Xilinx ISE12.1 IPCORE source code

Prev: EDK BFM Simulation
Next: Xilinx' partition flow in ISE12.1

From: doomsten on 26 May 2010 23:50

---

1.the format of encrypted file
can_v3_2/can_tl_bsp.vhd as an example.
a)the first 8 bytes XlxV62EB is version code,From ISE11.1 Xilinx use
AES.
b)the first 8bytes of line2 is the length of the ciphertext.，it means
that the next segment of ciphertext is after 3300H
c)from 18h bytes is ciphertext which is made by the Zlib compress then
AES encrypted.

00000000h: 58 6C 78 56 36 32 45 42 20 20 20 20 66 61 30 30 ;
XlxV62EB fa00
00000010h: 20 20 20 20 33 33 30 30 79 69 0B DB A6 74 14 DA ;
3300yi.郐t.?
00000020h: 46 FE 2C 93 15 2C 28 A1 22 55 3A AA 55 20 4A DB ; F??,(?U:猆
J?
00000030h: 40 4D 51 E1 EA 28 AB AD 61 F5 57 7F 2B F4 CA 26 ; @MQ彡(a鮓
+
。。。。。。。。。。
00003310h: B9 64 BE 7E 02 BB 0F 56 58 6C 78 56 36 32 45 42 ; 筪緙.?
VXlxV62EB
00003320h: 20 20 20 20 36 38 35 63 20 20 20 20 31 34 66 30 ;
685c 14f0
00003330h: AF 07 8F 0F 8D F2 0E E6 50 1F 2F 71 0B 5A 80 A9 ; ??嶒.鍼./
q.Z

2.how to decrypt
a)With AES, each 16bytes block is encrypted under same AES key(256bit
Key)。
if the ciphertext can't be divided evenly,don't process these left
bytes。
b)XOR with the 16bytes initial data
c)replace the initial XOR data with this 16bit ciphertext.
d)go to a
e）combine to a file


3.download ZLIB fromhttp://www.zlib.net/
a）call the unpress function ;
b)the we got the source code :

4.how to find the key
uasm the libisl_iostreams.dll with IDA pro
we find

..text:10004D50
private: void __thiscall isl::iostreams::filter::xp_decrypt<class
isl::iostreams::filter::xp_aes_keys>::process_block_data(void)

..text:10004D50 ; CODE XREF:
sub_1000C9E0+3Dp
..text:10004D50
..text:10004D50 var_18 = dword ptr -18h
..text:10004D50 var_14 = dword ptr -14h
..text:10004D50 var_10 = dword ptr -10h
..text:10004D50 var_C = dword ptr -0Ch
..text:10004D50 var_4 = dword ptr -4
..text:10004D50
..text:10004D50 push 0FFFFFFFFh
..text:10004D52 push offset loc_1001B6D8
..text:10004D57 mov eax, large fs:0
..text:10004D5D push eax
..text:10004D5E sub esp, 0Ch
..text:10004D61 push ebx
..text:10004D62 push ebp
..text:10004D63 push esi
..text:10004D64 push edi
..text:10004D65 mov eax, dword_10032908
..text:10004D6A xor eax, esp
..text:10004D6C push eax
..text:10004D6D lea eax, [esp+2Ch+var_C]
..text:10004D71 mov large fs:0, eax
..text:10004D77 mov edi, ecx
..text:10004D79 lea ecx, [edi+9]
..text:10004D7C call ?
get_block_bytes(a)xp_header@detail(a)filter@iostreams(a)isl@@QBEIXZ ;
isl::iostreams::filter::detail::xp_header::get_block_bytes(void)
..text:10004D81 xor ebp, ebp
..text:10004D83 mov esi, eax
..text:10004D85 lea ebx, [edi+21h]
..text:10004D88 mov [esp+2Ch+var_18], ebp
..text:10004D8C mov [esp+2Ch+var_14], ebp
..text:10004D90 mov [esp+2Ch+var_10], ebp
..text:10004D94 lea eax, [esi+1]
..text:10004D97 push eax
..text:10004D98 lea ecx, [esp+30h+var_18]
..text:10004D9C mov [esp+30h+var_4], ebp
..text:10004DA0 call data_mv
..text:10004DA5 mov ecx, [edi]
..text:10004DA7 mov edx, [esp+2Ch+var_18]
..text:10004DAB push ebp
..text:10004DAC push ecx
..text:10004DAD push edx
..text:10004DAE push esi
..text:10004DAF push ebx
..text:10004DB0 call aes_process
<=============this function
..text:10004DB5 mov eax, [esp+40h+var_18]
..text:10004DB9 movsx ecx, byte ptr [eax+esi-1]
..text:10004DBE add esp, 14h
..text:10004DC1 sub esi, ecx
..text:10004DC3 push esi
..text:10004DC4 add edi, 8
..text:10004DC7 push eax
..text:10004DC8 mov ecx, edi
..text:10004DCA call ?
set_block(a)xp_header_reader@detail(a)filter@iostreams(a)isl@@QAEXPBDI@Z ;
isl::iostreams::filter::detail::xp_header_reader::set_block(char const
*,uint)
..text:10004DCF mov ecx, edi
..text:10004DD1 call ?
append_output(a)xp_header_reader@detail(a)filter@iostreams(a)isl@@QAEXXZ ;
isl::iostreams::filter::detail::xp_header_reader::append_output(void)
..text:10004DD6 lea ecx, [esp+2Ch+var_18]
..text:10004DDA mov [esp+2Ch+var_4], 0FFFFFFFFh
..text:10004DE2 call sub_10004F40
..text:10004DE7 mov ecx, [esp+2Ch+var_C]
..text:10004DEB mov large fs:0, ecx
..text:10004DF2 pop ecx
..text:10004DF3 pop edi
..text:10004DF4 pop esi
..text:10004DF5 pop ebp
..text:10004DF6 pop ebx
..text:10004DF7 add esp, 18h
..text:10004DFA retn
..text:10004DFA ?



..text:10004BC0 aes_process proc near ; CODE XREF:
isl::iostreams::filter::xp_decrypt<isl::iostreams::filter::xp_aes_keys>::process_block_data(void)
+60p
..text:10004BC0 ;
isl::iostreams::filter::xp_encrypt<isl::iostreams::filter::xp_aes_keys>::process_block_data(void)
+D2p
..text:10004BC0
..text:10004BC0 var_158 = byte ptr -158h
..text:10004BC0 var_64 = byte ptr -64h
..text:10004BC0 var_60 = byte ptr -60h
..text:10004BC0 var_44 = byte ptr -44h
..text:10004BC0 var_40 = byte ptr -40h
..text:10004BC0 var_4 = dword ptr -4
..text:10004BC0 arg_0 = dword ptr 4
..text:10004BC0 arg_4 = dword ptr 8
..text:10004BC0 arg_8 = dword ptr 0Ch
..text:10004BC0 arg_C = dword ptr 10h
..text:10004BC0 arg_10 = byte ptr 14h
..text:10004BC0
..text:10004BC0 sub esp, 158h
..text:10004BC6 mov eax, dword_10032908
..text:10004BCB xor eax, esp
..text:10004BCD mov [esp+158h+var_4], eax
..text:10004BD4 push ebx
..text:10004BD5 mov ebx, [esp+15Ch+arg_8]
..text:10004BDC push ebp
..text:10004BDD mov ebp, [esp+160h+arg_0]
..text:10004BE4 push esi
..text:10004BE5 mov esi, [esp+164h+arg_4]
..text:10004BEC push edi
..text:10004BED mov edi, [esp+168h+arg_C]
..text:10004BF4 mov eax, [edi]
..text:10004BF6 mov edx, [eax]
..text:10004BF8 lea ecx, [esp+168h+var_44]
..text:10004BFF push ecx
..text:10004C00 mov ecx, edi
..text:10004C02 call edx
..text:10004C04 cmp [esp+168h+arg_10], 0
..text:10004C0C mov ecx, edi
..text:10004C0E jz short loc_10004C2C
..text:10004C10 mov edx, [edi]
..text:10004C12 lea eax, [esp+168h+var_158]
..text:10004C16 push eax
..text:10004C17 mov eax, [edx+8]
..text:10004C1A call eax
..text:10004C1C push eax
..text:10004C1D lea ecx, [esp+16Ch+var_40]
..text:10004C24 push ecx
..text:10004C25 call enckeyexp
..text:10004C2A jmp short loc_10004C46
..text:10004C2C ;
---------------------------------------------------------------------------
..text:10004C2C
..text:10004C2C loc_10004C2C: ; CODE XREF:
aes_process+4Ej
..text:10004C2C mov eax, [edi]
..text:10004C2E lea edx, [esp+168h+var_158]
..text:10004C32 push edx
..text:10004C33 mov edx, [eax+8]
..text:10004C36 call edx
..text:10004C38 push eax
..text:10004C39 lea eax, [esp+16Ch+var_40]
..text:10004C40 push eax
..text:10004C41 call deckeyexp <===========Here we
will find the key
..text:10004C46
..text:10004C46 loc_10004C46: ; CODE XREF:
aes_process+6Aj
..text:10004C46 mov edx, [edi]
..text:10004C48 mov edx, [edx+4]
..text:10004C4B add esp, 0Ch
..text:10004C4E lea eax, [esp+164h+var_60]
..text:10004C55 push eax
..text:10004C56 mov ecx, edi
..text:10004C58 call edx
..text:10004C5A mov eax, esi
..text:10004C5C and eax, 0Fh
..text:10004C5F sub esi, eax
..text:10004C61 push eax ; Size
..text:10004C62 lea eax, [esi+ebp]
..text:10004C65 push eax ; Src
..text:10004C66 lea ecx, [ebx+esi]
..text:10004C69 push ecx ; Dst
..text:10004C6A call memcpy
..text:10004C6F add esp, 0Ch
..text:10004C72 cmp [esp+168h+arg_10], 0
..text:10004C7A jz short loc_10004C8D
..text:10004C7C push 1
..text:10004C7E lea edx, [esp+16Ch+var_64]
..text:10004C85 push edx
..text:10004C86 lea eax, [esp+170h+var_158]
..text:10004C8A push eax
..text:10004C8B jmp short loc_10004C9C
..text:10004C8D ;
---------------------------------------------------------------------------
..text:10004C8D
..text:10004C8D loc_10004C8D: ; CODE XREF:
aes_process+BAj
..text:10004C8D push 0
..text:10004C8F lea ecx, [esp+16Ch+var_64]
..text:10004C96 push ecx
..text:10004C97 lea edx, [esp+170h+var_158]
..text:10004C9B push edx
..text:10004C9C
..text:10004C9C loc_10004C9C: ; CODE XREF:
aes_process+CBj
..text:10004C9C push esi
..text:10004C9D push ebx
..text:10004C9E push ebp
..text:10004C9F call aes_blk <=========in this
function XOR seeds
..text:10004CA4 mov ecx, [esp+180h+var_4]
..text:10004CAB add esp, 18h
..text:10004CAE pop edi
..text:10004CAF pop esi
..text:10004CB0 pop ebp
..text:10004CB1 pop ebx
..text:10004CB2 xor ecx, esp
..text:10004CB4 call sub_1001A14C
..text:10004CB9 add esp, 158h
..text:10004CBF retn
..text:10004CBF aes_process endp

 | 
Pages: 1
Prev: EDK BFM Simulation
Next: Xilinx' partition flow in ISE12.1