technikgebastel

Tuesday, December 19, 2017

digging around in machine code and a licence violation

Hi,
today I will tell you how I found a violation of the license of LLVM by an international software company with 50+ employees and how I found out how to circumvent their disassembly protections for their plugin system.

Due to legal concerns I will not name the company or the software here and just refer to the software as "the program" and also not name the real version numbers to avoid any legal problems. Furthermore I would like to mention here, that I have never agreed to any end-user license agreement, because the binaries of the program were available on some github-account and so no installation was necessary.

At first let me shortly tell you why I looked at this program: A friend of mine uses it to do financial analysis. This program has a plugin infrastructure, that allows you to write your own indicators and automatic trading systems. A it is usual in the financial sector people want to earn money. So program includes the possibility to only distribute (sell) the compiled plugins without the source code. (They actually put pretty heavy measures in place to prevent people from learning what a compiled plugin actually does.) So my friend came across such a compiled indicator and wanted to learn about its functionality.
Here a short list of reasons, why I publish this article:

They actually violate some conditions of the LLVM license with their plugin infrastructure. (Details below.)
It should be possible to learn about what some compiled program does when I execute it on my computer.
If financial decisions are based on the output of some indicator it should be possible to analyse it (and if needed improve it or warn other people about dangerous stuff in it).

So the goal is to transform a compiled plugin file to readable text (at least assembler, i.e. disassembled) or even understandable text (C++ code or some pseudo code, i.e. "decompiled").

There are actually several major versions of this program (A, A', B) and the file formats of the compiled plugins (a,b,c):

program version A (ancient) produces plugins of type a
program version A' (old, but still heavily in use, same major version as A) produces plugins of type b
program version B (new, incremented major version) produces plugins of type c

For plugins of type a there is a tool to "decompile" compiled plugins. As it turned out the compiled file that we want to understand is actually of type b. The company has implemented extremely heavy countermeasures starting with version A' and type b. Type b and type c seem to differ only by a version string at the beginning of the file.

Here one example of how they try to protect their program code and compiled plugin files from disassembly: The binaries do not actually contain the real machine code, but only a small startup routine that later decrypts/decompresses the main part of the machine code from data sections in the binary. This is basically self-modifying code and a popular technique among malware programmers to hide the functionality of their creations from analysis tools such as regular disassemblers.

Even though the code contains all the functionality and all necessary information to decrypts/decompresses the actual machine code, in order to analyse it one first would have to understand the decryption/compression used and re-implement it. (But here is a much easier way, because they made a mistake! See below!)

Additionally they try to prevent debugging, i.e. the process of running a code step by step to learn its functionality. The conventional anti-anti-debugger tricks unfortunately did not work here.

The compiled plugin files are not constant in time meaning that if you compile the same code file at different points of time they will generate very different compiled files. Also neither the some structure nor string constants are visible in any way in the compiled files.

So we have here three different forms in which we can have a plugin:

the source code
the compiled machine code
the transformed and somehow compressed and/or encrypted (with timecode) plugin file: let's call it "encrypted" for simplicity here

So we have the following situation: We have a plugin compiler that creates encrypted files, that we can't understand. The main program can read these encrypted files, transform then back to machine code and execute them. Both programs can't be simply read in a disassembler or run in a debugger.....

But here is where their mistake comes in: The main program keeps the whole back-transformed machine code in memory instead of deleting it after execution!

I noticed that when I dumped the whole "physical" memory of the Windows virtual machine where I ran my analysis and dug trough it to find the actual machine code of the program because I could not sleep. A much simpler way to accomplish the same is to directly dump the memory of a process in Windows directly from the task manager.

Because I could not find the content of the "encrypted" plugins files in the memory dump, I tried some experiments with some integer numbers and simple structures in plugins, that I compiled with the plugin compiler and then loaded into the main program. Finding the exact integer numbers in the memory dump let me discover the the locations and formats of the compiled machine code of the plugins in the memory dump.

The "magic" numbers to look for are: "55 89 E5 83 EC 08" or in assembler (i386):

55 = push ebp
89 E5 = mov esp, esp
83 EC 08 = sub esp, 0x8

This are EXACTLY the first three assembler instructions that are executed at the start of a C-function when compiled with clang or gcc (with -O0 -m32).

So now we have found the compiled machine code of a plugin in the memory dump. We can now extract the functions and either diassemble them the conventional cumbersome way or use the recently released RetDec from Avast (https://github.com/avast-tl/retdec) to decompile it to readable C-code!

LLVM-license violation:

When digging trough the memory dump I found that the actual machine code of the plugin compiler has some strange strings in it, for example "After splitting live range around basic blocks" and "Number of branches unswitched". A quick internet search revealed that this is actually code from LLVM:

https://github.com/llvm-mirror/llvm/blob/209f04866320b6e58b78c06876e77254bd5d6102/lib/CodeGen/RegAllocGreedy.cpp

https://github.com/llvm-mirror/llvm/blob/4604874612fa292ab4c49f96aedefdf8be1ff27e/lib/Transforms/Scalar/LoopUnswitch.cpp

The LLVM-license (https://github.com/llvm-mirror/llvm/blob/4604874612fa292ab4c49f96aedefdf8be1ff27e/LICENSE.TXT) states:

"Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimers in the documentation and/or other materials provided with the distribution."

But neither the documentation on the website nor the distributed files seem to contain this copyright notice and the other stuff necessary. To me this is a clear violation of the license.

Saturday, April 2, 2016

bike home trainer II

Also see previous post: https://technikgebastel.blogspot.de/2016/02/bike-home-trainer-i.html

The next step in my modding of my home bike trainer is to completely replace the control computer by my laptop with USB-IO-card.
I have shown how to record rotational speed and control voltage for the eddy-current brake in a previous post (https://technikgebastel.blogspot.de/2016/02/bike-home-trainer-i.html).
Since these are the only input quantities for the control computer, I now have to reverse engineer the formula for the dependence of the performance P in watts on the rotational speed f_rot and brake voltage U_brake.

Fortunately the bike computer has a program, where it adjusts the brake voltage depending on the rotation speed, so that a constant work has to be performed. This is very helpful to explore and measure the dependence of the performance on the brake voltage and rotation speed.

The following graph shows the measured brake voltage versus the rotations speed for a fixed performance program (50 watts and 55 watss):

Even though there seems to be a lot of noise (not sure if it is because of the mesaurement setup or something else), there is a clear difference between 50 watts and 55 watts. Now we only have to record enough data during different constant performance runs and interpolate.
Another and probably faster way would be to simulate the input for the bike computer, i.e. the pulses at every full rotation, and measure the corresponding brake voltage without the brake actually connected to the computer to avoid damage.

Trekstore Surftab Wintron 7.0 III: Linux

- orientation sensor (bma22e with BMA2x2)

What probably works (not tested):
- Bluetooth (rtl8723bs)

What does not yet work:
- audio output (ALC5651 not supported with linux kernel 4.3, included starting 4.5, but wlan-patches for 4.5 cause problems)
- cameras (gc0310, ov2680)

What will probably never work, aka no idea how to make it work:
- hardware buttons (except power button)

Once everything except stuff in the category "What will probably never work, aka no idea how to make it work:" is working, I will document everything here.

Sunday, March 20, 2016

Trekstore Surftab Wintron 7.0 II: UEFI

Boot Manager: Choosing "Boot Manager", we find all startup entries that are registered in the UEFI.

Device Management:

Boot from File:

Secure Boot Option: Although not activated when shipped, it seems to be possible to deactivate it. Furthermore all the functionality to load own keys seems to be there.

SCU (System control unit of the Intel SOC): I was completely astonished by the functionality and options included here.

We can even get an old-school boot output!!!

Trekstore Surftab Wintron 7.0 I: Hardware

See post about hardware: https://technikgebastel.blogspot.de/2016/03/trekstore-surftab-wintron-70-i-hardware.html
See post about UEFI: https://technikgebastel.blogspot.de/2016/03/trekstore-surftab-wintron-70-i-uefi.html
See post about Linux: https://technikgebastel.blogspot.de/2016/04/trekstore-surftab-wintron-70-iii-linux.html

Recently a colleague of mine made me aware of a very cheap 7 inch Windows 10 tablet. Even though he intended to use it with Windows 10, when searching for the specs I came across some forum posts of people that tried to run Ubuntu instead of Windows on it.
The Trekstore Surftab Wintron 7 (http://www.trekstor.de/detail-surftabs-de/product/produktsupport/product/surftab-wintron-70-v2.html) costs about 50 Euro.
Motivated by Ron and Frank Riegers talk about the 32C3 (https://www.youtube.com/watch?v=DBv0eykj_m8&feature=youtu.be&t=1h5m35s) I started to tackle the problem of getting Debian to run on this device.

The inside looks like:

Specifications:
Display: 7 inch, 1024x600, IPS
CPU: Intel Atom Z3735G (http://ark.intel.com/de/products/80275/Intel-Atom-Processor-Z3735G-2M-Cache-up-to-1_83-GHz)

PMIC: AXP288 (http://www.x-powers.com/product/AXP288_en.php)

RAM: 1 GB DDR3, Kingston N11915-01, D2516EC4BXGGB (http://media.kingston.com/pdfs/emmc/MKF_585_DDR3_3L_US.pdf)

CMOS Flash memory: 64 Mbit 25LQ64GVIG

internal memory: 16 GB, FORESEE NCEMBS99-16GB

cameras: front 0.3 MP, back 2 MP

Audio: ALC5651, internal speaker (mono), 3,5mm external connector

Wireless/Bluetooth: RTL8723BS, 802.11 b/g/n, 2.4 GHz

Touchscreen: 5 fingers, Silead GSL1686

battery: 2500 mAh, 3.7V

microSD: SDHC, SDXC

microUSB: host and client mode

orientation sensor BMA222E (BMA2x2)

cameras: Gcoreinc gc0310, OmniVision 2680

Sunday, March 13, 2016

bike home trainer and Fallout 4

I bought my bike home trainer a few months before the release of Fallout 4, but according to Steam and my list of training exercises I have spend much more time playing Fallout 4 than I have spend on the home trainer.

So this is about to change....

The main idea is to couple the bike home trainer to Fallout 4 in some way. As documented in my previous post (https://technikgebastel.blogspot.de/2016/02/bike-home-trainer-i.html) I have succeeded in getting measurements from the bike home trainer to my linux laptop.
Now there are two major problems/questions to solve:
0. How to get the measurements from the home trainer?
1. Which aspect of the game should my performance on the bike trainer influence?
2. How do I make the necessary modifications in the game and feed in the data?
3. How to play comfortably while exercising on the bike?

0. home trainer:

In a previous post (https://technikgebastel.blogspot.de/2016/02/bike-home-trainer-i.html) I have shown how to measure the rotations speed of the bike home trainer with a USB-io-card. My fork of the Python tolls for the LabJack U3 can be found at https://github.com/ravenschade/LabJackPython. The script Examples/u3allio_ergometer.py measures the rotation speed and records them to a text file, i.e. python Examples/u3allio_ergometer.py ~/ergometer_log

1. game property:

There were several options for the first problem:
a. total game speed
b. AP recovery rate
c. HP recovery rate

d. movement speed

I chose the movement speed option, because it is most immersive. It can be modified by the effect Fallout4.esm/Magic Effect/AbFortifyActorSpeedMult, which takes a positve or negative percentage of change. Now all that has to be done is to create ingame items with this effect. I choose the ring-slot. In order to put the items somewhere in the game, where they can easily be picked up, I started form the mod Strongman's Rings by OmegaDir (http://www.nexusmods.com/fallout4/mods/5593), that puts a dave with some ring in the control station outside of vault 111. My mod uses this mod as a master file and adds a lot of rings, which have AdFortifyActorSpeedMult-modifiers from -100 to 300 in steps of 10, i.e. -100% to 300% change of movement speed. The names are ".speed [percentage]".

The mod can be found at http://www.nexusmods.com/fallout4/mods/10889.

2. external input to the game:

For the second problem Bethesda was very helpful, because they made the Pipboy-app for smartphones and tablets, so that one can use it as a secondary screen and modify the equpiment status and several other things. Luckily other people have already reverse engineered the protocol (special thanks to matzman666 https://github.com/matzman666/PyPipboy).
My fork can be found at https://github.com/ravenschade/PyPipboy. The relevant script is examples/equip.py.
It takes one command line argument, which is the file name of the log file produced by the ergometer logger, i.e. python3 examples/equip.py ~/ergometer_log.
This script then tries to connect to a Fallout 4 game in the same network, keeps reading the log file and submits movement speed changes in the form of item equip/uneqip commands to the game.

equip/unequip sound problem:

One problem here is that there is a noise if we equip/unequip and armor piece even when done via the app. The solution is to place empty sound files in Steam/steamapps/common/Fallout 4/Data/sound/FX/ITM/ for the files: ITM_Clothing_Down_01.xwm, ITM_Clothing_Down_02.xwm, ITM_Clothing_Up_01.xwm, ITM_Clothing_Up_02.xwm and modify the Fallout 4 ini to include the path.

3. How to play comfortably while exercising on the bike?

The interface works pretty well. There is a delay of about a second between changes in the rotation speed on the bike and the corresponding change of the movement speed in the game. This is mainly due to the fact, that the bike only generates a pulse on a full rotation of the pedals.
So in principle everything works, one remaining challenge is to modify the bike, mouse and keyboard so that I can play comfortably while exercising.

The current setup is shown in the following pictures:

The book and box under the mouse are there so that the hands rests higher and there is no force on the joint of the hand.

If you are interested in my work, please leave a comment below.

Saturday, February 20, 2016

bike home trainer I

Last year I bought the bike home trainer (ergometer) Finnlo Exum III (http://www.finnlo.de/finnlo-heimtrainer-ergometer-exum.html). I like it a lot, because it has a lot of good and different training programs. Unfortunately in the price category (about 500 Euro) you don't get a USB or Bluetooth interface.

Recently I came across an article in a popular german computer journal about the combination of a statinary bike and a Arduino (http://www.heise.de/make/meldung/Fuer-40-Dollar-mit-dem-eigenen-Rad-in-die-Virtual-Reality-3097272.html).
I wanted to go a step further and not only measure the rotations, but also the my performance in terms of power. The plan is to use this information to control the playback speed of videos that I watch while exercising.

First I disassembled the display and control unit of the

bicycle ergometer:

The cable that goes into it has six color coded wires (from left to right): black, brown,red,orange,yellow,green
The main goal is to find out how the computer derives the quantities in the display (rpm, distance, power, speed,...) from the signals on these wires.
After quick and dirty soldering some thin wires to the connection points on the circuit board

all the hardware aspects of the project were already done.

After connecting the wires to the analog inputs of my LabJack U3-HV (https://labjack.com/products/u3) it was time to record data.

After some trial and error I found the following:

1. the brown and red wire have a constant 12V, so this is probably the power supply

2. the differential voltage of the yellow and green wire gives 5V pulses, the time distance of these pulses encodes the rotation speed of the pedals

3. the differential voltage of the black and orange wires controls the power of the eddy current brake.

The above plot of the differential voltages shows a short test with the lowest brake setting and a constant rotation speed of the pedals.

The rotations speed is actually the only information that the ergometer computer gets, the setting of the brake is output.

The integration of this measurements into the video playback and detailed training analysis will be done later.