viper54g
join:2004-07-16
1 edit | Re: Analysis of the Alchemy 5.1 binaries said by Arno Nym:
Further inspection of the superfluous whitespace indicates that »www.darkside.com.au/snow/ has been used to create it. If this is correct, then the encryption feature of Snow has been used before embedding the hidden information.
"The snow source code and the algorithms contained within it are free for non-commercial use"
I'm wondering if James has paid a license for this...   | |
|
 
Arno Nym
| Re: Analysis of the Alchemy 5.1 binaries Don't jump to conclusions. A tool with similar output could be written in a matter of hours with publically available crypto libraries. | |
|
 | |
| |
TheIndividual
1 edit | Re: Analysis of the Alchemy 5.1 binaries Arno Nym:
I have to admit that I am not that familiar with the firmware structure. Congratulations on your findings, I'm just curious how you did it. Did you strip the squashfs from the binary or did you actually upload it to your router and compare those files? I guess the former, so I would like to know how exactly one can do that and if it would be possible to re-compress a tag-free version?
Sveasoft obviously must be keeping all the different binaries available for possible later downloads, so they do know which file with which md5sum got transfered to who.
Anyways it's nice to know that there are no code differences in all versions, I never really believed in any backdoor and such on P2P versions. | |
|
| | |
Arno Nym
| Re: Analysis of the Alchemy 5.1 binaries A backdoor or phone home function is still possible if it is in every firmware binary. I only checked for differences. I have yet to compile my own binary. Sifting through the whole source for trojan code would take a long time.
The squash filesystem has a magic number. Open the firmware image with a hexeditor and look for hsqs (0x68 0x73 0x71 0x73) or shsq (0x73 0x68 0x73 0x71). In the Alchemy 5.1 binaries, this signature is found at offset 0xB84A0. Copy everything from that point on into a new file. This file can be mounted on a system with a matching squashfs driver (mount -o loop -t squashfs image.sqfs /mnt). The squashfs 2.0 final driver does not recognize the filesystem images from Alchemy 5.1, but the squashfs source from the Alchemy source package can be compiled on an i386 as well. To create a new squashfs image, you would have to use the binary only mksquashfs from the Alchemy source package, concatenate the resulting image file with a header and a kernel and adjust the checksum in the header. This could be the point where the tag is created, so check the resulting filesystem image. You could also try using the newer mksquashfs directly from the author, but to avoid bricking your router, you should first verify that you can mount the filesystem image with a kernel which has been patched with the squashfs code from Alchemy.
It should be noted that the tagging need not be this obvious and it is absolutely possible to create tags in a way which permits exact identification of the group of files which has been compared in order to eliminate the tag. Detagging could thus get all subscribers kicked who offer their downloaded firmware for comparison. You would be better off sacrificing one subscription per release. | |
|
|
| (topic locked) |
|
·
·