Author Topic: Interesting Tools  (Read 4175 times)

February 16, 2011, 04:42:18 pm
Whilst reading a security paper on something I saw a mention of a tool called SignSrch.

This is a pretty interesting tool written by Luigi Auriemma, downloadable at http://aluigi.altervista.org/mytoolz.htm.
What does it do?

It searches through a file and lists out where it finds matches for common libraries or formats.

This is what I get when I pass it our uncompressed kernel binary from a firmware:

(MD5 - 04d2aaa87283e37612539146f6453b8a  linux.bin)

Code:
# signsrch  linux.bin

Signsrch 0.1.6a
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org
  optimized search function from Andrew http://www.team5150.com/~andrew/
  disassembler engine from Oleh Yuschuk

- open file "linux.bin"
- 1628604 bytes allocated
- load signatures
- open file signsrch.sig
- 1801396 bytes allocated for the signatures
- 2278 signatures in the database
- start signatures scanning:

  offset   num  description [bits.endian.size]
  --------------------------------------------
  00182d38 165  AES Rijndael S / ARIA S1 [..256]
  0018932c 167  Rijndael Te0 (0xc66363a5U) [32.le.1024]
  0018972c 169  Rijndael Te1 (0xa5c66363U) [32.le.1024]
  00189b2c 171  Rijndael Te2 (0x63a5c663U) [32.le.1024]
  00189f2c 173  Rijndael Te3 (0x6363a5c6U) [32.le.1024]
  0018a72c 176  Rijndael Td0 (0x51f4a750U) [32.le.1024]
  0018ab2c 178  Rijndael Td1 (0x5051f4a7U) [32.le.1024]
  0018af2c 180  Rijndael Td2 (0xa75051f4U) [32.le.1024]
  0018b32c 182  Rijndael Td3 (0xf4a75051U) [32.le.1024]
  0018b72c 185  Rijndael rcon [32.le.40]
  000519d4 307  SHA1 / SHA0 / RIPEMD-160 initialization [32.le.20&]
  00182e18 1467 RIJNDAEL1_DS [..33]
  000519d4 1626 Lucifer (outerbridge) DFLTKY [..16]
  00188e1c 1639 Misty md5const [32.le.256]
  0016debb 2094 libavcodec ff_mjpeg_val_ac_luminance [..162]
  0016df6e 2095 libavcodec ff_mjpeg_val_ac_chrominance [..162]
  0016de6c 2192 libavcodec sp5x_data_dht [..420]
  0017844c 2257 unlzx table_three [16.le.32]

- 18 signatures found in the file


(MD5 0bc3042991fff7d0da061254cd46e93b  /home/lawrence/Downloads/foscam_linux_romfs_files/linux.bin)

Code:
signsrch /home/lawrence/Downloads/foscam_linux_romfs_files/linux.bin

Signsrch 0.1.6a
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org
  optimized search function from Andrew http://www.team5150.com/~andrew/
  disassembler engine from Oleh Yuschuk

- open file "/home/lawrence/Downloads/foscam_linux_romfs_files/linux.bin"
- 1258480 bytes allocated
- load signatures
- open file signsrch.sig
- 1801396 bytes allocated for the signatures
- 2278 signatures in the database
- start signatures scanning:

  offset   num  description [bits.endian.size]
  --------------------------------------------
  0012e704 165  AES Rijndael S / ARIA S1 [..256]
  0005b774 307  SHA1 / SHA0 / RIPEMD-160 initialization [32.le.20&]
  0012e7e4 1467 RIJNDAEL1_DS [..33]
  0005b774 1626 Lucifer (outerbridge) DFLTKY [..16]
  00114e53 2094 libavcodec ff_mjpeg_val_ac_luminance [..162]
  00114f06 2095 libavcodec ff_mjpeg_val_ac_chrominance [..162]
  00114e04 2192 libavcodec sp5x_data_dht [..420]
  00128448 2257 unlzx table_three [16.le.32]

- 8 signatures found in the file

Interesting to see that the sp5x_data_dht tables are there, which pretty much confirms for me that our driver is based off of spc5xx code.

There are other interesting programs at the same site also.

Lawrence.
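
Added example (not part of the original post and not signsrch's own code): a minimal Python sketch of the same idea, scanning a binary for well-known cryptographic constants and reporting offsets in the `[bits.endian.size]` style of the output above. The function names and the sample blob are constructed for illustration; only two signatures are covered, the AES S-box and the SHA-1 initialization words.

```python
import struct

def aes_sbox() -> bytes:
    """Generate the 256-byte AES S-box (GF(2^8) inverse plus affine map)."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                            # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse, so it is set explicitly
    return bytes(sbox)

# SHA-1 initial hash values (h0..h4)
SHA1_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def build_signatures():
    """Return (description, bits, endian, pattern) tuples."""
    sigs = [("AES Rijndael S-box", None, None, aes_sbox())]
    for endian, fmt in (("le", "<"), ("be", ">")):
        pattern = struct.pack(fmt + "5I", *SHA1_INIT)
        sigs.append(("SHA1 initialization", 32, endian, pattern))
    return sigs

def scan(data: bytes):
    """Return every (offset, description, bits, endian, size) hit, by offset."""
    hits = []
    for desc, bits, endian, pat in build_signatures():
        pos = data.find(pat)
        while pos != -1:
            hits.append((pos, desc, bits, endian, len(pat)))
            pos = data.find(pat, pos + 1)
    return sorted(hits)

def demo_blob() -> bytes:
    """Constructed sample: padding, SHA-1 words (little-endian), AES S-box."""
    sha1_le = struct.pack("<5I", *SHA1_INIT)
    return b"\x00" * 0x40 + sha1_le + b"\xff" * 0x2C + aes_sbox() + b"\x00" * 16

if __name__ == "__main__":
    for off, desc, bits, endian, size in scan(demo_blob()):
        print(f"  {off:08x}  {desc} [{bits or ''}.{endian or ''}.{size}]")
```

A hit only shows that the bytes are present, not that the code uses them; in the output above two descriptions share offset 000519d4, so one byte run can satisfy more than one signature.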