Saturday 13 April 2013

USB Missile Launcher + Delphi CRACKED!!!

 
Soooooo, this mysterious USB missile launcher that I couldn't crack has been bugging me ever since I wanted to reverse engineer it in early 2012 (read the earlier post).

I have read tons and tons of articles where people have tried to figure out how the tenxHID.dll function exports work and what their parameters are.

People have been in touch with the original manufacturers, people have sent emails to every possible forum, and it took me through the deepest parts of the internet in order to crack its secrets.

Through forums, mailing lists, original chip manufacturer, disassembly software, usb sniffers and even unknown chinese websites.

For over a year I have been walking around wanting to crack this son of a bitch.

And today, well, yesterday, and tonight, I told myself "I have to put an end to this bullshit.", and it turns out not to be that hard a task after all.

All I needed to do was to send it two types of byte arrays (or packets, or frames, or whatever you want to call it), in 4 steps.

1. Two separate 8 byte arrays, which initiate the device,
2. One 8 byte array which tells the device what to do (left, right, up, down, fire),
3. Two 8 byte arrays for initiation again,
4. and lastly one 64 byte array to stop the device, or else it would just keep going and going once you told it what to do.

I figured this out using a USB sniffer and Project Jedi as the USB HID component for Delphi XE 2.

Now the thing was that the device itself was recognized as two separate HID devices with the same VID and PID, but different Hardware IDs.

So whenever you plug it in you will see two devices get connected.

And a lot of people have managed to send 8 bytes to the device,
but never the 64 bytes.

The trick and solution to this was that the first HID handles the 64 byte array which stops the device,
and the second HID handles the 8 byte array.
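The report sequence above (two 8 byte init reports, one 8 byte command, two init reports again, one 64 byte stop) and the routing rule (the first HID takes the 64 byte report, the second HID takes the 8 byte ones) are easy to get wrong if you write each report by hand, so here is an added example, not the blog author's Delphi project, that encodes both as one function. The byte values are constructed placeholders, since the post does not print the real payloads; substitute what your own USB sniffer captured. The hidapi transport assumes the `hidapi` PyPI package and assumes that the lower `interface_number` is the "first" HID, which you should confirm against your capture. The length check matters because the Windows HID class driver rejects a write whose buffer is not exactly the output report length, which is the usual reason the 64 byte report never gets through.

```python
# Added example (not the blog author's code): replays the six-report sequence
# the post describes and routes each report to the right one of the two HID
# interfaces that share the launcher's VID/PID. All payload bytes below are
# constructed placeholders; the page does not give the real values.

from typing import List, Tuple

REPORT_LENGTHS = (8, 64)   # the only two output report sizes the post mentions

# Placeholder reports (constructed; NOT the launcher's real bytes).
INIT_A = bytes([0xA1]) + bytes(7)      # first 8-byte init report
INIT_B = bytes([0xA2]) + bytes(7)      # second 8-byte init report
STOP = bytes([0x5F]) + bytes(63)       # 64-byte stop report
COMMANDS = {                            # 8-byte command reports
    "left":  bytes([0xC1]) + bytes(7),
    "right": bytes([0xC2]) + bytes(7),
    "up":    bytes([0xC3]) + bytes(7),
    "down":  bytes([0xC4]) + bytes(7),
    "fire":  bytes([0xC5]) + bytes(7),
}

FIRST_HID, SECOND_HID = 0, 1


def is_valid_report(report: bytes) -> bool:
    """Windows' HID class driver rejects a write whose buffer is not the exact
    output report length, so anything but 8 or 64 bytes is a bug here."""
    return len(report) in REPORT_LENGTHS


def route(report: bytes) -> int:
    """Pick the interface: the first HID owns the 64-byte stop report, the
    second HID owns every 8-byte report (the post's key finding)."""
    if not is_valid_report(report):
        raise ValueError(f"report must be 8 or 64 bytes, got {len(report)}")
    return FIRST_HID if len(report) == 64 else SECOND_HID


def command_sequence(action: str) -> List[bytes]:
    """The four steps from the post, expanded into the six reports they send."""
    cmd = COMMANDS[action]               # KeyError for an unknown action
    return [INIT_A, INIT_B, cmd, INIT_A, INIT_B, STOP]


def send_command(transport, action: str) -> List[Tuple[int, int]]:
    """Write the sequence through transport.write(hid_index, report) and
    return the (interface, length) trail so the routing can be inspected."""
    trail = []
    for report in command_sequence(action):
        hid_index = route(report)
        transport.write(hid_index, report)
        trail.append((hid_index, len(report)))
    return trail


class FakeTransport:
    """Offline stand-in that records writes instead of touching USB."""

    def __init__(self) -> None:
        self.log: List[Tuple[int, bytes]] = []

    def write(self, hid_index: int, report: bytes) -> None:
        self.log.append((hid_index, bytes(report)))


class HidapiTransport:
    """Real transport over the 'hidapi' PyPI package (assumed installed).
    Which enumerated interface is "first" is assumed to be the one with the
    lower interface_number; verify that against your own sniffer capture."""

    def __init__(self, vendor_id: int, product_id: int) -> None:
        import hid  # imported lazily so the offline example needs no USB stack
        infos = sorted(hid.enumerate(vendor_id, product_id),
                       key=lambda d: (d.get("interface_number", 0), d["path"]))
        if len(infos) < 2:
            raise RuntimeError("expected two HID interfaces with this VID/PID")
        self.devs = []
        for info in infos[:2]:
            dev = hid.device()
            dev.open_path(info["path"])
            self.devs.append(dev)

    def write(self, hid_index: int, report: bytes) -> None:
        # hidapi treats the first byte as the report ID; whether the sniffed
        # arrays already include it is an assumption to check on your capture.
        written = self.devs[hid_index].write(report)
        if written != len(report):
            raise IOError(f"short write on HID {hid_index}: {written}")

    def close(self) -> None:
        for dev in self.devs:
            dev.close()


if __name__ == "__main__":
    fake = FakeTransport()
    # prints [(1, 8), (1, 8), (1, 8), (1, 8), (1, 8), (0, 64)]
    print(send_command(fake, "fire"))
```

Running it with `FakeTransport` shows the trail the post describes: five 8 byte writes to the second HID followed by one 64 byte write to the first. Swap in `HidapiTransport(vid, pid)` with the launcher's real VID/PID and the real captured bytes to drive the hardware.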

Download project source from here.

Developed using Delphi XE2 and Project Jedi.

Mystery solved, case closed, one less thing to walk around and think about.

Time to sleep and never look back at it again.

Good Night!

Saturday 18 February 2012

USB Missile Launcher + Delphi

Finally cracked the nut. Check the new post here!

Hey boys and girls I'ma get straight to the point.


I have this USB missile launcher toy and I wanted to put a camera on it so that I can use it as a security camera.

To do this I need to be able to control the missile launcher in some way.


I've tried to simulate mouse button clicks directly on the software that comes with the missile launcher, but I found no useful or simple enough information on how to do this in Delphi.


I've tried to find .pas units and components to send hex data directly to the USB device, but was only left with failure.


I've searched everywhere for SOMETHING that is Delphi+USB related but I couldn't find anything, let alone anything about the missile launcher+Delphi.


I noticed that in the folder of the missile launcher program there is a file called TenxHID.dll, and with some research I found out that this file was created by the company Tenx and that this DLL does all the data transmission to and reception from the missile launcher.


I downloaded DLL Export Viewer and opened the TenxHID.dll to see its exports and found DeviceIni, BufferWrite and BufferRead.
However, since I don't know their parameters, they're useless to me.


I searched on Google for some more hours and I found a site called hackchina.com that had a couple of files that some guy had written in Delphi back in 1998 2004 for a specific chip, http://www.hackchina.com/en/cont/105310.


I looked at one of the files and I found the following piece of code:


const
  DN = 'kiusb.dll';

function usb_close(): Integer; stdcall; external DN;
function usb_dwnload(image: PByte; len: dword): Integer; stdcall; external DN;
function usb_bulk_write(pipe: Integer; buf: PByte; len: Integer): Integer; stdcall; external DN;
function usb_bulk_read(pipe: Integer; buf: PByte; len: Integer): Integer; stdcall; external DN;
function cusb_init(): Integer; stdcall; external DN;


And I was like "hmmm, that looks a bit familiar".


So I took the three functions, cusb_init, usb_bulk_read and usb_bulk_write, renamed them to DeviceIni, ReadBuffer and WriteBuffer, took their respective code and called DeviceIni to see if I could get any connection with the missile launcher,
and voilà, when the missile launcher was connected I got a "Connection OK" message, and when it was not connected I got a "Connection Fail" message.


All I have to do now is to try to sniff up some of the hex buffer snippets that are sent from the original software and try to send them through my own software.


The full function of the WriteBuffer looks like this:
function WriteBuffer(pipe: Integer; buf: PByte; len: Integer): Integer; stdcall; external DN;


However, I don't know how to work with that PByte thingy; if anybody knows how to use it, please let me know.


Files
USB Missile Launcher (Works on Win7x64)   : www.xaid.se/USBMissileLauncher.zip
Delphi Missile Launcher (Developed in Delphi XE): www.xaid.se/DelphiMissileLauncher.zip