MicroHacker Forum

Online community for electronics and microcontroller reverse engineering
https://microhacker.denkdose.de/

Reverse engineer Ford IDS (find SecurityAccess algo)

https://microhacker.denkdose.de/viewtopic.php?t=382

Page 1 of 1

Reverse engineer Ford IDS (find SecurityAccess algo)

Posted: 11 Feb 2024, 08:40
by Go4IT
Have you every tried to decrypt "MCPFunctionManager.dll" ? I know that inside we would find the security algorithm for UDS 0x27 (SecurityAccess). I could already get the "keybag" from "AlgData.dll", but it's worthless without the algo.

Currently i don't really know where to start. Tried to load the DLL into IDA but it won't show up much in the "Exports" section, so i assume the DLL is somewhat packed/encrypted.
10-02-2024_19-22-39.png
11-02-2024_09-39-01.png
11-02-2024_09-40-20.png
As always, a base understanding, knowledge and analysing tools are required to start such a journey. I found a neat tool called "DIE - Detect It Easy" here
https://github.com/horsicq/Detect-It-Easy (https://github.com/horsicq/DIE-engine/r ... 09_x64.zip) which give some insights of a file loaded.

A "DLL" is somewhat similar to an "EXE", it could contain data, resources and code. DIE tells this about the file:
die_mcpdll.png
Looks pretty handsome and not crypted in first, but why does IDA complain about the file and could not get the functions inside?
Compared with loading "forscan.exe" for example, you see DIE finds the protection:
die_forscan.png
So this is something "special" inside MCP*.dll. DIE has a entropy-graph tool. You can detect enrcyptions with it. Don't know how that works, but the higher the value the more likely the content is crypted somehow. The graph is clear about what is in the ".text" part of the PE:
die_mcpdll_entropy.png

Re: Reverse engineer Ford IDS (find SecurityAccess algo)

Posted: 11 Feb 2024, 11:36
by Go4IT
I know try to start reversing it like malware analysts do, but hope you can help me with that!

Think it can't be simply "decoded" offline, it needs to run some code at the entry-point of the DLL which then decrypts the contents before exporting the functions. Malware analysts and hackers use debuggers for this task. I picked "x32dbg" (which is part of "x64dbg" package) from here: https://x64dbg.com/ (but some also uses OllyDbg https://www.ollydbg.de/).

Of course the packers may took some care to prevent the code from being run in debuggers ;-) but let's see.

The key here is to set breakpoints to let code run in a controlled way until it has unpackt itself and then may store a dump of it to disk for further examination. I've also seen some connecting IDA with a debugger to have both at the same time.

As i am new in this kind of business, don't blame me if my assumptions where all wrong, but correct me :-)
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited