Vin protection

IPC - Instrument cluster panels (like Convers+)
Gwe89
Pro
Posts: 332
Joined: 09 Feb 2019, 21:21

Vin protection

Post by Gwe89 »

Has anyone figured out how m0tral got the whole VIN into 4 bytes?
Go4IT
Pro
Posts: 967
Joined: 08 Feb 2019, 12:25

Re: Vin protection

Post by Go4IT »

Hash?!
Gwe89
Pro
Posts: 332
Joined: 09 Feb 2019, 21:21

Re: Vin protection

Post by Gwe89 »

I have tried many combinations and cannot get the same outcome. It's no use, but I'm interested in how he's done it.
Go4IT
Pro
Posts: 967
Joined: 08 Feb 2019, 12:25

Re: Vin protection

Post by Go4IT »

Well, then disassemble the routine handling the data you found and you know.
Vlada871
Posts: 10
Joined: 24 Dec 2019, 13:00

Re: Vin protection

Post by Vlada871 »

It's not all of the VIN... just a combination of year of production and last VIN digits.
Gwe89
Pro
Posts: 332
Joined: 09 Feb 2019, 21:21

Re: Vin protection

Post by Gwe89 »

Vlada871 wrote: 03 Jan 2020, 07:37 It's not all of the VIN... just a combination of year of production and last VIN digits.
But if you change a single digit, any digit, in the VIN, it will either boot loop or features no longer work.
leader
Active member
Posts: 50
Joined: 24 Jun 2019, 10:35

Re: Vin protection

Post by leader »

For m0tral firmwares you only need to calculate 2 bytes from the VIN, and need to patch these 2 bytes in 2 different locations (it checks the VIN twice).
Check out the following small C code:

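Code:

#include <stdio.h>
#include <stdint.h>

typedef uint32_t DWORD;
typedef uint16_t WORD;

#define LOWORD(a) ((WORD)(a))
#define HIWORD(a) ((WORD)(((DWORD)(a) >> 16) & 0xFFFF))

/* Rotate the 32-bit value a1 right by a2 bits (a2 must be 1..31). */
uint32_t calc(uint32_t a1, unsigned a2)
{
  return (a1 << (32 - a2)) | (a1 >> a2);
}

int main(void) {
  const char VIN[] = "WF0EXXGXXY8X12345";
  uint32_t x = 0;  /* unsigned, so the sum wraps instead of overflowing a signed int */
  int i;
  /* Sum every VIN character rotated right by its 1-based position. */
  for (i = 0; i < 17; i++)
    x += calc((unsigned char)VIN[i], i + 1);
  /* Add the high word to the sum; the low two bytes of the result are the check bytes. */
  unsigned char x1 = (HIWORD(x) + x) & 0xff;
  unsigned char x2 = ((HIWORD(x) + x) >> 0x08) & 0xff;
  printf("0xd59f6: %08X\n", x1);
  printf("0xd59EE: %08X\n", x2);
  printf("0xd5b48: %08X\n", x1);
  printf("0xd5b40: %08X\n", x2);
  return 0;
}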
But it's much easier to patch the 2 conditional jumps instead of calculating and patching these bytes...
Go4IT
Pro
Posts: 967
Joined: 08 Feb 2019, 12:25

Re: Vin protection

Post by Go4IT »

Agreed, by removing the jumps the firmware gets universally usable. But please don't post this on the forum as it will only raise up registration requests ;)
But good to know how the protection works, algos are always highly welcome!
Did you manage to find those jumps? Never looked into a modified FW, currently disassembling the genuine FW.
leader
Active member
Posts: 50
Joined: 24 Jun 2019, 10:35

Re: Vin protection

Post by leader »

Yes, I identified the jumps.
And I also created 2 tools to deal with the protected firmwares.

One is a simple program written in C to patch the jumps directly in the VBF file (and of course it recalculates the checksums also).

The other tool is a simple webpage in PHP. There is an input field to upload the ZIP file containing the MondeoElmLoader.exe (package received from m0tral).
The tool will extract the VBF from the exe, patch the jumps and repack it into the exe file. So finally you will receive the MondeoElmLoader.exe including the unprotected VBF file. Of course you need to have a valid license file for the MondeoElmLoader.exe, but this is another story... :)
Stevebe
Pro
Posts: 258
Joined: 08 Feb 2019, 12:28

Re: Vin protection

Post by Stevebe »

There is a slight variation between the different motors SMAX GALAXY and MOND
WFOS
WFOE
WF0G
Last edited by Stevebe on 20 Jan 2020, 17:39, edited 1 time in total.