Hi,

serpilliere wrote:
> 
> If you think the firmware is ciphered with a symmetric algo and
> uses some special mode (CBC or counter block), and hope the
> IV is the same, we can suppose the firmwares are xored with
> the same stream (because for AES CBC or counter mode will result
> in a simple xor between clear text and a final mask, see FIPS or
> Wikipedia). So we could try xoring firmware A and firmware B
> and do statistics on the result:
> if the firmwares are nearly the same, maybe we will have
> biased statistics.

Moreover, in the case of stream ciphering with the exact same IV (which
is probably hidden somewhere in the header data), then we might be able
to find some identical areas even after the first difference in the
binary (_IF_ the size of the new sections is the same as the previous
ones). Even if this is very unlikely, we should try it out. Having
a positive match would really confirm the theory of serpilliere.

I guess that Vincent didn't look further than the first bit of
difference in the payload, am I right, Vincent?

Can someone build a tool to detect differences and similarity in two (or
more) binaries? (and of course perform the frequency analysis of the
xor of the two firmwares, as serpilliere mentioned)

Regards
-- 
Emmanuel Fleury              | Office: 261
Associate Professor,         | Phone: +33 (0)5 40 00 69 34
LaBRI, Domaine Universitaire | Fax:   +33 (0)5 40 00 66 69
351, Cours de la Libération  | email: [EMAIL PROTECTED]
33405 Talence Cedex, France  | URL: http://www.labri.fr/~fleury

_______________________________________________
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org
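The xor-and-measure idea from serpilliere's quoted message and the "identical areas after the first difference" check from the reply above, as an added example (not code from this thread or from the linux4nano project). It assumes counter-mode encryption, so that each ciphertext is plaintext XOR keystream; HMAC-SHA256 driven by iv||counter stands in for AES-CTR as the keystream generator (the keystream-reuse property is what matters, not the primitive; the CBC case in the quote behaves differently and is not modelled here). The three firmware images, the key, the IVs and every function name are constructed for the example. It also shows the size caveat from the reply: once a section of different size is inserted, the plaintext shifts but the keystream does not, so the XOR turns into noise after the insertion point.

```python
import hashlib
import hmac
import random


def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, iv || counter) for counter = 0, 1, ...
    HMAC-SHA256 is a stand-in for the AES block cipher (assumption)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    n = min(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a[:n], b[:n]))


def ctr_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, ctr_keystream(key, iv, len(plaintext)))


def zero_fraction(data: bytes) -> float:
    """Share of zero bytes: ~1/256 for unrelated data, close to 1 for
    two encryptions of near-identical plaintext under the same keystream."""
    return data.count(0) / len(data)


def zero_runs(data: bytes, min_len: int):
    """(offset, length) of every run of >= min_len zero bytes, i.e. regions
    where the two XORed inputs were identical."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b == 0:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs


def analyse(ct_a: bytes, ct_b: bytes, min_run: int = 16) -> dict:
    """The statistics serpilliere proposed, run on ct_a XOR ct_b."""
    d = xor_bytes(ct_a, ct_b)
    return {"zero_fraction": zero_fraction(d), "runs": zero_runs(d, min_run)}


def build_firmwares(seed: int = 1):
    """Constructed sample images (not real firmware): A is 4096 random bytes,
    B replaces the 256 bytes at 1024..1280 with a same-size section that
    differs in every byte, C inserts 100 bytes at 1024 (size changes)."""
    rnd = random.Random(seed)
    base = bytes(rnd.getrandbits(8) for _ in range(4096))
    patched = bytearray(base)
    patched[1024:1280] = bytes((b + 1) & 0xFF for b in base[1024:1280])
    inserted = base[:1024] + bytes(rnd.getrandbits(8) for _ in range(100)) + base[1024:]
    return base, bytes(patched), inserted


def demo() -> dict:
    key = bytes(range(16))          # constructed key
    iv_same, iv_other = b"\x00" * 8, b"\x01" * 8   # constructed IVs
    fw_a, fw_b, fw_c = build_firmwares()
    ct_a = ctr_encrypt(key, iv_same, fw_a)
    ct_b = ctr_encrypt(key, iv_same, fw_b)
    ct_c = ctr_encrypt(key, iv_same, fw_c)
    ct_b_fresh = ctr_encrypt(key, iv_other, fw_b)
    return {
        # keystream reuse: ct_a ^ ct_b == fw_a ^ fw_b, the key is cancelled out
        "identity_holds": xor_bytes(ct_a, ct_b) == xor_bytes(fw_a, fw_b),
        # same IV, same layout: identical areas show up before AND after the change
        "same_iv_same_size": analyse(ct_a, ct_b),
        # same IV but a section of different size inserted: noise after offset 1024
        "same_iv_inserted": analyse(ct_a, ct_c),
        # different IV: nothing to see, zero fraction stays near 1/256
        "fresh_iv": analyse(ct_a, ct_b_fresh),
    }


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res)
```

The zero-run list is the "identical areas" detector: with the same IV and unchanged section sizes it reports both the region before the first difference and the region after it, which is exactly the positive match that would confirm the theory. With an inserted section the second region disappears, and with a fresh IV even the first one does.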