#104 Reverse engineering an old linear power supply

Back panel connectors (Antronics, made by TPW)

Recently I came into possession of two working UPS devices from 1993. Both of them still had their old capacitors and old 12V 7Ah lead-acid batteries inside.

The first thing I did was clean the cases and the PCBs. Once that was done I replaced the old capacitors and the 12V 7Ah batteries, then tested both devices. Both work fine, but the design is old and a bit dangerous.

Secondary side
Primary side

So I decided to reverse engineer the circuit in order to better understand the design and to see which improvements I could carry over into a design of my own.

While reversing the PCB I noticed that the mains earth and the GND of the circuit were connected together. I also noticed some discolouration, apparently from heat, between the regulator and the transformer. The 330 ohm resistor for the LED also appeared discoloured, again from what looks like excessive heat.

Mirrored for reversing
The original schematic I reversed
Schematic after I implemented suggestions

On top of these issues, I also noticed that the heatsink for the LM317T was very small and sat close to the transformer, and that the mains 1A fuse was placed after the choke and varistors instead of before them.

In conclusion, I decided to choose between a different regulator at a fixed voltage or a chain of 4 LM317Ts providing around 6A of peak current. Since I do not need to adjust the voltage the way the original circuit does, I should be able to get 13.75V using fixed 1k and 10k resistors. I also wanted better heat dissipation and more current, so I will definitely install good heatsinks with thermal compound. Depending on the size of the enclosure I get for the project I may add a fan.
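The resistor choice and the heat concerns above can be checked numerically. The following is an added example of mine, not code from the post or its GitHub project: it applies the LM317 divider formula Vout = 1.25 V * (1 + R2/R1) from the regulator datasheet to the 1k/10k pair, searches the E24 series for alternative pairs, and estimates what each of four paralleled LM317Ts has to dissipate so a heatsink can be sized. The input voltage, the heatsink thermal resistance and the TO-220 package figures are assumptions, labelled in the code; adjust them to the actual transformer and heatsink.

```python
"""LM317 divider and dissipation check for a fixed 13.75 V rail.

Added example, not from the post or its GitHub project. The divider
formula is the LM317 datasheet relation; every thermal figure and the
input voltage below are assumptions to be replaced with real values.
"""
from itertools import product

V_REF = 1.25  # LM317 reference voltage between OUT and ADJ (datasheet)
E24 = [1.0, 1.1, 1.2, 1.3, 1.5, 1.6, 1.8, 2.0, 2.2, 2.4, 2.7, 3.0,
       3.3, 3.6, 3.9, 4.3, 4.7, 5.1, 5.6, 6.2, 6.8, 7.5, 8.2, 9.1]


def lm317_vout(r1: float, r2: float) -> float:
    """Vout = Vref * (1 + R2/R1); R1 sits between OUT and ADJ.
    The ~50 uA adjust-pin current is neglected, as the 1k/10k choice does."""
    return V_REF * (1 + r2 / r1)


def e24_values(decades=(100, 1_000, 10_000)) -> list:
    """Standard E24 resistor values across the given decades (ohms)."""
    return [round(base * dec) for dec in decades for base in E24]


def best_divider(target: float) -> tuple:
    """E24 pair (r1, r2, vout) whose output is closest to target.
    R1 is kept in the 100 ohm to ~1k range so the divider alone draws the
    regulator's minimum load current."""
    best = None
    for r1, r2 in product(e24_values((100, 1_000)), e24_values()):
        v = lm317_vout(r1, r2)
        if best is None or abs(v - target) < abs(best[2] - target):
            best = (r1, r2, v)
    return best


def regulator_dissipation(v_in: float, v_out: float, i_out: float,
                          n_parallel: int = 1) -> float:
    """Watts each of n paralleled regulators must shed (assumes equal sharing)."""
    return (v_in - v_out) * i_out / n_parallel


def junction_temp(p_w: float, t_ambient: float, theta_sa: float,
                  theta_jc: float = 5.0, theta_cs: float = 0.5) -> float:
    """Estimated junction temperature in degrees C.
    theta_jc 5 C/W is a typical TO-220 LM317T datasheet figure and theta_cs
    0.5 C/W assumes thermal compound; theta_sa comes from the heatsink's
    datasheet. Treat all three as assumptions and verify against your parts."""
    return t_ambient + p_w * (theta_jc + theta_cs + theta_sa)


if __name__ == "__main__":
    print("1k/10k ->", lm317_vout(1_000, 10_000), "V")
    print("closest E24 pair for 13.75 V ->", best_divider(13.75))
    # Assumed: 18 V DC after the rectifier, 6 A peak, four LM317Ts, 25 C ambient,
    # heatsink rated 2.5 C/W.
    p_each = regulator_dissipation(18.0, 13.75, 6.0, n_parallel=4)
    print(f"per-regulator dissipation: {p_each:.2f} W")
    print(f"estimated Tj: {junction_temp(p_each, 25.0, 2.5):.0f} C (LM317 max 125 C)")
```

The last two figures are what decide the heatsink: the worst case is the largest input-to-output drop at the peak current, and anything that pushes the estimated junction temperature near the regulator's 125 C limit calls for a bigger heatsink or the fan mentioned above.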

The project files, components list etc. can be found on my GitHub here.


#101 Reverse Engineering A Simple Crack

A lot of the time the ordinary everyday person is unable to resist using pirated software. After all, it's free and usually works. There is the chance of contracting a virus or other malware, but using reputable "sources" seems acceptable: if many comments praise the distributor then obviously the software must be fine, right?

Well... not necessarily. In some cases bots can create comments and high seed counts, creating the appearance of a well-received product. Antivirus flags can also be dismissed as "false positives" and used as camouflage. Sometimes the crack installs discreet backdoors, often following the living-off-the-land principle: using the files and programs already installed out of the box on Windows or Linux. This makes the malware very difficult to find, as no foreign exe or other files are used (at least in the initial stage of infection).

Antivirus software is then left relying on behaviour analysis and hash scans. Creating large files (hundreds of megabytes), reversing code and using a BOM to obfuscate are a few little tricks that may be caught on their own, but layering all of these techniques can make the malware almost undetectable.

So I decided to create an example using a real-life application and a crack I found for IBM Analyst's Notebook, which is used by private and government organizations, so a trojanised crack would open a broad portal into many computers. Luckily, when I decoded the scripts I did not see anything too suspicious; however, I do not know what behaviour the application will show after the patch (DTD.dll) is installed.

The application was downloaded via torrent and, yes, all the files were correct; no man-in-the-middle attack took place.

Three files are present after unzipping IBM i2 Analyst's Notebook 9.2.3 Multilingual.zip.

Luckily, Windows CMD and PowerShell are used to copy the crack.


Initial folder contents.

Inside crack.zip

Crack folder contents.

Interestingly, Readme.txt only instructs the user to run patch.bat, although the file DTD.dll is copied to \Program Files (x86)\Common Files\i2 Shared\i2 Analyst's Notebook 7\Components\DTD.dll

There's no mention of the i2 Analyst's Notebook 7 folder, even though we are presumably installing version 9.2.3.

patch.bat is obfuscated by a few carefully chosen bytes at the very beginning of the file, which are enough to trick the file utility and other charset-detection software.

Obfuscated patch.bat file
Taking a peek inside the obfuscated patch.bat file

As referenced by this

However, once we remove the character and save the file we can see that the .bat file calls PowerShell, which extracts and reverses a script from the bin.dat file, then runs the extracted script in the terminal.

After removing the character

This first PowerShell script checks for admin privileges, then reads and reverses another script from bin.dat.

The second PowerShell script checks the install folders and makes use of the Windows dialogs, then uses VirtualAlloc to copy DTD.dll out of the bin.dat file into the
\Program Files (x86)\Common Files\i2 Shared\i2 Analyst's Notebook 7\Components\ directory.

It then ends with a message box reading "Patch complete!".
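The observations above (leading bytes that fool charset detection, a next stage stored reversed inside bin.dat, a large padded data file, and a PowerShell stage that checks for admin rights and calls VirtualAlloc) can be turned into a small static triage script. The following is an added example of mine, not the crack's code and not the author's own tooling; it generalises the single "character" removed by hand above to any BOM (UTF-8 or UTF-16) plus any run of leading non-printable bytes, recovers a reversed stage, reports indicator strings a defender would alert on, and measures NUL padding as a cheap tell for size-inflated payloads. The patch.bat and bin.dat contents used here are constructed stand-ins, not the real files.

```python
"""Static triage for an obfuscated batch + PowerShell dropper.

Added example (not the crack's code and not the post author's tooling).
It encodes the observations above as checks a defender can run on copies
of the files: (1) a BOM or other leading bytes that fool charset
detection, (2) a stage stored as reversed text in a companion data file,
(3) indicator strings worth alerting on, plus a NUL-padding ratio.
The sample files at the bottom are constructed, not the real ones.
"""

# Byte-order marks a charset detector honours before looking at content.
BOMS = {b"\xef\xbb\xbf": "utf-8", b"\xff\xfe": "utf-16", b"\xfe\xff": "utf-16"}

# Strings a defender would expect in a PowerShell stage like the ones
# described above (admin check, in-memory DLL copy, decoding helpers).
INDICATORS = (
    "VirtualAlloc", "Add-Type", "IsInRole", "Administrator",
    "FromBase64String", "Invoke-Expression", "-EncodedCommand",
)


def decode_with_bom(data: bytes) -> tuple:
    """Return (bom_name_or_None, decoded_text), honouring the BOM if present."""
    for bom, codec in BOMS.items():
        if data.startswith(bom):
            if codec == "utf-8":
                return codec, data[len(bom):].decode("utf-8", errors="replace")
            return codec, data.decode("utf-16", errors="replace")  # codec eats BOM
    return None, data.decode("latin-1")


def _is_text(ch: str) -> bool:
    return (ch.isprintable() or ch in "\r\n\t") and ch != "\ufffd"


def recover_script(data: bytes) -> dict:
    """Strip the BOM and any leading non-printable characters (the bytes
    removed by hand above) and hand back the readable script."""
    bom, text = decode_with_bom(data)
    junk = 0
    while junk < len(text) and not _is_text(text[junk]):
        junk += 1
    return {"bom": bom, "junk_chars": junk, "text": text[junk:]}


def unreverse(blob: bytes) -> str:
    """Undo the 'store the next stage reversed' trick; NUL padding is dropped first."""
    return blob.rstrip(b"\x00").decode("latin-1")[::-1]


def find_indicators(text: str) -> list:
    """Case-insensitive search for the indicator strings, in INDICATORS order."""
    low = text.lower()
    return [ind for ind in INDICATORS if ind.lower() in low]


def padding_ratio(data: bytes) -> float:
    """Fraction of NUL bytes: inflated droppers are often mostly padding."""
    return data.count(0) / len(data) if data else 0.0


def triage(bat: bytes, bin_dat: bytes) -> dict:
    """One-shot summary over the batch file and its data file."""
    script = recover_script(bat)
    stage = unreverse(bin_dat)
    return {
        "bat_bom": script["bom"],
        "bat_junk_chars": script["junk_chars"],
        "bat_calls_powershell": "powershell" in script["text"].lower(),
        "stage_indicators": find_indicators(stage),
        "bin_padding_ratio": round(padding_ratio(bin_dat), 3),
    }


# --- Constructed samples (stand-ins, not the real patch.bat / bin.dat) ------
SAMPLE_STAGE2 = (
    "if (-not ([Security.Principal.WindowsPrincipal]"
    "[Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole("
    "[Security.Principal.WindowsBuiltInRole]::Administrator)) { exit }\n"
    "Add-Type -AssemblyName System.Windows.Forms\n"
    "[System.Windows.Forms.MessageBox]::Show('Patch complete!')\n"
)
# Stage stored reversed, then padded with NULs to inflate the file.
SAMPLE_BIN_DAT = SAMPLE_STAGE2[::-1].encode("latin-1") + b"\x00" * 4096
# UTF-8 BOM plus two control bytes ahead of an otherwise ordinary batch file.
SAMPLE_PATCH_BAT = (
    b"\xef\xbb\xbf\x01\x02"
    b"@echo off\r\n"
    b'powershell -NoProfile -Command "<stage one, read from bin.dat>"\r\n'
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATCH_BAT, SAMPLE_BIN_DAT).items():
        print(f"{key}: {value}")
```

Run it against copies of the files from an isolated analysis box; the indicator list is deliberately short and is a starting point for a detection rule, not a verdict, and a high padding ratio on a multi-hundred-megabyte bin.dat is exactly the "large file" trick described earlier in the post.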

Opening DTD.dll in a dependency viewer shows only 4 functions.

Methods inside the DTD.dll file

A VirusTotal scan of DTD.dll shows only 3 positives.