Today's EMMs disassembled

fes_786

ok here are the new EMMs in the stream:

COMMAND $00: EMM
--------------------------------------------------------
21 00 53 A0 CA 00 00 4D 00 4B 54 01 A2 9C 69 38 02 79 48 CB FB 9B 92 CB D6 B9 35 B2 C3 0C 6C 4B 8F 75 11 52 A5 6B BE F9 F4 C1 A0 F1 3A D2 CF 5C 86 08 04 7E 5B 13 DD 09 B0 22 22 5C 80 E6 2F 02 C9 02 D9 6D 4F 35 99 2A C8 78 12 61 4A 4A EC A1 0D 8D 92 E7 73 05 BE

ID PROVIDER = 5401 (NTL)
KEYSELECT = A2 =B'10100010 PK=2 ¿bit 5? (TD $07->0)
SIGNATURE = 9C 69 38 02 79 48 CB FB
ENCRYPTED DATA =
9B 92 CB D6 B9 35 B2 C3 ; Block 1
0C 6C 4B 8F 75 11 52 A5 ; Block 2
6B BE F9 F4 C1 A0 F1 3A ; Block 3
D2 CF 5C 86 08 04 7E 5B ; Block 4
13 DD 09 B0 22 22 5C 80 ; Block 5
E6 2F 02 C9 02 D9 6D 4F ; Block 6
35 99 2A C8 78 12 61 4A ; Block 7
4A EC A1 0D 8D 92 E7 73 ; Block 8

Analysis:

DECRYPTED EMM:
--------------------------------------------------------

SIGNATURE: OK!


3F -> Filter: ANY CARD
5401 PROVIDER ID (NTL)

FA -> RUN CODE FOR ROM10:
CD823D1507100712 0714071107B607A4 074888B8AAB7AA84 B8B4B7B4CD8223A6
25CC6B0183550142 05D368005A293651 D14285E28754DF4D 01ECBA00

DISASSEMBLY OF CODE:
------------------------------

0081: CD 82 3D jsr $823D ; Go to subroutine
0084: 15 07 bclr2 $07 ; Bit 2 <-- 0
0086: 10 07 bset0 $07 ; Bit 0 <-- 1
0088: 12 07 bset1 $07 ; Bit 1 <-- 1
008A: 14 07 bset2 $07 ; Bit 2 <-- 1
008C: 11 07 bclr0 $07 ; Bit 0 <-- 0
008E: B6 07 lda $07 ; Load in A
0090: A4 07 and #$07 ; A= A and ...
0092: 48 lsla ; a << 1
0093: 88 push a ; Stack <- A
0094: B8 AA eor $AA ; A= A xor ...
0096: B7 AA sta $AA ; Store A in...
0098: 84 pop a ; Stack -> A
0099: B8 B4 eor $B4 ; A= A xor ...
009B: B7 B4 sta $B4 ; Store A in...
009D: CD 82 23 jsr $8223 ; Go to subroutine
00A0: A6 25 lda #$25 ; Load in A
00A2: CC 6B 01 jmp $6B01 ; Jump

BYTES DUMP:
---------------------
00A5: 83 55 01 42 05 D3 68 00
00AD: 5A 29 36 51 D1 42 85 E2
00B5: 87 54 DF 4D 01 EC BA 00




EMM DECRYPTED RAW BYTES:
-------------------------
3F5401FACD823D15071007120714071107B607A4074888B8AAB7AA84B8B4B7B4CD8223A625CC6B018355014205D368005A293651D14285E28754DF4D01ECBA00

DISASSEMBLY OF CODE:
------------------------------

0081: 21 00 brn $83 ; Branch never
0083: 53 comx ; One's complement of X
0084: A0 CA sub #$CA ; A=A - ...
0086: 00 00 4D brset0 IOREG, $D6 ; Branch if bit 0 set
0089: 00 4B 54 brset0 RC1L, $E0 ; Branch if bit 0 set
008C: 01 A2 9C brclr0 $A2, $2B ; Branch if bit 0 clear
008F: 69 38 rol $38, X ; << 1 (Circular)
0091: 02 79 48 brset1 $79, $DC ; Branch if bit 1 set
0094: CB FB 9B add $FB9B ; A=A + ...
0097: 92 CB D6 add [$D6:$D7] ; A=A + ...
009A: B9 35 adc $35 ; A=A + ... (with carry)
009C: B2 C3 sbc $C3 ; A=A - ... (with carry)
009E: 0C 6C 4B brset6 $6C, $EC ; Branch if bit 6 set
00A1: 8F wait ; Wait interrupt
00A2: 75 $X
00A3: 11 52 bclr0 $52 ; Bit 0 <-- 0
00A5: A5 6B bit #$6B ; Compare with A
00A7: BE F9 ldx $F9 ; Load in X
00A9: F4 and $X ; A= A and ...
00AA: C1 A0 F1 cmp $A0F1 ; Compare with A
00AD: 3A D2 dec $D2 ; -=1
00AF: CF 5C 86 stx $5C86 ; Save X in
00B2: 08 04 7E brset4 $04, $0133 ; Branch if bit 4 set
00B5: 5B
00B6: 13 DD bclr1 $DD ; Bit 1 <-- 0
00B8: 09 B0 22 brclr4 $B0, $DD ; Branch if bit 4 clear
00BB: 22 5C bhi $0119 ; Branch if >
00BD: 80 rti ; Return from interrupt


BYTES DUMP:
---------------------
00BE: E6 2F 02 C9 02 D9 6D 4F
00C6: 35 99 2A C8 78 12 61 4A
00CE: 4A EC A1 0D 8D 92 E7 73

00D6: 05 BE 00 brclr2 $BE, $D9 ; Branch if bit 2 clear
 
2nd emm

COMMAND $00: EMM
--------------------------------------------------------
21 00 53 A0 CA 00 00 4D 00 4B 54 01 AA 7A 46 2C 24 46 5E AB D2 65 55 47 F8 95 58 1E 24 CE BF 9A 47 0F FC 65 76 EB 16 9E 6A E9 A5 AC B6 EB B8 EF 0A A7 6A FD 4C 42 F2 58 7D ED CB 08 2E C2 F5 6F C1 2B A4 65 BD 48 09 F0 83 C4 1E 37 73 6F 2B 8F 47 EC CF 71 09 05 30

ID PROVIDER = 5401 (NTL)
KEYSELECT = AA =B'10101010 PK=2 ¿bit 5? (TD $07->1)
SIGNATURE = 7A 46 2C 24 46 5E AB D2
ENCRYPTED DATA =
65 55 47 F8 95 58 1E 24 ; Block 1
CE BF 9A 47 0F FC 65 76 ; Block 2
EB 16 9E 6A E9 A5 AC B6 ; Block 3
EB B8 EF 0A A7 6A FD 4C ; Block 4
42 F2 58 7D ED CB 08 2E ; Block 5
C2 F5 6F C1 2B A4 65 BD ; Block 6
48 09 F0 83 C4 1E 37 73 ; Block 7
6F 2B 8F 47 EC CF 71 09 ; Block 8


Analysis

DECRYPTED EMM:
--------------------------------------------------------
SIGNATURE: BAD(00FC9CCB0C5AD6FC)
DECRYPTED BAD DATA: 1E8EC329A974E48E1B6A1EBEC6AFA550C6D72E46A695E4C08A0E62BEC3565F43E6D826C7E866F476D813A45C3C96531609B1627CE4E65A5F85EC63D0383678FD
-- Trying decrypt with signature exchange...
NEW EMM SIGNATURE: 9C6938027948CBFB

SIGNATURE: OK!
3F -> Filter: ANY CARD
5401 PROVIDER ID (NTL)

FA -> RUN CODE FOR ROM10:
CD823D1507100712 0714071107B607A4 074888B8AAB7AA84 B8B4B7B4CD8223A6
25CC6B0183550142 05D368005A293651 D14285E28754DF4D 01ECBA00

DISASSEMBLY OF CODE:
------------------------------

0081: CD 82 3D jsr $823D ; Go to subroutine
0084: 15 07 bclr2 $07 ; Bit 2 <-- 0
0086: 10 07 bset0 $07 ; Bit 0 <-- 1
0088: 12 07 bset1 $07 ; Bit 1 <-- 1
008A: 14 07 bset2 $07 ; Bit 2 <-- 1
008C: 11 07 bclr0 $07 ; Bit 0 <-- 0
008E: B6 07 lda $07 ; Load in A
0090: A4 07 and #$07 ; A= A and ...
0092: 48 lsla ; a << 1
0093: 88 push a ; Stack <- A
0094: B8 AA eor $AA ; A= A xor ...
0096: B7 AA sta $AA ; Store A in...
0098: 84 pop a ; Stack -> A
0099: B8 B4 eor $B4 ; A= A xor ...
009B: B7 B4 sta $B4 ; Store A in...
009D: CD 82 23 jsr $8223 ; Go to subroutine
00A0: A6 25 lda #$25 ; Load in A
00A2: CC 6B 01 jmp $6B01 ; Jump

BYTES DUMP:
---------------------
00A5: 83 55 01 42 05 D3 68 00
00AD: 5A 29 36 51 D1 42 85 E2
00B5: 87 54 DF 4D 01 EC BA 00




EMM DECRYPTED RAW BYTES:
-------------------------
3F5401FACD823D15071007120714071107B607A4074888B8AAB7AA84B8B4B7B4CD8223A625CC6B018355014205D368005A293651D14285E28754DF4D01ECBA00

DISASSEMBLY OF CODE:
------------------------------

0081: 21 00 brn $83 ; Branch never
0083: 53 comx ; One's complement of X
0084: A0 CA sub #$CA ; A=A - ...
0086: 00 00 4D brset0 IOREG, $D6 ; Branch if bit 0 set
0089: 00 4B 54 brset0 RC1L, $E0 ; Branch if bit 0 set
008C: 01 AA 7A brclr0 $AA, $0109 ; Branch if bit 0 clear
008F: 46 rora ; a >> 1 (Circular)
0090: 2C 24 bmc $B6 ; Branch if mask=0
0092: 46 rora ; a >> 1 (Circular)
0093: 5E swapx ; Nibble exchange of X
0094: AB D2 add #$D2 ; A=A + ...
0096: 65 55 $55, X
0098: 47 asra ; a >> 1 (arithmetic)
0099: F8 eor $X ; A= A xor ...
009A: 95
009B: 58 lslx ; x << 1
009C: 1E 24 bset7 $24 ; Bit 7 <-- 1
009E: CE BF 9A ldx $BF9A ; Load in X
00A1: 47 asra ; a >> 1 (arithmetic)
00A2: 0F FC 65 brclr7 $FC, $010A ; Branch if bit 7 clear
00A5: 76 ror $X ; >> 1 (Circular)
00A6: EB 16 add $16, X ; A=A + ...
00A8: 9E tsa ; SP --> A
00A9: 6A E9 dec $E9, X ; -=1
00AB: A5 AC bit #$AC ; Compare with A
00AD: B6 EB lda $EB ; Load in A
00AF: B8 EF eor $EF ; A= A xor ...
00B1: 0A A7 6A brset5 $A7, $011E ; Branch if bit 5 set
00B4: FD jsr $X ; Go to subroutine
00B5: 4C inca ; a++
00B6: 42 mul ; Multiply X * A -> X:A
00B7: F2 sbc $X ; A=A - ... (with carry)
00B8: 58 lslx ; x << 1
00B9: 7D tst $X ; Test
00BA: ED CB jsr $CB, X ; Go to subroutine
00BC: 08 2E C2 brset4 $2E, $81 ; Branch if bit 4 set
00BF: F5 bit $X ; Compare with A
00C0: 6F C1 clr $C1, X ; <-- 0
00C2: 2B A4 bmi $68 ; Branch if <0
00C4: 65 BD $BD, X
00C6: 48 lsla ; a << 1
00C7: 09 F0 83 brclr4 $F0, RC2L ; Branch if bit 4 clear
00CA: C4 1E 37 and $1E37 ; A= A and ...
00CD: 73 com $X ; One's complement
00CE: 6F 2B clr $2B, X ; <-- 0
00D0: 8F wait ; Wait interrupt
00D1: 47 asra ; a >> 1 (arithmetic)
00D2: EC CF jmp $CF, X ; Jump


BYTES DUMP:
---------------------
00D4: 71 09

00D6: 05 30 00 brclr2 $30, $D9 ; Branch if bit 2 clear
 
Can you explain to people what it means?
 
3rd emm

COMMAND $00: EMM
--------------------------------------------------------
21 40 53 A0 CA 00 00 4D 00 4B 54 01 42 D9 B1 65 5E C0 F0 84 B0 52 84 54 09 DB 53 59 4B 7A 3E F4 0A 66 61 64 25 FB EA 5E EF A5 BB 90 EA F2 FF 30 1F E8 1F B5 5E E5 8D 5B A6 1A 75 F1 AE F6 7E 32 BE 35 7C 61 37 E0 8B DC A8 63 DB 3C FA 53 6C 58 25 70 E7 19 24 05 3B

ID PROVIDER = 5401 (NTL)
KEYSELECT = 42 =B'01000010 PK=2 (TD $07->0)
SIGNATURE = D9 B1 65 5E C0 F0 84 B0
ENCRYPTED DATA =
52 84 54 09 DB 53 59 4B ; Block 1
7A 3E F4 0A 66 61 64 25 ; Block 2
FB EA 5E EF A5 BB 90 EA ; Block 3
F2 FF 30 1F E8 1F B5 5E ; Block 4
E5 8D 5B A6 1A 75 F1 AE ; Block 5
F6 7E 32 BE 35 7C 61 37 ; Block 6
E0 8B DC A8 63 DB 3C FA ; Block 7
53 6C 58 25 70 E7 19 24 ; Block 8

Analysis

DECRYPTED EMM:
--------------------------------------------------------

SIGNATURE: OK!


3F -> Filter: ANY CARD
5401 PROVIDER ID (NTL)

FB -> RUN CODE FOR ROM11:
CD97931507100712 0714071107B607A4 074888B8AAB7AA84 B8B4B7B4CD977CA6
25CC58F583550142 05D368005A293651 D14285E28754DF4D 01ECBA00

DISASSEMBLY OF CODE:
------------------------------

0081: CD 97 93 jsr $9793 ; Go to subroutine
0084: 15 07 bclr2 $07 ; Bit 2 <-- 0
0086: 10 07 bset0 $07 ; Bit 0 <-- 1
0088: 12 07 bset1 $07 ; Bit 1 <-- 1
008A: 14 07 bset2 $07 ; Bit 2 <-- 1
008C: 11 07 bclr0 $07 ; Bit 0 <-- 0
008E: B6 07 lda $07 ; Load in A
0090: A4 07 and #$07 ; A= A and ...
0092: 48 lsla ; a << 1
0093: 88 push a ; Stack <- A
0094: B8 AA eor $AA ; A= A xor ...
0096: B7 AA sta $AA ; Store A in...
0098: 84 pop a ; Stack -> A
0099: B8 B4 eor $B4 ; A= A xor ...
009B: B7 B4 sta $B4 ; Store A in...
009D: CD 97 7C jsr $977C ; Go to subroutine
00A0: A6 25 lda #$25 ; Load in A
00A2: CC 58 F5 jmp $58F5 ; Jump

BYTES DUMP:
---------------------
00A5: 83 55 01 42 05 D3 68 00
00AD: 5A 29 36 51 D1 42 85 E2
00B5: 87 54 DF 4D 01 EC BA 00




EMM DECRYPTED RAW BYTES:
-------------------------
3F5401FBCD979315071007120714071107B607A4074888B8AAB7AA84B8B4B7B4CD977CA625CC58F58355014205D368005A293651D14285E28754DF4D01ECBA00

DISASSEMBLY OF CODE:
------------------------------

0081: 21 40 brn $C3 ; Branch never
0083: 53 comx ; One's complement of X
0084: A0 CA sub #$CA ; A=A - ...
0086: 00 00 4D brset0 IOREG, $D6 ; Branch if bit 0 set
0089: 00 4B 54 brset0 RC1ADDRL, $E0 ; Branch if bit 0 set
008C: 01 42 D9 brclr0 $42, EEWRITEOKBITS; Branch if bit 0 clear
008F: B1 65 cmp STATS3 ; Compare with A
0091: 5E swapx ; Nibble exchange of X
0092: C0 F0 84 sub $F084 ; A=A - ...
0095: B0 52 sub FLAGS2 ; A=A - ...
0097: 84 pop a ; Stack -> A
0098: 54 lsrx ; x >> 1
0099: 09 DB 53 brclr4 $DB, $EF ; Branch if bit 4 clear
009C: 59 rolx ; x << 1 (Circular)
009D: 4B
009E: 7A dec $X ; -=1
009F: 3E F4 $F4
00A1: 0A 66 61 brset5 $66, $0105 ; Branch if bit 5 set
00A4: 64 25 lsr $25, X ; >> 1
00A6: FB add $X ; A=A + ...
00A7: EA 5E ora $5E, X ; A= A or ...
00A9: EF A5 stx $A5, X ; Save X in
00AB: BB 90 add $90 ; A=A + ...
00AD: EA F2 ora $F2, X ; A= A or ...
00AF: FF stx $X ; Save X in
00B0: 30 1F neg $1F ; Negate
00B2: E8 1F eor $1F, X ; A= A xor ...
00B4: B5 5E bit INFOFIELDPTR ; Compare with A
00B6: E5 8D bit $8D, X ; Compare with A
00B8: 5B
00B9: A6 1A lda #$1A ; Load in A
00BB: 75 $X
00BC: F1 cmp $X ; Compare with A
00BD: AE F6 ldx #$F6 ; Load in X
00BF: 7E $X
00C0: 32 BE $BE
00C2: 35 7C $7C
00C4: 61 37 $37, X
00C6: E0 8B sub $8B, X ; A=A - ...
00C8: DC A8 63 jmp $A863, X ; Jump


BYTES DUMP:
---------------------
00CB: DB 3C FA 53 6C 58 25 70
00D3: E7 19 24

00D6: 05 3B 00 brclr2 $3B, $D9 ; Branch if bit 2 clear
 
4th emm

COMMAND $00: EMM
--------------------------------------------------------
21 40 53 A0 CA 00 00 4D 00 4B 54 01 A2 8F 58 68 70 C1 3C F2 6A BC 4E F5 F9 80 8B D1 2F E3 24 EE C2 4E EA 32 83 AD CE 1F 7A DF CE C0 DE 2F 67 EC 64 62 EF 7B 59 93 16 4D FA F4 FD 35 40 38 B2 DA F7 80 6E 77 11 2B C2 D2 1C 74 89 EA 5E C4 87 3E C6 B4 4F 8F 35 05 60

ID PROVIDER = 5401 (NTL)
KEYSELECT = A2 =B'10100010 PK=2 ¿bit 5? (TD $07->0)
SIGNATURE = 8F 58 68 70 C1 3C F2 6A
ENCRYPTED DATA =
BC 4E F5 F9 80 8B D1 2F ; Block 1
E3 24 EE C2 4E EA 32 83 ; Block 2
AD CE 1F 7A DF CE C0 DE ; Block 3
2F 67 EC 64 62 EF 7B 59 ; Block 4
93 16 4D FA F4 FD 35 40 ; Block 5
38 B2 DA F7 80 6E 77 11 ; Block 6
2B C2 D2 1C 74 89 EA 5E ; Block 7
C4 87 3E C6 B4 4F 8F 35 ; Block 8

Analysis

DECRYPTED EMM:
--------------------------------------------------------

SIGNATURE: OK!


3F -> Filter: ANY CARD
5401 PROVIDER ID (NTL)

F7 -> RUN CODE FOR ROM7:
A6AAB720A600AE21 D6FFFFC800A5C700 A5D6FFFFC800AFC7 00AFA620CC48BB83
550142057F68005A 293651D142854E87 54DF4D01ECBA0000 00000000

DISASSEMBLY OF CODE:
------------------------------

0081: A6 AA lda #$AA ; Load in A
0083: B7 20 sta RAMCODE0 ; Store A in...
0085: A6 00 lda #$00 ; Load in A
0087: AE 21 ldx #$21 ; Load in X
0089: D6 FF FF lda $FFFF, X ; Load in A
008C: C8 00 A5 eor $A5 ; A= A xor ...
008F: C7 00 A5 sta $A5 ; Store A in...
0092: D6 FF FF lda $FFFF, X ; Load in A
0095: C8 00 AF eor $AF ; A= A xor ...
0098: C7 00 AF sta $AF ; Store A in...
009B: A6 20 lda #$20 ; Load in A
009D: CC 48 BB jmp FILTEROK ; 2


BYTES DUMP:
---------------------
00A0: 83 55 01 42 05 7F 68 00
00A8: 5A 29 36 51 D1 42 85 4E
00B0: 87 54 DF 4D 01 EC BA 00
00B8: 00 00 00 00 00




EMM DECRYPTED RAW BYTES:
-------------------------
3F5401F7A6AAB720A600AE21D6FFFFC800A5C700A5D6FFFFC800AFC700AFA620CC48BB83550142057F68005A293651D142854E8754DF4D01ECBA000000000000

DISASSEMBLY OF CODE:
------------------------------

0081: 21 40 brn $C3 ; Branch never
0083: 53 comx ; One's complement of X
0084: A0 CA sub #$CA ; A=A - ...
0086: 00 00 4D brset0 IOREG, $D6 ; Branch if bit 0 set
0089: 00 4B 54 brset0 STATS3, $E0 ; Branch if bit 0 set
008C: 01 A2 8F brclr0 $A2, $1E ; Branch if bit 0 clear
008F: 58 lslx ; x << 1
0090: 68 70 lsl $70, X ; << 1
0092: C1 3C F2 cmp $3CF2 ; Compare with A
0095: 6A BC dec $BC, X ; -=1
0097: 4E swapa ; Nibble exchange of A
0098: F5 bit $X ; Compare with A
0099: F9 adc $X ; A=A + ... (with carry)
009A: 80 rti ; Return from interrupt


BYTES DUMP:
---------------------
009B: 8B D1 2F E3 24 EE C2 4E
00A3: EA 32 83 AD CE 1F 7A DF
00AB: CE C0 DE 2F 67 EC 64 62
00B3: EF 7B 59 93 16 4D FA F4
00BB: FD 35 40 38 B2 DA F7 80

00C3: 6E 77 $77, X
00C5: 11 2B bclr0 RAMCODE2 ; Bit 0 <-- 0
00C7: C2 D2 1C sbc $D21C ; A=A - ... (with carry)
00CA: 74 lsr $X ; >> 1
00CB: 89 push x ; Stack <- X
00CC: EA 5E ora $5E, X ; A= A or ...
00CE: C4 87 3E and $873E ; A= A and ...
00D1: C6 B4 4F lda $B44F ; Load in A
00D4: 8F wait ; Wait interrupt
00D5: 35 05 $05
00D7: 60 00 neg $00, X
 
5th emm

COMMAND $00: EMM
--------------------------------------------------------
21 00 53 A0 CA 00 00 4D 00 4B 54 01 A2 24 EF 12 5F 12 25 6E 66 34 1F 65 4F E7 C8 C3 86 5D DF A1 22 CD 0D 9B A2 A7 68 C4 1D A9 7E 33 72 FE 5A EF 0B 46 13 33 A3 B8 0C C9 B9 76 F2 03 20 19 AE 6A 06 F4 A2 D0 36 EC FF AF A2 67 F8 11 A3 93 98 4C C6 16 45 4A 82 05 E2

ID PROVIDER = 5401 (NTL)
KEYSELECT = A2 =B'10100010 PK=2 ¿bit 5? (TD $07->0)
SIGNATURE = 24 EF 12 5F 12 25 6E 66
ENCRYPTED DATA =
34 1F 65 4F E7 C8 C3 86 ; Block 1
5D DF A1 22 CD 0D 9B A2 ; Block 2
A7 68 C4 1D A9 7E 33 72 ; Block 3
FE 5A EF 0B 46 13 33 A3 ; Block 4
B8 0C C9 B9 76 F2 03 20 ; Block 5
19 AE 6A 06 F4 A2 D0 36 ; Block 6
EC FF AF A2 67 F8 11 A3 ; Block 7
93 98 4C C6 16 45 4A 82 ; Block 8

Analysis

DECRYPTED EMM:
--------------------------------------------------------
SIGNATURE: BAD(92E845928F0CF93B)
DECRYPTED BAD DATA: 3800E1678428A7D5422A486E8F44CB2CACCFBF497EEF49278E8255F96FCD7F636116A5C10E66B95FC8EC7B9816E365F4B09414E3F39D6F83BC47601A6C033D7F
-- Trying decrypt with signature exchange...
NEW EMM SIGNATURE: 8F586870C13CF26A

SIGNATURE: OK!
3F -> Filter: ANY CARD
5401 PROVIDER ID (NTL)

F7 -> RUN CODE FOR ROM7:
A6AAB720A600AE21 D6FFFFC800A5C700 A5D6FFFFC800AFC7 00AFA620CC48BB83
550142057F68005A 293651D142854E87 54DF4D01ECBA0000 00000000

DISASSEMBLY OF CODE:
------------------------------

0081: A6 AA lda #$AA ; Load in A
0083: B7 20 sta RAMCODE0 ; Store A in...
0085: A6 00 lda #$00 ; Load in A
0087: AE 21 ldx #$21 ; Load in X
0089: D6 FF FF lda $FFFF, X ; Load in A
008C: C8 00 A5 eor $A5 ; A= A xor ...
008F: C7 00 A5 sta $A5 ; Store A in...
0092: D6 FF FF lda $FFFF, X ; Load in A
0095: C8 00 AF eor $AF ; A= A xor ...
0098: C7 00 AF sta $AF ; Store A in...
009B: A6 20 lda #$20 ; Load in A
009D: CC 48 BB jmp FILTEROK ; 2


BYTES DUMP:
---------------------
00A0: 83 55 01 42 05 7F 68 00
00A8: 5A 29 36 51 D1 42 85 4E
00B0: 87 54 DF 4D 01 EC BA 00
00B8: 00 00 00 00 00




EMM DECRYPTED RAW BYTES:
-------------------------
3F5401F7A6AAB720A600AE21D6FFFFC800A5C700A5D6FFFFC800AFC700AFA620CC48BB83550142057F68005A293651D142854E8754DF4D01ECBA000000000000

DISASSEMBLY OF CODE:
------------------------------

0081: 21 00 brn $83 ; Branch never
0083: 53 comx ; One's complement of X
0084: A0 CA sub #$CA ; A=A - ...
0086: 00 00 4D brset0 IOREG, $D6 ; Branch if bit 0 set
0089: 00 4B 54 brset0 STATS3, $E0 ; Branch if bit 0 set
008C: 01 A2 24 brclr0 $A2, $B3 ; Branch if bit 0 clear
008F: EF 12 stx $12, X ; Save X in
0091: 5F clrx ; x <-- 0
0092: 12 25 bset1 TEMPA ; Bit 1 <-- 1
0094: 6E 66 $66, X
0096: 34 1F lsr $1F ; >> 1
0098: 65 4F $4F, X
009A: E7 C8 sta $C8, X ; Store A in...
009C: C3 86 5D cpx $865D ; Compare with X
009F: DF A1 22 stx $A122, X ; Save X in
00A2: CD 0D 9B jsr $0D9B ; Go to subroutine
00A5: A2 A7 sbc #$A7 ; A=A - ... (with carry)
00A7: 68 C4 lsl $C4, X ; << 1
00A9: 1D A9 bclr6 $A9 ; Bit 6 <-- 0
00AB: 7E $X
00AC: 33 72 com $72 ; One's complement
00AE: FE ldx $X ; Load in X
00AF: 5A decx ; x--
00B0: EF 0B stx $0B, X ; Save X in
00B2: 46 rora ; a >> 1 (Circular)
00B3: 13 33 bclr1 FLAGS3 ; Bit 1 <-- 0
00B5: A3 B8 cpx #$B8 ; Compare with X
00B7: 0C C9 B9 brset6 $C9, $73 ; Branch if bit 6 set
00BA: 76 ror $X ; >> 1 (Circular)
00BB: F2 sbc $X ; A=A - ... (with carry)
00BC: 03 20 19 brclr1 RAMCODE0, $D8 ; Branch if bit 1 clear
00BF: AE 6A ldx #$6A ; Load in X
00C1: 06 F4 A2 brset3 $F4, $66 ; Branch if bit 3 set
00C4: D0 36 EC sub $36EC, X ; A=A - ...
00C7: FF stx $X ; Save X in
00C8: AF A2 #$A2
00CA: 67 F8 asr $F8, X ; >> 1 (arithmetic)
00CC: 11 A3 bclr0 $A3 ; Bit 0 <-- 0
00CE: 93
00CF: 98 clc ; C <-- 0
00D0: 4C inca ; a++
00D1: C6 16 45 lda $1645 ; Load in A
00D4: 4A deca ; a--
00D5: 82
00D6: 05 E2 00 brclr2 $E2, $D9 ; Branch if bit 2 clear
 
ok guys, I'm still learning here

but I reckon these are the new key roll EMMs

I think someone with a bit more knowledge can explain more about it

and peeps who know what they're doing can easily implement this in the fun AU hexes

I posted them like this to make it easier for peeps

plus a bit of technical discussion
 
The disasms at the bottom of each post are incorrect as you disasmed the encrypted packet (complete with headers etc.). Only the top section of each is relevant.

Just gonna have a look at them now.

DISASSEMBLY OF CODE:
------------------------------

0081: CD 82 3D jsr $823D ; Go to subroutine
0084: 15 07 bclr2 $07 ; Bit 2 <-- 0
0086: 10 07 bset0 $07 ; Bit 0 <-- 1
0088: 12 07 bset1 $07 ; Bit 1 <-- 1
008A: 14 07 bset2 $07 ; Bit 2 <-- 1
008C: 11 07 bclr0 $07 ; Bit 0 <-- 0
008E: B6 07 lda $07 ; Load in A
0090: A4 07 and #$07 ; A= A and ...
0092: 48 lsla ; a << 1
0093: 88 push a ; Stack <- A
0094: B8 AA eor $AA ; A= A xor ...
0096: B7 AA sta $AA ; Store A in...
0098: 84 pop a ; Stack -> A
0099: B8 B4 eor $B4 ; A= A xor ...
009B: B7 B4 sta $B4 ; Store A in...
009D: CD 82 23 jsr $8223 ; Go to subroutine
00A0: A6 25 lda #$25 ; Load in A
00A2: CC 6B 01 jmp $6B01 ; Jump

BYTES DUMP:
---------------------
00A5: 83 55 01 42 05 D3 68 00
00AD: 5A 29 36 51 D1 42 85 E2
00B5: 87 54 DF 4D 01 EC BA 00


Routine seems to just modify some code in the emmbuff then re-enter normal emm execution with filterOK to process a normal keyroll. The bit that needs investigation is the "CD 82 23 jsr $8223". This code includes an SWI, so we would need to look at the bugcatcher code.
I will have a look when I get home later.

edcase
 
oops, soz for that (was trying to be helpful)


was just trying to be helpful

erm, do you want me to edit out the bottom of all posts?

and I'm just looking at nozzer's ATmega challenge thread

and wondering what source file we need etc.

because I think that one is for ATmega

and the thread is very interesting
 
Not quite sure what you've done here but -

Code:

The disassembly bears no relationship to the raw.

From the raw you should have -

Code:


Just beat you to it nozzer lol.
I will be back in about an hour anyway, so I'll have a proper look then.

edc.
 
Looks to me like the data bytes $AA and $B4 within the EMM are being XOR'ed with binary 110 before the keys are written.
 
nozzer, would this piece of code do the XORing?

LDS R16, (MP + 0x2D)
LDI R17, 0x3
EOR R16, R17
STS (MP + 0x2D), R16

ignore the offsets, I'm just after it logically and syntactically. I've created and updated flash, but unless excw EMMs are diff the first byte of each key is not correct.
 
Just realised I'm a klutz and have figured out why it's not working, the 0x3 is to blame :)
 