Atmega asm (not a fix!!)

Would it be OK for me to ask for the last method 5 code? I'll return with some questions if I don't understand or get lost, if that's OK.
 
kr5 and kr6 should be pretty well covered in the atmega challenge sticky m8.
 

Take a look at the ATMega challenge thread. I think it's all pretty much in there.
 
Nice to see this thread is actually moving along at last

The problem really isn't that difficult to solve once people start to apply the knowledge that's already available.

@Tonmedia, well done so far. I'm glad somebody actually remembers the last lesson and is having a go. I'm watching this thread with interest ;)
 
I'm a bit unsure about creating the offset which is obviously variable. I'm assuming I need to use 2 values (0x10 - location of affected byte and 0x2D - first byte of key0). Does this sound about right to anyone?
 
I'm probably wrong, but I think you need to move the incorrect key to a free space area and patch the incorrect byte there before writing it back to the designated point for the appropriate key?
 
Think we need another copy of the actual EMM to make things a bit easier:


The problem you have essentially is that the actual EMM has references to byte addresses which don't equate to the actual address of the data in our data buffer. So the contents of location $10 in KEYMASK7 has a value that points to? Don't confuse this with XORing with 0x10. You need to massage the byte content of $10 so that it equates to the byte position of the byte we need to modify in our data buffer.

Sorry to labour on this point and not just hand out an answer but you'll learn a lot if you can actually figure this out, I'm also not very good at explaining things so that won't help either. :)
 
I think it will help if people can see 2 EMM's

Key0 changing
Key1 changing

Then they will understand the problem better.
 

Here's the key1 change:

Code:
3F -> Filter: ANY CARD
5401 PROVIDER ID (ntl)

FA -> RUN CODE FOR ROM10:
B6024EA410B8B7B7 B79B11021E02B602 4EA418B8BBB7BB1F 029AA626CC6B0100
0000000000835501 4205F570E3AD3F2D F8F442859128FFB5 7B3707ED

DISASSEMBLY OF CODE:
------------------------------

0081: B6 02 lda $02 ; Load in A
0083: 4E swapa ; Nibble exchange of A
0084: A4 10 and #$10 ; A= A and ...
0086: B8 B7 eor $B7 ; A= A xor ...
0088: B7 B7 sta $B7 ; Store A in...
008A: 9B sei ; I <-- 1
008B: 11 02 bclr0 $02 ; Bit 0 <-- 0
008D: 1E 02 bset7 $02 ; Bit 7 <-- 1
008F: B6 02 lda $02 ; Load in A
0091: 4E swapa ; Nibble exchange of A
0092: A4 18 and #$18 ; A= A and ...
0094: B8 BB eor $BB ; A= A xor ...
0096: B7 BB sta $BB ; Store A in...
0098: 1F 02 bclr7 $02 ; Bit 7 <-- 0
009A: 9A cli ; I <-- 0
009B: A6 26 lda #$26 ; Load in A
009D: CC 6B 01 jmp $6B01 ; Jump

BYTES DUMP:
---------------------
00A0: 00 00 00 00 00 00 83 55
00A8: 01 42 05 F5 70 E3 AD 3F
00B0: 2D F8 F4 42 85 91 28 FF
00B8: B5 7B 37 07 ED


michael
 
A couple of questions if I may!!

Code:
3F -> Filter: ANY CARD
5401 PROVIDER ID (ntl)

FA -> RUN CODE FOR ROM10:
B6024EA410B8B7B7 B79B11021E02B602 4EA418B8BBB7BB1F 029AA626CC6B0100
0000000000835501 4205F570E3AD3F2D F8F442859128FFB5 7B3707ED

DISASSEMBLY OF CODE:
------------------------------

0081: B6 02 lda $02 ; Load in A
0083: 4E swapa ; Nibble exchange of A
0084: A4 10 and #$10 ; A= A and ...
0086: B8 B7 eor $B7 ; A= A xor ...
0088: B7 B7 sta $B7 ; Store A in...
008A: 9B sei ; I <-- 1
008B: 11 02 bclr0 $02 ; Bit 0 <-- 0
008D: 1E 02 bset7 $02 ; Bit 7 <-- 1

I presume this bit handles the first byte swap on key 1


008F: B6 02 lda $02 ; Load in A
0091: 4E swapa ; Nibble exchange of A
0092: A4 18 and #$18 ; A= A and ...
0094: B8 BB eor $BB ; A= A xor ...
0096: B7 BB sta $BB ; Store A in...
0098: 1F 02 bclr7 $02 ; Bit 7 <-- 0
009A: 9A cli ; I <-- 0

I presume this bit handles the 2nd byte swap in Key 1

009B: A6 26 lda #$26 ; Load in A
009D: CC 6B 01 jmp $6B01 ; Jump

BYTES DUMP:
---------------------
00A0: 00 00 00 00 00 00 83 55
00A8: 01 42 05 F5 70 E3 AD 3F
00B0: 2D F8 F4 42 85 91 28 FF
00B8: B5 7B 37 07 ED

In this particular keyroll method, do these values remain constant? In other words, is it always the same bytes that swap with the value of $02? Have all the keyrolls of the last few days followed this protocol?
 
The values don't remain constant, so the affected byte may change and/or the value to xor with.
 
So would that be classed as a new keyroll method, or just something that needs to be built into this fix to take account of any variables?
 
Same method. It just means the code has to take into account the fact that these values may change, so it has to load the actual values/location rather than us just assuming what the bytes and the XOR value will be.
 
How do I go about getting

KEYMASKXTOP:

or am I missing a step in simulation?
 

This section is used to skip any bytes in the keymask data which are variable as they can't be used as part of the mask. The following is from a previous method.
 
Sorry, treat me as an idiot.

Now all I have been able to tell from the previous methods is that the beginning part is constants (to r18, 0x01).

What do I need to work from to get the mask keys?
 
Have a look at all the EMMs from all providers,
then compare them to each other,
note the values that change in their hex address,
make a keymask,
edit each changing byte to 0x00 or exclude them afterwards.
 