Reverse Analysis on Windows - Hands-on 1
Environment Information
System information: Windows 10 , Thankpad T430I
Tools involved: x64dbg
Test program: g1uj49us.exe (Thankpad T430I Bios update)
Note: This is a translation of the article previously written into English version, if you can not see the message I improve the translation
The file released after installation, the default program to install the driver is WINUPTP.exe
Because
I recently got a Thankpad T430I notebook and wanted to upgrade to the latest Bios (2019) but for battery reasons (255% display, software can not get battery information), the official upgrade program can not detect the battery resulting in an upgrade.
Result
Searching articles online, it is said that adding the -sp parameter when running can skip the battery detection, but testing found that this method is not suitable for g1uj49us, and there is also said to upgrade directly through the winflash64 BIOS file, the beginning of the article does not cover the BIOS file format, the wrong understanding led to test failure
I executed the following command.
Code:
1 | WinFlash64 /64bit/tpnflhlp.sys |
Obviously it failed to run.
Continuing to search for related articles, I got the idea under this article.
https://superuser.com/questions/1569417/how-to-update-lenovo-bios-on-a-t460-without-battery
On Lenovo ThinkPad X230i was enough to copy BIOS (.FL1) and ECP (.FL2) files to parent folder, where WinFlash64.exe is located then run cmd.exe as administrator and enter command:
cd
WinFlash64.exe /file $01D3000.FL1
Notice that when executing WINUPTP.exe and selecting Update ThinkPad BIOS
Click Next and it will release some files in the current directory
See the files needed for the upgrade
Code:
1 | $01D2000.FL1 |
Screenshot after successful upgrade
Reverse Analysis
The test result shows that the upgrade can be successful without battery (also without BIOS battery), so I want to run the upgrade program to bypass this detection
Key information.
The program will return the detection results in the form of a pop-up window
Click pause after the pop-up window
in the stack to find the key information, the mouse wheel down
// call function will be called when the address will be pressed into the stack, and then jump to the relevant address, so you can find the relevant function call according to the stack address
See some display, continue to look for this pop-up window from there
Code:
1 | 00EFE454 003EC655 return to winuptp.003EC655 from ????? |
Double click to enter
Breakpoint at the top call
Re-run the test
After running, the pop-up window
Re-run, see a judgment to execute this address
Let the jump does not hold, the program abnormally exit
Stack analysis see several returns, enter in turn to see
0055E57C 007ED0AA return to winuptp.007ED0AA from winuptp.007EC60F
0055E598 007E30E9 return to winuptp.007E30E9 from winuptp.007ED07B
I see the word OK
Keep looking and you see this string: “AC adapter/Battery check ….”
Breakpoint at the entry point (push ebp is often the entry point of the function)
broken
normal, jump execution (ZF = 1)
change ZF value so that it does not execute (ZF = 0)
// je/jz will jump according to CMP comparison, if ZF = 1, it will jump
Run
can be successfully upgraded, bypassing the battery detection
Note: Security considerations, if the conditions allow the upgrade or to meet the conditions of the good, to avoid the failure of the upgrade.
This article ends here, see you soon!