Decompiling the Lua files in Xiaomi router firmware

After unpacking the Xiaomi AX3600 and AX1800 firmware, the Lua scripts turned out not to be readable source: they are shipped as compiled Lua bytecode, which is why they look "encrypted" at first glance.
Some searching showed that unluac (a Lua bytecode decompiler) can turn them back into readable Lua.

Set up binwalk, ubi_reader and unluac

binwalk setup:

git clone https://github.com/ReFirmLabs/binwalk.git
cd binwalk
sudo python3 setup.py install

ubi_reader setup:

git clone https://github.com/jrspruitt/ubi_reader
cd ubi_reader
sudo python3 setup.py install
sudo apt-get install python-lzo
sudo apt-get install liblzo2-dev

unluac setup (the miwifi fork, which understands Xiaomi's bytecode):

git clone https://github.com/NyaMisty/unluac_miwifi.git
cd unluac_miwifi
mkdir build
javac -d build -sourcepath src  src/unluac/*.java
jar -cfm build/unluac.jar src/META-INF/MANIFEST.MF -C build  .

The unluac.jar built here is what does the actual decompiling.

Official firmware download pages for the AX3600 and AX1800:

Unpacking the AX3600 firmware:

binwalk -Me miwifi_r3600_firmware_02d97_1.1.15.bin
cd _miwifi_r3600_firmware_02d97_1.1.15.bin.extracted/
ubireader_extract_images 2AC.ubi
cd ubifs-root/2AC.ubi
sudo unsquashfs ./img-928520125_vol-ubi_rootfs.ubifs


Unpacking the AX1800 firmware:

binwalk -Me miwifi_rm1800_firmware_df7e3_1.0.385.bin
cd _miwifi_rm1800_firmware_df7e3_1.0.385.bin.extracted/
ubireader_extract_images 2B0.ubi 
cd ubifs-root/2B0.ubi/
sudo unsquashfs ./img-1921350739_vol-rootfs_data.ubifs 

Go into
squashfs-root/usr/lib/lua/luci/controller/api
and look at the scripts: they are compiled bytecode, not readable source.
Decompile them with unluac.jar. As a test case, take the file that holds the vulnerable function:
squashfs-root/usr/lib/lua/luci/controller/api/misystem.lua
Remember to copy this file from both the AX3600 tree and the AX1800 tree next to unluac.jar
so the two versions can be compared side by side.

touch ax3600.lua
java -jar ./unluac.jar ./misystem.lua > ax3600.lua
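The unpack-then-decompile steps above, scripted so that every bytecode file under the luci controller directory of both extracted trees is run through unluac.jar and the files that differ between the two builds are listed as unified diffs. This is an added example and not code from the original post; the unluac.jar path, the controller subdirectory, and the check for the standard precompiled-Lua magic "\x1bLua" (Lua 5.1 files start with "\x1bLuaQ") are assumptions, and the header used in the self-test is constructed rather than taken from a real firmware.

```python
#!/usr/bin/env python3
"""Batch-decompile the Lua bytecode in two unpacked Xiaomi firmware trees with
unluac.jar and report which luci controller files changed between them.

Added example, not code from the original post. Assumptions:
  * unluac.jar is the jar built from NyaMisty/unluac_miwifi (path below);
  * the files carry the standard precompiled-Lua magic "\\x1bLua".
"""
import difflib
import subprocess
import sys
from pathlib import Path

LUA_MAGIC = b"\x1bLua"                     # magic written by luac (5.1: "\x1bLuaQ")
UNLUAC_JAR = Path("unluac.jar")            # assumption: the built jar sits in the cwd
LUA_DIR = "usr/lib/lua/luci/controller"    # the API controllers the post examines


def is_lua_bytecode(head: bytes) -> bool:
    """True if the blob is precompiled Lua (luac output) rather than source text."""
    return head[:4] == LUA_MAGIC


def lua_version(head: bytes) -> str:
    """Decode the version byte that follows the magic (0x51 -> '5.1')."""
    v = head[4]
    return f"{v >> 4}.{v & 0x0F}"


def find_bytecode(root: Path) -> list[Path]:
    """Every .lua under <root>/usr/lib/lua/luci/controller that is bytecode."""
    base = root / LUA_DIR
    if not base.is_dir():
        return []
    hits = []
    for p in sorted(base.rglob("*.lua")):
        with open(p, "rb") as f:
            if is_lua_bytecode(f.read(5)):
                hits.append(p)
    return hits


def decompile(path: Path, jar: Path = UNLUAC_JAR) -> str:
    """Run `java -jar unluac.jar <file>` and return the decompiled source."""
    res = subprocess.run(["java", "-jar", str(jar), str(path)],
                         capture_output=True, text=True, check=True)
    return res.stdout


def decompile_tree(root: Path) -> dict[str, str]:
    """Map each bytecode file's path (relative to root) to its decompiled text."""
    return {str(p.relative_to(root)): decompile(p) for p in find_bytecode(root)}


def diff_sources(old: str, new: str, old_name: str, new_name: str) -> list[str]:
    """Unified diff of two decompiled files, as lines without trailing newlines."""
    return list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     fromfile=old_name, tofile=new_name, lineterm=""))


def changed_between(a: dict[str, str], b: dict[str, str],
                    a_name: str = "ax1800", b_name: str = "ax3600") -> dict[str, list[str]]:
    """Files whose decompiled source differs between the two trees, with a diff.
    A file present in only one tree is reported with a one-line marker instead."""
    out: dict[str, list[str]] = {}
    for rel in sorted(set(a) | set(b)):
        if rel not in a:
            out[rel] = [f"only in {b_name}"]
        elif rel not in b:
            out[rel] = [f"only in {a_name}"]
        elif a[rel] != b[rel]:
            out[rel] = diff_sources(a[rel], b[rel], f"{a_name}/{rel}", f"{b_name}/{rel}")
    return out


if __name__ == "__main__":
    # usage: python3 lua_diff.py <ax1800 squashfs-root> <ax3600 squashfs-root>
    if len(sys.argv) != 3:
        sys.exit("usage: lua_diff.py <old squashfs-root> <new squashfs-root>")
    old_root, new_root = Path(sys.argv[1]), Path(sys.argv[2])
    report = changed_between(decompile_tree(old_root), decompile_tree(new_root))
    for rel, lines in report.items():
        print(f"=== {rel}")
        print("\n".join(lines))
```

Point it at the two squashfs-root directories produced by unsquashfs; files that unluac fails on surface as a CalledProcessError with the jar's stderr, which is usually the quickest way to notice a file that is not in the expected bytecode format.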

After decompiling, look at the vulnerable function. unluac names registers L0, L1, ... and leaves globals (scancmd, ssid, bssid, ...) as they are, so the listing reads like register-level pseudocode:

setConfigIotDev = L14
function L14()
  local L0, L1, L2, L3, L4, L5, L6, L7, L8, L9, L10, L11, L12, L13, L14, L15, L16, L17, L18, L19, L20
  L0 = require
  L1 = "xiaoqiang.common.XQFunction"
  L0 = L0(L1)
  L1 = require
  L2 = "xiaoqiang.util.XQWifiUtil"
  L1 = L1(L2)
  L2 = require
  L3 = "luci.util"
  L2 = L2(L3)
  L3 = {}
  L3.code = 0
  L4 = {}
  L5 = {}
  L6 = require
  L7 = "luci.model.uci"
  L6 = L6(L7)
  L6 = L6.cursor
  L6 = L6()
  L8 = L6
  L7 = L6.get
  L9 = "miscan"
  L10 = "config"
  L7 = L7(L8, L9, L10, L11)
  L7 = L7 or L7
  L8 = nil
  L9 = {}
  L10 = L1.getWifiBasicInfo
  L10 = L10(L11)
  L10 = L10.on
  L10 = L10 == 1
  wifi24GOn = L10
  if L7 == "1" then
    L10 = wifi24GOn
    if L10 then
      L10 = "scan 1"
      scancmd = L10
      L10 = L2.execl
      L10 = L10(L11)
      if L10 then
        for L14, L15 in L11, L12, L13 do
          L16 = L0.isStrNil
          L17 = L15
          L16 = L16(L17)
          if not L16 then
            L17 = L15
            L16 = L15.match
            L18 = "ssid:(%S+) bssid:(%S+) model:(%S+) routerSSID:(%S+) routerBSSID:(%S+)"
            L16, L17, L18, L19, L20 = L16(L17, L18)
            router_bssid = L20
            router_ssid = L19
            model = L18
            bssid = L17
            ssid = L16
            L16 = ssid
            if L16 ~= nil then
              L16 = table
              L16 = L16.insert
              L17 = L4
              L18 = {}
              L19 = tostring
              L20 = model
              L19 = L19(L20)
              L18.model = L19
              L19 = tostring
              L20 = ssid
              L19 = L19(L20)
              L18.ssid = L19
              L19 = tostring
              L20 = bssid
              L19 = L19(L20)
              L18.bssid = L19
              L19 = tostring
              L20 = router_ssid
              L19 = L19(L20)
              L18.router_ssid = L19
              L19 = tostring
              L20 = router_bssid
              L19 = L19(L20)
              L18.router_bssid = L19
              L16(L17, L18)
            end
          end
        end
      end
    end
  end
  L5.list = L4
  L3.data = L5
  L10 = _UPVALUE0_
  L10 = L10.write_json
  L10(L11)
end

This is not very easy to follow, so compare it with the same function in the AX1800 build to see what changed.
Left: AX1800, right: AX3600.
[two side-by-side screenshots of the decompiled setConfigIotDev, omitted]

Judging from the changed code, the AX3600 build has already fixed the injectable function: in the AX3600 listing above the command handed to luci.util.execl (the L2 module) is the constant scancmd = "scan 1".
Even so, the decompiled output as a whole is still hard to read.
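Because the register-style output makes it tedious to spot where a controller reaches a shell, a small triage pass over the decompiled files helps: it lists every load of a command-execution function (luci.util exec/execl/execi, os.execute, io.popen), the enclosing function, the readable alias unluac printed for it (such as setConfigIotDev = L14), and whether the argument at the call site is a string literal or something computed. This is an added example, not part of the original post; SAMPLE is a constructed, shortened excerpt in the shape of the misystem.lua listing above, and the sink list and the lookahead of four lines are assumptions.

```python
#!/usr/bin/env python3
"""Triage helper for unluac output: list shell-command sinks with the enclosing
function, its alias, and whether the argument at the call site is constant.

Added example, not from the original post. SAMPLE below is a constructed,
shortened excerpt modelled on the decompiled misystem.lua listing.
"""
import re

# A load such as `L10 = L2.execl`; luci.util's exec/execl/execi, os.execute and
# io.popen all hand a string to a shell (assumed sink list).
SINK_RE = re.compile(r"\b(\w+)\.(execl|execi|exec|execute|popen)\b")
FUNC_RE = re.compile(r"^\s*(?:local\s+)?function\s+([\w.:]+)\s*\(")
ALIAS_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(L\d+)\s*$")   # e.g. `setConfigIotDev = L14`
STRING_RE = re.compile(r'^\s*"[^"]*"\s*$')               # a single quoted literal

SAMPLE = """\
setConfigIotDev = L14
function L14()
  local L0, L1, L2, L10, L11
  L2 = require
  L3 = "luci.util"
  L2 = L2(L3)
  L10 = "scan 1"
  scancmd = L10
  L10 = L2.execl
  L10 = L10(L11)
end
function L15()
  L0 = os.execute
  L0("ls")
end
"""


def find_sinks(source: str, lookahead: int = 4) -> list[dict]:
    """Return one record per sink load: line, function, alias, sink, call args, kind."""
    lines = source.splitlines()
    # unluac prints `name = Lnn` for functions stored into globals; map Lnn -> name
    aliases = {m.group(2): m.group(1) for m in map(ALIAS_RE.match, lines) if m}
    hits, current = [], None
    for i, line in enumerate(lines):
        f = FUNC_RE.match(line)
        if f:
            current = f.group(1)
            continue
        s = SINK_RE.search(line)
        if not s:
            continue
        sink = f"{s.group(1)}.{s.group(2)}"
        args = None
        if "=" in line:
            # register form: the call follows a few lines later as `Lnn = Lnn(...)`
            reg = line.split("=", 1)[0].strip()
            call_re = re.compile(rf"\b{re.escape(reg)}\(([^)]*)\)")
            for nxt in lines[i + 1:i + 1 + lookahead]:
                c = call_re.search(nxt)
                if c:
                    args = c.group(1).strip()
                    break
        else:
            # direct form: `L2.execl("scan 1")`
            c = re.search(r"\(([^)]*)\)", line[s.end():])
            args = c.group(1).strip() if c else None
        kind = "constant" if args is not None and STRING_RE.match(args) else "dynamic"
        hits.append({"line": i + 1, "function": current,
                     "name": aliases.get(current, current),
                     "sink": sink, "args": args, "kind": kind})
    return hits


if __name__ == "__main__":
    for h in find_sinks(SAMPLE):
        print(f"{h['line']:>4}  {h['name']} ({h['function']})  {h['sink']}({h['args']})  [{h['kind']}]")
```

Run it over every file produced by the decompile step and start with the "dynamic" entries. A register name such as L11 says nothing by itself (unluac often loses the binding), so the surrounding assignments, in particular any concatenation of request parameters into the command string, are what to read by hand.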
