4h
ROM:00003B5C                 db  2Ch ; ,
ROM:00003B5D                 db 0C7h
ROM:00003B5E ; ---------------------------------------------------------------------------
ROM:00003B5E
ROM:00003B5E loc_3B5E:                               ; CODE XREF: sub_3B56+2↑j
ROM:00003B5E                 sub     r4, #1
ROM:00003B60                 mov     word_C72C, r4
ROM:00003B64                 mov     r4, word_C72C
ROM:00003B68                 cmp     r4, #0
ROM:00003B6A                 jmpr    cc_SLE, loc_3B7E
ROM:00003B6C                 mov     r4, word_1164
ROM:00003B70                 mov     r5, [r4+14h]
ROM:00003B74                 cmp     r5, word_F962
ROM:00003B78                 jmpr    cc_SGE, loc_3B7E
ROM:00003B7A                 mov     r4, #1
ROM:00003B7C                 jmpr    cc_UC, loc_3B80

Title: Re: Passat 3BG 1.9TDI AVF !! Seed Key !!
Post by: gremlin on March 27, 2022, 05:25:55 AM

What's a problem to calculate key from seed for this ecu?
It's very easy. Here is calculation pseudo code:

mov eax, Seed
for (i = 1; i <= 5; i++) {
    rol eax, 1
    jno L0
    xor eax, 0x1CDA81F7
L0:
}
mov Key, eax
ret

Title: Re: Passat 3BG 1.9TDI AVF !! Seed Key !!
Post by: turbocrack on March 28, 2022, 12:51:27 PM

> What's a problem to calculate key from seed for this ecu?
> It's very easy. Here is calculation pseudo code:
>
> mov eax, Seed
> for (i = 1; i <= 5; i++) {
>     rol eax, 1
>     jno L0
>     xor eax, 0x1CDA81F7
> L0:
> }
> mov Key, eax
> ret

Hi gremlin, I'm sorry I don't know assembly language yet, but I want to learn it. So I only have to change on address 81F7 rol eax 1 to 0 and save it to the bin file, then OBD reading would be locked. If I understand correctly?

Title: Re: Passat 3BG 1.9TDI AVF !! Seed Key !!
Post by: prj on March 28, 2022, 12:53:47 PM

There is nothing on an EDC15 that's worth protecting.
Has not been for 10 years.

Title: Re: Passat 3BG 1.9TDI AVF !! Seed Key !!
Post by: turbocrack on March 29, 2022, 09:23:39 AM

> There is nothing on an EDC15 that's worth protecting.
> Has not been for 10 years.

Hi prj, that's not really my point. I just wanted to know what something like this looks like in IDA because I want to learn assembly language for reverse engineering in the future because I'm very interested in it. May I write to you privately about this? Would be very happy :)
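The pseudo code gremlin posted earlier in the thread, written out as C for readers who do not read assembly (an added example, not code from the thread or from the ECU). It assumes x86 flag semantics for `jno`, where OF after a 1-bit `rol` is the top bit of the result XOR the carry; the names `rol1`, `seed_to_key` and `XOR_CONST` and the sample seeds are chosen here.

```c
#include <stdint.h>
#include <stdio.h>

#define XOR_CONST 0x1CDA81F7u   /* constant from the pseudo code in the thread */

/* rol eax, 1: rotate a 32-bit value left by one bit. */
static uint32_t rol1(uint32_t x)
{
    return (x << 1) | (x >> 31);
}

/* mov eax, Seed ... mov Key, eax (function name is hypothetical). */
uint32_t seed_to_key(uint32_t seed)
{
    uint32_t eax = seed;

    for (int i = 1; i <= 5; i++) {
        eax = rol1(eax);
        /* Assumption: x86 flags after a 1-bit ROL.
         * CF = bit rotated out of bit 31 (it is now bit 0).
         * OF = most significant bit of the result XOR CF. */
        uint32_t cf = eax & 1u;
        uint32_t of = (eax >> 31) ^ cf;
        if (of)                 /* jno L0 skips the xor when OF is clear */
            eax ^= XOR_CONST;
    }
    return eax;
}

int main(void)
{
    /* Constructed sample seeds, not values captured from an ECU. */
    const uint32_t seeds[] = { 0x00000001u, 0x80000000u };

    for (unsigned i = 0; i < sizeof seeds / sizeof seeds[0]; i++)
        printf("seed %08X -> key %08X\n",
               (unsigned)seeds[i], (unsigned)seed_to_key(seeds[i]));
    return 0;
}
```

The result depends only on the seed and the fixed constant, so the same seed always yields the same key.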