TRIMUI

Cracking the encryption IC


XBOOT (the guru) said there is an encryption IC and that it talks over the I2C interface, so let's grep for the string I2C

$ grep -i i2c usr/trimui/ -r
  Binary file usr/trimui/bin/MainUI matches
  Binary file usr/trimui/apps/cdogs/music/game/space_dimensions_8bit.ogg matches
  Binary file usr/trimui/lib/libarelink.so matches

P.S. So it's Arelink (安瑞易连), ha

Next, open libarelink.so; sure enough, there are I2C subroutines


Found the treasure trove


Open MainUI and look for arelink_req_enc_dec; right there you can see the key string /tmp/.cmdenc


Search once more

$ grep cmdenc . -r
  Binary file ./usr/trimui/bin/MainUI matches
  Binary file ./root/gameloader matches
  ./etc/init.d/main:      if [ -f /tmp/.cmdenc ] ; then
  ./main:      if [ -f /tmp/.cmdenc ] ; then

P.S. It's in /etc/init.d/main

/etc/init.d/main

if [ -f /tmp/.cmdenc ] ; then
    /root/gameloader
elif [ -f /tmp/cmd_to_run.sh ] ; then
    chmod a+x /tmp/cmd_to_run.sh
    /tmp/cmd_to_run.sh
    rm /tmp/cmd_to_run.sh
fi

P.S. So the follow-up work is done through gameloader, ha

Open gameloader and you can see the /tmp/.cmdenc-related code; the length is 256, ha


So 司徒 modified the script for a test

if [ -f /tmp/.cmdenc ] ; then
    dd if=/dev/urandom of=/tmp/.cmdenc bs=1 count=256
    /root/gameloader

Then 司徒 tested with the FC game 1942

trimui_sunxi_gpio_init: ver Aug  1 2020
serial: 00000002ED
file /tmp/.cmdenc len=256
DEC1: N�z1��=v��.��N>�ZT������OZ��>F�੨������R�.�u�
[   17.423914] write len=256
[   17.820278] exec! there result of call_usermodehelper is 0
[   17.826401] exec! the process is "gameloader", pid is 183.
[   17.832694] BASE64:0wiSJBoxSQ/reYr9IPNlu0XPhZ3kv6xh0WwuWz36EDlzvzxTFL+JUQCWXtSWVLJQ1rwI+4Ul3yGYusGOe9GNvWf+X46ZmNg7J8xXuYcc1BNn/l+OmZjYOyfMV7mHHNQTZ/5fjpmY2DsnzFe5hxzUE2f+X46ZmNg7J8xXuYc=
bye

Remove that test line and reload the FC game 1942, and it shows the following

trimui_sunxi_gpio_init: ver Aug  1 2020
serial: 00000002ED
file /tmp/.cmdenc len=256
DEC1: cd /usr/trimui/bin/;HOME=/mnt/SDCARD/Roms/FC/  /usr/trimui/bin/fceux "/mnt/SDCARD/Roms/FC//1942[MS漢化](JU)[STG](0.31Mb).nes"
[   25.267101] write len=256

/tmp/.cmdenc


So that encryption IC is responsible for encrypting and decrypting the command string. 司徒 then dug through MainUI and found another treasure trove


Next, patch the call to the encrypt/decrypt routine into a NOP


Then give it a test

Load nes rom cd /usr/trimui/bin/;HOME=/mnt/SDCARD/Roms/FC/  /usr/trimui/bin/fceux "/mnt/SDCARD/Roms/FC//1942[MS漢化](JU)[STG](0.31Mb).nes"
sth wrong, encoded != decoded !!!!

Then take a look at the files MainUI writes out

# ls -al
  drwxrwxrwt    3 root     root           120 Jan  1 00:00 .
  drwxr-xr-x   19 root     root          4096 Jan  1 00:00 ..
  -rw-r--r--    1 root     root           256 Jan  1 00:00 decode
  -rw-r--r--    1 root     root           256 Jan  1 00:00 encode
  -rw-r--r--    1 root     root           424 Jan  1 00:00 game_output.txt
  drwxr-xr-x    2 root     root            60 Jan  1 00:00 log

# cat /tmp/encode
  g�_����;'�W���g�_����;'�W���g�_����;'�W���g�_����;'�W���g�_����;'�W���g�_����;'�W���g�_����;'�W���g�_����;'�W���g�_����;'�W���g�_����;'�W���g�_����;'�W���g�_����;'�W��

# cat /tmp/decode 
  /mnt/SDCARD/Roms/FC//1942[MS漢化](JU)[STG](0.31Mb).nes
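A closer look at the ciphertext this post shows, as an added example that is not part of the original post: both the BASE64 line in the kernel log and the /tmp/encode dump repeat the same 16-byte block on a 16-byte grid, which is what a deterministic block-by-block construction (ECB-style) produces when input blocks repeat, e.g. padding; a mode with a random IV or nonce, or authenticated encryption, would not leak structure like this. The blob is copied from the log line above; the 16-byte block size (AES) is an assumption.

```python
import base64

# "BASE64:" line from the kernel log above (copied from the page); decodes to 221 bytes.
KERNEL_LOG_BLOB = (
    "0wiSJBoxSQ/reYr9IPNlu0XPhZ3kv6xh0WwuWz36EDlzvzxTFL+JUQCWXtSWVLJQ"
    "1rwI+4Ul3yGYusGOe9GNvWf+X46ZmNg7J8xXuYcc1BNn/l+OmZjYOyfMV7mHHNQT"
    "Z/5fjpmY2DsnzFe5hxzUE2f+X46ZmNg7J8xXuYcc1BNn/l+OmZjYOyfMV7mHHNQT"
    "Z/5fjpmY2DsnzFe5hxzUE2f+X46ZmNg7J8xXuYcc1BNn/l+OmZjYOyfMV7mHHNQT"
    "Z/5fjpmY2DsnzFe5hxzUE2f+X46ZmNg7J8xXuYc="
)

BLOCK = 16  # assumed block size (AES); the repeat in the log has this period

def repeated_blocks(data: bytes, block: int = BLOCK) -> dict:
    """Map each block-sized chunk that occurs more than once to the
    grid offsets where it occurs."""
    seen = {}
    for off in range(0, len(data) - block + 1, block):
        seen.setdefault(data[off:off + block], []).append(off)
    return {b: offs for b, offs in seen.items() if len(offs) > 1}

def find_all(data: bytes, needle: bytes) -> list:
    """Every offset of needle in data, grid or not. If all hits land on
    multiples of the block size, the repetition is block-aligned, which is
    the signature of deterministic per-block encryption (ECB-style)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def analyse(blob_b64: str) -> dict:
    """Summarise the block structure of a base64-encoded ciphertext."""
    data = base64.b64decode(blob_b64)
    dups = repeated_blocks(data)
    best = max(dups, key=lambda b: len(dups[b])) if dups else b""
    hits = find_all(data, best) if best else []
    return {
        "length": len(data),
        "full_blocks": len(data) // BLOCK,
        "repeated_block_hex": best.hex(),
        "repeats": len(dups.get(best, [])),
        "block_aligned": all(h % BLOCK == 0 for h in hits),
        "first_repeat_offset": min(hits) if hits else None,
    }

if __name__ == "__main__":
    r = analyse(KERNEL_LOG_BLOB)
    print(f"{r['length']} bytes, {r['full_blocks']} full blocks; block {r['repeated_block_hex']}")
    print(f"repeats {r['repeats']}x from offset {r['first_repeat_offset']}, aligned={r['block_aligned']}")
```

The repeated block starts with 67 fe 5f and contains 3b 27 and 57 b9, i.e. the bytes that render as "g�_", ";'" and "W" in the /tmp/encode dump above, so the two artefacts show the same block.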

Then modify the script a bit

if [ -f /tmp/.cmdenc ] ; then
    echo "#!/bin/sh" > /tmp/run.sh
    echo "cd /usr/trimui/bin/;HOME=/mnt/SDCARD/Roms/FC/  /usr/trimui/bin/fceux \"" >> /tmp/run.sh
    cat /tmp/decode >> /tmp/run.sh
    echo "\"" >> /tmp/run.sh
    chmod +x /tmp/run.sh
    /tmp/run.sh

    #/root/gameloader
elif [ -f /tmp/cmd_to_run.sh ] ; then
    chmod a+x /tmp/cmd_to_run.sh
    /tmp/cmd_to_run.sh
    rm /tmp/cmd_to_run.sh
fi

Then load the FC game 1942 again: the encryption IC is successfully bypassed

