XPEnology Community

4.3 issues


VeNoM


cat /proc/bus/pci/devices >>> DSM 4.3.3776 (DS213+)

 

0000    19570110        0                      0                       0                       0                       0                       0                       0                       0                       0                       0                       0                       0                       0                   0                0
0200    19570110        0                      0                       0                       0                       0                       0                       0                       0                       0                       0                       0                       0                       0                   0                0
0300    10953132        10              c0000004                       0                c0004004                       0                    1001                       0                c0080000                      80                       0                    4000                       0                      80                   0            80000        sata_sil24
0400    19570110        0                      0                       0                       0                       0                       0                       0                       0                       0                       0                       0                       0                       0                   0                0
0500    1b6f7023        11              80000004                       0                       0                       0                       0                       0                       0                    8000                       0                       0                       0                       0                   0                0        etxhci_hcd_121130


Post your results too pls

 

edit:

I have only this..

DSM 3.2

CubeStation CS-406

 

0060	10953512	14	          bffff9	          bffff5	          bfffe9	          bfffe5	          bfffd1	        bffffe00	               0	               8	               4	               8	               4	              10	             200	           80000	sata_sil
0068	10953512	10	          bfffc9	          bfffc5	          bfffb9	          bfffb5	          bfffa1	        bffffc00	               0	               8	               4	               8	               4	              10	             200	           80000	sata_sil
0070	10330035	11	        bfffe000	               0	               0	               0	               0	               0	               0	            1000	               0	               0	               0	               0	               0	               0	ohci_hcd
0071	10330035	11	        bfffd000	               0	               0	               0	               0	               0	               0	            1000	               0	               0	               0	               0	               0	               0	ohci_hcd
0072	103300e0	11	        bfffcf00	               0	               0	               0	               0	               0	               0	             100	               0	               0	               0	               0	               0	               0	ehci_hcd
0078	11ab4320	12	        bfff8000	          bffe01	               0	               0	               0	               0	               0	            4000	             100	               0	               0	               0	               0	           20000	sk98lin


Linux DiskStation 3.2.40 #3776 SMP Sat Aug 17 02:16:50 CST 2013 x86_64 GNU/Linux synology_x86_1010+

 

0000    8086a000        0                      0                       0                       0                       0                       0                       0                       0                       0                    0                       0                       0                       0                       0                       0
0010    8086a001        a               fe880000                    bc01                d0000008                fe700000                       0                       0                       2                   80000                    8                10000000                  100000                       0                       0                       0
0011    8086a002        0               fe680000                       0                       0                       0                       0                       0                       0                   80000                    0                       0                       0                       0                       0                       0
00d0    80862937        10                     0                       0                       0                       0                    b881                       0                       0                       0                    0                       0                       0                      20                       0                       0        uhci_hcd
00d1    80862938        15                     0                       0                       0                       0                    b801                       0                       0                       0                    0                       0                       0                      20                       0                       0        uhci_hcd
00d2    80862939        13                     0                       0                       0                       0                    b481                       0                       0                       0                    0                       0                       0                      20                       0                       0        uhci_hcd
00d7    8086293c        12              fe87bc00                       0                       0                       0                       0                       0                       0                     400                    0                       0                       0                       0                       0                       0        ehci_hcd
00e0    80862940        28                     0                       0                       0                       0                       0                       0                       0                       0                    0                       0                       0                       0                       0                       0        pcieport
00e4    80862948        29                     0                       0                       0                       0                       0                       0                       0                       0                    0                       0                       0                       0                       0                       0        pcieport
00e5    8086294a        2a                     0                       0                       0                       0                       0                       0                       0                       0                    0                       0                       0                       0                       0                       0        pcieport
00e8    80862934        17                     0                       0                       0                       0                    b401                       0                       0                       0                    0                       0                       0                      20                       0                       0        uhci_hcd
00e9    80862935        13                     0                       0                       0                       0                    b081                       0                       0                       0                    0                       0                       0                      20                       0                       0        uhci_hcd
00ea    80862936        12                     0                       0                       0                       0                    b001                       0                       0                       0                    0                       0                       0                      20                       0                       0        uhci_hcd
00ef    8086293a        17              fe87b800                       0                       0                       0                       0                       0                       0                     400                    0                       0                       0                       0                       0                       0        ehci_hcd
00f0    8086244e        0                      0                       0                       0                       0                       0                       0                       0                       0                    0                       0                       0                       0                       0                       0
00f8    80862916        0                      0                       0                       0                       0                       0                       0                       0                       0                    0                       0                       0                       0                       0                       0
00fa    80862922        2b                  ac01                    a881                    a801                    a481                    a401                fe87b000                       0                       8                    4                       8                       4                      20                     800                       0        ahci
00fb    80862930        e               fe87ac04                       0                       0                       0                     401                       0                       0                     100                    0                       0                       0                      20                       0                       0
0100    10953132        10              fe9ffc04                       0                fe9f8004                       0                    cc01                       0                fe900000                      80                    0                    4000                       0                      80                       0                   80000        sata_sil24
0200    808610d3        2c              feae0000                       0                    dc01                feadc000                       0                       0                       0                   20000                    0                      20                    4000                       0                       0                       0        e1000e
0300    808610d3        2d              febe0000                       0                    ec01                febdc000                       0                       0                       0                   20000                    0                      20                    4000                       0                       0                       0        e1000e


The disassembled code contains an anti-reversing technique (a jump trick with short near ptr loc+1) in order to defeat linear disassembly:

 

 

33 C0 XOR eax, eax

74 01 jz short near ptr loc+1

E9 58 C3 68 94 jmp near ptr 94A8D521h

 

Should be disassembled as :

 

33 C0 xor eax,eax

74 01 jz short near ptr loc+1

E9 junk

58 pop eax

C3 retn

 

It will be harder to find what is really done. It's the same countermeasure malware uses.

 

More info here :

 

http://books.google.fr/books?id=FQC8EPYy834C&lpg=PA329&ots=BsntpxIe6l&dq=Fool%20Linear%20Disassembly&hl=fr&pg=PA329#v=onepage&q=Fool%20Linear%20Disassembly&f=false


I came across this one too, but it only traverses defined functions. It seems there is a mix of several obfuscations in here. The good point, I think: the harder they try to hide what is done, the easier it will be to fool once we figure out what is really done :smile:

 

I'm working on the libdsm.so as it has the same pattern as cgi regarding obfuscation. I will share any progress here, do the same :smile:

 

I have changed the Python code a bit to work on a selected area:

 

# IDAPython script (legacy IDC API); both modules are already in scope when
# run from IDA's script window, the imports only make that explicit.
import idaapi
from idc import *

def fixTheJmpCalls():
    # Fix the jmp/call instructions in the selected code range
    selection, startaddr, endaddr = idaapi.read_selection()
    if selection:
        for opcode in range(startaddr, endaddr):
            if GetMnem(opcode) == "jmp" or GetMnem(opcode) == "call":
                # A target written as "loc+1" lands one byte inside the next
                # instruction: the byte just before that target is junk
                if GetDisasm(opcode)[-2:-1] == "+" and GetDisasm(opcode)[-1:].isdigit():
                    print "Broken Instruction: %X" % opcode, GetDisasm(opcode)
                    code_addr = GetOperandValue(opcode, 0)  # the real target
                    fix_addr = code_addr - 1                # the junk byte
                    MakeUnkn(fix_addr, 1)   # undefine the junk byte (expand)
                    MakeCode(code_addr)     # re-disassemble from the real target

 

I'll give it a try


I replaced /proc/bus/pci/devices with /PROC/bus_pci_devices and in this file I put :

 

This is from a 1010 from page 6 from doedels.

(the same DS1010+ table as posted above)

 

DiskStation43> find /lib -type f -print0 | xargs -0 grep "bus_pci_devices"
/lib/libdsm.so.4:/PROC/bus_pci_devices
/lib/libsynocgi.so.4:/PROC/bus_pci_devices

 

Still doesn't work. /proc/self/comm is the process name. I can replace this one too, but with what?

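To compare the tables posted in this thread (the DS1010+ table above is what was dropped in as a replacement for /proc/bus/pci/devices), here is an added parser for the file's 17-column layout. It is written for this page, not taken from the thread or from DSM; the sample lines are copied from the posts above.

```python
# /proc/bus/pci/devices, as printed by the kernel's drivers/pci/proc.c:
#   bus+devfn  vendor+device  irq  7 resource starts  7 resource sizes  [driver]
# Resource index 6 is the expansion ROM. The low nibble of each start holds
# the BAR type bits: bit 0 = I/O port range, bit 2 = 64-bit, bit 3 = prefetch.
NUM_COLUMNS = 17

# Constructed sample: four lines copied from the tables posted in this thread
# (the DS213+ sata_sil24 card and three devices from the DS1010+ table).
SAMPLE = """\
0300 10953132 10 c0000004 0 c0004004 0 1001 0 c0080000 80 0 4000 0 80 0 80000 sata_sil24
0010 8086a001 a fe880000 bc01 d0000008 fe700000 0 0 2 80000 8 10000000 100000 0 0 0
00fa 80862922 2b ac01 a881 a801 a481 a401 fe87b000 0 8 4 8 4 20 800 0 ahci
0200 808610d3 2c feae0000 0 dc01 feadc000 0 0 0 20000 0 20 4000 0 0 0 e1000e
"""


def parse_pci_devices(text):
    """Return one dict per device line: bdf, id, irq, resources, driver."""
    devices = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < NUM_COLUMNS:
            continue  # blank or truncated line
        busdevfn, vendev, irq = (int(c, 16) for c in cols[:3])
        starts = [int(c, 16) for c in cols[3:10]]
        sizes = [int(c, 16) for c in cols[10:17]]
        devfn = busdevfn & 0xFF
        resources = []
        for i, (start, size) in enumerate(zip(starts, sizes)):
            if size == 0:
                continue  # unused BAR
            if start & 1:
                resources.append(("io", start & ~0x3, size))
                continue
            kind = "mem64" if start & 0x4 else "mem"
            if start & 0x8:
                kind += "-pref"
            resources.append(("rom" if i == 6 else kind, start & ~0xF, size))
        devices.append({
            "bdf": "%02x:%02x.%d" % (busdevfn >> 8, devfn >> 3, devfn & 7),
            "id": "%04x:%04x" % (vendev >> 16, vendev & 0xFFFF),
            "irq": irq,
            "resources": resources,
            "driver": cols[17] if len(cols) > 17 else None,
        })
    return devices


def ids_only_in(devices_a, devices_b):
    """vendor:device ids present in table A but absent from table B."""
    return sorted({d["id"] for d in devices_a} - {d["id"] for d in devices_b})


if __name__ == "__main__":
    for dev in parse_pci_devices(SAMPLE):
        print(dev["bdf"], dev["id"], dev["driver"] or "-", dev["resources"])
```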

As far as I can tell there are nonsensical obfuscations:

 

loc_4ACF8:                              ; CODE XREF: LOAD:loc_4ACF8p

LOAD:0004ACF8 E8 FC FF FF FF                                call    near ptr loc_4ACF8+1

 

You can find the pattern "E8 FC FF FF FF" regularly in this block of code.

 

I made a little script to undefine these, as they make no sense to me.

 

 

# IDAPython script (legacy IDC API); both modules are already in scope when
# run from IDA's script window, the imports only make that explicit.
import idaapi
from idc import *

def fixTheJmpCalls():
    # Turn the self-calls (E8 FC FF FF FF, "call loc+1") in the selected
    # code range into 5-byte data arrays so they no longer break the flow
    selection, startaddr, endaddr = idaapi.read_selection()
    idaapi.unmark_selection()
    if selection:
        for opcode in range(startaddr, endaddr):
            if GetMnem(opcode) == "jmp" or GetMnem(opcode) == "call":
                if GetDisasm(opcode)[-2:-1] == "+" and GetDisasm(opcode)[-1:].isdigit():
                    print "Broken Instruction: %X" % opcode, GetDisasm(opcode)
                    MakeUnkn(opcode, 0)   # undefine the instruction
                    MakeArray(opcode, 5)  # define its 5 bytes as a byte array

 

It seems to fix the flow, but there are still other obfuscations to reveal, for example:

 

loc_4AE00:                              ; CODE XREF: LOAD:0004ADF6j
LOAD:0004AE00 8B 8D 9C F8 FF FF                             mov     ecx, [ebp-764h]
LOAD:0004AE06 85 C9                                         test    ecx, ecx
LOAD:0004AE08 74 0E                                         jz      short loc_4AE18
LOAD:0004AE0A 8B 85 9C F8 FF FF                             mov     eax, [ebp-764h]
LOAD:0004AE10 89 04 24                                      mov     [esp], eax
LOAD:0004AE13
LOAD:0004AE13                               loc_4AE13:                              ; CODE XREF: LOAD:loc_4AE13p
LOAD:0004AE13 E8 FC FF FF FF                                call    near ptr loc_4AE13+1
LOAD:0004AE18
LOAD:0004AE18                               loc_4AE18:                              ; CODE XREF: LOAD:0004AE08j
LOAD:0004AE18 85 DB                                         test    ebx, ebx

 

The test eax,eax will always be true, so the jz will always jump and the code behind it is never used. It could be changed to:

 

LOAD:0004AE00                               loc_4AE00:                              ; CODE XREF: LOAD:0004ADF6j
LOAD:0004AE00 8B 8D 9C F8 FF FF                             mov     ecx, [ebp-764h]
LOAD:0004AE06 85 C9                                         test    ecx, ecx
LOAD:0004AE08 74 0E                                         jz      short loc_4AE18
LOAD:0004AE08                               ; ---------------------------------------------------------------------------
LOAD:0004AE0A 8B 85 9C F8 FF FF 89 04 24 E8+junk            db 'ïࣰ  ë',4,'$Þ³   '
LOAD:0004AE18                               ; ---------------------------------------------------------------------------
LOAD:0004AE18
LOAD:0004AE18                               loc_4AE18:                              ; CODE XREF: LOAD:0004AE08j

 

 

Not sure it will help, but I haven't found any other explanation.

 

Assembly guys, please contribute :smile:

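The jz-over-E9 trick from the earlier post and the "call loc+1" pattern in this one can both be watched with a small Python model of the two disassembly strategies. This is an added example, not code from the thread; it decodes only the opcodes quoted in the posts, and the 0x4011C0 load address is an assumption chosen so that the bogus jmp target matches the 94A8D521h quoted above.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code, base, off):
    """Decode the instruction at code[off] (address base+off); only the opcodes
    from the posts are known, anything else is 'db'. Returns (length, text,
    successors), the addresses at which execution can continue."""
    b, addr = code[off], base + off
    if b == 0x33 and code[off + 1:off + 2] == b"\xC0":
        return 2, "xor eax, eax", [addr + 2]
    if b == 0x74 and off + 1 < len(code):
        target = addr + 2 + struct.unpack_from("<b", code, off + 1)[0]
        # Opaque predicate from the post: right after xor eax,eax ZF is set,
        # so this jz is always taken and its fall-through is dead code.
        if off >= 2 and code[off - 2:off] == b"\x33\xC0":
            return 2, "jz short 0x%X" % target, [target]
        return 2, "jz short 0x%X" % target, [addr + 2, target]
    if b in (0xE8, 0xE9) and off + 4 < len(code):
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = (addr + 5 + rel) & 0xFFFFFFFF
        if b == 0xE9:
            return 5, "jmp 0x%X" % target, [target]
        return 5, "call 0x%X" % target, [target, addr + 5]
    if b == 0x8B and off + 5 < len(code) and code[off + 1] & 0xC7 == 0x85:
        reg = REGS[(code[off + 1] >> 3) & 7]  # mov r32, [ebp+disp32]
        disp = struct.unpack_from("<i", code, off + 2)[0]
        return 6, "mov %s, [ebp%s0x%X]" % (reg, "-+"[disp >= 0], abs(disp)), [addr + 6]
    if b == 0x85 and off + 1 < len(code) and code[off + 1] >> 6 == 3:
        m = code[off + 1]  # test r32, r32
        return 2, "test %s, %s" % (REGS[m & 7], REGS[(m >> 3) & 7]), [addr + 2]
    if code[off:off + 3] == b"\x89\x04\x24":
        return 3, "mov [esp], eax", [addr + 3]
    if b == 0x58:
        return 1, "pop eax", [addr + 1]
    if b == 0xC3:
        return 1, "retn", []
    return 1, "db 0x%02X" % b, [addr + 1]


def linear_sweep(code, base):
    """What a linear disassembler shows: decode byte after byte, no branches."""
    out, off = [], 0
    while off < len(code):
        n, text, _ = decode(code, base, off)
        out.append((base + off, text))
        off += n
    return out


def flow_follow(code, base):
    """Recursive traversal: decode only what is reachable from base."""
    seen, work, out = set(), [base], {}
    while work:
        addr = work.pop()
        off = addr - base
        if addr in seen or not 0 <= off < len(code):
            continue
        seen.add(addr)
        n, text, succ = decode(code, base, off)
        out[addr] = text
        work.extend(succ)
    return sorted(out.items())


def find_self_calls(code, base):
    """Addresses of calls whose target lies inside their own 5 bytes, i.e. the
    E8 FC FF FF FF pattern that the posted script turns into a byte array."""
    hits = []
    for off in range(len(code) - 4):
        if code[off] == 0xE8:
            target = base + off + 5 + struct.unpack_from("<i", code, off + 1)[0]
            if base + off < target < base + off + 5:
                hits.append(base + off)
    return hits


# Constructed inputs: the bytes quoted in the two posts, at assumed addresses.
JZ_TRICK = bytes.fromhex("33C0 7401 E958C36894")
SELF_CALL = bytes.fromhex("8B8D9CF8FFFF 85C9 740E 8B859CF8FFFF 890424 E8FCFFFFFF 85DB")

if __name__ == "__main__":
    for addr, text in linear_sweep(JZ_TRICK, 0x4011C0) + flow_follow(JZ_TRICK, 0x4011C0):
        print("%08X  %s" % (addr, text))
    print(["%X" % a for a in find_self_calls(SELF_CALL, 0x4AE00)])
```

Linear sweep prints the bogus jmp to 0x94A8D521; following the flow yields pop eax / retn, and the self-call scan flags 0x4AE13 for the second snippet.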

hello and good night... sorry for my bad English, and yes, I'm a noob... I got stuck at the DiskStation login and password on the USB boot menu... any idea? thanks :wink:

 

This thread's more for development discussion of 4.3 rather than support problems with (I'm assuming) 4.2. However, once it's at the login stage, that's it. The rest of it is managed via the web interface - point your browser at the address you gave it during the install process:

 

http://your IP:5000/webman/index.cgi

 

If you've not installed it yet, you need to download DSAssistant from synology and then run that. It should find your DS and allow you to install it. There are plenty of instructions on this site if you look.


Giving up on static analysis for now; I will build my custom kernel with debug enabled and start dynamic analysis.

 

Obfuscation is pretty hard to read, that's the point of this :smile:

 

Anyway, it seems the cgi doesn't have any obfuscation. How did you manage to get the core? (Not familiar with web stuff :smile:)

 

Thanks


neXus:

 

that was a LITTLE tricky part :razz: (you need to "freeze" the process, then kill it with one of the coredump-making signals... strace says it fopens synoinfo.conf so...)

 

mv /etc/synoinfo.conf /etc/synoinfo.conf.bak ;

mkfifo /etc/synoinfo.conf ; (this is the tricky part: you need ipkg and to install... coreutils maybe? don't remember)

./storagehandler.cgi

 

(second ssh)

ulimit -c unlimited ;

kill -SIGABRT

 

DiskStation> ./storagehandler.cgi

Aborted (core dumped)

 

find / -name \*core\*

 

And you are done. IDA PRO can open coredump files. Then remove /etc/synoinfo.conf and mv /etc/synoinfo.conf.bak /etc/synoinfo.conf

 

EDIT:

here is coredump http://www.k3dt.eu/storagehandler..core.gz


Do you realize that attempting to adapt DSM to other systems, disassembling and removing the protection from their own (non-GPL) files, is piracy?

It's no longer just harmless digging in the kernel/drivers. Some of them are protected so that they cannot be patched directly.

Synology implements explicit protection and does not want DSM to spread. Isn't it obvious?


 

Well, given that most of those who use XPEnology releases wouldn't buy a Synology NAS anyway, it cannot be counted as piracy. DSM is not sold, it is not a product - it is merely a feature, and based on what you say, it would be illegal to port iOS to other devices (I know it would never really work, but basically we are doing the same thing). So no, it is not illegal. We are making no profit out of it (except if you count personal experience, especially for those who patch the releases, as profit), and it is only used in home environments, where the other options are either (pirated) Windows or some crappy Linux distro that does not offer even close to as many features as DSM.
